Application Security

What is Application Security?

Application Security Review evaluates the security posture of an application across the development life cycle, enabling you to identify, eliminate, and prevent security risks in the applications that drive your business. This review would include your specific business goals and security control objectives as part of its analysis, helping you assure the controls in your environment meet the requirements of your business partners, stakeholders, and relevant regulatory bodies.

Application Security Review Phases

The Application Security Review consists of four phases:

Our Solutions

NSS Application Security Review offerings utilize holistic approach to ensure a higher degree of assurance to manage your application security risks.

The ingredients of our application security offerings are:

• Application Architecture Review
• Application Development Process Review
• Application Platform & Configuration Management Review
• Application Code Review
• Application Penetration Test

The review provides detailed findings on vulnerabilities that may adversely impact overall information security risk, and provides specific recommendations for improvement.

• Inherent vulnerabilities in your application network architecture
• Risks introduced through development, integration, and deployment processes.
• Inherent vulnerabilities in your application and its platform;
• Application and infrastructure exposure to attack.

Benefit

NSS can offer this service to customers at various stages of the application lifecycle. However, conducting an Application Security Review earlier in the development process may help organizations recognize and correct design, development, or implementation flaws before they become expensive fixes or irreparable problems.

• Cost effective solutions
• Industry standard compliance ISO27001, OWASP
• Repeatable process and maximum knowledge transfer
• Industry knowledge expertise
• Proven track record and methodology

If you wish to find out more you can contact us directly.

Business Continuity (BCP & DR)

Why Business Continuity Planning (BCP) is Necessary

Business continuity and contingency planning are vital activities. However, the creation of a sound business continuity and contingency plan is a complex undertaking, involving a series of steps. Prior to creation of the plan itself, it is essential to consider the potential impacts of disaster and to understand the underlying risks. These are the foundations upon which a sound business continuity & disaster recovery plan should be built.

Following these activities the plan itself must be constructed. Then it must be maintained and tested to ensure that it remains appropriate to the needs of the organization. With the efficiencies and advantages that accrue out of a state of the art Information Infrastructure come risks, threats and vulnerabilities to disasters of various kinds, which the organization must contend with to maintain its leadership position.

Every day, businesses are confronted with disasters of varying degrees. Those that have adequately developed, maintained, and exercised their contingency plans will survive. Yet many organisations continue to take the uninhibited operations of their companies for granted. They assume that the power will always be available, the telephone system will not fail, there will be no fire or earthquake--everything will always be normal. However, if a business is to survive, organizational "strategic" and "tactical" battle planning is essential.

The final corporate contingency plan is the lifeblood of corporate survival. However, it is only as good as the foundation upon which it was built. The foundation is, of course, the concept.

What NSS Offers

A typical BCP/DR offering from NSS will contain two main things:

• A Comprehensive Business Continuity and Disaster Recovery Plan for the client locations. This plan will help in identifying weaknesses and implement a disaster prevention program; minimize the duration of a serious disruption to business operations; facilitate effective co-ordination of recovery tasks; and reduce the complexity of the recovery effort.
• Comprehensive Disaster Risk Assessment of the establishments at the client locations covering Physical, e-security, IT Systems security management and Business Impact Risk assessment.

The key benefits of the BCP & DR to the company would include:

• Minimizing potential economic loss.
• Decreasing potential exposures.
• Reducing the probability of occurrence.
• Reducing disruptions to operations.
• Ensuring organizational stability.
• Providing an orderly recovery.
• Minimizing insurance premiums.
• Reducing reliance on certain key individuals.
• Protecting the assets of the organization.
• Ensuring the safety of personnel and customers.
• Minimizing decision-making during a disastrous event.
• Minimizing legal liability.

If you wish to find out more you can contact us directly.

CSIRT / CERT Setup

Computer Security Incident Response Team & Center

As dependency on automated Information Systems has grown so has the threat to Confidentiality, Integrity and Availability of data and Information Systems. Government agencies and other large multiple location networked organizations have begun to augment their computer security efforts
because of increased threats to computer security. Incidents involving these threats, including
computer viruses, malicious user activity, and vulnerabilities associated with high technology,
requires a skilled and rapid response before they can cause significant damage. At the core of
these efforts lies an organization's ability to respond to a computer incident quickly and efficiently
so as to prevent / contain the damage.

Our Experience

Network Security Solutions has developed an esoteric expertise and capability in research and
reviewing of new vulnerabilities, exploits, and their solutions keeping in pace with the latest Internet security trends. Coupled with valuable experience of setting up the India's only National level Computer Emergency Response Team (Indian CERT).

What NSS Can Provide

NSS can help conceptualize and setup a Computer Security Incident Response Center (CSIRC) so as to resolve computer security problems in a way that is both efficient and cost-effective. Combined with policies for centralized reporting, SIRC can reduce waste and duplication while providing a better posture against potentially devastating threats.

The CSIRC shall enable the Government/Organisation to cater to computer incidents which may
include one or more or a combination of the following:

• Compromise of integrity, such as when a virus infects a program or the discovery of a serious system vulnerability
• Denial of service, such as when an attacker has disabled a system or a network worm has saturated network bandwidth
• Misuse, such as when an intruder (or insider) makes unauthorized use of an account; Damage, such as when a virus destroys data
• Intrusions, such as when an intruder penetrates system security.

In its broadest sense, a CSIRC effort can be viewed as the involvement of the agency as a whole, organized such that its management structures, communications and reporting mechanisms, and users all work together in reporting, responding to, and resolving computer security incidents quickly and efficiently. However, our experience in establishing a Computer Emergency Response Team has shown that a CSIRC is defined less by its organizational structure than by its centralized, proactive capability to respond to security threats with speed, efficiency, and without duplication of effort and waste of agency resources.

To achieve those objectives:

• Current efforts will most likely require some revamping.
• Policies for centralized reporting and mechanisms for affecting it will need to be setup.
• Personnel with requisite skills & equipment will need to be dedicated to the effort.
• Other changes in the way in which the agency manages computer security will most likely result.

Why NSS?

Knowledge partnership with NSS brings with it an unprecedented resource pool of talent and experience in Security, Information Risk Management, Privacy Protection, Incident Response, Risk Mitigation and Damage Limitation. Our security experts include former National Security Officers, Military and Law Enforcement Officers, and a core team of Certified Information Systems Security Professionals (CISSPs), Certified Information System Auditors (CISAs) and Lead Auditors in Information Security (BS7799). Out of this pool of experts has been selected, a Core team of specialists who setup India's CERT based on Industry best practices, in collaboration with Carnegie Mellon University (US CERT). This NSS team shall fortify the organisation's initiative in creating an effective CSIRC.

If you wish to find out more you can contact us directly.

Digital Forensics

Digital Forensics

Nearly all "white collar" crimes today involve the computer either as a tool in enabling the crime or as a target of the crime.

• Digital forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allow investigators to solve the crime. In the battle against malicious hackers, digital forensic investigations are performed in support of various objectives, including timely cyber attack containment, perpetrator location and identification, damage mitigation, and recovery initiation in the case of a crippled, yet still functioning, network.
• Computer forensics deals with gathering evidence from computer media seized at the crime scene. Principle concerns with computer forensics involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation purposes.
• Network forensics gathers digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved within permanent storage media. Network forensics deals primarily with in-depth analysis of computer network intrusion evidence, while current commercial intrusion analysis tools are inadequate to deal with today's networked, distributed environments.

Our Experience

In the past NSS had conducted training programs for law enforcement officers and assisted police forces in India and abroad in Cyber Crime and Online fraud investigations. NSS is one of the few organisations that possess expertise in Digital and Network Forensics as well as handling digital evidence in keeping with legal requirements. NSS has been sought by corporate and government clients to investigate & gather evidence for cases involving Hate mail, E Mail spoofing, IP spoofing, Email fraud, email trace backs, Incident handling, insider fraud, web defacements, network forensics, Intellectual property theft etc.

Why NSS?

The company has best of breed certifications and has deep and varied project experience across the industry. Our digital forensics experts are trained and certified from the USA and have top end certifications like the Certified Fraud Examiner CFE from the University of New Haven, Computer Security Institute etc. NSS core team, having worked in law enforcement agencies like the Royal UK Police, Air Force and Military Special Forces possess the highest levels of security consciousness.

If you wish to find out more, contact us directly.

Digital Rights Management Consulting

Digital Rights Protection Services

How secure is your proprietary content that is being streamed across continents to broadcast providers (licensees) across the world? How security conscious are the operators? What is the risk of your content being copied due to negligence, lack of security controls or from piracy. Digital Rights Management has become a cause for concern for most studios as technology allows for rapid copying and dissemination of data over long distances without corruption.

What does it Involve?

The NSS Onsite Broadcast Security Environment Audit looks into:

• Security policy framework of the licensee (last mile content provider)
• Network architecture & communication backbone for providing digital content
• Benchmark the proposed solution against the security concerns of the client & general security objectives
• Re-transmission/Copying of data
• Fraudulent Billing
• Encryption Standards
• Insider crime threat to content, transaction information, and consumer information
• Set Top Box architecture
• Physical security safeguards.

This non invasive onsite assessment will determine whether the licensee has the ability and security framework (technology, people and processes) to ensure digital rights protection.

DRM Deliverables

• A review document highlighting the strengths and weaknesses of the proposed solution.
• Rate the proposed solution based upon its ability to address the security concerns outlined.
• An audit report listing the performance of the capabilities of the Licensee in relation to their proposed architecture and security solution.
• Recommendations to enhance security and resolve any the security concerns noted in the given system.

As a result of this service you will have a better understanding of the security environment under which the licensee is handling and delivering content. With huge investments being made into content generation, broadcasting and delivery, it is imperative that piracy protection measures be affected from end to end. Such a periodic review shall enable you to benchmark the security posture of the licensee against the dynamic security policy objectives laid down by you from time to time.

If you wish to find out more you can contact us directly.

Host Hardening Services

Why Host Hardening?

Host Hardening often goes hand in hand with intrusion detection and is an important part of building a secure information security architecture. It is of course most important when it comes to public facing or Internet enabled servers such as e-mail, web or DNS servers.

Security should always consist or multi-tiered, multi-layered hardened solutions, the outside consisting of perimeter devices such as routers, firewalls and proxies and the interior with intrusion detection systems.

Just like its name suggests, the main function of host hardening is to harden the key servers within your environment. The host hardening takes place to ensure the confidentiality and integrity of your systems.

Of course the security must be tested and the architecture is as equally important as the security of a single server, NSS can provide Technical Security Assessment Services (Penetration Testing & Vulnerability Assessment) and can also Review your Security Architecture as a whole.

What is Host Hardening?

The host hardening process starts with an requirements evaluation to see what the server is for and to assess the risks involved, as always security is a balance between ultimate security and usability. The more secure something is, by nature the less usable it becomes.

The main stages of host hardening are as follows:

• Disabling unused services and user accounts
• Tightening the security settings of required services (Limiting access by host or IP block)
• Replacing insecure or vulnerable services with more secure alternatives
• Removing unused tools, libraries, and files (OS minimization)
• Tightening file system security settings (System ACLS)
• Installing host-based intruder detection systems (HIDS)
• Running high risk services in a tightly controlled environment (e.g. chroot jail)

The Benefits of Host Hardening

The main benefits of Host Hardening are:

• Ensures the integrity and confidentiality for crucial servers and data
• Greatly reduces the risk of malicious attacks or web defacements
• Limits company liability by securing servers against spam attacks and being used as zombies
• Increases server performance and stability as a by-product of increasing security

If you wish to find out more, contact us directly.

Information Security Policy Development

What is an Information Security Policy?

In terms of a strong security posture, organizations must be able to rely on the three key aspects of information security:

• Confidentiality (knowing that sensitive information can be accessed only by those authorized to do so)
• Integrity (knowing that the information is accurate and up-to-date and has not been deliberately or inadvertently modified from a previously approved version)
• Availability (knowing that the information can always be accessed)

An Information Security Policy plays a vital role in providing guideline and management direction in implementing and enforcing company's information security goals/objectives with respect to Confidentiality, Integrity & Availability.

Why do you need Information Security Policies?

In modern times with the expansion of networks across boundaries of companies, cites, countries and continents, a pervasive Information Security Policy has become an indispensable document for an organization to keep up to security requirements. A complete Information Security Policy fulfils many purposes, such as:

1. Protecting People & Information
2. Setting the rules of expected behavior by management, users, system administrators and security personals
3. Provide the guidelines to respond to any security incidents
4. Ensure the compliance to various security standards such as ISO 27001, HIPPA, VISA PCI and Master Card SDP.
5. Meet regulatory requirements such as Bank Negara GPIS1

Why NSS?

NSS being one of few ISO 27001 certified company in the field of Information Security brings years of experience in Information Security Consulting and Security Policy Development. NSS has unprecedented resource pool of talent and experience in Information Security.

NSS has executed numerous projects for our esteemed clients and helped them to get certified for various industry security certifications, such as BS7799, ISO 27001, VISA PCI and the Malaysian National Bank (Bank Negara) GPIS1.

If you are interested or just wish to find out more, please contact us directly.

Infrastructure Security Services

What are Infrastructure Security Services?

A total infrastructure prevention solution is an integration of a number of physical security systems. Infrastructure Security Services Consultancy covers the entire range of electronic security systems, namely:

• Addressable fire detection systems
• Automatic gas suppression systems
• CCTV systems (IP Networks, Matrix Switchers, DVR Cameras etc)
• RFID/Biometric/Smart Card Access Control Systems
• Intrusion Detection Systems
• Law Enforcement Systems and Products such as
• Perimeter fencing
• Crash barriers
• Automatic Retraceable Bollards
• Turnstiles
• Undercarriage Scanners
• X-ray/Gamma Scanners
• Sniffers

Why Consultancy for Infrastructure Security Services?

Companies seeking Infrastructure Security have a wide range to choose from, the user needs to decide on the type and configuration of the equipment. This is possible with the help of NSS, who will allow the user to understand the products and give a fair comparison of the benefits and pitfalls of similar products on the market.

These systems are usually proprietary and comparison is difficult to make. Other major points for evaluation include pricing, vendor selection, after sales service and maintenance.

While Infrastructure Security Solutions and products can be easily deployed, they have to part of a complete and secure architecture to be effective.

With the right consultancy from our team of Infrastructure Security experts, the client will be able to address and understand their security requirements, budget accordingly and have professional assistance during the implementation of their chosen solution.

Our Infrastructure Security Solution

NSS provides vendor neutral consultancy for turnkey Infrastructure Security Solutions.

To date, NSS has successfully executed independent projects as well as assisted system integrators and suppliers in overcoming design and technical challenges during implementation of solutions. NSS consultants are functional experts who are experienced in the various aspects and considerations involved in providing complete Infrastructure Security.

Our implementation of major high profile Infrastructure Security projects have become benchmarks for subsequent implementations for the Government of India and the Sultanate of Brunei Darussalam. NSS has given pro-active consultation for the implementation of Infrastructure Security for high security government buildings in India. NSS has also executed successful projects for major petrochemical companies, multi-location corporations and high risk establishments.

If you are interested in finding out more, please contact us immediately.

ISO 27001 Consulting

What is ISO 27001?

ISO 27001 was published by the International Organization for Standardization (ISO) on 15 October 2005. Essentially, ISO/IEC 27001 defines an Information Security Management System (ISMS) and complements the ISO/IEC 17799 'code of practice' standard, itself first published as BS 7799-1. The two standards are closely aligned and related, but perform distinctive roles.

ISO/IEC 27001 is a standard setting out the requirements for an information security management system (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties including an organization's customers. It is suitable for several different types of organizational use, including the following:

• Formulation of security requirements and objectives;
• To ensure that security risks are cost effectively managed;
• To ensure compliance with laws and regulations;
• As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
• Identification and clarification of existing information security management processes;
• To be used by management to determine the status of information security management activities;
• To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
• To provide relevant information about information security policies, directives, standards and procedures to trading partners;
• To provide relevant information about information security to customers.

To Risk or Not to Risk?

To risk or not to risk your corporate information? This is the question that should be discussed within your organization. Do you put your organization at risk or do you take actions to establish and manage ISMS?

ISO 27001 is a risk based approach for assessing, evaluating, treating and managing Information and Asset security risks, a review process for re-assessing the risks and the effectiveness of this system and to have an internal ISMS audit process for checking compliance.

The Objective

Protection of information asset from wide range of threats to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. In short ensures preservation of Confidentiality, Integrity and Availability of your business critical data.

Our Offerings

Implementing ISMS in organization requires sufficient ISO27001 domain expertise. NSS ISO27001 Certified Consultants are backed with strong Information Security domain expertise to help organizations achieve compliance in accordance to the ISO27001 standard.

We offer:

• ISMS Gap Analysis
• ISMS Risk Assessment
• ISMS Implementation Services
• ISMS Awareness Training
• ISMS Pre-Audit Services
• ISMS Regular Review
• ISO27001 Certification Trainings

Why NSS?

NSS is a pure play Information Security company backed by consultants with security credentials such as CISA, CISSP, OPST, and ISO 27001 Lead Auditor and holds associate partnership with BSI (British Standard Institution).

• ISMS implementation track record for over 20 companies world-wide including 12 companies that have been BS7799 certified 
• ISO27001 Certification trainings for over 30 fortune 1000 companies
• First ISO 27001 company certified in ASEAN (UKAS accredited)
• Over 30 consultants with ISO 27001 certification
• Proven global track record in Information Security consulting with local presence

If you are interested, or would just like more information, please contact us directly.

Security Architecture Review

What is a Security Architecture Review?

The Security Architecture Review will comprehensively review the applications, network, servers and services within an organization's environment and identify methods to enhance and improve on the system infrastructure and support. This includes both future and existing infrastructure.

Security Architecture review often goes hand in hand with Technical Security Assessment, Information Security Policy Development and Host Hardening Services.

The Problem

Many organizations today are focused in implementing network architecture based upon business urgency rather than security. Architecture design flaws are almost awakening for many organisations today. In addition a delusion of security is achieved through state-of-art technology does not help many organisations to prevent such flaws.

Security must be a multi-layered approach (often referred to as the 'Onion Model') and the NSS Security Architecture Review ensures that all the layers gel together well to form a strong security posture for your organization.

The NSS Solution

The Architecture Review and Design focuses on a set of structured workshops, which cooperatively perform the following with customer staff and the project team.

• An Asset Inventory comprises an examination of the systems and related risks and threats from within and outside the organization.
• A review of the Business areas supported by the infrastructure to better understand the asset risk and required controls.
• Planned seminars to ensure all parties understand the intent, methods, justification and their role in the project.
• A technical review of the Architecture to ensure it is capable and sufficient to meet the business needs. Including operations and security management. A detailed review of the network component functions to ensure suitability.
• Development of detailed recommendations, migration plans and documentation to assist organisations in the growth and support plans of the infrastructure.

If you are interested in a Security Architecture Review, please contact us immediately.

Technical Security Assessment

What is Technical Security Assessment?

There are two main kinds of Technical Security Assessment that NSS focuses on, Vulnerability Assessment and Penetration Testing. If you wish to learn more you can read our article on Penetration Testing vs Vulnerability Assessment. We offer a comprehensive range of security assessment solutions for companies of all sizes (we have tested networks of over 10,000 active nodes) and also have service offerings especially for Security Architecture Review, Web Application and Application Security and Security Policy Development.

If you have an internal computer network, a mail server, a web server or any kind of custom software application or web-based application you are at risk from Malicious attacks.

An intruder will take any useful, worthy information they can, use your bandwidth and resources and leave you suffering a bruised ego, battered reputation and facing a severe financial loss.

Hackers, script kiddies, crackers, whatever the media currently calls them are all knocking your door. Why would someone hack me you ask? Simply because they can.

• Are you prepared?
• Could you survive an attack?
• Are you susceptible to attacks?
• Do you have a disaster recovery plan?
• An intrusion mitigation strategy?

In 2005 91% of organisations reported detecting computer security breaches in the last 12 months and 97% of these had websites. Of those with web sites, 23% reported suffering an attack within the last 12 months and 27% did not know if they had been attacked or not. Of those reporting attacks, 21% reported 2-5 and 58% 10 or more.

These statistics are alarming but it's likely that these don't truly show how bad things are; only 61% of polled organisations used some form of Intrusion Detection System.

Wouldn't you prefer the hackers on your side?

NSS security team will test the effectiveness of your security policies to see if they can survive a realistic, intensive attack.

Let us find the holes before somebody else does.

You can read our article on the differences between Blackbox Testing and Whitebox Testing and Internal vs External Testing to get an idea of the range of tests available from NSS.

We provide this information so you feel more comfortable with the process and understand what is involved. This means when you come to us you will have a clearer idea on your objectives for the project that will enable us to work together more efficiently.

Essentially your company’s security measures are analysed for design weaknesses, technical flaws and failings in the policies and procedures, then the results of the test are delivered in a comprehensive multi-level report including a human-readable management summary and a more technical section for the I.T. to take action on.

What is Involved?

There are many stages in a Penetration Test or Vulnerability Assessment our experts will undertake for your organisation, some of the stages would involve:

• Port Scan to open ports and exposed services
• Identify public services and any associated exploits
• External OS (Operating System) identification
• Router Testing Firewall and IDS testing
• Password cracking and account enumeration
• DoS (Denial of Service) tests
• Other specific tests for UNIX, Linux, Windows and Mac machines

Others can include physical security, war-dialing and more.

If you are interested or just wish to find out more please contact us directly.