Threat and Risk Assessment (TRA)

AIM has extensive expertise conducting enterprise wide and system specific Threat Risk Assessments (TRAs) and application and web penetration testing. Moreover, our comprehensive TRA methodology will ensure that your application, network, and computing infrastructure are thoroughly scrutinized in order to reduce risk and exposure.

AIM Consulting will follow a TRA methodology based on a simplified and customized version of the CSE-RCMP Harmonized TRA methodology.

Other methodologies and standards that will be used in this engagement include:

• Government of Ontario MGS TRA methodology
• ISO/IEC 27005:2008 Information technology — Security techniques — Information security risk management
• NIST SP800-30 Risk Management Guide for Information technology Systems

In order to conduct the TRA assessment, AIM Consulting uses the following framework:

Technical Vulnerability Assessment and Penetration Testing

AIM has many years of experience conducting network infrastructure, computing layer and application layer vulnerability assessment and penetration testing. Over the past 6 months we have conducted 7 technical vulnerability assessments and penetration testing in health care settings including infrastructure, database, networks, web and mobile application (Mobile Asthma application).

Our Technical Vulnerability Assessment (TVA) and Penetration Testing methodologies are based on aspects of the Open Source Security Testing Methodology Manual (OSSTMM) and Open Web Application Security Project (OWASP) frameworks.  Approaches can include “black box” and “white box” external vulnerability assessments, internal infrastructure and network vulnerability assessments and application vulnerability assessment

We leverage both commercial and open source network and application scanning tools and commonly known hacking techniques in an attempt to identify security vulnerabilities against the target environments and applications.

Infrastructure and Network Level Assessment

This type of testing is aimed at identifying vulnerabilities at network and base operating system level and will be performed from the following perspectives:

1. External attacker. Someone attempting to perform malicious activities from an external connection (e.g. the Internet).
2. Internal attacker. Someone having compromised external boundaries (either by hacking into the internal / DMZ environment or by having physically gained access to the premises) and attempting to perform malicious activities from within.

Network level assessments are performed using the following high level methodology:

The methodology applied to network level assessments is similar to the widely accepted OSSTMM (Open Source Security Testing Methodology Manual).

There are multiple checks under each of the category mentioned above.

Web application vulnerability and Penetration assessments

Penetration Testing of Applications is a hybrid security test that aims to uncover security vulnerabilities at the application layer. Popular types of vulnerabilities discovered include SQL injection, XSS and CSRF vulnerabilities. This type of test has a high manual component, approximately 70%, and the testers build custom threat profiles to discover contextual security vulnerabilities that are specific to the application.

Application level assessments are categorized into two distinct classes:

1. Web application assessments. Those that are presented through a browser by a web server. Our methodology for assessing web applications is closely aligned to industry accepted OWASP (Open Web Application Security Project).
2. Thick client server applications. Those that present some sort of application through installation or execution.

Both types of assessments will follow the following high level methodology:

Application assessments are commonly performed from the perspective of one or more of the following scenarios:

1. No knowledge. Commonly referred to as black box testing, this simulates an attacker without any knowledge of the application or its associated environment.
2. Some knowledge. Commonly referred to as grey box testing, here we simulate an attacker with some knowledge (perhaps an application user, and / or someone with knowledge about how the application works).
3. Full knowledge. Using a white box testing approach, this simulates an attacker with full knowledge about the application, associated environment, and with access to the source code (perhaps a disgruntled application developer).

Manual Source Code Review Methodology

Our hybrid approach to code reviews blends automated tools with human intelligence. We use proprietary scripts that can be customized and extended for each application.

The benefits of the hybrid approach include:

• Zero false positives as human intelligence is used to verify each finding
• Very high efficiency as automated scripts are used to zoom into suspicious code
• Ability to detect business logic security flaws, including custom backdoors
• Customize the scripts specifically for the programming styles used
• Greater coverage by using automated scripts to analyze the entire code base

Information Security Health Check

We have assisted organizations understand how information security threats translated to business risk, develop accreditation frameworks and to assess the organization’s readiness to face today’s threats. The security health check provides a comprehensive and customizable tool to assess and enterprise security program. It is attainable tool that will evaluate critical elements of your information security including:

• Information Security Strategy. Understand how information security should enable your business, and determine whether or not an effective security strategy is in place.
• Security Management and Governance. Evaluate if you have the right organizational and policy structures to support your information security function(s).
• Security Operations. Verify the adequacy of incident response, identity and access, and vulnerability and risk management processes.
• Privacy and Compliance. Evaluate your privacy and data protection processes and mechanisms in order to strengthen your regulatory compliance.
• Technical Architecture. Assess technical and logical controls (e.g. network, application and security tools) resilience against cyber and internal threats. Optionally, this may also include technical vulnerability assessments and penetration testing.