Security Assessments
Network security is a major business consideration, especially when faced with increasing regulations and compliance standards, as well as ever-evolving security threats. Securing the network, prohibiting unauthorized access, and protecting sensitive data prove to be daunting challenges for businesses large or small. TNS offers a suite of security assessments that provide in-depth analysis to your network security. All assessments are performed by professional security experts with years of training and certification.
External Vulnerability Assessment
TNS offers external vulnerability assessments that are designed to look at the environment from an external perspective. This is one of the first lines of defense for security on most networks. During this assessment we will identify vulnerabilities with systems that may allow us access to the private parts of your network, allow us to perform a denial of service on your network or obtain information from your private network that should not be available on the outside of your unprotected network. If vulnerabilities are identified from the external view of your network you may choose to then initiate a penetration test.
This service is typically done in a remote fashion and does not require an onsite visit in most cases. The goal of the assessment is to deliver a final report that will allow the organization to mitigate vulnerabilities and to develop a project plan and attack strategy on how to move ahead with the remediation of their external facing environment.
Internal Vulnerability Assessment
TNS offers internal vulnerability assessments that are designed to look at the environment from the inside. This type of assessment looks at the systems that make up most of what users see while they interact with the internal network. During this assessment we will identify vulnerabilities in systems that may allow us access to the private parts of your network, allow us to perform a denial of service on your network, or allow us to obtain information from your network that should not be available to everyone on the Local Area Network (LAN). We will also verify password complexity and review a sample of servers and workstations to determine what may need to be done to enhance the organization's security posture. We will also assess virus protection and patch management during this engagement.
This service is done onsite, requires interaction from IT staff members, and may require limited input from end users. The goal of the assessment is to deliver a final report that will allow the organization to mitigate vulnerabilities and to develop a project plan and attack strategy on how to move ahead with the remediation of their internal environment.
Penetration testing
TNS offers penetration testing for those customers that want to determine if a hacker can obtain information from their private network. This is commonly referred to as ethical hacking. During this process we use the same tools and methods that hackers would use to gain control or access of systems and information that are to be protected. This type of testing is performed with caution as it may cause disruption of services for the network users. During this process we will also try to avoid being detected by Intrusion Detection Systems (IDS).
This service is typically done in a remote fashion and occurs usually after an External Vulnerability Assessment. The goal of this testing is to determine the potential risk associated with the vulnerabilities identified from the activities above. After verification of the information from the testing, we would then recommend a mitigation plan to secure the data and network to prevent the information from being accessed and to report on what was accessed by the review of logs from the IDS or other systems.
System Activity Review
TNS has developed an offering that will review the audit trail that may or may not exist in the organization. Having an appropriate audit trail can help defend and protect the organization by allowing the appropriate staff to understand not only who, but how and when things occurred. This can become invaluable information when writing policy and when a defensible position is needed. It is also something that is required under most compliance rules such as HIPAA, Sarbanes-Oxley and GLBA.
This service is typically done with a combination of on and offsite work. Penetration testing and vulnerability assessments are generally combined with this in order to validate the audit trails. The goal of this review is to develop a logging and audit trail that will allow the organization to review, debrief, and defend their private information (if necessary).
Wireless Security Survey
TNS offers wireless security surveys that can augment our other security offerings. This can be done as an à la carte service as needed. This type of survey looks at the ability of people to access internal systems through the use of wireless networks. It is also designed to look for rogue access points that are not authorized in the environment.
This service is performed onsite and does require interaction from the IT staff members and may require limited input from end users. The goal of the assessment is to deliver a final report that will allow the organization to mitigate vulnerabilities associated with having wireless networks in their environment.
War Dialing
TNS offers War Dialing surveys that can augment our other security offerings. This can be done as an à la carte service as needed. This type of assessment looks at the ability of people to access internal systems through modems and other telephone-connected devices over the standard Public Switched Telephone Network (PSTN). It is also designed to look for rogue modems that are not authorized in the environment.
This service is performed onsite and does require interaction from the IT staff members and may require limited input from end users. The goal of the assessment is to deliver a final report that will allow the organization to mitigate vulnerabilities associated with having dial-up capabilities in their environment.
Intrusion Detection (IDS) Assessment
TNS offers IDS assessments that can augment our other security offerings. This can be done as an à la carte service as needed and is included with penetration testing. This type of assessment looks at the ability of the IDS equipment to detect and report our attempts to access the network and data without authorization.
This service is performed onsite and offsite depending on the design of the network and does require interaction from the IT staff members in some cases. The goal of the assessment is to deliver a final report that will allow the organization to tune, enhance, or deploy IDS in their environment.
Social Engineering
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. A social engineer runs what used to be called a "con game." For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appealing to vanity, appealing to authority, and old-fashioned eavesdropping are typical social engineering techniques.
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on IT. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.
This process is conducted both onsite and offsite and may utilize many other methods of intrusion. The goal of social engineering is to identify weaknesses in policy, procedure and training from the human perspective as it relates to information security.
Risk Analysis (and IT Compliance)
Risk analysis plays a role in corporate governance and performance, ensuring that senior management allocates resources in the most cost-effective way to balance information security with business needs. The risk analysis process must link security exposures and business needs. Otherwise, risk analysis may lead to too much or too little information security.
The risk analysis process varies according to an organization's particular needs and skills, as well as the particular risk analysis tools deployed. Fundamentally, the risk analysis process must answer these questions:
- What can go wrong?
- What is the probability that what can go wrong will go wrong?
- What are the consequences?
Real-world risk analysis goes beyond the answers to these questions. Risk analysis identifies and evaluates business processes and supporting information systems, potential system vulnerabilities and threats, calculated risks and the effectiveness of possible controls. Once these steps are completed, the process should be repeated on a regular basis to ensure that the decisions made and controls implemented continuously reduce risk while effectively meeting business needs and goals.
Risk analysis typically contains most, if not all, of the processes previously discussed and is generally customized to the environment and the compliance issues faced by the organization, including HIPAA, SOX, GLBA, and FISMA.
This process is conducted both on and offsite, and the overall process varies depending on the compliance requirements and the organization the work is being done for.
The goal of a risk analysis is to not only provide a technical assessment of vulnerabilities but also a business justification and prioritization for implementing security controls.