
Vulnerability Assessments and Penetration Testing


A vulnerability assessment is an overt study to identify areas that are susceptible to attack due to improper security. The goal is to study the organization's security and present improvements to resolve or mitigate problems. Vulnerability assessments range from internal to external and may even consider non-technical security procedures. Assessments are also either passive or active. A passive assessment inspects system configuration settings, system password files, and other system objects for security policy violations. An active assessment reenacts common intrusion scripts and documents system responses.

A vulnerability assessment enables an organization to be proactive in protecting its systems by locating security holes before attackers find and use them. Penetration testing goes beyond detecting vulnerabilities to safely exploiting them and demonstrating the path an attacker could use to breach a network.

It is important to note that the assessment results provide a snapshot of an organization's security at that point in time. Future changes in configurations or even permissions may alter the assessment. Vulnerabilities appear even in operating systems and applications that are patched and secure today.
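The passive assessment described above (inspecting system password files for policy violations) can be sketched as follows. This is an added example, not Carson's tooling; the sample passwd/shadow content is constructed and the policy rules are assumptions.

```python
# Added illustration: passive audit of passwd/shadow text for policy violations.
# Sample data is constructed; the policy rules are assumptions, not a standard.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
svc:x:998:998::/opt/svc:/bin/bash
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$constructed$hash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""
WEAK_SCHEMES = {"$1$": "MD5-crypt"}  # assumed policy: reject MD5-crypt hashes

def audit(passwd_text, shadow_text):
    """Return (account, finding) tuples; reads text only, changes nothing."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        user, pw_field, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "non-root account with UID 0"))
        # "x" means the real hash lives in the shadow file
        stored = shadow.get(user) if pw_field == "x" else pw_field
        if stored is None:
            findings.append((user, "no shadow entry"))
        elif stored == "":
            findings.append((user, "empty password field"))
        elif stored[0] in "!*":
            continue  # locked account, no usable password
        else:
            for prefix, name in WEAK_SCHEMES.items():
                if stored.startswith(prefix):
                    findings.append((user, "weak hash scheme: " + name))
    return findings

if __name__ == "__main__":
    print(audit(PASSWD, SHADOW))
```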

Carson's vulnerability assessment and penetration testing involve network security scans performed with the SAINT® vulnerability assessment and penetration testing tools, or with tools selected by the organization.

The following steps outline Carson Associates' baseline vulnerability assessment approach. Carson Associates staff will perform all of these steps.

Assessment Setup Step–Carson Associates will meet with the organization's network personnel to obtain an overall picture of the computer network. Carson Associates will verify the IP addresses and phone numbers to be included in the penetration test, coordinate a testing schedule, and identify any other areas of concern that should be included in the testing.

Network Scan Step–This step uses a variety of security assessment tools to identify software and configuration vulnerabilities available to an external hacker. If the organization's network is protected by a firewall, an internal scan should also be applied, as the system may be vulnerable to an internal attack. This scan will include:

  • Live host scan (using ping, fping) - The results of this scan will be presented to the organization so that critical machines may be excluded from further scanning/penetration tests.
  • Active network services scan (using nmap, ncat)
  • Vulnerability scan (using SAINT™)

Penetration Testing–Using data collected during the scanning step, Carson Associates will identify specific software and configuration weaknesses. Unless otherwise directed by the organization, these tests should be non-disruptive and will include (but are not limited to):

  • By-hand penetration attempts using the latest hacker exploits (successful attempts typically result in gaining root access to the machine)
  • Brute force password cracking (often as high as 25% success rate for larger organizations)
  • Scans for vulnerable Web applications (finds hidden programs that compromise a web server's security)
  • Utilization of trust relationships (determines how one compromised machine may affect the others on the network).

Remote-access Assessment–Telephone hacking tools (e.g., ToneLoc, a war dialer) will be used to identify vulnerabilities in the personal and remote-office dial-in infrastructure.

Web Infrastructure Configuration Review–The results from the penetration tests will be used in conjunction with known Web server configuration vulnerabilities to identify areas that may make the Web servers more vulnerable to an external attack (e.g., Common Gateway Interface (CGI) scripts, incorrect permissions, needed software patches, etc.).

Comprehensive Policy and Procedure Review–Security policies and procedures will be reviewed with concentration on relevant federal security standards appropriate for the organization. Key personnel will be interviewed to identify operational security procedures and to assign weights to various threats.

Infrastructure and Configuration Review–The organization's network topology and the configuration of a representative portion of the organization's computers will be reviewed. These computers will be identified from the external and internal network scans; however, the organization will make the final decision as to which computers will be included in the configuration review.

 

©Richard S. Carson & Associates, Inc. All Rights Reserved.