Limited Scope Assessments
These engagements have a specific scope, focus on a detailed review, and have specific deliverables and a technical orientation. They are periodic, are used to sustain the security environment, and are mostly intended for consumption by middle and/or top management. By contrast, Larger Scope Assessments are enterprise-wide, flow from regulatory compliance or corporate policy, and are broadly defined, architected and crafted with respect to the objectives to be achieved.
Physical and Administrative Controls
One of the most obvious ways to protect your assets is to ensure effective site security and the protection of assets and employees. We recommend improvements to physically protect the client's assets by assessing the effectiveness of existing physical security controls. The assessment covers ingress and egress, physical safety, visitor control, business-hours, after-hours and weekend physical access controls, media control/document destruction, employee identification, and ancillary facilities.
The effectiveness of an organization's security program depends heavily upon its organizational structure. We assess and improve the effectiveness of the client's security team based on organizational analysis, budgeting and resources, and the roles and responsibilities of team members, by:
- testing security team effectiveness,
- benchmarking effectiveness against similar organizations, and
- making recommendations to improve the effectiveness of the security team.
Corporate security policy is the basis for a sound security implementation. Implementing and operating any set of technical security solutions without appropriate policies, standards, guidelines, and procedures results in dissipated, inconsistent, incoherent, inefficient and ineffective security controls, and may at times be incompatible with the regulatory framework. Spry Control has developed a process for reviewing security policies and procedures that aligns with BS 7799 or other standards as part of Spry Control's methodology. This process involves:
- interviewing key personnel and reviewing existing policies and procedures,
- taking an inventory of technical and administrative controls,
- determining whether the policies have clarity and are consistent with standards, guidelines and procedures, and assuring that administrative controls are effective and support technical controls, and
- providing recommendations where gaps are noted.
Penetration Testing
A network design that follows secure principles, properly configured firewalls, and hardened operating systems will typically defeat malicious attacks. Spry Control runs one-time and periodic vulnerability scans on hosts and networks to check and double-check that the infrastructure is safe from known vulnerabilities. No two networks and infrastructures are alike. The scanners employed may include commercial-grade, shareware, and internally developed software to scan for known vulnerabilities. Clients are provided prompt alerts and recommendations, updates, patches or workarounds for any vulnerability found.
Vulnerability scans can be performed remotely (on externally visible IP addresses) or on-site. On-site vulnerability scans can include external and internal IP addresses.
Application Testing and Review
Certain site-specific configurations and custom-developed applications and scripts may introduce additional vulnerabilities, commonly known as application-related vulnerabilities. Our security consultants will use information gained from vulnerability scans and attempt additional ad-hoc techniques to circumvent the security measures of the client's network. This may include, but is not limited to, buffer overflows, TOC/TOU errors, race conditions, object reuse problems, error handling mistakes, overlooked return codes, and concurrency mistakes.
Design errors, poor coding or reckless deployment of an application can be a source of security vulnerabilities within the application, and may extend to the network or desktop. The Spry Control assessment is a rigorous application code review methodology that provides a systematic and comprehensive review of the application and infrastructure from a security perspective. This assessment finds vulnerabilities in your web applications with far more rigor than a standard penetration test. We employ several tools to find instances of well-known coding errors, design and implementation deficiencies, and any known security flaws.
Security Architecture Review
Even the best technology can be improperly designed, configured or maintained, leaving IT assets open to unacceptable levels of risk. Spry Control assesses your applications, network, and overall system for consistency and compliance with security policy and network design principles. A detailed Security Architecture Review covers the overall architecture, integration, and configuration of network components, systems, and security layers.
Other Security Review
A war dialing effort is performed to canvass available and assigned phone lines for modems and carrier signals in search of "dial-in" vulnerabilities. War dialing encompasses identifying the range of possible numbers (the footprint), prioritizing the numbers found in the footprint for penetration, and attempting to gain access to the systems through the modem numbers identified and sorted during the previous steps.
Social engineering is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. This assessment reveals the level of security culture and awareness within the target organization.