IT System Security Testing
IT systems are complex: they consist of many interconnected and interdependent components, and both the technology and the Customer's requirements change frequently and rapidly.
At the same time, implementation deadlines keep shrinking, and as a result IT systems become vulnerable to malicious attacks.
Regardless of the preventive measures taken, the Customer can never be fully certain how vulnerable the system is, or whether it can detect every misuse by Users and repair the effects.
Because of this potential vulnerability, Customers periodically need, and in some cases are legally required (by the PCI standard and by Macedonian National Bank requirements), to carry out a penetration test.
A penetration test simulates an attack by a highly motivated and skilled attacker.
The attacker is assumed to have only publicly available information and unprivileged access to the system. Customers need to test how vulnerable their systems are across several attack routes: from the Internet, from the wireless network, and from the internal local network.
This type of testing finds the actual, current vulnerabilities and defects that could be used to compromise the confidentiality, availability and integrity of the IT system.
In line with the prior agreement with the Customer, the ECS team of experts attempts to exploit the system's vulnerabilities and gain access beyond the level of their authorisation.
The team agrees with the Customer on the attack route (e.g. over the Internet), the attack target (e.g. a network segment, a specific device or application), the timing of the attack, and the methods that are excluded from the testing (e.g. social engineering or denial of service).
Customers should treat any system segment that remains untested as vulnerable. ECS uses only ethical testing methods.
The end result of the penetration test is a written report. The report describes the system tested, the security defects found, the level of unauthorised access achieved, recommendations for remediation, and general recommendations that would improve the security of the IT system.
IT systems change over time. The security policy should require a penetration test at least once a year, and additionally after any major change to the IT system.
The test gives concrete results: the experts who carry out the penetration test either succeed in breaking into the Customer's system or they do not.
A penetration test deals neither in theoretical weaknesses nor in theoretical protection against phantom threats. Every vulnerability detected and described is real, with real consequences for the security of the system (while a test that finds nothing does not prove that no weaknesses exist).
A penetration test is a form of prevention against unexpected direct costs, as well as the indirect costs of troubleshooting and repair after an incident.
The Customer benefits from a project with a fixed cost, a fixed deadline, and clear, precise results.
It is also valuable to obtain an independent opinion, unaffected by in-house relationships, sales pressure, or the difficulty of fixing the problems found.
ECS has a large number of permanently employed specialists in a variety of areas, who can cover virtually any configuration a Customer may have.
Four of them are dedicated to security. We use both open-source methodologies and tools and commercial tools.
In particular, we use the Qualys security scanner, which is recognised by the credit card issuers' association.
Testing is carried out under the following conditions:
- A confidentiality agreement.
- Ongoing contact with the technical staff during testing.
- Mandatory backup of all systems included in the testing.
PRODUCTS AND SERVICES
- Penetration test
- Report on the penetration test results
- Presentation for board members
- Presentation for the technical staff