Helping you manage risk and secure your business
According to PwC’s recent Global State of Information Security® Survey, Australia has among the highest numbers of detected cyber security incidents in the world. As new security risks emerge constantly, it’s important to have a robust and regularly updated security plan. However, in order to build one, you first need to determine exactly how secure – or vulnerable – your infrastructure is.
At Brennan IT, our experienced security experts can help you assess your infrastructure for any potential risks, and then depending on your needs, recommend an appropriate strategy, architecture and overall solution.
Our range of security consulting services includes:
Vulnerability Assessments: We can perform an in-depth analysis of your IT environment, identifying, quantifying and prioritising any vulnerabilities in your systems, applications or network components.
Penetration Testing: This is a systematic method of regularly evaluating the security of your computer systems or networks by simulating an attack or intrusion from a malicious source. Based on the results, we can then take recommended corrective action and evaluate the effectiveness of existing security measures.
PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) must be implemented by all entities that process, store or transmit credit cardholder data. We can help you determine whether your current controls meet the requirements, and what to do about any gaps.
What is Vulnerability Assessment?
With the growth of worldwide hacking groups and state-sponsored attacks, no industry sector is immune from attack. A vulnerability assessment is the regular process of identifying, quantifying and prioritising the vulnerabilities in a system, an application or a network component, often as a means of demonstrating security compliance. For example, quarterly vulnerability assessments are a requirement for obtaining and maintaining PCI DSS compliance certification for companies accepting credit and debit card payments.
A Vulnerability Assessment can also be done in preparation for a penetration test, in order to identify the weaknesses to be exploited in the test.
How does it work?
There are three key steps to every Vulnerability Assessment:
- Scan: This involves conducting a thorough scan of your IT environment. Our team can identify vulnerabilities associated with a range of IT assets, including operating systems, network devices, databases and applications. We offer two types of scans:
- Unauthenticated scans, which allow us to see your network through the eyes of an attacker. We look for basic weaknesses and detect issues within operating systems, open network ports, services listening on open ports, and data leaked by those running services.
- Authenticated scans, which are more in-depth and allow us to use privileged credentials to dig deeper into a network and detect vulnerabilities around weak passwords, malware, installed applications, configuration issues, and more.
Typically, we recommend all clients start with an unauthenticated scan, and then request an authenticated scan once initial vulnerabilities are addressed.
- Report: After each Vulnerability Assessment, we provide a detailed report outlining each vulnerability, the vulnerable host(s), operating system weaknesses, level of security risk for each vulnerability, a description of the vulnerability and our recommendation for remediating the vulnerability.
- Action: The Vulnerability Assessment does not itself fix any found vulnerabilities. Your report will point out the weaknesses, recommend solutions, and inform you about security risks. We can then work with you to take the most appropriate course of action.
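The Report step above turns raw scan findings into a prioritised list by risk level, and the PCI DSS quarterly scans mentioned earlier have a pass/fail rule attached to that prioritisation. The script below is an added example, not Brennan IT's own tooling: it takes a constructed set of findings (the hosts, services and scores are invented sample data), bands them by CVSS severity, groups them per host, and checks the PCI external-scan rule that any finding scoring 4.0 or higher fails the scan.

```python
"""Prioritise vulnerability scan findings into a per-host report (added example).

SAMPLE_FINDINGS is constructed sample data, not output of any real scanner.
Severity bands follow the CVSS v3 qualitative scale; the pass/fail rule follows
the PCI ASV Program Guide, where a CVSS base score of 4.0 or higher fails an
external scan. Assumption: findings from the unauthenticated scan stand in for
what an external (ASV-style) scan would see.
"""
from collections import defaultdict

# Constructed sample findings: (host, finding, cvss_score, scan_type)
SAMPLE_FINDINGS = [
    ("10.0.0.5", "ssh/22 outdated OpenSSH version", 7.5, "unauthenticated"),
    ("10.0.0.5", "weak local password policy", 5.3, "authenticated"),
    ("10.0.0.8", "http/80 directory listing enabled", 3.7, "unauthenticated"),
    ("10.0.0.9", "smb/445 missing vendor patches", 9.8, "unauthenticated"),
    ("10.0.0.9", "unsupported application version installed", 6.1, "authenticated"),
]


def risk_level(cvss: float) -> str:
    """Map a CVSS base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"


def prioritise(findings):
    """Return findings ordered from highest to lowest score, each with its band."""
    ranked = sorted(findings, key=lambda f: f[2], reverse=True)
    return [(host, text, cvss, risk_level(cvss), scan) for host, text, cvss, scan in ranked]


def pci_external_scan_passes(findings) -> bool:
    """Fail if any externally visible (unauthenticated) finding scores 4.0+."""
    return all(f[2] < 4.0 for f in findings if f[3] == "unauthenticated")


def report_by_host(findings):
    """Group prioritised findings per vulnerable host, highest risk first."""
    by_host = defaultdict(list)
    for host, text, cvss, level, scan in prioritise(findings):
        by_host[host].append(f"[{level}] {text} (CVSS {cvss}, {scan} scan)")
    return dict(by_host)


if __name__ == "__main__":
    for host, lines in report_by_host(SAMPLE_FINDINGS).items():
        print(host, *lines, sep="\n  ")
    print("PCI external scan passes:", pci_external_scan_passes(SAMPLE_FINDINGS))
```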
Why choose Brennan IT for your Vulnerability Assessment?
- Experience and expertise. Brennan IT has the in-depth security knowledge and experience to help you identify and mitigate key areas of risk.
- Practical, pragmatic approach. We are logical and cost-effective in how we prioritise what you implement.
- End-to-end approach. Unlike many other consulting firms, Brennan IT can also help you action any recommendations and provide a complete security service, from start to finish. We can work with you to apply best practice relating to configuration, patching and updates, define policies, and develop documentation as well as help you meet compliance requirements.
What is Penetration Testing?
Penetration testing is a systematic method of regularly evaluating the security of a computer system or network by simulating an attack or intrusion from a malicious source, so that recommended corrective action can be taken and the effectiveness of existing security measures evaluated.
What does Penetration Testing involve?
The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful attack. We’ll present any security issues that are found, together with an assessment of their impact, and a proposal for mitigation.
Brennan IT can also deliver penetration testing against your infrastructure targets as well as your web applications, wireless networks and operations:
- Web application security review: We can perform web application penetration testing against nominated targets, searching for vulnerabilities and weaknesses using automated and manual techniques. All testing activities can be performed from the perspective of an authenticated attacker, an unauthenticated attacker, or both, and delivered either remotely or on site at a time that suits your business requirements.
- Wireless Security Testing: Our consultants can perform an onsite security assessment of your wireless infrastructure. This can be done passively by reviewing the system configuration or ‘actively’ by attempting to compromise the wireless infrastructure using specialised hardware and software.
- Social Engineering: Trained consultants can attempt to infiltrate your organisation and determine what kind of access a highly motivated attacker could achieve. Using methods such as phone calls, spear phishing emails and dumpster diving, our consultants attempt to find out as much information as possible about your organisation. In addition, infiltration and tailgating activities, identification forging, eavesdropping on communications and other advanced attack techniques can be carried out against an organisation in the hope of compromising its security.
- Denial of Service (DoS) assessment: We can test the resilience of your infrastructure against application-layer Denial of Service attacks by intelligently exploiting weaknesses in services or web applications that could cause your environment to fail. Such techniques include triggering known denial of service conditions, resource-intensive form submissions and HTTP/S request handling conditions. DoS assessments do not include volumetric testing, as this could have an impact on networks outside the scope of work.
PCI Compliance Assessment
How does PCI Compliance affect Australian businesses?
The Payment Card Industry Data Security Standard (PCI DSS) must be implemented by all entities that process, store or transmit credit cardholder data. This must be done in order to maintain safe harbour and avoid potential liability in the event of fraud associated with cardholder data. The cost of not complying can be catastrophic and could result in millions of dollars in fines and loss of reputation. Our team can help you identify the level of compliance you need, and then take you through the entire compliance lifecycle, starting with a gap analysis all the way to formal certification.
If you are a Level 1 PCI DSS compliant organisation, you need to go through a formal Annual Attestation that must be performed by a certified external Qualified Security Assessor (QSA). Our team can offer these services as we partner with a certified QSA company. Our PCI QSA consultants are trained to understand the intent of, and the process required to meet, the PCI DSS requirements, and come with years of experience delivering security reviews and audits. We can conduct an on-site PCI audit and issue the documentation required by your acquiring bank.
As a Level 2, 3, or 4 PCI DSS compliant organisation, you must complete an annual Self Assessment Questionnaire (SAQ) to remain compliant. The SAQ is a validation tool for merchants and service providers who are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organisations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. There are multiple versions of the PCI DSS SAQ to suit various business scenarios. Our team can help you determine which SAQ best applies to you and how to complete the relevant SAQ documentation.
Additional security services
We can also deliver the vulnerability assessment and penetration testing services that are required in order to satisfy the PCI DSS requirements. Whether you need assistance in identifying the presence of wireless access points, conducting internal/external quarterly vulnerability assessments, performing web application penetration testing, or carrying out annual penetration testing covering your infrastructure and applications, our team has the resources and the know-how.