Network and Application Scans

What people normally have in mind when they think of “IT/Computer Security” is network and web-based security assessments. While this is in fact only a part of what those terms refer to, it is a very important part, and one that covers a variety of different options. US ProTech provides multiple types of network scans, all of which use our security scanning process validated by the US Department of Commerce, penetration and wireless testing, as well as web-based application assessments.

At the very least, every business should perform network and device scans regularly so that they can be aware of their IT security situation. To help businesses out in this endeavor, US ProTech is happy to provide free device scans as well as complimentary network scans.

Types of Network Scanning

US ProTech offers four different types of network scans, and each scan comes with the following outstanding features:

  • Security scanning process recognized and validated by the US Department of Commerce and which exceeds the highest standards of NIST
  • Trend Analysis which allows you to actually compare one report to another over days and years and which builds your profile data to bring you limitless benefits

The four different types of network scans we offer are:

  1. External scanning: Perhaps the most common type of scan, this is where we test your vulnerability from an outsider’s perspective. This means that we try to find how well your security will uphold against someone from outside your company attempting to find a way in.
  2. Internal scanning: Did you know that 70% of your attack surface is internal? In other words, you are potentially most vulnerable from within your own network. This is why internal scanning is so important to ensure you operate at the highest levels of security.
  3. Unauthenticated scanning: In this case, we assess your vulnerabilities from the perspective of someone who doesn’t have credentials. This is mainly helpful to find basic configuration issues or input and output validation type errors.
  4. Authenticated scanning: This type of scan tests your system’s vulnerabilities against attacks from someone who has credentials to your network. Since authenticated scanning gets “inside” your system, it allows for privilege escalation attack checks and to discover any business logic flaws that could become security defects.

Penetration & Wireless Testing

Penetration and wireless tests take the security evaluation one step beyond by searching for ways to exploit potential IT network vulnerabilities in the same way that anyone attempting to attack your system would.

Based on years of vulnerability and exploitation experience, US ProTech developed the US ProSecure penetration testing tool. This tool is used by highly skilled professionals who put all their time and energy into performing a thorough, all-around assessment of your internal or wireless networks, using the same techniques as attackers, but under strict control. This means people hard at work detecting potential threats to your company so that they can be identified and eliminated. In this way, we are able to assess your true security posture and make sure that no cracks, however small, are ignored.

The US ProSecure penetration testing tool is integrated with US ProSecure’s vulnerability scanner allowing customers to:

  • Exploit a vulnerability discovered by the scanner to confirm its existence beyond a doubt
  • Gain a better understanding of the threats to which they might be subject
  • Ensure that the ways in which a vulnerability may be exploited are known so that they can all be countered

Advanced features allow the addition of custom exploits, the modification of existing exploits, and the use of US ProTech’s post-exploitation tools.

Web-based application assessments

Web-based application assessments are a type of penetration test specifically adapted to web applications instead of traditional IT networks, and they are vital for companies that use these applications in their day-to-day operations.

Web applications refer to any application software that runs in a web browser or is created in a browser-supported programming language (such as JavaScript). Some common examples of these applications include Google Docs, Meebo or Mint.

These applications are extremely convenient and widely used to streamline business communications, but they present a popular target for security threats. Web vulnerabilities are a serious challenge and have resulted in theft of credit cards, financial loss, and damage to the organization’s reputation and image. In addition, these threats can also compromise browsers and websites, which puts customers, prospects, and business partners at risk as well.

Because web applications change frequently and new vulnerabilities are discovered on a daily basis, it is important to continuously assess these threats and weaknesses in order to mitigate the risk of becoming the victim of a web attack. Web-based application assessments are therefore a necessity for any company using web applications to run their business.

US ProSecure provides a scanning policy for interrogating systems for web application vulnerabilities (e.g., cross-site scripting, SQL injection, cross-site request forgery, etc.) in order to detect and exploit vulnerabilities that may exist.

This provides coverage across the OWASP Top 10 Web Application Security Risks, as well as industry-specific requirements.

OWASP 2013 Top 10 List

A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
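An added example, not from the page or from US ProTech, showing the boundary failure the A1 description names: using Python's sqlite3 module and a constructed in-memory user table, a value containing an apostrophe is parsed as SQL syntax when it is concatenated into the query text, but is handled as plain data when it is bound as a parameter.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("carol", "user")],
    )
    return conn


def find_role_unsafe(conn, name):
    # Untrusted data is spliced into the command text, so the interpreter
    # cannot tell where the data ends and the SQL begins. The syntax error
    # seen here for a harmless name is the same boundary failure that lets a
    # crafted value change the query's logic.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_role_safe(conn, name):
    # Parameterised query: the driver hands `name` to SQLite as a bound value,
    # never as part of the command, so quotes inside it carry no meaning.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo(name="O'Brien"):
    """Run both lookups on the same input and report what each one did."""
    conn = build_demo_db()
    results = {"safe": find_role_safe(conn, name)}
    try:
        results["unsafe"] = find_role_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # The apostrophe in the data was read as SQL syntax.
        results["unsafe"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```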

A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
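An added example, not from the page or from US ProTech, of the validation the A10 description calls for: a redirect-target check that accepts only site-relative paths or http(s) URLs whose host is on an allowlist, and falls back to a safe page for everything else. The allowlisted hosts and the fallback page are assumed values; the edge cases handled (protocol-relative URLs, backslashes, userinfo tricks, non-http schemes) are the ones browsers actually follow.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts this application may redirect to (constructed).
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
FALLBACK = "/"  # safe landing page used whenever the target is rejected


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return target only if it is a site-relative path or an http(s) URL whose
    host is allowlisted; otherwise return the fallback page."""
    if not target:
        return fallback
    # Browsers treat backslashes like slashes, so normalise first; otherwise
    # "/\evil.example" would look like a local path yet leave the site.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    # Only http(s) may be followed; javascript:, data: and friends are refused.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback
    if parts.netloc:
        # Protocol-relative ("//host/...") has a netloc but no scheme: refuse.
        if not parts.scheme:
            return fallback
        # "https://app.example.com@evil.example/" puts the trusted name in the
        # userinfo part; the real host is evil.example, so refuse any userinfo.
        if parts.username is not None or parts.password is not None:
            return fallback
        if (parts.hostname or "") not in allowed_hosts:
            return fallback
        return candidate
    # No host at all: accept only an absolute path with a single leading slash.
    # "///host" parses with an empty netloc but browsers still treat it as a
    # host, which is why the second check is needed.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for t in ("/account/settings", "//evil.example/login", "https://app.example.com/x"):
        print(repr(t), "->", safe_redirect_target(t))
```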

Once a web site and/or application successfully passes the US ProSecure Vulnerability Scan, it can be certified by US ProTech and receive the US ProSecure Validation Mark for posting.

The US ProSecure shield (GOLD, SILVER, BRONZE) is based on the frequency of the ongoing scans. This validation seal links back to our site to confirm that the site has been certified Secure based upon the OWASP “TOP 10” scanning policy.

VALIDATED BY THE U.S. DEPARTMENT OF COMMERCE / N.I.S.T 800-53

For more information or to get a quote, simply fill out the form on the right, or call us today!
