Audits
Regular audits by a neutral third party are the only way to know the level of protection of your information systems and assets.
Objectif Sécurité can tailor the scope and depth of its audits to the needs of the customer. Typical audits cover organizational as well as technical subjects:
- Network audits
- Firewall, perimeter audits
- System audits
- Application audits
- Audits of information system policies, standards and procedures
How far do you want to go?
The depth of an audit can vary from a simple security evaluation to a vulnerability assessment or, finally, to an intensive penetration test.
- Security evaluation
A security evaluation consists of comparing the description of a system to accepted best practices. Often a security evaluation is applied to security policies to find out whether they conform to standards like ISO 27001, the ISF standard or the German Grundschutzhandbuch. Security evaluations can also be applied to network architectures, firewall configurations, system configurations, application architectures or algorithms.
The goal of a security evaluation is to find out whether the security strategy conforms to best practices. As a result, some processes, procedures or configurations may have to be adapted.
- Vulnerability Assessment
In a vulnerability assessment, automatic tools are used to detect known vulnerabilities in the system. For example, a network scanner can be used to find misconfigurations or missing security patches on all machines connected to a network. Automatic tools can also be used to assess vulnerabilities in firewall configurations, on hardened operating systems or in applications. Web applications can be assessed with tools that test for typical vulnerabilities like cross-site scripting or SQL injection. Other applications can be assessed by tools that scan the source code.
The goal of a vulnerability assessment is to find out whether the security strategy is being implemented correctly. The result will show weak spots in security and indicate where a special effort has to be made to reach the desired level of security.
- Penetration testing
Finally, penetration testing is the strongest type of audit. It simulates an attack on the information system by a hacker. This type of audit can be carried out in a black-box setting, where the auditor has no advance knowledge of the system, or in a white-box setting, where the customer reveals information in order to maximize the return of the audit. A customer can request Objectif Sécurité to penetrate its networks from the Internet or from the internal network. A first step consists of finding all vulnerabilities that might be an entry point into the network. In the second phase, these vulnerabilities are exploited to mount a successful attack. Penetration tests can also be carried out against a single application or security device.
The goal of a penetration test is to evaluate the difficulty and the consequences of exploiting existing vulnerabilities, in other words to evaluate the risk to which the company is currently exposed. As a result, the customer learns which assets are in danger and what has to be done to reduce the risk.