What is a Security Assessment?
A security assessment is a process for assessing the security risk level of systems (e.g. standalone, web and mobile applications) and infrastructure (e.g. web and database servers, network devices) within the project scope. At the end of the process, clients receive an assessment report that identifies the risks currently present in the network and related IT systems. Clients can then follow the assessors' recommendations to close the security loopholes and secure their information systems.

According to the OWASP Top 10 Project, many websites and mobile apps connected to the internet carry varying levels of security risk. Severe risks such as Injection, Broken Authentication and Sensitive Data Exposure, which can lead to system compromise and disclosure of customer information, remain the most commonly identified vulnerabilities. A security assessment helps clients avoid such incidents.
Do I need a Security Assessment?
Generally speaking, everyone with a computer or mobile phone connected to the internet should be concerned about its security, especially nowadays when security incidents occur so often. More specifically, the question is how much impact there would be if an information system (e.g. a website or mobile app) were hacked and all of its information leaked or stolen. In our experience, information systems meeting more of the criteria below are considered more critical:
  • Accessible from the internet
  • Containing a login module
  • Accepting registration from internet users
  • Storing users' personal information, e.g. name, address, phone number, payment information, etc.
  • Integrated with internal infrastructure and handling company confidential information
  • Popular, with a large number of accesses
Strengths of labo00
With CREST and Offensive Security certifications, along with project experience across different business sectors, we can provide professional security assessment services that best suit our clients' needs and expectations.

Besides, we are also developers with know-how in building websites and various applications. We can communicate with programmers in their own language and think from their perspective. This makes our recommendations more practical and efficient to implement, saving time and effort while reducing the potential impact on current systems.
Types of Assessment
To fulfil different needs and objectives, the security industry offers different types of assessment. Below are the basic services we currently provide, with brief descriptions. We also offer tailor-made customization to best fit our customers' needs.

Internal Vulnerability Assessment
This is usually performed within the internal infrastructure and office network using automated scanning tools to identify security risks such as misconfigurations and missing patches. It gives company IT staff the whole picture so they can follow up before any security incident breaks out, e.g. the widespread WannaCry ransomware outbreak in May 2017.

External/Internal Security Assessment
This is the most common assessment type requested by our customers. Assessors act as a hacker attempting to break into the target websites or mobile applications from the internet (External) or from the customer's network (Internal) to identify any security loopholes that could damage the customer's infrastructure or reputation. IT staff and developers can then follow our recommendations to close the loopholes immediately.

Phishing Attack
Email phishing is now a very common means of attack that can lead to direct financial loss and internal network breaches. In this assessment we work with the customer's IT staff to deliver a simulated phishing attack against company staff. The results are then discussed with the management team for education and awareness training purposes.

Simulated Attack Assessment (Red teaming)
This is an advanced assessment that aims to achieve a defined objective (e.g. compromise the network, gain access to critical information, disrupt the database, etc.) by all possible means. It is the most time-consuming and intrusive assessment, but at the same time the most advanced, revealing the actual security status of the customer's information systems. Be aware that real-world hackers will attack their targets by all means available.
Workflow of an Assessment
For different types of assessment, the workflow may differ slightly. Below is our standard flow for an assessment project. Usually the steps from Assessment Request (Step 1) to Release of Assessment Report (Step 5) are completed within one month.
1. Assessment Request from Customer
2. Discuss Scope, Schedule, Details and Price with Customer
3. Assessment Plan Sign-off by Customer
4. Conduct Assessment
5. Report Submission and Presentation
6. Customer's IT Staff and Developers Follow-up
7. Conduct Verification
8. Verification Report Submission
9. Project Complete