>I/T Security Audit
Based on regulatory standards (ISO, FISAP, HIPAA or others), xDefenders works with clients to interview employees, I/T staff and management to determine whether published security policies are actually being followed. We compare policy with practice and note where there are "gaps". A detailed checklist is completed, and a report is written and reviewed with the client. An audit reviews the following areas:
>Web Application Security
We will audit your key web applications against OWASP standards and provide a report detailing all remediation needed to secure them. We use a number of the industry's best tools. These tools can be run remotely and report on a number of known vulnerability classes, listed below together with the business impact each one typically enables:
-Cookie poisoning - Identity Theft
-Hidden field manipulation - eShoplifting
-Parameter tampering - Fraud
-Buffer overflow - Closure of business
-Cross-Site scripting - Hijacking/Breach of trust
-Manipulation of SQL statements
-Backdoor and Debug Options - Trespassing
-Forceful browsing - Breaking and Entering
-Stealth commanding - Concealed Weapons
-3rd party manipulation - Debilitating a site
-Known vulnerabilities - Taking control of a site
>Database Access and Security Controls
Many applications that reside on top of Oracle, Sybase, DB2, MS SQL Server or MySQL rely on the security attributes of the database to secure, control and back up the data. Understanding this relationship, together with Database Administrator (DBA) processes and tools, is essential to auditing a database and the applications that use it. We look at the relationship between application security and database security, including:
-Log-On Procedures
-Password administration and management
-User Identification, Authentication and Administration
-Use of system utilities
-Links to applications, operating systems
-Backup and storage security procedures
-Security of DBA tools and software
-Evaluation of stored procedures
>Housekeeping
-Management of Logs
-Back-up Procedures
-Fault Logging
-Problem Reporting and Administration
>Operating System Access Control
-Password Administration and Management
-User Identification, Authentication and Administration
-Use of System Utilities
-Terminal Time-out
-Limitation of Connection Time
-Terminal Log-On Procedures
-Peripheral Administration
>Security of System Files and Servers
-Control of operational software
-Protection of system data and files
-Access control to program source library
-Connectivity and interconnected networks
-Network Access
-Trust relationships
-Server Logical Security
-Penetration detection
-Violation investigation and monitoring
-Virus Protection
-Remote access facilities and VPN controls
-Authentication mechanisms