Risk Management
A. Penetration testing
Experience has shown time and again that hostile parties, such as competitors and attackers, gather information about companies in order to exploit it for their own benefit, and often do so while the targeted company remains unaware of the activity for extended periods.
A penetration test is a process in which the security level of an organization's infrastructure and applications is realistically evaluated and options for correcting the deficiencies found are examined. Periodic penetration tests are especially important in organizations that hold sensitive data and databases requiring protection from deliberate or opportunistic attacks.
Penetration tests, and the implementation of their findings, reduce the options available to hostile parties attempting to penetrate the organization's network and applications, and provide an important additional layer of security, which is often the critical one.
There are two main types of penetration tests: those performed on applications, and those performed on infrastructure.
The tests are implemented in accordance with the organization's needs and goals, both from a technical viewpoint and to satisfy compliance with standards such as ISO 27001, ISO 27002, SOX, HIPAA, Instruction 357, etc.
ChoiceIT conducts numerous, diverse tests at a large number of organizations whose work requires them to store and utilize sensitive data. Our clients, who benefit from superior information security services, include world leading hi-tech companies; as well as governmental, public and private sector companies in Romania, including insurance, communication and content companies.
Application Security Testing
The importance of protecting the organization's applications is rapidly increasing due to the accelerated transition to Web applications, which broadens daily and provides users with new access options that did not exist in the past.
Technological developments in the Web environment significantly affect Web-based applications. Keeping pace with these developments, anticipating risks and developing suitable solutions requires focused professional expertise, since security products for Web applications are still at an early stage of development compared with those developed for infrastructure.
ChoiceIT specializes in advanced application testing, with proven experience in delivering high-quality results without over-relying on the many scanners available on the market. Our experts conduct complex application tests based on our unique, proprietary methodology, developed by ChoiceIT's founders, who are leaders in the information security field both in Romania and internationally.
The application tests are carried out in Web environments such as PHP, ASP, ASP.NET, ISAPI, Web Services, Java and more. These tests detect exposure to Web-based attacks, for example:
- Cross site scripting
- SQL injection
- XPath injection
- LDAP injection
- SSI injection
- OS commanding
- Path traversal
- Phishing
- HTTP response splitting
- Directory indexing
- Session fixation
- Credential/session prediction
- Insufficient session expiration
- Information leakage
- Insufficient anti-automation
- Insufficient authentication
- Brute force
- Buffer overflow
There are several main approaches to performing these tests, usually chosen in accordance with the regulations the organization is subject to, or with management decisions to carry out information security tests. The choice of the approach most suitable for the organization is extremely important and must be carefully considered. The different approaches, and the differences between them, are presented below:
- Black Box
- White Box
- Gray Box
- Code Review
Infrastructure Security Testing
Information security in an organization depends greatly on the choice and configuration of the infrastructure on which the information is managed. The infrastructure's functionality is important; however, deploying it securely is equally important.
ChoiceIT specializes in performing diverse tests that determine the security level of an organization's infrastructure and network, such as penetration tests from the external network into the internal network, and tests of servers, workstations, infrastructure products, firewall bypass and more. The company does not market security products such as firewalls and other network protection products, in order to avoid any possible conflict of interest, leaving it free to recommend the most cost-effective solutions on the market.
What distinguishes ChoiceIT's tests is the very limited use of scanners in favor of manual penetration testing, and the high-quality results this produces, justifying the client's investment. Many of the company's clients use these tests, and the response they provide, before purchasing their infrastructure.
Addition of new infrastructure
Adding infrastructure to the organization's network in a secure manner may also result in significant savings in the future; for example, installing a server correctly from the outset may save the cost of checking and hardening it later.
Instruction Manuals
Additionally, ChoiceIT supplies instruction manuals detailing how to install a server from the initial stages through the conclusion of the hardening process, to attain the highest level of security. These manuals are a worthwhile investment: their level of detail enables infrastructure personnel without information security expertise to reach a very high level of hardening on their own, on one server or many.
Outsourcing Services
ChoiceIT also provides outsourcing services for infrastructure security, including any or all of the following elements, as required by the client organization:
- Assistance in defining the organization's information security policy
- Preparing a complete set of information security procedures, tailored to meet the organization's specific needs
- Designing PKI infrastructures
- Managing infrastructure and application tests:
  - Periodic testing in accordance with regulator requirements
  - Penetration tests on applications
  - Penetration tests on infrastructure
  - Security audits
  - Support of external tests and validation
- Assisting organizations in their preparations for external audits, and providing them with professional support throughout the process
- Preparing expert opinions and recommendations prior to the purchase of products by the organization
- Preparing recommendations prior to the implementation of changes in the network and the application
- Maintaining continuous contact with application and infrastructure development teams, including meetings conducted on a periodic basis
- Arranging professional study days
- Performing tests and updates in the area of information security, including the submittal of a periodic report
Testing Methods
BLACK BOX
Penetration tests based on the Black Box method are essentially a simulation of an attempted break-in that is as authentic as possible. The tests are carried out without the testers having any prior knowledge of the system under evaluation, with regard to the infrastructure protecting the application, the application itself, or its source code.
ChoiceIT's experts carry out the tests as an attacker would; therefore many information security professionals regard this method as the one that most realistically indicates the level of risk faced by the organization's databases and applications.
WHITE BOX
In contrast to the previous method, White Box tests are carried out when the testers are familiar with the internal characteristics of the system under evaluation, in both its application and infrastructure aspects.
These tests are extremely broad in scope and highly effective: since the system, including the application code, is laid out before them transparently, ChoiceIT's experts can identify each vulnerability and exposure present in it.
ChoiceIT usually recommends performing these tests after Black Box tests have been completed, so that the severity and risk of the findings can be graded and a well thought out repair plan devised, including the order in which the various fixes should be made.
GRAY BOX
Gray Box tests combine the White Box and Black Box methods, allowing the organization to choose which data to provide to the testers, so that testing starts from the best starting point, based on selected information about the network and the application. Some experts regard this method as the most realistic, since many attackers already have access to a great deal of information about the infrastructure of the organization they are targeting, from economic and technological publications and from sales data they manage to acquire.
In addition, in many cases the organization prefers to disclose only partial information; Gray Box tests meet this preference.
CODE REVIEW
Application code review finds information security problems comprehensively and accurately. By reviewing the code of functions and objects, the tester can identify security deficiencies and locate problems that are harder to identify in a regular penetration test.
ChoiceIT's experts have performed a large number of code reviews of Web applications, mobile device applications, client/server applications, content-filtering gateway applications and more.
Code review is one layer of the White Box method, in which the system code is exposed to the ChoiceIT experts performing the test. Code review services may save the organization a great deal of money at later stages: professional support from an information security expert while the application is being written, and review of the code at early stages, lead to precise identification of security deficiencies in the code, which are much easier to fix early in development than later on, when, as research has shown, the cost of modifications is roughly ten times higher than in the early stages.
B. Risk assessment
An information security risk assessment is a comprehensive examination that covers every aspect that comes into direct or indirect contact with the organization's information systems. Within the assessment, the organization's information systems are mapped at an abstract level, at which it is easier to examine their components and grade the risk arising from each system.
Numerous risks may affect the organization's information assets, such as flawed allocation of permissions to employees in various departments; information leakage between departments; lack of compartmentalization; deficient password management; uncoordinated information availability; inadequate disaster recovery; and erroneous firewall rules.
Risks are rated in accordance with the importance of the organization's assets; therefore performing the assessment depends on the cooperation of its various departments. By mapping and assessing the risks, it is possible to arrive at an organized plan in which penetration tests are carried out on the systems in order of their importance to the organization.
The decision regarding who shall carry out the risk assessment is extremely important, since the quality of their work will be reflected in how the organization's information systems are managed at the final stage, when it expects a return on its investment in the assessment as quickly as possible.
ChoiceIT specializes in performing all stages of the assessment, from the initial interviews, in which questions are asked in order to learn about the organization's information security systems, to the execution of tests on each and every system. The company has developed a unique risk assessment methodology covering all functions of all the organization's systems. This proprietary methodology achieves maximal results within a predefined period of time, at the most realistic level.
Repairing the detected deficiencies raises the level of information security and improves the organization's operation, while allowing it to avoid the loss of business opportunities, irreparable damage to its reliability and reputation, and the risk and consequences of non-compliance with regulator requirements and laws (privacy protection, SOX, Instruction 357, HIPAA, etc.).
The main purpose of risk assessments is to arrive at a realistic evaluation of the risks faced by the organization's information systems. The evaluation is based on findings collected by ChoiceIT following an in-depth examination of the way the organization's information systems are operated and the information they contain.
The risks may involve:
- Deficient management of a password policy;
- Deficient management of a data sharing policy;
- Insufficient network control;
- Insufficient or ineffective rules defined in firewalls;
- Data leakage;
- Procedures governing the receipt of information by the organization's staff from external sources;
- Authorizations;
- Recovery procedures to be implemented after a disaster or system collapse;
and more.
C. Hardening
The development of computing and information systems technologies in recent years has created a complex, multi-user environment in which competing central priorities are involved, for example: organizations vs. clients; availability vs. large databases; and security vs. broad access permissions. To obtain maximal functionality from these technologies while maintaining a high level of information security, it is important for the organization to be examined by a professional, objective, external body with proven capabilities, and to implement its recommendations.
ChoiceIT is a leader in the field of information security in general, and in penetration testing and server and network hardening in particular. The company supplies penetration testing services, as well as server and network hardening services, based on a unique, proprietary methodology and the use of attack tools and manual checks.
Additionally, ChoiceIT supplies instruction manuals for hardening a variety of products, such as servers, firewalls, workstations, gateways, etc.