Focused Audits & Assessments

Penetration Testing & Vulnerability Assessments

Network Device Configuration

Incident Response Management

Cloud Computing Security

Our Approach

Some organizations have more mature information security programs and controls environments, or have gone through a recent audit or assessment of their general IT controls. Others have specific regulatory requirements or have identified areas requiring review or improvement.  In these situations we are able to provide more focused, detailed audits or assessments to identify opportunities for further improvement or to fulfill any requirements. Incendio provides these services for all areas of IT security, with some of the more common ones detailed below.

Penetration Testing & Vulnerability Assessments 

There are many benefits to penetration testing and vulnerability assessments.  If done properly, such testing can provide a view of your IT infrastructure and applications from the perspective of an attacker, identifying areas of both strength and weakness in your security posture, and a corresponding root-cause analysis can provide insight into the cause of any discovered weaknesses.

Penetration testing and vulnerability assessment approaches in the market vary from running a scanning tool and providing a copy of the output, to unleashing a team of former government Red Team members on your organization for several weeks or months.  While Incendio is able to accommodate both approaches, most of our clients opt for a value-based approach that fulfills regulatory requirements while also providing valuable insight for improving their organization’s security. This approach mimics an attacker looking to exploit the client’s systems or those of a similar company (for example, small banks), usually for financial gain, rather than taking the approach of an advanced threat with vast resources specifically targeting an organization.  We go beyond running a simple scan by attempting to exploit vulnerabilities and performing limited password cracking, thus limiting false positives and evaluating the impact of these vulnerabilities on your specific environment.

Common testing scopes include a combination or all of the following:

  • External-facing hosts
  • Web applications
  • Internal hosts and network devices
  • Wireless access
  • Social engineering
    • Email phishing
    • Spear phishing
    • Information disclosure
    • Physical access

We pride ourselves on communication and keeping our clients informed of all activities, including the beginning, pausing and restarting, and completion of testing.  At any point in the testing, we immediately notify our client, based on a pre-established communication protocol, of any critical findings requiring immediate attention.  While external testing is always performed remotely, we are able to perform internal testing onsite, or remotely by shipping our scanning appliance to the client location to keep costs to a minimum. Most clients prefer to perform testing during business hours when IT staff is available in the rare event of a technical issue, but we are also able to accommodate any testing windows, including nights and weekends.

Network Device Configuration   

Despite the value a penetration test or vulnerability assessment provides in evaluating the security of a network infrastructure from the perspective of an attacker, there is great value to be had in assessing network device configurations by auditing the actual configuration files themselves.  Incendio uses an automated tool to parse each configuration file and report potential configuration issues and firmware vulnerabilities, which are then analyzed by way of manual investigation to identify false positives and assess the level of risk within the context of the client’s network.

Incendio has performed this type of assessment numerous times and has developed a simple approach, as follows:

  • Obtain and review an inventory of network devices
  • Obtain the configuration files included in the scope of the assessment and validate the inventory
  • Perform the automated scan of the configuration files
  • Analyze the scan results
  • Perform a root-cause analysis to identify potential procedural causes of configuration issues
  • Provide a summary report of the results and the automated scan output to the client
  • Discuss the results with the client
  • Answer any questions and perform follow-up analysis as required

If the client provides detailed information about the network, Incendio can better customize risk ratings to the specific environment. Otherwise we provide relative risk ratings to be used as a prioritization guide for analysis and remediation by the client, rather than absolute ratings.

In many instances, particularly for clients who wish to use the assessment as part of a formal audit plan, Incendio will also obtain relevant policies, procedures, and device configuration standards against which we compare the assessment results to evaluate compliance with organizational controls. This modular approach allows for assessments ranging from a network device configuration health check to a detailed network device configuration management audit that has received favorable feedback from multiple regulatory bodies.

Incident Response Management 

The National Institute of Standards and Technology (NIST) has developed recommendations for establishing a Computer Security Incident Handling Capability in its Special Publication 800-61.  It explains the importance of this capability by stating:

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.  An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.

Our experience indicates that many companies are not prepared to handle an incident, or possibly worse, do not realize they are not prepared.  Incendio has the expertise to assist our clients with developing an incident response capability, or to review and assess an existing one.  This is often an important part of regulatory compliance, as multiple organizations including the SEC and NY DFS have begun sending questionnaires to their regulated entities inquiring about cyber security defenses, including incident response management.  We can ensure you have a risk-based, comprehensive plan in place to identify and manage a security incident before it occurs.

Cloud Computing Security  

One of the biggest technology changes faced by business today is the rise of cloud computing.  While a variety of definitions exist for cloud computing, Accenture concisely defines it as “the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network.” From an IT security standpoint, the primary concern is that the user of cloud computing services is relinquishing physical control of its data by transmitting and/or storing it on infrastructures owned and controlled by an outside party or parties, which presents additional risks that require consideration and, possibly, additional controls.  While some organizations simply shun the use of cloud computing as a result, the reality is that the use of cloud computing can be difficult to avoid, can offer significant business advantages, and is sometimes more secure than locally hosted systems that are often not secured or managed properly.

To assist our clients with the enhancement of controls surrounding the use of cloud computing services, Incendio can perform an assessment or audit of controls surrounding cloud computing, while also developing a detailed risk assessment to be used for both initial and ongoing assessments of cloud computing vendors.  The controls used to create the risk assessment and audit steps are derived from a combination of sources, including ISACA, the FBI’s Recommendations for Implementation of Cloud Computing Solutions, Gartner, and the Cloud Security Alliance.  Incendio separates the high-level controls related to the management of cloud computing services as a whole from more specific controls related to specific cloud computing vendors to provide a comprehensive cloud computing control environment.  The high-level controls address the following areas:

  • Governance Model
  • Identification of Risk
  • Monitoring of Vendor Compliance with SLAs and Contractual Requirements
  • BCP/DR Plans for Loss of Provider Services
  • Incident Response Related to Cloud Computing Services
  • Formal Compliance Review Related to Cloud Computing Services
  • Customer Control Over Identity Provisioning for Cloud Computing Services

The more detailed controls specific to each cloud computing vendor are customized for each client and used to develop the risk assessment template to be used by the client for current and future assessment of cloud computing services.

Want to know more?

Send us an email with any questions you may have. We’d be happy to assist and look forward to working with you.