Security assessment

Penetration testing


Penetration testing involves assessing an environment, host or application for both known and unknown security vulnerabilities.

Penetration testing is undertaken to inspect and test the effectiveness of your company's resilience to direct, targeted attacks: the existing security controls, the network topology and system design, and the responses of staff and systems to the attacks.
Our penetration testing methodology is designed to simulate a thorough 'real-world' attack by applying the same techniques commonly used by attackers.

External Penetration Testing

While internal and external vulnerability assessments identify your network's security weaknesses by scanning network assets, external penetration testing goes further by attempting to force a path into your network, exposing misconfigurations and holes. Revealing these holes demonstrates the possible ramifications to your reputation and information assets should your company fall victim to attack.
These tests are custom designed to cover whatever system platforms, network devices, software or applications comprise your IT infrastructure and assets. This form of testing is very comprehensive: it not only exhibits an intruder's view of your systems, it also examines their configuration and management.

Internal Penetration Testing

Internal penetration testing is a procedure by which Sentinel Data Security demonstrates to your company the results of an attack perpetrated from within.
Such attacks are often associated with disgruntled employees, but malicious intent is not the only cause: incorrectly configured servers, inadequate password protection at workstations or a failure to install the appropriate security patches on a particular program all create the same exposure.
All of these problems can arise from within your company's internal network, whether through malicious intent or simple incompetence. By putting your internal network through its paces, you will be able to identify and rectify security weaknesses before they cause problems.

Deliverables:

Sentinel Data Security identifies vulnerabilities, both system-specific and architectural, and recommends suitable countermeasures and solutions for every identified weakness. This mitigates the risk of your company suffering a loss of integrity, confidentiality or key information assets.

The format and content of the delivered reports is reader-friendly, ensuring that appointed personnel are able to recognise and remedy identified weaknesses. The report also includes an executive summary and a risk-rated table of the key findings, so that management can understand the implications of the findings without reading the entire report.

OWASP Application Security Verification Standard (ASVS) testing

Organisations face challenges when procuring security services for large ongoing application development cycles, longer product lifespans and many small iterations or feature releases, particularly where multiple security providers are engaged across the enterprise. This can lead to inconsistent methodologies, depths of testing, rigour and technical approach across similar applications in an organisation, which in turn leads to unforeseen and hard-to-measure risks, post-engagement management overheads and sometimes re-testing by preferred providers.

We address this in several ways; one approach used by some enterprise customers is our ASVS-aligned testing. The primary aim of the OWASP Application Security Verification Standard is to normalise the range in the coverage and level of rigour available in the market when it comes to performing web application security verification using a commercially workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment that are relied on to protect against web-based vulnerabilities. It can be used to establish a level of confidence in the security of web applications, and consistency across vendors and applications in an enterprise environment. Because ASVS defines graded verification levels, the level to be verified is agreed with you before the engagement so that the depth of testing is explicit and repeatable.


Network/application design reviews


Initially, Sentinel will evaluate your company's network infrastructure in order to improve its security and to maximise reliability and productivity. Then, based on a classification of the services, data and roles within your network, Sentinel can separate servers into different zones to reduce the impact should a security breach occur. Whether it is a vanilla office network, a processing plant, an enterprise workplace or a microservices fabric, our review services identify threats and weaknesses and provide advisory expertise on a path forward to an improved design.


Application source code reviews


Sentinel Data Security's source code security review services identify vulnerabilities in your software by analysing the overall design of the system as well as the source code itself. This analysis identifies the areas of the application architecture and design which pose the greatest risk to the application, as well as the defects introduced through the software development process.

Sentinel combines automated static analysis with manual, line-by-line human review, giving a thorough result that addresses both code correctness and security. The discovered flaws and the accompanying mitigation information help developers avoid the same programming pitfalls in future, as well as removing the specific security defects from the reviewed software project.

Sentinel also offers dynamic analysis reviews, so that integrated software components, libraries and other closed-source objects combined within the project, whose source is not available for reading, are also reviewed for security defects and risks.


Denial of Service handling


Denial of service can cause significant ongoing disruption to services, customers, business and trade. It takes several forms, including network load and application or service saturation, but also targeted logic and processing exhaustion, where a small, cheap request triggers expensive work on the server. The latter can drive resource or environment scaling (and its cost), not just application disruption.

We offer testing services to identify entry points for such targeted attacks, as well as testing of pure network load and response handling.
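The following is an added example, not code from the original page or from Sentinel, of the kind of entry point the paragraph above describes: a hypothetical upload endpoint that accepts zlib-compressed bodies. The naive handler inflates whatever it receives, so a request of roughly one kilobyte costs the service about a megabyte of memory and CPU (a decompression bomb); the hardened handler caps expansion per request and rejects the payload before the work is done. The endpoint name, the 64 KB budget and the sample payloads are all assumptions constructed for the example.

```python
"""Logic/processing exhaustion as a targeted denial-of-service entry point.

Added example (not from the original page or from Sentinel). A hypothetical
upload endpoint accepts zlib-compressed bodies; the naive handler inflates
them fully, the bounded handler enforces a per-request expansion budget.
"""
import zlib

# Constructed sample inputs (not captured traffic).
BOMB = zlib.compress(b"\0" * 1_000_000, 9)     # ~1 KB that inflates to 1 MB
BENIGN = zlib.compress(b'{"status": "ok"}')     # a normal small body

# Assumed per-request expansion budget. A real service sizes this to its
# largest legitimate body, not to the attacker's convenience.
MAX_OUTPUT = 64 * 1024


class ExpansionLimitExceeded(ValueError):
    """Raised when a payload would inflate past the configured budget."""


def inflate_unbounded(payload: bytes) -> int:
    """Naive handler: fully inflates the body and returns its size.

    Output size (memory and CPU) is entirely under the caller's control.
    """
    return len(zlib.decompress(payload))


def inflate_bounded(payload: bytes, limit: int = MAX_OUTPUT) -> bytes:
    """Hardened handler: asks zlib for at most `limit` bytes of output.

    If input is left unconsumed, or the stream has not reached its end after
    producing `limit` bytes, more output is pending and the request is
    rejected without doing the remaining work.
    """
    d = zlib.decompressobj()
    out = d.decompress(payload, limit)
    if d.unconsumed_tail or not d.eof:
        raise ExpansionLimitExceeded(
            f"{len(payload)}-byte payload still has output pending after "
            f"{limit} bytes (oversized or truncated stream)"
        )
    return out


def handle_upload(payload: bytes) -> tuple[int, int]:
    """Hypothetical entry point: returns (HTTP status, bytes accepted)."""
    try:
        body = inflate_bounded(payload)
    except ExpansionLimitExceeded:
        return 413, 0      # Payload Too Large; nothing beyond the budget was buffered
    except zlib.error:
        return 400, 0      # corrupt or non-zlib stream
    return 200, len(body)


def expansion_ratio(payload: bytes) -> float:
    """Inflated-to-compressed ratio, a useful detection signal to log.

    Uses the bounded path so that measuring cannot itself exhaust the service;
    a payload that exceeds the budget reports an infinite ratio.
    """
    try:
        return len(inflate_bounded(payload)) / len(payload)
    except ExpansionLimitExceeded:
        return float("inf")


if __name__ == "__main__":
    print("naive handler inflated", inflate_unbounded(BOMB), "bytes from", len(BOMB))
    print("bounded handler:", handle_upload(BOMB), handle_upload(BENIGN))
```

The same shape applies to any caller-controlled work factor (page sizes, regex patterns, nested document depth): put a hard budget on the server side, fail fast with a 4xx, and log the ratio so the entry point can be spotted in traffic before it drives scaling.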


Managed ongoing vulnerability identification & scanning


Software security changes rapidly. With new vulnerabilities being discovered and disclosed daily, it is difficult for businesses to keep up to date with the latest threats across their IT environments.

Sentinel Data Security offers managed ongoing vulnerability identification through our remotely hosted, best-of-breed automated assessment software suites.
These systems regularly scan your IT assets and identify systems that are vulnerable or that host known software vulnerabilities, misconfigurations or vulnerable third-party software.

This service allows you to identify newly disclosed, known vulnerabilities across the externally exposed systems that make up your environment. Through the system's communication and workflow tracking components you then manage the analysis, risk rating and remediation of any identified security issues. Automated scanning finds known issues; it complements, rather than replaces, the penetration testing described above.

Social engineering


Social engineering is the term given to the art of exploiting the human weakness of trust. In practice, this can include tricking employees into divulging confidential information such as passwords, access codes or system information, or coercing them into performing an action for the requesting person. Often attackers are able to glean sufficient information from unsuspecting and untrained staff that they can use this technique to compromise a company's security.

Sentinel is able to 'test' your company by employing the methods typically used by attackers, in order to assess the level of your staff's confidentiality training and the effectiveness of your physical security policies.


Information security governance

Policies, procedures and guidelines development


Your security policy serves as a map for your organisation, demonstrating ways to protect itself from internal and external attacks as well as employee mistakes.

Information security policies support the security and management of information resources; they are the foundation, the bottom line, of information security within your organisation.

The security policy for an organisation comprises a collection of documents including the policy itself, procedures, guidelines and standards. These documents provide an organisation with a broad summary of its security posture as well as the step-by-step implementation details for particular systems.

These policy documents address the need to protect personnel, information and property assets. Furthermore they provide management with detailed action plans which can be employed in the event that a company's information assets or activities are in jeopardy.

Sentinel Data Security closely aligns its policy frameworks with the Australian and international standards (AS/NZS 4444, ISO 27001/27002, BS 7799). This ensures that the organisation meets its legal requirements, adheres to industry best practice and is up to international standards, while protecting itself from potential threats.

Incident Response Planning:

Managing the aftermath of an attack requires a high level of security expertise to ensure that disaster recovery and forensic investigations are successful. Sentinel will determine how the attack was perpetrated, inform the client and advise on ways to re-establish the integrity of the network or system. Sentinel can also conduct computer fraud investigations and gather evidence to help with prosecution.

Disaster Recovery Planning:

It is imperative for organisations to develop a comprehensive disaster recovery plan. The disaster recovery plan should cover all essential and critical business activities.

This DR plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that all employees are confident in executing the procedure should the need arise. These procedures must be kept up to date, evolving along with the changing circumstances of your company. Naturally, staff must be made aware of the recovery procedure(s) and their personal role, and be informed of any amendments made to the plan.

Business Continuity Management:

Organisations must be able to operate under adverse conditions, including events that impact the business directly (such as loss of access to facilities) and indirectly (such as a disaster at a key supplier).

To help organisations better prepare for disasters, we facilitate workshops and meetings with key personnel to identify and document current business processes. The focus is on business operations, the key non-IT dependencies used in each business unit and their key IT dependencies; for each we determine the impact severity, likelihood of occurrence, locations impacted, recovery time objectives and recovery point objectives.

Policies, procedures and a complete BCM/BCP framework are then developed that align directly with the business objectives. These should also be regularly tested against different scenarios to ensure completeness.

Sentinel Data Security
