Helping you to effectively manage risk and secure your business
Companies that fail to address security issues risk impacting productivity, brand, business relationships and trust. But knowing exactly how vulnerable your ICT systems are can be tricky. That’s where our consulting services help. Our specialists assess the vulnerability of your environment. Then, depending on your needs, they recommend the appropriate strategy, security architecture and an overall solution for your environment.
Our range of security consulting services include:
- Vulnerability Assessments - A vulnerability assessment is the regular process of identifying, quantifying and prioritising the vulnerabilities in a system, an application or a network component, often as a means of demonstrating security compliance.
- Penetration Testing - Penetration testing is a systematic method of regularly evaluating the security of a computer system or network by simulating an attack or intrusion from a malicious source, so that recommended corrective action can be taken and the effectiveness of existing security measures evaluated.
- PCI Compliance - PCI DSS must be implemented by all entities that process, store or transmit credit cardholder data. This must be done in order to maintain safe harbour and avoid potential liability in the event of fraud associated with cardholder data.
What is it?
With the growth of world-wide hacking groups and state-sponsored attacks, no industry sector is immune from attack. A vulnerability assessment is the regular process of identifying, quantifying and prioritising the vulnerabilities in a system, an application or a network component, often as a means of demonstrating security compliance. For example, quarterly vulnerability assessments are a requirement for obtaining and maintaining PCI DSS compliance certification for companies accepting credit and debit card payments.
What happens during the assessment?
During a vulnerability assessment, we’ll catalogue assets and capabilities in a system, assign a value and level of importance to those resources, identify the vulnerabilities or potential threats and then recommend controls to mitigate or eliminate the most serious vulnerabilities for the most valuable resources.
A vulnerability assessment can also be done in preparation for a penetration test, to identify the weaknesses to be exploited in the test.
What is Penetration Testing?
Penetration testing is a systematic method of regularly evaluating the security of a computer system or network by simulating an attack or intrusion from a malicious source, so that recommended corrective action can be taken and the effectiveness of existing security measures evaluated.
What does Penetration Testing involve?
The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The intent of a penetration test is to determine the feasibility of an attack and the extent of the business impact of a successful attack. We’ll present any security issues that are found, together with an assessment of their impact and a proposal for mitigation.
Brennan IT can also deliver its penetration testing against your infrastructure targets, as well as web applications, wireless networks and operations:
- Web application security review – We can perform web application penetration testing against nominated targets by searching for vulnerabilities and weaknesses using automated and manual techniques. All testing activities can be performed from the perspective of either an authenticated or unauthenticated attacker, or both, and delivered either remotely or on site at any time that suits your business requirements.
- Wireless security testing – Our consultants can perform an onsite security assessment of your wireless infrastructure. This can be done passively, by reviewing the system configuration, or ‘actively’, by attempting to compromise the wireless infrastructure using specialised hardware and software.
- Social engineering – Trained consultants can attempt to infiltrate your organisation and determine what kind of access a highly motivated attacker could achieve. Using methods such as phone calls, spear phishing emails and dumpster diving, our consultants attempt to find out as much information as possible about your organisation. In addition, infiltration and tailgating activities, identification forging, eavesdropping on communications and other advanced attack techniques can be carried out against an organisation in the hope of compromising its security.
- Denial of Service (DoS) assessment – We can test the resilience of your infrastructure against application-layer Denial of Service attacks by intelligently exploiting any weakness in services or web applications that could cause your environment to fail. Such techniques include exploiting known denial of service conditions, form submissions and HTTP/S conditions. DoS assessments do not include volumetric testing, as this could have an impact on networks outside the scope of work.
PCI Compliance Assessment
How does PCI Compliance affect Australian businesses?
Payment Card Industry Data Security Standards (PCI DSS) must be implemented by all entities that process, store or transmit credit cardholder data. This must be done in order to maintain safe harbour and avoid potential liability in the event of fraud associated with cardholder data. The cost of not complying can be catastrophic and could result in millions of dollars in fines and loss of reputation. Our team can help you identify the level of compliance you need, and then take you through the entire lifecycle of compliance, starting with a gap analysis all the way to formal certification.
If you are a Level 1 PCI DSS compliant organisation, you need to go through a formal Annual Attestation that must be performed by a certified external Qualified Security Assessor (QSA). Our team can offer these services as we partner with a certified QSA company. Our PCI QSA consultants are trained to understand the intent and process required to meet the PCI DSS requirements and come with years of experience delivering security reviews and audits. We can conduct an on-site PCI audit and issue the documentation required by your acquiring bank.
As a Level 2, 3 or 4 PCI DSS compliant organisation, you must complete an annual Self Assessment Questionnaire (SAQ) to remain compliant. The SAQ is a validation tool for merchants and service providers who are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organisations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. There are multiple versions of the PCI DSS SAQ to meet various business scenarios. Our team can help you determine which SAQ best applies to you and how to complete the relevant SAQ documentation.
Additional security services
We can also deliver the vulnerability assessment and penetration testing services required to satisfy the PCI DSS requirements. Whether you need assistance in identifying the presence of wireless access points, conducting internal/external quarterly vulnerability assessments, web application penetration testing or annual penetration testing covering your infrastructure and applications, our team has the resources and the know-how.