External Vulnerability Assessment
DirSec offers external vulnerability assessments designed to look at your environment from the public Internet (i.e. outside looking in). The Internet-facing perimeter is the first line of defense on most networks. During this assessment we identify vulnerabilities in externally reachable systems that could allow access to private areas of your network, allow a denial of service against it, or expose information from it.

If such vulnerabilities are identified, you may choose to follow up with a Penetration Test. We provide this service remotely, and it usually does not require an onsite visit. The External Vulnerability Assessment concludes with a final report that enables you to mitigate the identified vulnerabilities and to develop a project plan and prioritized strategy for remediating your external-facing environment.
Internal Vulnerability Assessment
DirSec offers internal vulnerability assessments designed to look at your environment from the inside (i.e. inside looking around). This assessment covers the systems your users interact with day to day on the internal network. During this assessment we identify vulnerabilities that could allow access to private areas of your network, allow a denial of service against it, or expose information that should not be available to everyone on the LAN. We also verify password complexity and review a sample of servers and workstations to determine what may need to be done to improve your organization's security posture. Anti-virus protection and patch management are assessed during the same engagement.

We provide this service onsite. It requires interaction with IT staff and may require limited input from end users. The Internal Vulnerability Assessment concludes with a final report that enables your organization to mitigate the identified vulnerabilities and to develop a project plan and prioritized strategy for remediating your internal environment.
Penetration Testing
DirSec offers penetration testing, commonly referred to as "ethical hacking", to determine whether we can actually obtain information from your private network. During this process we use the same tools and methods that attackers use to gain access to, or control of, systems and information that should be protected. This type of testing is performed with caution, as it may disrupt services for network users. During the test we also attempt to avoid detection by your Intrusion Detection Systems (IDS).

We provide this service remotely, following an External Vulnerability Assessment (above). It helps you determine the actual risk associated with the vulnerabilities identified in the assessment, since a finding that can be exploited in practice warrants a different priority from one that cannot. After verifying the findings, we recommend a mitigation plan to secure your data and network, and we report on what was accessed, corroborated against logs from the IDS and other systems.
IDS Avoidance is the practice of spreading an attack out over a longer period of time while attempting to gain access to or penetrate the network. Threshold-based IDS rules for reconnaissance and brute-force activity fire only when the number of events from one source exceeds a limit within a fixed time window; probes spaced far enough apart stay under that limit and are never reported. Please note that selecting the IDS Avoidance option increases the time required to complete the project. However, a patient intruder would work exactly this way, so the option tests your IDS against the behavior it is most likely to miss.
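Threshold-based detection of the kind described above, as an added example that is not part of DirSec's page or tooling: a sliding-window port-scan rule run over constructed connection records. The same 25 probes fire the rule with a 60-second window when sent one per second and slip past it when spaced ten minutes apart, while a day-long baseline catches both. The source addresses, port list, timings and thresholds are all constructed for the demo.

```python
# Added example, not DirSec's code: a threshold-based port-scan rule of the
# shape many IDS deployments use, run over constructed connection records, to
# show why spreading probes out in time (IDS Avoidance) defeats a short
# detection window and what a longer baseline recovers.
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 8, 0, 0)  # constructed start time for the sample data


def make_connections(src, start, ports, interval_s):
    """Constructed connection records: one probe from `src` to each port in
    `ports`, spaced `interval_s` seconds apart. Returns (timestamp, src, port)."""
    return [(start + timedelta(seconds=i * interval_s), src, p)
            for i, p in enumerate(ports)]


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993,
              995, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 8080, 8443, 9200]

# Fast scan: 25 ports in 25 seconds, the pattern a default rule is tuned for.
FAST_SCAN = make_connections("198.51.100.10", T0, SCAN_PORTS, interval_s=1)
# Low-and-slow scan: the same 25 ports, one probe every 10 minutes (~4 hours).
SLOW_SCAN = make_connections("198.51.100.20", T0, SCAN_PORTS, interval_s=600)
# Legitimate client: repeated web traffic to two ports over the same hours.
LEGIT = make_connections("192.0.2.5", T0, [80, 443] * 50, interval_s=60)

EVENTS = sorted(FAST_SCAN + SLOW_SCAN + LEGIT)


def distinct_port_alerts(events, window_s, threshold):
    """Alert on any source that touches >= `threshold` distinct destination
    ports within any `window_s`-second sliding window. This is the shape of a
    typical port-scan signature; `window_s` is what a slow scan attacks."""
    recent = defaultdict(deque)  # src -> deque of (ts, port) inside the window
    alerted = set()
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Drop records that have aged out of the window (q is never empty here).
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerted.add(src)
    return alerted


def compare_windows(events, threshold=20):
    """Run the same rule with a short window (seconds) and a long one (a day)
    and return which sources each flags."""
    return {
        "short_window_60s": distinct_port_alerts(events, 60, threshold),
        "long_window_24h": distinct_port_alerts(events, 24 * 3600, threshold),
    }


if __name__ == "__main__":
    for name, hits in compare_windows(EVENTS).items():
        print(f"{name}: {sorted(hits) or 'no alerts'}")
```

Widening the window is not free: a long baseline also accumulates the legitimate variety of busy hosts, so the threshold has to be re-tuned against real traffic, and an attacker who also rotates source addresses defeats per-source counting entirely. The only way to know where your thresholds actually sit is to test against probes paced below them, which is what the IDS Avoidance option does.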
Audit Trail Review
DirSec has developed an offering in which we review the audit trail in your organization, or establish that one does not yet exist. An appropriate audit trail helps defend and protect your organization by enabling the appropriate staff to understand not only who did something, but how and when it occurred. This information is invaluable for writing policy and for establishing a defensible position, which most compliance regimes (such as HIPAA, Sarbanes-Oxley and GLBA) require.

We provide this service as a combination of onsite and offsite work. Penetration Testing and Vulnerability Assessments are generally combined with it, so that the activity they generate can be used to validate that the audit trails actually captured it. The goal of the review is a logging and audit trail capability that enables your organization to review incidents, debrief and defend its private information.
Wireless Security Survey
DirSec offers wireless security surveys that can be provided alone or added to any of the above services. The purpose of the survey is to determine whether internal systems can be reached through your wireless networks, and to look for rogue access points that are not authorized in the environment.

We provide this service onsite. It requires interaction with IT staff and may require limited input from end users. The Wireless Security Survey concludes with a final report that enables your organization to mitigate the vulnerabilities associated with having wireless networks in your environment.
War Dialing
DirSec offers war dialing services that can be provided alone or added to any of the above services. The purpose of this assessment is to determine whether internal systems can be reached through modems and other telephone-connected devices over the public switched telephone network (PSTN), and to look for rogue modems that are not authorized in the environment.

We provide this service onsite. It requires interaction with IT staff and may require limited input from end users. The War Dialing service concludes with a final report that enables your organization to mitigate the vulnerabilities associated with having dial-up capabilities in your environment.
IDS Assessment
DirSec offers IDS assessment services that can be provided alone or added to any of the above services (the assessment is included with Penetration Testing). Its purpose is to analyze the ability of your IDS equipment to detect and report our attempts to access the network and its data without authorization.

We provide this service onsite or offsite, depending on the design of your network, and it requires interaction with IT staff in some cases. The IDS assessment concludes with a final report that enables your organization to tune, enhance or deploy IDS in your environment.
Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) plays a vital role in the business continuity planning process, ensuring that senior management allocates resources in the most cost-effective way to balance operational continuity with business needs. The BIA must link interruptions of operations to business needs; otherwise the assessment may lead to too much or too little investment in business continuity. A BIA methodology should provide not only a technical assessment of business impacts, but also a business justification for disaster recovery and business continuity plans.

The DirSec BIA requires interaction with a wide variety of resources at your location, with both onsite and offsite work. The BIA will help your organization understand its critical business systems and develop a customized business continuity and/or disaster recovery plan.
Social Engineering
In computer security, "social engineering" describes a non-technical type of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises its security. They might call the authorized employee with some kind of urgent problem; social engineers rely on people's natural helpfulness as well as on their weaknesses. Appealing to vanity, appealing to authority and old-fashioned eavesdropping are typical social-engineering techniques.

Another aspect of social engineering exploits the fact that people have not kept pace with a culture that relies heavily on IT. Social engineers count on people not being aware of the value of the information they possess and being careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder ("shoulder surfing"), or take advantage of people's natural inclination to choose passwords that are meaningful to them but are also easily guessed.

Security experts expect that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing their awareness of how social engineers operate.

We provide this service both onsite and offsite, and may combine it with other methods of intrusion. Our Social Engineering service will help your organization identify weaknesses in policy, procedure and staff training related to information security.
Risk Analysis
Risk analysis plays a role in corporate governance and performance, ensuring that senior management allocates resources in the most cost-effective way to balance information security with business needs. The risk analysis process must link security exposures to business needs; otherwise it may lead to too much or too little information security.

The DirSec Risk Analysis process varies according to your organization's particular needs and skills, as well as the particular risk analysis tools deployed.

Fundamentally, the risk analysis process must answer these questions:
- What can go wrong?
- How likely is it to go wrong?
- What are the consequences if it does?

Real-world risk analysis goes beyond the answers to these questions. It identifies and evaluates business processes and the information systems that support them, potential system vulnerabilities and threats, the resulting risks, and the effectiveness of possible controls. Once these steps are completed, the process should be repeated on a regular basis to ensure that the decisions made and the controls implemented continue to reduce risk while effectively meeting business needs and goals.

Our Risk Analysis service typically contains most, if not all, of the processes discussed above, customized to your environment and to the compliance requirements your organization faces, including HIPAA, SOX, GLBA and FISMA.

We perform this service both onsite and offsite. The overall process varies depending on compliance requirements and on the organization the work is being performed for. Our Risk Analysis service provides your organization not only with a technical assessment of vulnerabilities, but also with business justification and prioritization for implementing security controls.