Risk Assessment Domains

The following are the assessment domains for which Network Vigilance provides consulting services. They are grouped by section heading.

External Assessment

Network Penetration Test

Perimeter testing can take an uninformed (black-box) attacker's view to simulate the pattern a real attacker might follow. This "uninformed" test typically includes information gathering to map out the network, various probing techniques to find potential weaknesses, and finally custom exploit tools to gain access through a "weak link" or insecure system.

Firewall & Router Policy Analysis

We provide an in-depth review of all firewall rules to verify their ordering (a rule placed after a broader rule that already matches its traffic is never reached), their adherence to best practices, and that the policy is actually enforced as intended. A rule that allows inbound connections from any external source without restricting the destination host or port is one example of the kind of weakness such a review identifies.
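The two checks described above, rule ordering and unrestricted inbound rules, can be automated over an exported rule list. The following is an added example, not code from Network Vigilance or from the original page; it assumes a generic first-match-wins allow/deny rule list (the `Rule` fields, the `review` function and the sample policy are all constructed for illustration, not any vendor's syntax).

```python
"""Firewall rule review helper (added example).

Flags (1) allow rules that accept traffic from any source without restricting
the destination or port, and (2) rules that are shadowed, i.e. unreachable
because an earlier rule already matches every packet they would match.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional, Tuple, List, Dict

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src: str                             # IPv4 CIDR or "any"
    dst: str                             # IPv4 CIDR or "any"
    proto: str                           # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]     # inclusive (low, high), None = any port


def net(cidr: str) -> ipaddress.IPv4Network:
    """Translate "any" into 0.0.0.0/0 so every address comparison is a subnet test."""
    return ANY_V4 if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if not net(inner.src).subnet_of(net(outer.src)):
        return False
    if not net(inner.dst).subnet_of(net(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.ports is not None:
        if inner.ports is None:          # inner matches ports outer does not
            return False
        lo, hi = outer.ports
        ilo, ihi = inner.ports
        if ilo < lo or ihi > hi:
            return False
    return True


def is_overly_permissive(rule: Rule) -> bool:
    """An allow from any source that restricts neither destination nor port."""
    return (rule.action == "allow"
            and net(rule.src) == ANY_V4
            and (net(rule.dst) == ANY_V4 or rule.ports is None))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """First-match-wins evaluation: return (shadowed, shadowing) name pairs.

    A shadowed rule with the same action is redundant; one with the opposite
    action is a policy error, because the intended deny (or allow) never fires.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name))
                break                    # report the first shadowing rule only
    return findings


def review(rules: List[Rule]) -> Dict[str, list]:
    return {
        "permissive": [r.name for r in rules if is_overly_permissive(r)],
        "shadowed": find_shadowed(rules),
    }


# Constructed sample policy for the example; not a real customer rule set.
SAMPLE_POLICY = [
    Rule("allow-web",    "allow", "any", "203.0.113.10/32", "tcp", (443, 443)),
    Rule("allow-all-in", "allow", "any", "any",             "any", None),       # unrestricted
    Rule("deny-telnet",  "deny",  "any", "10.0.0.0/8",      "tcp", (23, 23)),   # never reached
    Rule("allow-vpn",    "allow", "any", "203.0.113.20/32", "udp", (500, 500)), # redundant
    Rule("deny-all",     "deny",  "any", "any",             "any", None),       # never reached
]

if __name__ == "__main__":
    result = review(SAMPLE_POLICY)
    for name in result["permissive"]:
        print(f"PERMISSIVE: {name} allows any source without destination/port restriction")
    for shadowed, by in result["shadowed"]:
        print(f"SHADOWED:   {shadowed} is unreachable; {by} matches its traffic first")
```

Against the sample policy the helper reports `allow-all-in` as permissive and shows that it shadows `deny-telnet`, `allow-vpn` and the final `deny-all`, which is exactly the ordering problem a manual review looks for: the explicit deny of Telnet to the internal range is dead policy because the broad allow above it wins first.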

Remote Access

Includes an analysis of e-mail remote access (OWA or RPC), remote client access (VPN, Terminal Services), and other common remote access methods the company uses to reach files, e-mail, and other corporate resources.

Internal Assessment

Server Vulnerability Analysis

Typically we take an "informed" (credentialed) approach to analyzing and testing the servers and network for potential weaknesses. This analysis is not limited to running scanning tools; it includes an in-depth evaluation to determine whether reported weaknesses actually exist, rather than being scanner false positives, and whether they could be exploited by a realistic threat.

Desktop Vulnerability Analysis

This type of analysis can comprise an in-depth analysis of individual desktops and workstations, or a more focused scan that looks for specific problems such as spyware, malware, unauthorized instant messaging software, or common vulnerabilities and misconfigurations.

Infrastructure Analysis & Review

An analysis and review of network infrastructure such as routers, switches, and other networking equipment, including related devices such as tape backup and storage systems.

Web Content & Data Leakage Analysis

Analyzes how company employees use, and potentially abuse, the Internet during their work activities, including visits to non-business-related sites and the resulting lost productivity and revenue. It can also determine whether protected or confidential information may be leaking out through users via e-mail, file copying, USB drives, or other channels.

Spam & E-Mail Review

Provides an analysis of e-mail-based threats to the organization and of the problems caused by spam.

Wireless Security Review

A security review of potential wireless threats such as rogue access points, ad hoc networks, weak encryption, "war driving", etc.

File & System Access Permissions Review

A review of the file access rights and permissions that users and groups hold on network resources. This may include an information "leak" analysis of sensitive information leaving the company through unauthorized means.

Web Application Security

Database Security Review

An analysis of database vulnerabilities and a review of excessive user privileges that may be present within common databases such as SQL Server, MySQL, Oracle, etc.

Web Application Security

Evaluates application code, libraries, components, etc. for security weaknesses in the code that could be exploited.

Social Engineering & Physical Security

Social Engineering

Includes a wide variety of tests, typically tailored to identify weaknesses in the organization's human and physical access controls. These typically involve techniques that trick users into giving out their passwords or allowing unauthorized access to sensitive areas.

Physical Security Review

Includes a review of the physical security controls within the environment including access to sensitive areas, data center access, alarm systems, fencing, camera systems, building perimeters, guard services, removal of equipment, ID badge systems, etc.

Security Policy & Practices Development

IT Security Policy Review

An in-depth review to evaluate IT policies and/or practices that govern IT security utilizing an ISO 27001 policy framework.

IT Best Practices Review

Review and evaluate whether certain recommended security practices or policies should exist or be modified to meet compliance, risk management, and data security goals.

Data Classification Review

Review the company's documentation and data to design and implement a data classification system, so that sensitive or confidential information can be safeguarded according to organizational policy.

IT Security Planning & Program Development

Incident Response Planning

Design and implementation of an organizational policy and program (plan) to provide a managed response in the event of a computer security incident, data breach, or other event stemming from a computer system attack.

Security Awareness Program Development

Design and develop an employee security awareness program so that the organization can communicate its IT security policies, procedures, and best practices for handling sensitive data and systems.

Disaster Recovery & Business Continuity Plan

Evaluates the plans against industry best practices, tailored to the size of the organization and its potential financial losses.

Regulatory Compliance Review

Privacy & Protected Systems Scope Review

This review is conducted to determine which regulatory requirements apply to the organization's systems and data, and which systems are or are not within the compliance scope.

Compliance Review

We provide an in-depth analysis of regulatory compliance issues that affect businesses under legislation and standards such as SOX, GLBA, PCI, FFIEC, FERPA, FISMA, HIPAA, and others. We also offer a "pre-audit" review that can be used to identify gaps before a formal audit.

SAS-70, Type I or II & ISO 27001 Review

We provide a preparatory "pre-audit" review to help the organization pass SAS-70 or ISO 27001 audits and, in concert with our business partners, conduct a formal audit according to AICPA or ISO framework requirements.


© 2013 Security On-Demand, Inc. All rights reserved