External Infrastructure Testing

Network Testing

These services are based on an integrated, intelligence-led consultative approach and are designed to subject the public-facing elements within an organisation’s network infrastructure to external attacks. Tests target areas including remote access systems like virtual private networks (VPNs) and telecoms networks. Techniques used include SQL injection, IP spoofing and attack scripts. We may also use targeted application testing to try to subvert application code or logic in order to make it perform actions outside its usual constraints. We also offer vulnerability assessment (VA) services and can train clients’ staff to implement VA exercises themselves, if regular assessments are required.

PCI ASV

The Payment Card Industry (PCI) Data Security Standards (DSS) are designed to ensure that any organisation storing, processing and/or transmitting credit card data does so correctly and safely, protecting this sensitive data from fraudsters or other security threats. The standards are based in part on some of the same principles that underpin ISO27001, but were formed through the merging of security procedures developed by Visa and MasterCard.

Context is a PCI DSS Approved Scanning Vendor (ASV), so is fully equipped to carry out the regular security assessments required for compliance.

Telecoms

Telecoms security is as important to the operational health and safety of an organisation as IT security, and Context offers a range of services designed to protect against attacks on telephony networks. These include security assessment and auditing services, to help protect against attacks on telephone PBX, Interactive Voice Response (IVR) and Automatic Call Distribution (ACD) systems. Left unsecured, these systems could be exploited by external attackers or internal staff intending to perpetrate toll fraud and the theft and resale of long distance call services. We can also assess the security of voicemail systems, through which it may be possible to access confidential information.

Voice network security assessments are based on a combination of war dialing and the use of telephone management tools that enables us to carry out a comprehensive review of both inbound and outbound network traffic. War dialing is an effective method of modem detection, but it can only detect modems that could be accessed by inbound callers, not modems set to make outbound calls or modems in constant use. These may be on the network for legitimate reasons but should be secured or removed, if necessary. To fill these gaps in modem detection and telecoms network traffic analysis, Context uses monitoring tools that are plugged in between the organisation's PBX and the telecoms carrier and monitor inbound and outbound call activity for a set period, usually a week.

Physical Testing

An organisation that boasts the most rigorous, best-designed security strategies and policies can still be vulnerable to physical and social engineering attacks. Context is able to carry out comprehensive assessments of physical security, which may entail consultants trying to access a client’s building to see how easy it might be for unauthorised persons to move around the building to access internal networks and data.

We can advise clients on the design and implementation of access control systems and policies and on the use of procedures covering the disposal of classified information and of waste paper. We can identify and counter risks related to staff being bribed or coerced by malicious individuals, or attempts to obtain information via more sophisticated methods. We also specialise in “red team” exercises, during which we attempt to gain access to a client’s systems via any available attack avenue.

Vulnerability Analysis

Companies may wish to conduct a vulnerability scan rather than a full external infrastructure test. Unlike the infrastructure test, this is a tool-driven exercise rather than consultant-led, and entails compilation of a list of potential vulnerabilities within the network. As all tools are prone to generating false positives, and no tool kit can ever provide absolute coverage, these results are then reviewed manually by Context consultants. This allows us to add value to the process by manually verifying issues in order to confirm their presence (or not), adding coverage where tools fall short and placing issues in a real world context related directly to a client’s specific needs.


© Copyright 2013 Context Information Security