Premium Audit

Security auditing and consultancy, together with performance consulting, are the core of the Detack services.
Detack GmbH specializes in providing coverage of all aspects of IT security auditing – from basic penetration testing to advanced application layer auditing and up to the organizational level: IT security policy assessments, security guideline evaluation and management consulting. The service is customizable to fit the particular needs of the client.

In order to provide the best quality of service, the auditors perform vulnerability detection and research manually, thus ensuring full understanding and evaluation of the security implications and preventing any damage caused by automated testing tools. Adding human creativity and reasoning to the testing procedures recreates real-world scenarios and guarantees a complete assessment.

The auditing services provided by Detack GmbH are modularly structured, depending on target type, complexity, perspective and layer, drawing on the previous experiences and scenarios already tested. For each client Detack finely tunes and prepares customized auditing packages determined by the particular perspective and targets intended for analysis. As such, for specialized auditing, modules are combined and extended for the best coverage.


Audit Targets

Automated Cash Handling and Payment Processing Systems

In recent years attacks on cashpoint machines – ATMs – have become more and more frequent. With the advancement of technology and the standardization of networks between ATMs, banks and computing centers, both external attackers and insiders now have access to previously secret knowledge that enables them to perform effective logical attacks. Sharing the same infrastructure, electronic payment options allowed by ‘Point of sale’ (POS) systems have also become a target.

Detack GmbH IT security audits for cash handling & payment processing systems identify the potential for attacks on ATM and POS systems by looking into all elements of the networks these are part of – computing centers, banks, ATMs and POS terminals – and also the infrastructure they depend on. The audits also address the complex applications and interfaces that act as electronic control and management systems. The perspectives pursued in the audits cover bank employees and opportunistic attackers who have access to the local network, as well as anonymous external attackers who seek to penetrate the communication systems or the local ATM computers.

e-Services Security Audit

With the increased usage and penetration of the Internet worldwide and the resulting shift to online financial and goods transactions comes an increased risk of criminal activity online. Attackers target online banking systems, customer and dealer web portals and similar services, stealing or compromising critical content. Phishing attempts and thefts of consumer and credit card data are all consequences of this increased attacker attention, particularly for complex systems. Detack IT security experts simulate these types of attacks in the e-Services audit.

The e-Services Security Audit investigates any application that is part of an e-business system. Detack's experience in IT security testing has led to the creation of a customized range of e-Services modules. One of the most in-demand modules of the series is the e-Banking audit module, which analyses online banking and trading applications or portals for weaknesses at the application and architecture level.

e-Services audits simulate attacks from the perspective of customers, competitors, employees or subcontractors, using the respective classes of user accounts, as well as from anonymous external attackers via the Internet. These simulations aim to eliminate security risks before attackers can exploit them.

Host & Midrange Systems

Host and midrange systems are a particular environment for IT security testing. Their particular structure and complexity, spanning several types of technologies and covering multiple types of application environments, limit the number of security service providers that address IT security at this level, even though the data processed in these systems is frequently the most sensitive and therefore the most interesting for attackers.

Detack GmbH addresses the midrange and mainframe computer world by specifically tailoring its IT security audit modules to particular systems, such as the IBM System z or System i.

On these existing base modules a framework for checking host and midrange systems has been developed. The technical design of such systems leads to a multi-level approach to IT security auditing. For example, in the case of a typical IBM System z, the following levels are audited:

- Hardware
- Subsystems
- Application Interfaces
- Applications

Infrastructure

Infrastructure is the baseline of an IT environment. The variety of components – networks, servers, services and software – leads to a wide array of possibilities for attackers to gain access to customers' systems and compromise data. The most secure application is powerless if an attacker, external or insider, is able to compromise a network component and penetrate the internal LAN.

For this reason infrastructure security audits target all IT systems within a particular range selected by the client – for example the internet facing perimeter, the entire networking environment, the internal Microsoft systems or the software deployment and management system. This allows for the detection of all security weaknesses that affect the IT infrastructure forming the basis of all other services and applications. This particular type of audit provides a comprehensive security image of the usual standard components and services but does not address the application layer. Due to its extensive range this audit is usually employed as a basis for further checks, such as audits of the application layer.

Terminal Services

Terminal services are becoming ever more popular with companies all across the world, mainly because of their inherent infrastructural advantages. Remote access to company assets thus becomes a major security risk. This is both an internal and an external hazard: the global availability of online access can allow an attacker to gain access to sensitive information, or a legitimate user to exceed their authorized access.

Auditing terminal services extends to the entire environment, including internally developed additional components, from both points of view – legitimate user perspective and anonymous attacker. Since attackers exploit programming and configuration errors in order to bypass authorization procedures and security policies, the published applications are comprehensively tested to determine if they can be misused for escaping the application jail and obtaining unauthorized access to data.

VPN Services

VPN-based access to a company network is paramount to modern ways of working. Sales, financial or engineering staff must be able to access sensitive company data at any time, including when they are not at their workplace. If these connections become compromised they become a major security risk to the enterprise.

Detack auditors have gained extensive experience with VPN equipment and special VPN environments, as such solutions are popular and widespread. This audit module covers all aspects of the system, from the product to the network design, as well as special facets of development and adaptation. The auditors assume the position of an attacker with a valid access ID who explores access-related security loopholes, configuration and design errors, and all activated VPN protocols and authentication services.

SAP® Systems

As SAP® enterprise software is used more extensively and more frequently, Detack auditors are continually engaged in analyzing and evaluating the security-relevant systems and interfaces of SAP® environments. The opening of internal SAP® environments to the Internet in recent years has significantly increased the potential attack surface.

As such, Detack auditors have amassed comprehensive know-how in SAP® security, covering all SAP® components such as R/3 ABAP, J2EE, WAS, XI/PI, etc. Auditing includes all layers of SAP® deployments, starting with the kernel and custom application layers and extending to business application programming analysis in ABAP and Java and to the evaluation of multinational SAP® environments.

EDI / Enterprise Services

Businesses today rely increasingly on fast and efficient file exchange and modern payment procedures. This includes transactions involving sensitive data that is very attractive to a potential perpetrator – blueprints, customer data, invoices and orders.

Detack provides customized auditing services for industry specific online applications such as EDI, payment processing and clearing services. Detack customized e-Business Services Audit modules provide the basic procedural framework for these targets.

Documentation and Design Policy

Organizational security practices form the backbone of the IT security infrastructure and system design. In addition, system handling and many other aspects, such as employee behavior with regard to the IT system, constitute an important component of IT security. Each technical IT security audit measures the quality of this preliminary work as well as of its implementation.

Detack provides auditing services for the IT security policy, the policy application guidelines, rule enforcement and countermeasures for security violations. All existing documentation – strategic, design and technical data – is subject to analysis. Besides policy-related documentation, Detack also offers complex environment layout auditing and consulting in order to improve the security level of the design, ideally prior to implementation. Additionally, auditing measures are complemented with ISO 27001-specific verification – Detack also supports the preliminary steps towards certification.

Custom & Specialized Audits

Complex scenarios and specialized applications are covered by fully customized IT security audits. For systems and/or applications that are not covered within the existing audit modules, a customized service offering will be built to cover the additional target or target-set.

Audit Layers

External

The external analysis layer comprises all IT security auditing performed from the perspective of an attacker placed outside the target(s), most often in a public area. This type of auditing is the most common since it covers the IT security vulnerabilities exploitable externally, where any Internet user is a potential attacker. All the IT security auditing covering this layer simulates attackers (anonymous or authorized clients) targeting the audited systems via the Internet, via public telephone networks or other large scale networking environments with public zones, such as Wi-Fi or mobile access networks.

DMZ

The DMZ layer analysis comprises all IT security auditing performed from the perspective of an attacker placed in a DMZ area. All the IT security auditing covering this layer simulates attackers (anonymous or logged in clients) targeting the audited systems from one or more DMZ areas, presuming that the external security measures have failed and the attacker is at the DMZ level.

Internal

The internal layer analysis comprises all IT security auditing performed from the perspective of an attacker placed within the internal network. The internal network represents all the restricted and trusted areas, e.g. it can also be a remote location connected via a private link or via VPN. The most common case simulates attackers being in the position of an occasional visitor or an employee. Additional profiles include rogue administrators, service partners, business units, enterprise scale clients, etc., targeting systems with a higher security clearance. The internal layer security auditing is highly customized in order to meet the specific needs of each client.

Support Layer

The support layer analysis comprises all IT security auditing that targets systems and frameworks constituting the infrastructure for more complex business services, regardless of their position. For example, such an audit can target all routers, switches and access systems, regardless of whether they are external or internal, from both the anonymous and the user perspective; such an audit addresses the networking part of the support layer. Similarly, audits addressing management systems, firewalls, VPN systems or operating systems can be performed.

Application Layer

Application layer auditing is Detack's strongest point. It represents the most complex phase of a security audit project: it concerns the analysis of complex business applications, frameworks and application environments, covering all related components regardless of their type or placement. The auditing of this layer is always customized depending on the type, development environment, usage and size of the target application or set of applications. Targets qualify as "application" layer test objects whenever the complexity of their functionality exceeds a certain level; for example, not only an online banking system or an SAP server can qualify as an application layer target, but also a complex VPN server. Whenever needed, application layer auditing includes source code review, should source code be available; all programming languages are supported.

Custom & Complex Environments

Complex environments are covered by IT security audit module sets that are customized in order to include all the layers present in these cases. Example targets are large, multinational companies with complex IT environments.

Audit Perspectives

Anonymous

The anonymous perspective simulates an attacker that has no authorized access to the test targets. Most of the typical Internet originating attacks fit into this category. Usually, the anonymous perspective attacks target a small surface made of perimeter services, with a large number of potential attackers – any Internet user can become an attacker.

Simple User

The simple user perspective simulates an attacker that has end-user level access to the test targets. A typical case would be, for example, in an e-banking environment, a normal bank client that has online banking access using the same service as many other clients. This perspective covers all the IT security flaws that cannot normally be exploited by the anonymous user, since the affected functionality is available only to registered users.

External Organisation

The external organization perspective simulates attacks originating from enterprise clients. Enterprise clients are all organizations that have authorized access to the test targets. A typical case would be, for example, an e-banking environment in which several banks share the same processing and clearing center, where attacks originating from one bank against another are simulated. Similar cases are found in outsourced environments, where multiple companies share the same third-party processing and hosting environment.

Organizational Unit

The organizational unit or subsidiary perspective covers all potential attacks originating from a lower-trust entity, such as a remote organizational unit, a subsidiary company or a government branch, against a higher-trust entity, such as the parent company, the management zone or the central government.

Custom & Complex Profiles

All the different access profiles existing in a given company or organization can be covered by customizing the audit modules in order to transform them into audit perspectives and adapt the selected audit type.


© 2000-2017 Detack GmbH. All rights reserved.