
Managed Assessment Products

PCI Compliance Testing:

Assess any potential gaps in your organizational and regulatory compliance programs including PCI in preparation for your formal assessment and audits.

PCI Compliance services include:

  • PCI compliance audit report and automated scans on a quarterly, scheduled basis.
  • Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to attain full PCI compliance.
  • PCI Professional Services Review.
  • PCI Assessment Checklist completion for PCI certification.

Penetration Testing:

Conduct a detailed penetration test to analyze your network, operating systems, services, applications, and databases for real exploits. Create a prioritized remediation plan to secure your corporate computing assets.

Vulnerability assessment & penetration testing services include:

  • Accurate and thorough analysis of how vulnerabilities in one system affect another, ensuring the organization maintains up-to-date insight into how its vulnerabilities impact the entire enterprise. Risk scores are assigned to each asset based on several factors that weigh the relative risk of discovered vulnerabilities, enabling smoother prioritization of remediation tasks.
  • Accurate scan results with no false positives. The system verifies each reported vulnerability to confirm it is actually present and provides definitive proof of the vulnerabilities discovered. Because the system exploits vulnerabilities and leverages those exploits to access other systems, it can effectively calculate the true risk to the environment.
  • A complete test of your entire IT environment, not just operating systems and network devices. Automated scans cover vulnerabilities in software such as web applications and databases, detect the presence of adware or spyware, and test other security products such as firewalls and intrusion detection systems to ensure they are functioning appropriately.

Web Application Security Auditing:

Audit your custom Web applications and run checks for key security threats such as Cross Site Scripting (XSS), SQL Injection, Cross Site Request Forgery (CSRF), Buffer Overflows and other vulnerabilities based on the Open Web Application Security Project (OWASP) Framework.

This framework includes checks for:

  • Unvalidated Input Parameters
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • SQL and Command Injection
  • Improper Error Handling
  • Buffer Overflows
  • Insecure Configuration Management

Security Best Practices Assurance:

Develop a prioritized security plan, conduct a risk assessment and identify potential gaps in your security program. Implement security policies that minimize the risk posture of your organization.

To begin developing your organization's network security best practices, you need a three-step approach: preparation, organization and execution.

Preparation includes understanding what levels of security are appropriate to your organization and defining acceptable use policies for systems and data by category of user; conducting a risk analysis to identify possible security exposures in the network and assigning each a risk level based on what could occur if that system were compromised; and defining a cross-functional security team that will take responsibility for communicating the policies, responding to security breaches, and reporting to senior management.

Armed with your security policies and risk analysis, you can now organize the issues that need to be resolved based on risk to the organization, beginning with the highest risk category and working down the list. Organizing the effort gives your IT team a definitive list of systems in order of risk, enabling them to take care of the highest risk systems first.

Social Engineering:

Identify potential security holes from an insider intrusion based on unauthorized employee access to confidential information. Leverage a number of techniques to identify employee-related vulnerabilities and arm your security teams with empirical data to improve your security posture.

Tenth Power/WhiteHat offers security consulting to help your organization identify social engineering weaknesses and then train your employees to become more conscientious about network security. The following are the types of social engineering testing we can provide:

External Social Engineering:

  • Passive Internet Reconnaissance - Using publicly available sources, such as Web sites, search engines, and DNS records, Tenth Power/WhiteHat will gather the relevant information about the company and its employees that is available on the Internet, such as employee names, titles, phone numbers, and email addresses. This information will be useful when conducting more active social engineering testing.
  • External Social Engineering - Tenth Power/WhiteHat will perform social engineering phone calls to individuals within the organization. Targets will include individuals from the help desk, IT department, human resources, finance, and other departments within the organization. The objective of these calls will be to induce the users to divulge sensitive information over the phone in violation of company policy.
  • Targeted Email “Phishing” Attacks - Emails will be sent to individuals and groups within the organization in an attempt to entice users to click on an external link that will either attempt to gather sensitive information or deliver a malicious payload to their desktop system, which could include browser and operating system buffer overflows, trojan horses and keystroke loggers.

Internal Social Engineering and Physical Security Assessment:

  • Malicious Portable Media - USB flash drives and CD-ROMs with enticing labels such as “Payroll” will be left in public areas such as hallways, restrooms, and break rooms. The media will contain simulated malicious code that will attempt to grab sensitive host information such as the network configuration, list of running processes, and a password hash dump. This information will be posted back via HTTPS to a Rapid7-controlled server.
  • Sensitive Document Disposal Audit (“Dumpster Diving”) - Tenth Power/WhiteHat will search internal trash receptacles and external dumpsters and disposal areas for sensitive documents and flash, magnetic or optical media that are disposed of in violation of company policy.
  • Physical Security Assessment - High level assessment of physical security controls including:
    • Building Access Control
    • Access Controls Around IT Assets
    • LAN Jack Access Controls