
Assessment

Creating Risk Transparency


Comprehensive risk transparency is key to managing your information and IT security. Only with this insight can you optimize security measures in a targeted, effective and efficient manner. Based on many years of in-depth experience and proven expertise, SCHUTZWERK can provide you with different types of security assessments in this area.

SCHUTZWERK provides the following security assessments for the identification of your individual risks:

A targeted and regular scan for vulnerabilities within the technologies, measures and concepts of information and IT security is a fundamental component of the overall security strategy of modern companies. Given the complexity of deployed information technologies and their inherent threats, there is a variety of sensible assessment approaches. Technical security is a key aspect here; however, organizational and personnel security must also be included in the assessments. This places great demands on the assessors' know-how. It is therefore sensible to seek the support of a dedicated partner such as SCHUTZWERK GmbH, not least to guarantee an impartial review.

Scope and Approach

For each assessment, the exact scope and approach are agreed with the customer in advance. The following aspects, among others, can be taken into account (based on the classification of penetration tests proposed by the BSI):

Objective
  • Identification and risk assessment of vulnerabilities
Perspective of attacker
  • External attackers
  • Internal attackers
  • Privileged users
Aggressiveness
  • Selectable between passive, cautious/calculated and aggressive
Approach
  • Selectable between stealthy and noisy
Information base & Techniques
  • Black-Box: vulnerability scan, manual analysis, reverse engineering, social engineering, exploitation of vulnerabilities
  • Gray-Box: configuration analysis, analysis of concepts and specifications, interviews and workshops
  • White-Box: source code analysis, analysis of concepts and specifications, interviews and workshops
Scope
  • Comprehensive
  • Limited
  • Focused

Results

As a result of the assessment, we will provide a detailed report. Depending on the type and scope of the project, the final report includes the following parts:

  • Management summary with a description of the results and the security level
  • Description of the project approach, scope, schedule and methodology
  • Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
  • Detailed description of the iterative exploitation process when using chained vulnerabilities
  • Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
  • Description of measures to remedy the vulnerabilities
  • If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions

Basic Phases of Security Assessments

Security assessments require more than specialist know-how. A structured project plan and professional project management are further important success factors. SCHUTZWERK covers all of these aspects across the phases described below:

  • Definition of the object of investigation
  • Definition of relevant risk scenarios & main areas of examination
  • Clarification of technical & legal guidelines
  • Definition of project procedures, contacts, responsible parties & time limits
  • Binding scheduling & resource planning
  • Updating of examination tools
  • Internet research
  • Footprinting / enumeration, IP range scanning, determination of the attack surface, crawling / spidering
  • Observation of buildings (physical access control assessment)
  • Analysis of the objects of investigation regarding vulnerabilities
  • Verification of identified vulnerabilities through direct attacks (scope and aggressiveness depend on the type of assessment)
  • Detailed documentation of the procedures and results
  • Risk analysis of identified vulnerabilities
  • Creation of a catalog of prioritized countermeasures
  • Creation of target-group-specific presentations
  • Explanation of the assessment and the results
  • Explanation and discussion of the measures

Protocol
Documentation
Project management & QA

