As new technologies are developed and integrated into society at an ever-faster pace, traditional boundaries among organizations and individuals continue to disappear.
The ideal response involves planning and assessment to identify risks across key business areas, including people, processes, data, and technology, throughout the entire organization. It is important to take a holistic approach that yields a business-driven security blueprint and strategy able to serve as an effective defense for the entire organization.
Organizations should build business services that are secure by design, meaning that security is intrinsic to their business processes, product development, and daily operations. Security should be factored into the initial design, not bolted on afterwards. This enables an organization to adopt new technologies, such as cloud computing and mobile device management, and business models such as teleworking and outsourcing, securely and safely, so that they can be leveraged for cost benefit, innovation, and shorter time to market.
- Industry Business environment
- Legal & Regulatory Environment
- Enterprise IT Architecture
- Management Support
- Culture and Awareness
With over 100 years of combined experience in the field of technology and security, our consultants can work with your staff to identify and document current policies and procedures, as well as develop a strategic plan to help move your organization from its current state to its desired state. We use a modular framework to provide your organization with the specific services it needs. Below is a list of some of the core services provided by DoD Training Center:
- Security Program Development/Implementation
- Penetration Testing
- Security Posture Assessment
- Security Control Assessment
- Web Application Testing
Security Program Development
Information security program development and implementation is not a simple process, but it is an absolutely essential and on-going process – particularly if your organization is responsible for maintaining the integrity, availability, and confidentiality of customer information or business-critical data. Information security programs are mandated by authorities in industries like health management, banking, and energy, as well as other state and federal agencies, but the legal and business ramifications go far beyond regulatory compliance when sensitive data is compromised. As such, even businesses in non-regulated industries need to embrace information security best practices. Regardless of the size or nature of your business, or the skill set of your Information Security (IS) team, security threats (both internal and external) to your organization exist, and having an active, comprehensive information security program in place is your best defense.
Penetration Testing
Our penetration testing services provide a simulated attack against your entire infrastructure or against key components identified during planning. The purpose of this invasive test is to see how well your security
Unauthorized access to company resources through existing and new vulnerabilities is a serious security concern. Verifying that new and existing applications, networks, and systems are not exposed to a security risk is key to addressing these vulnerabilities before they can be exploited by unauthorized users. While vulnerability assessments are a “light touch” evaluation to identify gaps and vulnerabilities in your network, further testing is required to show how an attacker would gain access to your environment and use those systems as a base for attacks deeper into the network.
Secureworks approaches every penetration test as unique to the organization. Our methodology is performed by the industry’s top security testers, leveraging our proprietary tactics and intelligence from the Secureworks Counter Threat Unit™. Both Penetration and Advanced Penetration Tests are designed to show how an attacker would gain unauthorized access to your environment by compromising in-scope systems, and to highlight pivoting opportunities from compromised hosts. Secureworks then discusses the findings with all relevant audiences and provides a customized course of action for both leadership and technical audiences.
Penetration Testing Benefits
- Validate internal and/or external security controls, including protections around high-value systems
- Manual testing that simulates current threats, including pivoting and post exploitation
- Satisfy compliance needs, including PCI 3.x, FFIEC, HIPAA
- Confidence in the assessment knowing that the latest threat intelligence and tactics from the Secureworks Counter Threat Unit™ were utilized
- Tests users in conjunction with your external and internal networks
- Simulates a common real-world threat: spear phishing plus external testing that segues into an internal foothold
- Tests your response and detection capabilities
Security Posture Assessment
Why do you need Cyber-Security Posture Assessment?
A majority of organizations are highly dependent on the Internet and networks to run their daily business.
However, an organization may be unaware of the security issues that could result in an attack (from outside or from within). Customer information, the organization’s private and confidential data, intellectual property, and information assets might leak to the public, resulting in huge financial losses and damage to the organization’s reputation.
In order to measure the overall cyber-security maturity of the organization, an independent expert assessment of the current state of its information security environment is conducted against global standards and leading industry practices. It is followed by a remediation of the identified gaps and the development of a roadmap for transformation.
Security Control Assessment
This service is based on the auditing of security controls using the NIST SP 800-53A guidelines.
The goal of this service is to not only audit your security controls, but train your organization on the understanding of the process so that you can move to continuous monitoring. We team with your organization to move through 9 key phases of the assessment process, culminating with the security assessment report.
- The Process
- Assessment Methods
- Penetration Testing
- Security Assessment Procedures
- How to Audit the -1's (the policy and procedure controls, e.g. AC-1)
- How to Audit Controls Other than the -1's
- How to Audit Privacy Controls
- Documenting the Assessment Findings
- Developing Security Assessment Reports
Web Application Testing
Our web application testing practice is based on 8 steps that can be customized to your web application testing requirements.
1. Functionality testing:
This checks that your product behaves as specified and meets the functional requirements laid out in your development documentation. Testing activities include:
Test that all links in your web pages work correctly and that there are no broken links. Links to be checked include:
- Outgoing links
- Internal links
- Anchor Links
- MailTo Links
Test that forms work as expected. This includes:
- Scripting checks on the form work as expected; for example, if a user leaves a mandatory field empty, an error message is shown.
- Check that default values are populated.
- Once submitted, form data reaches a live database or a working email address.
- Forms are formatted for good readability.
Test that cookies work as expected. Cookies are small files that websites use primarily to remember active user sessions so that you do not need to log in every time you visit. Cookie testing includes:
- Testing that cookies (sessions) are deleted when the cache is cleared or when they reach their expiry.
- Deleting cookies (sessions) and testing that login credentials are requested on the next visit to the site.
Test HTML and CSS to ensure that search engines can crawl your site easily. This includes:
- Checking for syntax errors
- Readable color schemes
- Standards compliance: ensure that standards such as W3C, OASIS, IETF, ISO, ECMA, or WS-I are followed.
Test the business workflow. This includes:
- Testing your end-to-end workflows/business scenarios, which take the user through a series of web pages to complete.
- Testing negative scenarios as well, so that when a user takes an unexpected step, an appropriate error message or help is shown in your web application.
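As an added example of the link check in step 1 (this is not the page's or DoD Training Center's own code), the following Python script sorts the links on a page into the four kinds listed above and flags the ones that can be recognised as broken without any network request: empty targets, anchors whose fragment does not exist in the page, and mailto links without an address. The sample page, the base URL and the function names are assumptions made for this example.

```python
"""Classify the links on a page into the four kinds the step 1 checklist
names (outgoing, internal, anchor and mailto) and flag the ones that are
broken without touching the network. The sample page and base URL below are
constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one of each link kind plus three broken links.
SAMPLE_HTML = """
<html><body>
<h2 id="pricing">Pricing</h2>
<a href="/about">About</a>
<a href="https://example.com/contact">Contact</a>
<a href="https://partner.example.org/">Partner</a>
<a href="#pricing">Jump to pricing</a>
<a href="#missing">Dangling anchor</a>
<a href="mailto:sales@example.com">Email sales</a>
<a href="mailto:">Empty mailto</a>
<a href="">Empty href</a>
</body></html>
"""
BASE_URL = "https://example.com/index.html"  # page the links were found on


class LinkCollector(HTMLParser):
    """Collect every <a href> in document order and every element id, so
    in-page anchors can be checked against the ids that really exist."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.ids = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href") is not None:
            self.hrefs.append(attrs["href"])
        if attrs.get("id"):
            self.ids.add(attrs["id"])
        if tag == "a" and attrs.get("name"):  # legacy <a name="..."> anchors
            self.ids.add(attrs["name"])


def classify_links(html, base_url):
    """Return {'outgoing': [...], 'internal': [...], 'anchor': [...],
    'mailto': [...], 'broken': [...]} for the page served at base_url."""
    parser = LinkCollector()
    parser.feed(html)
    base_host = urlparse(base_url).netloc.lower()
    result = {k: [] for k in ("outgoing", "internal", "anchor", "mailto", "broken")}
    for href in parser.hrefs:
        href = href.strip()
        if href in ("", "#"):                      # link with no target at all
            result["broken"].append(href)
        elif href.startswith("#"):                 # same-page anchor
            result["anchor"].append(href)
            if href[1:] not in parser.ids:
                result["broken"].append(href)
        elif urlparse(href).scheme == "mailto":    # mailto link
            result["mailto"].append(href)
            if "@" not in urlparse(href).path:
                result["broken"].append(href)
        else:                                      # resolve relative URLs first
            absolute = urljoin(base_url, href)
            host = urlparse(absolute).netloc.lower()
            result["internal" if host == base_host else "outgoing"].append(absolute)
    return result


if __name__ == "__main__":
    for kind, links in classify_links(SAMPLE_HTML, BASE_URL).items():
        print(kind, links)
```

The broken list here covers only what can be decided from the page itself; a live run of this check would go on to request each URL in the internal and outgoing lists and add any that answer with a 4xx or 5xx status.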
2. Usability testing:
Usability testing has become a vital part of any web-based project. It can be carried out by testers like you or by a small focus group resembling the target audience of the web application.
Test the site navigation:
- Menus, buttons, or links to different pages on your site should be easily visible and consistent on all web pages
Test the Content:
- Content should be legible with no spelling or grammatical errors.
- Images if present should contain an “alt” text
3. Interface testing:
The three areas to be tested here are the application, the web server, and the database server.
Application: Test that requests are sent correctly to the database and that output is displayed correctly on the client side. Any errors must be caught by the application and shown only to the administrator, never to the end user.
Web server: Test that the web server handles all application requests without denying service.
Database server: Make sure that queries sent to the database return the expected results.
Test the system's response when the connection between the three layers (application, web, and database) cannot be established, and check that an appropriate message is shown to the end user.
4. Database testing:
The database is a critical component of your web application and must be tested thoroughly. Testing activities include:
- Test whether any errors are shown while executing queries
- Data integrity is maintained while creating, updating, or deleting data in the database
- Check the response time of queries and fine-tune them if necessary
- Test that data retrieved from your database is shown accurately in your web application
5. Compatibility testing:
Compatibility tests ensure that your web application displays correctly across different devices. This includes:
The rendering of web elements such as buttons and text fields changes with the operating system. Make sure your website works correctly for various combinations of operating systems such as Windows, Linux, and Mac and browsers such as Firefox, Internet Explorer, and Safari.
6. Performance testing:
This ensures that your site works under all loads. Testing activities include, but are not limited to:
- Web application response times at different connection speeds
- Load testing your web application to determine its behavior under normal and peak loads
- Stress testing your web site to determine its breaking point when pushed beyond normal loads at peak time
- Testing how the site recovers if a crash occurs under peak load
- Making sure optimization techniques such as gzip compression and browser- and server-side caching are enabled to reduce load times
7. Security testing:
Security testing is vital for e-commerce websites that store sensitive customer information such as credit card details. Testing activities include:
- Test that unauthorized access to secure pages is not permitted
- Restricted files should not be downloadable without appropriate access
- Check that sessions are automatically terminated after prolonged user inactivity
- Where SSL/TLS certificates are in use, the website should redirect plain HTTP requests to the encrypted (HTTPS) pages
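As an added example covering the cookie checks in step 1 and the security checks in step 7 (again not the page's or DoD Training Center's own code), the following Python harness serves a small made-up web application on the local machine and exercises each item against it, so the whole run works offline. It also shows the difference between a cookie expiry that only the browser honours and an idle timeout that the server itself enforces. The application, its paths (/login, /account, /reports/q1.pdf), the session token and the idle timeout are all assumptions made for this example.

```python
"""Offline harness for the step 7 security checks and the step 1 cookie
checks: a tiny constructed web application is served on 127.0.0.1 and each
checklist item is exercised against it. The application, its paths and the
session token are assumptions made for this example, not a real product."""
import http.cookies
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_TOKEN = "constructed-session-token"  # constructed sample value
IDLE_TIMEOUT = 1.0                           # seconds; short so the run is quick
LAST_SEEN = {}                               # session token -> time of last request


class DemoApp(BaseHTTPRequestHandler):
    """Pretend application: /login issues a session cookie, /account and
    /reports/q1.pdf require that session, and the plain-HTTP front page
    redirects to HTTPS the way a correctly configured site does."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _session_ok(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        token = jar["sid"].value if "sid" in jar else None
        now = time.monotonic()
        # Server-side idle timeout: a cookie the browser still holds is not
        # enough; the server must stop honouring it after inactivity.
        if token in LAST_SEEN and now - LAST_SEEN[token] < IDLE_TIMEOUT:
            LAST_SEEN[token] = now
            return True
        LAST_SEEN.pop(token, None)
        return False

    def do_GET(self):
        if self.path == "/":
            self.send_response(301)
            self.send_header("Location", "https://" + self.headers["Host"] + "/")
            self.end_headers()
        elif self.path == "/login":
            LAST_SEEN[SESSION_TOKEN] = time.monotonic()
            self.send_response(200)
            self.send_header("Set-Cookie", "sid=%s; Max-Age=900; HttpOnly; Secure; "
                             "SameSite=Strict" % SESSION_TOKEN)
            self.end_headers()
        elif self.path in ("/account", "/reports/q1.pdf"):
            if self._session_ok():
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"confidential")
            else:
                self.send_response(302)
                self.send_header("Location", "/login")
                self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the checks can inspect them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, cookie=None):
    """GET url and return (status, headers, body); redirects and error
    statuses come back as ordinary responses rather than exceptions."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def run_checks():
    """Start the demo app, run every checklist item and return a dict of
    check name -> True when the application behaves as the checklist requires."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    results = {}
    try:
        status, _, body = fetch(base + "/account")          # secure page, no session
        results["protected_page_needs_login"] = status == 302 and b"confidential" not in body
        status, _, _ = fetch(base + "/reports/q1.pdf")      # restricted file, no session
        results["restricted_file_needs_login"] = status != 200
        status, headers, _ = fetch(base + "/")               # plain HTTP front page
        results["http_redirects_to_https"] = (status in (301, 308)
                                              and headers.get("Location", "").startswith("https://"))
        _, headers, _ = fetch(base + "/login")               # inspect the session cookie
        sid = http.cookies.SimpleCookie(headers.get("Set-Cookie", "")).get("sid")
        results["session_cookie_has_expiry"] = sid is not None and (sid["max-age"] or sid["expires"]) != ""
        results["session_cookie_flags"] = sid is not None and bool(sid["httponly"]) and bool(sid["secure"])
        cookie = "sid=" + SESSION_TOKEN
        status, _, body = fetch(base + "/account", cookie)   # valid session is honoured
        results["valid_session_gets_content"] = status == 200 and body == b"confidential"
        time.sleep(IDLE_TIMEOUT + 0.5)                       # let the session sit idle
        status, _, _ = fetch(base + "/account", cookie)      # idle session is rejected
        results["idle_session_is_rejected"] = status == 302
    finally:
        server.shutdown()
    return results
```

Calling run_checks() returns one boolean per checklist item; in a real engagement the same checks would be pointed at the application under test, with the expected paths and the cookie name taken from its documentation rather than assumed as they are here.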
8. Crowd testing:
You select a large number of people (the crowd) to execute tests that would otherwise have been executed by a select group of people within the company. Crowdsourced testing is an interesting and growing practice that helps uncover many defects that would otherwise go unnoticed.