IRM PLC
Technical Security Consulting

Security Testing

The core of IRM's technical services has been built around a comprehensive and skilled security testing consulting practice.

IRM conducts many different types of security tests and is convinced of the value of testing across the entire IT environment - people, policies, processes, technical infrastructure and application technology. IRM's assessment philosophy assumes that behind all information security crime or fraud there is a human element and motivation.

IRM performs Open Source Intelligence gathering to examine information leakage from any organisation which an attacker may target to exploit loopholes in technology.

Security tests are designed to meet particular client requirements, and the IRM testing team have experience working both as ad-hoc security testers and within more formal frameworks such as functional or site acceptance testing against formally defined test scripts.

Security testing may be carried out without any knowledge of the organisation's culture, structure or technology - commonly called a black-box test. Such tests can be useful to provide an easily explainable view of the risk an organisation faces from an unquantified threat.

However, in the IRM testing team's experience, most clients get more value from the testing process by providing full details to the team, in what is known as a full knowledge investigation, and the team recommends this approach. Full knowledge testing is of most value when targeted against specific routes of attack such as Internet connections, wireless connectivity or even customer-facing applications.

In fact, by spending some time in advance attempting to quantify the most likely threats faced by an organisation, the IRM team is able to provide scenario-based security testing, where the testing team works within the characteristics of a defined threat such as a rogue administrator, a disgruntled employee or even an opportunistic attacker with physical access to an organisation's premises. This can include an IRM consultant posing as a new employee or contractor for a set period of time and identifying what level of exposure an organisation has internally by default.

IRM's assessments at the application layer ensure that the security of commercial off-the-shelf or bespoke products is to a suitable standard. IRM has performed assessments on many applications including: online web-based banking systems, airport operating systems, gambling sites and back office IT systems.

All of IRM's assessments are carried out manually and without relying on the use of automated vulnerability assessment tools. This ensures a thorough and effective investigation of specific targets following a strict methodology. Assessments which are carried out manually and intuitively by skilled information security experts will comprehensively mirror the risks an organisation realistically faces from a dedicated and motivated hacker.

IRM's assessors are CESG CHECK approved; this means that they are sufficiently skilled to test government platforms and systems of critical national importance. All IRM penetration testing and architecture reviews utilise the CVE mechanism for reporting vulnerability information.

Common security testing services provided by IRM include:

  • Black-Box Testing or Full Knowledge Testing
  • Specific Attack-Simulation Testing:
    • Internal Network Testing
    • Internet Connection Testing
    • Public Telephone System Testing
    • Wireless and Radio Testing
    • Application Security Testing
  • Open Source Intelligence Gathering
  • Social Engineering
  • Physical Site Security Testing
  • Scenario-Based Testing:
    • Unrestricted physical access to company networks
    • Disgruntled employees
    • Rogue administrators
    • Stolen Remote Access Devices (Laptops, PDAs, Phones)

The IRM consulting team testing methodology can be fine-tuned to meet client requirements and is available to clients for review.
 
8th Floor Kings Building, Smith Square, London, SW1P 3JJ
Tel: +44 (0)20 7808 6420 Fax: +44 (0)20 7808 6421 Email: enquiries@irmplc.com
Copyright © 2008 IRM Plc.