ASSESSMENT
Comprehensive risk transparency is key for managing your information and IT security. Only with this insight will you be able to optimize security measures in a targeted, effective and efficient manner. Based on many years of profound experience and proven expertise, SCHUTZWERK can provide you with different types of security assessments in this area.
A targeted and regular scan for vulnerabilities in the technologies, measures and concepts of information and IT security is an essential component of the overall security strategy of modern companies. Given the complexity of the deployed information technologies and their inherent threats, a variety of assessment approaches makes sense. Technical security is an important aspect here; however, organizational and personnel security must also be included in the assessments. This places high demands on the assessors' know-how. It is therefore sensible to seek the support of a dedicated partner such as SCHUTZWERK GmbH, not least to guarantee an impartial review.
SCHUTZWERK provides the following risk assessments for the identification of your individual risks:

Penetration Test
Risk-based assessment of IT systems for existing security vulnerabilities from the perspective of external and internal attackers

- Objective: Realistic simulation of targeted attacks on IT systems
- Scope: Focused (defined risk scenarios)
- Information Base: Grey or black box
- Starting Point: Via Internet and/or LAN/WAN
- Objects: All IT components/applications
- Method: Direct attack attempts (complex attacks/multi-staging)

Vulnerability Analysis
Comprehensive assessment of IT systems for existing security vulnerabilities from the perspective of external and internal attackers

- Objective: Identification of all vulnerabilities in defined IT environments
- Scope: Comprehensive (e.g. defined IP address ranges)
- Information Base: White, grey or black box
- Starting Point: Via Internet and/or LAN/WAN
- Objects: All IT components/applications
- Method: Software-supported vulnerability scan with attack attempts

Cloud Security Assessment
Security assessment of the overall cloud configuration and of the security measures of cloud service components from the perspective of external attackers and privileged users

- Objective: Identification of misconfigurations and vulnerabilities in the cloud environment
- Scope: Comprehensive or focused (defined risk scenarios)
- Information Base: Grey or black box
- Starting Point: Via Internet and cloud consoles
- Objects: Cloud resources
- Method: Concept reviews, configuration analyses, technical attacks

Web Application Security Assessment
Security assessment of web applications and their underlying base systems from the perspective of external attackers and privileged users

- Objective: Identification of all vulnerabilities in defined web applications
- Scope: Comprehensive or focused (defined risk scenarios)
- Information Base: White, grey or black box
- Starting Point: Via Internet and/or LAN/WAN
- Objects: Web applications, base systems, web services
- Method: Direct attack attempts (complex attacks/multi-staging) from the perspective of external attackers and privileged users

Mobile Application Security Assessment
Security assessment of mobile applications and their operating environments from the perspective of attackers and privileged users

- Objective: Identification of all vulnerabilities in defined mobile applications
- Scope: Comprehensive or focused (defined risk scenarios)
- Information Base: White, grey or black box
- Starting Point: Via available interfaces
- Objects: Mobile applications, base systems, web services
- Method: Direct attack attempts (complex attacks/multi-staging) from the perspective of external attackers and privileged users

Home Office Security Assessment
Security assessment of the home office setup and infrastructure as well as a review of related services

- Objective: Identification of misconfigurations and vulnerabilities
- Scope: Comprehensive
- Information Base: White, grey or black box
- Starting Point: Via Internet and client
- Objects: Client system and home office infrastructure
- Method: Concept reviews, configuration analyses, technical attacks

Embedded Systems Assessment
Security assessment of hardware components and embedded systems as well as their operating environments from the perspective of attackers

- Objective: Identification of all vulnerabilities in defined embedded systems
- Scope: Comprehensive or focused (defined risk scenarios)
- Information Base: White, grey or black box
- Starting Point: Via physical access or defined interfaces
- Objects: Hardware base systems, hardware modules, communication interfaces
- Method: Direct attack attempts (complex attacks/multi-staging) from the perspective of attackers

Maturity Level Analysis of Information Security
Assessment of technical, organizational and personnel security processes and concepts against the controls of ISO/IEC 27001, via interviews, documentation reviews and site inspections

- Objective: Comprehensive identification of the optimization requirements of security-relevant processes and concepts
- Scope: Comprehensive
- Information Base: White box
- Starting Point: Entire IT environment or subareas defined by the client
- Objects: Security-relevant processes and concepts of the defined IT environment
- Method: Interviews, documentation reviews and site inspections (based on a comprehensive questionnaire compliant with ISO/IEC 27001, incl. graphical analysis)

IT Risk Assessment according to ISO/IEC 27005
Process-based assessment of individual applications or entire IT environments to determine and quantify relevant risks

- Objective: Realistic assessment and quantification of risks
- Scope: Focused (according to identified threat scenarios)
- Information Base: White box
- Starting Point: Entire IT environment or defined subareas
- Objects: Applications, IT environments
- Method: Interviews, concept reviews, configuration analyses and technical attacks, following the process defined in ISO/IEC 27005

Assessment of Client Systems
Comprehensive assessment of client systems for technical and process-based security vulnerabilities

- Objective: Identification of all vulnerabilities in client configuration and client management
- Scope: Comprehensive (defined clients)
- Information Base: White box
- Starting Point: Client systems and the corresponding management environment
- Objects: PCs, notebooks, tablets, smartphones
- Method: Interviews, concept reviews, configuration analyses, technical attacks

Social Engineering Assessment
Risk-based assessment of building security with regard to unauthorized entry, and of staff awareness of IT attacks directed at individuals

- Objective: Simulation of targeted attacks on buildings, rooms or IT environments via personal manipulation
- Scope: Focused (defined risk scenarios)
- Information Base: Grey or black box
- Starting Point: Building access points, communication channels (face-to-face, by phone, via email, etc.)
- Objects: Buildings/rooms, staff awareness
- Method: Direct attack attempts using false identities, false facts, etc.

IT Forensics
Analysis of security incidents or suspicious circumstances in IT systems

- Objective: Analysis and, as far as possible, resolution of security incidents or suspicious IT circumstances
- Scope: Focused or comprehensive (depending on the incident)
- Information Base: White box
- Starting Point: Via Internet and/or LAN/WAN
- Objects: All IT components/applications
- Method: Detailed analysis with specific forensic/assessment tools

Digital Watchguard
Continuous vulnerability monitoring and early warning for critical IT systems

- Objective: Early detection and elimination of vulnerabilities
- Scope: Comprehensive (e.g. defined IP address ranges)
- Information Base: White box
- Starting Point: Via Internet
- Objects: All IT components and web applications
- Method: Software-supported vulnerability scan and early warning based on the "digital fingerprint" of the IT environment that is to be protected
Security assessments require more than specialist know-how. A structured project plan as well as professional project management are additional important success factors. SCHUTZWERK can offer all these aspects for the phases described below:
Basic Phases of Security Assessments

1 Kick-off Meeting
- Definition of the object of investigation (depending on the method: white box/black box/grey box)
- Definition of relevant risk scenarios & main areas of examination
- Clarification of technical & legal guidelines
- Definition of project procedures, contacts, responsible parties & time limits

2 Project Preparations
- Binding scheduling & resource planning
- Updating of examination tools

3 Information Gathering
- Internet research
- Footprinting/enumeration, IP range scanning, determination of the attack surface, crawling/spidering
- Observation of buildings (physical access control assessment)

4 Analysis & Verification
- Analysis of the objects of investigation regarding vulnerabilities
- Verification of identified vulnerabilities through direct attacks (scope and aggressiveness depend on the type of assessment)

5 Creation of a Report
- Detailed documentation of the procedures and results
- Risk analysis of identified vulnerabilities
- Creation of a catalog of prioritized countermeasures

6 Presentation of Results
- Creation of target-group-specific presentations
- Explanation of the assessment and the results
- Explanation and discussion of the measures

Accompanying all phases: Project Management & QA, Documentation