
Interchange - Security External Vulnerability

The potential for intruders to gain unauthorised access to systems via an organisation's Internet gateway poses a very real threat.  This is often coupled with embarrassing media attention.  Whilst there are a variety of ways in which ‘black hat’ attacks from the Internet are launched to breach the defences of even a hardened firewall system, the reality is that many networks unwittingly advertise clues about themselves, which can be exploited by hackers.

It is common for unnecessary network services to be enabled on the gateway, for example, allowing Telnet sessions to be made to networking devices and/or hosts, thereby allowing a ‘foot in the door’. Reconnaissance of an identified network is the first step in any hack attempt. In order to penetrate systems, hackers gather as much information about their ‘target’ as possible in advance. The truth is that this is not as hard as it could be: we inadvertently disclose a lot of information about our networks onto the Internet.

If a hacker cannot gain information about a network or cannot identify a soft target, he will move on to another target, unless the value of the information on the network makes it worth spending time and resources to break into the system. Using time and resources inevitably means that the attacks and probes will become “louder”, giving the company a better chance of identifying the hack attempts.

Interchange systematically investigates a customer’s network from an offsite Internet connection in much the same way as a hacker would, except that this is a non-disruptive test. Interchange engineers keep up to date with the latest exploits, hacking methodologies, and hacking tools, which, in a controlled situation, can be utilised constructively to expose holes and bugs in versions of the customer’s operating and applications software.

The External Vulnerability Scan has three options available:

Silver Service:

  • The client will provide Interchange with the IP addresses that are to be assessed.
  • Three IP addresses are included in the service offering.
  • A commercial scanning tool will be used on the provided IP addresses.
  • The resulting report will be provided to the customer. It will contain identified vulnerabilities in the:
    • Hardware
    • Operating System
    • Application

Consideration will be given to any other identified security concerns.

Gold Service:

The Gold Service offering is as Silver but with the following additions:

  • Public DNS records will be examined to identify any potential risks.
  • The tools used in the engagement will also include non-commercial tools and command-line testing to ensure the accuracy, comprehensiveness and validity of the test and results.
  • Interchange will inspect the source code of the client’s website for any reference to internal IP addresses or information that could be exploited.
  • Nine IP addresses are included in the service offering.

The report will also include recommendations, with actions to remedy identified vulnerabilities.

Platinum Service:

The Platinum Service offering is as Gold but with the following additions:

  • Mail Servers will be identified and tested for vulnerabilities.
  • The report will also include recommended countermeasures to address security issues as well as providing the management and technical recommendations required to correct security concerns.
  • The assessment can be conducted after hours if there is concern from clients or users.
  • Password testing using password grinders and dictionary tools.
  • PABX and RAS vulnerability assessment included.
  • Twenty-five IP addresses are included in the service offering.

A Review Test is performed after six months but no later than 12 months after the original test.

Optional extras:

Optional additional services are also available upon request to address a broad spectrum of requirements:

  • PABX and RAS vulnerability assessment.
  • “Live” denial-of-service attacks can be conducted at the client’s request.
  • Extra IP addresses may be tested.
  • Quarterly “subscription” testing of systems to ensure continued and maintained security levels.

Copyright © 2011 Interchange - All Rights Reserved
