
IT Security Testing Services

Context Information Security

T +44 (0)207 537 7515
W www.contextis.com

Contents

1 Introduction to Context Information Security
2 Introduction to IT Security Testing Services (Assurance)
3 CESG CHECK ITHC
4 Application Security Assessment
5 External Infrastructure Testing
6 Internal Infrastructure Testing
7 Build and Configuration Review
8 Firewall Rule-Base Reviews
9 Code Review
10 Mobile Device Security
11 Mobile Application Security
12 MDM Configuration Reviews
13 Wireless Testing
14 Bespoke Training Courses
15 Cloud Security Assessment Service
16 Managed Phishing Service
17 Product Evaluation
18 CESG Product Assurance (CPA)
19 CESG Tailored Assurance Service (CTAS)
20 Red Teaming, STAR and CBEST Assessments
21 Automated Vulnerability Assessment (AVA)

1 Introduction to Context Information Security

Context is a highly skilled consultancy that supports organisations to meet their ever-evolving cyber-security challenges.

Context’s services include Penetration Testing, Cyber Incident Response, Digital Forensics and Vulnerability Research.

Key facts:

• Context has one of the largest penetration testing teams in Europe

• The research team regularly features in both the global and national press including the BBC, The Telegraph and CBS New York

• Context is certified by CESG and CPNI for the Cyber Incident Response scheme to help organisations respond effectively to sophisticated cyber security attacks

• Context’s response team investigate and resolve breaches on a daily basis

• Context assisted in the development of CREST and its associated standards, and has been a ‘Green Light’ CESG (CHECK) service provider for over 10 years

• A significant number of our consultants hold CREST or CESG CHECK accreditations

• Context is actively involved in the UK Security Researchers Information Exchange (SRIE), OWASP, and regularly presents at industry events such as Black Hat, Hack in the Box, and CanSec West

• Context is an early adopter of the CBEST and CREST STAR schemes

2 Introduction to IT Security Testing Services

Context offers several world class services under the category of assurance; these include but are not limited to: penetration testing, security assurance, design assurance and software engineering security assurance.

Within each of these categories Context employs world class security consultants who are trusted by Government clients working within a wide range of governmental departments. Context holds strong levels of accreditation and boasts one of the UK’s largest pools of CHECK/CREST resource. In order to ensure your penetration test is sufficiently rigorous you should insist upon utilising a CHECK Green Light Consultancy and CHECK resource.

The main aim of penetration testing is to identify known technical vulnerabilities that a potential attacker might exploit in a system or environment. Once identified, Context establishes the relevant impact and weighs this against the skills needed to leverage the vulnerabilities. This in turn allows Context to assign a risk rating and thereafter provide remediation advice for the identified vulnerabilities.

The main aim of security assurance and design assurance is to baseline the configuration of our clients’ devices. Context reviews configurations against industry best standards (defined by government or industry-related bodies). Clients choose to undertake this service to harden their defences against malicious users and provide a heightened level of security.

The main aim of software engineering security assurance is to provide a mature understanding of the potential risks posed to environments and systems. These services are based on a range of secure development principles.

3 CESG CHECK ITHC

A CHECK IT Health Check (ITHC) identifies vulnerabilities in HMG IT systems and networks to assure the confidentiality, integrity and availability of information.

Using certified, security cleared testers, an ITHC is as much about risk assessment as it is penetration testing, and assesses the security posture of the environment as well as the data stored within.

Features

• Pre-engagement scoping services to ensure both coverage and value for money

• Large resource pool of CHECK and CREST penetration testers

• Security cleared consultants

• Threat ratings based on impact and ease of exploitation

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on research and response experience)

• Ability to report using many common vulnerability metrics

Benefits

• Identification of vulnerabilities affecting critical infrastructure

• Assurance to support accreditation of IT systems

• Accurate threat ratings to assess vulnerability risk

4 Application Security Assessment

Application Security Assessments identify security weaknesses in applications and provide recommendations for their mitigation.

They provide assurance that an application is safe, secure and adheres to security best practices. Context draws on years of experience and a tried-and-tested, constantly evolving methodology covering all major and emerging application technologies.

Features

• Pre-engagement scoping services to ensure both coverage and value for money

• Assessment of web-based and thick-client applications

• Large resource pool of CHECK and CREST penetration testers

• Threat ratings based on impact and ease of exploitation

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience)

• Global presence

• Ability to report using many common vulnerability metrics

Benefits

• Identification of vulnerabilities affecting bespoke and COTS applications

• Accurate threat ratings to assess vulnerability risk to the business

5 External Infrastructure Testing

External infrastructure assessments aim to answer the question, ‘could an attacker compromise our internet-facing resources?’

External infrastructure testing explores the consequences of a hacker carrying out malicious activities from across the internet. It involves surveying available network services, interrogating them for weaknesses, and trying to exploit them to extract information or compromise the network.

Features

• Pre-engagement scoping services to ensure both coverage and value for money

• Identification of Internet-facing “footprint” and attack surface

• Identification of vulnerabilities affecting Internet-facing systems

• Large resource pool of CHECK and CREST penetration testers

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience)

• Ability to report using many common vulnerability metrics

Benefits

• Assurance that critical Internet-facing systems are secure

• Identification of vulnerabilities and accurate threat rating to assess vulnerability risk to the business

6 Internal Infrastructure Testing

Internal infrastructure assessments aim to identify what an attacker could do if they had access to an organisation’s internal network.

Internal infrastructure testing is usually conducted at a client’s premises and is often scenario and risk-based. An assessment could explore the consequences of a rogue employee or contractor carrying out malicious activities.

Features

• Pre-engagement scoping services to identify useful attack scenarios, providing coverage and value for money

• Large resource pool of CHECK and CREST penetration testers

• Threat ratings based on impact and ease of exploitation

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience)

• Ability to report using many common vulnerability metrics

Benefits

• Identification of vulnerabilities affecting critical infrastructure

• Assurance that the risk of internal attack is mitigated

• Accurate threat ratings to assess vulnerability risk to the business

7 Build and Configuration Review

Build and configuration reviews ensure that laptops, workstations and servers are configured securely.

Insecurely configured environments can allow malicious users to obtain unauthorised access, and if a standard build containing weaknesses is deployed across hundreds or thousands of servers, the impact can be significant.

Features

• All mainstream operating systems covered (Unix, Linux, Windows etc.)

• Large resource pool of CHECK and CREST penetration testers

• Engagements carried out either on-host, or remotely via a delivered script

• Threat ratings based on impact and ease of exploitation

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience)

• Ability to report using many common vulnerability metrics

Benefits

• Assurance that specific business-critical systems are configured in a secure manner

• Provides defence-in-depth assurance that systems are not only secure from a network perspective, but also from on-host threats (e.g. phishing attacks, privilege escalation)

• Accurate threat ratings to assess vulnerability risk to the business

8 Firewall Rule-Base Reviews

Many organisations have come to rely on firewalls as a keystone of their network defences, so it is important to ensure that they are fit for purpose and delivering optimum performance.

Features

• Tried-and-tested methodology covering all firewall vendors

• Both rule sets and device configuration are assessed (e.g. secure management interfaces, firmware versions)

• Large resource pool of CHECK and CREST penetration testers

• Ability to report using many common vulnerability metrics

Benefits

• Assurance that perimeter and internal devices are fit for purpose and configured in line with industry best-practice

• Assurance that firewall implementation adheres to design

9 Code Review

Code reviews aim to provide assurance of complex software where coverage from a ‘black box’ perspective cannot be guaranteed.

During a code review a consultant will combine targeted manual code inspection and automated analysis to identify security risks in software. Code review is often undertaken in support of application security assessments.

Features

• Expertise in review of code in all major languages, both compiled and interpreted

• Assessments carried out by experts with extensive industry experience in finding and exploiting flaws in code

• Identification of critical areas of code

• Large resource pool of CHECK and CREST penetration testers

Benefits

• Assurance that software is free from vulnerabilities arising from coding mistakes, oversights (e.g. buffer overflows), and insecure design

• Assurance that secure code principles are being adhered to during development

• An extra level of assurance alongside ‘black box’ application security assessments

• Recommendations for remediating code problems and ensuring they are not repeated long-term

10 Mobile Device Security

Mobile Device Security Assessments provide assurance that a device is safe to use in the home or workspace, and provide recommendations on how to configure it in a secure way.

Context has a proven track record in performing these assessments for government, telecommunications companies and large businesses.

Features

• Experience and expertise in assessing all major mobile device platforms (Apple iOS, Google Android, Windows, Blackberry etc.)

• Methodology based upon contributions made towards CESG guidance material supplied to public sector organisations when deploying end user devices for remote working

• Advances in MDM security features and technologies feed back into mobile device security assessment methodologies

• Threat ratings based on impact and ease of exploitation

• Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience)

Benefits

• Advice on secure deployment of mobile devices in the workplace

• Assurance that risks relating to lost/stolen devices and data are mitigated

• Analysis of the risks presented to mobile devices from emerging threats including malware

• Advisory for the practices and policies relating to the integration of mobile devices within the workplace such as for ‘Bring Your Own Device’ (BYOD).

11 Mobile Application Security

Mobile Application Security Assessments identify security weaknesses in applications running on mobile devices (e.g. smartphones, tablets).

Modern mobile applications often re-implement the functionality of traditional web-based applications, which can lead to many security mistakes being repeated. Additionally, modern mobile operating systems open new attack vectors, including cross-application attacks, and accidental disclosure of sensitive data.

Features

• Experience and expertise in assessing applications on all major mobile device platforms (Apple iOS, Google Android, Windows, Blackberry etc.)

• Modern testing toolset results in time-efficient mobile application security assessments

• Threat ratings based on impact and ease of exploitation

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience)

• Ability to report using many common vulnerability metrics

Benefits

• Identification of vulnerabilities affecting bespoke and off the shelf mobile applications

• Assurance that sensitive application data is securely stored on-device

• Accurate threat ratings to assess vulnerability risk to the business

• Recommendations for remedial actions and strategic management of vulnerabilities

• Knowledge transfer from mature web application testing pedigree and methodology

12 MDM Configuration Reviews

As mobile devices are increasingly used to access sensitive enterprise data, the security of these devices is of increasing concern.

In performing MDM solution security reviews, Context assesses the deployed MDM solution configuration, the supporting network architecture as well as the mobile device security policies and management processes. The assessment is performed via hands-on reviews of the MDM configuration, paper-based review of the design documentation and policy documents as required, as well as conversations with key technical operators.

Features

• A pre-testing consultancy focused on establishing which personnel to interview and which documents to review

• Audit review of any documents related to the running of the MDM solution, including security and device policies

• A review of MDM server configurations to establish whether they align with both security best practices and documented policies

• Testing the relevant mobile devices to verify the policy and configuration options provide expected device security

Benefits

• Assurance that corporate MDM systems and BYOD set-ups are securely

• Assurance that risks relating to lost or stolen devices and data are mitigated

• Advisory for the adequate integration of the MDM system into the wider client

13 Wireless Testing

Wireless connectivity is now an expectation for many: in the home, in public places and in the workplace.

This has long been an area where Context has focused its efforts, in research and development of best practice in the field.

Features

• Extensive experience in all types of wireless, RF-enabled technologies

• Identification of rogue devices on wireless networks

• Analysis of wireless network segregation and passive information leakage

• Threat ratings based on impact and ease of exploitation

• Proven testing methodology to ensure both coverage and depth

• Cross-discipline expertise to provide assurance against emerging threats (drawing on research and response experience)

• Ability to report using many common vulnerability metrics

Benefits

• Identification of threats affecting corporate and guest wireless networks

• Assurance that wireless networks are appropriately segregated

• Assurance that sensitive wireless data is appropriately encrypted

• Accurate threat ratings to assess vulnerability risk to the business

14 Bespoke Training Courses

Context runs a number of training courses for individuals looking to enhance their specialist skills.

We also provide courses aimed at non-security specialists, such as training to help organisations cope in the aftermath of a security incident, or raise awareness of security issues.

Features

• Hands-on courses delivered by subject matter experts with industry experience

• Hosted in a dedicated training suite capable of holding 20 delegates

• Courses containing industry insight that’s not available from other vendors

Benefits

• Upskills security teams

• Reduced development costs in the future

• Helps security officers drive up best-practice across the estate

• Certification recognizing completion of training

15 Cloud Security Assessment Service

As a result of the increasing popularity of Cloud computing, clients have frequently requested our support in helping to improve the security posture of their Cloud-based systems.

Our Cloud Security Assessment Service analyses the security of the client’s Cloud system from multiple perspectives, drawing on expertise from our Assurance team as well as research conducted by Context against several cloud providers.

Features

• External application and infrastructure penetration testing of cloud environments

• Scenario testing of cloud node segregation

• Architecture review

• Cloud VM hardening assessment

• Remote administration review

• Vulnerability Scanning

Benefits

• Gain assurance over cloud environment security

• Multi-perspective assessments covering a range of potential attacks

• Context have significant experience in this space, for more information see

16 Managed Phishing Service

Context’s managed phishing service allows an organisation to send simulated phishing emails to their users in a controlled manner.

User actions are tracked safely, user awareness is benchmarked and trends can be analysed across regular assessments. This assesses an organisation’s resilience to these attacks, both from a technical and staff awareness perspective.

Features

• Customized phishing assessments ranging from single users to company-wide assessments

• Assess technical controls to mitigate phishing attacks

• Measure and track employee awareness of common phishing attacks

• Educate users to identify and report suspicious emails

Benefits

• Assessments tailored to customer environment

• Benchmark the effectiveness of controls to prevent phishing attacks

17 Product Evaluation

Context consultants also conduct comprehensive product security evaluation exercises.

These may cover hardware and software products of all types, including, for example, firewalls, telecoms equipment, anti-malware technologies used in the banking sector, voice biometric systems and a range of mobile and wireless devices and technologies.

Features

• Bespoke tools and methodologies are designed specifically for the device(s) under review

• Product evaluation approaches are aligned to methodologies and activities conducted by Context’s state-of-the-art research team

Benefits

• Assess the security posture of the product for its ability to operate safely in specified environments

• Ability to assess devices for compliance against a variety of evaluation schemes and sensitivity criteria such as CPA

18 CESG Product Assurance (CPA)

Context is qualified to evaluate products on behalf of CESG under the CESG Product Assurance (CPA) service. CPA certification provides a product with entry into an approved list from which government departments and industry partners may purchase.

CPA is essentially a certificated accreditation process for products to be used by government, public sector and any industries requiring access to UK government accredited networks. CPA certification enables product vendors to sell their products into government and public sector departments, the wider public sector and associated industry for use in communications networks requiring IL2 and IL3 accreditation.

Features

• Experience certifying products across a wide variety of security characteristics

• CPA provides products with entry into a Government-approved list

• CPA scheme evaluates commercial off the shelf (COTS) products

• CPA assists COTS developers with published security and development standards

• CPA consolidates previous schemes to provide simplified, certificate-based assurance

Benefits

• One of the first companies on the scheme with a CPA lab onsite

• Provides an end-to-end service, from producing assurance plans for defined security characteristics to submission to CESG

19 CESG Tailored Assurance Service (CTAS)

The CTAS scheme provides tailored accreditation of customer environments to government standards. Context is a CESG Tailored Assurance Scheme (CTAS) company and has a wealth of experience providing CTAS services on behalf of CESG. Context utilizes its CLAS and CHECK teams to deliver an unrivalled breadth of CTAS services.

These may range from minor software components to national infrastructure networks.

Features

• Large pool of CREST and CHECK accredited testers

• Pre-engagement assistance as needed

• Creation and implementation of security targets, evaluation work plans and audit maintenance plans

• Performance of CTAS testing to CESG standards.

Benefits

• Highly skilled consultants with experience working within government

• Bespoke, highly skilled assessment of novel technologies and systems

• Government accreditation of a system, product or environment

• Context takes a cost-effective approach to CTAS environments

• Project managed by experienced personnel

20 Red Teaming, STAR and CBEST Assessments

Context’s red team engagements emulate real world attacks in a controlled manner. From email ‘phishing’ campaigns to exfiltration of information, they are an end-to-end simulation of the sophisticated real world threats Context defends against daily.

Combining expertise in information security, social engineering, malware and targeted attack analysis, Context is uniquely positioned to perform sophisticated attacks against organisations.

Features

• Certified to deliver under the CREST STAR scheme and the UK government CBEST Scheme with the largest number of CCSAM and CCSAS testers in the UK

• Highly specialised and customised engagements, according to customer requirements

• Attacks based on real world threat scenarios, tailored to the attacks faced by each client

• Cross-discipline engagements involving attacks on IT systems, physical locations and social engineering of employees

• Mature risk management and delivery approach drawing from experience delivering red team, STAR and CBEST engagements for over five years.

Benefits:

• An assessment of the business mitigations in place against tailored, real-world threat scenarios

• Identification of weaknesses arising from publicly-available information, staff usage of social media, and security vulnerabilities in IT systems and physical locations

21 Automated Vulnerability Assessment (AVA)

Context’s Automated Vulnerability Assessment (AVA) is designed to analyse an organisation’s entire internet facing estate to automatically and regularly detect vulnerabilities and provide remediation advice. It identifies new services as they become live, and provides statistical trends on the security posture of the organisation’s Internet footprint.

Features

• Flexible service levels to meet customer requirements

• Reconnaissance & Network Mapping

• Vulnerability assessment scanning

• Vulnerabilities mapped by Context consultants in a handwritten report

• Manual verification of high and critical impact issues

• Bespoke, weekly, monthly or quarterly frequency of scans

• Bespoke scan algorithms and vulnerability detection mechanisms detect emerging vulnerabilities

• Ad-hoc scanning available

Benefits

• AVA provides statistical reporting on external facing infrastructure

• All remediation advice is written by senior consultants

• Frequent visibility into technical risk for stakeholders

• Cost effective entry to security testing


Why work with Context?

• Our highly skilled consultants are leaders in their field; their breadth of skills and knowledge enable us to meet the most complex technical requirements

• Our research has led to the identification and remediation of new vulnerabilities in critical systems

• We have a large and diverse team strategically situated to work with clients worldwide

• We are independently operated with the financial backing of a FTSE 100 company

• We have ample technical resource and the flexibility to schedule complex engagements according to our clients’ rapidly changing needs

• We are actively engaged with security industry bodies such as CREST and CESG and regularly hold and speak at key industry events

For more information please contact us on +44 (0)207 537 7515 or email [email protected] or visit our website
