Security assessment is the review of existing or planned security controls, assessing their effectiveness and efficiency, and documenting the results. There are many names for security assessments; the name usually reflects the target and the objective of the assessment.

Security assessments can be targeted at all or part of an organization's overall security program. Limited scope assessments are useful for addressing specific security concerns or for supporting specific security projects.

Assessment types by target of risk assessment

Targets: Policies & Procedures | Technology (Application, System, Wireless LAN, Desktop)

Limited Scope Assessments:
  Security Policy & Procedures Review, Code Review, System Architecture Review,
  External Vulnerability Scan, Internal Vulnerability Scan, War Dialing,
  Social Engineering, Penetration Testing

Larger Scope Assessments:
  Information Risk Assessment, Security Audits, BS 7799 Gap Analysis,
  BS 15000 / ITIL Assessments, COBIT Assessment, BCP/DRP Review

Examples of a limited scope security review include a physical security survey, a security policy and procedure review, or a scan of systems to identify known security vulnerabilities in the current implementation.

  • Target of Risk Assessment: All security reviews require proper scoping of the project. The target of assessment (Target Area) is the subject of the security review and defines the boundaries of the project. Typical security review subject areas are listed below.

  • Physical Site: The physical site includes many aspects with unique security implications. These include geographic location (e.g., crime rate, accessibility, natural disasters), environmental issues (e.g., temperature, humidity, fire suppression), perimeter security (e.g., access control, walls, fencing, lighting, surveillance), and administrative procedures (e.g., training, drills).

  • Organization: The organizational structure and its support are a target of assessment, since many aspects of the organization can greatly support or detract from the effectiveness of security controls. Aspects to consider include the organizational structure (e.g., to whom does the head of security report?), the presence of a security forum or steering committee, audit departments and their independence, budgeting and resources, and roles and responsibilities.

  • Policies & Procedures: Policies and procedures are the distributed rules, regulations, standards, and guidelines that provide planned, repeatable, and documented approaches to implementing administrative security controls. Examples include recruitment and termination procedures, acceptable use policies, and patch management procedures. An assessment targeted at policies and procedures will, among other things, evaluate the controls the policy dictates, whether they are effectively implemented, and whether they are adhered to.

  • Technology: Technology encompasses many aspects of an organization's security controls. It may be useful to further categorize these controls.

    • Applications: "Applications" refers to specialized programs running on top of general operating systems. This aspect of technology requires different assessment processes, since applications are typically customized or even "home grown." General review tools and techniques such as vulnerability scans do not adequately test the security functions of applications. Examples include SAP audits and reviews of financial or HR applications.

    • System: The system encompasses the information system components, general operating systems, common applications, and how these components are put together. Security assessments of the system can be high level (e.g., a security architecture review) or low level (e.g., a vulnerability scan).

    • Wireless: Wireless technology has become an enabler in many organizations, with LANs being migrated to wireless for ease of use (not to mention doing away with the mess of wiring and cabling devices). This advantage brings a major security concern to the doorstep, or the parking lot: the network is reachable from outside the building. It is imperative to ensure that wireless LANs have been set up securely and that any intrusion is detected in time and acted upon.

    • Desktop: The desktop includes the workstation assigned to individual users. These components of technology are unique in that they are more exposed to the actions of the user and may include unique software and connectivity.

Limited Scope Assessments

  • Site Security Survey: One of the most obvious ways to protect your assets is to make sure no one can walk off with them. Businesses also need to ensure that they protect their most valuable assets - their employees. PCS security analysts recommend improvements to physically protect your assets by assessing the effectiveness of existing physical security controls. Elements covered include ingress and egress, visitor control, after hours and weekend access controls, media control/document destruction, employee identification, and parking.

  • Organizational Security Assessment: The effectiveness of an organization's security program can rely heavily on the organizational structure. PCS engineers have assessed scores of security teams across many industry segments and environments. We have developed an approach to assess and improve the effectiveness of the security team based on its organizational placement, budgeting and resources, and the roles and responsibilities of its members. PCS engineers apply this process to assess security team effectiveness, benchmark it against similar organizations, and make recommendations to improve the effectiveness of the team.

  • Security Policy & Procedures Review: Security policies are the basis for a sound security implementation. Implementing and operating technical security solutions without appropriate policies, standards, guidelines, and procedures may result in unfocused, ineffective security controls and legal risks. Based on our experience with security regulations, industry practices, and developing and reviewing security procedures for many organizations, PCS has developed a process for reviewing security policies and procedures aligned with BS 7799. The process interviews key personnel and reviews existing policies and procedures to catalog their existence, determine their clarity and organization, ensure they are approved and distributed, and ensure they cover the necessary elements and contain effective controls. PCS provides recommendations wherever gaps are noted.

  • Vulnerability Scan: Whether you like it or not, your network is being scanned and probed for vulnerabilities by hackers and "script kiddies." When they discover a vulnerability on your site they typically exploit it and gain control of your resources. A network design that follows secure principles, properly configured firewalls, and hardened operating systems will typically defeat these attacks, and it is standard industry practice to check and re-check such an exposed and constantly changing interface. PCS performs one-time and periodic vulnerability scans of your network presence using a suite of commercial-grade, shareware, and internally developed tools to detect known vulnerabilities on your systems. PCS provides immediate alerts and recommendations, updates, patches, or workarounds for any holes found.

    • External vs. Internal Vulnerability Scan. Vulnerability scans can be performed remotely (on externally visible IP addresses) or on-site. On-site vulnerability scans can include external and internal IP addresses.

    • Penetration Testing: A vulnerability scan is a search for known security vulnerabilities in common systems and applications. While a vulnerability scan finds the known weaknesses in standard products, site-specific configurations and custom developed applications and scripts may introduce additional vulnerabilities that no scanner signature covers. PCS security consultants use the information gained from vulnerability scans and attempt additional ad-hoc techniques to circumvent the security measures of your network. Weaknesses sought include, but are not limited to, buffer overflows, time-of-check/time-of-use (TOC/TOU) errors and other race conditions, object reuse problems, error handling mistakes, ignored return codes, and concurrency mistakes.

    • Code Review: An often overlooked area of security is application security. While most security controls are designed to confine the external interfaces of custom applications, surprisingly little attention is paid to the applications themselves. Whatever the strength of the other security controls, a lack of application security controls leaves the enterprise open to many attacks. PCS has a rigorous code review methodology that provides a systematic and comprehensive review of your application's security-relevant code, including its design. This assessment finds vulnerabilities in your web applications with far more rigor than a standard penetration test. Our engineers use several tools to find instances of well-known coding errors, identify the security-relevant mechanisms and carefully review their design and implementation, and then check the remaining code systematically to ensure there are no additional flaws that might enable an attacker to compromise the system.

    • Security Architecture Review: This review covers the architecture, integration, and configuration of network components, systems, and security mechanisms: how your network is put together (placement, separation, and connectivity), how your routers and firewalls are configured, what access control mechanisms are employed, and which security features (e.g., auditing) are enabled on your systems. Even the best technology can be improperly architected, configured, or maintained, leaving your IT assets exposed to unacceptable levels of risk. PCS security consultants assess your applications, network, and overall system for consistency and compliance with security policy and with sound network design principles.

    • War Dialing: A war dialing effort canvasses available and assigned phone lines for modems and carrier signals in search of "dial-in" vulnerabilities. It encompasses identifying the range of possible numbers (the footprint), prioritizing the numbers found in the footprint for penetration, and attempting to gain access to the customer's systems through the modem numbers identified and ranked in the previous steps.

    • Social Engineering: Social engineering is hacker-speak for tricking a person into revealing sensitive or confidential information. It describes a non-technical kind of intrusion that relies heavily on human interaction and often involves persuading people to break normal security procedures; a social engineer runs what used to be called a "con game." For example, PCS consultants using social engineering to break into a computer network would try to gain the confidence of someone authorized to access the network in order to get them to reveal information that compromises the network's security. Appeals to vanity, appeals to authority, and old-fashioned eavesdropping are typical social engineering techniques. This assessment reveals the level of security culture and awareness within the target organization.
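The Penetration Testing and Code Review items above name the kinds of coding error a reviewer looks for: unbounded copies that lead to buffer overflows, TOC/TOU races, and ignored return codes. The script below is an added illustration of tool-assisted code review and is not PCS tooling or code from this page; the rule set, the rule names, and the C sample it scans are constructed here for the example, and the script deliberately uses simple line-oriented pattern matching rather than a real parser, so it serves as a first-pass triage that a human reviewer then confirms.

```python
"""
Tiny pattern-based code-review helper that flags three well-known C coding
errors: unbounded string copies (buffer overflows), an access()/open()
time-of-check/time-of-use race, and discarded return codes of privilege and
directory calls.  Added example; rules and sample source are constructed.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line: int    # 1-based line number in the reviewed source
    rule: str    # short rule identifier (names are assumptions of this example)
    detail: str  # human-readable explanation for the reviewer


# Unbounded calls that commonly cause stack or heap overflows.
DANGEROUS_CALLS = {
    "gets": "unbounded read into a buffer; use fgets() with an explicit size",
    "strcpy": "no length bound; use strncpy()/strlcpy() or check lengths first",
    "strcat": "no length bound; use strncat()/strlcat()",
    "sprintf": "no length bound; use snprintf()",
}

# Calls whose failure is silently ignored when written as a bare statement.
MUST_CHECK_RETURN = {"setuid", "setgid", "seteuid", "chdir", "chown", "chmod"}

_CALL_RE = re.compile(r"\b(?P<fn>[A-Za-z_]\w*)\s*\(")
_BARE_STMT_RE = re.compile(r"^\s*(?P<fn>[A-Za-z_]\w*)\s*\(")
_ACCESS_RE = re.compile(r"\baccess\s*\(\s*(?P<path>[^,]+),")
_OPEN_RE = re.compile(r"\b(?:open|fopen)\s*\(\s*(?P<path>[^,)]+)")


def review_c_source(source: str, toctou_window: int = 8) -> List[Finding]:
    """Scan C source text line by line and return findings in source order."""
    findings: List[Finding] = []
    recent_access: Dict[str, int] = {}  # path expression -> line of access()

    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]  # ignore trailing line comments

        # Rule 1: any call to a function with no length bound.
        for m in _CALL_RE.finditer(code):
            fn = m.group("fn")
            if fn in DANGEROUS_CALLS:
                findings.append(Finding(lineno, "dangerous-call",
                                        f"{fn}(): {DANGEROUS_CALLS[fn]}"))

        # Rule 2: a must-check call used as a statement, so its result is lost.
        bare = _BARE_STMT_RE.match(code)
        if bare and bare.group("fn") in MUST_CHECK_RETURN:
            findings.append(Finding(lineno, "unchecked-return",
                                    f"{bare.group('fn')}() result is discarded; a "
                                    "failure leaves the wrong privileges or directory"))

        # Rule 3: access(path) followed within a few lines by open(path).
        acc = _ACCESS_RE.search(code)
        if acc:
            recent_access[acc.group("path").strip()] = lineno
        opn = _OPEN_RE.search(code)
        if opn:
            path = opn.group("path").strip()
            seen = recent_access.get(path)
            if seen is not None and lineno - seen <= toctou_window:
                findings.append(Finding(lineno, "toctou",
                                        f"access({path}) on line {seen} then open({path}) "
                                        "here: the file can be swapped between check and "
                                        "use; open first, then fstat() the descriptor"))
    return findings


# Constructed sample written to exercise each rule; not real customer code.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

int save_note(const char *path, const char *user_text) {
    char buf[64];
    strcpy(buf, user_text);                 // overflow if user_text > 63 bytes
    if (access(path, W_OK) != 0) return -1; // check ...
    int fd = open(path, O_WRONLY);          // ... then use: classic TOC/TOU
    setuid(1000);                           // return value ignored
    write(fd, buf, strlen(buf));
    return 0;
}
"""

if __name__ == "__main__":
    for f in review_c_source(SAMPLE_C):
        print(f"line {f.line:3d} [{f.rule}] {f.detail}")
```

Run against the embedded sample, the script reports the strcpy() on line 8, the access()/open() pair on lines 9 and 10, and the discarded setuid() result on line 11. The window for the TOC/TOU rule is a heuristic: a check and use separated by more lines than the window is still a race, so the reviewer widens it or follows the data flow by hand when the file is opened in a different function.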

Larger Scope Assessments

  • All larger scope assessments involve an overall evaluation of your organization's ability to ensure the confidentiality, integrity, and availability of its assets.

  • Objective: The objective of the assessment is the reason your organization would spend money on the review. It is important, but why? The following are typically the only two objectives of a comprehensive security review:

  • Objective 1: [Self-Improvement] Obtain an independent review of your ability to protect your assets so that you can prioritize your risks and implement the most cost-effective measures (controls) to mitigate your information security risk.

  • Objective 2: [Convey Assurance] Obtain an independent review of your ability to protect your assets so that you can reference or share the review with prospective customers, stakeholders, investors, or partners, assuring them that you provide adequate controls to protect their information assets.

Larger scope assessments seeking to meet objective 1 are popularly known as information risk assessments.

Information Risk Assessment: Even the smoothest running security program can benefit from an independent review of its effectiveness. An independent review of your existing security program confirms which elements are protecting your IT assets, identifies the areas that are lacking, and pinpoints areas for improvement. A system security review covers all elements of your security program: physical protection, policy, procedures, organization, security infrastructure, and system, desktop, and application security controls. Please see our paper on Risk Management for more information.

Security Audit: Many outside organizations (and regulatory agencies) depend upon or require effective control of your information assets. Assertions from your organization that your controls are effective typically do not satisfy these consumers of your services. PCS provides an independent audit of your organization's security controls by experienced and credentialed security engineers who are well versed in industry regulations and standards (BS 7799 / ISO 17799, ISO 15408, COBIT, etc.). A security audit covers all required elements of your security program; depending on your industry this may include physical protection, policy, procedures, organization, security infrastructure, and system, desktop, and application security controls.

BS 7799 Gap Analysis: BS 7799 is the British standard that provides guidelines for safeguarding an organization's assets. It helps business managers and staff set up and manage an effective information security management system (ISMS). PCS consultants conduct timeline audits of organizations that are already BS 7799 certified and assess an organization's preparedness for certification. The applicable controls are assessed for effectiveness and efficiency.

BS 15000 / ITIL Assessment: BS 15000 is the British standard for IT service management against which organizations are assessed for compliance with ITIL (the Information Technology Infrastructure Library). PCS consultants assess the service management processes (service delivery and service support) to ensure that they comply with ITIL guidelines. PCS also has on its rolls the first and only BS 15000 certified implementer and assessor.

BCP / DRP Assessment: A business continuity plan (BCP) or disaster recovery plan (DRP) is of no value if it merely sits documented on a shelf. PCS consultants, with their broad process and technical expertise, assess and evaluate the practicality of your BCP/DRP plans. They also assess whether the plans have been tested thoroughly enough to cope with any business-impacting eventuality.

COBIT Assessment: COBIT (Control Objectives for Information and related Technology) is ISACA's framework of guidelines and control objectives for information assurance and IT governance. PCS consultants, many of whom are CISAs (Certified Information Systems Auditors), evaluate and assess your organization's compliance with the COBIT framework for effective IT governance. Controls can be audited at a granular level to check compliance against COBIT.

© Copyright 2004. Paramount Computer Systems FZ-LLC. ® All Rights Reserved.