You provide the defense, we will take care of the offense.

 

Phishing Attack Emulation

Phishing is an email-based social engineering technique employed by attackers to exploit employees of an organization and steal sensitive data that may facilitate unauthorized access to company resources. Intrepidus Group consultants have often been called upon to emulate such an attack against a representative sample of an organization's employee population, as a means of baselining user awareness. Such exercises are an engaging and highly effective way of educating employees about phishing attacks and of raising their general security awareness.

Intrepidus Group first designs several phishing scenarios applicable to the organization. After a scenario is approved, Intrepidus Group develops the supporting email content and the phishing website. The email is then sent to a list of employees provided by the customer. Responses are collected by the phishing website, which can be controlled either by the organization's staff or by Intrepidus Group consultants. After the phishing email is sent, consultants generate meaningful statistics from the responses, such as how many recipients followed the link and how many went on to submit data.

Spear Phishing Attack Emulation

Spear phishing is a more targeted form of phishing, in which attackers customize the phishing emails and the collection website for a small group of employees. Our staff has assisted organizations in emulating such attacks in order to evaluate how vulnerable a particular subset of employees is to social engineering. The service is similar to the phishing attack emulation, except that the phishing scenario has a narrower focus. Intrepidus Group can tailor the sophistication of the attack to the goal of the engagement: a basic assessment may entail a phishing email with a link to a phishing site, while an advanced attack may attach harmless, faux-malicious code that passes through email filters and, when opened, attempts an outbound network connection from the victim's machine to Intrepidus Group controlled resources.
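The outbound-connection check in the advanced scenario above, as an added example (not Intrepidus Group code): a harmless beacon that does nothing but report which recipient opened the attachment and from which host, together with the collection server it reports to. How the code is delivered and how it gets past email filters is outside the example. The callback path /b, the parameters t and h and the token format are assumptions of the example, and both sides run on the loopback interface so it can be executed offline.

```python
"""Harmless call-home beacon for an authorized spear-phishing exercise, with the
collection side it reports to (added example, not Intrepidus Group code)."""
import json
import platform
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

RECEIVED = []   # what the consultant-controlled collection server has recorded


class BeaconHandler(BaseHTTPRequestHandler):
    """Records who called home. It returns 204 No Content on purpose: the payload must
    receive nothing it could execute, so the exercise stays a measurement."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        if url.path != "/b":                       # hypothetical callback path
            self.send_error(404)
            return
        params = dict(urllib.parse.parse_qsl(url.query))
        RECEIVED.append({"token": params.get("t"), "host": params.get("h"),
                         "source": self.client_address[0]})
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):                  # keep the demo quiet
        pass


def start_collector():
    """Serve the collector on a loopback port chosen by the OS, in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), BeaconHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def beacon(collector_url, token, timeout=3):
    """The payload's entire behaviour: one outbound GET carrying a per-recipient token
    (hypothetical format) and the hostname, so the consultant can tell which recipient
    opened the attachment and from which machine. Returns True when the callback got through."""
    query = urllib.parse.urlencode({"t": token, "h": platform.node()})
    try:
        with urllib.request.urlopen(f"{collector_url}/b?{query}", timeout=timeout) as resp:
            return resp.status == 204
    except OSError:
        return False   # egress blocked or host unreachable: worth noting, not an error


def run_demo(token="r-0042"):
    """Both sides in one process: returns (callback succeeded, collector records)."""
    srv = start_collector()
    try:
        return beacon(f"http://127.0.0.1:{srv.server_port}", token), list(RECEIVED)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    ok, seen = run_demo()
    print("callback succeeded:", ok)
    print(json.dumps(seen, indent=2))
```

A callback that never arrives is itself a data point: it means egress filtering or the mail gateway stopped the attachment, which is worth recording separately from recipients who simply did not open it.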

Telephonic Impersonation

Another technique commonly used by social engineers is telephonic impersonation, in which attackers posing as trusted insiders establish telephone contact with their victims. These attacks are often more successful than stand-alone spear phishing, as they allow a glib talker to win the confidence of employees before requesting sensitive data.

Intrepidus Group consultants have performed numerous ethical telephonic impersonation exercises. These consist of telephone calls to extract part of the data (e.g. email addresses), followed by an email-based follow-up to obtain the remaining information. To improve realism, Intrepidus Group can spoof caller-ID information so that calls appear to originate from internal numbers or remote offices.

Web Application Penetration Testing

Our consultants have performed security assessments of numerous web applications, ranging from critical financial applications to flagship retail applications. In addition, our consultants have presented worldwide on web application security at renowned security conferences such as “Black Hat” and “Hack In The Box”. They have also developed and delivered courses on this topic, tailored to application architects and developers in the commercial world, and to students at universities such as Carnegie Mellon and the University of Wisconsin. Our methodology is a distillation of these experiences, our extensive research in the area, and the OWASP guidelines.

A typical web application assessment consists of two primary phases: pre-authentication and post-authentication testing. The former evaluates the security posture of the application as seen by an anonymous, malicious Internet user. The primary focus of this phase is the security of the underlying infrastructure and of the authentication mechanisms, which are the first line of defense against unauthenticated access. The second phase constitutes the majority of the assessment and includes testing for input validation flaws such as XSS and SQL injection, and testing the authorization and entitlement controls implemented by the application to thwart horizontal and vertical privilege escalation attacks.
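The findings named above (SQL injection in the login form, and horizontal and vertical privilege escalation past it), shown as an added example rather than code from any assessed application: each vulnerable handler is followed by its hardened form, against a small constructed SQLite database. The table layout, user names and invoice data are made up for the example.

```python
"""Input validation and authorization flaws as found in web application assessments,
each beside its hardened form (added example, not Intrepidus Group code)."""
import sqlite3


def make_db():
    """Constructed application database. Passwords are stored in clear only to keep the
    example short; a real application stores salted hashes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, owner INTEGER, amount INTEGER);
        INSERT INTO users VALUES (1, 'alice', 's3cret', 'user'),
                                 (2, 'bob', 'hunter2', 'user'),
                                 (3, 'carol', 'pw', 'admin');
        INSERT INTO invoices VALUES (10, 1, 500), (11, 2, 75), (12, 2, 900);
    """)
    return db


# Pre-authentication: SQL injection in the login form -------------------------------
def login_vulnerable(db, name, pw):
    """Query built by string concatenation. name="carol' --" comments out the password
    check and returns the admin's id without knowing her password."""
    sql = f"SELECT id FROM users WHERE name='{name}' AND pw='{pw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, name, pw):
    """Parameterised query: the input is bound as data and can never change the SQL."""
    row = db.execute("SELECT id FROM users WHERE name=? AND pw=?", (name, pw)).fetchone()
    return row[0] if row else None


# Post-authentication: horizontal privilege escalation ------------------------------
def get_invoice_vulnerable(db, session_user, invoice_id):
    """Trusts the client-supplied invoice id: any logged-in user can read any invoice."""
    return db.execute("SELECT amount FROM invoices WHERE id=?", (invoice_id,)).fetchone()


def get_invoice_fixed(db, session_user, invoice_id):
    """The entitlement check is part of the query: the row must belong to the session user."""
    return db.execute("SELECT amount FROM invoices WHERE id=? AND owner=?",
                      (invoice_id, session_user)).fetchone()


# Post-authentication: vertical privilege escalation --------------------------------
def delete_user_vulnerable(db, request):
    """The role is read from the request (a hidden form field or cookie the client
    controls), so any user who sets role=admin reaches an admin-only action."""
    if request.get("role") != "admin":
        return False
    db.execute("DELETE FROM users WHERE id=?", (request["target"],))
    return True


def delete_user_fixed(db, session_user, target_id):
    """The role is looked up server-side from the authenticated identity."""
    row = db.execute("SELECT role FROM users WHERE id=?", (session_user,)).fetchone()
    if row is None or row[0] != "admin":
        return False
    db.execute("DELETE FROM users WHERE id=?", (target_id,))
    return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as admin:", login_vulnerable(db, "carol' --", "wrong"))
    print("fixed login, same input:", login_fixed(db, "carol' --", "wrong"))
    print("alice reads bob's invoice (vulnerable):", get_invoice_vulnerable(db, 1, 11))
    print("alice reads bob's invoice (fixed):", get_invoice_fixed(db, 1, 11))
    print("alice deletes bob with a forged role:",
          delete_user_vulnerable(db, {"user": 1, "role": "admin", "target": 2}))
```

The two authorization fixes share one principle: the identity and role used for the decision come from the server-side session, and the ownership condition lives in the same query that fetches the data, so there is no window in which an unchecked row is returned.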

Mobile Application Security Assessment

The burgeoning wireless data subscriber base has caused attackers to focus their attention on mobile platforms such as BREW, SmartPhone, and Windows Mobile 5. Intrepidus Group has extensive experience in testing the security of mobile applications built on these platforms, and has developed the skills needed to reverse engineer wireless protocols, review debugging output from handheld devices, proxy WAP traffic, and analyze and modify mobile handset configurations.

Using this knowledge, Intrepidus Group can assess mobile application security in a similar manner to traditional web applications, while being mindful of the challenges that SMS, BREW, and WAP present.

Threat Modeling

Threat modeling is a structured approach to uncovering and evaluating risks to system and application security. It entails analyzing the subject from an adversary's standpoint, quantifying the risks associated with viable threats, and devising countermeasures to mitigate them. Our threat modeling approach is a practical adaptation of Microsoft's STRIDE and DREAD models. The process includes a comprehensive analysis of all use-case scenarios, and of the corresponding data flows through the system or application, to identify threats. The threats are then classified by their potential impact on the business and their ease of exploitation. This exercise facilitates the development of security test cases and the prioritization of remediation activities for identified vulnerabilities.

Source Code Security Analysis

The purpose of source code security analysis is to identify the design flaws and implementation bugs that may render the application vulnerable to compromise. The first step is a threat analysis of the application, to identify its data flows and critical sections of code. Armed with the threat model, we prioritize the threat vectors by criticality and probability of exploitation. The consultants then use a combination of automated tools and manual inspection to find the security flaws in the application's source code that correspond to the high-priority threat vectors. Automated tools and custom scripts are used primarily to identify language-specific semantic bugs (such as unsafe library calls). The manual inspection phase focuses on high-risk design and logic flaws, including insecure encryption of database secrets, insufficient data validation, insecure session management, and broken authentication and authorization controls.

Our consultants are capable of reviewing the security of applications written in C, C++, Java, C#, VB, and PHP. In addition, they are intimately familiar with development platforms like .NET and J2EE and supporting frameworks like Struts, Hibernate, and Spring.
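One of the custom scripts from the automated phase described above, as an added example (not Intrepidus Group tooling): it flags language-specific unsafe calls in C and PHP source, and blanks comments and string literals first so that a strcpy() mentioned in a comment is not reported. The rule table and both source samples are constructed for illustration and are far from exhaustive.

```python
"""Custom-script pass of a source code review: flag language-specific unsafe calls in C and
PHP, ignoring mentions inside comments and string literals (added example, not Intrepidus
Group tooling)."""
import re

# Constructed rule table: regex -> (severity, why it is reported). Deliberately small; a
# real pass has many more rules and a manual triage step behind it.
RULES = {
    "c": [
        (r"\b(strcpy|strcat|sprintf|gets)\s*\(", "high", "unbounded copy into a fixed buffer"),
        (r"\bsystem\s*\(", "high", "shell command; confirm the argument is not attacker-controlled"),
    ],
    "php": [
        (r"\b(eval|exec|shell_exec|passthru)\s*\(", "high", "code or shell execution"),
        (r"\bmysql_query\s*\(.*\$", "medium", "query built from interpolated variables"),
    ],
}

# Comments and string literals per language; both are blanked before matching.
NOISE = {
    "c": re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S),
    "php": re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/|\"(?:\\.|[^\"\\\n])*\"|'(?:\\.|[^'\\\n])*'", re.S),
}


def blank_noise(src, lang):
    """Replace comments and strings with spaces, keeping newlines so reported line numbers
    stay correct. Without this step, strcpy() mentioned in a comment is a false positive."""
    return NOISE[lang].sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src, lang):
    """[(line, severity, matched text, why)] for every rule hit, in source order."""
    findings = []
    for line_no, line in enumerate(blank_noise(src, lang).splitlines(), start=1):
        for pattern, severity, why in RULES[lang]:
            for m in re.finditer(pattern, line):
                findings.append((line_no, severity, m.group(0), why))
    return findings


# Constructed samples: lines 2 and 3 of the C file and line 2 of the PHP file are decoys.
SAMPLE_C = """\
#include <string.h>
/* strcpy() is unsafe, but a mention in a comment must not be reported */
static const char *msg = "never call gets() here";
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}
void run(const char *cmd) { system(cmd); }
"""

SAMPLE_PHP = """\
<?php
// shell_exec("id") in this comment is ignored
$q = "SELECT * FROM users WHERE name='" . $_GET['name'] . "'";
$r = mysql_query($q);
echo shell_exec("ls " . $_GET['dir']);
"""

if __name__ == "__main__":
    for lang, src in (("c", SAMPLE_C), ("php", SAMPLE_PHP)):
        for line_no, severity, text, why in scan(src, lang):
            print(f"{lang}:{line_no}: [{severity}] {text.strip()}  # {why}")
```

Every hit still needs a human to decide whether the argument is attacker-controlled; the script's job is to make sure none of the candidates are missed and that the reviewer's time is not spent on comments and string constants.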

Network Security

Penetration Testing

Intrepidus Group consultants have performed Internet security assessments for numerous organizations, spanning the financial, telecommunications, healthcare, education, manufacturing, research, and retail industries. In addition, our consultants have contributed to books on this topic, including Osborne's Hack Notes – Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions.

Over the years, our methodology has evolved to encompass the latest threats, and now includes:

   Network Range Discovery
   Host and Service Discovery
   Vulnerability Identification
   Manual Testing and Verification
   Unauthenticated Web Vulnerability Testing

The purpose of such a test is to identify vulnerabilities in an organization's network and systems, demonstrate and classify their impact on the business, provide detailed technology-specific remediation advice, and test the effectiveness of incident detection mechanisms.
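The host and service discovery step listed above, reduced to its core as an added example (not Intrepidus Group tooling): a TCP connect scan that also grabs the banner of services that speak first. The three targets (a service announcing an SSH-style banner, a silent listener, and a closed port) are constructed on the loopback interface so the scan runs offline; the banner string is made up.

```python
"""Host and service discovery against a small target set: TCP connect scan with a
banner grab (added example, not Intrepidus Group tooling)."""
import socket
import threading


def serve_banner(banner, wait=2.0):
    """Constructed target service on a loopback port. A server-speaks-first service sends
    its banner on connect; a silent one (banner=b"") waits for the client instead.
    Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle_one():
        conn, _ = srv.accept()
        conn.settimeout(wait)
        try:
            if banner:
                conn.sendall(banner)
            else:
                conn.recv(1)          # waits for a client request that never comes
        except socket.timeout:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=handle_one, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A port with nothing listening, so the scan also shows a 'closed' result."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """Connect, then give the service a moment to speak first (SSH, SMTP and FTP do).
    Returns (state, banner). An open port with an empty banner means the service expects
    the client to talk first (HTTP, for instance); a protocol-specific probe resolves that."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            return "open", data.decode("ascii", "replace").strip()
    except OSError:                   # refused, unreachable, or connect timed out
        return "closed", ""


def scan(host, ports):
    """[(port, state, banner)] in port order."""
    return [(port, *probe(host, port)) for port in sorted(ports)]


def demo():
    """Three constructed targets: a banner-announcing service, a silent listener, a closed port."""
    targets = {"ssh-like": serve_banner(b"SSH-2.0-OpenSSH_4.3\r\n"),   # made-up banner
               "silent": serve_banner(b""),
               "closed": free_port()}
    return scan("127.0.0.1", targets.values()), targets


if __name__ == "__main__":
    results, targets = demo()
    for port, state, banner in results:
        print(f"{port:5d}/tcp {state:6s} {banner}")
```

Across a real range the same probe is run concurrently and its output feeds the vulnerability identification step; the banner is the first hint of product and version, but it is only a hint, since banners can be edited and are a common place for defenders to plant decoys.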

Wireless Network Assessments

Wireless networks are a convenient and economical means for organizations to provide last-hop access to their employees. However, because of the nature of the wireless medium, security staff face the unique challenge of securing a network with no real physical boundary. Intrepidus Group helps organizations address this challenge through comprehensive assessments of the wireless network that include:

   Architecture and access point configuration review
   Wireless client configuration review
   Attack and penetration
   Wireless event alerting and response review
   Rogue access point discovery and location

Server/Device Configuration Reviews

A deep technical review of the configurations of critical devices and servers on the network provides an accurate evaluation of an organization's IT security posture. Intrepidus Group uses a combination of commercial tools, custom scripts, and manual checks to review the configurations of routers, firewalls, web servers, database servers, and access points connected to the corporate network.
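A configuration review of the kind described above, as an added example (not Intrepidus Group tooling): an sshd_config checked against a small baseline. The baseline values and the defaults assumed for absent directives are the example's own assumptions, and both configurations are constructed. The weak one shows a trap worth knowing about: sshd honours the first occurrence of a directive, so hardening lines appended below a weak setting change nothing, and a review that reads the file the way the daemon does catches that.

```python
"""Configuration review as a script: check an sshd_config against a baseline (added
example, not Intrepidus Group tooling)."""

# Baseline: directive -> (expected value, value sshd assumes when the directive is absent).
# Both columns are this example's assumptions, chosen to resemble OpenSSH 4.x-era servers;
# adjust them to the policy and server version actually under review.
BASELINE = {
    "protocol": ("2", "2,1"),
    "permitrootlogin": ("no", "yes"),
    "passwordauthentication": ("no", "yes"),
    "permitemptypasswords": ("no", "no"),
    "x11forwarding": ("no", "no"),
}


def parse_sshd_config(text):
    """Return {directive: value} with lowercase directive names.
    Two sshd behaviours matter for a review and are mirrored here: the FIRST occurrence of
    a directive wins, so a hardened line appended below a weak one changes nothing; and
    everything after a Match line applies only to matching connections, so it is not taken
    as the global setting."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip())     # setdefault: first occurrence wins
    return conf


def review(text):
    """[(directive, effective value, expected value)] for every baseline violation."""
    conf = parse_sshd_config(text)
    findings = []
    for directive, (expected, default) in BASELINE.items():
        effective = conf.get(directive, default)
        if effective.lower().replace(" ", "") != expected:
            findings.append((directive, effective, expected))
    return findings


WEAK_CONFIG = """\
# Constructed sshd_config as it might be found on a reviewed host
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# Appended later by a well-meaning administrator; sshd ignores both duplicates
PermitRootLogin no
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = review(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, effective, expected in findings:
            print(f"  {directive}: is '{effective}', expected '{expected}'")
```

The same shape (parse the file the way the product parses it, then compare effective values against a baseline) carries over to router and firewall configurations, where the order-dependence of access-list entries makes a naive grep even less reliable.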

Network Architecture Review

Whether the task is designing a new network, extending an existing network to partners, or completely re-engineering an existing one, Intrepidus Group can assist network engineers in ensuring that security requirements, both those imposed by applicable regulations and those regarded as industry leading practice, are given due consideration. Commonly covered security mechanisms include end-to-end encryption, network segmentation, and network-based access control. A well-designed network is fundamental to an organization's overall security.

War Dialing

Rogue devices on a corporate network, such as modems, can severely undermine the overall security posture of an organization. Such devices are often installed by employees and contractors as a means of convenient or emergency remote access to internal resources. Even today, modems are regularly discovered connected to core routers, storage area network controllers, HVAC control systems, and datacenter power management devices. They are often left in their out-of-the-box configuration and give external attackers a viable means of entry into the internal network, which is an enormous cause for concern. Intrepidus Group assists organizations in addressing this threat by sweeping their telephone number ranges to identify and fingerprint modems. The identified devices are then assessed for insecure configurations and weak passwords.

 

Strategic Services

Offshore Security Management

Offshoring software development has obvious cost benefits. However, this IT dream often turns into a security nightmare when the software is delivered with security vulnerabilities or malicious backdoors, or, worse, is stolen. These outcomes are attributable to:

   The lack of appropriate security metrics in the service level agreements (SLAs) between the two parties
   An SDLC that is not geared to build secure software
   Offshore developers who are unaware of security threats and the corresponding countermeasures
   Lax security controls at the offshore centers that facilitate code theft

Our consultants can help an organization alleviate these risks by acting as the security liaison between the company and the offshore development centers. Our diverse ethnic backgrounds and extensive application security experience are ideally suited to addressing this issue.

User Awareness Program Development

As technological security controls protecting critical IT resources have continued to mature, attackers have shifted their focus back to end users. This shift has resulted in a rise in social engineering attacks in the form of spear phishing and telephonic impersonation. To thwart the successful execution of such attacks against the employee population, it is critical that organizations establish an effective user awareness program. Intrepidus Group can assist organizations in this endeavor by:

   Conducting a baseline user awareness assessment
   Developing poster and email campaigns
   Delivering training sessions that include real-world case studies
   Establishing a user awareness assessment platform that includes an internal “phishing” server and scripts to send phishing emails and collect necessary statistics on a periodic basis

Our user awareness programs have produced significant improvements in user awareness levels, for example a 55% drop in the success rate of phishing attacks over a period of 6 months at a large Fortune 500 company.
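The response statistics referred to in the Phishing Attack Emulation section and in the assessment platform item above, worked through as an added example (not Intrepidus Group code). The recipient list, the hit-log format with one token per recipient and the two campaigns are constructed for illustration. The script counts each recipient at most once per outcome, discards hits whose token is not on the recipient list, breaks the result down by department, and reports the relative drop in success rate between a baseline and a follow-up campaign, which is the figure a program like the one above is measured by.

```python
"""Statistics for a phishing-emulation campaign (added example, not Intrepidus Group code)."""
from collections import defaultdict

# Constructed recipient list, as supplied by the customer. Each recipient gets a unique
# token that is embedded in the link in their copy of the email (hypothetical format).
RECIPIENTS = """\
campaign,token,department
baseline,a1,finance
baseline,a2,finance
baseline,a3,finance
baseline,a4,hr
baseline,a5,hr
baseline,a6,it
baseline,a7,it
baseline,a8,it
followup,b1,finance
followup,b2,finance
followup,b3,finance
followup,b4,hr
followup,b5,hr
followup,b6,it
followup,b7,it
followup,b8,it
"""

# Constructed hit log from the phishing website: one line per request to the landing
# page ("click") or per form post ("submit"), keyed by the token in the link.
HITS = """\
2007-03-05T09:01:12 a1 click
2007-03-05T09:01:40 a1 submit
2007-03-05T09:01:41 a1 submit   # the same user, double-clicking the form
2007-03-05T09:02:03 a2 click
2007-03-05T09:03:17 a3 click
2007-03-05T09:03:50 a3 submit
2007-03-05T09:05:22 a4 click
2007-03-05T09:05:49 a4 submit
2007-03-05T09:07:01 a6 click
2007-03-05T09:07:30 a6 submit
2007-03-05T09:09:14 a7 click
2007-03-05T09:11:00 zz click   # token not on the list: a forwarded mail or a scanner
2007-09-10T10:00:05 b1 click
2007-09-10T10:00:44 b2 click
2007-09-10T10:01:10 b2 submit
2007-09-10T10:02:38 b4 click
2007-09-10T10:03:02 b5 click
2007-09-10T10:03:31 b5 submit
2007-09-10T10:06:12 b7 click
"""


def parse_recipients(text):
    """{campaign: {token: department}} from the customer-supplied list (header skipped)."""
    out = defaultdict(dict)
    for line in text.strip().splitlines()[1:]:
        campaign, token, dept = line.split(",")
        out[campaign][token] = dept
    return dict(out)


def parse_hits(text):
    """[(timestamp, token, event)] from the phishing site's hit log."""
    hits = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()      # the constructed log carries comments
        if line:
            ts, token, event = line.split()
            hits.append((ts, token, event))
    return hits


def summarize(recipients, hits):
    """Per-campaign counts and rates. Each recipient counts at most once per outcome, so
    a user who posts the form three times is one 'submit'. Tokens not on the recipient
    list are ignored rather than inflating the numbers."""
    token_to_campaign = {t: c for c, toks in recipients.items() for t in toks}
    clicked, submitted = defaultdict(set), defaultdict(set)
    for _ts, token, event in hits:
        campaign = token_to_campaign.get(token)
        if campaign is None:
            continue
        clicked[campaign].add(token)              # reaching the page at all is a click
        if event == "submit":
            submitted[campaign].add(token)
    summary = {}
    for campaign, toks in recipients.items():
        delivered = len(toks)
        by_dept = defaultdict(lambda: [0, 0])    # department -> [delivered, submitted]
        for token, dept in toks.items():
            by_dept[dept][0] += 1
            if token in submitted[campaign]:
                by_dept[dept][1] += 1
        summary[campaign] = {
            "delivered": delivered,
            "clicked": len(clicked[campaign]),
            "submitted": len(submitted[campaign]),
            "click_rate": len(clicked[campaign]) / delivered,
            "submit_rate": len(submitted[campaign]) / delivered,
            "submit_rate_by_dept": {d: s / n for d, (n, s) in by_dept.items()},
        }
    return summary


def relative_drop(summary, before, after, metric="submit_rate"):
    """Fractional reduction of a metric between two campaigns (0.5 means a 50% drop)."""
    b, a = summary[before][metric], summary[after][metric]
    return (b - a) / b


if __name__ == "__main__":
    s = summarize(parse_recipients(RECIPIENTS), parse_hits(HITS))
    for name, row in s.items():
        print(f"{name}: {row['clicked']}/{row['delivered']} clicked, "
              f"{row['submitted']}/{row['delivered']} submitted ({row['submit_rate']:.0%})")
    print(f"drop in success rate: {relative_drop(s, 'baseline', 'followup'):.0%}")
```

Reporting the rate per recipient rather than per hit matters for the trend figure: a handful of users who reload the page repeatedly can otherwise make a campaign look several times worse than it was.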

Software Development Lifecycle Security Review

Empirical studies have shown that the cost of fixing a software security flaw rises steeply with every later stage of the SDLC. Thus, addressing a flaw at design time is significantly more cost effective than doing so after development. Intrepidus Group assists organizations in adapting their SDLC to include security activities at the appropriate stages, while minimizing the impact of the changes on development time.

Our consultants have helped both large Fortune 500 companies with a mature SDLC and small development teams following a rapid application development (RAD) paradigm to infuse security into their processes.

ISO Support

Information Security Officers (ISOs) face the colossal task of keeping the organization's risk at an acceptable level. This entails making the people, process, and technology domains work in concert towards a common goal. Intrepidus Group can assist organizations in achieving their strategic goals by:

   Assisting in the development of an information security program that satisfies regulatory obligations and aligns with business goals
   Evaluating the current state of an existing information security program, by assessing the security controls around essential technologies, and reviewing the efficacy of the overarching security management processes
   Recommending practical security enhancements that operate within budgetary constraints
   Developing a roadmap to implement the recommended enhancements prioritized by their impact on company brand, regulatory posture and their support for business growth

Our consultants have engaged with large, geographically distributed organizations to align their security programs with the goals of the business and to guard against compliance failures. Our strong managerial backgrounds lend themselves to a holistic view of the security program, while our technical expertise allows us to home in on the specific areas that need improvement.

Board Room Security

Board room activities rely on information technology now more than ever. The simple act of preparing the printed materials for a board meeting can expose the most sensitive business decisions; yet board room security is rarely under the security department's charter.

A simple misconfiguration of the audio-visual equipment in an executive board room can have grave implications. Intrepidus Group consultants have discovered open wireless networks, set up by audio-visual contractors, that gave complete control of the video and teleconference equipment; an attacker could have listened to and watched board meetings from the parking lot.

Intrepidus Group offers a range of practical risk assessments and process improvement services that can dramatically improve the security and confidentiality of board room activities.

 
 
Copyright 2007 | Intrepidus Group, Inc.