RVASI - Ethical Hacking Solutions
Internal Vulnerability Scan

Organizations that fail to secure and regularly test the security of their internal systems can fall victim to a myriad of devastating insider attacks. The attackers range from disgruntled employees and internal data/information thieves to external attackers who are able to gain unauthorized access to internal systems via an unsecured wireless access point, modem, or other portal. In either case, the severity of an attack will primarily depend on the "strength" of the internal security controls and countermeasures an organization has in place.

What You Can Expect:

  •   Expert Testers
  •   Proven Methodology
  •   Customized Approach
  •   Excellent Reporting
  •   Tests for Compliance
  •   Affordable Pricing

 

The team at RVASI can help your organization by coming on site and performing comprehensive vulnerability assessment testing against target internal systems to identify security holes that could be exploited.  Our testing will simulate a real-world attacker who has access, or who has gained unauthorized access, inside your organization and explore the effectiveness of the security controls in place.  At the conclusion of our testing, a findings report is provided which includes a detailed description of each issue, an associated severity rating, an exploitability risk rating, and one or more practical recommendations for addressing the issues throughout the System Design Life Cycle (SDLC).

 

Testing Performed

RVASI conducts the following core tests as part of our Internal Vulnerability Scanning services:

 

  Intelligence Gathering
  A variety of proven tools and techniques are used to electronically "Dumpster Dive" and collect all types of information (intended & unintended) about the target organization's employees, systems, customer base, product offerings, financials, business relationships, and more that is available/accessible in the public cyber domain.

  Port Scanning
  Testing includes an assortment of port scans conducted against targets that are designed to positively identify all open TCP & UDP ports, determine compliance with stated policies, and find potential attack vectors.

  Services Probing
  Thorough probes for available services and subsequent listening applications are conducted against targets to find potential attack vectors and to determine which vulnerabilities may be present to exploit.

  Fingerprinting
  Various fingerprinting tools & techniques are used to enumerate information about target systems, remotely map target networks, and to determine which vulnerabilities may be present to exploit.

  Vulnerability Scanning
  A combination of commercial & open source tools, manual techniques, knowledgeable & experienced consultants, and the information collected during other testing phases are utilized to conduct comprehensive External (perimeter) vulnerability scans against target networks, systems, and Web applications for thousands of potential security issues.

  Research and Verification
  In order to eliminate false positives, detailed research, analysis, and verification testing is performed.  This research and testing primarily focuses on corroborating results by searching online databases, mailing lists, newsgroups, exploit publication sites, and other relevant sources, and by utilizing manual techniques to verify each finding.

  Compliance Testing
  During testing, all vulnerabilities discovered are analyzed/evaluated from a compliance and industry standards perspective and violations are reported.

 

Optional Testing

RVASI offers the following optional tests for organizations desiring a more comprehensive look at their external/perimeter security posture:

 

  Wireless Security Assessments
  Our Wireless LAN (WLAN) vulnerability assessments thoroughly examine and test an organization’s (1) compliance with stated security policies, (2) WLAN system security architecture, design, and configuration, (3) WLAN compliance with regulatory requirements, and (4) the existence of exploitable vulnerabilities.

  War Dialing & PBX Assessments
  Our Wireless LAN (WLAN) vulnerability assessments thoroughly examine and test an organization’s (1) compliance with stated security policies, (2) WLAN system security architecture, design, and configuration, (3) WLAN compliance with regulatory requirements, and (4) the existence of exploitable vulnerabilities.

  Social Engineering Assessments
  We test the susceptibility of an organization's employees to Social Engineering attacks primarily geared towards gaining unauthorized access to the organization’s networks, systems, Web-based applications, and/or confidential information assets such as customer data.

  Denial of Service (DoS) Assessments
  We test an organization’s external defensive measures and capabilities to withstand various types of DoS attacks launched against their Internet facing networks, systems, and Web applications.  Furthermore, we will thoroughly examine whether it is possible to gain unauthorized access to these systems and use them to target other organizations with similar attacks.

 

Process Overview

The first step in our process is to complete our Assessment Contact Form.  Once it is complete, a member of the RVASI team will contact the specified point(s) of contact within your organization and begin the process outlined below:

 

  •   Signed Mutual Non-Disclosure Agreement (MNDA)

RVASI requires organizations to sign an MNDA before proceeding with any assessment-related activities, including detailed discussions, interviews, or similar.  The primary purpose of this agreement is to govern the handling of confidential information shared between our organizations.

 

  •   Scope Interview & Questionnaire

Unquestionably, this is one of the most critical phases in the entire process. Our team will meet with individuals at your organization via a conference call or other means and conduct one or more interviews in order to gain a thorough understanding of your desired testing goals/needs, security & compliance requirements, business risks, and other related factors.  We will then work on defining the scope. 

 

  •   Statement of Work (SOW)

We will synthesize the information provided by your organization during the "Scope Interview" process into a customized and detailed SOW for the testing engagement; the completed SOW will be securely delivered to your organization for review, modification, and acceptance.

 

  •   Pre-Assessment Activities

A review of testing objectives, scope, and requirements will be done prior to the start of testing to ensure that everyone is on the same page.  Typically, this is accomplished via a conference call initiated by RVASI and includes organizational points-of-contact, IT security personnel, business stakeholders, and the team at RVASI performing the testing.

 

  •   External Vulnerability Scanning

During this phase, our team will conduct the agreed-upon testing and provide designated points-of-contact with status updates at agreed-upon intervals (e.g., daily, bi-weekly) in a pre-selected secure format.  Contacts receive an automatic notification of all security or compliance issues discovered that pose an immediate threat to the organization's networks, systems, Web applications, or other information assets.

 

  •   Report/Wrap-up

At the conclusion of testing, RVASI delivers a detailed report of our findings that includes proven/practical recommendations for remediating, mitigating, and thoroughly understanding the risk of issues discovered.  We also meet and discuss each of our reported findings with key individuals within your organization and provide ongoing support & resources throughout the resolution process.

 

Return on Investment (ROI)

RVASI’s Internal Vulnerability Scanning Services help organizations identify, understand, and address security or compliance issues that affect their internal information assets.  Our in-depth and comprehensive testing also provides organizations with an accurate snapshot of their security posture along with an excellent baseline to measure change and ongoing security efforts.

 

Cost

Our Internal Vulnerability Scanning Services are extremely affordable and priced within the security budget of most small to large organizations.   RVASI charges a flat-fee for this service and the cost is based on the scope of the engagement and travel expenses.  

 

Getting Started

To get this process started, please take a few minutes and complete our Assessment Contact Form and a member of the RVASI team will contact you soon.  We look forward to hearing from you!

© Copyright 2005, RVASI, All Rights Reserved.