Risk Assessment Domains
The following are assessment domains that Network Vigilance provides consulting services for. They are grouped by section heading.
Network Penetration Test
Perimeter testing can take the approach of an uninformed hacker’s view to simulate the real pattern a potential attacker might follow. This “uninformed” test may include information gathering exercises to map out the network, followed by various probing techniques to find potential weaknesses, and finally the use of custom exploit tools to gain access to a “weak link” or insecure system.
Firewall & Router Policy Analysis
We provide an in-depth review of all firewall rules to ensure their proper order, adherence to Best Practices, and proper enforcement. Firewall policies that allow external connections from anywhere outside the network without restriction would be one such example.
Includes an analysis of E-Mail Remote Access (OWA or RPC), Remote Client Access - VPN, Terminal Services, and other common remote access methods used by the company to access files, e-mail, and other corporate resources.
Server Vulnerability Analysis
Typically we take an “informed” approach to analyzing and testing the servers and network for potential weaknesses. This analysis is not limited to running scanning tools; it includes an in-depth evaluation to determine whether reported weaknesses actually exist and whether they could be exploited by a potential threat.
Desktop Vulnerability Analysis
This type of analysis can comprise an in-depth analysis of individual desktops and workstations, or a more narrowly focused scan that looks for suspected issues such as spyware, malware, Instant Messaging, or common vulnerabilities and misconfigurations.
Infrastructure Analysis & Review
An analysis and review of network infrastructure such as routers, switches, and networking equipment (including other devices such as tape backup, storage, etc.).
Web Content & Data Leakage Analysis
Analyzes how company employees use and potentially abuse the internet during their work activities, including non-business related sites and lost productivity and revenue. Can also determine whether protected or confidential information may be “leaking out” via users through e-mails, file copying, USB drives, or other channels.
Spam & E-Mail Review
Provides an analysis of e-mail based threats and the problems that SPAM and other mail-based threats pose to the organization.
Wireless Security Review
A security review of potential wireless threats such as rogue access points, ad hoc networks, weak encryption, “war driving”, etc.
File & System Access Permissions Review
A review of file access rights and permissions of users and groups on the network to network resources. This may include an information “leak” analysis of sensitive information leaving the company through unauthorized means.
Web Application Security
Database Security Review
An analysis of database vulnerabilities and a review of excessive user privileges that may be present within common databases such as SQL, MySQL, Oracle, etc.
Web Application Security
Evaluates application code, libraries, objects, etc. for security risks that would allow the code to be exploited.
Social Engineering & Physical Security
Includes a wide variety of tests that are typically tailored to identify areas of weak physical access controls within the organization. Typically involves techniques that may trick users into giving out their passwords or allowing unauthorized access to sensitive areas.
Physical Security Review
Includes a review of the physical security controls within the environment including access to sensitive areas, data center access, alarm systems, fencing, camera systems, building perimeters, guard services, removal of equipment, ID badge systems, etc.
Security Policy & Practices Development
IT Security Policy Review
An in-depth review to evaluate IT policies and/or practices that govern IT security utilizing an ISO 27001 policy framework.
IT Best Practices Review
Review and evaluate whether certain recommended security practices or policies should exist or be modified to meet compliance, risk management, and data security goals.
Data Classification Review
Review the documentation and data of the company to design and implement a data classification system that ensures sensitive or confidential information is safeguarded according to organizational policy.
IT Security Planning & Program Development
Incident Response Planning
Design and implementation of an organizational policy and program (plan) to provide a managed response in the event of a computer security incident, data breach, or other event stemming from a computer system attack.
Security Awareness Program Development
Design and develop an employee security awareness program to ensure that an organization can communicate IT security policies, procedures, and best practices for interacting with sensitive data and systems.
Disaster Recovery & Business Continuity Plan
Evaluates the plans against industry standards and Best Practices, tailored to the size of the organization and its potential financial losses.
Regulatory Compliance Review
Privacy & Protected Systems Scope Review
This review is conducted to determine whether certain regulatory requirements are applicable to systems and data and which systems may or may not be part of the compliance scope.
We provide an in-depth analysis of regulatory compliance issues that affect businesses under legislation such as SOX, GLBA, PCI, FFIEC, FERPA, FISMA, HIPAA, and others. We also offer a “pre-audit” review that can be used to identify gaps.
SAS-70, Type I or II & ISO 27001 Review
We can provide a preparatory “pre-audit” review to help pass SAS-70 or ISO 27001 audits. In concert with other business partners, we can conduct a formal audit according to AICPA or ISO framework requirements.