IT System Audit


Against the background of numerous cyber-attacks being launched globally by cyber criminals, there is an immediate requirement for businesses to beef up the security levels of their IT systems. More than ever, we need to move to security automation. In today’s world, a company’s most vulnerable area is no longer physical, but digital. Shop fronts, banks, factories, hospitals and educational institutions are being attacked not just in person, but also online, 24 hours a day and 365 days a year. With the threat increasing, companies need highly skilled cyber warriors to defend their networks. Hiring more talent does not mean better security. No amount of additional talent or resource will improve your security posture if you do not fix your basic security posture and processes. Today, most companies face the harsh reality that there just is not enough skilled talent to go around to adequately safeguard their IT infrastructure.

Research points to a staggering shortage of cybersecurity skills and talent. These factors pose a major challenge for many enterprises that have become technology dependent and do not have the people. The situation certainly signals the need for automation to move security from human to machine speed. We wish to introduce to you our new IT Audit services, wherein a top IT consultant will be assigned to your organization to carry out an internal IT audit of your systems. As you are aware, IT is important to your business, so it is prudent that good controls are kept in this area and international best practices are followed to ensure effective management. At the end of this audit we will present you with a management report outlining the present state of your IT systems and any shortcomings which you may consider improving upon. We suggest that the following aspects be covered during this exercise. You may, however, add any others if need be.

 

  •  Provides customers and stakeholders with confidence in how you manage risk related to ICS.
  •  Save money by focusing on effective controls and appropriate levels of protection.
  •  Report detailing the risks with recommendation and support.
  •  Identifies compliance gaps in your ICS environment.
  •  Increased confidence for better business decisions.
  •  Maximizes your security return on investment.
  •  Improved visibility of your ICS Risks.

ISecurion’s ICS Security Assessment service focuses on security auditing based on compliance requirements, and on ICS vulnerability assessment and penetration testing services. Our methodology for security assessment is based on the following approach.

Compliance Auditing

Isecurion experts audit the key compliance processes driving the ICS Security Program. We primarily focus on the NESA, NIST SP 800-82 and ISO 27001:2013 standards. The key processes are as below.

  •  Secure Configurations for Hardware and Software on Workstations, Servers, Application Software Security.
  •  Secure Configurations for Network Devices such as Wireless Access, Firewalls, Routers, Boundary Defense Policies.
  •  ICS Policy And Procedures and Their Alignment With Organizational Level Policies, Data Protection Systems.
  •  ICS Inventory For Authorized and Unauthorized Devices and Software. Risk Management Process.
  •  Security Configuration of ICS Network Ports, Protocols, and Services. ICS Network Architecture Review.
  •  Endpoint Security and Malware Defense Process. Critical Controls for Industrial Control Systems.
  •  Incident Response and Management and Recovery Plans, Access Management Process.
  •  Vulnerability Assessment and Remediation process & Data Recovery Capability.

ICS Vulnerability Assessment and Penetration Testing

Our unique penetration testing methodology consists of a combination of vulnerability assessment tools and practical, manual testing. The SCADA/ICS penetration testing methodology is derived from a combination of information security guidelines and recognised penetration testing methodology standards from sources such as OSSTMM and OWASP.

As part of the assessment, we conduct penetration testing to identify remote exposure of ICS systems and the strength of existing controls around it. We conduct vulnerability assessment and penetration testing on ICS internal networks to exploit vulnerabilities on ICS networks, systems and applications.

The assessments conducted on Industrial Control Systems are done with extreme caution due to the criticality of the systems in scope. The client is advised to provide test beds or identify redundant live systems for conducting such tests. A thorough impact analysis is done before conducting such security assessments.

iSecurion uses the following methodology for conducting Penetration Testing for Industrial Control Systems.

  •  Scanning of Network To Map Overall Architecture of Network and Exposed Services.
  •  Enumeration of Networks To Identify Operating Systems and Applications.
  •  Enumeration of Server, Master Node, Historian Database Credentials.
  •  Identification of Network and Protocol Based Vulnerabilities to Systems.
  •  Reconnaissance To Identify Remote and Local Entry Points To Systems.
  •  Report With Recommendations and Corrective Actions.
  •  Identification of Default Configuration Vulnerabilities.
  •  Enumerating Wireless and Radio Connections.
  •  Exploiting Remote Access Mechanisms, VPNs.
  •  Identification of Application Vulnerabilities.
  •  Collate Findings and Prioritize Vulnerabilities.
  •  Identification of Systems Vulnerabilities.
  •  Exploiting Malware Control Mechanisms.