About Security Auditing
Security auditing is the first process in the ZenithSecure security assessment and risk management methodology. A security audit is a detailed evaluation of the security of a client’s information system. An audit determines how that system is actually functioning compared to the internally established security procedures.
The audit activities will generally focus on assessing the security of the system’s operations, user practices, software and information handling processes, as well as configuration and environment. The security audit also results in the determination of compliance with applicable regulations.
ZenithSecure employs security auditing to determine the extent of potential threats and the risk associated with an IT system throughout an organization. The information received is an “Output” and these are used to identify appropriate controls for reducing or eliminating threats, vulnerabilities or risks during the risk mitigation process.
Risk is the product of the likelihood of an event occurring and the impact that event would have on an information technology asset.
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place. Impact refers to the relative amount of harm that may be caused by a threat exercising vulnerability. The level of impact is determined by the possible mission impacts and thus produces a relative value for the IT assets and resources affected, such as; the criticality and sensitivity of the IT system components and data.
The security auditing methodology utilized by ZenithSecure encompasses nine main steps:Step 1. System Characterization
Initially the scope of the effort needs to be defined. To do this, identify where information and data are created, received, maintained, processed, or transmitted. Using information-gathering techniques, the IT system boundaries are identified, as well as the resources and the information that comprise the system. Additional consideration is needed to include: policies, laws, the remote work force and telecommuters, and removable media and portable computing devices.
Output: Characterization of the IT system is evaluated along with an overall view of the IT system environment, and explanation of system boundaries.
Step 2. Threat Identification
Now, potential threats are identified and documented. A threat is any circumstance with the possibility of causing damage to a client’s IT system (purposely or accidentally). These threats can be natural, human, or environmental. We consider all potential threats to generate a comprehensive list customized for each client and their business environment.
Output: A list of identified threats which could exploit their system vulnerabilities.
Step 3. Vulnerability Identification
Here we create a list of system vulnerabilities which can be exploited by the potential threats. Vulnerabilities can appear from inadequate or conflicting policies concerning computer usage and access to insufficient physical safeguards to protect computer equipment to any number of software, hardware, or other insufficiencies that encompass a client’s computer network.
Output: A list of the system potential vulnerabilities which could be exercised by potential threats.
Step 4. Control Analysis
Control analysis is used to document and assess the effectiveness of technical and non-technical controls that have been implemented by a client to minimize the probability of a threat exploiting a system vulnerability.
Output – List of current controls (policies, procedures, training, technical mechanisms, insurance) used for the IT system to reduce the probability of a vulnerability being exercised as well as to reduce the impact of such an event.
Step 5. Likelihood Determination
This determination is used to conclude the overall likelihood rating that indicates the prospect that a vulnerability could be exploited by a threat given the security controls that are currently in place.
Output – Likelihood rating of low (.1), medium (.5), or high (1).
Step 6. Impact Analysis
Thorough analysis leads to our conclusions regarding the level of overall impact which would result from a threat successfully exploiting client vulnerability. Many factors are considered, including; the importance to the organization’s mission; availability of systems and data; information value or importance; related costs; confidentiality; integrity.
Output – Magnitude of impact rating of low (10), medium (50), or high (100).
Step 7. Risk Determination
By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This level represents the degree of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk rating also presents measures which management must take for each risk level.
Output – Risk level of low (1-10), medium (>10-50) or high (>50-100).
Step 8. Control Recommendations
Now we will categorize controls that could diminish identified risks, which are appropriate to the organization’s operations. Reducing the level of risk (system and data) to an acceptable level is the purpose of these controls.
Many factors are considered in establishing client controls, including; cost, effectiveness, assurance, compatibility of systems, compliance issues, legislation, industry regulation, company policy, impact on client operations, and of course; safety and reliability.
Control recommendations supply input to the overall risk mitigation process, during which the recommended security controls, both procedural and technical, are assessed, prioritized, and deployed.
Output – An extensive list of recommendations and complementary solutions to ensure the mitigation of risk.
Step 9. Results Documentation
All of the outcomes of this client risk assessment process are documented. This report is discussed in detail with each client. Management will then use the report and its recommendations take decisions about policies, procedures, budgets as well as any operational and personnel changes for the system.
Output – An informative and comprehensive risk assessment report which documents threats and vulnerabilities, measures their risk, and provides recommendations for control implementation. Prepared with the focus on the business and operational environment of each client.
Vulnerability Testing and Assessment
The ZenithSecure Security Audit will cover the informational aspect of your company as well as its organizational security.
ZenithSecure identifies the vulnerabilities existing on your network as well as on hosts. Then we provide you with recommended methods for alleviating your vulnerabilities. The audit includes network equipment (routers, switches, firewalls) as well as your operating systems (Windows, Solaris, Linux, any others).
ZenithSecure analyzes outside threats to your systems through the application of penetration testing. This provides you an external view of your security status.
ZenithSecure vulnerability assessment service examines your internal security issues. These hidden threats can come from many sources, including; insecure configurations, weak settings, non-compliance with established policies or procedures.
These internal vulnerabilities could harm or compromise your system from an inside threat or error. They have the added problem of potentially being exploited by an outside threat, once they have gained access to your system.
The ZenithSecure vulnerability assessment is conducted in accordance with leading international security standards. We use industry standard procedures and tools for comprehensive and accurate auditing of each system and for creating individualized reports.
The ZenithSecure team personally verifies the audit results and then documents recommended methods for alleviating those threats and vulnerabilities which they have identified.
ZenithSecure reports will be written to conform to any regulatory standard which your company requires.
We provide clients with a comprehensive report after completion of the assessment of your system. This report documents the vulnerabilities in your systems which affect your information assets. Importantly, it contains recommended methods and solutions designed to alleviate the identified threats and vulnerabilities.
- A detailed listing including all the vulnerabilities found in your servers, operating systems and the server applications.
- A comprehensive assessment of your security systems; including potential vulnerabilities and threats from both internal and external sources.
- An all encompassing set of recommended methods, devices and procedures which are designed to alleviate current vulnerabilities and improve your security.
We employ the most up to date and industry accepted standards on device configuration to assure that your company understands its vulnerabilities and protects itself from them.
Using custom-designed procedures, methods and tools ZenithSecure identifies vulnerabilities in your systems, policies, procedures throughout your company.
ZenithSecure will work to ensure that your company reduces its risks to acceptable levels through the elimination of known vulnerabilities and the preparation for defense against unknown and future ones!
Our experts will audit all of your public facing applications, including; email, websites, mobile applications, chat, messaging, blogs, social media sites, public forums and any others which are unique to your company.
We will audit all of your internal applications, including; intranets, internal architecture, support platforms, business process tools and any other specific applications unique to your company.
- Servers: Web, FTP, LDAP Load Balancing and any others
- Routers, Hubs & switches
- Operating Systems
- E-Commerce applications
- Mobile Applications/Devices
- Communication tools
- Employee workstations
Physical Security Review
- Entry and exit access control
- Employee termination procedures
- Social Engineering: attempts and breaches
- Industrial Espionage: Threats and vulnerabilities
- Terrorism vulnerabilities