Intrusion Detection & Prevention



IDP, LLC
443-506-3813
www.idpnow.net


IDP Professional Services & Capability Summary:


Network Penetration Testing Services
Website Penetration Testing Services

Compliance Assessments

IT Governance Consulting Services

Enterprise Security Audits


Network Penetration Testing Services

The changes you make to your network on a day-to-day basis can increase the risk of compromise to your critical information and systems. Changes such as providing intranet access to a strategic partner, deploying new applications and implementing new technology can go undiscovered, introducing unacceptable levels of business risk into your environment. IDP can help!

IDP’s penetration testing services can give you a quick and detailed analysis of your current external (and internal) exposure to breaches that threaten critical information and assets. This is an essential first step for governments and businesses worldwide in determining the necessary next steps for maintaining the security levels mandated by common standards such as ISO 17799/BS 7799, Sarbanes-Oxley, HIPAA and the Payment Card Industry Data Security Standard.

The Benefits

  • Find out exactly what potential security vulnerabilities are present on your  network perimeter.
  • Get practical and relevant technical information on how these vulnerabilities can be remediated.

The Details

By analyzing your network, IDP can provide an accurate evaluation of the vulnerabilities on your Internet-facing hosts, as well as hosts on your internal network. IDP will test your systems to determine whether vulnerabilities are present and how likely it is that your systems will be attacked by known exploits, automated malcode threats or malicious Internet users. Specifically, IDP will verify which systems on your network are active and what services are running. Our security analysts will identify potential security vulnerabilities and provide relevant technical information on how these vulnerabilities can be fixed. Vulnerabilities will be rated by severity to help you quickly identify the level of security threat they pose and then prioritize the issues for mitigation.

Our Approach

  • Perform a pre-test validation scan to determine the number of live hosts and to confirm access to the target IP address ranges.
  • Attempt to identify the most vulnerable entry point on your network perimeter.
  • Attempt to exploit the vulnerabilities identified.
  • Report our findings and make recommendations for fixing vulnerabilities before they become a real problem.

The penetration test will include both manual and automated tests including:

  • Port scanning and banner capture to identify services available on hosts
  • Vulnerability assessment of identified services
  • Firewall checks pertinent to the type and release of firewalls employed by the business
  • Password authentication tests
  • Network protocol based tests
  • Protocol spoofing checks
  • Network device checks
  • Mail relay checks
  • Wireless checks
  • DNS checks
  • VoIP checks

Website Penetration Testing Services

As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists.

Website security is possibly today's most overlooked aspect of securing the enterprise and should be a priority in any organization. Hackers are concentrating their efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Web applications are accessible 24 hours a day, 7 days a week and control valuable data, since they often have direct access to backend data such as customer databases. Firewalls, SSL and locked-down servers are futile against web application hacking.

Any defense at the network security level will provide no protection against web application attacks, since they are launched over port 80 - which has to remain open. In addition, web applications are often tailor-made and therefore tested less than off-the-shelf software, making them more likely to have undiscovered vulnerabilities. IDP will evaluate and analyze your web applications for SQL injection, XSS and other web vulnerabilities.

IDP’s penetration and assessment services include:

  • An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications.
  • In-depth SQL injection and Cross site scripting testing.
  • Advanced penetration testing tools, such as a HTTP Editor and the HTTP Fuzzer.
  • Visual macro recorder makes testing web forms and password protected areas easy.
  • Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms.
  • Extensive reporting facilities including PCI compliance reports.
  • Multi-threaded and fast scanner crawls hundreds of thousands of pages with ease.
  • Intelligent crawler detects web server type and application language.
  • Crawling and analyzing of websites including Flash content, SOAP and AJAX.
  • Port scanning of the web server and security checks against the network services running on it.

Compliance Assessments

HIPAA

In recent years, there has been an increased dependence on web-based information systems within the healthcare industry. This new form of healthcare information access and communication has come at a price. This price comes in the form of security vulnerabilities in web applications. Practically all recent statistics point to web applications as being one of the greatest risks to information.

HIPAA, among other things, mandates the privacy and security of PHI against the various threats and vulnerabilities associated with information management. As it relates to web application security, IDP will assess HIPAA security compliance using best practices including:

  • Risk analysis to determine what applications and data are vulnerable
  • Proper authentication, access control, and logging systems
  • Ongoing auditing of information systems to test for newly discovered vulnerabilities

Sarbanes-Oxley (SOX)

Sarbanes-Oxley is all about accountability. It requires that C-level officers of publicly traded companies personally sign off on the accuracy of financial reports and demonstrate that they have a sound series of internal controls.

Sarbanes-Oxley’s audit requirements mandate security for networked systems and financial data. The Sarbanes-Oxley provisions (below) invite a process-based solution, rather than a turnkey one.

  • Section 302 requiring executives to certify the accuracy of corporate financial reports — and that they have mechanisms in place to assure data integrity and to protect against fraud.
  • Section 404 requiring executives and auditors to confirm the effectiveness of internal controls for financial reporting — requiring an annual assessment of controls and external verification or opinion on the accuracy of that assessment.
  • Section 409 requiring disclosure to the public on a “rapid and current” basis material changes to the firm’s financial condition.
  • Section 802 mandating the protection and retention of financial audit records — requiring security for those records and criminal penalties for altering documents.

IDP assists clients in attaining and maintaining compliance with Sarbanes-Oxley by performing:

  • Pre-Audit SOX Security Assessments — By having IDP conduct a security assessment before the compliance audit, clients are able to establish a standard of due care and build a defensible case for their internal controls and implementation decisions for compliance with Sections 302 and 404.
  • Managed Security Services for continued compliance with Sections 404 and 409 for 24x7 monitoring of networked information systems.
  • SOX Security Reports for a demonstrable record of compliance with Sections 409 and 802 by providing compliance reports, including a Defensible Position Portfolio.

Payment Card Industry (PCI) Data Security

Major credit card companies have instituted new mandatory compliance programs that require most businesses that store or transmit cardholder data to adhere to the Payment Card Industry (PCI) Data Security Standard. Data transmitted or stored via Web site, Shopping Cart, e-Mail, Point-of-Sale systems, and customer databases must be protected.

Compliance with the PCI standard requires a detailed, ongoing program involving no less than:

  • An annual assessment
  • A time-sensitive detailed plan to achieve 100% certification
  • Quarterly vulnerability assessments conducted by a PCI-certified third party

IDP provides comprehensive PCI assessment services encompassing an organization’s network, its applications and its underlying databases.


IT Governance Consulting Services

IDP assists businesses and governmental entities in developing, documenting, training on and implementing global policies and procedures to support their IT Governance Strategy. IDP employs best practices based on the framework and methodologies set forth by COBIT and ITIL.

Now more than ever, information and the technology that supports it represent a business’ most valuable assets. Key to protecting those assets is the need to understand and manage the associated risks – both to the information itself and the underlying technology.

Assuring the value and availability of IT, managing IT-related risks, and meeting the increased requirements for control, protection and security over information have become generally accepted as key elements of effective enterprise governance. Value, risk and control constitute the core of IT governance.

Control Objectives for Information and related Technology (COBIT®) provides a framework from which businesses can develop robust IT governance. It does this by ensuring that:

  • IT is aligned with the business
  • IT enables the business to operate effectively and achieve its goals
  • IT resources are used responsibly
  • IT risks are managed appropriately

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is based on a process model that subdivides IT into four domains and 34 processes. The four domains are:

  • Plan and Organize (PO): Provides direction to solution delivery (AI) and service delivery (DS).
  • Acquire and Implement (AI): Provides the solutions and passes them to be turned into services.
  • Deliver and Support (DS): Receives the solutions and makes them usable for end users.
  • Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed.

ITIL® is a consistent and comprehensive documentation of best practice for IT Service Management. It is used by thousands of organizations around the world.

ITIL provides guidance on the provision of quality IT services, and on the accommodation and environmental facilities needed to support IT. ITIL has been developed in recognition of organizations’ growing dependency on IT and embodies best practices for IT Service Management.

ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a huge range of benefits that include:

  • reduced costs
  • improved IT services through the use of proven best practice processes
  • improved customer satisfaction through a more professional approach to service delivery
  • standards and guidance
  • improved productivity
  • improved use of skills and experience
  • improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.

Enterprise Security Audits

IDP assists clients in designing, implementing and conducting Enterprise Security Audits in these key areas of the organization:

  • Asset Protection
  • Internet Security
  • Intranet Security
  • Wireless and Remote Access
  • IT Policy and Procedure Development
  • Email Security, Retention and Availability
  • Physical and Infrastructure Threat Assessments
  • Information Security - Authentication, Access and Availability
  • Backup and Recovery - Business Interruption – Business Continuity

Value Proposition

IDP, LLC www.idpnow.net © 2007