The requirement to secure today’s network services is no longer focused on securing the perimeter alone. Network security now includes the requirement to enable communications between different organisations and for mobile workers. In addition, the criticality of today’s communications infrastructure includes the requirement to protect e-mail, instant messaging, BlackBerry® and other collaborative communication mechanisms from both a business continuity and data privacy perspective.
Over time, a well-designed and expensive security infrastructure can become vulnerable to newer types of attack. For example, we have found web servers that pass unfiltered user input to their back-end application, leaving it open to SQL injection. We have also found websites that use strong authentication yet still fall to phishing, because nothing protects the authenticated session itself from being hijacked. While perhaps sounding far-fetched and sophisticated, these risks have led to actual fraud.
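The first of these two findings, a back-end query built from unfiltered user input, is easy to reproduce. The following is an added illustration and not code from Deloitte or from any client engagement: it assumes a toy `users` table with one constructed credential (`alice` / `correct horse`) in an in-memory SQLite database, and contrasts a login check that concatenates the input into the SQL string with one that binds it as a parameter.

```python
import sqlite3


def build_db():
    """Create an in-memory database with one constructed test user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credential; a real application would store a password hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern found in the field: user input is spliced into the SQL text.

    Anything the user types becomes part of the query's syntax, so quotes,
    OR clauses and comment markers change what the query means.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """The remediation: bind the input as data, never as SQL syntax.

    The driver sends the query shape and the values separately, so a quote
    or comment marker in the input is compared literally against the column.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demonstrate():
    """Run the same inputs through both checks and return the outcomes."""
    conn = build_db()
    # Hypothetical attacker inputs: the classic tautology and a comment-out.
    tautology = "' OR '1'='1"
    comment_out = "alice' --"
    return {
        # Legitimate credentials succeed either way.
        "vulnerable_real_creds": login_vulnerable(conn, "alice", "correct horse"),
        "parameterised_real_creds": login_parameterised(conn, "alice", "correct horse"),
        # Tautology in the password field: ... AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches and login succeeds.
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        # Comment marker in the username field: the password clause is discarded.
        "vulnerable_comment": login_vulnerable(conn, comment_out, "wrong"),
        # The same inputs are treated as literal strings by the bound query.
        "parameterised_tautology": login_parameterised(conn, "alice", tautology),
        "parameterised_comment": login_parameterised(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {'login succeeded' if outcome else 'login rejected'}")
```

The point a tester looks for is the gap between the two rows of results: with the concatenated query both injected inputs log in without a valid password, while the bound query rejects them. Escaping or filtering quotes in the input is not a substitute for parameter binding, since it has to be applied correctly at every call site and fails silently when one is missed.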
Deloitte’s Infrastructure Vulnerability Assessments operate proactively to identify threats in all external or internal access points and suggest clear remediation options. Our approach to attack & penetration testing can be summarised as follows:
We establish the scope, so that you can control the effects of any possible test in time and space. We also agree upfront on escalation and incident management procedures in case tests yield a noticeable operational effect.
We document the type of attacks, the applications, the data and the potential weaknesses you are most concerned about. Our experience has shown that every company has its unique risk profile that drives the type, scope and level of hostility of our tests.
We determine and scan for the systems, network components and wireless access points visible from the agreed attack points. Our experience has shown that this kind of discovery generally turns up surprises, such as hosts and services nobody knew were exposed, which confirm the need for attack and penetration testing.
We conduct a wide range of vulnerability scans and simulated attacks using Deloitte methodology and tools. All tests are bound by the agreed timetable and scope and by the Deloitte policy and service agreement. This keeps the tests thorough within the agreed scope while not harming your normal operations.
With our Assess and Architect services, we deliver reports that are to-the-point, that answer the 'so-what?' questions and provide clear guidance on how to solve the issues at hand. The key benefits we offer are:
- All penetration tests are performed by Deloitte professionals to limit your exposure and disclosure.
- Our professionals arrive at their conclusions by using the same tools and techniques as rogue hackers, and by following a pragmatic and project-oriented approach to ensure predictability and consistency.
- Selected hosts or networks are targeted carefully, to protect the integrity of critical systems, data and applications and keep any side-effect on other hosts to an absolute minimum.
- A combination of Internet-based and inside-the-DMZ tests ensures coverage from both the external attacker's and the insider's vantage point, and lets you understand the vulnerability level should configuration or maintenance go wrong later on.