20.05.2012 - 16:20

Security Audit / Pentest

The goal of a Security Audit or Pentest is the systematic search for weaknesses in networks, hosts or programs, together with proposals for eliminating the problems that arise from them. During that task, we check all common hardware and software platforms. It is important to mention that a security check can only describe the current state of security. For that reason, a yearly security check is recommended. The main difference between a security audit and a pentest is the level of detail and the manner in which the attacks are actually conducted: during a pentest, additional, more complex techniques are used, such as cross-site scripting (XSS), SQL injection, fuzzing and brute-force attacks, as well as exploits (possibly self-programmed) that target classic weaknesses in software.

Description

An audit is an activity that (normally from a remote location) checks the current state of IT security, particularly with regard to completeness and possibilities for improvement. This method gives a fairly good indication of possible attack vectors. The result is a detailed audit report with a catalog of countermeasures. The key element of the pentest is conducting realistically simulated attacks on IT infrastructure such as servers, workstations, switches, printers, webcams, telephone systems or other hardware connected to the network. If weaknesses are found that can be mitigated with patches, the patch URLs are listed in the PatchGuide. If not, recommendations are given for at least limiting the impact. Additionally, all security devices already in place can be tested under very realistic circumstances.

Types

Blackbox

A blackbox test is conducted without knowledge of credentials or of the inner structure, layout and procedures of the target hosts. It is conducted remotely by targeting the defined IP addresses, often by multiple NetworkSEC technicians to increase efficiency and reduce the overall time.

Greybox

A greybox test is a mixture of a blackbox and a whitebox test, in which partial knowledge of credentials and the inner workings is available. This is often the case when a normal user account is given to the pentester to check for the possibility of privilege escalation, e.g. becoming root on the target.

Whitebox

A whitebox test is in most cases the classical, internally conducted security audit, which covers a whole host range. The time needed for a whitebox test is in most cases far less than that of a blackbox or greybox test because the auditor does not have to work their way up the ladder.

Features