Whether you like
it or not your network is being scanned and
probed for vulnerabilities from hackers, and
script kiddies. When they find vulnerability
on your site they typically exploit it and gain
control of your resources. A network design
that follows secure principles, properly configured
firewalls, and hardened operating systems will
typically defeat these types of attacks. It
is an industry standard practice to check and
double-check such a vulnerable and dynamic interface.
En Pointe performs one-time and periodic vulnerability
scans of your network presence using a suite
of tools including commercial-grade, shareware,
and internally developed software to scan for
known vulnerabilities on your system. En Pointe
provides immediate alerts and recommendations,
updates, patches or work-around for any holes
found.
Feature
Benefit
Broader
scope of assessment than “Vulnerability
Scans”
* Social engineering
* Wireless security
* Application security
* Architectural review
* Configuration review
* Identification
of more vulnerabilities
* Recommendation for more improvements
* Greater overall risk reduction
Better
documentation for all levels of management
to technicians
* Executive
level management - explanations of risk
to corporate assets without being distracted
by technical details.
* Management - Recommended projects and
how to assign budget
* Technical Personnel - Clear instructions
for improvements
Flexible
process for determining vulnerabilities
Ability
to work within your production environment
and with your custom applications
Continuously
improving process and updated techniques
More accurate
Professional
report covering information security vulnerabilities.
Not simply the output of a single tool.
Realistic
and true data – leads to proper allocation
of effort and funds
Broader range of data
En Pointe assesses the vulnerabilities
within the customer site by implementing the following
phases of our vulnerability assessment methodology:
Public
Information Gathering. An
Open Source search of all publicly available
information (“Webcrawling”) on
company and subsidiaries such as: website
information, press releases, and website registration.
This search is performed using public
search engines (html tag review,
EDGAR, Google, AltaVista, and USENET), Whois
(registrar, organization, and POC query),
DNS interrogation (nslookup), email
information harvesting techniques, and traceroute
(network reconnaissance).
Network-Based
Vulnerability Scan. Ports
are scanned and vulnerabilities identified.
This process utilizes automated tools to attempt
to locate all TCP or UDP ports on a host that
are advertising a service. Vulnerability scanning
is then performed using a combination of public
domain tools, including, NESSUS
(and its various plugins), NTOinsight,
and sitedigger.
Social
Engineering and Physical Penetration Testing.
Information regarding
the strength of existing security controls
and countermeasures is gathered using information
given from the customer’s employees.
On site security breaches are attempted and
information gathered on essential data such
as network diagrams, internal memos, and similar
information. Phonecalls “phishing’
for information is one methodology used. Also,
password requests, impersonation and ingratiation
are used to attempt to breach security.
Data
Analysis. Data
is then analyzed to ensure its accuracy and
to determine its impact on the security posture
of the customer. Potential vulnerabilities
are verified through additional testing, review
of network documents, additional interviews,
and research.
