Web Security
In the current digital age security is all-important. Whether it is your data or your identity that needs protecting, we can help.
We offer a penetration test service for your web site to give you confidence that your valuable data and your reputation are secure.
A penetration test is a set of procedures designed to bypass the security controls of a system in order to test the system’s resistance to attack.
A standard penetration test follows these steps:
The objectives of this step are to gain an understanding of the web infrastructure: for example identifying which protocols are in use and on which ports, how many servers are present, and which web server software and versions are running.
Owing to the number of well-publicised web server vulnerabilities, this step attempts to exploit known weaknesses in the identified server software in order to gain access to the server itself.
This step aims to identify the structure of the site, listing all of the reachable pages and noting how they interact with each other. It also identifies the parameters passed to each page and the cookies that are set and used.
The objective of this step is to attempt to gain access to protected pages and content without holding valid credentials. Often the most effective technique is simply password guessing, which can be automated to try username/password combinations read from a word list.
Other techniques are session ID prediction, cookie manipulation, and SQL injection of the login form.
The distinction between authentication and authorisation is that authentication determines if a user can log in to an application and authorisation determines what part of the application an authenticated user can access.
The objective of attacking authorisation is to perform actions that the authenticated user is not permitted to perform.
Examples of these types of attack are viewing other users' data and performing transactions on behalf of other users.
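The two classes of attack described above, as an added example in Python that is not part of the original page: a login query built by string concatenation, which the username `alice' --` bypasses without a password, beside its parameterised form; and a record lookup that checks only the record id, so one authenticated user can read another's data, beside a lookup scoped to the calling user. The schema, usernames, passwords and records are constructed for the demo and are assumptions, not taken from the page.

```python
"""Added example (not from the original page): an authentication bypass via
SQL injection of a login form and an authorisation bypass that lets one user
read another's records, each beside its fixed form. Schema and data are
constructed for the demo."""
import hashlib
import sqlite3


def pw_hash(pw: str) -> str:
    # Plain SHA-256 keeps the demo dependency-free; real code should use a
    # slow, salted password hash (argon2, bcrypt or scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one private invoice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    for uid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "hunter2")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, name, pw_hash(pw)))
    db.execute("INSERT INTO invoices VALUES (101, 1, 'alice private invoice')")
    db.execute("INSERT INTO invoices VALUES (102, 2, 'bob private invoice')")
    return db


# --- Authentication: SQL injection of the login form --------------------

def login_vulnerable(db, username: str, password: str):
    """Concatenates the username into the query, so the attacker controls
    the SQL. Username "alice' --" comments out the password check and the
    query becomes: ... WHERE username = 'alice' --' AND pw_hash = '...'"""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Parameterised query: the username is bound as data, never parsed as
    SQL, so the same payload is simply a username that does not exist."""
    row = db.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                     (username, pw_hash(password))).fetchone()
    return row[0] if row else None


# --- Authorisation: reading another user's data -------------------------

def get_invoice_vulnerable(db, session_user_id: int, invoice_id: int):
    """Looks the invoice up by id alone: any logged-in user who guesses or
    increments an id can read any other user's invoice."""
    row = db.execute("SELECT body FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


def get_invoice_safe(db, session_user_id: int, invoice_id: int):
    """Scopes the lookup to the caller's own records. A foreign id returns
    None, which the web layer should render as 404 rather than 403 so the
    response does not confirm that the record exists."""
    row = db.execute("SELECT body FROM invoices WHERE id = ? AND owner_id = ?",
                     (invoice_id, session_user_id)).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    """Runs both attacks against the vulnerable and the fixed handlers."""
    db = build_db()
    payload = "alice' --"          # injected username, no password known
    return {
        "sqli_vulnerable": login_vulnerable(db, payload, "anything"),   # 1 (alice)
        "sqli_safe": login_safe(db, payload, "anything"),               # None
        "idor_vulnerable": get_invoice_vulnerable(db, 2, 101),         # bob reads alice's
        "idor_safe": get_invoice_safe(db, 2, 101),                     # None
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result!r}")
```

The test for the authorisation bug is the one a tester performs by hand during the authorisation step: log in as one user, note the id of a record you own, then request a neighbouring id and see whether the server checks ownership.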
In addition to these standard tests there are a number of other security tests that we can perform depending on your requirements.
Benefits
- You will know what external services are publicly available at a point in time and you can act to remove unnecessary services.
- Vulnerabilities are highlighted and can be dealt with to reduce risk of unauthorised access or loss to business assets.
- The test mimics how a real intruder may attempt to compromise the system. It is an offensive rather than a defensive measure, and so gives a realistic picture of how secure your network is in practice.
- The test highlights serious weaknesses in your network before a real attacker exploits them.
- The test exercises your ability to detect and respond to security incidents, and so helps improve your detection and response effectiveness for the future.
- As the test is independent, it is an objective assessment of your external security, and so is more likely to identify weaknesses than a review performed by those responsible for that security.
- The test and report can be used to justify the security budget.
- The report lists security issues in order of severity, so that remedial action can be easily prioritised.
- The report creates management and board awareness of security weaknesses and improvements.
- The test provides confidence in the security of the network infrastructure.
- You can demonstrate to clients that their confidential data is an important asset to be protected.
- A follow up test can verify the impact of a security program and justify the expense.
- The test can identify systems that have already been abused, so that an investigation or forensic examination can determine the perpetrators and the effect on business information assets.
- The test helps assess compliance with legislation and standards such as the Data Protection Act.
- A test on a system prior to go-live may highlight issues before the system is publicly reachable.
- The report exists as evidence of security issues that need to be addressed, or evidence to assist with compliance to standards.
- Regular tests help ensure that your network is not compromised by changes in network services or by newly published vulnerabilities.
- Vulnerabilities highlighted in the tests can be used to develop your security policy, security procedures and longer-term strategy on information security.