"Risk comes from not knowing what you're doing." - Warren Buffett
AIM has extensive expertise conducting enterprise-wide and system-specific Threat Risk Assessments (TRAs) as well as application and web penetration testing. Our comprehensive TRA methodology ensures that your applications, networks, and computing infrastructure are thoroughly scrutinized in order to reduce risk and exposure.
AIM Consulting will follow a TRA methodology based on a simplified and customized version of the CSE-RCMP Harmonized TRA methodology.
Other methodologies and standards that will be used in this engagement include:
In order to conduct the TRA, AIM Consulting uses the following framework:
AIM has many years of experience conducting vulnerability assessments and penetration tests at the network infrastructure, computing and application layers. Over the past 6 months we have conducted 7 technical vulnerability assessments and penetration tests in health care settings, covering infrastructure, databases, networks, and web and mobile applications (including a mobile asthma application).
Our Technical Vulnerability Assessment (TVA) and Penetration Testing methodologies are based on aspects of the Open Source Security Testing Methodology Manual (OSSTMM) and Open Web Application Security Project (OWASP) frameworks. Approaches can include “black box” and “white box” external vulnerability assessments, internal infrastructure and network vulnerability assessments, and application vulnerability assessments.
We leverage both commercial and open source network and application scanning tools, together with commonly known attack techniques, to identify security vulnerabilities in the target environments and applications.
This type of testing is aimed at identifying vulnerabilities at the network and base operating system level and is performed from the following perspectives:
Network level assessments are performed using the following high level methodology:
The methodology applied to network level assessments is similar to the widely accepted OSSTMM (Open Source Security Testing Methodology Manual).
There are multiple checks under each of the categories mentioned above.
Penetration Testing of Applications is a hybrid security test that aims to uncover security vulnerabilities at the application layer. Common types of vulnerabilities discovered include SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). This type of test has a high manual component, approximately 70%: the testers build custom threat profiles for the application in order to discover contextual security vulnerabilities that automated scanners miss because they are specific to how that application is built and used.
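To make the SQL injection class concrete, here is an added example (not AIM's code and not from the original page) showing the kind of login query a tester probes, the manual probes used against it, and the parameterized form that closes the hole. The table schema, the `login_*` functions and the probe strings are assumptions constructed for the demonstration; it uses only Python's standard-library `sqlite3` and runs offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a single known user (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so quotes and
    comment markers in the input become part of the query's grammar."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Hardened form: placeholders keep the input as data; the driver never
    lets it alter the statement structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def probe(login):
    """Run the manual probes a tester would try against a login function and
    report which ones are accepted. Only 'valid' should ever be True."""
    conn = make_db()
    return {
        "valid": login(conn, "alice", "correct horse"),
        "wrong_password": login(conn, "alice", "nope"),
        # Tautology: closes the password literal and appends OR '1'='1'
        "tautology": login(conn, "alice", "' OR '1'='1"),
        # Comment: terminates the username literal and comments out the password check
        "comment": login(conn, "alice' --", "anything"),
    }


def probe_error(login):
    """Error-based detection: a lone quote in the input breaks the vulnerable
    query and surfaces a database error; the fixed query treats it as data.
    Returns the error message, or None when the input was handled safely."""
    conn = make_db()
    try:
        login(conn, "o'brien", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, probe(fn), "error:", probe_error(fn))
```

Running the block shows the vulnerable login accepting the tautology and comment payloads and leaking a syntax error on the stray quote, while the parameterized version rejects both payloads and handles the quote silently; the stray-quote probe is the first thing a tester sends, because an error message is the earliest signal that input reaches the query text unescaped.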
Application level assessments are categorized into two distinct classes:
Both classes of assessment follow the same high-level methodology:
Application assessments are commonly performed from the perspective of one or more of the following scenarios:
Our hybrid approach to code reviews blends automated tools with manual expert review. We use proprietary scripts that can be customized and extended for each application.
The benefits of the hybrid approach include:
We have helped organizations understand how information security threats translate into business risk, develop accreditation frameworks, and assess their readiness to face today's threats. The security health check is a comprehensive, customizable tool for assessing an enterprise security program. It is a practical tool that evaluates critical elements of your information security, including: