locuz.com Security Audit Services Professional Services

Jun 29, 2020
Page 1

locuz.com

Security Audit Services

Professional Services

Page 2

Today’s Security Landscape

“Today, over 80% of attacks against a company’s network come at the ‘Application Layer’, not the Network or System layer.”

Immunity against security threats is becoming one of the leading challenges for the enterprise community. The race to “go online” and develop competitive services is leading enterprises to launch web applications rapidly with less attention to security risks, making the sites vulnerable. Many corporate sites are vulnerable to hackers at the touch of a button.

Locuz follows a complete, established and highly effective methodology to help organizations across various verticals address their vulnerabilities and improve their security posture.

Today's security challenges require a fresh look at connectivity and its related security from a fundamental, architectural perspective.

Locuz is a CERT-In empanelled IT Security Auditor.

Dynamic Threat Environment:
- Internal and external threat environment not improving
- Attacks becoming more targeted and financially motivated
- Attacks becoming more sophisticated, targeting applications as well as networks
- Organized criminal gangs taking over from teenage hackers and "script kiddies"

Regulations / Compliance:
- Basel II, Sarbanes-Oxley, HIPAA, SEC, PCI DSS etc.

Other drivers shown on the slide: Shareholder Value; Brand and Reputation.

Page 3

Security Services Framework

Our security services comprise the processes and technologies that provide secure access to your business applications and new endpoints.

Framework (as drawn on the slide: Business Goals & Objectives at the top, Security Policy at the centre, and Confidentiality, Integrity and Availability as the foundation):
- Visibility / Control: Identity & Access Management; Active Monitoring; Correlation & Analysis; Isolation & Remediation; Policy Enforcement
- Risk Assessment; Security Operations; Hardening

Security Services Portfolio:
- Infrastructure & Network Security
- Governance, Risk & Compliance
- Cloud Security
- BCP
- Identity & Access Management / Single Sign-On
- Security Information & Event Management (SIEM)
- Mobile Security
- Security Posture Assessment (VA / PT)
- Security Operations Center (SOC)
- Data Loss Prevention (DLP)
- End Point Security
- Web Security & Mail Security

Page 4

Security Audit Methodology

We integrate the best security testing practices of the industry, conforming to information security compliance standards and to our commitment to ensure the highest possible confidentiality. Every activity is performed only after identifying the complete architecture of the network and its complexity.

The steps followed in the audit process are given below:

1. Preparation: identifying critical areas to perform the audit.
2. Scanning: understand the organizational processes, complexity and technical configurations of the infrastructure.
3. Enumeration: collection of network resources and understanding of the active connections to systems and direct queries.
4. Vulnerability Analysis: understand the vulnerabilities and their impact on information such as web application variables, etc.
5. Documentation: documentation of information and provision of scanned reports on the vulnerabilities and their impact.

Value Proposition:
- Field tested methodologies based on standards and proven frameworks
- Strategic Technology Alliances with Security Vendors
- End-to-End Security Consulting, Deployment & Management
- SOC Service Provider
- CERT-In Empanelled Auditor
- Best of class Certified Ethical Hackers & Security Specialists
- Combination of state-of-the-art tools
- Insightful Reports
- Deep domain knowledge (industry regulations, compliance needs etc.)

Page 5

What we do?

Vulnerability Assessment & Penetration Testing

Comparison of Vulnerability Assessment (VA) and Penetration Testing (PT):

Testing Scope
  VA: Scans for all potential network vulnerabilities.
  PT: Identifies vulnerabilities and determines if they can actually be exploited.

Vulnerability Relevance
  VA: Categorizes vulnerabilities based on standardized, theoretical information, not customized to the tested network.
  PT: Tests vulnerabilities on specific network resources, enabling prioritization of remediation efforts.

Usefulness of Test Results
  VA: Provides false positives, identifying vulnerabilities that cannot be exploited.
  PT: Exploits vulnerabilities, identifying only those that pose actual threats to network resources.

Network Connection Testing
  VA: Does not address connections between network components.
  PT: Exploits trust relationships between network components to demonstrate actual attack paths.

Remediation Assistance
  VA: Delivers long lists of vulnerabilities, limiting remediation options to widespread patching.
  PT: Assesses the potential risks of specific vulnerabilities, allowing users to patch only what is necessary and to test the effectiveness of patches and other mitigation strategies, such as intrusion prevention.

Testing of Other Security Investments
  VA: Does not simulate attacks to test IDS, IPS or other security technologies.
  PT: Launches real-world attacks to determine if other security investments are functioning properly.

Security Risk Assessment
  VA: Only identifies missing patches, making it impossible to truly assess security risks.
  PT: Safely mimics the actions of hackers and worms, providing risk evaluations based on tangible network threats.

Page 6

Web Application Testing

Test categories, test types and the depth of web app testing coverage:

Authentication
  Brute Force: Yes
  Insufficient Authentication: Yes
  Weak Password Recovery Validation: Yes

Authorization
  Credential/Session Prediction: Yes
  Insufficient Authorization: Yes
  Insufficient Session Expiration: Yes
  Session Fixation: In-depth

Logical Attacks
  Abuse of Functionality: In-depth
  Denial of Service: Yes
  Insufficient Anti-Automation: Yes
  Insufficient Process Validation: Yes

Client-Side Attacks
  Content Spoofing: Yes
  Cross Site Scripting: In-depth
  CGI Scripting: Extensive, including application specific

Command Execution
  Buffer Overflow: Yes
  Format String: In-depth
  LDAP Injection: Yes
  OS Commanding: Yes
  SQL Injection: In-depth
  SSI Injection: Yes

Information Disclosure
  Directory Indexing: Yes
  Path Traversal: Yes
  Predictable Resource Location: Yes
  Information Leakage: In-depth

System Vulnerability Check
  ICMP Checks: Yes
  Windows NT Checks: Yes
  TCP & UDP Port Tests: Yes
  Stealth Testing: Yes
  DNS Spoofing: Yes
  RPC Testing: Yes
  Initial Sequence Number Prediction: Yes
  FTP Abuse Checks: Yes
  SMTP Relay Checks (spam): Yes
  LDAP Checks: Yes
  SNMP Checks: Yes
  DNS and BIND Checks: Yes
  SMB/NetBIOS Checks: Yes
  NFS Checks: Yes
  NIS Checks: Yes
  WHOIS Checks: Yes
  Domain Checks: Yes
  Spoofing Checks: Yes

Page 7

Partial Clientele List…

Page 8

About Locuz

Locuz is an IT Infrastructure Solutions and Services company focused on helping enterprises transform their businesses through innovative and optimal use of technology. Our strong team of specialists helps address the challenge of deploying and managing complex IT infrastructure in the face of rapid technological change.

Apart from providing a wide range of advisory, implementation and managed IT services, Locuz has built innovative platforms in the areas of Hybrid Cloud Orchestration, High Performance Computing and Software Asset Analytics. These products have been successfully deployed in leading enterprises, and we are helping customers extract greater RoI from their IT infrastructure assets and investments.

Security Audit Services

Locuz Enterprise Solutions
401, Krishe’ Sapphire, Main Road, Madhapur, Hyderabad - 500018, Telangana, India