Testing

Identifying and managing vulnerabilities in systems, networks, and applications is vital to keeping an organization secure.  Actively seeking out vulnerabilities, and then testing whether they can actually be exploited, takes a risk management program to the next level.  CyberTAP uses a conservative methodology that balances the risk of active testing and system interruption against the value of pragmatic advice and customized reports that support remediation efforts.

External Vulnerability Assessment (Generally performed semi-annually)

The CyberTAP security team will perform security testing of Internet exposed environments in order to identify potential weaknesses that could be exploited by a remote adversary.

  • External scan of hosts in 30 IP address increments
    • A scan seeking to identify vulnerabilities in Internet facing hosts.  Both operating system specific and application specific scans will be conducted.
  • Meta-data analysis of primary web domain
    • A review of documents and data publicly accessible from the healthcare provider's web presence.
  • DNS / Whois record review
    • A review of externally facing domain name service and domain name registration records.

The following items are not in this project scope:

  • Social engineering of staff.
  • Physical penetration of facilities.
  • Testing of identified vulnerabilities.

Deliverables:

  • A detailed report summarizing all identified critical, high, and medium level vulnerabilities and recommended action required to resolve or reduce risk associated with vulnerabilities;
  • The output of all technical tests performed.

External Vulnerability Assessment & Penetration Test

The PHA security team will perform security testing of Internet exposed environments in order to identify potential weaknesses that could be exploited by a remote adversary.  Once the assessment phase is complete, PHA will attempt to exploit the identified vulnerabilities to validate each finding and to assist with development of a remediation plan.

  • External scan of up to 30 IP addresses (additional systems can be added for larger organizations).
    • A scan seeking to identify vulnerabilities in Internet facing hosts. Both operating system specific and application specific scans will be conducted.
  • Meta-data analysis of the client's web domain
    • A review of documents and data publicly accessible from the healthcare provider's web presence.
  • DNS / Whois record review
    • A review of externally facing domain name service and domain name registration records.
  • Manual and automated testing of identified vulnerabilities to gauge the likelihood of successful exploitation.
    • Every effort will be made to exploit networks, systems, and applications without impacting the availability of services or jeopardizing the confidentiality and integrity of data.
    • Uninterrupted service and availability cannot be guaranteed during the active testing phase.

The following items are not in this project scope:

  • Social engineering of staff.
  • Physical penetration of facilities.

Deliverables:

  • A detailed report summarizing all identified critical, high, and medium level vulnerabilities and recommended action required to resolve or reduce risk associated with vulnerabilities;
  • Results of the penetration test and recommended steps to take to harden systems from remote exploitation;
  • A follow-up scan 4-6 weeks after initial test to assist client with remediation efforts;
  • The output of all technical tests performed.

Password Audits 

Passw0rd! will meet most basic password requirements, but can be cracked in seconds. Passwords are our first line of defense in protecting data and IT assets, and password audits provide evidence that employees are adhering to password-creation best practices.  CyberTAP can give organizations great insight into their employees' password creation habits.  Our password audit will also tell you whether any of your employees' passwords have been publicly disclosed in a known password dump on the Internet.
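To illustrate the two checks a password audit of this kind performs, here is an added example written for this page; it is not CyberTAP's audit tooling. It takes a list of (user, password) pairs, applies a basic three-of-four character-class complexity policy, and then checks each password against a breach corpus using the SHA-1 hash-prefix (k-anonymity) bucket layout that public breach-lookup services use. The breach corpus, the account list, and the policy thresholds are constructed for the example, so it runs offline; a real audit would query a live corpus, sending only the five-character hash prefix over the network.

```python
"""Added example (not CyberTAP's tooling): a minimal offline password audit.

Checks performed on each (user, password) pair:
  1. complexity policy: minimum length and at least three of four character classes
  2. breach check: has the password appeared in a known breach corpus?

The breach corpus is keyed the way k-anonymity range services lay it out:
first five hex characters of the uppercase SHA-1 hash select a bucket, and the
35-character suffixes within the bucket are compared locally.
"""
import hashlib
import re


def _build_corpus(words):
    """Build a {prefix: {suffix: count}} corpus from a list of plaintexts.

    Constructed for this example; real corpora are built from published dumps.
    """
    corpus = {}
    for w in words:
        h = hashlib.sha1(w.encode()).hexdigest().upper()
        bucket = corpus.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return corpus


# Constructed sample corpus of known-weak strings (assumption: stands in for a dump).
BREACH_CORPUS = _build_corpus(["Passw0rd!", "Password1", "123456", "Summer2015!", "qwerty"])


def meets_policy(pw, min_len=8, min_classes=3):
    """Return True if pw satisfies a basic complexity policy.

    Note that this is exactly the kind of policy Passw0rd! satisfies.
    """
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= min_len and present >= min_classes


def breach_count(pw, corpus=BREACH_CORPUS):
    """Number of times pw appears in the corpus, via prefix bucket + suffix match."""
    h = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = h[:5], h[5:]
    return corpus.get(prefix, {}).get(suffix, 0)


def audit(accounts, corpus=BREACH_CORPUS):
    """Return a list of (user, reason) findings for a list of (user, password) pairs."""
    findings = []
    for user, pw in accounts:
        if not meets_policy(pw):
            findings.append((user, "fails complexity policy"))
        n = breach_count(pw, corpus)
        if n:
            findings.append((user, f"seen {n} time(s) in breach corpus"))
    return findings


if __name__ == "__main__":
    # Constructed account list for demonstration.
    sample = [("alice", "Passw0rd!"), ("bob", "abc"), ("carol", "Tr0ub4dor&3-longer")]
    for user, reason in audit(sample):
        print(f"{user}: {reason}")
```

The point the page makes is visible in the output: alice's password passes the complexity policy and is still flagged, because policy compliance says nothing about whether a password is already in an attacker's wordlist.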

Contact

George Bailey
MS, CISSP, GCIH
Assistant Director
(765) 494-7538
baileyga@purdue.edu


Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2015 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Office of Corporate and Global Partnerships
