Application Testing
Application testing is fast becoming a much higher priority as the security available for infrastructure improves: industry studies have reported that around 80% of security breaches are now achieved through the application layer. MWR InfoSecurity have substantial expertise in testing a wide range of bespoke and COTS (commercial off the shelf) web-based applications and application servers, evidenced by the high number of advisories identifying application vulnerabilities that we have submitted to the Centre for the Protection of National Infrastructure (CPNI).
All technical testers employed by MWR InfoSecurity have demonstrable coding experience and are able to code to a high standard in a variety of languages and their associated frameworks. We also have experience in a variety of specialist areas and have built up an in-house library of attack tools. This knowledge is also used within our Application Security Development workshops, in which MWR InfoSecurity consultants advise clients on the secure development of applications throughout the software development life cycle (SDLC).
Corporate Governance
It is important to the organisation that it identifies the legal and regulatory issues relating to information risks that arise as a result of new projects, business advances or changes in the business environment. This would typically be followed by identifying the impact that such changes could have on the organisation and suggesting and implementing appropriate controls to manage the risk.
Some of the principal activities involved in identifying the information requirements of regulatory and corporate governance obligations, and planning an approach to meeting them would typically include:
- Conducting a high level business impact assessment cascaded to identify key risk areas
- Developing a risk map
- Developing an appropriate risk control framework
- Developing policies to govern the implementation of the control framework
- Control identification and implementation.
Risk Assessment
Risk assessment is fundamental to the way that all organisations manage information risks. Whether it is a short form Business Impact Assessment or a full risk assessment of a business area, MWR InfoSecurity risk managers have a track record of conducting various levels of risk assessment for clients across diverse environments such as:
- Reviewing of a bank's entire security organisation
- Assessing the entire ground/air/ground communications system for European air traffic control
- Assessing weather forecasting arrays
- Assessing various aspects of outsourcing and off-shoring contracts.
- Developing and implementing Information security policies across organisations
MWR InfoSecurity would, in the majority of cases, use its own risk assessment method which has been developed over many years of developing risk assessment tools for clients. Where clients have a preference for a particular risk assessment method MWR InfoSecurity would use the tool of the client's choice.
MWR InfoSecurity are also able to use the two leading risk assessment methods: ISF's IRAM method and CRAMM.
MWR InfoSecurity has also carried out information risk assessments for purposes other than assessing the risks to a particular area. A risk assessment can be conducted for any of the following purposes:
- identifying information risks in existing businesses, individual business areas, processes, systems and operations
- identifying information risks associated with proposed developments
- comparison between different areas or operations such as:
- competing technologies
- different security solutions
- alternative hosting sites.
Due Diligence
The provision of business functions and infrastructure services by partners and subsidiaries brings with it the concern that the information security provision may not be as appropriate as that provided by the parent organisation. In extreme cases the connection of these organisations to an infrastructure service could even compromise the security of the organisation's existing services.
All businesses need to assure themselves that their subsidiaries and partners are capable of ensuring the security of both their service and the proprietary information the service relies upon. The determination of the information security capability of subsidiaries and partners is through a due diligence process which is typically called an information security Healthcheck.
An MWR InfoSecurity Information Security Healthcheck is conducted against subsidiaries and the partners service, to provide the client with a basic level of assurance that the third party has the information security ethos, policies and processes in place to properly secure the service to expectations.
SAS70
The outsourcing provider is a significant risk factor within any outsourcing arrangement because the overall information risk management controls are directly within the provider's implementation and management sphere. Assessing the provider's track record and capability in information risk management is particularly important and therefore it is reasonable to conduct a risk assessment of the provider.
A risk assessment of the provider can be based on any set of requirements developed by the organisation, however there are significant advantages to conducting a risk assessment to a recognised standard such as ISO/IEC 27001 or SAS70 because they have international applicability and have been rigorously validated.
Statement on Auditing Standards No. 70 (SAS 70) was developed by the American Institute of Certified Public Accountants (AICPA) so that services provided by third parties can be subjected to an in-depth audit of their control activities. The resulting report, issued by an independent service auditor, is often referred to as the Service Auditor's Report and has a standard format.
There are two types of report:
Type 1 - Includes the auditor's opinion on the description of the specified controls and the suitability of their design at a point in time
Type 2 - Additionally tests and reports on the operating effectiveness of those controls over a review period (typically at least six months).
MWR InfoSecurity can provide clients with both type 1 and type 2 SAS 70 reports.
27001
The 27001 standard was published by the International Organisation for Standardisation (ISO) in 2005. Essentially, ISO 27001 defines an Information Security Management System (ISMS) and complements the ISO 17799 'code of practice' standard, itself first published as BS 7799-1. The two standards are closely aligned and related, but have different roles.
ISO 17799 details a number of individual security controls which may be selected and applied as part of the ISMS. It was itself derived from a British Standard (BS 7799-1) and was renumbered ISO/IEC 27002 in 2007.
ISO 27001 specifies the requirements for the security management system itself, and it is this standard, as opposed to ISO/IEC 17799, against which certification is gained. ISO 27001 has also been harmonised to be compatible with other management systems standards, such as ISO 9001 and ISO 14001.
Although certification is against ISO 27001 rather than ISO 27002/17799, and will remain so, implementing an ISMS involves both standards: the control guidance in ISO 27002 underpins the controls that ISO 27001 certification requires.
ISO 27001 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to third parties, including an organisation's customers. It is intended to provide a good level of assurance of appropriate information security protection.
The 2005 editions of the two standards define 133 individual controls, grouped under 39 control objectives; the task is very much to select the controls relevant to the environment rather than to apply them all.
MWR InfoSecurity has been involved with BS7799 from the early implementations through to the latest incarnation as ISO 27002, maintaining a pool of lead auditors throughout this period. Throughout this period MWR InfoSecurity has been interested in helping clients to develop simple and uncomplicated systems of working within an ISMS so that information risk management does not become a black art but a sensible working method.
MWR InfoSecurity recommends a knowledge-based approach towards 27001 compliance because often an audit-based approach leaves the organisation with a list of issues that need to be resolved but will not provide the essential basis for establishing a remediation project such as:
- evaluating the scope of the tasks required
- identifying the associated requirements
- prioritisation of the tasks
- developing a roadmap to compliance.
The MWR InfoSecurity approach provides the organisation with a better understanding of the issues involved and a firmer foundation for moving forward.
Gap Analysis
The established way for organisations to determine how much effort needs to go into meeting the requirements of standards such as PCI DSS or ISO 27001/2 is to conduct a Gap Analysis. In short, a gap analysis is a comparison of the organisation's existing information security controls against set criteria.
A gap analysis is always a good way to start any compliance exercise because it can identify where the remediation exercise needs to start from. However, there is also good reason to carry out a gap analysis at various points within a compliance remediation exercise because it will provide a snapshot of where the project is at any given point.
The advantages of a gap analysis are:
- Generates awareness within the organisation of the criteria
- Identifies progress since the last snapshot
- Identifies areas where more resources are required
- Identifies areas where there is a lack of expertise
- identifies areas where timeliness is critical.
MWR InfoSecurity consultants have considerable knowledge and experience of a range of criteria, from information security standards such as PCI DSS and ISO/IEC 27001/2 to privacy requirements and COBIT. A selection of the gap analysis criteria that MWR InfoSecurity have used in past exercises is given below:
- ISO/IEC 27001
- ISF Standard of Good Practice
- BS 25999
- COBIT
- PCI DSS
- SAS 70 (Type 1 and Type 2)
- DPA data audits
- third party due diligence.
Developing risk assessment methods
MWR InfoSecurity have extensive experience in developing risk assessment tools for a great variety of industries and businesses. Information risks may be assessed either quantitatively, using historic data as a guide to future occurrences or it can be assessed qualitatively, using judgement about the threats that may arise in the future. Whilst MWR InfoSecurity has the expertise to develop quantitative risk assessment methods for clients, our major expertise is in qualitative risk methods, where MWR InfoSecurity consultants have developed information risk methods ranging from standard office systems to air traffic control risk assessment tools.
MWR InfoSecurity consultants are trained in the company's own internal risk assessment method, which uses qualitative processes, although they also have expertise in other methods, both individual clients' own methods and commercial offerings. MWR InfoSecurity consultants have also carried out comparative risk assessments for clients to determine the relative risk levels of competing technologies.
There are a number of ways in which to assess risk:
- Quantitatively, using historic data as a guide to future occurrences
- Qualitatively, using judgmental processes
- A combination of the two
- Threat analysis and subsequent vulnerability analysis.
MWR InfoSecurity are able to develop risk assessment methods using any of these approaches or a combination of them.
Equally MWR InfoSecurity are able to develop risk assessment methods to meet a wide range of situations and not just the traditional form of risk assessment, such as:
- The risks of proposing for a particular contract
- Identifying appropriate technology
- Hazard analysis.
Data privacy health checks
There is data protection and privacy legislation in place in many countries, and most organisations are coming under pressure from customers and business partners to demonstrate respect for privacy. There are currently no national or international standards dedicated to privacy, although the Payment Card Industry Data Security Standard (PCI DSS) is a very good stopgap for cardholder data, as it is aimed at protecting that data from theft and misuse.
The UK Data Protection Act 1998 (DPA), along with several privacy obligations within other legal requirements on business (such as the Electronic Commerce Act), require that organisations have a detailed knowledge of all information they use which relates to private individuals. In organisations where this level of knowledge is not available, typically the process is to undertake a data audit to collect the required information. Once the information and its attributes have been identified and documented the organisation needs to implement a control domain for any information for which there is a legal obligation. MWR InfoSecurity has considerable expertise and experience in developing privacy and data protection policies for clients and setting up control frameworks for protecting privacy information.
There are various aspects of privacy and data protection where MWR InfoSecurity have capability:
- privacy and data protection policies
- data audits for privacy and data protection
- privacy and data protection standards and procedures
Penetration Testing
Pen Testing
Penetration testing is the accepted method of testing infrastructure and applications to identify weaknesses which could be exploited by a malicious attack. Our approach to penetration testing is to work closely with the client and any third parties to scope the project accurately in order to identify the attack vectors which would expose the client to the highest level of risk, or those which would prove most attractive to unauthorised users. Threat modelling can aid in this process and is frequently used to identify priorities for penetration testing.
The penetration testing methodology employed by MWR InfoSecurity has been developed around industry standards and is both CESG and CREST approved. The testing consists of a series of phases that are performed with the attacker located externally (or internally) and mirroring the activities that could be used during a genuine attack. These results are then assessed and interpreted within an appropriate business risk context. We conduct both Black-Box and Focussed tests, which are the two recognised approaches to penetration testing and use a mixture of tools including some that have been internally developed.
Other Security Testing
Coding Reviews
Any application or software product can consist of thousands of lines of code, any of which could potentially harbour a vulnerability affecting its security. Given the conditional nature of the paths which could be followed within the code, it is often difficult to test all of them fully without knowledge of the code itself. With access to the application source it becomes easier to identify weaknesses that might not otherwise be detected.
MWR InfoSecurity consultants have extensive experience in software development, as well as in the discovery and exploitation of vulnerabilities in a wide variety of languages and development frameworks. Using this combination of skills it is possible to perform code reviews in a manner which allows effective identification of vulnerabilities.
Wireless Testing
Wireless technology can bring businesses many benefits, but they must be balanced against the risks associated with it. MWR InfoSecurity can provide consultancy from Industry leading experts to ensure that any new wireless deployment is as secure as possible, or can review existing wireless networks and test for areas of weakness.
The testing can be conducted covertly, using GPS technology to locate rogue access points, and is aimed at assessing whether the wireless network can be breached, what level of access or disruption can be achieved (up to denial of service) and the potential business impact of a breach.
Our wireless testing team have a detailed understanding of Wireless technology, the current wireless standards (802.11 a, b and g) and are highly experienced in the cracking of encryption standards. The progress of the 802.11w standard towards ratification is also being closely tracked by the team.
Managed Vulnerability Assessments
Managed Vulnerability Assessments (MVAs) are regular scans which are an excellent starting point for checking for weaknesses across the whole of your externally facing infrastructure. They aim to identify vulnerabilities which could be used to gain access to your organisation, identify areas for improvement and track your progress in securing your networks. Vulnerability assessments support a proactive, rather than reactive, focus on securing your perimeter.
Unlike many organisations offering scanning, we combine automated testing, which provides consistency, with manual testing and tools to discover vulnerabilities. Vulnerability scans may be run on a weekly or monthly cycle, dependent on client needs. Reports and recommendations are then delivered through our secure portal "Fasthold", which provides a quick and easy way to compare reports and identify improvements. Fasthold also gives you a clear audit trail and evidence of security testing.
Physical testing
The technical security of a client's stored information can often be extremely well configured and managed, only for key vulnerabilities to be exposed once a physical audit is undertaken. MWR InfoSecurity conduct physical testing and consultancy, often with identified targets set by the client, highlighting and identifying areas of security shortcomings that represent high information security risks to the clients business.
Examples of this can include paper based sensitive information, poor access controls, and poor challenge/response awareness by members of staff. Such a service helps raise staff awareness considerably and demonstrates operational weaknesses outside of the normal areas of security awareness.
Magnetic Payment, Travel, Access Control and Customer Loyalty Card Assessment
In conjunction with wider application and infrastructure testing, MWR InfoSecurity are able to help clients ensure that their use of magnetic stripe technologies is robust and secure. MWR InfoSecurity are able to analyse all industry standard card structures and provide analysis of proprietary card data structures.
In addition to the analysis of the data format, MWR InfoSecurity are also able to offer a wide range of testing and assurance services for various magnetic card implementations, including attack scenarios. These have previously taken the form of input validation testing against client implementations based on improperly formatted track structures and card data.
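As an added worked example (not part of the original page and not MWR InfoSecurity's own tooling), the following Python decodes magnetic stripe Track 1 (format B) and Track 2 data laid out as in ISO/IEC 7813, validates the PAN check digit and expiry month, and derives the kind of structurally invalid track strings used for input validation testing of a client implementation. The PAN 4111111111111111 is a well-known test number; the track strings, the field limits quoted in the comments and the variant names are constructed for this example.

```python
import re

# Maximum track lengths and field layouts as assumed for this example
# (ISO/IEC 7813 figures; check against the issuer's specification in practice).
TRACK1_MAX_LEN = 79
TRACK2_MAX_LEN = 40

# Track 1, format B:  %B<PAN>^<SURNAME/GIVEN>^<YYMM><SSS><discretionary>?<LRC>
TRACK1_RE = re.compile(r"%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?(.)?")
# Track 2:            ;<PAN>=<YYMM><SSS><discretionary>?<LRC>
TRACK2_RE = re.compile(r";(\d{1,19})=(\d{4})(\d{3})(\d*)\?(.)?")


def luhn_valid(pan):
    """Mod-10 check over the PAN; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _check_expiry(yymm):
    month = int(yymm[2:])
    if not 1 <= month <= 12:
        raise ValueError(f"expiry month {month} out of range")


def _describe(pan, expiry, service_code, discretionary, lrc):
    _check_expiry(expiry)
    return {
        "pan": pan,
        "mii": pan[0],                                   # major industry identifier digit
        "luhn_valid": luhn_valid(pan),
        "expiry": expiry,
        "service_code": service_code,
        "chip_capable": service_code[0] in "26",         # first digit 2/6: use IC where possible
        "discretionary": discretionary,
        "lrc": lrc,                                      # usually stripped by the reader
    }


def parse_track1(raw):
    """Decode a format-B Track 1 string; raise ValueError on any structural defect."""
    if len(raw) > TRACK1_MAX_LEN:
        raise ValueError(f"track 1 exceeds {TRACK1_MAX_LEN} characters")
    m = TRACK1_RE.fullmatch(raw)
    if not m:
        raise ValueError("track 1 does not match %B<PAN>^<NAME>^<YYMM><SSS>...? layout")
    pan, name, expiry, service_code, discretionary, lrc = m.groups()
    rec = _describe(pan, expiry, service_code, discretionary, lrc)
    surname, _, given = name.partition("/")
    rec.update(surname=surname.strip(), given_names=given.strip())
    return rec


def parse_track2(raw):
    """Decode a Track 2 string; raise ValueError on any structural defect."""
    if len(raw) > TRACK2_MAX_LEN:
        raise ValueError(f"track 2 exceeds {TRACK2_MAX_LEN} characters")
    m = TRACK2_RE.fullmatch(raw)
    if not m:
        raise ValueError("track 2 does not match ;<PAN>=<YYMM><SSS>...? layout")
    return _describe(*m.groups())


def rejects(raw, parser=parse_track2):
    """True if the reference parser refuses the string."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False


def malformed_variants(track2):
    """Derive structurally invalid Track 2 strings from a valid one (constructed defect set)."""
    pan, rest = track2.strip(";?").split("=", 1)
    return {
        "pan_too_long": f";{pan}00000={rest}?",            # 21-digit PAN
        "pan_non_numeric": f";{pan[:-1]}A={rest}?",
        "missing_start_sentinel": f"{pan}={rest}?",
        "missing_end_sentinel": f";{pan}={rest}",
        "missing_field_separator": f";{pan}{rest}?",
        "track_too_long": f";{pan}={rest}{'9' * 40}?",
        "bad_expiry_month": f";{pan}=9913{rest[4:]}?",
        "empty_pan": f";={rest}?",
    }


if __name__ == "__main__":
    good = ";4111111111111111=2512101123456789?"
    print(parse_track2(good))
    for name, variant in malformed_variants(good).items():
        print(f"{name:24} rejected={rejects(variant)}  {variant}")
```

Feed each string from malformed_variants() to the implementation under test and compare its behaviour with the reference parser: anything the client accepts that the reference rejects, or that causes an error the client does not handle, is a finding to follow up.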
VPN testing
Virtual Private Networks are a standard part of organisational infrastructure topology, and have assumed a hugely important role in the transmission and protection of information within an organisation. As with all things, misconfiguration, or false assumptions can result in substantial vulnerabilities being exposed and a greater risk to the organisational information as a result.
MWR InfoSecurity are highly experienced when testing and examining VPN configurations both from the perspective of a non-authorised party, and an authorised user. By approaching the exercise using a business based focus our findings provide clear direction for the project teams when assessing the level of risk associated with the use of the VPN infrastructure.
Mobile device testing
MWR InfoSecurity are able to offer an assessment of mobile devices such as PDAs as part of the wider corporate environment. Piecemeal add-on security solutions for mobile devices within the organisation often present problems in software integration, usability, and administration.
In addition to analysing the mobile devices, business role and interaction with the wider corporate infrastructure, MWR InfoSecurity will also review a client's mobile devices against three broad security areas:
- User Authentication
- Content Encryption
- Policy Controls
Social Engineering
The strength of any security system is only as strong as its weakest link - often this can be at the "human interface" level. Social engineering is a collection of techniques used to gain access to computer systems or to gather information. Most of the techniques involve convincing legitimate users that they should openly provide their credentials for an unauthorised reason which is presented in such a way as to appear as a genuine request. This request will generally appear to originate within their own organisation, or within an equally well respected institution.
MWR InfoSecurity can use extensive social engineering techniques and physical breach techniques during their testing. Social engineering can include techniques such as verbally engineering sensitive information from client staff and internal penetration testing. During physical breaches, MWR InfoSecurity use fake identification, and team based techniques based around the UK Armed Forces reconnaissance methodology. Prior to the breach attempt, considerable effort is put into gathering publicly available information such as architects' plans, onsite photos and local authority records to help scope the approach and determine the final breach method.
Phishing
Most people have heard about phishing attacks and how they are used to trick users into providing their credentials for bank accounts or other websites. However, the technique can also be used effectively to obtain credentials for business applications, network logins or even valid credentials for a two factor authentication scheme such as RSA's SecurID. By exposing employees to a simulated phishing attack it can help to highlight the need for effective user education and additional technical controls.
MWR InfoSecurity have used this technique to help a wide range of organisations understand how susceptible they are to these types of attack and how they can protect themselves. The testing is usually conducted in a highly controlled manner that is compliant with HR requirements but still obtains accurate results. The companies that have conducted such exercises have been able to strengthen their defences against an increasingly popular type of attack and at the same time improve buy-in to the security management programme from its employees.
Log Analysis
It is vital that every effort is spent ensuring a security breach or incident does not occur. However, if the worst does happen it is important to quickly and effectively identify the cause and extent of a breach and take appropriate action to resolve the issues caused by it.
Often this will require reviewing and correlating log files to identify what activity has occurred and where it originated from.
MWR InfoSecurity consultants are able to effectively review a wide range of log sets using a combination of in-house tools and custom scripts written for a particular incident. By combining the use of these tools with extensive knowledge of attack patterns (and trends) it is possible to review log data and provide timely results to an organisation. By utilising these skills alongside effective client communication and reporting, it is possible to respond dynamically to a potential incident and help a client to minimise the impact it has on their business. This has been proved to provide beneficial support to an organisation at a time that is often difficult to manage.
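The kind of incident-specific script described above, as an added illustration that is not MWR InfoSecurity's own tooling: the Python below parses web-server access-log lines in the common "combined" format, flags request patterns a reviewer would look for first (SQL injection, directory traversal, scanner User-Agents), and correlates them by source address so that the origin and extent of the activity can be seen at a glance. The log lines, the signature set and the scoring weights are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" access-log layout (assumed input format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Attack patterns applied to the URL-decoded request path. Deliberately narrow;
# a real review extends these from the attack patterns seen in the incident.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+(?:all\s+)?select|'\s*or\s*'?\w+'?\s*=|;\s*drop\s+table|sleep\s*\()"),
    "traversal": re.compile(r"\.\.[/\\]"),
}
SCANNER_UA = re.compile(r"(?i)(sqlmap|nikto|nessus|acunetix|nmap)")

# Per-tag weights for ranking sources; each 4xx/5xx response adds one point.
WEIGHTS = {"sqli": 3, "traversal": 3, "scanner_ua": 2}

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:55:40 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:55:42 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:55:45 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
this line is corrupt and must be skipped
198.51.100.9 - - [10/Oct/2010:13:56:01 +0000] "GET /products.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
203.0.113.5 - - [10/Oct/2010:13:56:10 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode twice so single- and double-encoded payloads both surface
    # (a literal %25 in a legitimate path will be over-decoded; acceptable for triage).
    entry["decoded_path"] = unquote(unquote(entry["path"]))
    return entry


def classify(entry):
    """Tag one parsed request with every attack pattern it matches."""
    tags = {name for name, rx in SIGNATURES.items() if rx.search(entry["decoded_path"])}
    if entry.get("ua") and SCANNER_UA.search(entry["ua"]):
        tags.add("scanner_ua")
    return tags


def correlate(lines):
    """Group requests by source IP: volume, error count, tag counts, first and last seen."""
    sources = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        src = sources.setdefault(entry["ip"], {
            "requests": 0, "errors": 0, "tags": Counter(),
            "first_seen": entry["ts"], "last_seen": entry["ts"],
        })
        src["requests"] += 1
        if entry["status"] >= 400:
            src["errors"] += 1
        src["tags"].update(classify(entry))
        src["last_seen"] = entry["ts"]
    return sources


def rank_sources(sources):
    """Score each source and return (ip, score) pairs, highest first, omitting clean sources."""
    scored = []
    for ip, s in sources.items():
        score = s["errors"] + sum(WEIGHTS[t] * n for t, n in s["tags"].items())
        if score:
            scored.append((ip, score))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    summary = correlate(SAMPLE_LOG.splitlines())
    for ip, score in rank_sources(summary):
        s = summary[ip]
        print(f"{ip:15} score={score} requests={s['requests']} errors={s['errors']} "
              f"tags={dict(s['tags'])} window={s['first_seen']} .. {s['last_seen']}")
```

Matching is done on the decoded path rather than the raw one because attackers routinely URL-encode payloads, and the first/last-seen window per source is what lets the reviewer pull the matching records from firewall, proxy or authentication logs to establish the full extent of the activity.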
Laptop Testing
Recent media reports have highlighted the importance of securing portable devices and media against loss or theft. These devices often contain highly sensitive data which, if it falls into the wrong hands, could have a significant negative impact on the organisation. A lost or stolen laptop can not only be used to recover sensitive information from its disks and memory, but could also allow an attacker to gain remote access to the organisation. A laptop test can quickly identify the risks associated with a given laptop build and how an attacker might use it to their advantage.
MWR InfoSecurity consultants have a vast range of skills in computer forensics, data recovery and knowledge of methods for gaining unauthorised access to data. Using these skill-sets it is possible to examine and evaluate the contents of a laptop (or other media) and identify sensitive data or methods for further attacking an organisation. The findings of the testing enable an organisation to understand the risk they are exposed to, the skill level required to access the data on the device and methods for better securing their assets.
Incident Management and Investigation
The goal of every business is to prevent a security incident or breach from occurring, however, it must be accepted that sometimes something unexpected will happen. In those situations the ability to respond in an appropriate manner can make a huge difference to the cost of the incident and the damage that it can cause to the business as a whole.
MWR InfoSecurity can work with your organisation to make sure that, if an incident occurs, the correct processes are in place to manage the response effectively. By understanding the structure and dependencies within the business and the risks it faces, it is possible to build a response plan that is effective in identifying the source of a security breach and containing it so that minimal disruption is caused. In addition, MWR InfoSecurity are able to work directly with clients when an incident occurs. This provides direct support to the business and targeted access to the consultants' extensive knowledge of vulnerabilities, exploitation techniques and incident handling. Ultimately these approaches result in smaller financial losses from an incident and reduce the risk of reputational damage.
Smart card testing
The smart card industry consists of various different types of cards, including, among others, Mifare Contactless cards as well as the ISO 7816 standard EMV cards (an acronym derived from the first letters of EuroPay, MasterCard and VISA). These cards are mostly used to authenticate a user on a system in order to make sure that the correct person is doing a transaction, successfully identify a person, or allow physical access to authorised persons. The cards may also carry some information such as: biometric templates; personal information that serves as a distributed database; or electronic certificates used for encryption purposes.
Smart cards can be vulnerable to attack if they are not implemented correctly. It would constitute a breach of security of a smart card system if a card can be duplicated, data stored on the card can be read or altered, or if the host system is compromised.
MWR InfoSecurity can submit a smart card implementation to comprehensive security testing by analysing the following:
- Smart Card:
- Find all data areas on the card
- Ensure that all sensitive information is encrypted
- Ensure that the card cannot be duplicated
- Host System:
- The host system will be submitted to a full application security test
- Communication:
- Side channel attacks on host to card communication
- Data and passphrase encryption
- Protocol reverse engineering
Embedded System Testing
MWR InfoSecurity has undertaken multiple embedded application tests across an array of infrastructures and devices. Such tests have been designed and applied to assignments including enterprise level printer/file server devices, encrypted examination systems, 2-factor Protected applications and bespoke financial applications. Bespoke tests have also involved review of proprietary encryption standards and source code analysis to ensure that the highest possible level of security is attained by clients.
Typically, a tester will examine the application before compiling a method for conducting the testing. This method can contain any of the elements of a standard penetration or application test (and often does), but also includes some of the following types of test:
- Import identified applications to a good debugger such as SoftICE or OllyDbg
- Run the applications through different debug modes and study results (see diagram)
- Capture network traffic of networked based applications
- Check the application installation directory for sensitive data
- Obtain the hardware manufacturer's Application Programming Interface (API), if hardware or another token device is present
- Study the API
- Identify routines used in the application which were identified in the manufacturers API
- Research previous cracking techniques
- Patch applications to bypass hard coded validation
- Test applications with patches implemented
The benefits of such techniques often include identification of circumvention vulnerabilities, and an array of issues impacting on the assurance provided by the implemented security measures.
Strategic Risk Review
Takeover/acquisitions audit
Takeover audits allow the senior management or board of directors to ascertain the true risk levels present within the organisation targeted for purchase. Specifically, this means any risk (tactical or operational) that represents a substantial financial downside to the procurer.
MWR InfoSecurity has a strong track record when identifying and highlighting issues that substantially lower the value of proposed purchases and communicating them in a clear and concise manner to the management team (usually under considerable time pressures). This service can either be used as part of due diligence, or as a mechanism to ascertain whether the offer price represents true value given the level of risk.
Development Support
Developing Secure Applications Workshops
MWR InfoSecurity believes in the importance of building security into the development life cycle. Following secure design principles and secure coding practices eliminates many common security issues from the outset, as well as minimising the cost and time needed to ensure applications are secure after development. If secure design principles are not followed during development, large parts of the application may need to be re-engineered to address security issues, and fixes can often be hard to implement in this way.
To help clients build security best practice into their application development process, MWR InfoSecurity provides application security workshops to help train your development teams in secure development practices. Our workshops include a comprehensive syllabus of key security principles, how to build a secure architecture, and understanding web application attack vectors and their counter measures.
Workshops are interactive and hands on, and participants will have the opportunity to ask questions of the consultant delivering the workshop.
Implementation Support
Coding Reviews
Any application or software product can consist of thousands of lines of code, any of which could potentially be harbouring a vulnerability affecting its security. Given the conditional nature of the paths which could be followed within the code, it is often difficult to fully test all of them without knowledge of the code. However, with access to application code it becomes easier to identify weaknesses that might not otherwise be detected.
MWR InfoSecurity consultants have extensive experience in software development, as well as in the discovery and exploitation of vulnerabilities in a wide variety of languages and development frameworks. Using this combination of skills it is possible to perform code reviews in a manner which allows effective identification of vulnerabilities.
PCI Workshops
Payment Card Industry Data Security Standard (PCI DSS) is a mandatory requirement which was constructed by the major payment card companies, such as VISA and MasterCard, for all organisations that process any form of payment card information (credit, debit or pre-paid), develop products for payment card transactions or store payment card details on their networks. MWR InfoSecurity is both a Qualified Security Auditor company (QSA) and an Authorised Scanning Vendor (ASV). All of our consultants have a track record of providing excellent practical and innovative support to clients on all aspects of PCI DSS.
The MWR InfoSecurity onsite discovery workshop aims to provide attendees with a unique insight into the PCI DSS and guide them into developing a structured approach to PCI DSS compliance. Some of the areas that could be covered are:
- The governance structure for PCI DSS compliance
- Who and what is covered?
- The two components of PCI DSS compliance:
  - compliance to the standard
  - validation of compliance
- Issues between the Self Assessment Questionnaire and the standard
- The possible consequences
- Insights into the requirements
- A structured approach to PCI DSS compliance
- Addressing individual issues within the organisation
Benefits
- Explains the PCI DSS in terms of your business
- Addresses the unique issues you face
- Covers your specific environment
- Manages the issues that you have or think you may experience
- Applies unique knowledge and experience to your issues.
Firewall Ruleset Review
An organisation's firewall is often viewed as the most important part of its security infrastructure. Whilst secure firewall configuration is not the only part of ensuring an effective security model it is of critical importance. A firewall ruleset review is the most effective method of obtaining an understanding of the risks associated with the traffic a device will either permit or reject. A ruleset review can be combined with knowledge of an organisation and its network architecture to provide a business focused view of the firewall configuration.
The consultants at MWR InfoSecurity have extensive experience of maintaining secure firewall rulesets and therefore can readily understand and interpret the rules that are enforced. Performing a rulebase review can enable an organisation to pinpoint rules that expose them to excessive risk whether that is from Internet based attackers, trusted third parties or administrative activities. A clear and illustrative reporting format also enables security managers and administrators to identify which rules should be prioritised for remedial activities.
Host Configuration Reviews
A host configuration review provides assurance that hosts in an organisation follow configuration best practice, in order to minimise the risk of compromise and mitigate the impact of attacks. Our methodologies for host configuration reviews are tailored closely to specific operating system versions, allowing greater accuracy in identifying configuration problems. As a configuration review is undertaken with local access to hosts under review, internal information about risks inherent in the way systems are deployed can be obtained.
This gives a different perspective from external tests, such as Vulnerability Assessments, performed from an attacker's eye view.
MWR InfoSecurity's host configuration review methodologies combine resources from NIST checklists, the Microsoft Baseline Security Analyzer (MBSA) and a variety of custom checks to provide a more complete picture of the configuration of hosts to be analysed by the testing team. This process allows MWR InfoSecurity to pick up on missing OS patches, weak file permissions and configurations which allow potentially sensitive system information to be obtained by attackers.
Database Configuration Reviews
Databases often hold much sensitive information and protecting that data is a primary goal of information security strategies. Database configuration reviews provide assurances of the secure deployment of database servers. As configuration reviews are undertaken from an internal perspective, risks and risk mitigation can be assessed with different sources of information than external tests which are performed from the perspective of an attacker.
The database configuration reviews provided by MWR InfoSecurity follow careful methodology developed according to industry best practice standards. By ensuring databases are deployed according to these best practices, risk can be minimised and the impact of attacks reduced.
Web Server Configuration Reviews
Web servers are often the primary systems exposed to the internet, and web vulnerabilities are increasingly becoming a primary attack vector. A web server configuration review provides assurances that web servers are deployed according to security best practice. This minimises the risk from web based attacks, and limits their impact. Aspects of configuration can change the viability of a given web attack vector, and such information can be obtained and analysed in a configuration review which has access to the configuration of the servers themselves. This provides a different picture from an external test performed from an attacker's perspective.
MWR InfoSecurity provides web server configuration reviews which follow a methodology developed in line with industry best practice. Web server configuration is carefully analysed to ensure proper permissions, proper location of sensitive files, appropriate content mappings and that no sensitive system information is leaked to the attacker.
Network Architecture Review
Security has become a vital component of computer networks and therefore has a major impact on their topology. A network architecture review provides a technical overview of the security posture of a network and its components and will look at configuration choices such as the location of filtering devices, access control mechanisms and whether network segregation has been achieved in a secure fashion. Attacks can come from multiple sources, thus this review will assess perimeter defence mechanisms and determine exposure to external threats as well as the robustness of the network to handle internal attacks or attacks coming from trusted networks.
During this review, MWR InfoSecurity security consultants will assess the posture of the network with regards to your security goals and take into consideration any compliance or standards which you must adhere to or hope to achieve. This will be done through one or more of the following; reviewing documentation, connecting to and assessing the network and working closely with network administrators. The strengths and weaknesses of the network architecture will be presented in conjunction with recommendations specific to your architecture needs.
Design Documentation Review
One of the most important aspects of any IT project is the design phase and this is equally true when designing security controls into a system, network or application. Failure to include appropriate controls at this stage can leave a project with retro-fitting to be performed later on in the project, or worse still gaping holes in their security model.
A design documentation review will ensure that any security controls are appropriate for their purpose at the correct stage in the project lifecycle. MWR InfoSecurity regularly works with its clients to ensure that such controls are factored into the project at an early stage. This brings the benefit that these do not need to be added at a later stage in the project, for example, when security testing is performed during the rollout. It has been demonstrated that performing design documentation reviews provides cost savings and helps to ensure go live occurs on time and with a minimal level of risk being exposed.
Product Evaluation Reviews
A product evaluation is aimed at performing as comprehensive a security assessment as is practically possible, in order to identify any vulnerabilities present from any perspective in security critical applications. Where compliance with any industry standards is also required, all results will be assessed in line with these.
MWR InfoSecurity's approach to product evaluations consists of performing a comprehensive set of security tests and reviews from different perspectives. This will include performing black box penetration testing, application security testing, security code reviews, technical documentation reviews, operational testing and where appropriate, reverse engineering.
Build Documentation Review
An important objective of any project is to ensure that the security that was proposed in the design will be accurately reflected through the build and configuration of the solution. Failure to deploy a secure build can often negate the effort and cost invested in the design of the network, system or application and can undermine the security of the entire project. If identified in the later stages of a project, an insecure build can often disrupt the operation of the application if it is to be reconfigured to meet the desired security model.
A build documentation review will ensure that the systems deployed within the relevant environment are proposed to be built in a secure manner. MWR InfoSecurity can engage with clients to ensure that the proposed system build is in line with the security requirements of the project. It has been demonstrated that performing build documentation reviews provides cost savings and helps to ensure that systems can be built and deployed in a manner that does not affect the operation of the environment. It also ensures that only a minimal level of risk is exposed.
Product Identification/selection
It is becoming more common for organisations to consider deploying particular project solutions, whilst needing accurate verification of potential risk with respect to a pool of candidate products or solutions. In this instance, MWR InfoSecurity helps the client to identify potential risk with respect to the candidate solutions and, importantly, which risks will not be acceptable to the organisation. In this manner, the experience of MWR InfoSecurity is utilised early in the project lifecycle to ensure that costly mistakes are not made that affect the viability or go-live of the project at the sign-off stage.
Business Impact Assessment
A business impact assessment (BIA) is effectively a short-form of information risk assessment that is typically used to determine whether there are serious information risks (that can cause consequential business impacts) associated with a business area or project. A BIA is often used at the start of a project to allow an initial understanding of the information risks that the project may generate so that advance preparations or allowances may be made. It may also be used in existing projects as a quick information risk health check.
BIA is also used to good effect as a strategic tool to evaluate the high level risks associated with individual business areas. In such cases BIA is used within a cascade process starting at the top of the company and working downwards gradually increasing the granularity of the results until a full risk map of the organisation has been developed. The objective is to identify the areas where there is the greatest risk so that the organisation's limited resources may be focussed where they are required the most.
MWR InfoSecurity has consultants trained to use two of the more popular BIA methods which are fast becoming standards in the area of risk management: ISF's IRAM BIA method and CRAMM Express. However, there are other methods, and MWR InfoSecurity consultants have the capability to use other methods including Sprint and ALE.
MWR InfoSecurity can conduct business impact assessments of:
- businesses (cascade process)
- individual business areas
- individual processes
- individual systems
- individual operations
- new developments.
Business continuity
Business continuity is the way in which a business protects itself from the disruption arising from a failure in the availability of information. This can be anything from a minor annoyance to a complete loss of essential information through a complete destruction of the information processing systems or even the inability to get into a building to work. Business continuity is primarily concerned with continuing business and therefore important aspects will be:
- determining the critical business functions
- prioritising critical business functions
- establishing contingency plans for top priority critical business functions
- developing a communications strategy
- developing employee awareness.
Threat Analysis
Threat Modelling
It is often difficult, when considering a large interconnected system, to decide which element poses the most risk to your company. Threat modelling is a high level process, designed to help protect the digital assets in a business by prioritising and focusing security efforts in the areas where they are needed the most. It also aids greatly in identifying threats before they occur in a production environment and can provide focus for additional testing or development on the most vulnerable system components. This saves money and time in that the right components get the required hardening during system build and reviews.
The threat modelling process requires a large amount of input from the client in order to be effective and would include steps such as identifying system assets, creating an architecture overview, identifying threats to assets and data using STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege) and CIA (Confidentiality, Integrity, Availability), and classifying threats using DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability). MWR InfoSecurity then uses this information to formulate actions and recommendations to prevent the identified threats from becoming major security breaches.
Business Recovery
Business Recovery Strategies and Contingency Planning
Over the years MWR InfoSecurity has developed its own approach to Business Recovery Strategies, Contingency Planning and Disaster Recovery. Most of MWR InfoSecurity's contingency work is conducted using the MWR InfoSecurity contingency planning and disaster recovery method, which loosely equates with the proposed continuity management standard PAS56 and will comply with BS 23999 Part 2 when issued. The MWR InfoSecurity contingency planning and disaster recovery method has been proven in practice during many contingency assignments across the world.
The core of the MWR InfoSecurity business continuity, contingency and disaster recovery method is a business impact assessment biased towards availability and developing controls within the recovery and prevention aspects of risk assessment.
Disaster Recovery
Disaster recovery is different from business continuity in that it assumes that the worst has already happened and concentrates on managing a disaster from identification through to reinstatement. It requires processes and procedures, inter alia, to identify that a disaster has happened, initiate a disaster plan, call together the disaster management team and define how the team will work together to manage the disaster.
Therefore the concentration for disaster recovery will be on:
- identifying that there is an incident
- calling out the recovery team
- liaising with staff
- liaising with the media
- dealing with the incident
- recovering to an interim position
- return to normal.
Information security health checks
The MWR InfoSecurity health check is a comprehensive overview of the information security understanding, capability and operations of an organisation, providing the client with the information to make decisions about its information security provision and where to concentrate resources. The MWR InfoSecurity health check examines an organisation and provides a detailed analysis of their information security capability in three particular areas:
- Information security management
- Information security operations
- Contingency and disaster recovery
These three areas have been chosen because they are the key focal points for information security within an organisation and therefore by examining these areas we are able to give a very good idea of the level of the organisation's information security capability.
These areas of information security are also essential to a good broad base of information security provision as they encompass:
- Ethos and commitment
- Security implementation
- Management of commercial activities
- Contingency provision
MWR InfoSecurity carries out a set of structured interviews, discussing operational practices, data handling, general management and security issues with all levels of management to determine how policies are set, how the standards are developed and set and how information security procedures are adhered to. The latter is an intrinsic part of examining whether there is sufficient awareness of the needs for information security within the organisation.
Contingency Planning
Contingency Plans
Contingency plans are generally associated with information systems and tend to concentrate on the major aspects of information protection:
- prevention
- detection
- recovery.
However, contingency plans can cover any aspect of a business where it relies upon a particular business function or service. A contingency plan will allow the business function or service to continue despite adverse events, and generally includes:
- capacity planning
- single point of failure analysis
- environmental degradation
- key resource limitation or incapacity
- service supply.
MWR InfoSecurity consultants have many years of experience in conducting risk assessments for availability issues and constructing control domains for the protection of businesses from loss of information both temporarily and permanently. Such processes and procedures have a great deal of dependency on the structure and culture of the organisation and require consultants to work very closely with the organisation and to understand its workings. MWR InfoSecurity consultants have significant experience in working closely with organisations in the development of disaster recovery plans for diverse businesses.
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) is a standard for the protection of cardholder data whilst it is stored, processed or transmitted throughout its lifecycle. It applies to all parts of the payments card management chain including: retailers, banks and third party service providers.
It was defined because the major payment card schemes, such as VISA and MasterCard, have for a long while been concerned at the large number of attacks on organisations' computer networks that have resulted in the theft of large blocks of cardholder data (payment card numbers etc.). Often the information stolen could also facilitate identity theft attacks on the information owners. This can cause considerable distress to the people involved and significant additional costs to the card brands.
It was the recurrence of many similar types of attack mainly originating from the internet that convinced the big card brands that positive action was necessary to ensure an acceptable level of protection is provided on all computer networks that process payment cards. This action has resulted in the establishment of the Payment Card Industry Data Security Standard, commonly called the PCI DSS.
PCI DSS is a complex and prescriptive standard which can be resource intensive to implement. Many organisations appreciate the help and assistance from MWR InfoSecurity: a QSA, an ASV and a QFI with knowledge and insights into the standard that enable us to provide structured guidance to all types of organisations.
Compliance to the PCI DSS is a mandatory requirement placed on all organisations that process credit card or debit card payments, develop products for payment card transactions and/or store payment card details. PCI DSS defines the controls that need to be placed around cardholder data in order to protect it from theft or unauthorised disclosure.
MWR InfoSecurity as a QSA
MWR InfoSecurity is a PCI DSS QSA and works on the basis that the QSA is the facilitator for Merchants' compliance with PCI DSS. A Merchant's QSA is charged with interpreting the DSS as it relates to the Merchant's operations and should be capable of ensuring compliance without compromising the merchant's information policy and approach to security.
Equally the QSA has a responsibility towards the accurate reporting of compliance so must have integrity and honesty but with balance. Merchants need to ensure that they can be compliant year after year as compliance is not a single one off exercise but an annual event so their initial audit must be repeatable regardless of which QSA carries out the assessment. Audits in subsequent years should not be problematic because of compliance failures that were not identified in the first instance.
Therefore Merchants are looking for a QSA that is capable of exercising judgement and justifying that judgement to the acquirer as well as acting as an honest broker between the acquirer and the merchant on issues of compliance.
Many acquirers are now requiring their merchants to engage a QSA as a demonstration that they are committed to compliance with PCI DSS. Equally, because the merchant will often need to demonstrate the adequacy of compensating controls, Acquirers are increasingly relying upon QSAs for their qualification of such alternatives to the PCI DSS requirements.
ASV PCI Testing
The PCI DSS is a comprehensive standard that establishes common processes and procedures for handling, processing, storing and transmitting credit card data. MWR InfoSecurity holds PCI accreditation as an Approved Scanning Vendor (ASV). We pride ourselves on the level of support we provide to all clients; consultants are available to guide you through the steps towards PCI DSS compliance. We have developed scanning services that enable organisations to identify and remediate vulnerabilities quickly and effectively. Reports only contain details of actual vulnerabilities, keeping the number of false positives to a minimum.
The PCI Service from MWR InfoSecurity offers you scheduled quarterly or monthly scans of relevant domains or IP addresses, full vulnerability remediation support from CISSP certified security specialists, assistance in completing your self-assessment questionnaire, unlimited telephone technical support and quarterly statements on compliance. Overall this service provides guidance to organisations seeking PCI certification and provides ongoing support in eliminating vulnerabilities.
ISO/IEC 27001
ISO 27001 is an international standard which sets out the requirements for an information security management system (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to third parties including an organisation’s customers. It is intended to provide a good level of assurance of appropriate information security protection.
The prescribed manner by which organisations establish how much effort needs to go into meeting the requirements of ISO 27001/2 is by conducting a Gap Analysis. A gap analysis is a comparison of the organisation’s existing controls against stated criteria – in this case ISO 27001/2. MWR InfoSecurity consultants have extensive experience in reviewing organisations’ information risk provision in accordance with varied and diverse criteria, including ISO/IEC 27001.
ISF Standard of Good Practice
The Information Security Forum Standard of Good Practice is a set of best practices for information security. It was developed in 1996 and has been published and revised biannually. The Standard is developed from research carried out by the ISF in conjunction with its members, allowing it to keep up with technological developments and emerging threats. MWR InfoSecurity consultants have extensive experience in reviewing organisations’ information risk provision in accordance with varied and diverse criteria, including the ISF Standard of Good Practice.
The ISF Standard of Good Practice is available free of charge for non-commercial use from the ISF, whereas other ISF reports and tools are generally available only to member organizations.