Application Security

Even in a well-deployed and secured infrastructure, a weak application can expose sensitive information to unacceptable risk. An assessment can ensure that the application doesn't expose its underlying servers and software to attack, and prevent malicious users from accessing data or services within the system.

Our Application Security Testing services are designed to identify and assess threats to the organization. We offer both Dynamic Application testing and Source Code Application Reviews. Dynamic Application Testing analyzes the dynamic behavior of the code. Our security engineers will assess application variables and determine how they respond to manipulation. Application Source Code Reviews analyze a combination of the code of the application, application architecture, and results from the dynamic application testing to build a comprehensive view of the application’s overall security. As a consulting sponsor of Open Web Application Security Project (OWASP) at www.owasp.org, our services are designed to identify and assess threats to the organization.

Compliancy Audits and Services

TRM performs a range of Compliancy Audits and Services. TRM can:

• develop and execute information security strategy
• develop and implement cost reduction strategies
• perform due diligence for mergers, acquisitions, divestitures, and joint ventures
• design and implement IT Security and Compliance programs and Risk Management programs, including policies, processes, internal controls, procedures, metrics, reporting, and training
• perform Risk Assessments
• design and document IT Security policies and their alignment with laws, regulations, compliance requirements, and existing technology and practices
• perform other specialized audits and compliance reviews (HIPAA, PCI, and Data Privacy)"

Incident Response

Even the most proactive cyber security plan must include contingencies for the unexpected. When your organization's protected information is at risk, AccessIT Group provides Incident Response services. Whether by phone, on-site, or remote intervention, AccessIT Group's security engineers provide the services and know-how required to restore data security and ensure business continuity.

AccessIT Group Incident Response services are available in the event of an emergency or as part of a TRM security support package.

InspectIT

Vulnerability assessments are essential to effective information security. Most organizations don't have the staff or the resources to perform their own assessments. For 10 TCP/IP devices to 20,000 TCP/IP devices, the solution to this problem is InspectIT®, available exclusively from AccessIT Group.

Identify and remediate network infrastructure and remote access vulnerabilities without adding additional staffing, software, or hardware costs. With InspectIT and our team of certified information security professionals, you can satisfy information security regulatory requirements with a trusted partner.

Get detailed analysis reports that show you exactly where your network and systems are vulnerable. With this information you can mitigate risks and demonstrate due diligence for regulatory requirements. Reports are provided both graphically and textually and they include an executive summary, security threat summaries and definitions of key terms, all in a straightforward and easy-to-read style.

The InspectIT suite features:

• weekly and monthly InspectIT assessments;
• multiple levels of reporting;
• ease of use with no agents to download, install, or configure;
• rapid worldwide deployment; and
• a certified and trusted partnership with AccessIT Group.

Optional features include:

• unlimited InspectIT war dialing of telephone remote access systems;
• web application assessments; and
• a free 15-Day Evaluation.

Penetration Testing

A penetration test is the practice of evaluating the security of a computer system or network by simulating an attack from a malicious source. It can be performed through full disclosure of the topology and environment (white box) or with no knowledge of the environment (black box).

The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Any security issues found will be presented to the system owner together with an assessment of their impact and a customized remediation plan to mitigate the risk. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.

Social Engineering

Social Engineering addresses non-technical intrusions, which typically result from human action. These services often involve tricking people into breaking normal security procedures.

Social engineering usually involves a deception: trying to gain the confidence of a trusted source by relying on the natural helpfulness of people as well as their weaknesses. Other Social Engineering techniques include eavesdropping, appealing to the target's vanity or their authority, as well as physical security bypass and searching refuse bins for sensitive information.

The following Social Engineering services are offered as part of our comprehensive Technology Risk Management practice:

Pretexting. Typically done over the phone, it is the act of creating and using an invented scenario to persuade a targeted victim to release information or perform an action. This technique is often used to trick a business into disclosing customer information. For example, calling the helpdesk to reset an account password without verifying the caller.

Phishing. The “phisher” sends an email that appears to come from a legitimate business, such as a bank or credit card company, and requests “verification” of account information. The email usually contains a link to a fraudulent web page that seems legitimate, and contains a form requesting everything from the user's home address to his or her debit card PIN number.

Dumpster/Trash Can Diving. These techniques are used to retrieve information that could be used to carry out an attack on a computer network. Diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used by an attacker to target victims and gain access to the network.

USB Drops. An engineer will drop multiple USB drives outside of your company. If the USB drives are inserted into a PC, a program will auto run and connect via secure channel to AccessIT Group through an open port. If requested, sensitive account and PC information can be copied and used to attempt to penetrate the internal network.

Mobile Exploits. The act of assessing device security by launching actual attacks designed to run on or against targeted devices. This technique involves replicating email and text-based phishing attacks to determine whether employees would click through to malicious sites and/or install nefarious mobile apps.

Threat Mapping Assessments

Our team of certified penetration testers will perform a Threat Mapping Assessment of your network. Our goal is to define the attack scenarios that have the greatest potential impact on your company’s infrastructure, to see how each asset is exposed and to obtain a comprehensive risk overview of your network.

Our security engineers will combine an external and internal vulnerability assessment and penetration test along with configuration data from network firewalls, routers, switches, and host-based firewalls to capture a complete representation of your network security posture. We will analyze possible attack scenarios proactively and completely. This solution will reveal weaknesses in the network, evaluate the impact of a combination of exploits, and recommend changes based on the following:

Modeling both hosts and network infrastructure devices such as firewalls and routers, mapping reachability from attackers to hosts identifying exploitable paths through the network where vulnerabilities are reachable, building a clear path of possible attacks, including multi-hop attacks.

We will provide your company a remediation plan that will prioritize vulnerabilities by considering them against your overall network context, recommending those actions that will improve your overall security posture the most.

Vulnerability Assessment

Proactively fortify your high-risk information assets against emerging threats with AccessIT Group's Vulnerability Assessment and Vulnerability Testing services. In a Vulnerability Assessment, AccessIT Group security engineers perform a top-to-bottom inspection of your network and its known points of vulnerability, providing insight into the safety and security of your critical information and assets. AccessIT Group's Vulnerability Testing examines your points of vulnerability and reports the potential damage that could be incurred if a threat were to breach these gateways.

Wireless Services

AccessIT Group can help ensure the security, performance and reliability of your new wireless or remote network.

Our Engineers will perform a comprehensive analysis of your company’s wireless infrastructure. AccessIT Group security engineers will:

• review existing local security policies;
• review your system architecture and configurations;
• verify encryption and authentication levels;
• investigate physical installations of access points;
• identify rogue access points;
• perform a vulnerability assessment and penetration tests;
• analyze security gaps; and
• validate any identified issues.