Information Security
Security Audit
A security audit assesses the overall security of the customer's network. It gives an in-depth understanding of the network from a security perspective and helps the customer identify loopholes in design, implementation and day-to-day practice.
Study
A detailed study of the network is undertaken. All components, including servers, networking devices, firewalls and intrusion detection systems, are mapped.
Architect
Depending on the network architecture and the operating systems and applications present, a detailed preliminary survey questionnaire is prepared. It is designed to capture every detail of each server or network object that is needed to assess the security risk it presents.
Deploy
Data is collected using the pre-defined questionnaires and used to analyse the applications and services running on each system. Each application is examined in detail to identify weaknesses, from design and implementation flaws to missing patches. Operating system testing covers the current patch level and a review of the access control, audit and disaster recovery policies. The firewall and IDS are audited to establish whether a skilled attacker could evade them and reach the internal network. Social engineering attacks test the practices and procedures users follow to safeguard sensitive network information.
Entrust
A detailed report documents every vulnerability found. For each vulnerability the report gives a brief description, the known exploits against it, the level of skill required to run them and the remedy. Recommendations are made for long-term initiatives, in products and practices, to keep the network secure.
Penetration Testing
Penetration testing analyses the vulnerabilities of a system or network remotely. It gives the customer an attacker's view of the system and identifies security holes that a remote attacker could exploit to compromise the network. Industry-standard remote vulnerability assessment tools, combined with custom-developed in-house tools, simulate a range of attacks.
Study
The functional features of the target are studied as groundwork: the attack team needs to understand what is valuable and what is not.
Architect
Depending on the type of network and the operating systems in the environment, the tools to be used are selected. These include standard tools such as CyberCop Scanner, ISS Internet Scanner and Whisker, together with custom tools developed by Paladion security engineers.
Deploy
The network administrator is notified of the time at which the penetration test will be carried out. At the agreed time the test is run using the selected tools and techniques. Beyond the tools, manual procedures are used to expose application-specific vulnerabilities such as weak encryption and insecure coding practices. Brute-force password cracking tools are run against weak network passwords, and the network is tested for susceptibility to DoS attacks.
Custom-built stealth scanning tools are used to expose flaws in the content and ordering of the firewall rulebase.
Entrust
The vulnerabilities discovered are presented in a detailed report. For each vulnerability the report gives a brief description, the known exploits against it, the level of skill required to run them and the remedy. Recommendations are made for long-term initiatives, in products and practices, to keep the network secure.
Server Hardening
Server hardening is the first line of defence against intrusion. The process ensures that all non-essential services are shut down and a strict access control policy is in place, and applies all relevant security updates so that the system is protected against known vulnerabilities for which fixes exist.
Study
The server is studied using a combination of port scanning tools and operating system commands. Together these give a true picture of the applications and services running on the system and the ports they require. The access control and audit policies are analysed.
Architect
An access control policy is designed in consultation with the customer so that users are granted access to resources on a need-to-know basis, and all access to sensitive directories is audited. A password policy is designed to discourage easily guessable passwords. Application configurations are tuned to reduce exposure to known attacks such as buffer overflows and DoS. The patch levels of the operating system and all applications are compared with the latest releases from the respective vendors.
Deploy
Any active service or process the system does not require is stopped and disabled. The revised access control, password and audit policies are enforced, and the configuration changes needed to protect the OS and applications from known threats are made. The latest security patches and hotfixes are applied. The servers are then restarted and their logs examined to confirm that functionality and performance have not been affected by the changes.
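The study and deploy steps above come down to one concrete check: which sockets are listening, which process owns each, and which of those the customer actually needs. The script below is an added example, not Paladion's own tooling. It parses output in the format of the Linux `ss -ltnp` command; the sample output, the allowlist and the process-to-unit map are constructed for illustration and are not from any real host.

```python
"""Listening-service review for server hardening.

Added example, not Paladion's own tooling. It parses output in the format of the
Linux `ss -ltnp` command; the sample output, the allowlist and the unit-name map
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output (hypothetical host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1204,fd=6))
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=640,fd=4))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1339,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1401,fd=20))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical allowlist agreed with the customer: (port, process) pairs that must stay.
ALLOWED = {(22, "sshd"), (80, "nginx"), (3306, "mysqld")}

# Hypothetical map from process name to the systemd units that start it.
UNIT_MAP = {"rpcbind": "rpcbind.socket rpcbind.service", "vsftpd": "vsftpd.service"}

LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int

    def is_loopback(self):
        return self.address.startswith("127.") or self.address == "[::1]"


def parse_ss(text):
    """Parse LISTEN lines from `ss -ltnp` output into Listener records."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return listeners


def find_unexpected(listeners, allowed=ALLOWED):
    """(port, process) pairs that are listening but not on the allowlist, by port."""
    return sorted({(l.port, l.process) for l in listeners if (l.port, l.process) not in allowed})


def externally_reachable(listeners):
    """(port, process) pairs bound beyond loopback; these are the real attack surface."""
    return sorted({(l.port, l.process) for l in listeners if not l.is_loopback()})


def remediation_commands(unexpected, unit_map=UNIT_MAP):
    """Commands for the administrator to review; nothing is executed here."""
    return [f"systemctl disable --now {unit_map.get(proc, proc + '.service')}"
            for _port, proc in unexpected]


if __name__ == "__main__":
    listeners = parse_ss(SAMPLE_SS_OUTPUT)
    unexpected = find_unexpected(listeners)
    print("exposed beyond loopback:", externally_reachable(listeners))
    print("not on allowlist:", unexpected)
    for cmd in remediation_commands(unexpected):
        print(cmd)
```

The allowlist is keyed on the (port, process) pair rather than the port alone, so a service that has been quietly moved to a different port, or a different program that has taken over an expected port, is still reported. The generated commands are printed for review, not run: disabling a service the customer depends on is the commonest way a hardening exercise causes an outage, which is why the text has the servers restarted and the logs checked afterwards.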
Entrust
A comprehensive document describing every hardening step taken is presented to the customer. Paladion trains the system administrators in the practices needed to keep the servers secure, including applying security patches and monitoring the security logs to identify possible breaches and policy violations.
Firewall
A firewall is a system or group of systems that enforces an access control policy between two networks. How this is accomplished varies widely, but in principle a firewall can be thought of as a pair of mechanisms: one that blocks traffic and one that permits it. The most important thing to recognise about a firewall is that it implements an access control policy.
Study
A detailed network study is undertaken. The servers and applications the firewall will protect are analysed. Additional OPSEC-compliant products to meet specific customer needs, such as anti-virus checking and URL filtering, are considered at this stage.
Architect
The access control policy is designed. The number of firewalls required to guard the network, and their locations, are decided. The ports used by services on the protected servers are identified and the access control policy is translated into firewall rules. User and service groups are defined to simplify rulebase administration. The types of traffic to be monitored and the logging required for each service are decided. Because a firewall applies the first rule that matches a connection, the rulebase is ordered so that specific rules precede broader ones (a broad permit placed above a narrower deny silently disables the deny) and, within that constraint, frequently matched rules come early for performance.
Deploy
The firewall is installed and the rulebase configured. The rulebase is then tested to confirm that it permits exactly the intended traffic and nothing else.
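Rule ordering is where translated policy most often goes wrong, and it is also what the penetration test's rulebase probes are looking for. The script below is an added example, not Paladion's tooling and not any vendor's rule syntax: it evaluates a rulebase with first-match semantics and then finds rules that can never fire because an earlier rule already covers all their traffic. The Rule format, the sample rulebase and the addresses are constructed for illustration; only IPv4 is handled.

```python
"""First-match rulebase evaluation and shadowed-rule detection.

Added example, not Paladion's tooling or any vendor's syntax. The Rule format and
the sample rulebase are constructed; IPv4 only.
"""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    proto: str          # "tcp", "udp" or "any"
    dport: tuple        # inclusive (low, high) destination port range
    action: str         # "accept" or "drop"


def net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr)


def matches(rule, src_ip, dst_ip, proto, dport):
    """Does this rule match the given connection?"""
    return (ipaddress.ip_address(src_ip) in net(rule.src)
            and ipaddress.ip_address(dst_ip) in net(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport[0] <= dport <= rule.dport[1])


def evaluate(rules, src_ip, dst_ip, proto, dport, default="drop"):
    """First-match semantics: the first rule that matches decides the verdict."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return default, "default-policy"


def covers(earlier, later):
    """True if every connection that matches `later` also matches `earlier`."""
    return (net(later.src).subnet_of(net(earlier.src))
            and net(later.dst).subnet_of(net(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.dport[0] <= later.dport[0]
            and later.dport[1] <= earlier.dport[1])


def shadowed(rules):
    """Rules that can never fire because an earlier rule covers all their traffic.

    Returns (shadowed rule, shadowing rule, kind): "conflict" when the actions differ
    (a hole or an outage) and "redundant" when they agree (a dead rule).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed rulebase with a classic ordering mistake: a broad permit to the DMZ
# sits above the specific deny and the narrowly scoped admin rule.
RULES = [
    Rule("web-in", "any", "10.0.1.0/24", "tcp", (80, 80), "accept"),
    Rule("dmz-any", "any", "10.0.1.0/24", "any", ANY_PORT, "accept"),
    Rule("block-telnet", "any", "10.0.1.0/24", "tcp", (23, 23), "drop"),
    Rule("admin-ssh", "10.0.9.0/24", "10.0.1.0/24", "tcp", (22, 22), "accept"),
    Rule("cleanup", "any", "any", "any", ANY_PORT, "drop"),
]

# The same rules with the specific ones moved above the broad permit.
FIXED_RULES = [RULES[0], RULES[2], RULES[3], RULES[1], RULES[4]]

if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.5", "10.0.1.10", "tcp", 23))        # ('accept', 'dmz-any')
    print(shadowed(RULES))
    print(evaluate(FIXED_RULES, "203.0.113.5", "10.0.1.10", "tcp", 23))  # ('drop', 'block-telnet')
    print(shadowed(FIXED_RULES))                                         # []
```

Reordering closes the telnet hole, but it does not fix the content problem: with `dmz-any` still present, SSH from the whole Internet is accepted by that rule, and shadow analysis cannot flag it because nothing is dead. Shadow checks find rules that never fire; over-broad rules that do fire have to be found by reading the permits against the policy, which is why the text has ports identified per service before the policy is translated into rules.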
Entrust
Paladion trains the system administrators in firewall administration, including rulebase modification, maintenance and regular health checks of the firewall. The customer is also trained in retrieving, managing and analysing the firewall logs.
Intrusion Detection
Intrusion detection attempts to identify and isolate unauthorised use or misuse of a computer system. Intrusion detection systems (IDS) monitor network activity, alert on intrusions and record the relevant information for further analysis. They rely on built-in attack signatures: when monitored traffic matches a signature, a predefined action is taken, which can be an email alert, an SNMP trap or even dynamic reconfiguration of a firewall rulebase.
Study
A detailed study of the customer network is carried out in this phase. Network segments are classified according to their criticality, and potential threats are identified. Details of operating systems and applications in the environment are captured.
Architect
The IDS is designed in this phase: the number of sensors, analysis components and management stations required, and their placement in the network. Each sensor is mapped to the attack signatures it will monitor. Capacity planning for the IDS is also carried out at this time.
Deploy
Management stations, analysis components and sensors are deployed at the designated points in the network. The relevant attack signatures are enabled on each sensor. Alerts are configured, and penetration tests are run to verify that the IDS components detect and report as intended.
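The signature-to-action mechanism the Intrusion Detection section describes, and the kind of traffic the verification tests send through it, can be shown end to end in a few dozen lines. The script below is an added example, not Paladion's or any vendor's sensor code: signatures with a protocol and port precondition and a byte pattern, a simple port-sweep heuristic, and a dispatcher that turns each match into the log line, alert or firewall change the text lists. The signatures, packet records, addresses and response strings are all constructed for illustration.

```python
"""Signature matching and response dispatch, as a minimal network IDS sensor.

Added example, not Paladion's or any vendor's code. The signatures, the packet
records and the response strings are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed signatures: each has a protocol/port precondition, a byte pattern
# and the action taken on a match (log, alert, or a firewall rule push).
SIGNATURES = [
    {"sid": 1001, "name": "HTTP directory traversal", "proto": "tcp", "dport": 80,
     "pattern": re.compile(rb"\.\./\.\./"), "action": "alert"},
    {"sid": 1002, "name": "HTTP request for /etc/passwd", "proto": "tcp", "dport": 80,
     "pattern": re.compile(rb"/etc/passwd"), "action": "block"},
    {"sid": 1003, "name": "telnet root login attempt", "proto": "tcp", "dport": 23,
     "pattern": re.compile(rb"\broot\b"), "action": "log"},
]


def normalise(proto, dport, payload):
    """Undo the percent-encoding an attacker may use to slip past a byte-for-byte
    signature; real sensors do far more (fragment reassembly, case folding, ...)."""
    if proto == "tcp" and dport == 80:
        return unquote_to_bytes(payload)
    return payload


def inspect(packets, signatures=SIGNATURES, sweep_threshold=5):
    """Run every packet through the signatures and a simple port-sweep heuristic."""
    events = []
    ports_by_src = defaultdict(set)
    for p in packets:
        data = normalise(p["proto"], p["dport"], p["payload"])
        for sig in signatures:
            if (sig["proto"] == p["proto"] and sig["dport"] == p["dport"]
                    and sig["pattern"].search(data)):
                events.append({"sid": sig["sid"], "name": sig["name"],
                               "src": p["src"], "action": sig["action"]})
        ports_by_src[p["src"]].add(p["dport"])
        if len(ports_by_src[p["src"]]) == sweep_threshold:   # fire once, on crossing
            events.append({"sid": 2000, "name": "port sweep",
                           "src": p["src"], "action": "alert"})
    return events


def respond(events):
    """Map each event to its predefined action: a log line, an operator alert, or a
    firewall rule to push to the rulebase (constructed strings; nothing is sent)."""
    responses = []
    for e in events:
        desc = f"sid={e['sid']} {e['name']} from {e['src']}"
        if e["action"] == "log":
            responses.append(("log", desc))
        elif e["action"] == "alert":
            responses.append(("alert", desc))
        elif e["action"] == "block":
            responses.append(("firewall", f"insert rule: drop src {e['src']}"))
    return responses


# Constructed traffic: a benign request, plain and percent-encoded traversal
# attempts, a telnet login as root, and a five-port sweep from one host.
PACKETS = [
    {"src": "203.0.113.7", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"src": "203.0.113.7", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"},
    {"src": "203.0.113.8", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0\r\n"},
    {"src": "198.51.100.9", "proto": "tcp", "dport": 23, "payload": b"root\r\n"},
] + [{"src": "192.0.2.44", "proto": "tcp", "dport": port, "payload": b""}
     for port in (21, 22, 23, 25, 80)]

if __name__ == "__main__":
    for kind, text in respond(inspect(PACKETS)):
        print(f"{kind:9s} {text}")
```

The percent-encoded request is the point of the `normalise` step: without it the traversal signature does not match that packet at all, which is the simplest form of the evasion the audit section tests for. The sweep detector fires exactly once when the threshold is crossed rather than on every subsequent packet, so that the firewall is not flooded with duplicate reconfiguration requests.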
Entrust
A report detailing the installation and configuration of the IDS is given to the customer. We provide training for network administrators in the day-to-day administration of the IDS, including generating reports, taking corrective action when alerts fire and updating attack signatures.
Incident Handling
Incident handling is required when the security of a system or network has been compromised. Analysing and recovering a compromised network or server requires advanced security skills. The exercise determines the extent of the attack, identifies its likely source and takes corrective measures.
Study
All visible details of the attack are collected: the time of the attack, any network service or server that has been brought down, loss or corruption of data, and misbehaviour of desktop or server applications.
Architect
Based on the preliminary data, quick-fix measures are designed to limit the damage. Analysis is conducted to determine the extent of the compromise and whether the affected systems can be taken offline for examination. The presence of trojans and sniffers, and corruption of system files, are also gauged at this time.
Deploy
On each compromised server the integrity of all system binaries is checked against the original distribution media, and all configuration files are matched against copies confirmed to be unchanged. Because an intruder may have replaced the very tools used for these checks, the comparison is made with binaries and checksums taken from trusted media, and forensic images of the affected systems are taken before anything is restored. Intruders often modify data as well, so web pages, FTP archives, files in users' home directories and any other data files are checked. Reviewing the system log files shows how the machine was compromised, what happened during the compromise and which remote hosts accessed it. All systems are examined, not just those known to be compromised. On compromised machines the original system binaries and configuration files are restored, and data corrupted by the attacker is restored from a safe backup. Trojan horse programs, network sniffers and viruses planted by the intruder are removed. All current security patches are applied, the security policy is tightened and logging is increased to monitor all activity.
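Two of the steps above, comparing files against known-good copies and reading the logs for the remote hosts involved, reduce to small pieces of code. The script below is an added example, not Paladion's procedure or tooling: it builds a SHA-256 manifest of a file tree, reports what was added, removed and modified after a simulated intrusion, and tallies accepted and failed logins per source host from sshd log lines. The file tree (built in a temporary directory), the log lines, host names and addresses are all constructed for illustration. In real use the baseline manifest is stored off the host before any incident, and the hashing tools are brought in on trusted media for the reason given in the text.

```python
"""Integrity comparison and log review for incident handling.

Added example, not Paladion's procedure or tooling. The file tree and the sshd log
lines are constructed; real use hashes the live system with tools and checksums
brought in on trusted media and compares against a baseline stored off-host.
"""
import hashlib
import os
import re
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def compare(baseline, current):
    """Return (added, removed, modified) paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified


# Constructed sshd log lines for the log-review step (hypothetical host "web1").
AUTH_LOG = [
    "Jan 12 03:14:07 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51230 ssh2",
    "Jan 12 03:14:09 web1 sshd[813]: Failed password for root from 203.0.113.7 port 51231 ssh2",
    "Jan 12 03:14:12 web1 sshd[815]: Accepted password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 12 08:02:40 web1 sshd[990]: Accepted publickey for alice from 10.0.9.5 port 40022 ssh2",
    "Jan 12 08:03:01 web1 CRON[1001]: (root) CMD (run-parts /etc/cron.hourly)",
]
SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port")


def remote_hosts(lines):
    """Per source host: accepted and failed logins and the accounts tried."""
    hosts = {}
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, host = m.groups()
        entry = hosts.setdefault(host, {"accepted": 0, "failed": 0, "users": set()})
        entry["accepted" if outcome == "Accepted" else "failed"] += 1
        entry["users"].add(user)
    return hosts


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a small constructed tree, simulate an intrusion, report what changed."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"\x7fELF original ls\n")
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/inetd.conf", b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
        baseline = manifest(root)   # in practice taken before the incident and kept off-host
        # The intruder swaps ls for a trojan, drops a sniffer and deletes a config file.
        write(root, "bin/ls", b"\x7fELF trojaned ls that hides /tmp/.x\n")
        write(root, "tmp/.x/sniffer", b"\x7fELF sniffer\n")
        os.remove(os.path.join(root, "etc/inetd.conf"))
        return compare(baseline, manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
    for host, info in remote_hosts(AUTH_LOG).items():
        print(host, info)
```

A trojaned `ls` is the reason the text insists on checking binaries rather than trusting what the system reports about itself: the replaced file is invisible to a directory listing run on the compromised host, but its digest no longer matches the baseline. The log tally shows the pattern an investigator looks for, two failed root logins followed by a successful one from the same address, which identifies both the likely source and the account to reset.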
Entrust
The process followed in recovering from the compromise is documented and reviewed; this shows exactly how the security policy should be revised. The vulnerabilities in the system that allowed the exploit to succeed are highlighted. Long-term initiatives, in new security products and procedures, are also presented to the customer.