Vulnerability Assessment Service

In a world where hackers are knocking at your door 24/7, keeping a regular network vulnerability scanning schedule is a must. A vulnerability analysis can alert you to potential exposures and weaknesses in your network before a hacker takes advantage of them.

A vulnerability scan evaluates all aspects of your network and identifies any potential holes a hacker could exploit. The Vulnerability Scanning Service from Web Infomatrix analyzes every IP address, computer, server and device on your network including: desktops, web server platforms, mail servers, routers, switches, and hubs. You get a detailed explanation of the recommended fix for each vulnerability. This allows you to proactively fortify your network.

Web Security Services

Thorough overview of an organisations security from the public facing perimeter to the internal private network infrastructure.
Immediate definition of the security issues in your Network, Server and Application infrastructure.
A list of detailed steps to fix the discovered vulnerabilities and control security problems.
Compliance with Federal, State and many Organisational regulations that require security assessments.
Increased internal awareness of corporate liabilities.
Industry-leading expertise, support and guidance from SB’ security research and development team.
Benefit from our proprietary methods and processes.
Acquire and maintain certifications to industry regulations (BS7799, HIPAA, OSSTMM, OWASP).

Features

Web Infomatrix security experts validate your existing security controls and quantify real-world risks by conducting demonstrations of covert and hostile activities typical of network, system and application attacks in a safe and controlled exercise.When testing is complete, you will receive a detailed security roadmap that prioritizes the weaknesses in your network, system and application environment.

Safe, quality service by an expert security professional, through both manual techniques and automated scanning.
Unique combination of proprietary and industry-leading security assessment tools, complete with an in-depth analysis of vulnerability data.
Template driven projects to ensure the industry recognized guidelines of OSSTMM, OWASP, NSA and TTNSAC are followed at all times.
Prioritizes the discovered risks and defines immediate actionable items to improve security posture.
Regular examinations can highlight unexpected security changes to your company?s infrastructure.
Detailed report analyzing your network security and prioritizing the risks found in your system.
Clearly outlined responsibilities and detailed remediation steps to help you protect the confidentiality, integrity and availability of your company assets and resources.
Can be tailored on a per-client basis to suit individual requirements.

Benefits

Web Infomatrix ‘s Vulnerability Assessment Service helps safeguard your organisation against failure, through

Identifying vulnerabilities and quantify their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
Validates the effectiveness of current security safeguards.
Justifies and enables a security program by raising awareness about liability at all levels of the organisation.
Provides detailed remediation steps to prevent network compromise.
Raises executive awareness of corporate liability.

Technical Information :

Once specific domain names, networks and systems have been identified through scoping the testing team will gain as much information as possible about each part of the network. The process of enumeration will involve invasive discovery methods on each one of the systems with the aim to obtain usernames, application version information of services and applications and network share information limited only by the rules of engagement and scope agreed on.

Vulnerability Mapping

Attackers constantly probe networks, systems and web applications with automated tools in search of exploitable vulnerabilities. organisations that fail to test and secure their assets often fall victim to these attackers. These probes and attacks are not limited to the size or complexity of an organisations network but rather the security structure in place at the organisation. A successful compromise could cost a company grave financial losses along with loss of reputation, customer confidence, market share, productivity and trade secrets.

Security Brigade helps organisations identify security issues before they are exploited by malicious attackers. We accomplish this by conducting an assortment of vulnerability tests & scans against the target systems to simulate real-world probes and attacks, accurately discover issues, and provide proven solutions for countering the attacks. At the conclusion of the testing process, a findings report is provided which includes a detailed description of each issue, an associated severity rating, an exploit ability risk rating, and one or more practical recommendations for addressing the issues.

Different from Penetration Testing :

Vulnerability Assessment is very different approach to that of penetration testing, which often fails to identify vulnerabilities due to high traffic densities triggering IDS systems. With Security Brigade’s Vulnerability Assessment the investigation is undertaken in a non-invasive manner. Your network infrastructure is targeted but not penetrated, and no client information is obtained.

Our Testing Process

Scoping

The scoping process will define the target system(s) that will be considered during the penetration testing. This will define the boundaries, objectives and the validation of procedures. Defining the target system(s) is crucial in many ways – legally, resourcefully, and financially.

Enumeration

This process involves mapping the profile of the environment to publicly known, private and unknown vulnerabilities. The researchers at Security Brigade constantly work on discovering and cataloging new unknown vulnerabilities that could affect our clients. The mapping process allows the tester to short list the huge database of vulnerabilities to the most relevant ones for that particular network environment.

Compliance Testing :

All the vulnerabilities found during testing are analyzed/evaluated from a compliance and industry standards perspective and violations are reported.

Report

Web Infomatrix works with you to develop a report that will provide a clear and prioritized matrix of actions, work efforts and findings. A preliminary draft report will be provided to the technical point of contact for the purpose of review and clarification followed by a final report at the end of testing. The report will include the following

Executive Summary (Free of jargon, with topics of executive interest)
Methodologies, scope and summary of evaluations
Research: Websites, documents, IRC, USENET etc
Priority, including remediation priorities and risk
Estimates of work required for remediation
Findings and recommendations sufficient for risk management and remediation planning

Compliance

Web Infomatrix’s Penetration Testing service can meet the requirements of many standards and guidelines in relation to information security. Our Penetration Testing team has working knowledge of the following standards and attempt to exceedingly meet thier requirements.

1. PCI

The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.

2. ISACA

ISACA was established in 1967 and has become a pace-setting global organisation for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA’s cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.

3. CHECK

The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de-facto standard for penetration testing in the UK. This is mainly on account of its rigorous certification process. Whilst good it only concentrates on infrastructure testing and not application. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties, and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.

4. OSSTMM

The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.

5. BS7799

BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995. It was written by the United Kingdom Government’s Department of Trade and Industry (DTI), and after several revisions, was eventually adopted by ISO as ISO/IEC 17799. ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007. The BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005. BS7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.

6. HIPPA

7. OWASP

The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.

Office Address Delhi

B-68, 40 FT Road, Chanakya Place, Opposite C-1 Janakpuri
New Delhi -110059
Phone: 9212306116, 8860646116
Email: info@webinfomatrix.com

Office Address Hyderabad

301, Mount Raghav Complex,
Model House Lane, Opp. Samsung Plaza,
Dwarkapuri Colony, Panjagutta,
Hyderabad – 500034 ( AP)