IT SECURITY TESTING & ADVISORY SERVICES
PENETRATION TESTING

OVERVIEW

Penetration testing simulates an attacker attempting to gain access to a specified target server or application. It should be done whenever a new application, server or network device is being deployed or the configuration of an Internet-facing service has changed. See also application code review.

SERVICES

Penetration testing typically includes:

  • Network discovery - establishes Internet "footprint"
  • Network scanning - external and internal scanning
  • Internet profiling - vulnerability testing of all Internet devices
  • Network device test - servers, firewalls, routers
  • Web application testing - web applications and front-facing client applications

A penetration test and vulnerability assessment uses automated tools as well as manual tests. Vulnerabilities or weaknesses often exist within systems, and penetration testing can be used to quantify how easily any identified vulnerability can be exploited.

TIMEFRAME

A standard review takes approximately three to five days.

MORE INFORMATION

Get in touch for more information about how we can help.

System Configuration Review

OVERVIEW

A system and configuration review audits and technically tests a network system, server or device to ensure it meets current security standards along with any applicable security policies. The system and configurations are reviewed against standards such as DISA STIGs, NIST, CIS checklists, vendor guides and known issues that Lateral Security has seen before.

This review includes:

  • Physical deployment configuration of the service and all network devices
  • Server, device hardening and patching levels
  • Dataflows, caches and data stores
  • File “dumps” of network devices to check configuration
  • Patching and firmware update levels
  • Misconfigured devices
  • Configuration review against recognised standards
  • Ruleset checks (against recognised standards)

TIMEFRAME

This review takes approximately one day per device (firewall, server or IDS type system).

MORE INFORMATION

Get in touch for more information about how we can help.

Security Design & Architecture Review

OVERVIEW

A security design and architecture review provides assurance that a solution has been designed with security in mind. Items for review can cover the design specification and documentation, including the stated security objectives and business risk.

Specifically, the following key elements are typically assessed:

  • Have security requirements for the project been clearly defined
  • Does the solution design meet the security requirements
  • Does the solution documentation contain enough detail regarding the security controls

Lateral Security undertakes the following approach to the design review:

  • Obtain requirements, definitions, high level designs and detailed designs for the environment
  • Review the documentation provided against the points above
  • If necessary, clarify areas with architects to ensure the design is clearly understood
  • Provide a report detailing findings

TIMEFRAME

A standard review takes approximately one to two days.

MORE INFORMATION

Get in touch for more information about how we can help.

Application Code Review

OVERVIEW

An application code review looks deeply into the internal workings of an application with a line-by-line manual review of security-sensitive processes.

This type of testing provides assurance for applications used in sensitive industries including banking, finance, government or database/transactional applications that hold personally identifiable information (PII) or other client information.

SERVICES

An application code review includes:

  • Login registration and transactional processes
  • Code error identification and exploitation
  • Logic errors and backdoor identification
  • Test code vulnerabilities (including code inadvertently included in release)
  • Inadvertent disclosure of personal information
  • Upgrades and patch vulnerabilities
  • Privacy leakage testing for banking, finance and government
  • Post-exploitation information gathering

TIMEFRAME

A standard review takes approximately three to four days; however, this depends on the number of lines of code, the functionality and the overall application size.

MORE INFORMATION

Get in touch for more information about how we can help.

Mobile and Wireless Security Review

OVERVIEW

This review includes mobile devices, operating systems, applications, security controls and processes. Smartphones, tablets, laptops and wireless systems including WiFi, RFID, identity cards, smartcards and payment cards are within scope for this type of security review.

Mobile and wireless technologies can be configured incorrectly and are easily compromised. This type of review provides you with a report that identifies the real risks and provides mitigations for these risks.

We recommend a mobile and wireless security review before and during deployment of mobile and wireless devices, and a short review whenever they are upgraded or changed.

SERVICES

Network and infrastructure:

  • Design and architecture review
  • Full network scanning - establish existing wireless “footprint”
  • Password security and authentication
  • Wireless infrastructure security (corporate versus guest versus public)
  • Network segregation and what other data can be viewed from the wireless LAN
  • Security implications of mobile devices, operating systems, applications, monitoring systems and security controls and processes
  • Firewalls/VLAN, and malicious code (AV) controls
  • Intrusion detection testing
  • Rogue access point detection
  • Encryption levels - Is data encrypted, what type of encryption?
  • Physical device deployment - device locations, can they be physically compromised?

Handheld mobile review includes:

  • Mobile application review
  • Synchronisation authentication including log-on and digital certificates
  • On-device security and encryption
  • Remote disable and wipe
  • Software application security (iPhone and Android custom built applications)
  • Patch management
  • Server and transport layers (telco links, testing includes both fixed and wireless)
  • Management control processes and policies

TIMEFRAME

A typical review takes 2-5 days depending on complexity, device numbers (OS dependent) and network topology.

MORE INFORMATION

Get in touch for more information about how we can help.

CLOUD SERVICES REVIEW

OVERVIEW

Lateral Security performs frequent reviews of a wide range of cloud-based services including New Zealand All of Government (AoG and CWP platforms), Amazon AWS, Microsoft Azure, Revera, and Salesforce.

Cloud-based services are reviewed to ensure that security policies, technical controls and the correct security configurations have been implemented. Applications hosted on these service providers can also be reviewed in the same way as an application code review or penetration test. A cloud platform and a web application are often included in the same review.

This review includes:

TIMEFRAME

This review takes approximately three days for a standard review.

MORE INFORMATION

Get in touch for more information about how we can help.

KIOSK SECURITY REVIEW

OVERVIEW

A kiosk security review provides assurance to an organisation around its deployment of kiosk-based systems. This is especially important as these devices are typically located in an area not actively monitored by staff. Lateral Security recommends that kiosk systems are regularly reviewed as they can pose a significant risk to an organisation. A kiosk review covers the physical kiosk, the kiosk application and network segregation to ensure the system meets appropriate security standards.

This review includes:

  • Kiosk physical deployment configuration
  • Kiosk application
  • Kiosk hardening
  • Patching and firmware update levels
  • Network authentication, services and network attached devices

TIMEFRAME

This review takes approximately two days for a standard kiosk review.

MORE INFORMATION

Get in touch for more information about how we can help.

Lateral Red Teaming – Real World Control Verification and Validation

OVERVIEW

A Lateral Red Team engagement enables an organisation to obtain an accurate assessment of the real-world vulnerabilities of their production systems, networks and organisation as a whole.

Security testing and vulnerability assessments are often limited in scope and directed at specific components. A Lateral Red Team engagement provides an organisation with the opportunity to take a holistic approach to verifying the controls which protect it, its ICT systems and the data within.

Lateral Red Team engagements are requested by customers for a variety of purposes including:

  • Exercising organisational ability to detect, react and take mitigating measures in response to actions from a simulated adversary
  • Verification of system or organisation wide controls following changes in system or organisational security states
  • Testing existing controls to justify and prioritise additional investment
  • Identifying defective controls
  • Assurance that controls are functioning as implemented

A Lateral Red Team engagement is carefully scoped by working with the customer to determine exactly what outcomes the customer requires, as all engagements are tailored to requirements. Using well-defined methodologies and agreed “rules of engagement”, the adversary threat or threats that the team is emulating are decided up front and can range from a Tier 1 nation state to an opportunist criminal. This ensures that engagement objectives are met without altering the customer's already accepted residual risk levels.

Engagements can be based on testing specific controls using a repeatable, demonstrable and evidence-based methodology, or on a goal/objective-based approach, where a customer sets a general requirement for our team to achieve (e.g. demonstrate whether it is possible to obtain physical access to a network component).

Service details:

  • Customers receive a detailed written report describing the vulnerabilities that our team uncovered
  • If desired, this can be backed up with a verbal briefing tailored to the audience
  • Depending on the approach selected, information on the methodologies used, to allow customers to repeat the verification tests themselves
  • An understanding of where your organisation stands from a security standpoint and where enhancement and refinement of controls is required to achieve your desired risk level

MORE INFORMATION

Get in touch for more information about how we can help.
