Approach & Methodology
Network Penetration Test
Our Network Security Assessments are executed based on the following methodology, which follows industry security best practices and standards such as ISO 27001:
Step 1 - Network Surveying: Identify domain names, server names, IP addresses, network map and ISP/ASP information.
Step 2 - Port Scanning: Identify IP addresses of live systems, internal network addressing, tunneled & encapsulated protocols, routing protocols and active services.
Step 3 - Vulnerability Scanning & Service Identification: Identify system type, system enumeration, OS type & patch level, service types and service application types & patch level. Identify possible vulnerabilities, list of secured vs. unsecured areas, list of internal or DMZ systems, list of mail servers and naming conventions.
Step 4 - Verification & Exploitation: Identify the list of actual vulnerabilities (excluding false positives) and attempt to gain complete control by performing commonly known exploits*.
* Due to the disruptive nature of certain exploits, consent will first be obtained from JPN before performing these exploits.
© 2021 Nexagate Sdn Bhd. All Rights Reserved.
Web Application Penetration Test
OBJECTIVES
Ascertain the susceptibility of web applications to unauthorized access attempts via manipulation of their functionality and programming logic.
KEY ACTIVITIES
Web Application Penetration Testing shall be carried out from an “entry point” perspective, i.e. from the point of end-user access (public internet/Intranet gateway), based on a 3-step methodology:
1. Web Services Identification
2. Application Vulnerability Test
3. Exploit test and verification
EXPECTED RESULTS
Identify vulnerable web applications and the respective application-specific vulnerabilities.
Our Web Application Penetration Test is executed in 3 phases:
Phase 1 - Web Services Identification
Web services identification is the process of connecting to TCP or UDP ports on the target application to determine what type of web services are running or in a LISTENING state. The objectives of identifying the web services are:
• To identify both TCP and UDP web services running on the target system (HTTPS, HTTP)
• To identify the type of applications running on the target system
• To identify specific applications or versions of a particular platform
Also, a best guess would be derived from the application banners obtained.
Phase 2 - Application Vulnerability Test and Findings
Upon identification of the possible applications and services running, the following checks are performed:
• Perform checks to identify possible applications currently running
• Perform vulnerability assessment to identify possible application vulnerabilities
• Perform checks to identify risky services/daemons executed by the applications
Phase 3 - Exploit Test and Verification
Customized scripts and potential exploits will be executed on the agreed schedule date and time. Based on the identified vulnerabilities, the list of selected customized scripts would be enabled according to the test scope.
We will advise on any precautions which the user may need to take before a test is performed. Generally, no precautions need to be taken, as we do not perform destructive testing. However, we advise that application data be backed up regularly and the backups tested.
The security assessment includes checks for application security issues which cover, but are not limited to, the following:
1. Input Validation
Information from web requests must be validated before being used by an application. Independently of client-side validation using JavaScript or otherwise, the parameters must also be validated at the server end.
2. Authentication and Session Management
Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.
3. Authorization
Access control, sometimes called authorization, is how an application grants access to content and functions to some users and not others. These checks are performed after authentication and govern what “authorized” users are allowed to do.
4. Exception Management
Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed.
5. Configuration Management
This examines how effectively the administration interfaces & sensitive configuration data are secured, if the application provides an administration interface that allows it to be configured.
6. Sensitive Data
Most applications have a need to store sensitive information, either in a database or on a file system somewhere. The information might be passwords, credit card numbers, account records, or proprietary information. Frequently, encryption techniques are used to protect this sensitive information.
7. Cryptography
The web service consumer’s identity shall be validated before being allowed to invoke a web service. The web service consumer shall also validate the identity of the vendor’s application.
8. Canonicalization, Locale and Unicode
Ensuring the application is robust when subjected to encoded, internationalized and Unicode input.
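Added example (not from the proposal or Nexagate's own tooling) showing, in Python, what checks 1, 4 and 8 above look for on the server side: repeated percent-decoding and Unicode normalisation before an allow-list check, and an error handler that logs the exception but returns only a generic message. The `file` parameter, the storage callback and the allow-list pattern are assumptions made for illustration.

```python
"""Added example (not from the Nexagate proposal): a minimal server-side input
gate showing what checks 1 (Input Validation), 4 (Exception Management) and
8 (Canonicalization, Locale and Unicode) look for. The 'file' parameter and
the storage callback are assumptions made for illustration."""
import logging
import re
import unicodedata
import uuid
from urllib.parse import unquote

log = logging.getLogger("appsec-demo")

MAX_DECODE_ROUNDS = 3
# Allow-list: a plain file name, no separators, at most 64 characters.
_SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


class ValidationError(ValueError):
    """Raised when a request parameter fails server-side validation."""


def canonicalize(value: str) -> str:
    """Reduce an attacker-controlled string to one canonical form *before*
    any allow-list check runs, so encoded variants cannot slip past it."""
    # Step 1: percent-decode repeatedly ('%252e' -> '%2e' -> '.'), but reject
    # input that is still changing after MAX_DECODE_ROUNDS; nothing a browser
    # sends legitimately is triple-encoded.
    decoded = value
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValidationError("input still encoded after %d rounds" % MAX_DECODE_ROUNDS)
    # Step 2: Unicode compatibility normalisation, so a fullwidth '.' (U+FF0E)
    # or '/' (U+FF0F) becomes the ASCII '.' or '/' that the next checks expect.
    normalized = unicodedata.normalize("NFKC", decoded)
    # Step 3: reject control, format and unassigned code points (NUL, RTL override, ...).
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        raise ValidationError("control or unassigned character in input")
    return normalized


def validate_filename(raw: str) -> str:
    """Server-side validation of a 'download this file' parameter (check 1),
    performed regardless of what the browser-side JavaScript already did."""
    canon = canonicalize(raw)
    if "/" in canon or "\\" in canon or ".." in canon:
        raise ValidationError("path separator or traversal sequence")
    if not _SAFE_FILENAME.match(canon):
        raise ValidationError("file name outside the allowed character set")
    return canon


def is_valid_filename(raw: str) -> bool:
    """True if validate_filename accepts the input, False if it rejects it."""
    try:
        validate_filename(raw)
        return True
    except ValidationError:
        return False


def _default_store(name: str) -> bytes:
    # Stand-in for the real file store (assumption for the example).
    return b"contents of " + name.encode()


def handle_request(params: dict, store=_default_store) -> dict:
    """Request handler illustrating check 4: the client only ever sees a
    generic message; exception text and stack trace go to the server log,
    tied to the response by a random correlation id."""
    try:
        name = validate_filename(params.get("file", ""))
        body = store(name)
        return {"status": 200, "file": name, "length": len(body)}
    except ValidationError as exc:
        log.warning("rejected input %r: %s", params.get("file"), exc)
        return {"status": 400, "error": "invalid request"}
    except Exception:  # last-resort handler: details go to the log only
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error, ref=%s", ref)
        return {"status": 500, "error": "internal error", "ref": ref}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for sample in ("report.pdf", "%252e%252e%252fetc%252fpasswd",
                   "\uff0e\uff0e\uff0fetc\uff0fpasswd", "notes%00.txt"):
        print(repr(sample), "->", handle_request({"file": sample}))
```

The double-encoded, fullwidth and NUL-byte samples are constructed inputs; each is rejected only because canonicalization runs before the allow-list check.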
Host Assessment (Operating Systems)
OBJECTIVES
Ascertain how robust the systems are to a direct frontal break-in attempt.
KEY ACTIVITIES
The Host Assessment is performed at System Level - it focuses on the security configuration of the Operating System (Windows, Linux, etc.).
Phase 1: Review system security configurations
Phase 2: Recommend improvements
EXPECTED RESULTS
List of non-compliant security configurations based on best practices.
The Host Assessment seeks to ascertain how robust the systems are to a direct frontal break-in attempt. This is a risk scenario in which all perimeter defenses have already been breached, and the only barrier between the attacker and the information residing on the system is the state of its hardening.
The objective of this exercise is to audit the security configuration of the servers to find possible weaknesses or evident vulnerabilities, which could be exploited either “in isolation” or “in correlation” with others (for example application-layer vulnerabilities). The Host Assessment focuses on the security configuration of the Operating System of the servers (Windows, Linux, etc.).
Host Assessment (Network/Security Devices)
OBJECTIVES
Perform a review of the security configurations of network devices.
KEY ACTIVITIES
Targets network devices located within the same LAN.
1. Review system security configurations, End-of-Life (EOL) status, current version, firewall rules, etc.
2. Recommend improvements
EXPECTED RESULTS
List of security configuration vulnerabilities with recommendations.
We will perform selective testing of devices such as routers, firewalls and IDS/IPS. The objective of these tests is to verify/validate that the devices are functioning according to their configured security settings.
1. Router testing
• Verify the router type with information collected from intelligence gathering
• Verify if the router is providing network address translation (NAT) and port address translation (PAT)
• Verify the penetration from strategically determined packet TTL settings.
2. Firewall testing
• Verify the viability of SYN stealth scanning through the firewall for enumeration
• Measure the use of scanning with specific source ports through the firewall for enumeration
• Measure the ability of the firewall to handle overlapped fragments and tiny fragments
• Ability to manage an ongoing series of SYN packets, response to packets with the RST flag set, and management of standard UDP packets
• Verify Access Control policy
3. IPS/IDS testing
• Verify IPS/IDS type with information collected
• Test signature sensitivity
• Verify and test IDS/IPS capability based on various approaches.
Host Assessment (Database)
OBJECTIVES
Ascertain how robust the systems are to a direct frontal break-in attempt.
KEY ACTIVITIES
Focuses on the security configuration of the Database.
Phase 1: Review database security configurations
Phase 2: Recommend improvements
EXPECTED RESULTS
List of non-compliant security configurations based on best practices.
Database Security Assessment
The Database Security Assessment seeks to ascertain how robust the Database is to a direct frontal break-in attempt. This is a risk scenario whereby an attacker is already in the internal network and the only barrier preventing him from accessing sensitive data in the database is the state of its hardening, i.e. how securely the Database has been configured.
During this exercise our consultants will audit the security configuration of the database to find possible weaknesses or evident vulnerabilities due to misconfiguration or default/weak settings. The audit is performed using a combination of automated tools and manual checks.
The Database configuration checks include:
• User Account Setup and Privileges
• Access Controls
• Database Organization/Schema
• Audit Policy & Logging Settings
• Default configuration and setup
The Database Security Assessment can be performed on any kind of database including MSSQL, MySQL, Oracle, Sybase and even Informix.
Application Performance Test
OBJECTIVES
Provide a strategic assessment to evaluate the overall level of application and system responsiveness, throughput, reliability and scalability under various given workload levels. It is also meant to help establish the performance acceptance criteria for application service delivery.
KEY ACTIVITIES
1. Identify the Test Environment
2. Identify the Performance Acceptance Criteria
3. Plan and Design the Tests
4. Configure and Test the Test Environment
5. Execute the Test
EXPECTED RESULTS
Remediation actions and recommendations with the intention of providing incremental improvements to overall application service delivery.
Load Test
The most common purpose of Application Load Tests is to determine the Application’s behavior under both normal and anticipated peak load conditions.
We will start with a small number of virtual users and then incrementally increase the load from normal to peak. We will then observe how the application performs during this gradually increasing load condition. Eventually, we will cross a threshold limit of our performance acceptance criteria.
The following steps are involved in our load-testing process:
Step 1 - Identify performance acceptance criteria
Step 2 - Identify key scenarios
Step 3 - Create a workload model
Step 4 - Identify the target load levels
Step 5 - Identify metrics
Step 6 - Design specific tests
Step 7 - Run tests
Step 8 - Analyze the results
Stress Test
Stress testing is a type of performance testing focused on determining an application’s robustness, availability and reliability
under extreme conditions. With application stress testing, we are likely to uncover defects related to data locking and blocking,
network congestion, and performance bottlenecks on different components or methods across the entire application. It is also
common to find defects related to race conditions and general memory leaks from shared code or components.
The objective of stress testing is to identify application issues that arise or become apparent only under extreme conditions.
These conditions can include heavy loads, high concurrency, or limited computational resources. Proper stress testing is useful
in finding synchronization and timing bugs, interlock problems, priority problems, and resource loss bugs.
The idea is to stress a system to the breaking point in order to find bugs that will make that break potentially harmful. The
tested system is not expected to process the overload without adequate resources, but to behave (e.g., fail) in an acceptable
manner (e.g., not corrupting or losing data).
The following steps are involved in our stress-testing process:
Step 1 - Identify objective
Step 2 - Identify key scenarios
Step 3 - Identify workload
Step 4 - Identify metrics
Step 5 - Create test case
Step 6 - Simulate load
Step 7 - Analyze the result
Both tests will be performed in a stand-alone environment (i.e. a test environment) to eliminate any external contributing factors (such as network congestion) in order to obtain accurate results. The application load test and stress test can be further customized for close simulation of the actual user environment, such as:
i. Simulation of real user activities
ii. Different user behaviour in one test
iii. Testing of the dynamic response of the web application
iv. Load level definition
v. Testing of HTTPS sites with SSL content
vi. Support for different platforms and technologies
3.4 Post-Assessment Phase
Analysis & Reporting
OBJECTIVES
Document assessment findings and the respective recommendations.
KEY ACTIVITIES
Security Posture Assessment reports are divided according to the following:
1. Executive Summary
2. Summary of Findings
3. Detail Findings
Each finding documented in the SPA reports is assigned a risk rating of High, Medium, Low or Informational. Also, as part of the SPA Key Performance Indicator (KPI), each finding shall also be referenced to the relevant ISO/IEC 27001 Annex A controls.
EXPECTED RESULTS
Set of reports based on the respective SPA activity.
After successfully completing all assessment activities, findings and recommendations will be documented in a Security Posture Assessment report, which is divided according to the following:
1. Executive Summary
This section contains a high-level write-up of the project, the findings presented using graphical charts, and a summarized conclusion intended for top management.
2. Summary of Findings
A table summarizing the findings is included to provide an umbrella view of the findings and for ease of reference, intended for mid management or Managers.
3. Detail Findings
The Detail Findings section includes details of the finding itself, the risk impact and the consultant’s recommendation. As the purpose of this section is to assist the working level with the remediation/mitigation activities, step-by-step instructions as well as screenshots are also included.
* Please refer to Sample Reports in Section 20 of the Technical Proposal.
Approach & Methodology
Analysis & Reporting
Each finding documented in the SPA reports is assigned a risk rating. The risk rating is classified as Critical, High, Medium, or Low. These are explained in the table below:
CRITICAL (should be addressed immediately; imminent threat to affected system(s))
Critical risk level findings are the highest priority problems. These represent vulnerabilities that, if successfully exploited, would lead to code execution, privilege escalation, or full system and network compromise. Other types of vulnerabilities rated at the Critical risk level include (but are not limited to):
• Buffer Overflows
• Format String Attacks
• Default Login Credentials
• Known Backdoors
• Misconfigurations
A fairly large number of worms (e.g. Sasser, Code Red, Nimda) and other malware were known to take advantage of these types of vulnerabilities to propagate and cause disruptions.
HIGH (immediate attention is recommended)
High risk level findings are vulnerabilities that may provide attackers with remote access to specific information stored on the host, including security settings and the file system. Examples of high-risk level findings include: read and/or write capabilities on the file system, partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, susceptibility to denial of service (DoS) attacks, vulnerabilities that jeopardize the integrity of the system, and unauthorized use of services (for example, mail relaying).
MEDIUM (inspection is recommended)
Medium risk level findings are vulnerabilities that may expose some sensitive information from the host, such as precise versions of services, or vulnerabilities that may be exploited only under certain conditions, such as the use of an insecure protocol. With this information, attackers could research potential attacks to try against the host.
LOW (informative; minimal action needed)
Low risk level findings are not vulnerabilities; instead they are information such as running services and open ports which may be in use by the system. It is suggested that low risk level findings always be monitored and secured through IDS and firewall configuration.
Sample of Findings
Hardening Workshop
OBJECTIVES
Assist & manage mitigation measures based on assessment recommendations.
KEY ACTIVITIES
Mitigation/hardening recommendations shall be documented in the SPA reports. Additionally, Nexagate will assist and guide the client (and their respective vendors) on how to perform the mitigation and hardening exercise.
As a value-added service, the hardening status of affected resources will be monitored and tracked using our own Remediation Ticketing System.
• Presentation & discussion of SPA findings with system vendors and system administrators
• Monitoring & tracking of hardening status through the use of "Remediation Ticketing System"
EXPECTED RESULTS
Workshops will be scheduled per information system and shall be attended by the respective administrator and vendor.
Post Review
OBJECTIVES
Verify mitigation status (Open/Close) of all findings discovered.
KEY ACTIVITIES
A final sweeping audit of all information systems in which vulnerabilities were found and for which rectification recommendations were issued.
Note:
• As auditors, the same Nexagate consultants cannot be involved in direct rectification activities, to preserve independence and objectivity.
• Post Review Testing takes place after JHEKS has rectified the findings as per Nexagate's recommendations.
• The Post Review Testing shall take place ONLY upon notification by JHEKS of readiness to commence the review.
EXPECTED RESULTS
Respective reports are updated with the mitigation status of all findings discovered.
3.5 Security Testing Tools