varnost_velika

Security Assessment Print

Security auditing and penetration testing clearly determine the security level of an information system with the assessment of implemented security policy and its effectiveness, thus identifying the fields that need to be improved and exposing discrepancies between the security policy and actual situation.


 

The results of security auditing penetration testing are:

  • Lower, or no business loss after a potential security incident
  • Information about information systems security level
  • Information about areas that need additional security measures according to security policy and standard ISO/IEC 27001:2005
  • Less threats and lower vulnerability of information systems

 

Our advantage is an experienced security team, focusing exclusively on information security projects, with years of experience and many internationally recognized certificates (SANS - Network Penetration Testing and Ethical Hacking, GIAC - Penetration Tester – GPEN, SANS – GIAC Certified Incident Handler – GCIH, SANS – GIAC Stay Sharp: Defeating Rogue Acess Points).


Read more


Security Auditing and Penetration Testing Answer the Following Questions:

  • Are we using adequate security measures?
  • Are our services (Internet applications, etc.) safe?
  • Do our firewalls have an appropriate security policy?
  • Are our systems properly installed and properly protected?
  • Does our security policy meet all legal requirements?
  • Why and where is it necessary to spend even more money on improving the security of our information system?

 

Types of Security Assessment


With external security assessment, the level of information system security is assessed with tools, commonly used by hackers. The target systems are:

  • Web servers and web business applications
  • Mail servers
  • Firewalls
  • Intrusion detection and prevention systems
  • Other publicly available services of the company

 

The purpose of the internal security assessment is to assess security and vulnerability level in internal network. The main points of interest are:

  • Checking the internal network security with the simulation of internal hacker
  • Security assessment of information system design
  • Assessment of servers and network devices security configuration
  • Checking firewalls and IDS/IPS systems security policy
  • Business applications security assessment

 

With forensic analysis after intrusion, the perpetrator, causes and manner of a security incident are identified, business loss is estimated, and consequences eliminated. Evidence for court trial is collected.

 

Errors in the source code are the most frequent intrusion type, and represent the cause for the majority of all unauthorized accesses; therefore the security assessment of source code is of utmost importance, and includes:

  • Source code auditing with professional software
  • Manual source code auditing and vulnerability review
  • Comprehensive report on vulnerabilities
  • Detailed technical recommendations for vulnerability elimination

 

And what is the most important – the source is not taken out of your organization!

Our Methodology

The security auditing and penetration testing methodology, used in Astec d. o. o., is based on acknowledged recommendations of OSSTMM (OpenSource Security Testing Methodology Manual) and OWASP (Open Web Application Security Project), and complemented with PCI DSS and ISO/IEC 27001:2005 requirements for auditing mechanisms and test processes.