System Security Review Services
Audit Level 1
On-site System Audit
Based upon ISO/IEC 17799 and ISO/IEC 27001, the On-site System Audit service comprises a documented, detailed, hands-on examination of operating system, database and application configurations, identifying vulnerabilities in our client's information assets.
Executing this service requires access to the system(s) for up to a full working day. On-site System Audit Level 1 is carried out manually by Microtec Security Consultants, typically in close cooperation with our clients' own technical staff. The Audit service is designed to provide documented host-based configuration information.
On-site Network Audit
Based upon ISO/IEC 17799 and ISO/IEC 27001, the On-site Network Audit is an assessment and review of the network environment. This includes the effectiveness of the protocols, switching and routing, infrastructure and architectural design, and other individual components of the network. Executing this service requires access to the system(s) for up to a full working day. On-site Network Audit Level 1 is carried out manually by Microtec Security Consultants, typically in close cooperation with our clients' own technical staff. The Audit service is designed to provide documented host-based configuration information.
Audit Level 2
Security Policy Documentation Audit
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Security Policy Documentation Audit is an assessment and review of the existing documented information security policies, guidelines and procedures vis-à-vis the enterprise's and/or individual business unit's technical security environment and posture regarding network, system and application security. Microtec works closely with our client's information security committee and produces a summary report specifying which areas are properly covered, pointing out weaknesses, and submitting recommendations in order to help provide written documentation of the policies, guidelines and standards governing the security of their computing environment.
Firewall rule-base and Configuration Audit
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Firewall rule-base and Configuration Audit service reviews, identifies and analyzes firewall configurations and rule-sets, assisting clients in aligning the rule statements in their firewalls with enterprise-wide business objectives and policies. We make sure the firewall rules are current and aligned with the enterprise security policy of our clients, and that they are updated to reflect changes in business policies.
Examine Level 1
Remote Vulnerability Assessment
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Remote Vulnerability Assessment service is a passive scan, across the Internet, of specified hosts. This service is an ideal starting point for assessing the effectiveness of deployed network security. It is designed to identify, but not exploit, potential vulnerabilities on critical web-facing systems such as routers, firewalls, web servers and e-mail servers. The service identifies operating system and application vulnerabilities that may be exploited to gain unauthorized access to the internal network or key servers, placing the enterprise's information assets at risk.
Examine Level 2
On-site Vulnerability Assessment
Based upon ISO/IEC 17799 and ISO/IEC 27001, the On-site Vulnerability Assessment is a passive scan, performed locally, of specified hosts to assess the effectiveness of deployed internal network security. It is designed to identify, but not exploit, potential vulnerabilities present on critical internal systems, such as database servers, RAS access points, application servers and intranet web servers. The service identifies operating system and application vulnerabilities that may be exploited to gain unauthorized access to the internal network or key servers, placing the enterprise's information assets at risk.
On-Site Wireless LAN Design and Vulnerability Assessment
Based upon ISO/IEC 17799 and ISO/IEC 27001, the On-Site Wireless LAN Design and Vulnerability Assessment service is a passive network scan of wireless networks (WLANs) to determine the security of the WLAN deployment. Microtec will review the security and the design of the wireless deployment to identify devices that are compromising the security of information assets. Microtec will document and submit its findings in a report with recommendations based on the tests and tools used by the Microtec team. This will provide a comprehensive "snapshot" of the current WLAN infrastructure, identifying Access Points and their type, network addresses including client machines and their addresses, and any information detected that may be of use in gaining unauthorized access to the information assets.
Messaging System Assessment
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Messaging System Assessment service reviews the security of the email environment including the desktop mail-client component, mail server architecture, mail routing, email virus protection and the administrative, operational and support procedures including the Business Continuity Plan and Disaster Recovery Plan of the email system.
Telephony-based Penetration Assessment
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Telephony-based Penetration Assessment service is designed to identify 'back-doors' into a Company network by systematically dialing a range of telephone numbers associated with the Company and analyzing the responses received. This is known as war-dialing. The service will attempt to identify lines with modems, PBXs or other systems attached and determine whether access can be achieved. Such modems, PBXs or other systems are likely to be set up to accept inbound calls with little or no authentication, and although the main gateway to the Company network may offer extensive logging of user activity, such systems bypass this logging and provide an unmonitored route directly to the internal network. These systems present an enticing target to hackers and need to be properly installed, configured and maintained.
Network Penetration Service
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Network Penetration service is a full network and system penetration testing service, designed to penetrate a client's network infrastructure via any feasible route, exploiting any vulnerabilities identified. Successful penetration is proved by performing a privileged operation such as creating a file on the target host containing a message from our team. This service does not confine itself to penetration attempts via the Internet; penetration of the network via other access points is equally valid. These access points may include dial-up RAS servers, employee tele-working points, or customer and supplier (trusted party) connections. The range of tools and utilities used in this service includes war-dialers and password cracking programs, to name a few. Tools will be selected according to the method being attempted. This service is carried out over a specific period of time - 7, 14, or 28 days.
Forensics
Security Incident Analysis
Based upon ISO/IEC 17799 and ISO/IEC 27001, the Forensics Security Incident Analysis service provides investigative procedures and analysis of data held on computers for evidence that a crime has been committed. The investigation is carried out in a forensically sound manner that will preserve the accuracy and integrity of any potential evidence and will ensure admissibility in a court of law.