IT SECURITY TESTING & ADVISORY SERVICES
GENERAL SECURITY CONSULTING

OVERVIEW

Lateral Security's general security consulting provides clients with one or more onsite consultants to help with projects or any general IT security requirement. This can include design work, technical testing, advisory work, or management of a team or of project delivery.

Lateral Security provides support services to corporate security organizations, including general assessments of current security programs and the development of security policies, procedures, design guidelines, and standards specific to the industry and location.

In addition to general security consulting, Lateral Security can develop complete corporate security programs, or review and update existing programs. When developing a program, careful consideration is given to industry standards, operating resources, statutory and regulatory requirements, and corporate culture. Many clients turn to Lateral Security on an annual basis for an objective review of their current security programs.

Lateral Security can help organisations understand their assets, their weaknesses and the threats to their business, in order to calculate true risk and to reduce or mitigate that risk to an acceptable level. This may include policies, procedures, configuration guidelines, security awareness programmes and technical controls. General security consulting covers all of the above and can help organisations become more secure over time and meet internal and external business goals.

MORE INFORMATION

Get in touch for more information about how we can help.


SECURITY POLICY AND PROCESS REVIEWS

OVERVIEW

Security policy development and compliance with relevant standards is challenging for any organisation.

Lateral Security has developed security policy for many large Government and Corporate organisations in New Zealand and Australia and has the experience to offer real world advice.

Lateral Security can also offer help with presentations to management, implementation and ongoing measurement of these security policies to ensure success within your organisation.

SERVICES

  • Security policy design and development
  • Implementation of a baseline security policy
  • Produce customer facing documents to satisfy third parties
  • Security policy improvement (such as raising an ITIL maturity score)
  • Standards include ISO/IEC 27001 and 27002, PCI DSS, NZISM, SIGS, COBIT, ITIL, SOX
  • Initial security audit
  • Security policy alignment (such as ISO/IEC 27002, NZISM)
  • Organisational documentation creation

MORE INFORMATION

Get in touch for more information about how we can help.

PCI DSS ASSISTANCE

OVERVIEW

PCI DSS is the security standard for organisations that store, process or transmit payment card data. Under PCI DSS version 2, companies are required to regularly test their security systems and processes.

Lateral Security offers auditing and certification services and uses the latest Qualys PCI-certified scanning and testing tools.

SERVICES

Lateral Security can help you to meet the following PCI DSS requirements:

  • PCI DSS requirement 11.1 - testing for the presence of wireless access points and detection of unauthorised wireless access points (quarterly)
  • PCI DSS requirement 11.2 - internal and external vulnerability scanning (at least quarterly and after any significant change to the network)
  • PCI DSS requirement 11.3 - external and internal penetration testing (at least annually and after any significant infrastructure or application upgrade or modification)

Lateral Security can also assist with:

  • Security policy development to fully comply with PCI DSS
  • Auditing against PCI DSS
  • ISO/IEC 27001 and 27002 (formerly ISO/IEC 17799)
  • NZISM and SIGS (for government)
  • ITIL v3
  • COBIT 4.1
  • Sarbanes-Oxley Act 2002
  • Privacy Act 1993
  • Protected Disclosures Act 2000
  • Human Rights Act 1993
  • Official Information Act 1982

MORE INFORMATION

Get in touch for more information about how we can help.

THREAT MODELLING AND RISK ASSESSMENT

OVERVIEW

A threat modelling and risk assessment identifies the security-related events an organisation faces and measures them against the organisation's risk appetite, which allows the organisation to prioritise its security budget on the areas that truly matter.

This is an interactive process between management and key stakeholders from within the organisation.

The outcome of this engagement is a clear understanding of the threats and risks facing an organisation, and a priority list of areas where countermeasures need to be reviewed or new countermeasures introduced where they do not exist.

Lateral Security uses the following methodology:

  • Asset classification
  • Threat identification
  • Countermeasure identification
  • Likelihood determination
  • Impact determination
  • Risk determination
  • Optional: countermeasure recommendation
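
The following Python script is an added illustration of the methodology above, not Lateral Security's own tooling or scoring model. It carries a small constructed risk register through the steps: each threat is tied to a classified asset, given an inherent likelihood and impact, reduced by the countermeasures that are actually implemented, and the residual risk is compared against a stated appetite to produce the priority list the engagement delivers. The 1 to 5 scales, the step-reduction model for countermeasures, the band thresholds and the appetite value are assumptions chosen for the example.

```python
"""Asset -> threat -> countermeasure -> likelihood/impact -> risk, worked on a
constructed register. Scales, reduction model and thresholds are assumptions."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed ordinal 1..5 scale for likelihood and impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    likelihood_reduction: int  # steps it lowers likelihood when in place (assumed model)
    implemented: bool


@dataclass
class Threat:
    asset: str
    asset_classification: str  # e.g. "confidential", "internal", "public"
    description: str
    likelihood: int            # inherent likelihood, before countermeasures, 1..5
    impact: int                # 1..5
    countermeasures: list = field(default_factory=list)

    def residual_likelihood(self) -> int:
        reduction = sum(c.likelihood_reduction for c in self.countermeasures if c.implemented)
        return max(min(SCALE), self.likelihood - reduction)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        return self.residual_likelihood() * self.impact

    def missing_countermeasures(self) -> list:
        return [c.name for c in self.countermeasures if not c.implemented]


def risk_band(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a band; thresholds are assumed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(threats, appetite: int):
    """Threats whose residual risk exceeds the organisation's appetite, highest first,
    each with the unimplemented countermeasures that would bring it down."""
    above = [t for t in threats if t.residual_risk() > appetite]
    above.sort(key=lambda t: (t.residual_risk(), t.impact), reverse=True)
    return [
        {
            "asset": t.asset,
            "threat": t.description,
            "inherent": t.inherent_risk(),
            "residual": t.residual_risk(),
            "band": risk_band(t.residual_risk()),
            "recommend": t.missing_countermeasures(),
        }
        for t in above
    ]


# Constructed register: three assets, one threat each.
REGISTER = [
    Threat("customer database", "confidential", "SQL injection via public web app", 4, 5,
           [Countermeasure("parameterised queries", 2, implemented=False),
            Countermeasure("WAF in blocking mode", 1, implemented=True)]),
    Threat("staff wifi", "internal", "rogue access point harvesting credentials", 3, 3,
           [Countermeasure("802.1X with certificate auth", 2, implemented=True)]),
    Threat("public website", "public", "defacement via stale CMS plugin", 4, 2,
           [Countermeasure("monthly patch cycle", 2, implemented=False)]),
]

if __name__ == "__main__":
    # Appetite of 6 means anything scoring above 6 residual must be treated (assumption).
    for item in prioritise(REGISTER, appetite=6):
        print(item)
```

The point the numbers make is the one the methodology relies on: a partly mitigated high-impact threat (the database) still ranks above a fully unmitigated low-impact one (the website), and the staff Wi-Fi threat drops below appetite once its implemented control is credited, so it consumes no budget.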

MORE INFORMATION

Get in touch for more information about how we can help.

TEMPORARY STAFF REPLACEMENT

OVERVIEW

Every organisation has times when they don’t have enough internal resource – whether it's for a new project, RFP selection or to cover for absent staff. Lateral Security can provide a temporary staff replacement for your organisation without the expense of recruiting in-house staff.

Services we offer:

  • Independent impartial vendor product selection
  • RFP measurement and selection assistance
  • Internal security resource (business management or technical level)
  • Data collation and gathering exercises
  • Moves, adds and changes management
  • Staff overflow or temporary cover

MORE INFORMATION

Get in touch for more information about how we can help.

PENETRATION TESTING

OVERVIEW

Penetration testing simulates an attacker attempting to gain access to a specified target server or application. It should be done whenever a new application, server or network device is being deployed or the configuration of an Internet-facing service has changed. See also application and source code review.

SERVICES

Penetration testing typically includes:

  • Network discovery - establishes Internet "footprint"
  • Network scanning - external and internal scanning
  • Internet profiling - vulnerability testing of all Internet devices
  • Network device test - servers, firewalls, routers
  • Web application testing - web applications and front facing client applications

Penetration testing and vulnerability assessment use automated tools as well as manual tests. Vulnerabilities and weaknesses often exist within systems, and penetration testing quantifies how easily any identified vulnerability can actually be exploited.

TIMEFRAME

A standard review takes approximately three to five days.

MORE INFORMATION

Get in touch for more information about how we can help.

SYSTEM CONFIGURATION REVIEW

OVERVIEW

A system and configuration review audits and technically tests a network system, server or device to ensure it meets current security standards and/or defined security policies. The system and its configuration are reviewed against standards such as DISA STIGs, NIST, CIS checklists and vendor guides, and against known issues that Lateral Security has seen before. This review includes:

  • Physical deployment configuration of the service and all network devices
  • Server, device hardening and patching levels
  • Dataflows, caches and data stores
  • File “dumps” of network devices to check configuration
  • Vendor firmware update check
  • Misconfigured devices (configurations that break business logic rules)
  • Ruleset checks (against recognised standards)
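
As an added example of the "file dumps" and "ruleset checks" items above (not Lateral Security's own tooling), the Python script below reads a firewall ruleset dump and reports the classes of finding a configuration review is looking for: an any-to-any permit, a management port reachable from any source, deny rules that do not log, and rules that are shadowed by an earlier rule and can therefore never match. The rule syntax is an invented simplified one, and the management port list and the sample dump are constructed; a real review would feed the parser from iptables-save, an ASA running-config or similar.

```python
"""Ruleset review over a firewall configuration dump. The line format
'<action> <proto> <src|any> <dst|any> <dport|any> [log]' is an assumption, not a
vendor format; the sample dump is constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MANAGEMENT_PORTS = {22, 23, 3389, 5900}  # assumed list of administrative services
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    line_no: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any port
    log: bool

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (
            (self.proto == "any" or self.proto == other.proto)
            and other.src.subnet_of(self.src)
            and other.dst.subnet_of(self.dst)
            and (self.dport is None or self.dport == other.dport)
        )


def parse_rule(line_no: int, line: str) -> Rule:
    fields = line.split()
    action, proto, src, dst, dport = fields[:5]
    log = len(fields) > 5 and fields[5] == "log"
    return Rule(
        line_no, action, proto,
        ANY_NET if src == "any" else ipaddress.ip_network(src, strict=False),
        ANY_NET if dst == "any" else ipaddress.ip_network(dst, strict=False),
        None if dport == "any" else int(dport),
        log,
    )


def parse_ruleset(text: str) -> list:
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            rules.append(parse_rule(n, line))
    return rules


def review(rules: list) -> list:
    """Return (line_no, finding) pairs. Rule order matters: first match wins."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and r.src == ANY_NET and r.dst == ANY_NET and r.dport is None:
            findings.append((r.line_no, "any-to-any permit: no effective policy"))
        if r.action == "permit" and r.src == ANY_NET and r.dport in MANAGEMENT_PORTS:
            findings.append((r.line_no, f"management port {r.dport} reachable from any source"))
        if r.action == "deny" and not r.log:
            findings.append((r.line_no, "deny without logging: blocked traffic is invisible to IDS/SIEM"))
        # Shadowing: an earlier rule already decides every packet this one would match,
        # so this rule never fires. Whether the earlier action was intended is for the owner to confirm.
        for earlier in rules[:i]:
            if earlier.covers(r):
                findings.append((r.line_no, f"shadowed by rule on line {earlier.line_no} ({earlier.action})"))
                break
    return findings


# Constructed dump containing each defect class the review looks for.
SAMPLE_DUMP = """\
# perimeter ruleset (constructed example)
permit tcp 203.0.113.0/24 10.0.1.10/32 443 log
permit tcp any 10.0.1.20/32 22
deny tcp 192.0.2.0/24 10.0.1.0/24 any
permit tcp 203.0.113.64/26 10.0.1.10/32 443
permit any any any any
deny any any any any log
"""

if __name__ == "__main__":
    for line_no, finding in review(parse_ruleset(SAMPLE_DUMP)):
        print(f"line {line_no}: {finding}")
```

The shadowing check is the one that most often surfaces "business logic" breakage: the final deny-and-log rule in the sample is dead because the any-to-any permit above it matches first, so the device is open while the ruleset reads as if it were closed.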

TIMEFRAME

This review takes approximately one day for a standard review per device (firewall, server or IDS type system) plus reporting.

MORE INFORMATION

Get in touch for more information about how we can help.

DESIGN REVIEW

OVERVIEW

The security design review provides assurance that the solution has been designed to meet its protection requirements and that appropriate security controls have been incorporated into the technical design. The review can focus on a high-level solution design, taking in the design specification and the design documentation, to confirm that the stated security objectives are met and the identified risks are appropriately managed, and to identify any gaps in the service's technical design. Specifically, the following key elements are typically assessed:

  • Have the security requirements for the project been clearly defined?
  • Does the solution design meet the security requirements?
  • Does the solution documentation contain enough detail about the security controls?

Lateral Security undertakes the following approach to the design review:

  • Obtain requirements definitions, high level designs and detailed designs for the environment
  • Review the documentation provided against the points above
  • If necessary, clarify areas with architects to ensure the design is clearly understood
  • Provide a security report detailing the review findings

MORE INFORMATION

Get in touch for more information about how we can help.

APPLICATION CODE REVIEW

OVERVIEW

An application code review looks deeply into the internal workings of an application with a line-by-line review of security-sensitive processes within an application.

This type of testing provides assurance for applications that have a high IT security requirement like banking, finance, government, or database applications that hold private client information.

SERVICES

  • Login, registration and transactional processes
  • Code error identification and exploitation
  • Logic errors and backdoor identification
  • Test or debug code left behind in production builds
  • Upgrades and patch vulnerabilities
  • Privacy leakage testing for banking, finance and government
  • Post-exploitation information gathering

TIMEFRAME

A typical source code review takes five days, however this depends on the number of lines within the code and the overall application size.

MORE INFORMATION

Get in touch for more information about how we can help.

MOBILE AND WIRELESS SECURITY REVIEW

OVERVIEW

This review covers mobile devices, operating systems, applications, security controls and processes. Smartphones, tablets, laptops and wireless systems, including Wi-Fi, RFID, identity cards, smartcards and payment cards, are within scope for this type of security review.
A typical review takes approximately two to five days depending on complexity, the number and type of devices (operating system dependent) and the network topology.

Mobile and wireless technologies are frequently misconfigured and, when they are, easily compromised. This review takes a risk-based approach combined with a technical assessment to measure the controls and systems in place. The aim is to provide you with a report that identifies the real risks and provides mitigations for them.

We recommend a mobile and wireless security review before and during deployment of mobile and wireless devices, and a short review whenever they are upgraded or changed.

SERVICES

Network and infrastructure:

  • Full network scanning - establish existing wireless “footprint”
  • Password security and authentication
  • Wireless infrastructure security (corporate versus guest versus public)
  • Network segregation (what other data can be viewed on the wireless LAN)
  • Security implications of mobile devices, operating systems, applications, monitoring systems and security controls and processes
  • Design and Architecture review
  • Firewall/VLAN and anti-virus controls
  • Intrusion detection testing
  • Rogue Access Points
  • Encryption levels - Is data encrypted, what type of encryption?
  • Physical device deployment - device locations, can they be physically compromised?
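
As an added example of the "wireless footprint", "rogue access points" and "encryption levels" items above (not Lateral Security's own tooling), the Python below compares a site survey against the authorised access point inventory. It separates the cases a reviewer has to tell apart: an unknown radio advertising a corporate SSID (an evil twin), an authorised radio that has drifted to a weak cipher, a strong unknown AP that may be plugged into the corporate network, and a distant neighbour that is merely noise. The record layout, the weak cipher set, the signal threshold and the survey and inventory data are all constructed assumptions; in practice the records would come from a tool such as airodump-ng's CSV output.

```python
"""Rogue AP and encryption check from a wireless survey against an authorised
inventory. Record format, cipher classes, the -60 dBm threshold and all data are
constructed assumptions for the example."""
from dataclasses import dataclass

WEAK_SECURITY = {"OPEN", "WEP", "WPA"}  # WPA (TKIP) and older treated as weak (assumption)
ON_PREMISES_DBM = -60                   # stronger than this is assumed to be inside the building


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # MAC address of the radio
    security: str    # OPEN, WEP, WPA, WPA2 or WPA3
    signal_dbm: int


def classify(survey, inventory):
    """Compare observed APs to the authorised inventory.

    inventory: {bssid: (ssid, security)} for every corporate radio.
    Returns {category: [(bssid, ssid, detail), ...]}. Only radios that are ours or
    that impersonate our SSIDs are judged; a weak neighbour network is out of scope."""
    corporate_ssids = {ssid for ssid, _ in inventory.values()}
    findings = {"evil_twin": [], "rogue": [], "weak_encryption": [], "config_drift": [], "foreign": []}
    for ap in survey:
        bssid = ap.bssid.upper()
        if bssid in inventory:
            expected_ssid, expected_sec = inventory[bssid]
            if ap.security in WEAK_SECURITY:
                findings["weak_encryption"].append((bssid, ap.ssid, f"{ap.security} in use"))
            if ap.security != expected_sec or ap.ssid != expected_ssid:
                findings["config_drift"].append(
                    (bssid, ap.ssid, f"observed {ap.ssid}/{ap.security}, expected {expected_ssid}/{expected_sec}"))
        elif ap.ssid in corporate_ssids:
            # Unknown radio advertising our SSID: clients will roam to it and offer credentials.
            findings["evil_twin"].append((bssid, ap.ssid, f"unknown BSSID at {ap.signal_dbm} dBm"))
        elif ap.signal_dbm > ON_PREMISES_DBM:
            # Strong but unknown: probably on site. Needs a physical walk to find it and
            # a check of whether its uplink is our LAN before it is called rogue for certain.
            findings["rogue"].append((bssid, ap.ssid, f"strong unknown AP ({ap.signal_dbm} dBm), locate physically"))
        else:
            findings["foreign"].append((bssid, ap.ssid, f"{ap.signal_dbm} dBm, likely a neighbour"))
    return findings


# Constructed inventory and survey.
INVENTORY = {
    "00:11:22:33:44:01": ("CORP-STAFF", "WPA2"),
    "00:11:22:33:44:02": ("CORP-GUEST", "WPA2"),
}
SURVEY = [
    AccessPoint("CORP-STAFF", "00:11:22:33:44:01", "WPA2", -45),  # healthy corporate radio
    AccessPoint("CORP-GUEST", "00:11:22:33:44:02", "WEP", -50),   # authorised radio, weak cipher
    AccessPoint("CORP-STAFF", "AA:BB:CC:DD:EE:01", "OPEN", -40),  # evil twin of the staff SSID
    AccessPoint("Linksys", "AA:BB:CC:DD:EE:02", "WPA2", -52),     # strong unknown device
    AccessPoint("Cafe-Free", "AA:BB:CC:DD:EE:03", "OPEN", -82),   # distant neighbour
]

if __name__ == "__main__":
    for category, items in classify(SURVEY, INVENTORY).items():
        for bssid, ssid, detail in items:
            print(f"{category:16} {bssid} {ssid!r}: {detail}")
```

Signal strength is a coarse proxy for location, which is why the "rogue" category above is phrased as a lead for the physical deployment check rather than a conclusion; the evil twin, by contrast, is a finding on its own because the SSID match is the attack.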

Handheld mobile review includes:

  • Synchronisation authentication including log-on and digital certificates
  • On-device security and encryption
  • Remote disable and wipe
  • Software application security (iPhone and Android custom built applications)
  • Patch management
  • Mobile application review
  • Server and transport layers (telco links, testing includes both fixed and wireless)
  • Management control processes and policies

Mobile technologies:

  • Handheld mobile devices - iPhone, Android, Nokia, Blackberry
  • Portable mobile devices - laptops, tablets, iPad
  • Wi-Fi 802.11 (a/b/g/n, including 802.11i security), WiMAX, GSM/EDGE, 3G and 4G cellular
  • Enterprise - MS Exchange/Outlook, Android, Apple MobileMe
  • Mobile applications - iPhone and Android custom built client device apps
  • Bluetooth and infrared technologies

TIMEFRAME

A standard review takes approximately three to four days, within the two to five day range noted above for more or less complex environments.

MORE INFORMATION

Get in touch for more information about how we can help.
