The vulnerability assessment was performed in two stages. The first stage consisted of penetration testing and an external assessment. The purpose of this assessment is to identify external threats to internal systems and resources. Knowing little more than the company name, GEOBRIDGE began the process of discovering the identities of critical systems, mapping the ports and services on those systems, enumerating them, and using various strategies to intrude upon those systems.
The second, and more telling, stage was the internal assessment. The purpose of this stage is to identify internal threats by determining how much information an internal resource can obtain on restricted or highly sensitive systems. GEOBRIDGE connected to the client’s network but was given no permissions or rights within the network. With only a network connection, GEOBRIDGE gained access to as many workstations and critical servers as possible throughout the network. Once completed, the security configurations on a representative sample of operational servers, firewalls, routers, modem pools, and switches were reviewed.
The final result was a report back to the client outlining the tests performed, detailed results, and recommendations for eliminating the vulnerabilities. While the client had done a good job of protecting their systems against external threats, there were a number of internal vulnerabilities that needed to be addressed prior to any audit. GEOBRIDGE assisted the customer in identifying some simple fixes, such as implementing a strong password policy, to help reduce these risks, and also provided long-term recommendations. The client was able to use the information provided by GEOBRIDGE to ensure that their systems are adequately protected and in compliance with Sarbanes-Oxley prior to their internal audit.