At Fortego Security, we offer professional and flexible security audits and penetration tests. These services identify potential vulnerabilities in IT systems, and are often an invaluable step before taking new or upgraded systems into production. Annual audits are also highly recommended to verify that system integrity is preserved.

An External View

When you hire Fortego Security for a security audit or a penetration test, you will get an external party's view on your system. The value of this is high, both because we have thorough experience and knowledge in this area, and because it might be very hard for someone to find and recognize potential vulnerabilities in a system which they are working with every day.

Penetration Test vs. Security Audit

You are welcome to hire Fortego Security for an external penetration test, where a group of consultants would work as a so-called "Tiger team" to attack your system. This would be a real-world scenario, where we would actively try to find and exploit any vulnerabilities that your systems might have. This might be valuable for demonstrating how vulnerabilities can be used in combination to leverage access through several interconnected parts of a larger system.

However, a full-scale penetration test like that is often not the most cost-efficient solution. This is partly because our consultants will need to test for many issues that could have been discarded from the start if only enough information about the system had been given, and partly because certain kinds of vulnerabilities are very hard to find using this kind of test, no matter the allowed time span. Also, a vulnerability is just as serious if it is merely identified as if it is actually exploited by the consultants during the test. In the end, allocating more time to identifying vulnerabilities rather than spending the same time on actually exploiting a few of them is often a lot more efficient, in terms of both cost and security.

Hence, another approach is to hire Fortego Security to do an open security audit. When doing so, your organization will instead provide privileged access to let us scrutinize your systems and installations for configuration and design mistakes, and audit all the installed versions of software against databases of known vulnerabilities. In addition to being much more efficient than an external penetration test most of the time, this approach uses no actual exploits, and the system will thus not be disrupted in any way.

In some cases, depending on several factors of the target system, combinations of these two types of audits might be the most efficient solution, in which case we will of course present this alternative to you.

Methodology

Our penetration tests are based on the Open Source Security Testing Methodology (OSSTM) which we have enhanced with extensive additional procedures for application testing, for example from the Open Web Application Security Project (OWASP). For security audits, we have a set of baseline security templates for most common platforms, based on NIST recommendations, Microsoft security hardening guides, NSA hardening guides and the security benchmarks from the Center for Internet Security. We are also familiar with the COBIT control objectives from ISACA and the HIPAA regulations.

All our assignments are documented in written reports. Our reports are often highly appreciated for their comprehensible outline and friendly language. We write what is necessary to know in order to understand problems and find reasonable solutions. Our way of visualizing risks in a relative manner is usually much appreciated too. Live presentations and debriefings are of course also part of our service, although critical findings will be reported to you immediately upon discovery if time is of the essence.

We will sign non-disclosure agreements as appropriate, and handle all information under strict confidentiality. We are well covered by liability insurance, and we of course never employ anyone who has been convicted of any kind of computer-related or otherwise relevant felony.

Areas of Expertise

For security audits and penetration tests, we have knowledge and experience in many areas, of which the most important are outlined below:

Operating Systems

  • Microsoft Windows (all commonly used versions)
  • RedHat and Debian Linux
  • OpenBSD and FreeBSD
  • Sun Solaris

Network Security

  • Corporate Firewalls
  • Personal Firewalls
  • VPN Gateways
  • Routers and Switches
  • WLAN Gateways

Applied Cryptography

  • PKI and certificate authority systems along with status protocols like OCSP and CMP
  • PKCS#11 and Microsoft CAPICOM
  • File, folder and disk encryption programs
  • SSL and TLS
  • One-time password token systems and RADIUS

Web Applications

  • Major web servers like IIS, Apache and Domino
  • Scripting frameworks like PHP, JSP and ASP
  • Web proxies and reverse proxies
  • Java and Servlets
  • Web Services

Antivirus Software

  • File scanners
  • E-mail scanners
  • Spam filters

E-mail and Collaboration Systems

  • Exchange
  • Lotus Notes

Databases

  • Major database servers like MySQL, Oracle and SQL Server
  • ODBC and JDBC database connection protocols
  • Web Integration with PHP, JSP and ASP

Directory Services

  • Active Directory
  • NDS
  • LDAP

Contact us

If you have any inquiries or want more information of any kind, please contact us by e-mail at