We would be delighted to assess your Network Vulnerabilities

Realtime Network Monitoring

Eventually, someone is going to test your network security, whether you ask them to or not.

Let PJ Networks test it for you first.

Businesses often choose to conduct a vulnerability assessment, also called a vulnerability audit or security audit, because they know their security posture needs improvement, but they're not sure where to begin.

We do.

Additionally, some standards, such as PCI and HIPAA, can require Vulnerability Assessments to be performed on an annual or quarterly basis.  We will first identify the most severe issues and recommend solutions for mitigating them, so that the most exploitable weaknesses are quickly locked down.  We will then run a series of deeper-level vulnerability scans to find the less obvious (but still penetrable) weaknesses and document them.  Finally, we will assemble summaries and reports that clearly define which issues still need to be addressed, and present a clear plan for resolving them.

The following list represents techniques and procedures that can be performed during the assessment, depending on your specific environment and needs:

  • Unknown and known asset identification
  • Credentialed or network-based vulnerability discovery
  • Sensitive content auditing
  • Selective re-scan by host, net, sub-net, etc.
  • Authentication weaknesses
  • Botnet/Malicious Process/Anti-virus Auditing
  • Compliance Auditing (FFIEC, FISMA, GLBA, HIPAA, PCI DSS)*

FFIEC = Federal Financial Institutions Examination Council

FISMA = Federal Information Security Management Act

GLBA = Gramm-Leach-Bliley Act also known as the Financial Modernization Act of 1999

PCI DSS = Payment Card Industry Data Security Standard

HIPAA = Health Insurance Portability and Accountability Act of 1996

A Vulnerability Scan is a preconfigured series of automated scans that try to identify and talk to open ports on a network, either from the inside or from the outside, to determine which ports are active and accessible.  The scan then queries those ports to find out how they are configured, what is accessible behind them, and what kind of security has been put in place to protect them.  It is not so much a hostile attack as an active dialogue between the scanning software and the network, to see what responds back and how it responds.

We can even conduct custom-tailored social engineering penetration tests, where one or more members of our team attempt to get employees from a targeted client to divulge information or allow access into the network environment using a number of proven social penetration techniques, such as tailgating, phishing, pretexting or media dropping.  Most security and data breaches happen as a result of the actions of people on the inside of an organization, either intentional or unintentional.  They are a legitimate risk and need to be addressed, just as much as any technology-based weakness or vulnerability.

What kinds of systems should be tested?

  • Network devices:   Servers, workstations, firewalls/routers/switches, printers, storage
  • Network Access Control:  Security policies, Group Policies, User Permissions, Administrative Rights
  • Virtualization:   VMware ESX, ESXi, vSphere, vCenter, Microsoft Hyper-V, Citrix Xen Server
  • Operating systems:   Windows, OS X, Linux, Solaris, FreeBSD, Cisco IOS, IBM iSeries
  • Databases:   Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL, MongoDB
  • Web applications:   Web servers, web services, OWASP vulnerabilities
  • Endpoint Protection:   Antivirus, system firewalls, User Access Control, user permissions  
  • Cloud:   Scans the configuration of cloud applications like Salesforce and cloud instances like AWS and Rackspace

* * * HIPAA, PCI, Meaningful Use and other regulatory compliance audits and assessments are custom-tailored to the needs of each client and their network infrastructure, and therefore require a preliminary consultation in order to properly evaluate the full scope of the project.  * * *  

You Will Find Our Cybersecurity Experts Knowledgeable, Friendly and Easy To Work With.  Guaranteed.


Charlottesville ~ Albemarle ~ Greene ~ Ruckersville ~ Stanardsville ~ Earlysville ~ Madison ~ Orange ~ Harrisonburg ~ Fishersville ~ Staunton ~ Central Virginia
