Lateral Security - Services

By: Lateral Security  06-Dec-2011
Keywords: Security, It Security, Security Testing

Lateral Security's standard services include:

The design & architecture review focuses on the environment to ensure key risks are mitigated and to identify key security control points. This includes control of traffic flows, identification of single points of failure, segregation of security zones and documentation to support the proposed design.

This review includes:

  • Pre-production security testing and advice
  • Analysis of security implications of the chosen design
  • Application architecture and security controls
  • Boundaries and interfaces
  • Dataflow, caches and data stores
  • Physical deployment configuration of the service and all network devices
  • Documentation review (including version controls)

The design & architecture review often reduces the overall IT project budget as issues are discovered earlier and changes are easier to implement before the design is implemented.

This review takes approximately 1 day for a standard review.

This review includes:

  • Network discovery - establishes Internet "foot print"
  • Network scanning - external and internal scanning
  • Internet profiling - vulnerability testing of all Internet devices
  • Network device test - servers, firewalls, routers

Penetration testing & vulnerability assessment involves the use of automated tools as well as manual test methods. Vulnerabilities or weaknesses often exist within systems and penetration testing can be used to qualify the extent to which any identified vulnerability can be exploited.

This review takes approximately 2-3 days for a standard review.

The application & source code review looks deeply into the internal workings of an application. Lateral Security selects and reviews security-sensitive processes within an application in a line-by-line manner.

The application & source code review is a way of ensuring that the application has been developed so as to be “self-defending” within its given environment.

This type of testing is designed to provide assurance for applications that have a high IT security requirement like banking, finance, Government, or database applications that hold private client information.

This review includes:

  • Login registration and transactional processes
  • Code error identification and exploitation
  • Logic errors, backdoor identification
  • Test code vulnerabilities (code left behind)
  • Upgrades and patch vulnerabilities
  • Privacy leakage testing for banking, finance and government
  • Post-exploitation information gathering

The time taken for a source code review is dependant on the number of lines within the code and the overall application size.

A typical source code review would take 5 days.

As a recognised leader and frequent presenter at mobile security conferences, Lateral Security recognises that mobile technology has become a key strategic component within any organisation with many productivity benefits. Lateral Security recommends reviewing of these technologies before and during deployment to reduce the likelihood of a future compromise.

This review analyses the security implications of these devices, the various operating systems, the backend applications, monitoring systems and the security controls and processes used within your environment.

Mobile technologies:

  • Handheld mobile devices - iPhone, Android, Nokia, Blackberry
  • Portable mobile devices - Laptops, tablets, iPad
  • Wifi, WiMAX, GSM, Edge, 3G, 4G
  • Enterprise - MS Exchange/Outlook, Android, Apple MobileMe
  • Mobile applications - iPhone and Android custom built client device apps

Handheld mobile review includes:

  • Synchronisation authentication including log-on and digital certificates
  • On device security and encryption
  • Remote disable and wipe
  • Software application security (iPhone and Android custom built applications)
  • Patch management
  • Mobile application review
  • Server and transport layers (Telco links, testing includes both fixed and wireless)
  • Firewall rule set review
  • Management control processes and policies

This review takes approximately 3 days for a standard review.

Wireless has become commonplace in many working environments. This “frees” up staff and allows seamless roaming within a building or location based area. Wireless technologies can be easily compromised and this review focuses on understanding and measuring these risks.

This review looks at the infrastructure security (Corporate vs. Guest vs. Public) and how the mobile devices access the network in an authorised secure fashion. Lateral Security outlines protection methods and mitigations that can be implemented to secure any given Wireless environment.

Wireless technologies:

  • Wifi, WiMAX, 802.11 (a/b/g/n/i)
  • WEP, WPA/2, PSK
  • Bluetooth and Infrared technologies
  • Infrastructure (Access Points and network nodes)

Review includes:

  • Architecture review
  • Network segregation & shared wireless infrastructure controls
  • Authenticated/Unauthenticated tests
  • Firewalls/VLAN, Anti virus controls
  • Intrusion detection testing
  • Rogue Access Points
  • Full network scanning - establish existing wireless “footprint”
  • Password security and authentication
  • Network segregation (what other data can be viewed on the wireless LAN)
  • Encryption levels - Is data encrypted, what type of encryption?
  • Physical device deployment - device locations, can they be physically compromised?

This review takes approximately 3-4 days for a standard review.

This is an in-depth review of the configurations of various components within the environment, including servers, routers, and firewalls. Each component is reviewed against security best practice and standards such as DISA STIGs, NIST, CIS checklists, and vendor guides.

This review includes:

  • Documentation reviews
  • File “dumps” of network devices to check configuration
  • Vendor firmware update check
  • Miss-configured devices (breaks business logic rules)
  • Ruleset checks (against recognised standards)

Documentation is also reviewed to ensure what is written down matches the configurations on the devices. This can help to reduce costs for ongoing support within an IT environment. This review is recommended on a production or close to production environment to ensure that configurations match the production environment.

This review takes approximately 1 day per device.

Under PCI DSS version 2, Companies are required to regularly test their security systems and processes. Lateral Security offers auditing and certification services and uses the latest Qualys PCI certified scanning and testing tools.

Lateral Security can help you to meet the following PCI DSS requirements:

  • PCI DSS requirement 11.1 - Wireless access point presence and detection of unauthorised wireless access points (quarterly)
  • PCI DSS requirement 11.2 - Internal and external vulnerability scanning (quarterly)
  • PCI DSS requirement 11.3 - External and internal penetration testing (annually and after any significant infrastructure or application upgrade or modification)

Lateral Security can also assist with:

  • Security policy development to fully comply with PCI DSS
  • Auditing against PCI DSS

Security policy development and compliance to relevant standards is challenging for any organisation. There are many standards that need to be taken into consideration. Lateral Security can help with the development, implementation and measurement of these security policies within your organisation.

Services include:

  • Security Policy design and development
  • Implementation of a base line Security Policy
  • Produce customer facing documents to satisfy third parties
  • Security Policy improvement e.g.: move ITIL maturity score
  • Standards include ISO/IEC 27001 & 27002, PCI DSS, NZISM, SIGS, COBIT, ITIL, SOX
  • Initial security audit
  • Security policy alignment e.g. ISO/IEC 27002, NZISM
  • Organisational documentation creation

This is a review of the organisation’s policies and procedures in relation to specific tasks, such as user management or security monitoring. The review can contain a number of elements including:

  • Organisational documented policies and procedures relating to specific security tasks
  • Policy and procedure alignment with recommended practice
  • Policies and procedures are implemented correctly
  • Sufficient monitoring of the implementation

Standards that we measure against can include:

  • ISO 27001 and 17799 (27002)
  • NZISM and SIGS (for government)
  • ITIL V3
  • Cobit 4.1
  • Sarbanes-Oxley Act 2002
  • Privacy Act 1993
  • Protected Disclosures Act 2000
  • Human Rights Act 1993
  • Official Information Act 1982

Threat Modeling & Risk Assessment is the process of understanding and assessing the risk appetite of an organisation for security-related events. It allows an organisation to prioritise its security spending on the areas that truly matter. This is an interactive process where input is required from the organisation in order to gain the most benefit from the process. During the remainder of the review, mitigations for risks will be identified, and residual risk determined.

Lateral Security uses the following methodology:

  • Asset classification
  • Threat identification
  • Countermeasure identification
  • Likelihood determination
  • Impact determination
  • Risk determination
  • Additional; countermeasure recommendation

The outcome of this engagement is a clear understanding of the threats and risks facing an organisation, and a priority list of areas that need to be focused on in order to either gain assurance that countermeasures are in place, or implement new countermeasures where they do not exist.

Keywords: It Security, Security, Security Testing

Other products and services from Lateral Security

IT Security Consulting and Testing Services from Lateral Security thumbnail

IT Security Consulting and Testing Services

Agile, fully independent IT security testing and assurance company

IT Security Consulting and Testing Services from Lateral Security thumbnail

IT Security Consulting and Testing Services

Agile, fully independent IT security consulting and testing services