Operating System Assessments
J S Teksys has significant experience in conducting operating system security assessments based on multiple standards and guides. We identify the function of the OS and develop an assessment of possible vulnerabilities and threats to the OS and its environment. Using guidance from NIST SP 800-123, our security experts validate adherence to security configuration guidance.
Our operating system assessment service can be provided as part of a strategic or compliance assessment, as staff capabilities onsite or as part of our large-scale operations and administrative support capabilities.
As the 2018 Verizon Data Breach Report shows, web applications are a popular attack target in confirmed data breaches, and in some industries up to 41% of data breaches are web application-related. The report also found that about half of web application-related breaches took several months or longer for security teams to discover. The longer an attacker has access to systems, the more damage they can cause. Attackers must be discovered and removed as quickly as possible, but that’s often easier said than done.
Database Assessments
Many organizations are learning that their databases are a prime target for both external cyber attackers and internal sources. Additionally, compliance with regulatory data requirements such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) requires organizations to perform regular database security audits. Database vulnerability assessments examine your data environment to identify risks, threats and weaknesses, then prioritize them for remediation.
You can’t protect against problems if you don’t know they exist. The J S Teksys Consulting team will scan your databases and associated systems for vulnerabilities such as missing patches, weak passwords, misconfigurations, excessive privileges, default vendor accounts and external threats. Additionally, we look at your data administration and security policies to see if they meet industry standards and best practices. Finally, we calculate your level of risk and present you with a detailed security and compliance report, complete with prioritized recommendations for fixes, upgrades and improvements.
Vulnerability Scanning
Our Threat and Vulnerability Management practice has developed a time-tested methodology that covers the spectrum of TVM activities - from executing one-time
automated scans and manual penetration tests to establishing and running an ongoing TVM capability. Our vulnerability scanning service can be provided as part
of a strategic or compliance assessment, as staff capabilities onsite or as part of our large-scale operations and administrative support capabilities.
Our cloud labs evaluate security technologies, develop proprietary security tools used for penetration testing, and develop security tool baselines that accelerate implementation and ramp-up, and enhance our knowledge of the latest vulnerabilities and security tools.
Our consultants developed a four-step ISPV process for starting an effective vulnerability assessment with any automated or manual tool.
1. Initial Assessment
Identify the assets and define the risk and critical value for each device (based on client input), such as a security assessment vulnerability scanner. At a minimum, establish the importance of each device on your network, or at least of the devices that you'll test. It's also important to understand whether the device (or devices) can be accessed by any member of your company (such as a public computer or a kiosk) or only by administrators and authorized users.
2. System Baseline Definition
Second, gather information about the systems before the vulnerability assessment. At a minimum, check whether the device has ports, processes or services open that shouldn't be. Also, understand the approved drivers and software (that should be installed on the device) and the basic configuration of each device (if the device is a perimeter device, it shouldn't have a default administrator username configured).
3. Perform the Vulnerability Scan
Third, use the right policy on your scanner to accomplish the desired results. Before starting the vulnerability scan, look for any compliance requirements based on your company's posture and business, and determine the best time and date to perform the scan. It's important to recognize the client's industry context and determine whether the scan can be performed all at once or whether segmentation is needed. An important step is to re-define the policy for the vulnerability scan and get it approved before the scan is performed.
For the best results, use related tools and plug-ins on the vulnerability assessment platform, such as:
✔ Best scan (i.e., popular ports)
✔ CMS web scan (Joomla, WordPress, Drupal, general CMS, etc.)
✔ Quick scan
✔ Most common ports best scan (i.e., 65,535 ports)
✔ Firewall scan
✔ Stealth scan
✔ Aggressive scan
✔ Full scan, exploits and distributed denial-of-service (DDoS) attacks
✔ Open Web Application Security Project (OWASP) Top 10 Scan, OWASP Checks
✔ Payment Card Industry Data Security Standard (PCI DSS) preparation for web applications
✔ Health Insurance Portability and Accountability Act (HIPAA) policy scan for compliance
4. Vulnerability Assessment Report Creation
The fourth and most important step is the report creation. Pay attention to the details and try to add extra value in the recommendations phase. To get real value from the final report, add recommendations based on the initial assessment goals. Also, add risk mitigation techniques based on the criticality of the assets and results. Add findings related to any gap between the results and the system baseline definition (deviations in any misconfiguration and discoveries made), and recommendations to correct the deviations and mitigate possible vulnerabilities. Findings in the vulnerability assessment are normally very useful and are ordered so that each finding is easy to understand.
However, it’s important to keep the following details in mind and realize that high and medium vulnerabilities should have a detailed report that may include:
✔ The name of vulnerability
✔ The date of discovery
✔ The score, based on Common Vulnerabilities and Exposures (CVE) databases
✔ A detailed description of the vulnerability
✔ Details regarding the affected systems
✔ Details regarding the process to correct the vulnerability
✔ A proof of concept (PoC) of the vulnerability for the system (if possible)
✔ A blank field for the owner of the vulnerability, the time it took to correct, the next revision and countermeasures between the final solution
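The baseline comparison from step 2 and the report ordering from step 4, as an added example that is not J S Teksys tooling. The asset names, criticality values, port sets, field names and the priority rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: step 1 (criticality, exposure) and step 2 (approved baseline).
ASSETS = {
    "edge-fw-01": {"criticality": 5, "public": False, "approved_ports": {443}},
    "lobby-kiosk": {"criticality": 2, "public": True, "approved_ports": {443}},
    "db-01": {"criticality": 4, "public": False, "approved_ports": {22, 5432}},
}
# Constructed step 3 scan output: host -> open TCP ports observed.
SCAN = {
    "edge-fw-01": {23, 443},
    "lobby-kiosk": {443, 3389},
    "db-01": {22, 5432},
    "unknown-host": {8080},
}

@dataclass
class Finding:
    name: str
    host: str
    detail: str
    priority: int            # higher = fix first (assumed scale)
    discovered: date = field(default_factory=date.today)
    owner: str = ""          # blank field, filled in during remediation

def baseline_deviations(assets, scan):
    """Return a finding for every gap between scan results and the baseline."""
    findings = []
    for host, open_ports in scan.items():
        asset = assets.get(host)
        if asset is None:
            # A host absent from the inventory is itself a deviation.
            findings.append(Finding("Unlisted asset", host,
                                    f"ports {sorted(open_ports)}", priority=5))
            continue
        # Assumed rule: devices anyone can access get one extra priority point.
        priority = asset["criticality"] + (1 if asset["public"] else 0)
        for port in sorted(open_ports - asset["approved_ports"]):
            findings.append(Finding("Unapproved open port", host,
                                    f"tcp/{port} not in baseline", priority))
    # Report order: highest priority first, then host name for stable output.
    return sorted(findings, key=lambda f: (-f.priority, f.host))

if __name__ == "__main__":
    for f in baseline_deviations(ASSETS, SCAN):
        print(f.priority, f.host, f.name, f.detail, f.discovered, sep=" | ")
```
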
© J S Teksys Inc. 2019. All rights reserved.