Stormwind's staff of professional hackers and Certified Information Systems Security Professionals have many years of experience providing consulting expertise to both small and Fortune 500 businesses. Please call Stormwind if you are interested in finding out more about the following consulting services.
- Internal Security Assessments
- External Security Assessments
- Security Policy Assessment & Design
- Secure Network Architecture Review & Design
- IT Governance Implementations
- IT Compliance Reporting Implementations
Internal Security Assessments
Up to 70% of attacks come from inside the security perimeter. The heart of a company and its data can be vulnerable to disgruntled employees who already have the keys to the kingdom, or to improper infrastructure configuration that allows guests to access key corporate information. Stormwind's internal network assessments review the internal network design and vulnerabilities in the infrastructure layers of your organization.
Stormwind will provide you with both an executive and a detailed report. The executive report can be filed with the SOX, HIPAA, and GLB auditors, while the detailed report is used by the system administrators to remediate the vulnerabilities. Stormwind also provides a remediation workbook to the system administrators so they can easily keep track of their work and provide "% complete" status reports to management, as well as show due diligence to auditors.
In addition to the written report, Stormwind Security Consultant(s) will conduct a review meeting to discuss Stormwind's findings. Specific questions and concerns from Client can also be addressed at this time.
External Security Assessments
Stormwind uses an external assessment methodology that mimics the process used by hackers to gain access to information and systems at a company’s site. The methodology combines state-of-the-art testing techniques with unique security expertise to provide Client with an independent assessment of its security posture. Stormwind consultants use a set of evaluation tools (public domain, commercial and “home built”) to gather vulnerability information. Testing of the Client’s Internet connection is conducted from an external site.
Focused attention will be given to the application servers that are accessible from the Internet. During the audit the following techniques will be applied to determine the vulnerabilities:
- Hidden Manipulation – changing hidden field values
- Cookie Poisoning – altering the content of a cookie
- Backdoor & Debug Options – trying debug syntax on URLs
- Buffer Overflow – sending large numbers of characters to a web site
- Stealth Commanding – placing of “Trojan Horses”
- 3rd Party Mis-Configuration – attempting web server default configuration vulnerabilities
- Known Vulnerabilities – trying all publicly known vulnerabilities
- Parameter Tampering – altering parameters on the URL
- Cross Site Scripting – entering executable commands into web site buffers
- Forceful Browsing – accessing orphan scripts
Stormwind will provide you with an executive report that can be filed with your SOX, HIPAA, or GLB auditors and also give you a project workbook to track the remediation activities discovered during the vulnerability testing.
Security Policy Assessment
Security policies are the cornerstone of an effective security program. The security policy defines objectives, assigns responsibilities, and provides direction to protect your organization’s critical information.
To be effective, your security policy must be tailored to directly address the specific security issues that affect your organization. Attempting to fit an organization’s security policy into a standard template is not likely to result in a practical or useful policy — or an effective security program. Even though security has become a crucial business issue, many organizations still suffer from incomplete, obsolete, or poorly organized policies — and many don’t have a security policy at all.
Stormwind will perform the following:
- Review the existing security policy.
- Review the operational framework that enables the policy.
- Identify missing IT control standards that are specific to your business.
- Collect evidence records verifying the policy is in operation.
- Provide a detailed report of recommendations and a project workbook to track the remediation activities.