Services

Infrastructure Penetration Testing Services

Integralis Infrastructure Penetration Testing services help you identify how known and unknown vulnerabilities can be exploited by unauthorised intruders. As a result you can gain a higher level of confidence that your location and data is secure and that you are in compliance with security mandates and industry standards.

We use the latest tools and technology to test your:

  • Wired and wireless networks as well as unified communications including Voice over IP (VoIP)
  • Key systems
  • Applications
  • Internet connections.

Our flexible approach covers on-site and off-site testing and detailed manual analysis, correlation, and prioritisation of results by our expert security consultants. The resulting comprehensive report addresses vulnerabilities from both a technical and business perspective and details recommended and prioritised remediation efforts.

The Integralis Infrastructure Penetration Testing service is a combination of manual and automated testing. Manual testing provides intelligent analysis that is not available with a fully automated scan. Services are available to address: both Internet-facing and internally-accessible infrastructure; and both non-aggressive testing, designed to identify, but not exploit, potential vulnerabilities, and aggressive testing, designed to identify vulnerabilities and leverage them to determine further issues.

The Internet-facing service encompasses the following:

  • In-depth testing of all Internet available services, this will allow the customer to ensure that the appropriate versions and patches are applied to applications, a frequent source of hacking exploitation.
  • Unexpected or overly permissive visibility of hosts, allowing the customer to ensure full control over the Internet facing network infrastructure.
  • Identification of unexpected use of the network, such as IRC and Peer-to-Peer (P2P) networks, which can act as a source of information for attacks including social engineering.
  • Identification of information leakage regarding the internal servers and the networks they may be connected to.

The service is run in a number of stages by Integralis consultants. Each stage tests deeper into the network infrastructure and higher in the OSI model towards, where appropriate, the final test examining the application data. We follow procedures that are based on the well-respected OSSTMM Open Source Security Testing Methodology Manual (www.osstmm.org).

We also strongly recommend the Infrastructure Penetration Testing service for critical internal systems, such as database servers, RAS access points, application servers and intranet web servers that are not visible from the Internet. The service identifies vulnerabilities that exist through misconfiguration as well as those present in commercially released operating systems or applications that may be exploited to gain unauthorised access. The service operates most effectively in a ‘white box’ model with the client identifying the systems that are to be closely examined prior to the start of the work.

Vulnerability Assessment

As a lower cost alternative to full penetration testing (as described above) Integralis can offer a simpler vulnerability assessment service. The service is an intelligent, comprehensive, automated scan of your hosts, providing an assessment designed to identify, but not exploit, potential vulnerabilities. To minimise the risk of false positives, associated with automated scans, Integralis conducts a high level manual confirmation exercise and report.

The service can be performed externally, via the Internet, against specific external hosts; or it can be performed internally against critical servers. It identifies:

  • vulnerabilities that exist through misconfiguration
  • vulnerabilities present in commercially released operating systems or applications, which may be exploited to gain unauthorised access to the internal network or key servers.

Integralis consultants carefully compare the results of automated tools before completing a comprehensive report, suitable for technical staff. Technical issues are prioritised and explained, and remedial action or workarounds proposed. Human interpretation ensures that a client is provided with the best advice, presented in an easy-to-understand format.

PCI ASV Scanning Services

The Payment Card Industry Data Security Standard (PCI DSS) requirement 11.2 requires a merchant to run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). The external scan must be completed by a PCI Approved Scanning Vendor (ASV).

The Integralis PCI ASV Scan performs a vulnerability assessment against hosts, via the Internet, that require remote auditing for PCI compliance. This service combines security experts with best-of-breed scanning technology to identify real and potential vulnerabilities in Internet facing systems such as routers, firewalls, web servers and email servers. It also identifies vulnerabilities that may exist as a result of misconfigurations and that may be inherent to commercially released operating systems and applications and could result in unauthorised access to the internal network and infrastructure components.

We employ a combination of leading test tools combined with expert detailed manual analysis of results for both network security and Internet security scans. Our attention to detail minimises the risk of false positives and reporting of erroneous vulnerabilities.

Once complete, we provide you with a comprehensive report that includes:

  • Detailed analysis of the overall security risks within the scanned network
    • Operating system vulnerabilities
    • Application vulnerabilities
  • Reconfiguration recommendations
  • Fixes
  • Remediation prioritisation
  • Common industry references
  • Infrastructure compliance status