Security Compliance Associates

The External Systems Vulnerability Assessment and Analysis (ESVAA) is designed to assess the security posture of the institution's external network and systems. SCA's security engineers will examine the external information system for implementation of industry best practices and perform a technical review to exploit known vulnerabilities and configuration errors and identify immediate correction methods.

The first phase is reconnaissance. SCA's security engineers will utilize multiple search engines and research public databases to gather information about your institution and systems. Port scanning will also be performed during this phase. SCA will identify available services and begin foot printing them. The reconnaissance phase is often overlooked by novice attackers, who choose instead to go directly to heavier testing. The skilled attacker will not bypass this phase; they understand reconnaissance is a vital step in compromising a network. Information collected in this stage can help the attacker better understand the institution's network and systems. The more knowledge gained about the system the less likely the chance of them being detected and the higher the risk of having your data breached by a hacker; this phase is key in SCA's approach to securing your network.

The second phase is the assessment and penetration phase. SCA's expert security engineers will examine the systems for known vulnerabilities and mis-configurations. Automated tools will be utilized to identify possible areas of concern. Manual hands-on techniques will then be executed to exploit and validate the weakness. SCA will immediately notify the designated point of contact upon discovery of critical vulnerabilities.

Below is a high-level overview of the tasks that SCA will perform and evaluate during the engagement:

• Port Scanning
• OS Fingerprinting
• Manual Probing of Available Services
• IDS/IPS Evasion and Alerting Testing
• Vulnerability Testing
• Manual Validation of Discovered Vulnerabilities
• War Dialing
• Employee Email Phishing
• Dial-in/RAS Security Testing
• Web Application Assessments
• Firewall Testing and Validation

SCA's security professionals perform extensive tests on all external addresses, whether in use or not. SCA will document all dormant IP addresses that are not in use, and will focus on the live addresses for penetration testing. All telephone ranges are likewise assessed.