Security Assessment Services

At NetSPI, we take an active approach to vulnerability assessment. Our independent expertise gives us an unbiased perspective. We build a detailed picture of your security, compliance, and business programs. Based on these findings, we determine which issues require correction, so that we can provide protection for your entire business.

Application Security

NetSPI has a unique approach to meeting the critical need for application security. We cover all the key aspects of application-based assessments, looking for common vulnerabilities as well as newly discovered ones. Where appropriate, we use multiple best-of-breed software tools, combined with extensive manual testing by our consultants. We sift the test results using our own CorrelatedVM™ tool, which verifies the findings and eliminates false positives.

Click any service below to read more about it:

Application Architecture Review

NetSPI analyzes the system architecture documentation to identify potential weaknesses in the application design. We also interview key personnel to fully understand how security controls will be incorporated into the application design. We look at things like database and application audit logging, database and application encryption, key management, the transport of sensitive data, authentication and authorization schemes, and error handling. Once the information gathering is complete, NetSPI provides actionable recommendations for improving the system architecture design.

Application Code Review

Code review is the basic mechanism for validating the design and implementation of an application. It also helps maintain consistency in design and implementation practices across various applications within a company. While an application assessment looks at an application from the outside in, the code review looks at an application from the inside out. As part of this process, NetSPI provides actionable recommendations for improving your security posture.

Database Configuration Review

NetSPI's evaluation of the security configuration of a database identifies known weaknesses in database account settings, server configuration, and SQL configuration that may allow unauthorized access to the data. NetSPI's testing includes:

  • Configuration issues (e.g., default passwords and missing patches).
  • Known database vulnerabilities such as buffer overflow or potential denial-of-service vulnerabilities.
  • Connections that can be made using accounts with weak or non-existent passwords.
  • Third-party software vulnerabilities that could lead to a SQL data compromise.
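
The checks in the list above can be made concrete on a real configuration artifact. The following is an added example, not NetSPI's CorrelatedVM™ or any other NetSPI tool: a small Python audit of a PostgreSQL pg_hba.conf that flags rules letting accounts connect with no password (the `trust` method), rules using cleartext or weak password authentication, and rules that match any source address. The pg_hba.conf contents and the severity labels are constructed for illustration.

```python
# Added example, not NetSPI's code: audit a PostgreSQL pg_hba.conf for the
# kinds of issues a database configuration review looks for (accounts
# reachable with no password, weak or cleartext authentication, rules that
# match any source address). SAMPLE_PG_HBA is constructed, not captured.
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  trust
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       0.0.0.0/0       password
host    billing   app       10.0.0.0/8      md5
hostssl all       all       10.1.2.0/24     cert
host    all       all       ::/0            trust
"""

# Authentication methods pg_hba.conf accepts; used to tell a method field
# from a separate netmask field ("host all all 10.0.0.0 255.0.0.0 md5").
KNOWN_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}

@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # None for "local" (Unix-socket) rules
    method: str
    lineno: int

def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse the rule lines of a pg_hba.conf; comments and blank lines are skipped."""
    rules: List[HbaRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(HbaRule(f[0], f[1], f[2], None, f[3], lineno))
        elif len(f) >= 6 and f[4] not in KNOWN_METHODS:
            # address and netmask given as two separate fields
            rules.append(HbaRule(f[0], f[1], f[2], f"{f[3]}/{f[4]}", f[5], lineno))
        elif len(f) >= 5:
            rules.append(HbaRule(f[0], f[1], f[2], f[3], f[4], lineno))
    return rules

def matches_any_source(address: Optional[str]) -> bool:
    """True when the ADDRESS field lets a client from any address match the rule."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet: not evaluated here

Finding = Tuple[str, int, str]  # (severity, line number, description)

def audit_pg_hba(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for r in parse_pg_hba(text):
        wide_open = matches_any_source(r.address)
        if r.method == "trust":
            # No password at all: a "non-existent password" connection. Over the
            # network, or from any source, that is as bad as it gets.
            sev = "critical" if (wide_open or r.conn_type != "local") else "high"
            findings.append((sev, r.lineno, "trust: connections require no password"))
        elif r.method == "password":
            # Password is sent in cleartext unless the connection is TLS (hostssl).
            sev = "high" if r.conn_type != "hostssl" else "low"
            findings.append((sev, r.lineno, "password: cleartext password authentication"))
        elif r.method == "md5":
            findings.append(("medium", r.lineno, "md5: weak hash, prefer scram-sha-256"))
        if wide_open:
            findings.append(("medium", r.lineno, "rule matches any source address"))
    return findings

def summarize(findings: List[Finding]) -> Counter:
    """Count findings per severity."""
    return Counter(sev for sev, _, _ in findings)

if __name__ == "__main__":
    for sev, lineno, desc in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"[{sev:8}] pg_hba.conf line {lineno}: {desc}")
    print(dict(summarize(audit_pg_hba(SAMPLE_PG_HBA))))
```

On the constructed file the audit reports six findings: the Unix-socket `trust` rule for `postgres`, the cleartext `password` rule and the `trust` rule that both match any IPv4 or IPv6 source, and the `md5` rule for the billing application. The `hostssl ... cert` and loopback `scram-sha-256` rules are not flagged.
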

Thick Client Assessment

NetSPI reviews data communications between the client and the server to identify communication or encryption vulnerabilities. We review files, the registry, memory, and the application forms themselves for potential denial-of-service (DoS) vectors and sensitive information disclosures; we also decompile code where possible. We attempt to bypass authentication controls by taking advantage of weak file, registry, memory, and network components or permissions. We consolidate and analyze the data collected using our CorrelatedVM™ tool. We then review the proofs of concept with you and discuss our recommendations for addressing security deficiencies.

Threat Modeling

NetSPI looks at a piece of software to define the set of attacks that could be made against it. Having a threat model enables us to assess the probability, the potential harm, and the priority of each attack, and how those attacks can be prevented or mitigated. Threat modeling is an integral part of a secure software development life cycle (SDLC).

Web Application Vulnerability Assessment

In a Web Vulnerability Assessment, NetSPI evaluates web applications for security vulnerabilities and provides actionable recommendations. The assessment includes targeting the OWASP Top 10 web application vulnerabilities. Unlike strictly tool-based approaches to application assessment, we do extensive manual testing and manually verify all automated tests to reduce false positives.


Network/Infrastructure Security

Network security has never been more important than now, when threats have risen dramatically, along with the cost of data breaches. NetSPI offers a comprehensive approach to meeting this pressing requirement. First, we cover all the key aspects of network-based assessments (in addition to system-level and application-level assessments). We look for all the common vulnerabilities as well as newly discovered ones.

Where appropriate, we use multiple best-of-breed software tools, combined with expert manual testing by our consultants. We sift the results from all our tests using our own CorrelatedVM™ tool, which verifies the findings and eliminates false positives.

Click any service below to read more about it:

ASV Scanning

As an Approved Scanning Vendor (ASV) qualified by the Payment Card Industry Security Standards Council (PCI SSC), NetSPI offers the Quarterly PCI/ASV Assessment to demonstrate compliance with the Payment Card Industry’s Data Security Standard (PCI DSS) and also to gain insight into a client’s overall security posture. The Quarterly PCI/ASV Assessment will help identify and address the security issues that exist in a client's Internet-accessible environment, reduce risk to cardholder data and other sensitive information, and demonstrate compliance with PCI DSS requirement 11.2.

External Vulnerability Assessment

NetSPI evaluates the client's Internet-accessible network, systems, and applications for known security vulnerabilities. All of the data collected are consolidated and analyzed using NetSPI’s CorrelatedVM™ tool. In addition, vulnerabilities are prioritized based on the Payment Card Industry (PCI) severity system. NetSPI then formulates recommendations for mitigating the identified security issues.

Network Architecture Review

NetSPI analyzes the client's current network architecture and device configurations in order to identify potential weaknesses in the network infrastructure. We also interview key personnel to fully understand how the systems are managed and what security controls are in place to protect the environment. Our findings and recommendations are presented in a report that includes both detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will give senior management insight into the environment's strengths and weaknesses.

Physical Security Site Survey

Using a variety of techniques, NetSPI identifies gaps in physical security controls protecting core facilities.

Data Center Controls Review

NetSPI does a detailed review of all controls in place for a data center, including such items as physical access control, logon/logoff, backup procedures, hardware maintenance, problem reporting and escalation, assigned responsibilities to back up someone who is unavailable, audit logging, and documentation for all procedures.


Penetration Testing

Internet attackers and worms often target systems and networks indiscriminately. It is essential for an organization to identify and address the security issues that exist in its internal environment in order to prevent unauthorized access to its systems, applications, and sensitive information. Good penetration testing is invaluable in that effort.

Click any service below to read more about it:

Internal Pen testing

During the Internal Network Penetration Test, NetSPI attempts to gain unauthorized remote access to the client's internal networks, systems, and applications. We then create actionable recommendations for improving security posture and meeting PCI compliance.

External Pen testing

In an External Network Penetration Test, NetSPI gathers information on the current network architecture, implemented technologies, and planned security initiatives; identifies security issues on the client's externally accessible networks; attempts to gain unauthorized access; and provides actionable recommendations for improving the security posture. We use commercial, open source, and proprietary software, combined with expert manual testing. All of the data collected are consolidated and analyzed using NetSPI's CorrelatedVM™ tool. Finally, NetSPI formulates recommendations for mitigating the identified security issues.

Wireless Pen testing

NetSPI conducts an interview to discuss the wireless implementation. Topics include a high-level overview of the wireless architecture, configuration management, authentication, and encryption methods. NetSPI then evaluates the wireless network implementation from the perspective of an anonymous user. During the test, manual and automated processes are followed that leverage commercial, open source, and proprietary software. All of the data collected will be consolidated and analyzed using NetSPI’s CorrelatedVM™ tool. In addition, vulnerabilities are ranked based on their impact, and we formulate recommendations for mitigating the identified security issues.

Web-based Phishing

NetSPI identifies and minimizes risk to your organization from phishing attacks. The goal of these attacks is to gain access to sensitive information such as passwords, credit card numbers, and social security numbers. It is essential that organizations understand their employees' level of awareness and educate them on the risks presented by phishing attacks to help prevent leakage of sensitive personal, employee, and client information.

In order to determine the current level of employee awareness, NetSPI sends phishing e-mails to employees in an attempt to persuade them to divulge sensitive information. NetSPI identifies strengths and weaknesses within any phishing-related policy and technical controls in place.

Phone-Based Social Engineering

In order to determine the current level of employee awareness, NetSPI makes calls to employees in an attempt to persuade them to divulge sensitive information. NetSPI also reviews policy and technical controls that can help reduce the impact of phone-based attacks. Finally, NetSPI provides actionable recommendations for controls and user awareness training to help improve the security posture.

Physical Social Engineering

Social engineering seeks to manipulate people into doing things they ordinarily would not or into divulging confidential information like passwords or Social Security numbers. Physical social engineering is non-computer-based and includes tactics such as tailgating (following someone with a key or access card through a controlled door to enter a facility without proper authorization) or shoulder-surfing (watching a PIN or password as it is entered). NetSPI consultants use a variety of social engineering techniques to gain access to secured areas, including server rooms, file storage areas, and computers with administrative access to the internal network.