Vox OKI

In today’s world of rapidly developing technology it is easy to overlook new threats. Our answer is NEWORDER Group, an Information Security and Ethical Hacking Professional Service that provides in-depth insight into your school’s actual state of security. It verifies whether you have put in place the best security measures to minimise the impact of any and all security risks.

NEWORDER will assist in identifying the risks by performing the required tests to determine your school’s vulnerability.

EXTERNAL VULNERABILITY ASSESSMENT AND PEN-TEST OVERVIEW

The NEWORDER Information Security and Ethical Hacking Professional Services provide a strategic and tactical insight into the School’s real state of security. It verifies whether the “best practices” and appropriate security measures are in place to mitigate and minimise the impact of known and unknown security risks. We assist with the identification of these risks by directly probing and performing Web Application Scanning, Discovery, Vulnerability Assessments, and Exploitation, much like an actual attacker would do.

A Black Box or Blind Pen-test is performed with zero or minimal prior information about the School. Black Box pen-testing simulates an external attacker who only has the School’s Web Application URL. All additional information needed for the test is sourced by the “attacker” using resources such as the School website, scanning, social networking websites, social engineering, DNS records, WHOIS records, etc.

The methodology framework is combined with the external risks that any school is faced with in today’s computer technology environment.

In this Black Box pen-test, we attempt to identify weaknesses in the hosting environment as well as the web applications by using a combination of known and unknown attack vectors. In this Zero-Knowledge pen-test, the security posture of the web application and hosting environment is tested without any valid credentials or privileges; the tester then attempts to obtain credentials and privileges through the various attack methods.

The NEWORDER Pen-Test 2.0 framework is unique to the NEWORDER brand, as it was developed in-house through decades of research, case studies, and hands-on expertise.

There is NO Silver Bullet. Tools do not make software secure! They help scale the process and help enforce the policy. Remember that security is a process, not a product.

While it is tempting to think that a security scanner or application firewall will either provide a multitude of defences or identify a variety of problems, in reality there are no silver bullets to the issue of insecure software. Most importantly, these tools are generic: they are not designed for your custom code, but for applications in general. The effect is that while they can find some general problems, they do not know enough about your custom application to detect most flaws. A combination of industry-leading and custom-developed automated tools is used to perform parts of the external assessment, combined with our unrivalled skillsets, unique methodology, frameworks, and experience.

Some industry-leading automated tools and custom-developed automated tools will be used to perform parts of the external assessment. Most of the evaluation will be performed manually, applying skill based on our unique methodology, frameworks and experience.

An effective Information Security Management initiative can only be built upon a clear understanding of the aims and goals of the business, so that the outcomes can demonstrate benefits to the whole organisation. All too often we see a disconnect between an organisation’s business strategy and the security functions that are in place to support its operations. It appears that the wider business doesn’t fully understand the possible security risks or how these would impact critical services. Consequently, security is simply left out of its strategy.

On top of this, the traditional way in which organisations tend to manage risk against cyber-attacks is to roll out a wide range of technologies and tools. These technologies are often unrelated and therefore not managed holistically. This approach may be effective against specific threats, but it is heavily dependent upon technology and does not allow a business to develop aligned business and security strategies. This disjointed approach also makes it difficult to prioritise investment in Information Security Management, and it is the reason why so many Information Security programmes fail to deliver on the intended benefits: they fail to demonstrate how they support a business’s overarching objectives.

The NEWORDER custom-developed Corporate Threat Protection and Prevention Framework provides an additional layer of capabilities around an organisation’s existing ICT security mechanisms. Perimeter security, network security, endpoint security, application security, and critical business assets are the core areas of the Corporate threat assessment, which will highlight shortfalls within technical configurations, business processes, governance enforcement, and professional skills.

The NEWORDER “Threat Intelligence Cyber Warfare Center” has been designed to operate as a multi-tenant managed security service provider (MSSP), integrating our professional security as a service (SECaaS) model into any organisation’s infrastructure on a subscription-based or SLA-based model. The service offering is specifically focused on organisations that seek to be associated with an industry-recognised Information Security brand to manage Information Security as a whole, so that the organisation can focus on other aspects of emergency response and leave the technology infrastructure to specialised professionals.

The guideline employed during our evaluations is primarily based on the Open Web Application Security Project (OWASP) framework and on internally developed guidelines and frameworks based on years of experience. The following section provides an overview of the OWASP 2017 Top 10 list:

A1 - INJECTION

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.
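As an added illustration of the A1 pattern (this snippet is not part of the original page), the following Python code places a query built by string concatenation beside its parameterised form, using a constructed in-memory SQLite table; the hostile input is the test case a reviewer uses to confirm that the fix holds.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a school portal's learner table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE learners (id INTEGER, name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO learners VALUES (?, ?, ?)",
        [(1, "alice", "7"), (2, "bob", "8"), (3, "carol", "7")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is spliced into the SQL text, so the interpreter cannot
    # tell data from command: exactly the A1 flaw described above.
    sql = "SELECT id FROM learners WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    # The query structure is fixed; the driver binds the value as data only,
    # so the same input is matched literally and never changes the query.
    sql = "SELECT id FROM learners WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed test input used to verify the fix
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterised(conn, benign),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(label, ids)
```

The vulnerable lookup returns every learner for the hostile input, while the parameterised lookup returns nothing, because the quote characters are treated as part of the name rather than as SQL.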

A2 - BROKEN AUTHENTICATION

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

A3 - SENSITIVE DATA EXPOSURE

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

A4 - XML EXTERNAL ENTITIES (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

A5 - BROKEN ACCESS CONTROL

Restrictions on what authenticated users are allowed to do are often not adequately enforced. Attackers can exploit these flaws to access unauthorised functionality and/or data, such as access to other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

A6 - SECURITY MISCONFIGURATION

Security misconfiguration is the most commonly seen issue. This is usually a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

A7 - CROSS-SITE SCRIPTING (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A8 - INSECURE DESERIALIZATION

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.

A10 - INSUFFICIENT LOGGING AND MONITORING

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically identified by external parties rather than internal processes or monitoring.

Checks on vulnerabilities in web applications will include, but are not limited to, the following:

1. UNVALIDATED PARAMETERS

Information from web requests is not validated before being used by a web application. Check for flaws that could lead to an attack on backend components through a web application.

2. BROKEN ACCESS CONTROL

Check to ensure that restrictions on what authenticated users are allowed to do are properly enforced. Check whether these restrictions can be bypassed to access other users’ accounts, view sensitive files, or use unauthorised functions.

3. BROKEN ACCOUNT AND SESSION MANAGEMENT

Ensure that account credentials and session tokens are properly protected.

4. CROSS-SITE SCRIPTING (XSS)

Ensure that the web application cannot be used as a mechanism to transport an attack to an end user’s browser. Check that an end user’s session token cannot be disclosed and that content cannot be spoofed to fool the user.

5. BUFFER OVERFLOWS

Check to ensure that web application components such as CGI scripts, libraries and web application server components properly validate input, so that malformed input cannot cause the system to crash.

6. COMMAND INJECTION FLAWS

Ensure that the web application does not pass unvalidated parameters when it accesses external systems or the local operating system.

7. ERROR HANDLING PROBLEMS

Ensure that the web application does not allow an attacker to cause errors to occur that the web application does not handle.

8. REMOTE ADMINISTRATION FLAWS

Ensure that remote administration functions are protected to prevent an attacker from gaining full access to all aspects of a site.

9. APPLICATION DENIAL OF SERVICE

Ensure that an attacker cannot consume all of the required resources, thereby preventing legitimate users from using the system.

10. INSECURE CONFIGURATION MANAGEMENT

Ensure that web servers, application servers and web application environments are not susceptible to misconfiguration.

Questionnaire

Were you aware these types of threats were out there?

Do you have any information security measures in place at the moment for these types of threats?

What information security measures are you utilising?
Would you be interested in implementing information security measures?

Have you ever performed a Vulnerability Assessment against your school's website and network infrastructure to know your current state of security?

Were you satisfied with the results presented?
Was the testing based on automated tool-sets?
Was manual testing performed?
Was the testing performed based on an annual requirement?
After receiving the results: Did you implement a vulnerability management program that could include the likes of more regular testing?
Would you be interested in an objective re-visit of the program?
Would you be interested to know the true Internet risk exposure of your School?

Have you ever performed a Wireless Assessment to know your current state of security and what mobile threats enter your School environment?

Were you satisfied with the results presented?
Was the testing based on automated tool-sets?
Was manual testing performed?
Was the testing performed based on an annual requirement?
After receiving the results: Did you implement a vulnerability management program that could include the likes of more regular testing?
Would you be interested in an objective re-visit of the program?
Would you be interested to know the true Wireless airspace risk exposure of your School?

Have you ever performed a Simulated Phishing exercise to know which of your users is susceptible to such Phishing attacks that could result in confidential School, Financial and/or Learner/Parent data being breached?

Were you satisfied with the results presented?
Was the testing based on automated tool-sets?
Was manual testing performed?
Was the testing performed based on an annual requirement?
After receiving the results: Did you implement a vulnerability management program that could include the likes of more regular testing?
Would you be interested in an objective re-visit of the program?
Would you be interested to know the true Internet risk exposure of your School?

UTS © 2019 | Created by Prycision