Application Layer Assessment
AuthN (authentication) and protocol weaknesses
Elevation of privilege
Logging
XSS, XSRF, RI, SQL injection, buffer overflows (BO)
Resource handling
Cryptography
Information disclosure
AuthZ (authorization) bypass
DoS, defacement
Network Layer Assessment
Firewall, IDS and other perimeter controls
Fuzz testing
Standard evaluation against network security best practices
Risk Analysis and Reporting
Risk Analysis
Each vulnerability is evaluated to assess its true risk to the environment.
Risk is reported based on a matrix that weighs the following key factors:
Vulnerability classification (STRIDE, mapped to CIA)
Classification of the affected asset
Probability of exploit
Impact of exploit
All vulnerabilities are given one of the following severity ratings:
Critical: the vulnerability can compromise multiple applications or cross organization boundaries. Immediate mitigation recommended.
High: the vulnerability can compromise the application, with limited cross-organization impact. Priority mitigation recommended.
Medium: best-practice issue; should be fixed in the next version release.
Low: recommended best practice; low priority for mitigation.
Each finding is documented in the report with:
Title
Severity
Explanation of the issue
Explanation of the impact
Real-life attack scenario
Proof-of-concept exploit
Recommendations for remediation
Validation steps
References
Findings summary by severity (Critical, High, Medium, Low).
Acknowledgements
Which of the tested controls are effective.
Breakdown of the controls that effectively guard the environment against the different threat types.
Incremental Reviews
Because of the in-depth analysis performed in the first iteration of the assessment, subsequent updates and changes can be reviewed incrementally using the same approach.
Future Follow-up
Establish future touch points or additional services required in relation to an assessment.
Our Team
V-Empower Security Team (VST) consists of 27 consultants worldwide providing services to Fortune 100 companies.
VST's methodology and services have been adopted by many clients.
VST has been featured in Microsoft's Information Security Newsletter.
Publications
Advances in Forensics
Intro to Exploits Coding
Forensics with Open Source Software
Pen Testing Tools Development
Pen Testing Methodologies
Exploits Coding Techniques
Real Life VulnDev Process of a Win32 Stack Buffer Overflow
Vulnerability Development on Linux and Win32
Elevation of Privileges in Thick Clients
Presentations
Antivirus (In)Security (Black Hat Europe 2007)
Vulnerability Development under Unix and Win32 (CIH2K5, International Hackers Congress 2005)
Introduction to Exploits Coding (InfoSecurity 2004)
Automated Pen testing Tools Development (GCon III)
Project Portfolio
Clients
Testimonials
V-Empower Inc is the preferred Security Vendor for Microsoft.
"… your team is the best in the business." - Todd Kutzke (Director, Microsoft)
"Another nice example of how good a job V-Empower is doing… extend my compliments to your team for the quality of their support and making sure our customers see the value of the services we provide…" - Shawn Veney (Manager, ACE Team, Microsoft)
"Thank you! It's outstanding that we had someone who actually knows about Email." - Yaron Goland (Principal Program Manager, MSN), quoted in relation to a vulnerability.