Technical Security Assessment

What is Technical Security Assessment?

NSS focuses on two main kinds of Technical Security Assessment: Vulnerability Assessment and Penetration Testing. If you wish to learn more, you can read our article on Penetration Testing vs Vulnerability Assessment. We offer a comprehensive range of security assessment solutions for companies of all sizes (we have tested networks of over 10,000 active nodes) and also have dedicated service offerings for Security Architecture Review, Web Application and Application Security, and Security Policy Development.

If you have an internal computer network, a mail server, a web server or any kind of custom software application or web-based application, you are at risk from malicious attacks.

An intruder will take any useful information they can, use your bandwidth and resources, and leave you with a bruised ego, a battered reputation and a severe financial loss.

Hackers, script kiddies, crackers, whatever the media currently calls them, are all knocking at your door. Why would someone hack me, you ask? Simply because they can.

In 2005, 91% of organisations reported detecting computer security breaches in the last 12 months and 97% of these had websites. Of those with websites, 23% reported suffering an attack within the last 12 months and 27% did not know if they had been attacked or not. Of those reporting attacks, 21% reported 2-5 and 58% reported 10 or more.

These statistics are alarming, but they likely don't show how bad things truly are: only 61% of polled organisations used some form of Intrusion Detection System.

Wouldn't you prefer the hackers on your side?

The NSS security team will test the effectiveness of your security policies to see if they can survive a realistic, intensive attack.

Let us find the holes before somebody else does.

You can read our article on the differences between Blackbox Testing and Whitebox Testing and Internal vs External Testing to get an idea of the range of tests available from NSS.

We provide this information so you feel more comfortable with the process and understand what is involved. This means that when you come to us you will have a clearer idea of your objectives for the project, which will enable us to work together more efficiently.

Essentially, your company’s security measures are analysed for design weaknesses, technical flaws and failings in the policies and procedures. The results of the test are then delivered in a comprehensive multi-level report, including a human-readable management summary and a more technical section for I.T. to take action on.

What is Involved?

There are many stages in a Penetration Test or Vulnerability Assessment that our experts will undertake for your organisation. Some of the stages would involve:

Others can include physical security, war-dialing and more.

If you are interested or just wish to find out more, please contact us directly.

Blackbox vs Whitebox Testing

The Overview

From a management or bird's-eye perspective, a Penetration Test or Vulnerability Assessment can take either of two main approaches. Essentially the test can be overt or covert, commonly known as Black Box Testing and White Box Testing. These terms originate from the testing of many things in the engineering field, especially software.

Black box testing assumes no prior knowledge of the infrastructure to be tested, and the testers must first determine the location and extent of the systems before commencing their analysis (this stage is quite time consuming and is commonly known as Information Gathering). At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested before they start, often including network diagrams, domain names, phone numbers, e-mail addresses, source code and IP addressing information.

There are several other variations in the middle, which are most common, known as Gray or Grey Box Testing.

The Pros and Cons

It really depends on how you look at it, and the pros and cons can be endlessly debated. Many say that Black Box Testing closely simulates the actions of a real cracker, and in most cases that is true. The fact remains, though, that any targeted attack on a system generally requires some kind of knowledge of the system, and any inside attacker would be in possession of such information.

Many companies are, however, interested in certain parts of the information gathering stage: are they leaking information online? Are phone numbers, names and other details easily available online? This area has become rather fashionable with the media lately and has been labeled as 'Google Hacking'.

In many cases it is preferable to assume a worst-case scenario and take the White Box Testing approach, that is, to hand over all the information the testers require and assume any savvy, determined attacker would already have all of it. Also bear in mind that White Box Testing is a lot more time-efficient, so it is recommended if you have a short schedule.

What NSS Recommends

It really depends on what your objective is for the project, your budget and any time constraints you have. Black Box Testing tends to be a lot more time consuming and manpower intensive but is a lot more thorough and seen by some as more realistic. White Box Testing is faster and to the point but doesn't give the sharp edge of a reality-based test. After discussing your needs, our team of specialists will recommend the best type of test for you and your organisation to meet any objectives you have and to ensure you reach the highest level of security possible within your limitations.

Internal vs External Testing

So what is Internal vs External?

The majority of organisations have some kind of LAN or Local Area Network connecting their computers and resources so they can be shared over the network.

You can consider this your Internal network: all the workstations, laptops, switches, printers and other devices inside your office that are only accessible within that network.

External devices are those accessible over the Internet, or the public portion of your network. Generally in this category you will find servers such as Web Servers (HTTP), Mail Servers (POP3 and SMTP) and DNS servers. These are called External Resources and are generally classified as higher risk than those inside the organisation as they are exposed to the Internet.

Hard Outside but Soft Inside

What we often find when auditing or assessing is that companies do have secure External Resources and have put a lot of effort into perimeter defenses and controls, with Firewalls, Intrusion Detection/Prevention and DMZs (Demilitarized Zones) set up for externally accessible servers.

But what they overlook is internal security, privilege segregation and separation of duties.

Around 50% of information security incidents occur INSIDE the organization; they don't come from outside the perimeter. It is therefore extremely important to ensure your internal security architecture is well designed and properly implemented.

This makes sense: the people inside your organization already have access to the network, they likely know its layout, and they will, to some degree, understand the security architecture being used.

You have to take into account disgruntled or criminal employees, industrial espionage and other malicious activities; as industries move towards knowledge-based business, information is valuable.

As for business risk, internal attacks tend to be a lot more expensive than external attacks:

"Oracle quotes a study by the Computer Security Institute (CSI) which concluded that the average insider attack cost the target enterprise approx. $2.7 million, compared with $57,000 for the average outside attack." - Source

What NSS Recommends

NSS recommends a thorough check of both Internal and External resources. Testing can be done from the perspective of an employee by using a Whitebox Testing approach (more on Blackbox vs Whitebox Testing). You can go one step further, where the NSS experts are given the normal login ID of a user and then proceed to test the network from that perspective to see if they can escalate their privileges to an administrative level.

Most organizations like to have both an Internal Test and an External Test carried out. We can perform both tests concurrently if you wish, according to your timescale and network availability (we generally perform the External tests during the quietest hours as a precaution).

External Tests can be conducted remotely from our offices in Malaysia, India or the US, while Internal Tests need to be conducted onsite at your facility.

Penetration Testing vs Vulnerability Assessment

The Confusion

There seems to be a certain amount of confusion within the I.T. arena about the differences between Penetration Testing and Vulnerability Assessment; they are often classified as the same thing when in fact they are not. Penetration Testing does sound a lot more exciting, but in our experience most clients actually require a comprehensive Vulnerability Assessment, or V.A., and not a more intrusive Penetration Test.

They are similar projects and cover much of the same ground, the main difference being that a Penetration Test is more aggressive and more intrusive: it goes one step further and involves trying to technically break into the systems or servers and prove they are vulnerable.

The problem with this is that it can be risky: exploits make use of a flaw in the running software or the operating system and so can cause instability. When we are testing the live servers of a client, this is the last thing we want to happen.

The Penetration Test

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

The Vulnerability Assessment

Most clients actually want a Vulnerability Assessment, even though they may label it a Penetration Test. In the majority of cases the systems we are testing for flaws are live production systems and can't afford to be disrupted by active exploits which might crash the system or cause some kind of unpredictable behaviour or instability.

Vulnerability assessment is a much broader term and can be applied to many things; it is closely related to Risk Assessment (also involved in Business Continuity Planning and Disaster Recovery Development) and involves the process of identifying and quantifying vulnerabilities in a system. In this case it's technical vulnerabilities within the system known as exploits. These of course put the systems at risk.

What NSS Offers

NSS generally delivers a comprehensive vulnerability assessment, as most clients do not require any actual penetration. We are contracted to assess and document any possible vulnerabilities within the information technology architecture and recommend mitigation measures and improvements to the system. This also generally includes Information Security Policy Development or Review.

We also offer comprehensive Penetration Tests and Application Security reviews to those clients with more specific worries or doubts.