<<< Start | Our competence | Services | Training | Software | Partners | Contact us

Vulnerability Assessment | Penetration Testing | Source Code Audit Intrusion Detection | E-mail Sanitation | IT Security Advice

Vulnerability Assessment

Our consultants look for known vulnerabilities in network services, known or unknown web application bugs, the possibility to penetrate security mechanisms, configuration errors, forgotten/neglected services, information leakage (private information, business intelligence, financial information, internal reports, documentation, etc.) and legal aspects (privacy policy, acceptable use policies, etc.).

The audit is conducted in full compliance with Open Source Security Testing Methodology Manual (OSSTMM) (PDF file) - the most widely used, accepted and comprehensive methodology for testing security to date. OSSTMM complies with and beyond guidelines in ISO/IEC 17799, HIPAA (US), BDSG (Germany), NIST SP 800-42, and several other standards and privacy acts.

tigerteam.se conducts all identification steps in OSSTMM concerning TCP/IP networking and computer security. We don't do the actual penetration tests which allows us to do more on a lower budget.

All identification steps in OSSTMM conducted are documented under Section C - Internet Technology Security (page 42), the modules are:

• Logistics and Control: Initial assessment to determine the stability of communication with the target.
• Network Surveying: Basic network information, ISP information, cached information on the Internet about past/present connections into the target network (forums, mailing list archives, P2P networks).
• System Services Identification: Port scanning revealing a full network map, Operating Systems, version signatures of services, patch level, etc.
• Competitive Intelligence Review: A comprehensive investigation conducted on the Internet for data that can be categorized as Business Intelligence.
• Privacy Review: Assessment of disclosures, compliance with expressed privacy policy and actual privacy, information disclosed in marketing or advertisement, assessment of any publicly available private/confidential information, etc.
• Document Grinding: Profiling of the organization, it's employees, partners, competition, etc. (AKA Digital Dumpster Diving).
• Vulnerability Research: Two or more state-of-the-art vulnerability scanners are used together with manual assessment to determine any application/network/OS vulnerabilities, the possibility of exploitation of services, Denial of Service attacks, etc.
• Router and feature identification: The type of router/gateway used, types of traffic allowed to flow, etc.
• Trusted Systems Testing: Possible trust relationships between systems, found vulnerabilities mapped against systems with trust relationships, listing possible ways to spoof, etc.