Security Audit

ePlus Systems offers a full, comprehensive security audit for your organization, with particular value for organizations in the banking and telecommunication sectors.

Security and penetration tests are a requirement for meeting regulations such as PCI DSS, ISM, SOX, and HIPAA. They are also defined in industry standards such as ISO 17799 and ISO 27001 as important security tests that an organisation should undertake regularly. We can perform several levels of security audits/tests for you:

<1>Outside comprehensive network scan

We use top-10-listed tools (Nmap, Snort, Nessus, Wireshark, BackTrack) from [insecure.org] to perform comprehensive vulnerability scans of the Internet-facing environments in your organization.

Behavioral audit

Vulnerabilities are often not related to a technical weakness in an organization’s IT systems, but rather to individual behavior within the organization. Simple examples are users leaving their computers unlocked or falling for phishing attacks. The ePlus Systems audit therefore includes a penetration test in which auditors attempt to gain access to as much of the system as possible, both from the perspective of a typical employee and from that of an outside attacker.


List of tests we usually perform

  • Application penetration testing (including web applications, web services, mobile applications, thick-client applications)
  • Human factor penetration testing (social engineering/behavioral audit)
  • Red teaming
  • Physical security (physical penetration testing)
  • SAP Security
  • Intrusion detection and prevention systems (IDS/IPS)
  • Wireless
  • PBX / PABX including VoIP
  • Interactive Voice Response (IVR)
  • Remote access solutions e.g. Citrix, Terminal Services, IPSEC VPN, SSL VPN
  • Virtualisation
  • Database
  • SCADA
  • Microsoft Office SharePoint Server
  • Mobility solutions
  • Black box


<2>Comprehensive IT/Security audit (including, but not limited to)

  • Meeting with IT management and IT staff interviews
  • Current IT organization review
  • Job descriptions review
  • Operating systems and software applications analysis
  • Company’s IT policies and procedures analysis
  • Data center review and analysis
  • Compliance with the Data Protection Directive (officially EU Directive 95/46/EC)

Some IT review details

IT personnel – All IT personnel should be authorized to access the data rooms (key cards, login IDs, secure passwords). IT/organization employees are adequately educated about IT equipment and properly perform their jobs. The ePlus Systems auditor will observe and interview IT employees to satisfy these audit objectives.

Equipment – The ePlus Systems auditor will verify that all IT equipment is working properly and effectively. Equipment utilization reports, inspection of equipment for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of the IT equipment.

Business Procedures – All IT policies and procedures will be documented and kept at the IT data center. Documented procedures include: organization personnel job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of the operating systems.

Physical security – The ePlus Systems auditor will assess the security of the client premises. Physical security includes security guards, locked cages, man traps, single entrances, bolted-down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to ensure the security of the organization (air conditioning units, raised floors, humidifiers and UPS).

Backup Procedures – The ePlus Systems auditor will verify that the client has backup procedures in place in case of system failure. Clients may maintain a backup data center at a separate location that allows them to continue operations immediately in the event of a system failure.


<3>Reporting

As a result, your organization will receive a detailed report (33+ pages) covering, but not limited to:

3.1>Exploitation Timeline

3.2>Targets selected for Exploitation

3.3>Exploitation Activities

  • Directed Attack
  • Target Hosts unable to be Exploited
  • Target Hosts able to be Exploited
    • Individual Host Information
    • Attacks conducted
    • Attacks successful
    • Level of access granted plus escalation path
    • Link to Vulnerability section reference
    • Additional mitigating technique
    • Compensating control suggestion
  • Indirect Attack
    • Phishing
      • Timeline/details of attack
      • Targets identified
      • Success/fail ratio
      • Level of access granted
    • Client-side
      • Timeline/details of attack
      • Targets identified
      • Success/fail ratio
      • Level of access granted
    • Browser-side
      • Timeline/details of attack
      • Targets identified
      • Success/fail ratio
      • Level of access granted
  • Audit/Review
    • IT personnel report
    • Equipment report
    • Business Procedures report
    • Physical security report
    • Backup Procedures report

[ Positronic intelligence solutions™ ]