Identify Threats Before They Attack

The Lighthouse IT Audit and Compliance Group offers four specific Security Assessment services designed to help you identify security vulnerabilities before they are exploited, and plan remedial actions to correct these exposures. Our Security Assessment services help identify threats to your network security infrastructure and processes, including data vulnerabilities, hardware and software vulnerabilities, transmission vulnerabilities, configuration errors, and leakage of sensitive information:

• The Vulnerability Assessment looks at security from the inside, determining specific services and ports that are available on your hosts, and documenting all known attacks to which they may be exposed.

• The Penetration Test looks at your security from the outside, running exploitation tools against hosts within your environment in order to identify possible risks that may be exploited using common hacker methods.

• The Configuration Audit looks at your system component configurations and will determine if they are aligned with industry best practices and regulatory requirements such as: PCI, GLBA, HIPAA, DISA STIGs, NIST, CIS, Microsoft, Red Hat, Solaris, etc.

• The Data Loss Prevention Assessment looks for the presence of sensitive information throughout your network and infrastructure such as: Credit Card Information, Social Security Numbers, Health Care Information, Financial Information, Classified Information, etc.

Look to Lighthouse to help you gain a foothold against the constant threat of IT intrusion. For an initial consultation, please call Lighthouse Computer Services at (888) 542-8030.

 

Vulnerability Assessment
A Vulnerability Assessment identifies technical vulnerabilities in computers and networks, as well as weaknesses in policies and practices related to the operation of these systems. The Vulnerability Assessment identifies what services your hosts are offering, and whether or not the policies and procedures associated with them are in line with industry and company standards for security.

Penetration Testing
As a simulation of a real-world outside attack, Penetration Testing identifies exploitable risks prior to costly damage being inflicted by security incidents. Our Penetration Testing services will:

• Attempt to gain control of the host system.

• Document the steps taken, showing if any attack was successful.

• If an attack was successful, pivot on that system and attempt to attack other host systems on the customer network.

• Attempt to gain control of any production system or extract sensitive data from the environment.

• Provide guidance on how to remediate the issues identified. Document all findings in a final report.


 
Configuration Audit
Regulatory Compliance Requirements can sometimes be cryptic and hard to apply to a robust infrastructure. This service will ensure systems are configured to standard or best practices and in accordance with regulatory requirements.

Data Loss Prevention (DLP) Assessment
While working with sensitive Personally Identifiable Information (PII), it is easy to misplace or mishandle this data and become susceptible to hefty regulatory fines and debilitating business results. Our DLP service will ensure that your organization’s PII is only present where it needs to be and is not leaking or misplaced.


 

Vulnerability Assessment Services

• Identification of applications and services on host devices, DHCP, TFTP, DNS, etc.

• Review of communication protocols active on the system.

• Review of industry sources for notices of known vulnerabilities on host-based operating systems.

• Review of configuration and network diagrams of all network related devices that are exposed on the perimeter of the network.

• Identification of unneeded services on network devices (DHCP, TFTP, DNS, small servers, etc).

• Review of CERT notices for known vulnerabilities of network equipment.

• Recommendations for securing networking devices.

• Documentation of all findings, impact analyses, and recommendations in a final report.

External Vulnerability and Penetration Testing

For a complete and consistent approach, the Lighthouse IT Audit and Compliance Group utilizes industry best practices and methodologies for penetration testing, such as the Open Source Security Testing Methodology Manual (OSSTMM) and National Institute of Standards and Technology (NIST). There are four major phases to the Internet vulnerability and penetration tests:

• Reconnaissance and Information Gathering

• Enumeration

• Vulnerability Scanning

• Attack and Penetrate (Optional)


Internal Vulnerability Assessment

Lighthouse designs its Internal Vulnerability Assessment to find existing vulnerabilities in internal hosts, such as servers, workstations, printers, routers, switches and other network devices and infrastructure components. In addition, Lighthouse will attempt to determine the root causes of the vulnerabilities identified.


Password Cracking/Recovery

The objective of this review is to ensure the target systems have appropriate password requirements in place and that users are creating strong passwords that are not easily enumerated. Online password cracking is possible for certain protocols, such as Telnet, Windows, SSH and HTTP.

Internet Infrastructure Security Assessment


Lighthouse will perform a hands-on assessment of the configuration of your Internet architecture, including:

• Firewall

• Architecture and Design

• DMZ Host Vulnerability Assessment

• Managed Security Services – Service Level Testing


Social Engineering


Lighthouse will also evaluate human weakness, including:

• Phishing

• Dumpster Diving

• Pre-Text Calling

• Baiting (Physical & Logical)


Wireless Security Assessment

Lighthouse will evaluate the configuration of your 802.11x wireless network implementation, including:

• Rogue Access Point Detection

• Ad-hoc Wireless Device Detection

• Wireless Architecture Review

• Wireless Encryption Key Cracking

 


Security Assessment Services Brochure

 

For more information or to schedule a no-cost initial consultation, please contact info@lighthousecs.com or call 888-542-8030 x113.
