Varutra’s vulnerability assessment methodology focuses on identifying, validating and prioritizing the vulnerabilities in the target system and providing a realistic status. We carry out external and internal vulnerability assessments for a given network. A combination of open source and commercial tools is used, with major stress on manual verification and validation of each and every vulnerability to understand its potential, the risk involved if it is exploited on the client’s network, and its business impact.
Vulnerabilities will be prioritized considering the client’s business and reported with specific mitigation steps in the recommendations.
It is critical to assess network security in order to defend and protect data against known and unknown attacks. Varutra penetration testing involves assessing the network by attempting to gain unauthorized access to it as an external entity/hacker and/or as a malicious insider trying to elevate access privileges. Depending on the client’s needs, a black box approach, a gray box approach or a combination of both will be followed. No exploitation will be carried out during an engagement before seeking the client’s permission. Proof of concept exploitation can be carried out on testing servers. Assessment reports will list vulnerabilities in priority order with a severity rating, a business impact rating and detailed recommendations.
Varutra’s technical configuration audit process is highly customized to suit the organization’s network infrastructure.
The audit process broadly consists of auditing the perimeter devices; network devices such as firewalls, routers, switches, load balancers, IPS and IDS; and server systems such as Domain Controllers, File Servers, FTP Servers, Email Servers, Proxy Servers, Antivirus Servers and Databases that make up the network architecture.
For all In-scope Hosts, Varutra consultants will analyze various components of identified operating systems using automated tools and manual techniques to identify known vulnerabilities in categories such as:
- Security Patch Levels
- File Permissions / Registry Permissions (if applicable)
- File Systems
- Users / groups present on the system
- Services running
- Network Configurations
- Event Logging
- Database Configurations
- Version specific vulnerabilities
The technical audit checks will be selected specifically for the devices, server systems and databases in scope.
Varutra network architecture review is a process of thoroughly assessing the configurations of the network components, together with their placement in the network and the network design. Our network security team will examine the network against a defense-in-depth strategy for withstanding network attacks. The audit objective is to assist in increasing the security posture of the network.
The Network Architecture Review encompasses the following steps:
- Understanding the organization’s business and the network infrastructure
- Review network design and deployed network security solutions
- Device configuration audit
- Review organization’s security policy
- Analysis and Reporting
Wireless networks are an integral part of an organization’s network infrastructure and are exposed to internal and external threats.
Varutra’s wireless security audit methodology is the result of research, proven techniques, advanced testing tools and the rich experience of our security experts in this area, and it ensures maximum coverage of all possible threats from various dimensions.
Several wireless deployments are accessible beyond the acceptable physical premises protecting the infrastructure, which presents unique threats. Attackers can target wireless access points with a pre-defined and planned attack strategy.
A wireless security assessment helps in detecting, locating and mitigating the risks posed by the current implementation of wireless network technology by taking a very pragmatic and systematic approach to assessing and reporting the current security posture of wireless networks.
- Defining Testing Scope
- Detection of Wireless Access Points as well as Rogue Access Points (if any)
- War Driving
- Wireless Network Vulnerability Scanning
- Vulnerability Identification & Validation
- Wireless Device Configuration Review & Report