Securing digital information systems

Today, nearly every company relies on a digital information system to handle its business data. Because that data is sensitive, securing the system is extremely important. Commonly, a digital information system comprises several segments:

- Computer network – includes network routers, switches and cables, as well as network endpoints such as physical ports and WiFi networks. Testing it might require an agreed timeframe and, in the case of white hat testing, physical access to the site.

- Computer nodes – laptops, PCs, servers, mobile phones and any other devices used within the company for processing and storing the company's data. They commonly run an operating system and arbitrary applications and are connected to the network. Testing them might require an agreed timeframe and, in the case of white hat testing, physical access to the site.

- External services – commonly include the company's web site hosted on the servers of a web hosting provider, as well as any other Cloud service used by the company's employees, such as web mail (Gmail, Hotmail, etc.), storage services (Dropbox, OneDrive, etc.), etc. Testing them might require approval from both the company and the external providers, since hosting and Cloud providers generally do not allow their infrastructure to be tested without permission.

- Data – owned by the company, processed, transmitted over the network and finally stored on local nodes or Cloud services. Represents the company's accounting and legal documents, statements, notes, pictures, videos and any other valuable data stored in digital format. Assessing it might require a non-disclosure agreement with the company and access to the data.

In order to secure its digital information system, a company first has to evaluate its current security level by finding vulnerabilities and estimating the risks they pose, and then implement solutions that address them.

This can be done by performing a Vulnerability Assessment (VA) and/or Penetration Testing (Pen test), as well as Damage Control in case an attack has already taken place.

Vulnerability Assessment

A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in a system. It is an in-depth evaluation of the organization's information security posture, indicating weaknesses as well as providing the mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Vulnerability Assessment follows these general steps:

- Determination of scope (defining segments)

- Catalog assets and resources in a system within a scope

- Assign quantifiable value and importance to the resources

- Identify the security vulnerabilities or potential threats to each resource

- Report and mitigate or eliminate the most serious vulnerabilities for the most valuable resources

Our services include Vulnerability Assessment of all listed segments:

- Computer network – network configuration, open ports, accessibility of physical ports and the WiFi network, encryption, authentication, etc. The analysis is performed both from inside the local network and from the outside; the difference between the two views shows which services the perimeter is actually hiding.

- Computer nodes – configuration of operating systems, including firewalls, anti-virus software, security updates, user credentials, and authentication and authorization procedures. Additionally, physical vulnerabilities of the nodes, i.e., physical accessibility of the nodes, hardware lock-down, etc. Finally, the configuration of specific applications, such as email clients (e.g., Outlook), web browsers (e.g., Internet Explorer) and communication tools (e.g., Skype), can also be included.

- External services – vulnerabilities of the web site (e.g., an outdated Joomla installation or its extensions), as well as the configuration of the Cloud service accounts in use (e.g., Gmail, Dropbox).

- Data – data confidentiality through encryption and authorization, data integrity through integrity checks and verified backups, and data availability through redundancy.
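As an added illustration of the "open ports" check on the computer network segment (example code written for this page, not a tool from the original), the following Python script performs a plain TCP connect scan and grabs whatever banner each open service volunteers. It starts a throw-away listener on 127.0.0.1 so that it runs offline; the banner string, the scanned port range and the function names are constructed for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of TCP ports on `host` that accept a connection.

    A full connect() scan needs no raw-socket privileges, so the same code
    runs from an employee laptop on the LAN (inside view) and from a host on
    the Internet (outside view). The two result sets differ by exactly the
    services the perimeter firewall is supposed to hide.
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising, which keeps
            # the hot loop free of exception handling.
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def grab_banner(host, port, timeout=1.0, max_bytes=128):
    """Read what the service sends on connect (e.g. an SSH or SMTP greeting)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(max_bytes).decode("ascii", "replace").strip()
    except (OSError, socket.timeout):
        return ""


# --- Local demonstration: a throw-away listener stands in for a real service. ---
def start_fake_service(banner=b"SSH-2.0-ExampleService\r\n"):
    """Start a listener on 127.0.0.1 on a free port; return (port, stop_fn).

    The banner is constructed sample data, not a real SSH implementation.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was shut down
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner closed before reading; that is normal

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def scan_demo():
    """Scan a small window around the fake service and return what was found."""
    port, stop = start_fake_service()
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
        banners = {p: grab_banner("127.0.0.1", p) for p in found}
    finally:
        stop()
    return port, found, banners


if __name__ == "__main__":
    port, found, banners = scan_demo()
    print(f"listener on {port}; open ports found: {found}")
    for p, b in banners.items():
        print(f"  {p}/tcp  {b or '(no banner)'}")
```

In an assessment the same `tcp_connect_scan` is run twice, once from a machine on the internal network and once from outside against the public address; any port that is open in the outside view but was not meant to be published is a finding in its own right.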

Penetration Tests

A penetration test simulates the actions of an external and/or internal attacker who aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data, within the agreed scope and rules of engagement.

Penetration Testing follows these general steps:

- Determination of scope (defining targets)

- Targeted information gathering or reconnaissance

- Exploit attempts for access and escalation

- Sensitive data collection testing

- Clean up and final reporting

Our services include Pen Testing of all the segments. Pen Testing can be performed using three different approaches:

- White box – an approach where the company provides all the necessary information for breaking into the system, such as IP addresses, credentials, sitemaps, etc. This approach is very close to a VA, with the distinction that it targets a specific part of a segment.

- Black box – an approach where the ethical hacker gets only the company's name, and all other steps are carried out independently. This is the most realistic simulation of an external attacker; however, it is also the most time consuming.

- Grey box – an approach somewhere in between White and Black box, where partial information (e.g., the in-scope IP ranges but no credentials) is provided. This is usually the best trade-off between realism and effort.

Damage control

If an attack has already taken place, there are actions that can be performed in order to limit or completely reverse the damage caused by the attacker.

Damage Control follows these general steps:

- Determination of scope (defining specific issues)

- Analyzing the compromised segments

- Defining objectives and a rescue plan

- Executing the plan

- Recovering the objective and reporting

Compromised systems can show many different symptoms and behaviors, so it is impossible to list them all. Our services cover many of them; the most common ones are:

- WiFi compromised – the company's WiFi has been penetrated and is being used by malicious neighbors. Unauthorized devices are identified, reported and blocked. A stronger security mode and a new password are advised.

- Operating system lockout – the user is unable to access their computer due to an attack or a lost password. First, the data is backed up from the disk, and then access to the user account is regained. A recovery disc and a separate administrator account are advised.

- Web site hijacked – a Joomla web site has become unavailable due to attacks. The web site files and database are backed up (over SFTP rather than plain FTP where the host allows it, so the backup is not exposed in transit) and then cleaned. Keeping the web site updated and regularly backed up is advised.

- Data loss – the user is unable to find data on a disk or USB stick due to a virus infection. The storage device is first cloned, so that recovery never writes to the original, and the clone is then examined with low-level tools to retrieve the data. Regular backups are advised.
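As an added illustration of the low-level recovery step in the data-loss case (example code written for this page, not a tool from the original), the following Python carver ignores the filesystem entirely and scans a cloned image for known file signatures, which is how files whose directory entries were destroyed are recovered. The "disk image" it scans is constructed inline from filler bytes, three small files and one truncated file, so it runs offline; the signature table and the `carve`, `make_png` and `build_sample_image` names are this example's own.

```python
import hashlib
import os
import zlib

# File signatures the carver looks for: kind -> (header, trailer). This table
# is constructed for the example; real carvers carry hundreds of entries.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a trailer beyond this window


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan raw bytes for known headers and return (kind, offset, data) tuples.

    Directory entries and allocation tables are ignored entirely, which is why
    this still works after malware has deleted files or damaged the filesystem:
    the file contents usually remain on disk until overwritten. Always run it
    against a clone of the device, never the original.
    """
    results = []
    for kind, (header, trailer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                # Truncated file or a false positive: step past the header and
                # keep scanning rather than carving garbage.
                pos = start + 1
                continue
            end += len(trailer)
            results.append((kind, start, image[start:end]))
            pos = end
    return sorted(results, key=lambda r: r[1])


def report(results):
    """Summarize carved files with a hash so the recovery can be verified later."""
    return [{"kind": k, "offset": off, "size": len(d),
             "sha256": hashlib.sha256(d).hexdigest()} for k, off, d in results]


def write_carved(results, outdir):
    """Write each carved file as <offset>.<kind> into outdir."""
    os.makedirs(outdir, exist_ok=True)
    for kind, off, data in results:
        with open(os.path.join(outdir, f"{off:012d}.{kind}"), "wb") as f:
            f.write(data)


def make_png(width=1, height=1):
    """Build a minimal valid RGB PNG (constructed sample data)."""
    def chunk(tag, data):
        body = tag + data
        return len(data).to_bytes(4, "big") + body + zlib.crc32(body).to_bytes(4, "big")
    ihdr = width.to_bytes(4, "big") + height.to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed stand-in for a cloned disk: filler with files scattered in and
    no filesystem at all. Ascending byte runs serve as filler because they
    contain none of the signatures above."""
    filler = lambda n: (bytes(range(256)) * (n // 256 + 1))[:n]
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 200 + b"\xff\xd9"
    png = make_png(2, 2)
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF"
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"\x22" * 50  # header, no end marker
    image = (filler(512) + jpeg + filler(300) + png + filler(128) + pdf
             + filler(700) + truncated_jpeg + filler(256))
    return image, {"jpg": jpeg, "png": png, "pdf": pdf}


if __name__ == "__main__":
    image, _ = build_sample_image()
    for entry in report(carve(image)):
        print(entry)
```

Against a real clone the image is read from the cloned device or image file instead of `build_sample_image()`; the hashes in `report()` go into the final report so the customer can later confirm the recovered files are the ones that were handed over.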

HOW TO APPROACH US?

First, general information is exchanged in order to decide whether both parties will enter into a deal and which type of security analysis is required, namely Pen Testing, VA or Damage Control. Upon agreement, a contract is signed and scoping is performed, i.e., it is determined which segments will be analyzed. In most cases, before the scope is determined, a non-disclosure agreement is signed, which protects the company as well as the ethical hacker performing the testing/assessment. After scoping, the timeframes, responsibilities and prices are determined.

The analysis itself depends on the scope, but it may include questionnaires, scouting the site, use of computer equipment and the network, etc. Additionally, any high-risk vulnerabilities found on site can be handled immediately.

The final output of the analysis is a report containing a well-documented list of the vulnerabilities found, along with proposed mitigations and solutions. Implementation of those solutions falls outside the agreed scope and is charged at the flat rate previously defined.

PRICING?

The price is determined after the scope of the security analysis is defined; it covers performing the security tests as well as writing the report.

Along with that, a flat hourly rate is defined for any additional task performed beyond the agreed scope. This includes additional security analysis that falls outside the scope, immediate fixes of high-risk vulnerabilities found on site, and the implementation of the security solutions defined in the report.

Finally, damage control tasks are charged as a lump sum depending on the case, or at the flat hourly rate for more complex problems.