Fortifire: Internal Audits

Internal Security Audits

OVERVIEW

Our Audit Team will perform a thorough audit of your site security. Our track record on penetration audits is second to none.

Most applications crumble like stale cookies when first confronted by Fortifire Inc.'s audit team. The result of each audit is a very informative deliverable outlining the specific steps to take to make your systems secure.

Who would you rather be audited by? Fortifire or an attacker? Don't make the mistake of testing your systems live on the Internet. Get a Fortifire Inc. security audit today! Take preventative measures now, before it is too late.

Fortifire Inc. Audit Teams are made up of highly skilled security professionals who have many years of hands-on experience testing corporate security. These advanced teams are capable of testing physical, social, internal and external (Internet) systems.

Results and recommendations are documented in a detailed report presented to your IT staff following the audit. Team members are also available to advise clients on security architecture matters.

SECURITY ASSESSMENTS

SITE SECURITY
A Penetration Team will attempt to physically breach your site security and collect sensitive data. This assessment attempts to expose the level of security awareness in your staff and facilities.

ZERO PRIVILEGE VULNERABILITY
Your security posture is assessed from the "zero privilege" standpoint. We will perform a vulnerability assessment of internal systems and data assuming network access is available without an authorized logon. We use "zero privilege" techniques to map and exploit network and system vulnerabilities from the inside similar to those an attacker might use.

USER PRIVILEGE VULNERABILITY
With this assessment it is assumed that a basic level of privilege has been obtained through exploits of previously discovered vulnerabilities. Many vulnerabilities that allow high privilege levels are exposed only once some level of privilege is attained. This assessment is particularly important as it assesses vulnerabilities available to those with a limited privilege level.

PRIVILEGE VULNERABILITY
This audit focuses on the vulnerabilities available with higher levels of privileged access. We assume this privilege level was attained through exploitation of lower level vulnerabilities or through social engineering.

Since in most systems today there is little protection from the administrator this audit focuses on determining the scope of exposure resulting from attainment of administrative privilege levels.

CONFIGURATION AUDITS

APPLICATIONS	• Desktop images (95/NT/2k) • Email (virus and Attachments) • Application Servers • SQL Services (ACL)
INFRASTRUCTURE	• Public Network • Private network • Remote Connectivity • Internet Access • Security Policy • Best Practices
RECOMMENDATIONS	• Upgrades • Patches • Configurations • Site Security • Security Policy • Design Review

External Sercurity Audits

OVERVIEW

Penetration Team engagements are controlled exercises designed to expose potential vulnerabilities resulting from a breach of external network security.

Fortifire Inc. Audit Teams are made up of highly skilled security professionals who have many years of hands-on experience testing corporate security. These advanced teams are capable of testing physical, social, internal and external (Internet) systems.

The Penetration Team operates on a "zero-knowledge" basis, utilizing techniques similar to those an attacker might employ to maximize their ability to "0wn" your systems.

Results and recommendations are presented to your IT staff in briefing session following the engagement. Team members are also available to advise clients on security architecture matters.

PENETRATION METHODOLOGY

RECONNAISSANCE
This method identifies visible hosts, routers, ISPs, and more from public sources using automated tools and human expertise.

TARGET PROFILING
Using target profiling we develop a detailed picture of each device identified during reconnaissance. This includes operating system fingerprinting, software/hardware version and other information.

VULNERABILITY MAPPING
This type of mapping uses information from the target profile to map known vulnerabilities to individual host.

TARGET SELECTION
We select the "softest" host through creation of penetration plans for each host.

HOST PENETRATION
The Team executes the penetration plan(s) for each host using series of exploits with proprietary and publicly available tools.

COUNTER-MEASURES
Using counter-measures we define a work plan for corrective actions to protect your systems. This includes identification of all patches and configuration changes, along with specific architectural recommendations.

CONFIGURATION AUDITS

APPLICATIONS	• Desktop images (95/NT/2k) • Email (virus and Attachments) • Application Servers • SQL Services (ACL)
INFRASTRUCTURE	• Public Network • Private network • Remote Connectivity • Internet Access • Security Policy • Best Practices
RECOMMENDATIONS	• Upgrades • Patches • Configurations • Site Security • Security Policy • Design Review