ASSESSMENT

Comprehensive risk transparency is key for managing your information and IT security. Only with this insight will you be able to optimize security measures in a targeted, effective and efficient manner. Based on many years of profound experience and proven expertise, SCHUTZWERK can provide you with different types of security assessments in this area.

A targeted and regular search for vulnerabilities in the technologies, measures and concepts of information and IT security is an elementary component of the overall security strategy of modern companies. Given the complexity of the deployed information technologies and the threats inherent in them, there is a variety of sensible assessment approaches. Technical security is an important aspect; however, organisational and personnel security must also be included in the assessments. This places great demands on the assessors' know-how. It is therefore sensible to seek the support of a dedicated partner such as SCHUTZWERK GmbH, not least to guarantee an impartial review.

SCHUTZWERK provides the following risk assessments for the identification of your individual risks:

Penetration Test

Risk-based assessment of IT systems for existing security vulnerabilities from the perspective of external and internal attackers

Objective: Realistic simulation of targeted attacks on IT systems
Scope: Focussed (defined risk scenarios)
Information Base: Grey or black box
Starting Point: Via internet and/or LAN/WAN
Objects: All IT components/applications
Method: Direct attack attempts (complex attacks/multi-staging)

Vulnerability Analysis

Comprehensive assessment of IT systems for existing security vulnerabilities from the perspective of external and internal attackers

Objective: Identification of all vulnerabilities in defined IT environments
Scope: Comprehensive (e.g. defined IP address ranges)
Information Base: White, grey or black box
Starting Point: Via internet and/or LAN/WAN
Objects: All IT components/applications
Method: Software-supported vulnerability scan with attack attempts

Web Application Security Assessment

Security assessment of web applications as well as the corresponding base systems from the perspective of external attackers and privileged users

Objective: Identification of all vulnerabilities in defined web applications
Scope: Comprehensive or focussed (defined risk scenarios)
Information Base: White, grey or black box
Starting Point: Via internet and/or LAN/WAN
Objects: Web applications, base systems, web services
Method: Direct attack attempts (complex attacks/multi-staging) from the perspective of external attackers and privileged users

Mobile Application Security Assessment

Security assessment of mobile applications as well as the corresponding operating environments from the perspective of attackers and privileged users

Objective: Identification of all vulnerabilities in defined mobile applications
Scope: Comprehensive or focussed (defined risk scenarios)
Information Base: White, grey or black box
Starting Point: Via available interfaces
Objects: Mobile applications, base systems, web services
Method: Direct attack attempts (complex attacks/multi-staging) from the perspective of external attackers and privileged users

Embedded Systems Assessment

Security assessment of hardware components and embedded systems as well as the corresponding operating environments from the perspective of attackers

Objective: Identification of all vulnerabilities in defined embedded systems
Scope: Comprehensive or focussed (defined risk scenarios)
Information Base: White, grey or black box
Starting Point: Via physical access or defined interfaces
Objects: Hardware base systems, hardware modules, communication interfaces
Method: Direct attack attempts (complex attacks/multi-staging) from the perspective of attackers

Maturity Level Analysis of Information Security

Assessment of technical, organizational and personnel security processes and concepts against the controls of ISO/IEC 27001 via interviews, documentation reviews and site inspections

Objective: Comprehensive identification of the optimization requirements of security-relevant processes and concepts
Scope: Comprehensive
Information Base: White box
Starting Point: Entire IT environment or subareas defined by the client
Objects: Security-relevant processes and concepts of the defined IT environment
Method: Interviews, documentation reviews and site inspections (based on a comprehensive questionnaire compliant with ISO/IEC 27001, incl. graphical analysis)

IT Risk Assessment according to ISO/IEC 27005

Process-based assessment of individual applications or entire IT environments to determine and quantify relevant risks

Objective: Realistic assessment and quantification of risks
Scope: Focussed (according to identified threat scenarios)
Information Base: White box
Starting Point: Entire IT environment or defined subareas
Objects: Applications, IT environments
Method: Interviews, concept review, configuration analyses, technical attacks on the basis of the process sequence according to ISO/IEC 27005

Assessment of Client Systems

Comprehensive assessment of client systems for technical and process-based security vulnerabilities

Objective: Identification of all vulnerabilities in client configuration and client management
Scope: Comprehensive (defined clients)
Information Base: White box
Starting Point: Client systems and the corresponding management environment
Objects: PCs, notebooks, tablets, smartphones
Method: Interviews, concept reviews, configuration analyses, technical attacks

Social Engineering Assessment

Risk-based assessment of building security against unauthorized entry and of staff sensitivity towards person-targeted IT attacks

Objective: Simulation of targeted attacks on buildings, rooms or IT environments via personal manipulation
Scope: Focussed (defined risk scenarios)
Information Base: Grey or black box
Starting Point: Building access points, communication channels (face-to-face, by phone, via email, etc.)
Objects: Buildings/rooms, staff sensitivity
Method: Direct attack attempts using false identities, false facts, etc.

IT Forensics

Analysis of security incidents or suspicious circumstances in IT technologies

Objective: Analysis and (as far as possible) resolution of security incidents or suspicious IT circumstances
Scope: Focussed or comprehensive (depending on the incident)
Information Base: White box
Starting Point: Via internet and/or LAN/WAN
Objects: All IT components/applications
Method: Detailed analysis with specific forensic/assessment tools

Digital Watchguard

Continuous vulnerability monitoring and early warning for critical IT systems

Objective: Early detection and elimination of vulnerabilities
Scope: Comprehensive (e.g. defined IP address ranges)
Information Base: White box
Starting Point: Via internet
Objects: All IT components and web applications
Method: Software-supported vulnerability scan and early warning based on the "digital fingerprint" of the IT environment that is to be protected

Security assessments require more than specialist know-how. A structured project plan as well as professional project management are additional important success factors. SCHUTZWERK offers all of these for the phases described below:

Basic Phases of Security Assessments

  • 1 Kick-off Meeting

    • Definition of the object of investigation (depending on the method: white box/black box/grey box)
    • Definition of relevant risk scenarios & main areas of examination
    • Clarification of technical & legal guidelines
    • Definition of project procedures, contacts, responsible parties & time limits
  • 2 Project Preparations

    • Binding scheduling & resource planning
    • Updating of examination tools
  • 3 Information Gathering

    • Internet research
    • Footprinting/enumeration, IP range scanning, determination of the attack surface, crawling/spidering
    • Observation of buildings (physical access control assessment)
  • 4 Analysis & Verification

    • Analysis of the objects of investigation regarding vulnerabilities
    • Verification of identified vulnerabilities through direct attacks (scope and aggressiveness depend on the type of assessment)
  • 5 Creation of a Report

    • Detailed documentation of the procedures and results
    • Risk analysis of identified vulnerabilities
    • Creation of a catalog of prioritized countermeasures
  • 6 Presentation of Results

    • Creation of target-group-specific presentations
    • Explanation of the assessment and the results
    • Explanation and discussion of the measures

Project Management & QA

Documentation