“There are a number of steps to assure a company’s security. Firstly, check all its controls (procedural controls, administrative controls, technical controls, etc.). The second step is to move into attack mode and check whether every control, procedure, or product is configured or implemented properly. The third step is to do an audit.”
“We first do an internal audit for the company. Then an external threat is simulated by our experts. We have Certified Ethical Hackers to simulate internal and external threats.”
Vulnerability Assessment Methodology:
Step 1: Study and scope the IT architecture and components to be assessed
Step 2: Determine the boundary of analysis (which networks, hosts and services are in scope, and which are not)
Step 3: Identify asset owners and schedule the assessment tasks with them
Step 4: Impact analysis for active scans, including the risk of scanning services or servers that are in online production
Step 5: Plan for downtime and contingency, if applicable
Step 6: Estimate the scan effort, based on the complexity of the target network(s) and host(s)
Step 7: Define the scan policy for each target. The scan policy sets the level of scan: information gathering, policy checking, port scanning, password analysis, attack simulation, etc.
Step 8: Scan the targeted network(s) and host(s) according to the defined scan policy
Step 9: Collect the scan results and analyze them for security loopholes, configuration errors, default installation settings, overlooked setups, password quality, outdated firmware/software revisions, missing patches, security policy violations, etc.
Step 10: Submit assessment reports with suggestions and recommendations to fix the vulnerabilities
Top 10 security lapses or vulnerabilities:
1. Security threats and risks are not analyzed before security technology is selected and designed
2. Corporates fail to deal with the awareness and operational aspects of security
3. Lack of a robust security policy definition, or non-adherence to existing security policies
4. Absence of periodic security audits of IT infrastructure and operations
5. Lackadaisical implementation of physical security: easy physical access to data centers and critical IT assets
6. Misconfiguration of servers: default options left in place from the installation procedures of operating systems and applications, which are easily exploited
7. User accounts with no passwords or weak passwords, which are cracked or guessed with little effort
8. Failure to block unauthorized access to application ports: unwanted TCP ports left open on application servers
9. No data footprint to investigate after an incident, because logging and backups of data are non-existent or incomplete
10. Improper virus prevention procedures, such as antivirus signatures that are not updated on time
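The following script is an added example, not code from the page or from the consultancy quoted above. It ties the methodology (Steps 2, 7, 9 and 10: boundary of analysis, a scan policy per target, analysis of scan output, and a findings report) to the technical lapses in the list (items 6, 7 and 8: default installation settings, weak or empty passwords, unwanted open TCP ports). The hosts, port allowlists, minimum versions and the scan output are all constructed sample data; a real run would load normalised scanner exports in the same shape, and the policy would come from the asset owners identified in Step 3.

```python
"""Vulnerability assessment helper (added example, constructed data).
Scope check, per-target scan policy, analysis of scan output, report."""
import ipaddress
import re
from dataclasses import dataclass

# Step 2: boundary of analysis. Anything outside is refused, never scanned.
SCOPE = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical agreed range

# Step 7: scan levels in increasing depth; a policy level includes all lower ones.
LEVELS = ["information", "policy", "ports", "passwords", "attack"]


@dataclass
class ScanPolicy:
    level: str                # deepest level authorised for this target
    allowed_ports: frozenset  # TCP ports the asset owner says should be open
    min_versions: dict        # software name -> minimum patched version tuple


# Per-target policies (hypothetical hosts, owner-approved port lists and baselines).
POLICIES = {
    "10.20.0.10": ScanPolicy("passwords", frozenset({443}), {"OpenSSH": (8, 9)}),
    "10.20.0.20": ScanPolicy("ports", frozenset({22, 5432}), {"PostgreSQL": (15, 0)}),
}

# Constructed scan output, in the shape a scanner export would be normalised to.
# 192.0.2.7 (documentation range) is deliberately outside SCOPE.
SCAN_RESULTS = {
    "10.20.0.10": {
        "open_ports": [22, 443, 8080],
        "software": {"OpenSSH": "7.4p1", "Apache Tomcat": "9.0.50"},
        "default_settings": ["Tomcat manager app enabled with shipped users"],
        "password_analysis": [("admin", "admin"), ("deploy", "Winter2023!"), ("backup", "")],
    },
    "10.20.0.20": {
        "open_ports": [22, 5432],
        "software": {"PostgreSQL": "14.2"},
        "default_settings": [],
        "password_analysis": [("postgres", "postgres")],
    },
    "192.0.2.7": {"open_ports": [80], "software": {}, "default_settings": [], "password_analysis": []},
}

COMMON_PASSWORDS = {"password", "admin", "123456", "welcome", "letmein"}


def in_scope(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in SCOPE)


def level_includes(policy: ScanPolicy, level: str) -> bool:
    return LEVELS.index(policy.level) >= LEVELS.index(level)


def parse_version(text: str) -> tuple:
    # Leading dotted numeric part only: "7.4p1" -> (7, 4); no match -> ().
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()


def password_weakness(user: str, pw: str):
    """Return a reason string for a weak password, or None if it passes."""
    if pw == "":
        return "account has no password"
    if pw.lower() == user.lower() or pw.lower() in COMMON_PASSWORDS:
        return "password is a default or common guess"
    if len(pw) < 12:
        return "password shorter than 12 characters"
    return None


def analyze_host(result: dict, policy: ScanPolicy) -> list:
    """Step 9: turn one host's scan output into (severity, finding) pairs."""
    findings = []
    if level_includes(policy, "ports"):
        unwanted = sorted(set(result["open_ports"]) - policy.allowed_ports)
        if unwanted:
            findings.append(("HIGH", f"unauthorised TCP ports open: {unwanted}"))
    for name, version in result["software"].items():
        minimum = policy.min_versions.get(name)
        if minimum and parse_version(version) < minimum:
            baseline = ".".join(map(str, minimum))
            findings.append(("HIGH", f"{name} {version} below patched baseline {baseline}"))
    for setting in result["default_settings"]:
        findings.append(("MEDIUM", f"default installation setting left in place: {setting}"))
    if level_includes(policy, "passwords"):  # only if the policy authorised it
        for user, pw in result["password_analysis"]:
            reason = password_weakness(user, pw)
            if reason:
                findings.append(("HIGH", f"account '{user}': {reason}"))
    return findings


def assess(results: dict, policies: dict) -> dict:
    """Steps 8 to 10: enforce scope, apply each target's policy, build the report."""
    report = {}
    for host, result in results.items():
        if not in_scope(host):
            report[host] = [("SKIPPED", "outside the agreed boundary of analysis; not scanned")]
        elif host not in policies:
            report[host] = [("SKIPPED", "no scan policy defined for target")]
        else:
            report[host] = analyze_host(result, policies[host])
    return report


if __name__ == "__main__":
    for host, findings in assess(SCAN_RESULTS, POLICIES).items():
        print(host)
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

Two design points worth noting: the scope check runs before any per-host logic, so a target that slipped into the input but not into the Step 2 agreement is reported as skipped rather than analysed, and the password findings on the second host are deliberately absent because its policy stops at port scanning, which is exactly the kind of per-target limit Step 7 exists to record.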