Information security analysis and penetration tests

Information security analysis services

The purpose of the security analysis is to identify vulnerabilities in the information infrastructure. This allows you to plan further actions to eliminate deficiencies and, if necessary, take additional measures to protect and improve information security processes. The whole complex of activities (identification, elimination and prevention) is thus aimed at reducing the likelihood of various security threats.

The results of the security analysis show how best to prepare the existing infrastructure for operation in accordance with legal and industry requirements, taking into account existing world experience based on international information security standards and best international practices.

Objects of analysis

  • Web applications: penetration testing (pen-tests), during which specialists of our company emulate the actions of an attacker whose goal is to penetrate the internal infrastructure or to obtain, without authorization, protected data located within the external network perimeter.
  • IT infrastructure: security assessment, using the “intruder inside” model, of the LAN and DMZ networks that make up the internal and external perimeters of the organization’s network infrastructure, including a search for vulnerabilities on workstations, terminal devices, corporate and service server platforms, and databases.
  • Personnel: assessment of employees’ level of awareness in matters of information security on the basis of questionnaires and interviews. This assessment is also carried out using social engineering methods, which, in descending order of efficiency, include phishing, road apple, pretexting and quid pro quo.
  • Other infrastructure: assessment of the technical and administrative physical security measures in place, including buildings and premises where information is stored and processed. In addition to assessing the threats of penetration and the risks of overcoming physical controls, the engineering facilities that ensure the availability and continuity of computing equipment and information storage are studied and analyzed.

There are two assessment options for analyzing the security of information systems. Each aims to study the organization’s ability to maintain continuous activity when a cyber-incident occurs, and each provides an analysis, with a different degree of confidence, of the security status of information systems with respect to special policies, international standards and best world practices.

Vulnerability Assessment and Penetration Testing

Vulnerability assessment and penetration testing are two different testing methods that differ in the degree of detail of the results and in the specific parameters that are subject to study.

| Measure | Vulnerability Assessment (VA) | Penetration testing (pentest) |
|---|---|---|
| Reports | A comprehensive report on the identified vulnerabilities, on impaired management processes, including recommendations for eliminating flaws and increasing security. | A specific report on penetration, flaws in the information security architecture, vulnerable systems and compromised data with point and system corrective measures. |
| Controls | Detects all known vulnerabilities at the time of the inspection that can be applied to the information environment. | It allows you to detect unknown “zero-day” vulnerabilities, not limited solely to software or hardware flaws, including the imperfection of the systems approach and sociotechnical methods of penetration. |
| Value | Allows you to detect already compromised systems and determines the range of uniquely vulnerable systems. It makes adjustments to manage technical and business processes that exclude future vulnerabilities. | Offers proactive preventive measures applied to significantly reduce damage from impact on tested systems. Point adjustment of technical processes and systems approach to eliminate identified vulnerabilities. |
| Confidence | A reasonable level of confidence about the state of security of the entire infrastructure. | High level of confidence with respect to all systems covered by the study. |

Security Analysis Technique

Work on security analysis is carried out using the black box method (BlackBox) in accordance with Baker Tilly’s own methodology and taking into account international standards and best practices:

  • Penetration Testing Execution Standard (PTES);
  • NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment;
  • Open Source Security Testing Methodology Manual;
  • Information Systems Security Assessment Framework;
  • Web Application Security Consortium (WASC) Threat Classification;
  • Open Web Application Security Project (OWASP) Testing Guide;
  • Common Vulnerability Scoring System (CVSS).

The security analysis is carried out both with special tools and manually by experienced experts. We use exploits and tools that are not accessible to the public, as well as specialized utilities for exploiting vulnerabilities developed by Baker Tilly experts.

The attack is developed, using the privileges obtained and the methods listed above, until access to the LAN is reached or until all attack methods available at the time of testing have been exhausted.

Description of the work progress

  • OSINT (Open Source INTelligence): passive collection of information about the infrastructure of the object of the analysis and its personnel based on the sources of information available to the potential intruder.
  • Infrastructure scanning: identification of available resources in the network and physical infrastructure, determination of software versions and of the models of active server and network equipment. Simulation of attack vectors.
  • Active phase: conducting attacks, exploiting vulnerabilities, brute-forcing passwords, attempting to establish a presence in accessible network segments and move deeper into them.
  • Completion: documenting the progress and results of the work steps. Assessment of the level of security. Development of recommendations. Release of the report.