We are a Managed Service Provider
  Vulnerability Assessment & Penetration Testing (VAPT) Services
 


Vulnerabilities in IT systems can be considered as holes or errors. These may be due to improper system design, improper coding, or both. When a vulnerability is exploited, it results in a ‘Security Violation’ or an ‘Impact’. Denial of Service and Privilege Escalation are examples of Impacts.


Risk Categorization

Vulnerabilities are either exploitable locally or remotely. The table below gives the Risk categorization based on the type of Exploitation and Access:

 

Exploitation          | Access                 | Category
Remotely Exploitable  | Administrative Access  | Extremely High
Remotely Exploitable  | User Access            | High
Locally Exploitable   | Administrative Access  | Very High
Locally Exploitable   | User Access            | Medium


 

 


Generally, IT vulnerabilities are distributed as follows:

  1. 85% in Application Software
  2. 8% in Operating Systems
  3. 7% in Devices

Vulnerability Assessment

Vulnerability Identification is a process in which IT systems are scanned for known and unknown vulnerabilities by using proper tools called Vulnerability Scanners.

The identified vulnerabilities are analyzed for severity based on the criticality of the system. This process is called Vulnerability Analysis.

Aureole’s Vulnerability Assessment service is based on ISO 27001 (Global IT Security standard) requirements:


Identify the Risks

  • Identify the Assets within the scope of ISMS.
  • Identify the Threats to these assets.
  • Identify the Vulnerabilities that might be exploited by the threats.
  • Identify the Impacts that losses of confidentiality, integrity and availability may have on the assets.


Assess the Risks

  • Assess the business harm that might result from security failure.
  • Assess the realistic likelihood of such Security Failure occurring in the light of Prevailing Threats and Vulnerabilities and impacts associated with these assets.

The outcomes of the Vulnerability Assessment service are:

  • A set of comprehensive reports comprising a Technical Report and a Management Report.
  • Review of the test results is conducted between the client and an Aureole security analyst, which provides a review of enterprise network vulnerabilities and outlines potential actions to close identified threat exposures.

Penetration Testing

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, commonly known as a hacker. It is also known as Ethical Hacking. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.

Penetration tests can be conducted in several ways. However, there are two testing methodologies that are generally used – Black Box Testing and White Box Testing. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, White box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code and IP addressing information.


Need for Penetration Testing

From a business perspective, penetration testing helps safeguard your organization against failure through:

  • Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
  • Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
  • Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

  • Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.


Aureole’s Penetration Testing Services

Our services are based on various industry standards and guidelines provided by organizations like:

  • ISO 27001
  • The Payment Card Industry (PCI)
  • Information Systems Audit and Control Association (ISACA)
  • The Open Source Security Testing Methodology Manual (OSSTMM)
  • The Open Web Application Security Project (OWASP)

After testing and analysis, we provide to the client:

  • A comprehensive report
  • A briefing to the client’s team giving them a list of vulnerabilities to address, the business risks and possible recommended solutions

 


Developed by Aureole Infotech Pvt. Ltd.