Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

V-Empower Services And Solutions


Published on

Published in: Technology
  • Be the first to comment

V-Empower Services And Solutions

  1. 1. Security Services and Solutions Enabling Secure Business
  2. 2. <ul><li>Mission: </li></ul><ul><ul><li>To provide state-of-the-art security solutions and services to customers employing in-depth research, comprehensive analysis and knowledge share. </li></ul></ul><ul><li>Vision: </li></ul><ul><ul><ul><ul><li>To produce innovative security products and provide superior consulting services for enabling secure computing and business. </li></ul></ul></ul></ul>Introduction
  3. 3. <ul><li>V-Empower is global solutions and services company established 2000 </li></ul><ul><ul><li>North America: </li></ul></ul><ul><ul><ul><li>Bowie, Maryland USA </li></ul></ul></ul><ul><ul><ul><li>Seattle, Washington USA </li></ul></ul></ul><ul><ul><ul><li>Los Angeles, California USA </li></ul></ul></ul><ul><ul><ul><li>Maple, Ontario Canada </li></ul></ul></ul><ul><ul><li>Europe: </li></ul></ul><ul><ul><ul><li>London, United Kingdom </li></ul></ul></ul><ul><ul><li>Asia Pacific </li></ul></ul><ul><ul><ul><li>Beijing, China </li></ul></ul></ul><ul><ul><li>South East Asia </li></ul></ul><ul><ul><ul><li>Hyderabad, India </li></ul></ul></ul>Company Profile
  4. 4. Company Profile <ul><li>V-Empower saw a 206 % increase in revenue in 2006 </li></ul><ul><li>Our security team consists of highly talented industry experts </li></ul><ul><li>Providers of security services and solutions to the worlds largest software company </li></ul>
  5. 5. Services Infrastructure Security <ul><li>Penetration Testing Network Infrastructure </li></ul><ul><li>Configuration Review of Infrastructure Devices </li></ul><ul><li>Design and Deploy Secure Infrastructure Solutions </li></ul>Application Security <ul><li>Black Box Assessments (Penetration Testing) </li></ul><ul><li>White Box Assessments (Detailed Code Reviews) </li></ul><ul><li>Threat Analysis and Modeling </li></ul><ul><li>Security Research and Development </li></ul>Security Program Development <ul><li>Resource Integration </li></ul><ul><li>Integrating Security into Systems Development Lifecycle (SDLC) </li></ul><ul><li>Security Policy and Standards Development </li></ul><ul><li>Security Program Analysis </li></ul>Training Services <ul><li>Secure Application Development </li></ul><ul><li>Application Source Code Auditing </li></ul><ul><li>Threat Analysis and Modeling </li></ul><ul><li>Application Security Awareness </li></ul>
  6. 6. Comprehensive Penetration Services <ul><li>Typical Penetration Tests consist of arbitrary approaches </li></ul>
  7. 7. Comprehensive Penetration Services <ul><li>Systematic Approach </li></ul><ul><li>Comprehensive Services </li></ul><ul><li>Environment Specific </li></ul><ul><li>Threat Evaluation </li></ul><ul><li>Assets Driven Assessment </li></ul><ul><li>Vulnerability Analysis </li></ul><ul><li>Comprehensive Reporting </li></ul><ul><li>Recommendations and Validation </li></ul>
  8. 8. Comprehensive Penetration Services <ul><li>Assurance on effective controls </li></ul>
  9. 9. Systematic Approach
  10. 10. Design And Architecture Review <ul><li>Background Analysis (Business Functionality) </li></ul><ul><li>Design Documentation (Architecture Diagram) </li></ul><ul><li>Asset Identification (Data Flow Diagrams) </li></ul><ul><li>Review Design and Architecture </li></ul>
  11. 11. Threat Analysis and Modeling <ul><li>Review Threat Models </li></ul><ul><li>Environment Decomposition </li></ul><ul><li>Asset Identification (Data, Functionality, etc) </li></ul><ul><li>Operating Procedures Identification (Use Cases) </li></ul><ul><li>Threat Identification (Based on Assets and Operations) </li></ul>
  12. 12. Comprehensive Assessment
  13. 13. Comprehensive Assessment Identify Technologies Involved
  14. 14. Host Assessment Default Configs Protocols Access Control Default Configs Services Patches
  15. 15. Application Layer Assessment AuthN Protocol Elevation of Privileges Logging XSS, XRSF, RI, SQL Injection, BO Resources Cryptography Information D AuthZ Bypass DOS, Deface
  16. 16. Network Layer Assessment Firewall, IDS, etc Perimeter Cntrls Fuzz Testing Standard Eval Network Security Best Practices.
  17. 17. Risk Analysis and Reporting <ul><li>Risk Analysis </li></ul><ul><ul><ul><li>Evaluation of each vulnerability to assess true risk to an environment. </li></ul></ul></ul><ul><ul><ul><li>Risk is reported based on a matrix which evaluates the following keys factors </li></ul></ul></ul><ul><ul><ul><ul><li>Vulnerability classification (STRIDE - CIA) </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Classification of Asset </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Probability of Exploit </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Impact of Exploit </li></ul></ul></ul></ul>
  18. 18. Risk Analysis and Reporting <ul><li>All vulnerabilities are given the following Severity Ratings: </li></ul>
  19. 19. Severity Ratings <ul><li>Critical : Impact of vulnerability can compromise multiple applications/across organization boundaries. Recommend immediate mitigation. </li></ul><ul><li>High : Impact of vulnerability can compromise application with limited cross organization impact. Recommend priority in mitigation. </li></ul><ul><li>Medium : Best Practice & should be fixed with in next version release. </li></ul><ul><li>Low : Recommended best practice with low priority for mitigation. </li></ul>
  20. 20. Risk Analysis and Reporting <ul><li>Title </li></ul><ul><li>Severity </li></ul><ul><li>Explanation of Issue </li></ul><ul><li>Explanation of Impact </li></ul><ul><ul><ul><li>Real life attack scenario </li></ul></ul></ul><ul><li>Proof of concept exploit </li></ul><ul><li>Recommendations for Remediation </li></ul><ul><li>Validation Steps </li></ul><ul><li>References </li></ul>
  21. 21. Analysis and Reporting <ul><li>Critical </li></ul><ul><li>High </li></ul><ul><li>Medium </li></ul><ul><li>Low </li></ul>
  22. 22. Acknowledgements <ul><li>What controls are effective which were tested. </li></ul><ul><ul><li>Break down of the controls which effectively guard the environment against different threat types. </li></ul></ul>
  23. 23. Incremental Reviews <ul><li>Due to the in-dept Analysis performed at the first iteration of the assessment, any update and changes can be reviewed incrementally following the same approach. </li></ul>
  24. 24. Future Follow-up <ul><li>Establish future touch points or additional services required in relation to an assessment. </li></ul>
  25. 25. Our Team <ul><li>V-Empower Security Team (VST) consist of 27 consultants world wide providing services to Fortune 100 companies </li></ul><ul><li>VST’s methodology and services have been incorporated by many clients </li></ul><ul><li>VST’s has been featured in Microsoft’s Information Security Newsletter </li></ul>
  26. 26. <ul><li>Publications </li></ul><ul><ul><li>Advances in Forensics </li></ul></ul><ul><ul><li>Intro to Exploits Coding </li></ul></ul><ul><ul><li>Forensics with Open Source Software </li></ul></ul><ul><ul><li>Pen Testing Tools Development </li></ul></ul><ul><ul><li>Pen Testing Methodologies </li></ul></ul><ul><ul><li>Exploits Coding Techniques </li></ul></ul><ul><ul><li>Real Life VulnDev Process of a Win32 Stack Buffer Overflow </li></ul></ul><ul><ul><li>Vulnerability Development on Linux and Win32 </li></ul></ul><ul><ul><li>Elevation of Privileges in Thick Clients </li></ul></ul><ul><li>Presentations </li></ul><ul><ul><li>Antivirus (In)Security (Black Hat Europe 2007) </li></ul></ul><ul><ul><li>Vulnerability Development under Unix and Win32 (CIH2K5, International Hackers Congress 2005) </li></ul></ul><ul><ul><li>Introduction to Exploits Coding (InfoSecurity 2004) </li></ul></ul><ul><ul><li>Automated Pen testing Tools Development (GCon III) </li></ul></ul>Project Portfolio
  27. 27. Clients
  28. 28. Testimonials V-Empower Inc is the preferred Security Vendor for Microsoft. Testimonials … your team is the best in the business. - Todd Kutzke ( Director , Microsoft) Another nice example of how good a job V-Empower is doing….extend my compliments to your team for the quality of their support and making sure our customers see the value of the services we provide… - Shawn Veney ( Manager , ACE Team, Microsoft) Thank you! It’s outstanding that we had someone who actually knows about Email.   - Yaron Goland ( PRINCIPAL PROGRAM MANAGER , MSN) “ Quoted in relation to a vulnerability.”
  29. 29. Future Value Add to Wamu <ul><li>Methodology Knowledge Share </li></ul><ul><li>Resource Augmentation </li></ul><ul><li>Off shore development </li></ul><ul><li>Code Reviews </li></ul><ul><li>General Security Consulting </li></ul>