Internet Security Corporation
A Professional Internet Security Provider
Network/Web Security Certification
What is Security Certification?
It is a phased analysis of your vulnerability to malicious mischief or criminality from the Internet, together with a confidential written report of the results. It comes in two types. The first is a vulnerability assessment (known in the trade as a penetration test): it includes a vulnerability and DNS information-gathering stage, followed by an attempt to actually see or sniff, or break in to, your systems and networks.

The other is a network audit: one of our GIAC-certified network auditors will perform scanning and reporting work that is pertinent to current security threats, subject to your security policy's objectives. A report with an auditor's opinion will be delivered as the work product of this kind of assessment. It will include our own methodology for estimating the value of the risks that would be avoided by implementing the recommended risk mitigation measures.
Vulnerability Assessment
  • The first phase is the research, conducted from an Internet site not otherwise trusted by your Internet gateway. This consists of automated probes to determine what hosts and services are visible to the Internet. Known web application weaknesses are explored by our web experts. The research phase concludes with directed attacks at all the points of vulnerability generally known and used by the more sinister Internet inhabitants.
  • The second phase is the analysis of the results of the research. In this phase we assess your vulnerability to the generally understood threats of Internet exposure. We also determine your best defense against any vulnerabilities we might discover. If, for example, we misappropriate your password file, we will see if you have any weak or obvious passwords in it.
  • The final phase is the report preparation. We will document what was done, who did it, when it was done, and all results discovered, good news and bad. We will make specific recommendations and offer opinions regarding your Internet security.
For each client we will prepare in advance a statement of work similar to this online version.
What does an Audit do?
  • A full audit is more comprehensive, for reporting to higher management levels. It includes all IT assets and their disposition and has an economic focus. It attempts to take in the full picture of your IT operations, and the level of threat to the value of your organization, as it is supported by those assets. This kind of assessment makes a value proposition that tends to support expenditure on it, as well as making a case for remedial security measures that should be taken.
  • While you may engage in the same exercises in-house, a large part of the value we add is in the seasoned judgement we apply. You might consider it a worthwhile expenditure to measure the effectiveness of the new firewall you just built or bought. We can deploy auditors with the CISA, CISSP, or GSNA auditing credentials, as you prefer.
  • Generally, companies want two different parties to perform the audit and the penetration test, a practice also known as "auditing the auditors". It is common to put two competitors to work on the problem, so that the incentives are there to excel at the work done. We will generally not perform network certifications of both types for the same client.

What does it cost?
Vulnerability assessment is a service that we provide for a fee, typically $200 per IP address. However, you can specify that we audit only a few externally exposed routers and gateways, avoiding any NAT-ed internal addresses, and keeping the cost well below $1,000. Most of our clients want a second certification done to confirm that the original vulnerabilities we found have been remedied. In this case, second and subsequent audits will be done for half the price of the initial certification.

Full audits typically run about $400 per external and internal IP address, and can run upwards of several thousand dollars for an organization with twenty to forty seats. This is only a general indication: audits are done on an hourly basis at our standard hourly consulting rates. Work products contain a certification, unlike a simple Vulnerability Assessment.

Call Internet Security Corporation at (650) 570-6967 for a quotation for either type of assessment.

webmaster@internet-security-corp.com
Last modified: Thu Jun 27 18:50:51 PDT 2002