Security Assessment

SECURITY ASSESSMENT. Test and check activities must fill the gap between a state-of-the-art design and the system operative reality. Those activities are also very important to improve the company security position. A complete and effective test and check program integrated into the operative management routine of system and application network allows the user to avoid security incidents. On the other hand, a remediation activity after an adverse event has occurred can be a non-effective effort and cost a lot in terms of money and image. The policies defined by the company have a “baseline” function to be used as a reference to evaluate if the security requirements and position emerged from the operative practice are correct. Testing activities should therefore be fully integrated in the company Risk Management practices. However, it would be limiting to use a model which only uses a “Penetrate&Patch” approach: the evolution of software vulnerability has contributed to highlight its incompleteness and non-effectiveness, therefore the installation of patches without analyzing the problem causes in detail is not considered as a strategic solution for security issues. In this context, it is very important to setup a correct management of the risks associated to the company IT system. Such a management cannot be effective without cyclic checking activities. These activities must have a complete range of action including: people, who must be adequately trained and aware; processes reflecting policies and procedures in line with the company requirements; technologies which help to implement processes effectively. Test activities are not limited to mere technological aspects, they also must be enabled to detect operational and organizational vulnerabilities that could result into a non-correct security position.

Another very important aspect is the methodology used to execute tests and evaluate results. For its checking activities, Communication Valley uses the OSSTMM and OWASP methodologies which are universally acknowledged and used as a reference point for the execution of complete, accurate, verifiable and repeatable tests.
In order to adapt to multiple requirements, the Security Assessment activity is composed of the following modules.

  • Network & Service Discovery. Network&Service Discovery activities are introductory to the successive Vulnerability Assessment and Penetration Test stages. They are aimed at collecting as many information as possible on tested applications and systems and on their owners and managers.
  • Network Vulnerability Assessment. This activity is aimed at identifying all the vulnerabilities of the tested systems mainly by using automatic scanning tools. The use of automatic tools allows for the check of many systems within a limited period of time.
  • Penetration Test. This activity is aimed at exploiting the vulnerabilities in the systems in order to jeopardize the integrity, confidentiality and availability of information and services: its ultimate aim is that of determining the feasibility degree of an attack and to check its impact in case it is successfully carried out.
  • Web Application Test. The application security should be guaranteed mainly through a strict software design stage. Unfortunately, many development processes do not imply a standard test stage for security issues before the applications are released. The consequence is that many security issues are identified when the software has already been released into production, so that the process is non-effective and often very expensive in terms of structural remediation implementation. This activity is aimed at detecting and suggesting the changes to be adopted for software development in software engineering.
  • Wireless Assessment. The extension of the traditional network infrastructure through a wireless component has some advantages such as higher portability and flexibility and a saving on wiring costs for a wide range of portable devices (laptops, PDAs and mobile phones) with possible connections using both Wi-Fi and Bluetooth technologies. Wireless networks are subject to the same vulnerabilities as wired ones; however, in the case of wireless networks the signal cannot be limited within a physical medium such as the cable and therefore some specific vulnerabilities are to be taken into consideration. Specific test activities can be used to highlight a series of vulnerabilities:
  • VoIP Assessment. VoIP can be considered as one of many applications which use the data network; however, security issues must take into consideration the particular impact it has on the company business. Therefore, a correct evaluation of all possible risks is very important. The main threats are: Denial of Service, tapping, protocol vulnerability, unauthorized access, Vishing, Spit. Communication Valley operates to detect any vulnerability and suggest corrective actions.
  • Telephone Assessment. This activity is aimed at identifying the possible security breaches generated by the interconnection between traditional telephone networks and data networks through the identification of possible internal and external attacks and abuses. Many of these problems are due to the difficulty of controlling authorized and unauthorized modem use.

The Fraud Management service of Communication Valley is based on a technological infrastructure dedicated to:

  • Continuous monitoring -H24x365dd- of a wide range of data to find clues for phishing actions, data obtained from distributed honeypots, email, newsgroups, spam, referrers and registration areas;
  • Collection of information concerning the registration of new domains and/or the monitoring of existing domain status with the aim of preventing the use of registered (or expired) domains or domains similar to the brand to be protected from ill-intentioned users;
  • Collection and analysis of the actions of spiders launched on the web to search for new Internet pages that use some specific brands in order to identify their illegal (or legal) uses;
  • Constant monitoring of any change to authority DNSs for specific Internet domains in order to promptly identify any pharming activity.
  • Constant watching of networks and providers of malicious sites (watch-list);
  • Management of the activities towards providers, organizations and bodies (ex. CERT) to obtain the closing of clone sites. In particular, for financial institutions, Communication Valley has created the Transaction Monitoring module, a tool used to clearly monitor online activities (both for login and post-login) and to identify high risk actions by signaling the adequate countermeasures to the customer. With reference to Home Banking, different transaction typologies are supported: session logging, money transfer, profile change, operations on securities, card recharges and checks on specific bank web applications.

Why us?

Test and check activities must fill the gap between a state-of-the-art design and the system operative reality. Those activities are also very important to improve the company security position.