At Fortego Security, we offer professional and flexible
security audits and penetration tests. These services identify potential
vulnerabilities in IT systems, and are often an invaluable step before
taking new or upgraded systems into production. Annual audits are also
highly recommended to verify that system integrity is preserved.
When you hire Fortego Security for a security
audit or a penetration test, you get an external party's view of
your system. This is valuable both because we have thorough
experience and knowledge in this area, and because it is often very hard
for people to find and recognize potential vulnerabilities in a system
they work with every day.
You are welcome to hire Fortego Security for an
external penetration test, where a group of consultants works as
a so-called "tiger team" to attack your system. This is
a real-world scenario, in which we actively try to find and exploit
any vulnerabilities your systems might have. This can be valuable
for demonstrating how vulnerabilities can be combined to extend
access through several interconnected parts of a larger system.
However, a full-scale penetration test like that
is often not the most cost-efficient solution. One reason is that our consultants
must test for many issues that could have been ruled out from
the start if enough information about the system had been provided;
another is that certain kinds of vulnerabilities are very hard to find with
this kind of test, regardless of the time allowed. Also, a vulnerability
is just as serious when it is merely identified as when it is actually exploited
by the consultants during the test. In the end, allocating more time to
identifying vulnerabilities, rather than spending the same
time exploiting a few of them, is often a lot more efficient,
both cost-wise and security-wise. Hence, another approach is to hire Fortego
Security to do an open security audit. In that case, your organization
instead provides privileged access so that we can scrutinize your systems
and installations for configuration and design mistakes, and audit all
the installed software versions against databases of known vulnerabilities.
In addition to usually being much more efficient than an external penetration
test, no exploits are actually used, so the system
is not disrupted in any way.
In some cases, depending on several factors of
the target system, combinations of these two types of audits might be
the most efficient solution, in which case we will of course present this
alternative to you.
Our penetration tests are based on the Open Source
Security Testing Methodology (OSSTM) which we have enhanced with extensive
additional procedures for application testing, for example from the Open
Web Application Security Project (OWASP). For security audits, we have
a set of baseline security templates for most common platforms, based
on NIST recommendations, Microsoft security hardening guides, NSA hardening
guides and the security benchmarks from the Center for Internet Security.
We are also familiar with the COBIT control objectives from ISACA and
the HIPAA regulations.
All our assignments are documented in written
reports. Our reports are widely appreciated for their clear
structure and accessible language. We write what you need to know in
order to understand the problems and find reasonable solutions. Our way of
visualizing risks relative to one another is usually much appreciated too.
Live presentations and debriefings are of course also part of our service,
though critical findings are reported to you immediately upon discovery
when time is of the essence.
We will sign non-disclosure agreements as appropriate,
and handle all information under strict confidentiality. We are well covered
by liability insurance, and we never employ anyone
who has been convicted of any kind of computer-related or otherwise relevant
felony.
Regarding security audits and penetration tests,
we have knowledge and experience in many areas, of which the most important
are outlined below:
- Microsoft Windows (all commonly used versions)
- RedHat and Debian Linux
- OpenBSD and FreeBSD
- Sun Solaris

- Corporate Firewalls
- Personal Firewalls
- VPN Gateways
- Routers and Switches
- WLAN Gateways

- PKI and certificate authority systems along with status protocols like OCSP and CMP
- PKCS#11 and Microsoft CAPICOM
- File, folder and disk encryption programs
- SSL and TLS
- One-time password token systems and RADIUS

- Major web servers like IIS, Apache and Domino
- Scripting frameworks like PHP, JSP and ASP
- Web proxies and reverse proxies
- Java and Servlets
- Web Services

- File scanners
- E-mail scanners
- Spam filters

- Major database servers like MySQL, Oracle and SQL Server
- ODBC and JDBC database connection protocols
- Web integration with PHP, JSP and ASP

- Active Directory
- NDS
- LDAP
If you have any inquiries or want more information
of any kind, please contact us by e-mail at