A Proven Process
Sunera offers a variety of security services, the most common being vulnerability assessments and penetration testing engagements. A vulnerability assessment gives the client an evaluation of the overall security of the organization's systems and provides a baseline for selecting appropriate safeguards. Penetration testing extends this methodology by simulating an attack on those systems by a malicious actor, demonstrating which weaknesses can actually be exploited rather than only listing them.
Overview of Our Methodology
For each service listed below, Sunera will identify vulnerabilities, threats and risks, provide recommendations, and assist in vulnerability remediation.
Vulnerability Assessment
A vulnerability assessment uses both automated and manual techniques to discover vulnerabilities with known exploits, each posing a different level of risk to the organization. To produce accurate, repeatable results and measurable metrics, all of Sunera's security professionals follow the industry-standard Open Source Security Testing Methodology Manual (OSSTMM).
Sunera's standard process ensures that the scanning tools carry the latest vulnerability signatures at the start of every assessment, since a scanner can only report the weaknesses its signatures describe. Current and past issues are covered, including missing security patches and service packs, buffer and heap overflows, locally and remotely exploitable vulnerabilities, default accounts, backdoors and trojans, conditions that enable denial-of-service attacks, the presence of rootkits or network hacking tools, and firmware vulnerabilities in networked devices. Coverage spans a diverse set of platforms such as HP-UX, AIX, Windows, various Linux distributions, Macintosh, NetWare, Solaris and equipment from multiple network device vendors.
Penetration Testing
Penetration testing attempts to exploit the weaknesses discovered in the logical and physical environments in order to compromise the target. Each in-scope asset is subjected to a comprehensive attack and the results are evaluated to determine whether a compromise succeeded. The assessment also looks for findings that appear minor in isolation but, when chained together, escalate the severity of an attack and lead to a compromise of the information systems.
Each successful compromise is documented with a proof-of-concept (PoC) demonstration. A PoC records the attack scenario, the specific actions taken to compromise the system, the steps required to remediate the risk, and industry-standard references for the underlying vulnerability.
Additional Assessments
The scope of the vulnerability assessment and penetration testing engagement methodology can be expanded to include the following:
Social Engineering – The human element is often the most overlooked aspect of an organization's security program. People introduce risk that can expose protected resources and divulge sensitive information. The social engineering engagement identifies critical risk factors through communication scenarios of varying sophistication, designed to test both how well personnel follow policy and how well systemic controls enforce it. The results are delivered as an assessment of the appropriate level of technical controls and of personnel security awareness.
Physical Security – Physical security (PhySec) should not be viewed simply as a way to protect material objects. PhySec is the means of protecting infrastructure, information and personnel from loss and damage. Organizations have different requirements, as certain resources demand different levels of physical protection. We provide a diverse set of PhySec services, ranging from evaluating environmental controls to full breach and impact assessments. The breach and impact assessments replicate the methods an attacker could employ to bypass physical controls, giving the organization's management team a concrete view of the actual areas of risk. On completion, the organization will understand how an attacker could leverage its physical vulnerabilities to compromise the integrity of the target.
Web Application Security – A web presence is critical for business today, but it is also exposed to attackers anywhere in the world. By combining automated and manual analysis of a web site or application, our security consultants identify the vulnerabilities and risks to the application and its platform, regardless of the underlying technologies. Once the scope and architecture of the target application(s) are fully understood, automated tools are configured for that application and monitored while they test the security controls protecting its exposed interfaces. Manual testing starts where the automated tools stop: consultants use their experience to test the site as an attacker would, finding the flaws that automated testing misses.
Wireless Security – Wireless communication adds convenience to the network; that same convenience can introduce security issues that go undetected. Without a methodology for secure configuration, deployment, detection and prevention, an organization cannot control unauthorized network access. The wireless security assessment determines the current state of the deployment, identifies the sanctioned wireless assets, reviews configuration standards, and uncovers actual wireless vulnerabilities such as unauthorized access points or weak encryption settings. We can make sure the organization's wireless security meets or exceeds industry best practices and regulatory compliance requirements.
Our Security Resources
Professionals - Every member of Sunera's Information Security and Network Services Practice holds the Certified Information Systems Security Professional (CISSP) certification.
Additional certifications held by practice members include: Cisco Certified Network Associate (CCNA); Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); Certified Secure Software Lifecycle Professional (CSSLP); Microsoft Certified Systems Engineer (MCSE); Red Hat Certified Engineer (RHCE); Red Hat Certified Technician (RHCT); and Payment Card Industry Qualified Security Assessor (PCI QSA). Sunera's technical team also has in-depth knowledge of a wide range of vendor hardware and software products.
Tools - Commercially available automated tools and proprietary methodologies augment Sunera's data collection process. The tools that may be used on an engagement are selected for the defined systems and environment and compiled into a single reference for the client. This reference, including how each tool will be used, is provided to the client before any testing begins, so the client can review and approve it as part of the rules of engagement.
Benefits of Vulnerability Assessment and Penetration Testing
Organizations that contract Sunera for vulnerability assessment and penetration testing services can expect the following benefits:
- Threat Exposure - Sunera identifies, and helps remediate, weaknesses and vulnerabilities from a technical, physical and administrative perspective, and reveals the level of risk to your organization's operations, IT infrastructure, applications, wireless networks, sensitive data, and the personal information of both customers and personnel.
- Comprehensive Reporting - We provide a detailed report written for both technical and management audiences. It describes each issue, the underlying vulnerability and how it was discovered, and sets out an action plan that addresses the problems at the remedial, tactical and strategic levels.
- Product and Vendor Neutral Advice - Sunera provides objective, independent advice on the best alternatives for implementing a sound security strategy. Sunera is not a reseller for any software or security vendor, which allows us to make unbiased recommendations.