Remote Security Audits
ZZICT offers remote security audits. We typically do this for customers who operate a web service and want to assess the security level of that service. Below, we describe exactly what a ZZICT remote security audit entails: the audit scenario, the deliverables and the pricing.

ZZICT Security audits

Preconditions

Before ZZICT starts its remote security audit, a written and confirmed document has to be delivered stating that ZZICT is allowed to perform the audit and that no legal action will be taken against ZZICT as a result of it.

Security audit scenario

Below, we give an overview of a full scale security audit.

Footprinting

By footprinting, we create a profile of an organization's security posture. The target organization's internet presence is reduced to a specific range of domain names, network blocks, individual IP addresses and OS-identified hosts of systems connected directly to the internet. The techniques used include, among others, network enumeration, DNS interrogation, traceroutes and scanning.

Enumeration

Once the target hosts have been identified, these will be enumerated. The footprinting information is used, since these techniques are operating system dependent. Enumerated information includes network resources and shares, users and groups, applications and banners.

System hacking

All operating systems have weaknesses. After host identification, we make educated guesses about the potential vulnerabilities that may be present on the target system (vulnerability mapping). We map specific system attributes against publicly available sources of vulnerability information such as Bugtraq, CERT and vendor security alerts. We also use public exploit code posted on various security mailing lists as well as automated vulnerability scanning tools to identify true vulnerabilities.

Software hacking

Web servers, application servers, database servers, payment solutions, and so on can have weaknesses too. 40% of the successful hacking attempts occur at this level. Session hijacking, back doors, wrongly configured remote control software, and so on are all possible defects of the software architecture setup. We check all relevant possibilities.

Web hacking

Security measures like filtering routers, firewalls and intrusion detection systems are unable to fix web vulnerabilities, so a lot of attacks run over web ports (80, 81, 443, 8000, 8080, ...). Web pilfering makes use of the fact that server-side scripting code sometimes ends up in web pages sent to the client, leaking all kinds of information (like database architecture, or hidden tag leaks) that could assist attackers in their attempts to compromise the web application. Also, web scripts are sometimes not that robust and can be attacked by input validation attacks. URL validation attacks and Unicode attacks also fall in this category.
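The leak described above (server-side source and sensitive hidden fields ending up in pages sent to the client) is easy to check for on the defending side before a page goes live. The script below is an added example, not ZZICT's own tooling; it scans HTML responses for leaked server-side script tags, database connection calls and SQL fragments, and for hidden form fields whose names suggest they carry data the client should never control. The two sample responses are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Patterns that indicate server-side source leaked into a client response.
LEAK_PATTERNS = {
    "php_tag": re.compile(r"<\?php|<\?=", re.I),
    "asp_jsp_tag": re.compile(r"<%[=@!]?"),
    "sql_fragment": re.compile(r"\b(select\s+.+?\s+from|insert\s+into|update\s+\w+\s+set)\b", re.I),
    "db_connect": re.compile(r"\b(mysql_connect|mysqli_connect|pg_connect|ConnectionString)\b", re.I),
}

# Hidden-field names that often carry data a client should never be trusted with.
SENSITIVE_HIDDEN = re.compile(r"(pass|pwd|secret|token|key|price|admin|debug)", re.I)


class HiddenFieldParser(HTMLParser):
    """Collects (name, value) of every <input type="hidden"> in the document."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name") or "", a.get("value") or ""))


def scan_response(body: str) -> list:
    """Return a list of (finding_kind, evidence) tuples for one HTML response."""
    findings = []
    for kind, pat in LEAK_PATTERNS.items():
        for m in pat.finditer(body):
            findings.append((kind, body[m.start():m.start() + 40]))
    parser = HiddenFieldParser()
    parser.feed(body)
    for name, value in parser.hidden:
        if SENSITIVE_HIDDEN.search(name):
            findings.append(("sensitive_hidden_field", f"{name}={value}"))
    return findings


def finding_kinds(body: str) -> list:
    """Distinct finding kinds for a response, sorted for stable reporting."""
    return sorted({kind for kind, _ in scan_response(body)})


# Constructed sample responses (not real sites).
CLEAN_PAGE = (
    '<html><body><form action="/buy" method="post">'
    '<input type="hidden" name="item" value="42">'
    '<input type="submit" value="Buy"></form></body></html>'
)

LEAKY_PAGE = """<html><body>
<!-- TODO remove before release -->
<?php $db = mysql_connect("dbhost", "webapp", "s3cret"); ?>
<form action="/buy" method="post">
<input type="hidden" name="price" value="1.00">
<input type="hidden" name="item" value="42">
<input type="submit" value="Buy">
</form>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("leaky", LEAKY_PAGE)):
        print(label, finding_kinds(page))
        for kind, evidence in scan_response(page):
            print("  ", kind, "->", evidence.strip())
```

Run the scanner over saved responses from a staging crawl; any `php_tag`, `asp_jsp_tag`, `db_connect` or `sql_fragment` finding means server-side code reached the client, and a `sensitive_hidden_field` finding flags a value (price, role, token) that the server must re-derive or verify rather than trust from the form post.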

Deliverables

After the audit, a detailed report of the audit itself, complete with the attack scenario and its consequences (in case of a successful break and entry) as well as a list of recommendations, will be delivered within 5 working days after the audit. ZZICT always guarantees total non-disclosure of the results of the audit.

Cost and Timing

A ZZICT remote security audit of one web site (and its infrastructure) takes 3 days to perform the audit and 3 days to write the report. Most of the audit will be performed by a senior security consultant (Master of Computer Science, 5+ years of experience in security audits), because every security audit is different and a lot of expertise and experience is required.

The overview of the cost is given in the table below:

activity    number of days    total cost (euro)
auditing    3                 3 x 1100 = 3300 euro
report      3                 3 x 400 = 1200 euro
total       6                 4500 euro

All prices are VAT excluded.