Systems and devices audits
Have you done some penetration tests but still aren’t sure if the security of a particular server or other application platform is enough? Do you need to thoroughly test the security of key elements in your information system? The solution to these and many other problems is to make a detailed security audit of specific systems or devices within your organization’s information system
Whereas during penetration tests, AEC specialists take on the role of a potential attacker, during technical security audits they approach the element under investigation more in the role of a system administrator and implementer of measures recommended to improve its security. When checking the settings of individual systems, we use the knowledge and experience of AEC’s security and system specialists, the manufacturers’ recommendations for hardening systems and so on.
Every deficiency found is described in detail in the audit report. The risks of these vulnerabilities are described and, of course, suggestions for eliminating them (or risk minimisation) are also included.
During the technical audits we provide the following services
- An audit of the configuration of active network elements.
- An audit of the configuration of operating systems on servers.
- An audit of firewall and IDS/IPS configurations.
- An audit of the security of special systems, applications and services.
Other specialised audits
- Audits in accordance with the PCI-DSS and PA-DSS.
- Topology and infrastructure audits.
When conducting security audits, we use an integral and continuously updated AEC methodology based on the methodologies and recommendations of some of the top organizations dealing with information technology security.
- Manufacturers’ recommendations on the hardening of audited HW, OS and SW.
- Recommendations from the Internet Engineering Task Force (IETF) – an organisation releasing RFCs, called Internet standards.
- NIST recommendations (e.g. NIST SP 800-44 Guidelines on Securing Public Web Servers).
- CVE – Common Vulnerabilities and Exposures - a standardised dictionary of common vulnerabilities and threats.
- Common Criteria (ISO/IEC 15408) – a standard for assessing the security level of systems, etc.