Cyber Security

Focus on your core business while enableIT keeps your information and data protected.

Our Cyber Security Services

Cyber Security has emerged as a risk for every business that uses the Internet in any way. A significant security breach can damage the brand image and the bottom line of any company. The enableIT cyber security team has highly skilled and experienced personnel who focus on reducing risk by helping our customers build and enhance their security in the following four core service areas:

Why enableIT

enableIT maintains a laser-sharp focus on providing the very best services combined with outstanding customer service. Our professional cyber security experts have combined their experience and knowledge into a testing methodology that ensures thorough testing and minimizes the risk of missed vulnerabilities. We use a combination of custom and commercial tools to perform our testing in a collaborative environment, so more eyes see any given function and set of controls.

We are one of a select few PCI Approved Scanning Vendors (ASVs) and can help secure your cardholder data infrastructure.

Penetration Test Service

The enableIT ethical hacking team conducts manual testing in conjunction with a host of commercial, open source and internally developed tools to identify known and unknown vulnerabilities. Below is a list of the penetration tests that the enableIT Ethical Hacking team can perform:

Our Web and Mobile Application Penetration Services

Application Security Assessment (ASA) services provide a customized, extensive, impartial and periodic security analysis of internally developed or commercial enterprise applications. This service evaluates current “standards” and levels of compliance to give organizations a well-developed matrix of existing threats, application vulnerabilities and recommendations of real world solutions to address specific weaknesses.

Our consultants utilize a combination of automated and manual techniques to uncover vulnerabilities in clients’ systems and infrastructures. Both proprietary and commercial assessment tools are leveraged to best identify these vulnerabilities. To ensure the accuracy and quality of results, consultants perform false positive validation on each and every finding and all testing beyond URL scanning is performed manually.

We utilize a custom ASA methodology, developed through our extensive experience conducting ASAs and dynamic code reviews over the last fourteen years. Our ASA Methodology is based on the Open Web Application Security Project (OWASP) testing guide, NIST 800-115 and the Open Source Security Testing Methodology Manual (OSSTMM) Web Application Methodology. Our testing includes all testing requirements set out by the Payment Card Industry Data Security Standard (PCI DSS).

We perform ASA testing against both client and server applications including:

  • Web Applications
  • Mobile Applications
  • Thick Client Applications
  • Web Services
  • Application Programming Interfaces (APIs)

We maintain a library of proprietary tests and custom-developed tools to check for vulnerabilities that automated means cannot identify. Additionally, we use the Burp Suite Pro web application vulnerability scanner.

We deliver our ASA services in three (3) service levels, based on client requirements and objectives:

  • Application Penetration Assessments – Includes application scanning followed by intensive manual testing to identify application vulnerabilities. Application penetration assessments are typically performed on high risk applications, new applications or after major changes to an application. Reporting is fully customized and includes both positive and negative findings.
  • Application Vulnerability Assessments – Includes application level scanning and manual testing to identify application level vulnerabilities. Application vulnerability assessments are typically performed annually on stable applications, after minor changes to an application or to test a specific application module. Reporting is customized and only includes negative findings.
  • Mobile Application Security Assessments – Includes full interrogation of a mobile application and its associated services (Web Services & APIs) along with the server hosting those services. Mobile application security assessments are performed on release candidate versions or on production versions of mobile applications. This includes iOS mobile applications and those found on the Android platform.

We believe in a proactive approach to security and a continuous assessment process, and we work with our clients to be an integral part of their Secure Software Development Lifecycle (SSDLC) process. However, each ASA offering can also be delivered as a one-time standalone assessment.

Methodology:

MASA & ASA Methodology – Download

Our Network Penetration Testing Service:

The goal of penetration testing is to simulate a hostile attack in order to discover vulnerabilities. The enableIT ethical hacking team will conduct manual testing in conjunction with a host of commercial, open source and internally developed tools to identify known and unknown vulnerabilities. The following criteria will be applied to all penetration tests.

Summary of Testing (non-exhaustive):

  • Cross Site Scripting (XSS) Flaws
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access
  • Unvalidated or Unsanitized Input
  • Insecure Configuration Management
  • Network Segmentation Testing
  • Infrastructure Testing

Our Code Analysis service

enableIT provides static and source code analysis using commercial and open source tools. Our SCA offering identifies vulnerabilities present in source code that dynamic code analysis might miss. Source code is scanned for common issues such as input validation flaws, buffer overflows, unsafe use of memory allocation functions and other issues that can lead to exploitable vulnerabilities within the application. Especially when combined with dynamic testing (penetration testing), SCA provides a deeper level of security testing.

Methodology:

Source Code Analysis follows the basic process steps below:

  • Setup – includes loading code into an appropriate IDE and building the application
  • Automated code analysis using commercial and open source tools
  • Manual verification of findings
  • Manual analysis – includes numerous checks for things like encryption, authentication controls, unvalidated input, use of session controls, error handling, and many others

Wireless Penetration Test

Wireless testing is designed to provide a real-world view into the security and risks of using wireless network communications. Internal and external networks are assessed, along with the segmentation between the various wireless networks and the internal wired networks.

enableIT conducts Wireless Penetration Tests using NIST SP 800-97 and 800-48 as guides. The goal of the assessment is to determine the overall security of the wireless implementation and emulate the types of attacks used by real-world threats. Wireless tests include the following modules:

  • Review of wireless architecture
  • Sniffing wireless traffic
  • Network Mapping
  • Identification of legitimate and rogue access points
  • “Evil AP” attacks
  • Encryption cracking attacks

Our Audit & Compliance Services

Enterprise Security Audit services are designed to help clients determine the security posture of their IT platform. enableIT consultants work with clients to review their information security architecture, technical and compliance controls and their overall security program. These assessments review the following areas:

  • Risk Management
  • Information Security Policy
  • Organizational Security
  • Asset Management
  • Human Resource Security
  • Physical and Environmental
  • Communications and Operations Management
  • Access Control
  • Information Systems Application Development and Maintenance
  • Information Security Incident Management
  • Business Continuity/Disaster Recovery
  • Compliance

Enterprise Security Audit services can be expanded with additional consulting services, to include a review of policies, configuration review, penetration testing, and additional regulatory or compliance requirements testing or risk assessment.

Methodology:

enableIT conducts audits using the appropriate audit standard, such as HIPAA, PCI, or SOX. We also conduct general IT Security audits using the SANS Top 20 Consensus Security Controls, which map to all other security standards.

Our compliance audit process consists of the following modules:

  • Kickoff meeting to discuss client goals and compliance standard
  • Documentation gathering and review
  • Interviews
  • Technical Assessment to support controls testing
  • Reporting
  • Remediation and Review

Our Training Services

enableIT offers customized technical training on industry tools for security assessment and in-house classes on performing internal assessments of networks and applications. Our classes are hands-on and focus on giving people the skills needed to use tools or conduct assessments.

Methodology

Classes are developed based on client need and are customized specifically to meet the requirements of each individual customer. We conduct on-site or remote classes for individuals or groups.

Examples of classes:

  • Quick start with HP Fortify for Mobile Application testing
  • Web application testing
  • Burp Suite Pro for application penetration testing
  • Developing and Enhancing Vulnerability Management Programs

Our Identity & Access Management Services

Large institutions run on data; however, most of that data is in the form of files spread across file hosting platforms distributed throughout the enterprise. Because of the distributed nature of their creation, there is no central inventory or directory that allows the business to understand what it has and who has access to it. This leads to a greater chance of data loss through atrophy (we just don’t use that file anymore, but someone else could) and leakage (someone took information we didn’t even know we had), as well as an increased frequency of repeated operational effort as different parts of the business work to solve the same problems. Through our traditional yet innovative I&AM methodology, enableIT can offer services in the following areas:

Regulatory Compliance

  • SOX / ECB / FED / Internal Audit
  • Recertification (Entitlement Review)
  • Request Process Enforcement / Validation
  • Unstructured Data (File Shares / SharePoint)

Service Consolidation / Improvement

  • Reduce number of request portals
  • Reduce service ticket response time

Whitepaper: Vulnerability Management

This paper discusses common obstacles to a successful vulnerability management program and how to overcome them.

Download Now
