Risk Management and Security Assessments

"Risk comes from not knowing what you're doing." - Warren Buffett

Threat and Risk Assessment (TRA)

AIM has extensive expertise conducting enterprise wide and system specific Threat Risk Assessments (TRAs) and application and web penetration testing. Moreover, our comprehensive TRA methodology will ensure that your application, network, and computing infrastructure are thoroughly scrutinized in order to reduce risk and exposure.

AIM Consulting will follow a TRA methodology based on a simplified and customized version of the CSE-RCMP Harmonized TRA methodology.

Other methodologies and standards that will be used in this engagement include:

In order to conduct the TRA assessment, AIM Consulting uses the following framework:

Technical Vulnerability Assessment and Penetration Testing

AIM has many years of experience conducting network infrastructure, computing layer and application layer vulnerability assessment and penetration testing. Over the past 6 months we have conducted 7 technical vulnerability assessments and penetration testing in health care settings including infrastructure, database, networks, web and mobile application (Mobile Asthma application).

Our Technical Vulnerability Assessment (TVA) and Penetration Testing methodologies are based on aspects of the Open Source Security Testing Methodology Manual (OSSTMM) and Open Web Application Security Project (OWASP) frameworks.  Approaches can include “black box” and “white box” external vulnerability assessments, internal infrastructure and network vulnerability assessments and application vulnerability assessment

We leverage both commercial and open source network and application scanning tools and commonly known hacking techniques in an attempt to identify security vulnerabilities against the target environments and applications.

Infrastructure and Network Level Assessment

This type of testing is aimed at identifying vulnerabilities at network and base operating system level and will be performed from the following perspectives:

  1. External attacker. Someone attempting to perform malicious activities from an external connection (e.g. the Internet).
  2. Internal attacker. Someone having compromised external boundaries (either by hacking into the internal / DMZ environment or by having physically gained access to the premises) and attempting to perform malicious activities from within.

Network level assessments are performed using the following high level methodology:

The methodology applied to network level assessments is similar to the widely accepted OSSTMM (Open Source Security Testing Methodology Manual).

There are multiple checks under each of the category mentioned above.

Web application vulnerability and Penetration assessments

Penetration Testing of Applications is a hybrid security test that aims to uncover security vulnerabilities at the application layer. Popular types of vulnerabilities discovered include SQL injection, XSS and CSRF vulnerabilities. This type of test has a high manual component, approximately 70%, and the testers build custom threat profiles to discover contextual security vulnerabilities that are specific to the application.

Application level assessments are categorized into two distinct classes:

  1. Web application assessments. Those that are presented through a browser by a web server. Our methodology for assessing web applications is closely aligned to industry accepted OWASP (Open Web Application Security Project).
  2. Thick client server applications. Those that present some sort of application through installation or execution.

Both types of assessments will follow the following high level methodology:

Application assessments are commonly performed from the perspective of one or more of the following scenarios:

  1. No knowledge. Commonly referred to as black box testing, this simulates an attacker without any knowledge of the application or its associated environment.
  2. Some knowledge. Commonly referred to as grey box testing, here we simulate an attacker with some knowledge (perhaps an application user, and / or someone with knowledge about how the application works).
  3. Full knowledge. Using a white box testing approach, this simulates an attacker with full knowledge about the application, associated environment, and with access to the source code (perhaps a disgruntled application developer).

Manual Source Code Review Methodology

Our hybrid approach to code reviews blends automated tools with human intelligence. We use proprietary scripts that can be customized and extended for each application.

The benefits of the hybrid approach include:

Information Security Health Check

We have assisted organizations understand how information security threats translated to business risk, develop accreditation frameworks and to assess the organization’s readiness to face today’s threats. The security health check provides a comprehensive and customizable tool to assess and enterprise security program. It is attainable tool that will evaluate critical elements of your information security including:

Get Started Now.

Contact us >