Indusface Consulting

“Tawuniya would like to put it on record the high quality services offered by Indusface. We acknowledge the successful completion of Penetration Testing & Vulnerability Assessment by Indusface.”

- Sabry Abdou, Tawuniya (Largest Insurance Company in Saudi Arabia)

Vulnerability management services

Over the last few years, organizations have been adding functionality to their existing applications in an effort to provide more convenience and better service to their customers, partners and employees. These continual changes to your IT infrastructure create new gaps and introduce unacceptable levels of business risk by increasing the risk of compromise to your existing critical data and information systems. With the advent of sophisticated, automated exploitation tools and “point-and-click” hacking, anyone with a network connection (internet, corporate, internal etc.) is potentially vulnerable to attack. The consequences of a malicious attack could be fatal for your organization, leading to potential financial losses, damage to reputation, business risk exposure (downtime, media attention, effort etc.), legal issues, and loss of the internet presence of a service (causing business disruption).

Managing vulnerabilities requires a well thought-out process that aligns to business needs and provides a solid framework for the IT department. The goal of Vulnerability Management is to have a system that helps to reduce the time and money invested in dealing with vulnerabilities and reduces the risk of vulnerability exposure.

In recent times, the following areas of concern have called for immediate remedies, and they indicate that Vulnerability Management is rapidly becoming a key concern for every organization:

  1. The number of vulnerabilities is growing
  2. The timeframe between vulnerability disclosure and exploit has shortened
  3. The urgency to mitigate network vulnerabilities has become more crucial than ever
  4. Management is held responsible for vulnerability management
  5. Auditors need a detailed report on vulnerability management
  6. Management needs a single dashboard on vulnerability status within the organization

When was the last time you evaluated your vulnerability management program? Turn to Indusface. Indusface can help you assess your current vulnerability management program. Our Vulnerability Management service analyzes the gaps in your vulnerability management program and identifies the areas where you may not have the right balance of people, process and technology.

Vulnerability management encompasses a number of related disciplines, some of which are processes in their own right. Vulnerability assessments and penetration tests have their place in a vulnerability management process. However, both are monumental tasks that should not be entered into lightly. It's vital to know when one is more suitable than the other and how it will mitigate threats.

Indusface Solution

The Indusface Penetration Testing and Vulnerability Assessment service is typically a zero-touch, Security as a Service (SaaS), remote assessment of an organization’s internal and external networks, delivered from Indusface's ISO 27001-adherent Secure Delivery Centers. Through these assessments, Indusface security analysts try to find out how safe a customer network is from hackers and identify the associated technical risks. The key objective of these tests is to help customers minimize the risk of a hacker causing damage to their network by performing a range of intrusion tests using the same techniques known to be used by the most common hackers. Indusface follows a standardized assessment approach based on the internationally accepted OSSTMM best practice:

Scope definition
»  Which attacker profile the tester will use
     ›  Hacker with no knowledge about the target
     ›  Hacker with knowledge about the target
     ›  Internal user with access
»  Which systems or networks the test will be conducted for
»  Duration of the test

Information gathering
»  Whois  
»  Google 
»  DNS Retrieval SOA Records
»  Tools/Websites 
»  Social Engineering
»  Dumpster Diving
»  Web Site copy

Vulnerability Detection        
»  Using manual and tool-based techniques to identify vulnerabilities. The tools are a combination of commercial and open source software

Information analysis and planning
»  Collating the information gathered in previous stages
»  Preparation of High level attack planning
»  Overall Approach
»  Target identification

Attack and Penetration/Privilege escalation
»  Attack and penetration
»  Known/available exploit selection
     ›  Tester acquires publicly available software for exploiting
»  Exploit customization
     ›  Customize the exploit software to work as desired
»  Exploit development
     ›  Develop own exploit if no exploit program is available
»  Exploit testing
     ›  Exploit must be tested before the formal test to avoid damage
»  Attack
     ›  Use of exploit to gain unauthorized access to target
»  Privilege Escalation
»  What can be done with acquired access/privileges
     ›  Alter
     ›  Damage
     ›  What not……

Result analysis and reporting
»  Organize Data/related results for Management Reporting
»  Consolidation of Information gathered
»  Analysis and Extraction of General conclusions
»  Recommendations

Clean Up
»  Cleaning up everything that was done during the testing
»  Any System alterations
»  Exploits

© 2009 Indusface. All rights reserved.