Website Security Audit & Vulnerability Assessments
Web Application Security Assessment
Recent media profiles of attacks targeting organizations highlight the risks that web application vulnerabilities present, making web application security more important than ever for maintaining a comprehensive security and compliance program to protect company data and assets. While standard vulnerability assessments focus on the host and server platforms, web application vulnerability assessments focus on the web applications themselves.
WAS security assessments Detects web vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and URL redirection with maximum automation. WAS provides identification of the most common web application vulnerabilities including the OWASP Top Ten. Web Application Scanning (WAS) brings web application security to a new level that includes unique capabilities – including accurate discovery and cataloging of web applications, identification of vulnerabilities and remediation paths, helping companies proactively secure their web applications.
Malware Detection Service
Thousands of web sites, including those of larger, well-established companies, are infected with malware daily, often without their knowledge. The malware can disrupt operations for the website or its users, or gain unauthorized access to information and computer systems.
In addition, with the emergence of third-party content services such as ad networks, malware often doesn’t need to reside on a web site to infect its users. To counter these threats, Malware Detection Service (MDS), scans their web sites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution. MDS enables organizations to protect their customers from malware infections and safeguard their brand reputations daily for one year.
Manual Penetration Testing
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability.
Penetration testing can also be useful for determining:
- How well the system tolerates real world-style attack patterns
- The likely level of sophistication an attacker needs to successfully compromise the system
- Additional countermeasures that could mitigate threats against the system
- Defenders’ ability to detect attacks and respond appropriately.
CDI utilizes the NIST methodology which is a widely adopted approach to performing penetration testing that is effective in testing the security of the CLIENT’s network. All of the examinations are conducted with publicly available and commercial tools.
External Penetration Tests follow best practice in penetration testing methodologies which generally includes 4 phases:
In the planning phase, rules are identified, management approval is finalized and documented, and testing goals are set. The planning phase sets the groundwork for a successful penetration test. No actual testing occurs in this phase.
The discovery phase of penetration testing includes two parts. The first part is the start of actual testing, and covers information gathering and scanning. Network port and service identification is conducted to identify potential targets. In addition to port and service identification, other techniques are used to gather information on the targeted network
- Host name and IP address information can be gathered through many methods, including DNS interrogation, InterNIC (WHOIS) queries, and network sniffing (generally only during internal tests)
- Employee names and contact information can be obtained by searching the organization’s Web servers or directory servers
- System information, such as names and shares can be found through methods such as NetBIOS enumeration (generally only during internal tests) and Network Information System (NIS) (generally only during internal tests)
- Application and service information, such as version numbers, can be recorded through banner grabbing.
The second part of the discovery phase is vulnerability analysis, which involves comparing the services, applications, and operating systems of scanned hosts against vulnerability databases (a process that is automatic for vulnerability scanners) and the testers’ own knowledge of vulnerabilities.
Executing an attack is at the heart of any penetration test and represents the individual steps of the attack phase—the process of verifying previously identified potential vulnerabilities by attempting to exploit them. While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase of a penetration test exploits the vulnerability to confirm its existence. If an attack is successful, the vulnerability is verified and safeguards are identified to mitigate the associated security exposure.
In many cases, exploits that are executed do not grant the maximum level of potential access to an attacker. They may instead result in the testers learning more about the targeted network and its potential vulnerabilities, or induce a change in the state of the targeted network’s security. Some exploits enable testers to escalate their privileges on the system or network to gain access to additional resources.
The reporting phase occurs simultaneously with the other three phases of the penetration test. In the planning phase, the assessment plan—or ROE—is developed. In the discovery and attack phases,
written logs are usually kept and periodic reports are made to system administrators and/or management. At the conclusion of the test, CDI prepares a report that describes identified vulnerabilities, present a risk rating, and give guidance on how to remediate the discovered weaknesses.