Project Description

AUDIT AND ASSESSMENT

Our IT Audit and Assessment services provide you with an independent, unbiased assessment of your security program, policies, and controls. This provides your executive leadership and management team with the confidence that your organization is adequately mitigating risk in alignment with business objectives.

ICS utilizes the best tools available in the market and couples these tools with our proprietary software and processes to save our clients time and unnecessary expense. Because ICS serves hundreds of clients every year, you will benefit from our significant investment in industry-leading technologies.


Our consultants use some or all of the tools above to deliver risk management and cyber assessment services such as:

A Risk Assessment from a qualified IT security firm is like checking the doors and windows on your network. With all of the confidential corporate and customer information in your database, you would never consider leaving those doors and windows open. But beyond the entryways that are easy to see, are there other access points that are not so obvious? Is your network at risk of experiencing a devastating breach?

Our Risk Assessment model delivers both quantitative and qualitative measures of organizational risk, allowing you to optimize your security spend and efficiently allocate resources to maximize business value. We have a 20-year history of delivering Risk Assessments against all major standards, including the NIST 800-series, ISO, OCTAVE, COBIT, COSO, and others.

An Information Security Risk Assessment is a means of examining your organization’s information security infrastructure to identify vulnerable areas in the network and provide steps to secure those weaknesses. Only then will your organization be able to prioritize which areas need to be addressed immediately, which are less urgent, and which ones are not urgent at all.

A Risk Assessment will provide your organization with an objective evaluation of the security of your information infrastructure.

You can’t fix what you don’t know is broken, and it is impossible to ensure the security of your network without a clear picture of its strengths and its weaknesses. Regularly scheduled vulnerability assessments are an uncomplicated way to uncover potential hazards.

There are countless individuals and entities intent on accessing other organizations’ network resources and data for myriad reasons, and they’re using the latest technology and techniques to accomplish this goal. Without adequate protection, your organization can be easily compromised, resulting in anything from a minor inconvenience to a breach that seriously harms your operations and your bottom line. ICS can guide you through the process to properly safeguard any weak or exposed areas with an internal or external vulnerability assessment.

By working with ICS you:

  • Catalog and prioritize vulnerabilities within your infrastructure.

  • Implement quick, efficient and cost-effective remediation solutions, created for your specific needs.

  • Give your customers confidence by ensuring their information is secure.

  • Satisfy regulatory compliance requirements.

Penetration Testing Overview

The practice of technical security assessment has long been recognized as a standard best practice across all business and industry segments. It is a crucial component in a well-managed information and technology security strategy, and in today’s fast-paced e-commerce society, it has become more important than ever.

A qualified technical security firm can provide your business or organization with a comprehensive technical security assessment to identify weaknesses and potential risks that could compromise the enterprise network and systems. This assessment should include the following security components: vulnerability assessment, web application assessment, and penetration testing.

A vulnerability assessment is the process of identifying, quantifying and prioritizing weaknesses and potential risks that could compromise the enterprise network and systems. These vulnerabilities may be caused by unpatched or obsolete software or poorly configured systems. A vulnerability assessment will provide insight into areas that are exploitable by both authorized users and attackers.

Today more than ever, businesses use web-based applications for sales, marketing, accounting and other functions. While these applications have many benefits, including the convenience of online accessibility and enhanced team collaboration, they can also expose an organization to vulnerabilities that could be leveraged to gain unauthorized access to network resources and sensitive data. An effective web application assessment allows for the discovery of vulnerabilities that exist in web-based applications, and provides strategies to protect the organization from breach.

Penetration Testing Demystified

A Penetration Test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user.

During a penetration test, the technical security firm is challenged with taking the position of an attacker to attempt a penetration via previously identified points of weakness. The potential entry points may have been identified either by the organization or through a previously completed vulnerability assessment. The penetration test will confirm the legitimacy of the potential weaknesses. If the attack is successful, the consultant will assess the impact an information security breach could have on the organization and will present the findings along with a detailed proposal for mitigation.

Internal vs. External Penetration Testing

When considering a penetration test, an organization must decide whether to conduct internal testing, external testing, or a combination of both.

An external penetration test is commonly referred to as “ethical hacking”. The external pen test is performed from “outside” the organization, in a manner similar to the approach that would be used by an actual hacker. Having limited information regarding the network infrastructure, the ethical hacker will garner information from public web pages and attempt to break through any security vulnerabilities that might exist in the IT infrastructure.

Many threats come from within the organization’s firewall – from employees or partners with access to privileged information. These threats, while often not malicious in their intent, can have the same damaging results as an external attack from a malevolent hacker. In an internal penetration test, the ethical hacker is given network authorization equivalent to that of an employee or guest user and will conduct the penetration test from the vantage point of users within the organization’s own network.

Results of the Penetration Test

Following the penetration test, the organization will have a much clearer understanding of the weak areas within the IT infrastructure, as well as how to shore up defenses to protect the organization from a costly, potentially devastating security breach. This thorough test provides answers to the questions raised by the vulnerability assessment and is an invaluable component of a comprehensive technical security assessment.

Benefits of Effective Penetration Testing

Penetration Testing should be performed bi-annually as a part of a comprehensive technical security assessment. The benefits of this act of corporate due diligence include protection of the organization’s reputation; protection of data and assets; third-party verification; cost justification; customer/client assurance; and validation of existing security measures. A comprehensive technical security assessment, which includes web application assessment and vulnerability assessment in addition to penetration testing, will also help ensure legislative and regulatory mandates are met while risk exposure is reduced.

When to Perform Penetration Testing

Penetration Testing should be performed bi-annually as a part of a comprehensive technical security assessment. As changes in the network environment occur, the potential for new weaknesses develops. The testing schedule should be planned with your technology security firm around vulnerability assessments (quarterly) and web application assessments (at least bi-annually, or as new applications are added).

How ICS can help:

The ICS Technical Security Team is a recognized leader in external, internal, and web application information security testing. At ICS, we offer a range of security services and are able to create a customized solution to meet the unique and specific needs of your business. From periodic vulnerability assessments and penetration tests to mitigation practices including full data encryption, ICS can provide solutions that are customized for your organization. Contact us to get started.

Pen Test Resources:

WHITEPAPER: THE TECHNICAL SECURITY ASSESSMENT – PENETRATION TESTING

A Penetration Test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user. Following a pen test, your organization will have a much clearer understanding of the weak areas within the IT infrastructure, as well as how to shore up defenses. This whitepaper provides an overview of penetration testing.

SALES SHEET: PENETRATION TESTING

Penetration Testing should be performed bi-annually as a part of a comprehensive technical security assessment. The benefits of this act of corporate due diligence include protection of the organization’s reputation; protection of data and assets; third-party verification; cost justification; customer/client assurance; and validation of existing security measures. Learn more with this Penetration Test sales sheet.

How many web-based applications do you expose to internal and external users? Chances are good that just about every department within your organization is using web apps daily for standard business functions. While the benefits of these apps are many, they also bring with them hazards for which you should be prepared.

A web application assessment is a specific test designed to identify threats of unauthorized access, so you can keep your sensitive information safe and secure no matter how many web-based applications your organization is using.

The goal of the web application security assessment is to identify security issues and weaknesses in the web-based application as installed, configured, maintained, and used in the production environment. Examples of the types of security issues assessed include:

  • Input/Output validation (e.g., cross site scripting, SQL Injection)
  • Application logic flaws (e.g., authentication bypass)
  • Server configuration errors/versions (e.g., directory traversal, missing patches)

The assessment is a dynamic review of the state of the application and infrastructure security at a point in time. Findings will be reflective of the current state of security. The deliverable will contain detailed information based on NIST 800-53, and will include the vulnerabilities discovered, the number of vulnerabilities, and detailed remediation recommendations.

At ICS, we utilize constantly updated, state-of-the-art tools operated by trained professionals to ensure the security of your web apps, and our highly trained experts possess a wide breadth of knowledge and maintain key security certifications. You don’t have to stay on top of the ever-changing world of network security; we do it for you. Contact us today.

ICS is available for code review projects with the goal of identifying security issues and weaknesses in application code. We are able to conduct a systematic review of applications in scope for code review, which can include in excess of 1,000,000 lines of code.

Examples of programming languages involved are:

  • .NET 3.5 framework
  • VB.NET
  • ASP.NET
  • C#
  • JavaScript

By conducting a static review of application code as it exists at the time of the assessment, we are able to provide an assessment of each application’s architecture from a security perspective as well as remediation recommendations.