Security

Announcing TMG’s new service as part of our Executive, Architecture and Technical Services (EATS) Practice. TMG has partnered with Kustodian to deliver penetration testing services. This is a comprehensive service which covers:

  1. External Penetration Testing
  2. Internal Penetration Testing
  3. Social Engineering
  4. Remediation

Why Undertake Penetration Testing?

All organisations with external connections, whether internal systems accessed remotely by staff or internet-facing customer products, should test their systems at least annually as part of ongoing due diligence. It demonstrates to customers and to management within your organisation that security is taken seriously and, more often than not, it can be a point of difference.

Genuine attempts to mitigate the risk of your systems being sabotaged by Trojans or thieves are seen as proactive. They demonstrate to your clients and staff that compromising security is not tolerated, and leading by example influences people’s behaviour and increases awareness about security.

The tests that we offer are not restricted to technology. Social testing is also undertaken, where we attempt to enter your workplace to see how easy it is to gain access to assets and systems.

Why Kustodian?

We only partner with the best people and organisations in their field, and when it comes to penetration testing, Kustodian are the best in the business. They train testers for the Big 5 accounting firms in Australia, the US and Australian military, the Australian Federal and State Police, the Air Force, and system security staff in the banking sector.

External Penetration Testing

This is the traditional "hacking", where all your external devices are tested for vulnerabilities, including servers, routers, firewalls, wireless and modems. Attempts are made to penetrate your network, and all findings are delivered in a comprehensive report so you can rectify them.

This exercise is similar to, but more sophisticated than, the approach an experienced hacker would use to penetrate your network. Results are presented in a user-friendly, comprehensive report with recommendations on how to address the issues. Videos of the attacks are also provided for a quick understanding of each attack. This may include, but is not limited to:

  • Firewall Configuration
  • Router Configuration
  • Web Server
  • Wireless Configuration
  • Unauthorised Modems
  • IPS/IDS positioning
  • Application Servers
  • HSM Placement

As part of external network testing, the following are just some of the tests that are undertaken:

Network Discovery - gather externally accessible information about the physical network structure and identify available network services.

Vulnerability Identification - conduct vulnerability assessment activities with open source tools and our proprietary vulnerability database in order to identify potential vulnerabilities.

Exploitation Testing - confirm vulnerabilities using exploit code.

WEB APPLICATION SECURITY ASSESSMENT covers the following:

Information Gathering - To determine the sort of information that can be gathered from the web application in relation to the perimeter network or application.

Administrative Interfaces - To determine the extent of any administrative interfaces used and whether or not they are secure.

Authentication and Access Control - To determine the adequacy of the authentication and access control configurations.

Input Validation - To determine whether the web application can be manipulated by inserting invalid input in order to extract sensitive information or perform unauthorised functions.

Parameter Manipulation - To determine whether parameters in the web application can be manipulated to extract sensitive information or perform unauthorised functions.

Session Management - To identify the session management mechanism used and to determine any security control weaknesses.

Business Logic - To determine whether business logic controls (e.g. preventing access to other account holders’ data) can be bypassed.

VPN, EMAIL AND CUSTOMER PORTAL ASSESSMENT covers the following:

VPN Testing – Attempt to compromise the VPN systems.

Email Testing – Attempt to compromise the email systems.

Customer Portal Assessment – Attempt to compromise customer-determined portals.

WIRELESS AND PABX MODEM SECURITY ASSESSMENT covers the following:

Wireless Exploitation Testing – Attempt to compromise the wireless infrastructure without prior knowledge of the systems in place.

PABX Exploitation Testing – Attempt to compromise the PABX systems including voicemail and call forwarding.

Modem Exploitation Testing – Attempt to compromise any modems in place at Metlink that connect to the outside world.


Internal Penetration Testing

Internal vulnerability testing is performed from within the organisation's technology environment. This test mimics an attack on the internal network by a disgruntled employee or an authorised visitor with standard access privileges. The focus is to understand what could happen if the network perimeter were successfully penetrated, or what an authorised user could do to reach specific information resources within the organisation's network. It is a good opportunity for management to gauge the current internal security controls and the supporting policies and procedures. The tests confirm whether servers and applications are being patched, whether users are selecting strong passwords as required by policy, whether wireless networks are secure, and whether network controls have been implemented to detect internal unauthorised attacks.

Results are presented in a user-friendly, comprehensive report with recommendations on how to address the issues. Videos of the attacks are also provided for a quick understanding of each attack. This may include, but is not limited to:

  • Routers and Switches
  • Database Servers
  • Solaris Servers
  • Microsoft Windows Servers
  • Active Directory
  • Wireless Hacking
  • Application and File Servers
  • Personal Computers

Social Engineering

Social engineering is the technique of circumventing technological and physical security measures by manipulating people into disclosing crucial authentication information.
Many companies regularly review and challenge the security of their public-facing Internet presence. However, when technical controls are strong, criminal hackers use social engineering skills to gain access to a well-fortified network, relying on human weaknesses instead.
A social engineering exercise is undertaken to identify any weaknesses in staff training or in physical security. The goal is for someone external to gather information about the company, its staff and its internal processes using the art of deception.
This approach ensures your company has implemented not only technical controls to protect itself from outside threats, but also administrative and training policies and procedures.
Attempts are made to gain physical access to your company by getting past security, proximity card readers, receptionists and other staff members. For example, we can sit in a corporate office for an entire week, blending in with the other staff and hacking the network from the inside.

Remediation

TMG is able to assist in resolving the actions arising from the report. We have security experts who will remediate any vulnerabilities, whether they are technical or process related. Depending on the extent of the remediation required, services include:

  • Developing architecture and design specifications
  • Implementing the recommendations in the report
  • Evaluating products and solutions that will best meet your needs
  • Ongoing security checks

If you would like to know more about this service, please contact us at info@tmg100.com or call us on 1300 772 992

