Savid’s Core Service Offerings include:
Savid’s Technical Services include:
Black Box Testing
A zero-knowledge functional testing assessment, most commonly performed externally.
White Box Testing
A functional testing assessment using valid account logins and with knowledge of the network (for example, network maps). This type of test is most commonly performed internally.
Note: Once vulnerabilities are uncovered, Savid can either stop at that point (pure Vulnerability Assessment), or Savid can continue to explore to what extent the client system can be exploited (a Penetration Test or Ethical Hack).
Note: Gray box testing, a hybrid of black box and white box testing, is also an option.
Configuration and System Hardening Assessment
A human analysis of operating system, server and device configuration. Configuration assessments of group policy, service configuration, file and directory permissions, and access control structures are also performed. Custom analysis is performed where scripting is supported by the device/server.
Note: All of the assessment services to this point have covered IT infrastructure. The following assessments cover specific IT functions in depth.
Database Assessment
A human analysis of the server and database configuration. If the server can be scripted, custom packets and datasets are built to test against the configuration. Service configuration, file and directory permissions, and access control structure configurations are assessed. Privileged account and password management are also reviewed. Database penetration tests are also performed.
Secure Software Development Life Cycle Assessments
Review of application development procedures, technologies, testing/QA, developer training and secure coding awareness.
Application Security Assessments
Review of custom internal applications, open source, outsourced and COTS software for security vulnerabilities, focusing on the OWASP Top 10 (2010) and the CWE/SANS Top 25 Most Dangerous Programming Errors, but also capable of uncovering any type of application vulnerability. Savid is experienced at vulnerability scanning, penetration testing, architecture reviews and code analysis. Savid also leverages the Veracode SecurityReview service for static and dynamic application security testing.
Wireless Security Assessment
Analysis of connectivity restrictions and verification of secure design and network access defenses.
VoIP Assessments
An assessment of the resilience of the voice network to a simulated attack is performed. Architecture, policy and procedures are also reviewed.
Perimeter Security Technology Assessment: IDS/IPS and firewall audit and optimization
Intrusion detection systems, intrusion prevention systems and firewalls are assessed for optimization. The assessment spans from high-level design down to specific rule sets. Signatures and rule sets are reviewed to reduce false positives and increase effectiveness.
Note: All of the assessment services to this point have covered IT technology. The following assessments also cover policy, people and physical access.
Policy and Procedure Audits
A review of administrative processes to ensure compliance with government laws and corporate and industry standards, and to ensure IT security is aligned with corporate business objectives.
Employee Security Awareness Assessment
A review of employee security awareness and practices, and of the training and enforcement of secure employee behavior. Employee vulnerability to improper internet use (including phishing, email/IM and web surfing), poor password behavior and other practices that lead to corporate security vulnerabilities is also reviewed.
Business Continuity Management (BCM) Plan Assessment
An assessment of current business threats and existing contingency plans to determine the associated business risk.
PCI Compliance Assessments
Ensures the IT environment meets PCI DSS compliance requirements. Performed by a QSA-certified consultant. Pre-QSA preparation assessments and PCI reconnaissance assessments are also offered. Follows PCI DSS v2.
HIPAA Compliance Assessments
Ensures the IT environment meets the HIPAA Security Rule. Refer to Savid’s “How To Avoid Common HIPAA Failures” white paper for detail.
FISMA Compliance Assessments
Ensures the IT environment meets FISMA/FIPS compliance requirements. The latest FedRAMP regulations are referenced. Refer to Savid’s “Best Practices for FISMA Compliance” white paper for additional information.
Physical Security Assessment
A review of the operational effectiveness of security guards, key systems, and biometric authentication controlling access to restricted areas.
IT Security Technology Deployments
Beyond IT security risk assessments, Savid is also experienced at IT security technology deployments including, but not limited to, the following:
Security Information and Event Management / Log Management