Security Solutions Overview

Information security is not a one-time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort. Adopting a systematic security methodology enables an organization to leverage technologies as well as to establish each member of the organization as a key component of the information security effort. Arrow's security solutions are directed not at eliminating risk as a whole, but rather at allowing organizations, over time, to overlay transparent security measures that close the gap between the current state of information security and the targeted levels.

If you need to defend your critical assets against attack (and you do), as well as establish that your solutions are securely built, the best way to start is to evaluate your security posture by mimicking a real attack. Arrow uses highly skilled security experts who employ a variety of manual techniques, supported by homegrown and commercial tools, to identify exposures and analyze the consequences of a targeted attack in a safe and controlled manner.

Business Needs

Data security is crucial for all businesses. Customer and client information, payment information, personal files, bank account details: all of this information is often impossible to replace if lost and dangerous in the hands of unauthorized people. Data lost due to natural disasters such as a flood or fire is devastating, but losing it to hackers or a malware infection can have far greater consequences. How you handle and protect your data is central to the security of your business and the privacy expectations of customers, employees and partners. A typical business will have all kinds of data, some of it more valuable and sensitive than others, but all data has value to someone.
Your business data may include customer data such as account records, transactional data and financial information, contact and address information, purchasing history, buying habits and preferences, as well as sensitive employee information. It can also include proprietary and sensitive business information such as financial records, marketing plans, product designs, and state, local and federal tax information.

Version 1.1 1/17/2013
Security experts are fond of saying that data is most at risk when it's on the move. If all your business-related data resided on a single computer or server that is not connected to the Internet, and never left that computer, it would probably be very easy to protect. But most businesses need data to be moved and used throughout the company. To be meaningful, data must be accessed and used by employees, analyzed and researched for marketing purposes, used to contact customers, and even shared with key partners. Every time data moves, it can be exposed to different dangers.

Benefits

Arrow's security solutions can be conducted individually or combined to reveal how chains of vulnerabilities present exposure across your environment:

- Pinpoint real physical and system vulnerabilities that pose true risks to your business
- Conduct a wide range of tests that mirror techniques used by attackers
- Tailor each engagement to meet individual client needs
- Go significantly deeper than simple vulnerability scans
- Provide reproducible, step-by-step procedures for testing activities

Why Arrow

Our experience implementing security solutions for the Fortune 1000 and performing detailed physical and security assessments provides you with valuable information and detailed recommendations that help you achieve the right balance between risk tolerance and the cost to mitigate risk, increase efficiency, and better align your security capabilities with business and governmental requirements while maximizing your security policies and plans.

- Scalable: our security solutions were developed in collaboration with one of the most respected outsource vendors in the industry, which has made a significant investment in the security tools and methodologies used to examine networks.
- Reliable and repeatable: our process is repeatable, reliable and highly extensible, having been used with extremely large as well as quite small environments and infrastructures.
- Experience: our security expert assessors have from two to five decades of experience and have led engagements with some of the very largest private as well as governmental organizations. We have the confidence, experience, methods and tools to execute to your business need.

Deliverables

All services include delivery of reports that document test procedures, details on confirmed security weaknesses and vulnerabilities, and remediation recommendations. A project plan will be prepared by Arrow; the project approach requires a team of two people. One analyst is assigned to investigate application-based vulnerabilities, the other to systems and network technology-based vulnerabilities. Utilizing the team in this manner dramatically increases the efficiency of collecting critical data.

Upon completion of the report, the customer is contacted and a date is determined for the executive briefing. In some cases the customer can request a pre-executive briefing prior to the formal briefing. This allows the customer to prepare or determine any budgetary requirements for technology needed to mitigate discovered risks. The assigned analysts who conducted the assessment will present the findings as well as suggestions for mitigating discovered vulnerabilities.

Sample Project Schedule

The original schedule table plotted each activity against periods 1 through 12; only the activity rows survived extraction:

- Security Assessment Project Planning and Kickoff
- Internal and External Devices Tested
- Social Engineering Tactics Tested
- Physical Security Controls Tested
- Vulnerabilities Examined/Validated
- Metrics Applied to Validated Vulnerabilities
- Policies and Procedures Tested
- Architecture Reviewed
- Data Compiled
- Report and Presentation

Methodology

External Network Vulnerabilities

An external network service scan consists of identifying the service ports responding to queries. This information provides a road map of entry points into the network for external Internet users. This effort includes scanning all network ports on the external devices and checking them for vulnerabilities.

Identifying Network Vulnerabilities and Validation of Vulnerability

The network scan consists of finding devices on the network by scanning a range of addresses (e.g. 10.10.10.0 through 10.10.10.255). All network devices are identified (e.g. Internet-facing devices, desktops, laptops, servers, etc.). After scanning the range of addresses, the list of responding addresses is used to further determine the security hardness of each device.

Note: The software used to test each responding address executes a number of Requests and attempts to collect a Response from each Request. Each service, condition or piece of system information is the result of a Response to a Request. This request/response terminology is used throughout the reports associated with the security assessment.

Non-Authenticated Scans of the Network

The non-authenticated scan consists of connecting to the network without using any known user identification or passwords. The vulnerability scan attempts to identify known system and network vulnerabilities. Non-authenticated scan findings will include all identified vulnerabilities. Vulnerabilities are prioritized as high, medium, or low. High-level vulnerabilities are identified, along with suggestions to mitigate the risk(s). Each device is analyzed and data is collected about the following conditions:

- Well-known service ports
- Viruses, malware and Trojan horse programs
- Operating system types and versions
- Programs with known security weaknesses
- Windows vulnerabilities
- Known system and network vulnerabilities
- Registry-related vulnerabilities
- Presence of database servers
- Windows sharing-related vulnerabilities
- X-Windows

Authenticated Scans of the Network

The authenticated scan consists of connecting to the network using known user identification or passwords. The vulnerability scan attempts to identify known system and network vulnerabilities. Authenticated scan findings will include all identified vulnerabilities. Vulnerabilities are prioritized as high, medium, or low. High-level vulnerabilities are identified, along with suggestions to mitigate the risk(s).

Exploit Validation

Arrow has made considerable investments in security assessment tools and technologies. Using software tools such as Metasploit and Core Impact, findings are then validated by running exploits against the devices found. These software applications allow us to validate whether the device is truly vulnerable, eliminating false-positive data within the report. By performing this task, the customer will be provided a report that truly identifies the security posture of the network.

Web Based Applications and Portal Vulnerability Testing

Since the customer is seeking to understand the risks associated with web-based applications, along with expertise in determining whether unauthorized access to applications, data and/or the network can be achieved, the scope of the project involves performing the following services:

- Testing the security hardness of the authentication methods users are required to use when gaining access to the systems identified.
- Testing the security hardness of the devices the applications are hosted on. This will involve reviewing the configuration of the hosting architecture (i.e. web server software, web server hardware, application layer and database, and any associated firewalls and routers).
- Testing the security hardness of the application the customer will be accessing (i.e. looking to see if the application and database can be compromised externally; techniques such as buffer overflows, cross-site scripting and SQL injection will be deployed to expose any concerns).
- Testing the security of the application in relation to privileges and customers. This will involve trying to traverse the privileges of the system user to see other customers' data that will also reside on the system. Note: Testing user-level security will require a test account, similar to what will be handed out to users of the system.
- Testing the security stability of the system (i.e. under normal usage, could excessive access expose data). The system will be tested for proper configuration of the session identification. An improperly administered session ID can be exploited by a hacker using phishing scams or other exploits.
Testing the security hardness of applications helps determine potential vulnerabilities and ensures protection against the exposures that could lead to a breach of your network. The system is also tested for its ability to filter harmful files and potential exploits.

Other controls reviewed and tested follow the Open Web Application Security Project (OWASP); some of these include:

- Unvalidated Input: information from web requests is not validated before being used by a web application.
- Broken Access Control: restrictions on what authenticated users are allowed to do are not properly enforced.
- Broken Authentication and Session Management: account credentials and session tokens are not properly protected.
- Cross-site Scripting (XSS) Flaws: the web application can be used as a mechanism to transport an attack to an end user's browser.
- Buffer Overflows: web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
- Improper Error Handling: error conditions that occur during normal operation are not handled properly and could result in giving detailed system information to a hacker, or crash the server.
- Insecure Storage: web applications frequently use cryptographic functions to protect information and credentials. If not coded properly, the result can be weak protection.
- Insecure Configuration Management: strong server configuration standards are critical to a secure application. Servers are not secure out of the box and need to be configured for proper security.

Arrow will identify areas of risk, the level of risk and recommend corrective action.

Firewall and Virtual Private Network Review

The firewall review involves the evaluation of the firewall policy and the firewall rule set. In so doing we will evaluate the live configuration against the Customer's firewall policy and best practices for your industry. Arrow will also review the Customer's firewall policy itself. A policy that is too open will reduce the effectiveness of your firewall, while a policy that is too restrictive will create problems for your user base and administrators alike. Unfortunately, there is no one-size-fits-all firewall policy, as the policy for each firewall depends entirely on:

- The hosts it is protecting
- The services those hosts must offer through the firewall, including VPN services
- Where the intended users of those services are located

Firewall review findings will be documented and include suggestions for firewall policy and rule configuration, if needed.

Information Security DMZ and Network Architecture Overview

As part of the assessment, an information security architecture review will be included.
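The web application testing above calls for checking "proper configuration of the session identification", and the OWASP list names broken session management. The following is an added example (not Arrow's assessment tooling) of the kind of check an assessor would run over captured Set-Cookie response headers: it flags session cookies missing the Secure, HttpOnly and SameSite attributes, persistent session cookies, and session ID values with too little entropy to resist guessing. The session cookie names and the sample headers are assumptions constructed for the demonstration.

```python
"""Audit Set-Cookie headers for session-cookie hardening.

Added example, not Arrow's assessment tooling. It assumes the assessor has
captured raw Set-Cookie response headers from the application under test; the
cookie names and sample headers below are constructed for the demonstration.
"""
import math
from collections import Counter

# Cookie names treated as session identifiers (assumption; extend per application).
SESSION_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "sid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def entropy_bits(value):
    """Shannon entropy of the observed characters, summed over the whole value.
    A crude estimate from a single sample, but enough to catch counters or
    short numeric IDs that an attacker would not need to guess."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_session_cookie(header, min_bits=64.0):
    """Return a list of findings for one Set-Cookie header (empty means none)."""
    name, value, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_NAMES:
        return []  # not a session cookie; nothing to assess here
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the session")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: session survives the browser session")
    bits = entropy_bits(value)
    if bits < min_bits:
        findings.append(f"low-entropy value (~{bits:.0f} bits): session ID may be guessable")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one hardened, one with every weakness above.
    for h in ("JSESSIONID=a3f9c2e1b7d4068f5a1c9e3b7d2f4a6c; Path=/; Secure; HttpOnly; SameSite=Lax",
              "sessionid=12345; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"):
        print(h.split(";")[0], "->", audit_session_cookie(h) or ["ok"])
```

The entropy figure is only an estimate from one sample value; on a real engagement the assessor would collect many session IDs and confirm that consecutive values are neither sequential nor derived from a timestamp before reporting the finding.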
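The OWASP "Unvalidated Input" item above is abstract; the SQL injection technique the web application testing mentions is its most familiar consequence. This added example (not Arrow's code) puts a login lookup built by string formatting beside its parameterised form so that the difference the review is looking for is concrete. The table, the two accounts and the probe input are constructed; passwords are kept in clear only to keep the demonstration short, which is itself the "Insecure Storage" weakness from the same list.

```python
"""Unvalidated input: a login lookup built by string formatting, beside the
parameterised form that closes the hole.

Added example, not Arrow's code. The table, accounts and inputs are constructed;
passwords are stored in clear only to keep the demonstration short (a real
application stores a salted hash, which the Insecure Storage item covers).
"""
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """Request parameters are pasted into the SQL text, so a quote in the
    username ends the string literal and the rest becomes SQL syntax."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Placeholders hand the values to the driver separately from the
    statement, so quotes and comment markers in the input stay plain data."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: closes the string literal and comments out the password check.
    probe = "alice' --"
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))  # admin: password never checked
    print("hardened:  ", login_hardened(db, probe, "wrong"))    # None: no such username
```

The hardened form is the corrective action an assessment report would recommend under this item: every query that carries request data uses placeholders, and input validation (length, character set) is applied on top rather than instead.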
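The firewall review above compares the live rule set with the written policy, which is defined by the hosts protected, the services they must offer and where their users are located, and looks for policies that are too open or too restrictive. As an added example (not Arrow's review tooling), the following script encodes a policy in exactly those three terms and checks a rule set against it in both directions. The policy entries, addresses and rules are constructed for the demonstration; in an engagement they would come from the Customer's policy document and the exported firewall configuration.

```python
"""Compare a firewall rule set against the written firewall policy.

Added example, not Arrow's review tooling. The policy (which hosts offer which
services to which users) and the rule set below are constructed; in an
engagement both would come from the Customer's policy document and the exported
firewall configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"
    port: str     # destination port as text, or "any"


def _net(cidr):
    """Parse a CIDR; the keyword 'any' becomes None (matches everything)."""
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _dst_match(rule, host, port):
    net = _net(rule.dst)
    host_ok = net is None or ipaddress.ip_address(host) in net
    return host_ok and rule.port in (port, "any")


def _src_match(rule, users):
    rule_net, user_net = _net(rule.src), _net(users)
    if rule_net is None or user_net is None:
        return True
    return rule_net.overlaps(user_net)


def review(policy, rules):
    """policy: {(host, port): users_cidr}; rules: list in evaluation order.
    Returns 'too open' findings (allow rules reaching beyond the policy) and
    'too restrictive' findings (policy entries the rule set does not honour)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        served = [entry for entry in policy if _dst_match(r, *entry)]
        if r.dst == "any" or r.port == "any":
            findings.append(f"too open: {r} is not scoped to a listed host and service")
        elif not served:
            findings.append(f"too open: {r} allows a service the policy does not list")
        elif r.src == "any" and any(policy[e] != "any" for e in served):
            findings.append(f"too open: {r} admits any source but the policy limits users")
    for (host, port), users in policy.items():
        # First matching rule decides, as most firewalls evaluate their rule base.
        for r in rules:
            if _dst_match(r, host, port) and _src_match(r, users):
                if r.action != "allow":
                    findings.append(f"too restrictive: {r} blocks {users} from {host}:{port}")
                break
        else:
            findings.append(f"too restrictive: no rule admits {users} to {host}:{port}")
    return findings


# Constructed policy: public web server, partner-only VPN gateway, mail relay.
POLICY = {
    ("203.0.113.10", "443"): "any",
    ("203.0.113.20", "1194"): "198.51.100.0/24",
    ("203.0.113.30", "25"): "any",
}

# Constructed rule set: one correct rule, two over-permissive ones and a
# default deny that leaves the mail relay unreachable.
RULES = [
    Rule("allow", "any", "203.0.113.10/32", "443"),
    Rule("allow", "any", "203.0.113.20/32", "1194"),
    Rule("allow", "any", "203.0.113.10/32", "3389"),
    Rule("deny", "any", "any", "any"),
]


def sample_findings():
    return review(POLICY, RULES)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The three findings the sample produces are the three shapes a firewall review reports: a rule whose source is wider than the users the policy names, a rule admitting a service the policy never lists, and a policy-required service that the rule base's default deny silently blocks. Real rule bases also need object groups, protocol families and NAT resolved before this comparison; the script assumes that has already been done.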
This report will review the effectiveness of the current network technology that exists in the customer environment. Devices that are Internet-facing and outside each firewall are considered part of the "de-militarized zone" (DMZ) and should be subject to periodic review. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside in an area subject to potential attack. The assessment will review, but is not limited to, the following:

- Ownership responsibility
- Secure configuration requirements
- Operational requirements
- Change control requirements
Recommendations will be made as to how to further secure the network with the present technology, as well as what additional technology is required to secure the environment.

Wireless Network Assessment (War Driving)

The wireless network assessment or "war drive" involves physically scanning the perimeter of the Customer's facility using a wireless scanner. The wireless scanner probes the general vicinity for any emitted wireless access point (WAP) signals that are in the area. Each responding signal is documented for ownership, whether or not it is a known corporate resource, and whether or not it is secured with encryption.

The process of assessing the security of the wireless network uses the following procedure and practices. Testing begins with being positioned within the vicinity of the wireless signal(s). Using a commercial laptop outfitted with a special wireless antenna, signals are collected and identified for ownership. Signals identified as the wireless system belonging to the customer are then targeted for penetration. The attempt to penetrate begins with initiating a request and response from the wireless access point. As users connect to the device, encrypted packets of information are captured. Depending on the encryption technology securing the wireless network, the number of packets that must be collected will vary. The packets collected are then examined in an attempt to decrypt them. If successful, the decrypted packets should provide the information needed to connect to the wireless network.

Security Assessment for Virtualized Environments

The Security Assessment for Virtualized Environments provides a comprehensive approach to assessing the posture of your virtualized infrastructure in the context of security. It provides a comprehensive review of VM lifecycle management policies or standards, VM operation management processes, and InfoSec policies and controls with regard to VM infrastructure hardening.
The service provides the knowledge needed to protect information, identities, data and systems across the entire virtualization infrastructure, including VMware, Hyper-V and XenServer systems and the corresponding management structures. This service provides an understanding of the level of protection that is appropriate for a given set of operational requirements, and recommends the best combination of policy, management and technology improvements to assure a comprehensive virtualization security strategy. The recommendations may include some or all of the following areas:

- User and resource security
- Access controls
- Network configuration
- Platform security
- Data security
- Physical security
- Security monitoring
- Security policy management
- Operational controls (change management, asset management, etc.)

An important benefit of the assessment is evaluating the effectiveness of the security mechanisms currently in place against reference criteria, including:

- Deviations from industry best practices (ISO 27002)
- Any known vulnerabilities (e.g., as reported by CERT or other security-related sites)

Internet Record Validation

Internet record validation involves locating and reviewing the domain names and IP addresses that are registered to the Customer. The information is then reviewed for thoroughness, including contact data, domain ownership and the location of hosted domains. Findings are documented for customer reference and review. Records are obtained from VeriSign to validate the technical contact and owner of the Customer's domain name.

Project and Quality Management

Underlying our service engagements is Arrow's Project and Quality Management process, which is based upon Project Management Institute (PMI) principles. This helps ensure that the project is performed effectively to fulfill the Customer's expectations. In addition, Arrow utilizes peer reviews among members of the project team at key points in the project to validate that quality expectations are being met, best practices are employed, and creative ideas and solutions are considered. Experience has proven that each of these steps adds considerable value to the overall project results.

More Information

Contact your Services Account Director to outline requirements, discuss your options and select the most appropriate level of service for your customer based on their business needs.

Visit our website: http://ecs.arrow.com/services
Call toll-free: 1-877-558-6677
Email us: Arrow_Services@arrow.com