About us Contact us E-mail us
 

 

Home  |  Company Profile  |  Case Study
information technology
             
   

Security Services | Compliances | Training

Security Services & Methodology

For a Sample Security Audit
email at : mohit@aretecon.com
or call at : 09811500506

Arete penetration test methodology includes three types of approaches for penetration testing:

  • A zero-knowledge test
  • A full knowledge test
  • and a partial knowledge test
With our zero-knowledge attack, the Penetration Test Team has no real information about the target environment. This type of test is obviously designed to provide the most realistic penetration test possible

In our partial knowledge test, the client organization provides the test team with the type of information a motivated attacker is likely to find, and hence, saves time and expense.

Our partial knowledge test approach is used if there is a specific kind of attack or specific targeted host that the client organization wants to have the penetration test team focus on. To conduct a partial knowledge test, the test team is provided with such documents as policy and network topology documents, asset inventory, and other valuable information.

Our last type of approach for penetration testing is a full-knowledge attack, whereby the penetration test team has as much information about the client environment as possible. This approach is designed to simulate an attacker who has intimate knowledge of the target organization’s systems, such as an actual employee. The above strategies are conducted both on the Application as well as the Network. The steps involved in Application and Network VAPT are as follows:

1. Application Penetration Test Methodology

  • Information Gathering
  • Configuration Testing
  • Business Logic Testing
  • Authentication Testing
  • Authorization Testing
  • Client-side Attacks
  • Data Validation Testing
  • Session Management Testing
  • Denial of Service Testing
  • Web Services Testing
  • AJAX Testing

2. Network Penetration Testing Methodology

  • Reconnaissance
  • Vulnerability Assessment
  • Network Links and Protocol Vulnerability Testing
  • Multiple Attack Vector Analysis
  • Exploitation
  • Scenario Modeling Analysis
  • Root Cause Analysis
  • Risk Calculation
Information Security Services

Information Security Services are generally divided into the following areas:

  • Vulnerability Assessment and Penetration Testing (VAPT) of Web Applications
  • Managing Security Services
  • Training
3. Vulnerability Assessment and Penetration Testing (VAPT)

Arete Vulnerability Detection and Penetration Testing is the most comprehensive service for auditing, pen testing, reporting and patching for your company’s web based applications. With Port 80 always open for web Access there is always a possibility that Hacker can beat your Security systems and had some unauthorized access to your web Applications.

Benefits of Penetration testing

  • Identify any potential security vulnerabilities in an organization’s current infrastructure and develop plans to mitigate these weaknesses.
  • Determine the degree of exposure to external and internal attacks.
  • Provide evidence that verifies the possibility of exploiting the vulnerabilities found.
  • Determine the probability that an attacker could compromise the system with access to computers connected to your company's network.
  • Assess the defense systems such as Intrusion Detection System (IDS), firewall etc and check if they are working properly.
  • Third-party audits meet government and industry compliance standards.
  • Accurate and up-to-date vulnerability knowledge base.
  • Comprehensive and easy to user report for management as well as technical team.
  • Closing all window of opportunity for intruders.

They are also specific to the application(s) being tested for vulnerabilities. The process followed is as defined –

  • Audit
    • Information Gathering
    • Vulnerability Scanning & Penetration Testing
  • Report
    • Risk Assessment
    • Comprehensive Reporting with Management / Technical Reports
  • Secure
    • Patching Vulnerabilities
    • Software’s Recommendation / Implementation
  • Manage
    • Regular Patching of newly discovered vulnerabilities in the
      system
    • Address and escalate any unforeseen security related issue
    • Identify, recommend and implement long term solutions

4. Managing Security Services

Intrusion Detection System

An intrusion detection system (IDS) generally detects unwanted manipulations to Web Application, mainly through the Internet. The manipulations may take the form of attacks by hackers.

It consist of sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received.

An intrusion detection system is used to detect many types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files and malware.

Deliverables

  • Configure IDS for basic functioning
  • Create policies based on organizational requirements
  • Alerts and reporting for intrusions blocked
  • Management of IDS - patches, updates and optimization of rules.
  • Logs available for forensics .

Intrusion Prevention System

An intrusion prevention system is a computer security device that exercises access control to protect computers from exploitation. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology but it is actually another form of access
control, like an application layer firewall. The latest next Generation Firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system. It occurs in Real time.

Deliverables

  • Setting up and management of the Intrusion detection and Monitoring System.
  • Weekly reporting on malicious and abnormal activity.
  • Action taken on high security/load alerts.
  • Monthly detailed discussion on proactive steps to prevent intrusions, load, and policy violations based on the logs.
  • Forensic activity if required using the IPS.
  • Prevention/Monitoring of data transfer through Web Serves.
  • Prevents attacks on real time.

5. COMPLIANCE REPORT

Under this service we maintain compliance with HIPAA, GLBA, PCI and Sarbanes-Oxley carry out the required audits and re-audits. We give a 100 per cent assurance that once the non-conformities out of our audit are implemented and clear our regression audit it will never fail in the audit by certification bodies. We can do so as we do a strong audit and suggest practical implementations.

Health Insurance Portaility and Accountability Act (HIPAA):
Regulation impacts those in healthcare that exchange patient information electronically. HIPAA regulations were established to protect the integrity and security of health information, including protecting against unauthorized use or disclosure of the information.

Payment Card Industry Data Security Standard (PCI): Which enables payment service providers and merchants to track and report on all access to their network resources and cardholder data through system activity logs? The presence of logs in networked environment allows thorough forensic analysis when something does go wrong. Without system activity logs it would be difficult to determine the cause of a compromise.

Sarbanes-Oxley: Logs form the basis of the internal controls that provide corporations with the assurance that financial and business information is factual and accurate.

W3 Consortium : The world wide web consortium develops interoperable technologies (specification, guidelines, software, and tools) to lead the web to its full potential.W3C is a forum for information, communication, and collective understanding.

OWASP: The Open Web Application Security Project is a worldwide free and open community focused on improving the security of application software. The aim is to make application security visible, so that people and organization can make informed decisions about application security risks.