Internet and Network Security Services
Vulnerability Assessment Services

Securing your network? Want fixes that work over the long haul? Let the experts at R@pid Stability help secure your networks, applications, and critical information.

Assessing your network security has never been more important. Unfortunately, too many security firms simply don't find the root causes of security vulnerabilities, nor fix them once they're found.

At R@pid Stability, our experts identify and help you remove critical vulnerabilities. More importantly, we arm you with the strategic information you need to attack the source of vulnerabilities. We provide a complete portfolio of vulnerability assessment and penetration-testing services to address a range of requirements and budgets. Our Command Center security management system provides real-time vulnerability alerts to ensure your systems remain secure long after the project is completed.

Vulnerability Scanning Services

Our vulnerability scanning services provide you with an economical, yet comprehensive security review of your network perimeter or internal network. Our experts spot critical vulnerabilities and gaps in network security practices. We weed out false positives, provide strategic advice to help you correct root issues, and prioritize recommendations to ensure critical holes are addressed first.

Vulnerability Assessment & Penetration Testing

During our comprehensive assessment and penetration testing engagements our security combine "hands on" hacking techniques with a full set of proprietary and commercial tools, to reproduce real-world attack scenarios. Our experts find new and obscure vulnerabilities, identify process and procedural issues - the sources of vulnerabilities - and prioritize findings based on your specific business risk.

Web-based Application Assessments

Many organizations have are making substantial progress in protecting their networks from attack. However, web-based applications - and the critical customer, employee, constituent data they contain - often remain at high risk. Assessing the security of web-based applications requires special skills.

Managed Vulnerability Assessment Services

R@pid Stability can provide monthly, quarterly, and semi-annual assessments, or design a program to fit your specific needs. These services range from scanning to comprehensive assessment and penetration testing. The assessments can target internal networks, network perimeters, or web-based applications. While initial assessments provide a baseline to measure against, subsequent reviews address new vulnerabilities and track your security program's progress.

Lines of Defense for the Corporate Information System

Firewalls

Many enterprises erect a firewall as the first and often only line of defense for their information systems. A firewall is a device that controls the flow of communication between internal networks and external networks, such as the Internet. Many Incorporateds assume that, once they have installed a firewall, they have reduced all their network security risks.

A firewall must be configured to allow or deny appropriate traffic. The configuration process can be highly susceptible to human error. In a dynamically changing environment, system managers routinely reconfigure firewalls without regard to security implications. Access control lists on a firewall can be numerous and confusing. You must be sure that the firewall has been set up correctly and that it is performing well.

Internal Defenses

Even when properly configured the firewall can only repel connection attempts that come through the firewall itself. An information attack can be mounted via modem on the internal network. If all of the enterprises defenses are focused on the firewall then an attack that circumvents firewall though a modem or an internally based attack will have free reign over the information systems.

Thus the security features of the internal computers must also be employed. The important balance between convenience for the users and security concerns must be considered. That is the computer systems must be allowed to be collaborative in nature with appropriate access to information and functions across systems. At the same time this access provides a wide open avenue for the industrial espionage attack.

Often the elements of the enterprises computer system must be updated to eliminate security risks introduced by bugs in operating systems and network service programs. If a bug creates a performance related problem then it is a squeaky wheelie that will drive the upgrade. A functioning version of a program or service with the security bugs can be easily overlooked as an important item for upgrades. By the time a security related bug becomes the proverbial "squeaky wheel" - its too late.

Assessing IT Security

Security must be assessed from multiple viewpoints for the best over all picture. These perspectives range from the physical security of the machines to the configuration of the firewalls to the trustworthiness of workers. The history of industrial espionage has been in the physical world and thus numerous practices have been developed to handle the this portion of security assessment. The age of network based industrial espionage has a brief history and thus less developed security assessment practices.

The security profile of a network of machines can be assess from three principle vantage points.

  • From the outside of the Enterprise - the view of the computer infrastructure through the firewall
  • From the inside of the Enterprise - the view of computers from behind the firewall
  • From the computer keyboard - the view from the actual operating system of the individual machine itself.

Each of these perspectives will reveal unique security vulnerabilities. Removing the vulnerabilities as seen from outside the enterprise is the first step to halt the efforts of the casual hacker and industrial espionage age. Removing the vulnerabilities as they appear from behind the firewall accomplishes two goals. It creates a second line of defense should the firewall become compromised. It also creates a defense for the "blitzkrieg" attack around the firewall through a modem or other non-protected entryway. Finally, evaluating security from the machines themselves will close vulnerabilities that could be exploited through a firewall or from other machines on the network. It also hardens the security of the machines, restricting the avenues of attack for the disgruntled worker or the co-opted contractor.

Assessment Strategies

The Ideal Strategy

The ideal assessment strategy begins with the individual machines before they are ever inter-connected. Each machineries vulnerabilities are corrected, putting the network of machines off to a reasonable start. Next the network of computers are probed for security vulnerabilities. Typically the move from individual machines to an inter network of interdependent machines creates a significant number of exploitable holes. Thus the network of computers is examined for security vulnerabilities. Finally the external network defenses, the firewall, are verified. In this final stage the last layer of defense - the first layer encountered by an information adversary - can be thoroughly checked. Problems are more easily isolated to the configurations and performance of the firewall connections themselves.

Pragmatist strategy

In real life the machines, the inter network of computers (and often the external connections to the Internet) already exist. Additionally, a significant number of vulnerabilities exist at each level of the enterprises information systems. Often, the number of known vulnerabilities exceeds an organizations capacity to implement corrective action. This imbalance between known vulnerabilities and corrective capacity is a chief contributor to the gap between an enterprises security policy and security practice. An enterprise in this position often does not care to learn of more security vulnerabilities, following a "what I omit know omit hurt me" philosophy.

The real danger in this situation is that the scarce resources available to implement corrective security policies are squandered on the most well know vulnerabilities instead of being allocated to the vulnerabilities with the greatest risk to the enterprise. Firms in this position should invest in knowledge so that their limited resources are optimally deployed. The first step in a resource investment decision to is fully understand the range of options available and then pick the portfolio of investments that presents the highest aggregate return. In security assessment the firms must first evaluate all the vulnerabilities from all perspectives: system, internal and external. Aggregating and prioritizing the list of vulnerabilities will then provide a guideline for investing in corrective action to improve the match between security practice and security policy.

Continuous Security Improvement

As individual vulnerabilities are corrected under any security improvement process these vulnerabilities should stay fixed. Thus the corrections must always to monitored. By monitoring these changes over time the firm can look for the root causes of frequently occurring vulnerabilities. Then the enterprise can move on to lower priority vulnerabilities.

By undertaking a strategy of consistently fixing vulnerabilities, monitoring them to make sure they stay fixed and analyzing the causes of recurring vulnerabilities the enterprise enters the mode of continuous security improvement. The feedback loop of a security assessment provides the information flow necessary to improve the security of the enterprise's information systems.

We regularly perform several types of penetration testing. For each of the testing scenarios described below, our reports focus on concrete and practical measures you can take to address any deficiencies we might find. Some of the testing scenarios we perform frequently are:

Internet Exposure Profile

As a skillful outsider on the Internet, we focus on vulnerabilities related to TCP/IP protocols and services. We specifically look for problems in your DMZ or firewall setup, the configuration of your systems, and unauthorized access to resources in your environment. In this test scenario, we will attempt to gain privileges on systems (either at an application level or system level) and see if we can reach data.

Denial of Service Review

Some of the most visible hacker attacks of the recent past have been denial of service attacks. In this test scenario, we will assess your vulnerability to a wide range of both point-source and distributed denial of service exploits. In considering a Denial of Service Review and unlike all of the other testing scenarios described on this page, it is important to understand that this type of testing requires substantial advance planning and close coordination during the actual testing.

Web Content Review

As a skillful outsider on the Internet, we focus on vulnerabilities related to your web applications themselves. In this test scenario, we will attempt to escalate privileges, potentially reach the back-end database, or identify instances where private data may be exposed.

Dial Exposure Review

While Internet based attacks are getting the headlines, hackers continue to use direct dial attack techniques to do significant damage to companies. By systematic dialing and analysis of your telephone resources, we will assess your exposure to this classic form of hacker attack.

Firewall Review

Firewall rules tend to grow by accretion; changes to the rules are made to support the evolving needs of the business and they tend to accumulate over time. Too often, the rule set grows too large to be readily understood. Too often, later rules contradict earlier rules. Too often, a particular business need that required a specific opening in the firewall, no longer exists but the opening remains as a historical artifact. We will work with you to document how the firewall should function and review the configuration to determine if the configuration is consistent with the expected behavior.

Security Services Summary

In order to ensure a consistent assessment which can be used repeatedly to measure changes over time, the consultants will use as their model both R@pid Stability's own internal site security standards and a standards-based "best practices" model. The review will determine if:

  • Procedures have been implemented to ensure a secure business environment for all employees and other persons working in your facilities,
  • Emergency plans covering anticipated emergencies and catastrophes have been established, and plans adequately address the protection of people and assets,
  • Procedures have been implemented to report and analyze security incidents, bring them to closure, and prevent reoccurrence,
  • Effective management processes to protect proprietary information and assets from unauthorized disclosure, modification or misappropriation,
  • A process in place to provide management with a validation that the security controls within the scope of this engagement are operating effectively.

Service Covers:

  • A review of your organization's IT site security processes and related documentation in the following areas: physical security, emergency planning, incident management, contract management, and information protection
  • An analysis of the information from interviews with key managers and process owners against your Incorporated's standards, R@pid Stability's own internal standards and a standards-based model of "best practices"
  • A final report detailing observations and recommendations made during the review, and a management presentation outlining identified strengths and weaknesses relating to site security processes and procedural compliance

Home | Profile | Products | Services | Support | Contact Us
® © 2000 - 2008 Rapid Stability Corporation | Terms of Use