A security audit is a service that helps improve the security of computer systems, prevent information leaks and ensure their availability.
There are different approaches to performing an IT security audit or “ethical hacking” of an organisation’s assets. Tarlogic uses internationally recognised security review methodologies, such as OSSTMM, NIST SP 800-115, OWASP and OWISAM, to ensure the security of all our customers’ assets.
At Tarlogic we have unified the services involving information cyber security and intelligence solutions to build our portfolio of professional solutions. Our differentiating factors are our high level of specialisation, the technical quality of our team and the significant investment we make in R&D, which keeps us at the forefront of security techniques with which we can minimise the risk of cyber attacks.
Approaches for performing a security audit
Depending on your needs, a security review can be carried out with one of two approaches: a security audit or an intrusion test.
These terms are often used interchangeably, although a security audit focuses on identifying and analysing the theoretical impact of vulnerabilities affecting a system, while an intrusion test is more comprehensive and includes verification of the real impact of the vulnerabilities detected on the affected system.
Tarlogic uses security metrics such as CVSS to classify the impact of vulnerabilities and conducts audits in accordance with two different points of view:
Black box security audit
Black Box Audit: “Black box” is the name given to a security audit or intrusion test in which the auditor has no knowledge of the underlying technological infrastructure.
This security review is ideal for simulating attacks carried out by external attackers and provides an insight into the system’s level of exposure to an attack. In this type of security review, the team of auditors has no prior user accounts with which to interact with the applications to be analysed.
In this type of work, the team of analysts is required to gather information about the platform in order to construct the most plausible attack scenarios.
White box security audit
White Box Audit: This is a more comprehensive security audit. The auditor is provided with technical information about the assets to be audited, such as users, passwords and the security mechanisms in place for the assets analysed.
With this approach the auditor does not need to devote additional effort to gathering information, which allows all efforts to be focused on the elements that are critical to your business.
This review is complementary to a black box security review and can be carried out as a follow-up to it. The aim of this review is to shield a platform against more sophisticated attacks, against an attacker who has greater resources, or to provide the platform with greater protection because of the criticality of the information it handles.
Main types of security audits
The IT security audits performed by the Tarlogic cyber security specialists are carried out in different modalities: closed project, hours bank and recurring services.
Some of the most common types of security audits are the following:
- Web audit: Its objective is to protect web portals and applications by simulating real attacks. The web application audit also analyses vulnerabilities in the infrastructure (Microsoft IIS, Apache, WebSphere, nginx, etc.), vulnerabilities associated with the technology used (.NET, PHP, Java, Python, etc.) and vulnerabilities in the application’s logic.
- eCommerce audit: Improves the confidentiality and availability of an eCommerce platform and helps to reduce the risk of fraud and of payment data leakage (PCI DSS).
- Internal intrusion test: Identification of weaknesses and access routes to confidential information within the company’s systems. This intrusion test helps to identify areas for improvement in the security of Active Directory and internal servers.
- Perimeter security review: Analysis of the external perimeter of the organisation, analysing the exposed services (web portals, e-mail, DNS…) and applications.
- WiFi Audit: Review of the deployment and security of the WiFi infrastructure in enterprise networks and captive portals. Analysis of coverage and triangulation of devices and access points.
- Microsoft Windows platforms audit: Analysis of the Active Directory infrastructure, security policies, configuration of servers and workstations, as well as the drafting of secure configuration guidelines.
- Linux and Unix systems: Study of the security mechanisms implemented in the systems, their weaknesses and areas for improvement.
- Hardware hacking: Audit of hardware device security (communication routers, cable modems, embedded devices, alarms, IoT devices, etc.).
- Mobile app audit: Security testing of Android and iOS mobile applications and code auditing of the mobile application to analyse how these applications store, transmit and process data.
In addition to conventional security reviews, Tarlogic also offers tailored services, such as cyber security exercises and code audits, and has specialised departments that lead the following services:
- Cyber intelligence: Provides information to facilitate decision-making. Includes forensic analysis services and response to security incidents, analysis services relating to fraud, intelligence and counterintelligence.
- Red Team: A specialised team available 24/7 that simulates sponsored computer attacks against your company, with a view to detecting weak points in your security model and gaps in your defensive measures.
- Bug Bounty: Managed bug bounty programme for researchers who detect security flaws.
CVSS-based Security Audit
A company wishing to perform an IT security audit may find that, if the audit is performed by two different security analysts, the number of weaknesses, the evidence and the risk assessment may differ. There are several key aspects of a consistent assessment that should be considered in a penetration test.
Risk Assessment Analysis
Security risk analysis can be a highly subjective exercise that produces assessments differing beyond reason. This difference in the criticality and asset risk rating negatively impacts several organisational and project management aspects:
- Defence of the penetration test results in an executive meeting.
- Defence of the results with the technical department.
- Prioritisation of a technical action plan.
- Justification of investment in periodic security audits.
- Investment in technology and perimetric security elements.
In order to improve these aspects, the Tarlogic Security Team relies on the CVSS methodology, an IT security risk classification methodology that leaves little room for misinterpretation of the risk level and whose results can be represented graphically.
CVSS uses several groups of metrics to measure vulnerability impact. The main group is the base metrics associated with the vulnerability itself, which measure:
- The complexity of access to the audited system
- The need for authentication to exploit a security flaw
- The impact on information confidentiality
- The impact on integrity
- The impact on system availability (uptime)
Contact Tarlogic to perform a Web Security Audit based on the OWASP Methodology and protect your business applications.
If you are looking for a more detailed security audit, environmental metrics can be added, which analyse the reliability of the detected vulnerability, how easily it can be exploited by a third party, and how hard it is to fix.
Temporal metrics evaluate how this vulnerability impacts the systems based on the existence of functional tools to exploit it and the availability of security patches.
The use of CVSSv2 allows you to know precisely the security level of your organization and justify, based on the results, the need for a larger investment in security.