EXECUTIVE SUMMARY

Alpha Technologies is a provider of advanced cyber security services to the private, education, healthcare, government and US military sectors in the United States. This proposal is for a cyber security assessment project at the XYZ organization. The work will cover the assessment of different areas that can act as vulnerabilities for XYZ and be detrimental to the organization or its reputation. Alpha Technologies also provides cyber security services for Industrial Control Systems (ICS) that support the critical infrastructure of the United States of America.

SCOPE, APPROACH, AND METHODOLOGY

The Cyber Security Assessment will examine internal and external security threats to the organization. This assessment will evaluate the present security infrastructure and organizational security policies. The following areas will form the major part of this assessment:

  • External Network Vulnerability Assessment and Penetration Testing
  • Internal Network Vulnerability Assessment and Penetration Testing
  • DMZ or Network Architecture Designs / Reviews
  • Wireless Network Assessment and Penetration Testing
  • Server Configuration Reviews
  • Firewall and Router Configuration Reviews
  • Social Engineering Assessments
  • Physical Security Reviews
  • Information Security Policy Review
  • Web Application Vulnerability Assessment and Penetration Testing

There are three different approaches with which we can perform this assessment:

  • Black Hat: In this approach we will work as an external adversary without any background knowledge of the XYZ organization's systems.
  • Grey Hat: The grey hat approach involves getting a little information about the organization's internal network, which provides better assessment results.
  • White Hat: This approach includes getting some secret information about the organization, such as the IP scheme, network topology, and IT asset classification.

The whole assessment process will be performed according to the Cyber Kill Chain methodology.

KEY ASSUMPTIONS

A network connection to XYZ's network and physical access to the premises will be provided.

Appropriate notification will be provided to stakeholders during the assessment so that the business is aware of the work being done.

ASSESSMENT ACTIVITIES AND DELIVERABLES

External Network Security Assessment

The External Network Security Assessment shall include attempts to identify vulnerabilities and risks to the XYZ information system environment from the external internet. After this assessment, a results report will be reviewed with the XYZ technical team.

DMZ or Network Architecture Designs / Review

A complete evaluation of the present network infrastructure against industry parameters will be performed and analyzed. Server, firewall and router configurations will be reviewed along with the network architecture. Vulnerabilities and recommendations will be discussed with the XYZ technical team.

Wireless Network Assessment and Penetration Testing

A wireless network security assessment will be done because the wireless network is one of the easy targets to compromise in an organization's security. A combination of different attacks will be performed, and the results, with recommendations, will be reviewed with the XYZ technical team.

Social Engineering Assessments

Social engineering is the act of using coercion and other malicious tactics to gain access to an organization's data or physical premises. We are therefore including a social engineering assessment in this engagement. An assessment report with recommendations on attacks such as onsite impersonation, phishing, dumpster diving, pretext calling and other social engineering attacks will be provided in the deliverables.

Physical Security Reviews

A complete evaluation of the present physical security services of building employees, IT assets and sensitive data will be performed. Vulnerabilities and recommendations will be discussed with XYZ technical system.

Information Security Policy Reviews

All the present physical security, application security, system usage, data sharing, IT asset usage and other policies will be reviewed according to market standards. A detailed report will be provided to XYZ management.

Web Application Vulnerability Assessment and Penetration Testing

Web applications are most important and are open to the public internet. Web Application Vulnerability Assessment and Penetration Testing (VAPT) identifies vulnerabilities such as SQL injection and Cross Site Scripting in the web application.

ICS SCADA Security Assessment

Industrial Control Systems support critical infrastructure, which includes the power industry, water industry, and/or oil/gas industry, and need to be protected. AlphaIT can assess the security of XYZ Company's ICS SCADA system.