Information Risk Management
Our Penetration Test Services have been formulated to achieve three key objectives:
- Provide a non-invasive means to test the current strength of the external security of the network.
- Provide an independent analysis of your network and identify its vulnerabilities.
- Advise on the most effective solutions to secure your network.
The test includes a Manual Verification and Testing phase. During this phase, false positives from the automated scans are removed and targets are tested in depth using both open-source security tools and NSS-authored tools.
While the scans can identify a large portion of the vulnerabilities present, some complex, emerging, or obscure vulnerabilities can only be identified by manual testing. The NSS team attempts to discover these with an additional layer of manual tests.
The diagram below demonstrates the overall approach used to perform an Internal Network Audit.
What is an Information Security Policy?
In terms of a strong security posture, organizations must be able to rely on the three key aspects of information security:
- Confidentiality (knowing that sensitive information can be accessed only by those authorized to do so)
- Integrity (knowing that the information is accurate and up-to-date and has not been deliberately or inadvertently modified from a previously approved version)
- Availability (knowing that the information can be accessed whenever it is needed by those authorized to do so)
Why do you need Information Security Policies?
Today, with networks extending across the boundaries of companies, cities, countries and continents, a comprehensive Information Security Policy has become an indispensable document for an organization that wants to meet its security requirements. A complete Information Security Policy fulfils many purposes, such as:
- Protecting People & Information
- Setting the rules of expected behavior for management, users, system administrators and security personnel
- Providing guidelines for responding to security incidents
- Ensuring compliance with security standards such as ISO 27001, HIPAA, Visa PCI and MasterCard SDP
- Meeting regulatory requirements such as Bank Negara GPIS1
NSS brings years of experience in Information Security Consulting and Security Policy Development, and has an unprecedented resource pool of talent and experience in Information Security.
NSS has executed numerous projects for our esteemed clients and helped them to get certified for various industry security certifications, such as BS7799, ISO 27001, VISA PCI and the Malaysian National Bank (Bank Negara) GPIS1.
The Application Security Review consists of four phases. NSS Application Security Review offerings use a holistic approach to provide a higher degree of assurance in managing your application security risks.
The components of our application security offerings are:
- Application Architecture Review
- Application Development Process Review
- Application Platform & Configuration Management Review
- Application Code Review
- Application Penetration Test
The review provides detailed findings on vulnerabilities that increase your overall information security risk, together with specific recommendations for improvement. It covers:
- Inherent vulnerabilities in your application network architecture
- Risks introduced through development, integration, and deployment processes
- Inherent vulnerabilities in your application and its platform
- Application and infrastructure exposure to attack
NSS can offer this service to customers at various stages of the application lifecycle. However, conducting an Application Security Review earlier in the development process may help organizations recognize and correct design, development, or implementation flaws before they become expensive fixes or irreparable problems.
- Cost effective solutions
- Alignment with industry standards and guidance (ISO 27001, OWASP)
- Repeatable process and maximum knowledge transfer
- Industry knowledge and expertise
- Proven track record and methodology
Many organizations today implement network architecture based on business urgency rather than security, and architecture design flaws come as a rude awakening. A false sense of security derived from state-of-the-art technology does not prevent such flaws either.
Security must be a multi-layered approach (often referred to as the 'Onion Model'), and the NSS Security Architecture Review ensures that all the layers fit together to form a strong security posture for your organization.
The Architecture Review and Design is built around a set of structured workshops in which NSS, customer staff and the project team jointly carry out the following:
- An asset inventory: an examination of the systems and of the related risks and threats from within and outside the organization.
- A review of the Business areas supported by the infrastructure to better understand the asset risk and required controls.
- Planned seminars to ensure all parties understand the intent, methods, justification and their role in the project.
- A technical review of the architecture, including operations and security management, to ensure it is capable of meeting the business needs, together with a detailed review of the network component functions to confirm their suitability.
- Development of detailed recommendations, migration plans and documentation to assist organizations in the growth and support plans of the infrastructure.
What is Host Hardening?
The host hardening process starts with a requirements evaluation to establish what the server is for and to assess the risks involved. As always, security is a balance between protection and usability: the more tightly a host is locked down, the less it can do, so each control has to be weighed against the server's purpose.
The main stages of host hardening are as follows:
- Disabling unused services and user accounts
- Tightening the security settings of required services (Limiting access by host or IP block)
- Replacing insecure or vulnerable services with more secure alternatives
- Removing unused tools, libraries, and files (OS minimization)
- Tightening file system security settings (system ACLs)
- Installing host-based intrusion detection systems (HIDS)
- Running high-risk services in a tightly controlled environment (for example, under a dedicated unprivileged account, in a chroot jail or in a container)
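The stages above are a procedure; the first practical step in each of them is finding out what is actually on the host. The following is an added example, not NSS tooling, of the checks an auditor would script for the account, service and file-system stages: it flags login-capable accounts that are not expected, services listening on network-reachable addresses outside an allow-list, and world-writable or unexpected setuid paths. The /etc/passwd text, the `ss -H -tlnp` output and the file modes are constructed samples, and the allow-lists are assumptions for the example; on a real host you would feed the live data to the same functions.

```python
"""Host-hardening audit helpers.

Added example, not NSS tooling. The /etc/passwd and `ss -H -tlnp` text
below is constructed for the example; on a real host you would read
/etc/passwd and run `ss -H -tlnp` (or `netstat -tlnp`) and feed the
output to the same functions. The allow-lists are assumptions.
"""
import re
import stat

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample of /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
ops:x:1000:1000:ops:/home/ops:/bin/bash
"""

# Constructed sample of `ss -H -tlnp` output
# (State Recv-Q Send-Q Local:Port Peer:Port Process).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1450,fd=21))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1501,fd=7))
LISTEN 0 50 *:111 *:* users:(("rpcbind",pid=600,fd=4))
"""

# Constructed (path, st_mode) pairs, as os.lstat(path).st_mode would return them.
SAMPLE_MODES = [
    ("/tmp", stat.S_IFDIR | 0o1777),
    ("/var/www/uploads", stat.S_IFDIR | 0o777),
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755),
    ("/opt/legacy/runme", stat.S_IFREG | 0o4755),
    ("/etc/shadow", stat.S_IFREG | 0o640),
]


def interactive_accounts(passwd_text, expected):
    """Accounts with a login shell that are not in `expected`: candidates to lock
    or switch to nologin (stage: disabling unused user accounts)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        if shell not in NOLOGIN_SHELLS and name not in expected:
            findings.append((name, int(uid), shell))
    return findings


_SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "[::1]"}


def exposed_listeners(ss_text, allowed_ports):
    """Services listening on a network-reachable address whose port is not in
    `allowed_ports` (stage: disabling unused services / limiting access by host).
    Loopback-only listeners are skipped: they are already host-restricted."""
    findings = []
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if addr in LOOPBACK or port in allowed_ports:
            continue
        findings.append((proc, port, addr))
    return findings


def loose_permissions(entries, expected_setuid=frozenset()):
    """World-writable paths without the sticky bit, and setuid/setgid files that
    are not expected (stage: tightening file system security settings)."""
    findings = []
    for path, mode in entries:
        if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
            findings.append((path, "world-writable"))
        if (mode & (stat.S_ISUID | stat.S_ISGID)) and path not in expected_setuid:
            findings.append((path, "setuid/setgid"))
    return findings


def run_audit():
    """Run all checks against the constructed samples and return the findings."""
    return {
        "accounts": interactive_accounts(SAMPLE_PASSWD, expected={"root", "ops"}),
        "listeners": exposed_listeners(SAMPLE_SS, allowed_ports={22, 80}),
        "permissions": loose_permissions(SAMPLE_MODES, expected_setuid={"/usr/bin/passwd"}),
    }


if __name__ == "__main__":
    for check, items in run_audit().items():
        for item in items:
            print(f"[{check}] {item}")
```

Against the samples the audit reports the `games` and `backup` accounts (login shells, not expected), `mysqld` and `rpcbind` (reachable from the network, not on the allow-list) and the world-writable upload directory plus the unexpected setuid binary; the loopback-bound Redis listener is left alone because binding to 127.0.0.1 is exactly the "limit access by host" control the stages call for. The output is a work list, not a verdict: each item still needs the requirements evaluation described above before it is disabled or tightened.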
The Benefits of Host Hardening
The main benefits of Host Hardening are:
- Ensures the integrity and confidentiality for crucial servers and data
- Greatly reduces the risk of malicious attacks or web defacements
- Limits company liability by preventing servers from being abused as spam relays or botnet zombies
- Can improve server performance and stability as a by-product of removing unneeded services and software
Network Security Solutions has developed specialist expertise and capability in researching and reviewing new vulnerabilities, exploits and their remedies, keeping pace with the latest Internet security trends, coupled with the experience of setting up India's only national-level Computer Emergency Response Team (Indian CERT).
What NSS Can Provide
NSS can help conceptualize and set up a Computer Security Incident Response Center (CSIRC) to resolve computer security problems in a way that is both efficient and cost-effective. Combined with policies for centralized reporting, a CSIRC can reduce waste and duplication while providing a better posture against potentially devastating threats.
The CSIRC shall enable the Government/Organization to handle computer incidents, which may include one or a combination of the following:
- Compromise of integrity, such as when a virus infects a program or a serious system vulnerability is discovered
- Denial of service, such as when an attacker has disabled a system or a network worm has saturated network bandwidth
- Misuse, such as when an intruder (or insider) makes unauthorized use of an account
- Damage, such as when a virus destroys data
- Intrusions, such as when an intruder penetrates system security
In its broadest sense, a CSIRC effort can be viewed as the involvement of the agency as a whole, organized such that its management structures, communications and reporting mechanisms, and users all work together in reporting, responding to, and resolving computer security incidents quickly and efficiently. However, our experience in establishing a Computer Emergency Response Team has shown that a CSIRC is defined less by its organizational structure than by its centralized, proactive capability to respond to security threats with speed, efficiency, and without duplication of effort and waste of agency resources.
To achieve those objectives:
- Current efforts will most likely require some revamping.
- Policies for centralized reporting, and the mechanisms for effecting it, will need to be set up.
- Personnel with requisite skills & equipment will need to be dedicated to the effort.
- Other changes in the way in which the agency manages computer security will most likely result.
A knowledge partnership with NSS brings with it an unprecedented resource pool of talent and experience in Security, Information Risk Management, Privacy Protection, Incident Response, Risk Mitigation and Damage Limitation. Our security experts include former National Security Officers, Military and Law Enforcement Officers, and a core team of Certified Information Systems Security Professionals (CISSPs), Certified Information Systems Auditors (CISAs) and Lead Auditors in Information Security (BS7799). From this pool a core team of specialists has been selected who set up India's CERT, based on industry best practices, in collaboration with Carnegie Mellon University (US CERT). This NSS team will support the organization's initiative to create an effective CSIRC.
NSS offers comprehensive WLAN Auditing and Consultancy services to help assess the security posture of your WLAN and to configure it to the maximum security level possible.
- Review of the wireless network architecture and implementation against known attacks and vulnerabilities
- Advice on privacy
- Detection of rogue access points
- Identification of vulnerabilities in the access points
Benefits of Wireless Auditing
- Helps you understand the security vulnerabilities in your current WLAN setup
- Helps you fix those issues
- Gives you more control over the wireless network
- Helps increase productivity
What are Infrastructure Security Services?
A complete infrastructure protection solution integrates a number of physical security systems. Infrastructure Security Services Consultancy covers the entire range of electronic security systems, namely:
- Addressable fire detection systems
- Automatic gas suppression systems
- CCTV systems (IP networks, matrix switchers, DVRs, cameras, etc.)
- RFID/Biometric/Smart Card Access Control Systems
- Intrusion Detection Systems
- Law Enforcement Systems and Products such as:
  - Perimeter fencing
  - Automatic Retractable Bollards
  - Undercarriage Scanners
  - X-ray/Gamma Scanners
Why Consultancy for Infrastructure Security Services?
Companies seeking Infrastructure Security have a wide range of products to choose from, and the user has to decide on the type and configuration of the equipment. NSS helps the user understand the products and gives a fair comparison of the benefits and pitfalls of similar products on the market.
These systems are usually proprietary and comparison is difficult to make. Other major points for evaluation include pricing, vendor selection, after sales service and maintenance.
While Infrastructure Security solutions and products can be deployed easily, they have to be part of a complete and secure architecture to be effective.
With the right consultancy from our team of Infrastructure Security experts, the client will be able to address and understand their security requirements, budget accordingly and have professional assistance during the implementation of their chosen solution.
Our Infrastructure Security Solution
NSS provides vendor neutral consultancy for turnkey Infrastructure Security Solutions.
To date, NSS has successfully executed independent projects as well as assisted system integrators and suppliers in overcoming design and technical challenges during implementation of solutions. NSS consultants are functional experts who are experienced in the various aspects and considerations involved in providing complete Infrastructure Security.
Our implementations of major high-profile Infrastructure Security projects have become benchmarks for subsequent implementations for the Government of India and the Sultanate of Brunei Darussalam. NSS has provided proactive consultation for the implementation of Infrastructure Security for high-security government buildings in India. NSS has also executed successful projects for major petrochemical companies, multi-location corporations and high-risk establishments.
- Defacement of websites leading to blacklisting.
- Loop holes in web application security providing attackers access to sensitive & confidential data.
- Malware or spam injected into the web application that redirects visitors to fake sites, helping attackers capture data for misuse and gain access to visitor information and online behavior
- Malware that installs itself on a computer and starts stealing data without anyone's knowledge; by the time you realize the computer has been compromised, it is more often than not too late
- Vulnerabilities: weaknesses that attackers exploit to gain access to web and database server information
- Sensitive Information Exposure: Mobile applications can write sensitive information to device storage, from where it can be retrieved by anyone with access to the device or its backups. This can be credit card details, passwords or other private information that is easily exploited once exposed.
- Unencrypted Traffic: Mobile applications exchange information with various servers. By sniffing clear-text traffic on the network, an attacker can steal sensitive information such as login credentials and transaction details.
- Injection Attacks: Injection flaws occur when an application passes untrusted input to an interpreter as part of a command or query. They can cause loss of data and even lead to host takeover, which can ruin a client's reputation.
- Parameter Manipulation Attacks: A malicious user may gain access to data or to other users' active sessions by manipulating parameters in HTTP requests. Fraudulent transactions are conducted in the same manner.
- Insecure Coding: By reverse engineering the application installer file, an attacker can inspect the code for useful information. Badly coded applications may carry hard-coded sensitive information such as passwords, database credentials or logging details in the code itself.
- Exception and Error Handling: If error messages are not customized, they can reveal information about the application or server that is useful to an attacker.
- Weak Server Side Controls: If server-side controls are not in place, validation and business logic implemented only on the client can be bypassed, leading to a security breach and possibly to business loss.
- Authorization and Authentication Related Checks: An attacker can gain unauthorized access to the application and perform malicious actions, leading to high security risk.
- Session Related Threats: Improper session management may lead to a compromised user session.
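The Insecure Coding, Unencrypted Traffic and Exception and Error Handling items above describe what an attacker looks for once the installer has been pulled apart with a decompiler: literal credentials, connection strings with embedded passwords, plain `http://` endpoints and debug logging left on. The following is an added example, not NSS tooling, of the kind of static check a reviewer runs over decompiled sources before the manual code review, so that the manual effort goes to what the patterns cannot see (server-side controls, session handling, authorization). The Java-like source is constructed for the example, the pattern set is an assumption rather than an exhaustive rule set, and the redaction step exists so that findings can go into a report without copying the secret.

```python
"""Static check for secrets and weak settings in decompiled mobile app sources.

Added example, not NSS tooling. The Java-like source below is constructed
for the example (as if recovered from an APK with a decompiler); the pattern
set is an assumption that illustrates the kinds of findings the list above
describes, not an exhaustive rule set.
"""
import re

SAMPLE_SOURCE = """\
package com.example.bank;
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1";
    private static final String LEGACY_URL = "http://legacy.example.com/api";
    private static final String API_KEY = "a9f3c1e7b2d84f60";
    static final String DB_URL = "jdbc:mysql://db.example.internal:3306/bank?user=app&password=Summ3r2020!";
    private String password = "P@ssw0rd123";
    private static final boolean DEBUG = true;
    // logging of the auth token
    Log.d("AUTH", "token=" + token);
}
"""

# (label, compiled pattern). Each pattern targets one item from the threat list.
CHECKS = [
    ("hard-coded password",
     re.compile(r'(?i)\b(pass(word|wd)?|pwd|secret)\b\s*[=:]\s*"[^"]{4,}"')),
    ("hard-coded API key/token",
     re.compile(r'(?i)\b(api[_-]?key|auth[_-]?token|access[_-]?token)\b\s*[=:]\s*"[^"]{8,}"')),
    ("credentials in connection string",
     re.compile(r'(?i)(jdbc:|mongodb(\+srv)?://|postgres(ql)?://|mysql://)[^"\s]*(password=|:[^/@\s]+@)')),
    ("private key material",
     re.compile(r'-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----')),
    ("cleartext HTTP endpoint",
     re.compile(r'"http://')),
    ("debug logging left enabled",
     re.compile(r'(?i)\bDEBUG\s*=\s*true\b|Log\.[dv]\(')),
]


def scan_source(text):
    """Return (line_number, label, stripped_line) for every line matching a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def redact(line):
    """Mask quoted literals (keep first and last two characters) so a finding
    can be quoted in a report without reproducing the secret itself."""
    return re.sub(r'"([^"]{4,})"',
                  lambda m: '"' + m.group(1)[:2] + "..." + m.group(1)[-2:] + '"',
                  line)


def report(text):
    """Human-readable, redacted list of findings for a review write-up."""
    return [f"line {n}: {label}: {redact(src)}" for n, label, src in scan_source(text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_SOURCE):
        print(entry)
```

On the constructed class the scan flags the cleartext legacy endpoint, the API key, the JDBC URL carrying a password, the password field and the two debug artefacts, while leaving the HTTPS base URL and the comment alone. The remediation is the same for every hit of the first three kinds: the value does not belong in the installer at all, and should be obtained from the server after the user has authenticated, with the server enforcing authorization for every request regardless of what the client sends.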