Frequently Asked Questions
Auditing with passion! -- We attest to your diligence™

   What are the top reasons to select ADDSecure.Net Inc. to conduct your network security audit?
   What is ADDSecure.Net™ Audit?
   What is included in ADDSecure.Net™ Security Audit?
   What is included in SNAPShot™ Security Review?
   Do you test for everything?
   How much does it cost?
   Why should I audit my server, Internet and intranet for potential security problems?
   Why should I use an independent team from outside my organization to conduct a security audit?
   My vendor's Web site specifies to visitors that transactions are secure and describes the site's security procedures. Can I trust the vendor based on such information?
   If we pass an audit, does it guarantee that our system is impenetrable?
   What is the best way to convince our skeptical executives to implement adequate security solutions?
   Our organization only uses ICSA-certified firewalls and proxy servers. Is it sufficient to ensure security of our Net and Web site?
   Shouldn't we buy a probe and do audits ourselves?
   What kind of report is produced?
   Is a security audit a one-time event?
   Does an ADDSecure.Net™ Audit mean we will have to invest in new hardware or software?
   Is your audit just a way to sell us a pile of expensive security "goodies"?
   What happens if my organization fails a security audit?
   How thorough is your test?  What tools do you use?
   Do you check for NT server vulnerabilities? Win 95? Unix? Linux?
   Will your audit disrupt our services or destroy data on the machines being audited?
   What guarantee do you have that our vulnerability list will not be made available to non-privileged people?
   Will we sign a non-disclosure agreement?
   Do you have a subscription service?
   Are you people hiring hackers?
   Should we hire real hackers or ex-hackers to check our corporate defenses?
   What is to prevent someone else from ordering an ADDSecure.Net™ Audit on my server, and then using the knowledge from the results to attack or break into my environment?
   What happens if I order an ADDSecure.Net™ Audit and my server is housed on my other premises?

ADDSecure.Net™ Audit


Q.   

What are the top reasons to select ADDSecure.Net Inc. to conduct your network security audit?

A.   

Unlike many competing firms, ADDSecure.Net Inc. is an independent provider of security auditing services and operates at arm's length from any provider of security solutions. Hence, we do not conduct your audit in order to convince you to buy expensive security equipment and services. Being truly impartial, ADDSecure.Net Inc. exposes the most serious problems that can easily be exploited by hackers, rather than trying to scare the client into unnecessary purchases of expensive "security" solutions. Security audit is our only business and we do it professionally -- fast and right, producing easy-to-understand audit reports. Ask our competitors about their intentions to conduct follow-up "solution" sales to your company, and your choice will become clear.


Q.   

What is ADDSecure.Net™ Audit?

A.   

ADDSecure.Net™ Audit is a security auditing service that probes the integrity of corporate networks and servers, including Web and email servers. The service is being offered world-wide to corporations, government agencies and financial institutions that must maintain sensitive data on their Web sites.  ADDSecure.Net™ Audit encompasses a range of Internet network and server audit and testing services.  The program is powerful enough to satisfy the strenuous demands of leading government organizations, banks and private corporations, yet it can meet the budget requirements of even small firms.

Our goal is to make clients aware of their security problems, and then let them make business decisions based on a balance of cost, operational necessity and security requirements. We do not provide recommendations for correcting problems because many different approaches can be used to derive a sensible solution. An appropriate course of action always requires a complete understanding of corporate business goals, available resources, security policies and practices, and application alternatives. Getting our clients to accept that a vulnerability exists is a very significant step in their commitment to derive a solution.


Q.   

What is included in ADDSecure.Net™ Security Audit?

A.   

ADDSecure.Net™ Audit consists of several hundred thousand remote tests conducted by our team of dedicated network security professionals. The tests include:

  Probing of all tcp/udp/icmp ports for active services;
  tcp/udp/icmp service-specific attacks;
  Application-specific attacks;
  Operating-system-specific attacks;
  Denial-of-service attacks;
  Verification of Domain Registration Records;
  Domain Name Service (DNS) security test;
  Fully Qualified Domain Name (forward and reverse) validation;
  A complete Report containing references to the accumulated results and detected vulnerability areas.

Comprehensive tests are conducted using powerful Internet auditing tools developed by ADDSecure.Net Inc., as well as commercial probes optimized for the operational environment used by service clients. The tests take several hours and we typically produce a report within 72 hours of test completion.


Q.   

What is included in SNAPShot™ Security Review?

A.   

SNAPShot™ Security Review consists of a set of remote tests designed to detect the most common vulnerabilities, conducted by our team of dedicated network security professionals. The tests include:

  Probing of all tcp/udp/icmp ports for active services;
  Verification of Domain Registration Records;
  Domain Name Service (DNS) security test;
  Fully Qualified Domain Name (forward and reverse) validation;
  An Executive Memo containing references to the accumulated results and detected vulnerability areas.

Tests are conducted using powerful Internet auditing tools developed by ADDSecure.Net Inc., as well as commercial probes optimized for the operational environment used by service clients.
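The "Fully Qualified Domain Name (forward and reverse) validation" item in both the full Audit and the SNAPShot™ review lists amounts to a forward-confirmed reverse DNS check. The following is an added example written for this page, not ADDSecure.Net's own tooling: it runs over constructed in-memory A and PTR records so it works offline, and the two lookup functions are the place to substitute live resolver calls.

```python
from dataclasses import dataclass

# Constructed sample zone data (not real hosts): forward A records and reverse PTR records.
FORWARD: dict = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "ftp.example.test": ["192.0.2.30"],   # its PTR names a host with no forward record
    "old.example.test": ["192.0.2.40"],   # no PTR record at all
    "cdn.example.test": ["192.0.2.60"],   # PTR names an alias that does resolve back
    "edge.example.test": ["192.0.2.60"],
}
REVERSE: dict = {
    "192.0.2.10": "www.example.test",
    "192.0.2.20": "mail.example.test",
    "192.0.2.30": "other.example.test",
    "192.0.2.50": "ghost.example.test",   # stale PTR: no forward record exists
    "192.0.2.60": "edge.example.test",
}

def normalize(name: str) -> str:
    """DNS names are case-insensitive; absolute names carry a trailing dot."""
    return name.rstrip(".").lower()

def lookup_a(name: str) -> list:
    """Forward lookup; swap in socket.gethostbyname_ex(name)[2] for live DNS."""
    return FORWARD.get(normalize(name), [])

def lookup_ptr(ip: str) -> "str | None":
    """Reverse lookup; swap in socket.gethostbyaddr(ip)[0] (catch socket.herror) for live DNS."""
    return REVERSE.get(ip)

@dataclass
class Finding:
    fqdn: str
    ip: str
    status: str  # ok | alias | unconfirmed | no-ptr | no-forward

def check_fqdn(fqdn: str) -> list:
    """Forward-confirmed reverse DNS: for every address the name resolves to, the
    PTR must name a host whose own forward lookup includes that address."""
    fqdn = normalize(fqdn)
    addrs = lookup_a(fqdn)
    if not addrs:
        return [Finding(fqdn, "", "no-forward")]
    findings = []
    for ip in addrs:
        ptr = lookup_ptr(ip)
        if ptr is None:
            status = "no-ptr"        # reverse zone missing, undelegated or unpopulated
        elif ip not in lookup_a(ptr):
            status = "unconfirmed"   # PTR name does not resolve back to this address
        elif normalize(ptr) != fqdn:
            status = "alias"         # consistent, but the reverse name differs
        else:
            status = "ok"
        findings.append(Finding(fqdn, ip, status))
    return findings

def check_reverse(ip: str) -> str:
    """Reverse-side check: a PTR whose target has no matching forward record is stale."""
    ptr = lookup_ptr(ip)
    if ptr is None:
        return "no-ptr"
    return "ok" if ip in lookup_a(ptr) else "stale-ptr"

if __name__ == "__main__":
    for host in FORWARD:
        for f in check_fqdn(host):
            print(f"{f.fqdn:20} {f.ip:12} {f.status}")
```

A reverse-side sweep over the address block (check_reverse) catches stale PTR records that a name-driven check alone would never visit.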


Q.   

Do you test for everything?

A.   

Regrettably, no vulnerability analysis service can cover everything. New threats are continuously being devised; it is forever a cat-and-mouse game. Security is an ongoing process, which is the primary reason that every organization should perform external audits periodically -- at least annually and, preferably, more frequently.


Q.   

How much does it cost?

A.   

A single vulnerability check costs just US$5500. Electronic submission of a scan request using an online Order Form reduces the price to $5000 -- a 10% discount. Additional discounts are available for bulk scans based on volume and complexity.
We recommend an annual set of tests to maintain the security of a network over a longer term.  A set of tests can be purchased at significant savings.


Q.   

Why should I audit my Web server, Internet and intranet for potential security problems?

A.   

You owe it to yourself, your stakeholders and your clients. A security audit of Web servers, Internet, Extranet and intranet is an essential component of any sound security policy and practice. Security hardware and software are only as good as their design and implementation. Shortcomings in product design and configuration and newly emerging ways to penetrate security defenses can frustrate even the most expensive security solutions, allowing external and internal hackers to seize sensitive data or deface web sites. Auditing your security setup is one of only two reliable ways to determine whether you have security deficiencies. The other is a malicious attack.


Q.   

Why should I use an independent team from outside my organization to conduct a security audit?

A.   

As financial audits are always conducted by an independent source (i.e., as required by the US Securities and Exchange Commission, Generally Accepted Auditing Standards -- GAAS, and by Section 5751.32 of the Canadian Institute of Chartered Accountants Handbook), so too should your security audits be. Only by using an independent audit can you ensure that all potential security problems have been examined and exposed. It also adds credibility to your claim that your Web site is indeed secure.

US Federal Deposit Insurance Corporation's (FDIC) guidance FIL-68-99 of July 7, 1999 "Risk Assessment Tools and Practices for Information System Security" recommends regular use of vulnerability assessment tools and penetration analyses as an integral component of an institution's information security program. The analysis should be independent and may be conducted by a trusted third party, qualified internal audit team, or a combination of both. If using internal testers, the independence of the testers from system administrators should be considered.

Electronic Payments Association's (NACHA) March 2001 rules have created a new Automated Clearing House (ACH) transaction code for identifying debit transactions authorized over the Internet. Under the rules, all financial institutions and businesses that offer an ACH debit as a payment method must conduct an annual security audit.

According to Ted Julian, analyst at Forrester Research Inc. in Cambridge, MA, Web security audit services are of great benefit, and internal use of audit probes is not a substitute for testing done by external professionals (see review "CSCI Audit at ADDSecure.Net Inc." in ComputerWorld Canada, February 27, 1998, p.6): "Companies need external expertise to audit their sites... Bringing somebody in from the outside creates a greater initiative to find a problem. Having your internal people, who set up the security system, does not only create a questionable initiative for them to find things that are wrong but it might simply be hard for them to do."

Every business should ensure that all applications they run are secure; otherwise they compromise the overall security of their network. Whether to keep a particular Internet port open is usually a business decision based on a balance of cost, operational necessity and security requirements. Internal personnel sometimes keep ports open without compelling business reasons -- because they are not aware that a particular application makes use of a port, do not fully understand the security implications, want to perform some tasks from outside the corporate premises, or are not particularly concerned about security. In a larger firm, with numerous people participating in servicing corporate information systems, they might not all work in accord to preserve the security of the network.


Q.   

My vendor's Web site specifies to visitors that transactions are secure and describes the site's security procedures. Can I trust the vendor based on such information? Am I still responsible for consequences after I read that they "adequately secured their site"?

A.   

A client who relies on the vendor's word that his data are fully secured on the vendor's system has only himself to blame "when" (and not "if") something goes wrong. It is buyer beware -- as in any other business. Every technical security measure is by nature either transitory or inadequate. Only an up-to-date independent security audit provides sufficient confirmation that you can trust the vendor with your data.


Q.   

If we pass an audit, does it guarantee that our system is impenetrable?

A.   

US Federal Deposit Insurance Corporation's (FDIC) guidance FIL-68-99 of July 7, 1999 "Risk Assessment Tools and Practices for Information System Security" specifies that a penetration analysis is a snapshot of the security at a point in time and does not provide a complete guarantee that the system(s) being tested is secure. It can test the effectiveness of security controls and preparedness measures.


Q.   

What is the best way to convince our skeptical executives to implement adequate security solutions?

A.   

Always start by demonstrating to your management that security problems do exist. By ordering an independent audit, corporate IT and security specialists can prove beyond reasonable doubt that their current network is indeed vulnerable. An audit also helps to identify the security measures required to swiftly correct the situation.


Q.   

Our organization only uses ICSA-certified firewalls and proxy servers. Is it sufficient to ensure security of our Net and Web site?

A.   

The only reliable way to ensure that your firewall, proxy server and other security equipment do indeed operate as intended is to conduct independent and periodic security audits of your Net and Web sites. Merely using certified equipment cannot in principle provide such assurance: it is often improperly configured, and Internet defense software begins to become obsolete literally as soon as it is installed. Nor does using certified equipment or software provide any assurance that the security features needed to meet your corporate security policy requirements have been enabled or set up appropriately.


Q.   

Shouldn't we buy a probe and do audits ourselves?

A.   

By all means -- a probe might be a useful tool in an organization that can afford to run its own security audit team. Our company even resells some specialized audit probes. Just remember that one probe, however expensive, is unlikely to cover all the tests required to evaluate the vulnerabilities of your site, hence you might need a set of such tools from various sources. Moreover, you should strive to constantly keep up with the new security threats that appear almost daily. And of course you need very knowledgeable personnel who specialize in security audit and are able to constantly challenge the other IT and security experts within your organization to make sure that lapses do not occur. Owning a probe or two does not negate the need for an independent audit but rather reinforces the importance of this essential link in your organization's security chain.


Q.   

What kind of report is produced?

A.   

We produce a comprehensive audit report that is suitable for indicating the further protective measures that are required.


Q.   

Is a security audit a one-time event?

A.   

Security audits should never be treated as a one-time event. Security audits should be an ongoing part of your security maintenance management. Given time, professional hackers are adept at breaking into any organization, even one with the most expensive security defenses. That is part of the challenge for them. Periodic audits are essential to ensure that the security of your Web servers is maintained over the long run, since every subsequent audit is likely to include new tests and explore new threats. You must always try to keep pace with those who would attempt to break into your network.


Q.   

Does an ADDSecure.Net™ Audit mean we will have to invest in new hardware or software?

A.   

Not necessarily. We are totally "equipment neutral" and never dictate the security measures you have to use. If the audit uncovers problems with the security of your site, it is entirely up to you how to correct them, whether to use in-house resources or external consultants, and which ones. By knowing the nature of the problem from our confidential report detailing security vulnerabilities, you can derive the least expensive and most efficient solution to address it.


Q.   

Is your audit just a way to sell us a pile of expensive security "goodies"? A very large corporation already did an audit at our site. We didn't really understand their report. However, they insisted that we should buy expensive security solutions from them which in our view did not correspond to their findings. Is it likely to happen with your service as well?

A.   

Unlike many other firms that also market security equipment and services, ADDSecure.Net Inc. personnel will never try to sell you yet another expensive "magic bullet" to fix all the security problems uncovered by our audit. Web audit and certification is our sole activity. And our audit reports are very easy to understand, as they are produced "for human consumption" and receive very good marks from our clients for their clarity and readability. We will make sure you clearly comprehend the problems uncovered at your site.


Q.   

What happens if my organization fails a security audit?

A.   

Statistics show that the majority of Web sites fail their first security audit in one way or another. After your Web site has been audited, our ADDSecure.Net™ Audit team will provide you with a confidential detailed report of your network's weaknesses, prioritized in order of their importance. Audit results will allow you to significantly improve your network's defenses. Most of our clients stand a good chance of passing the second and subsequent audits.


Q.   

How thorough is your test?  What tools do you use?

A.   

We use a combination of in-house utilities, commercial products and tools used by hackers, since we have been unable to find a single tool which covers all areas equally well. We use the components of each tool which we have found to be most effective in their own areas of expertise and development.

We are often asked to provide a list of specific commercial tools we use. In order to preserve our impartiality, we will not provide such a list since, by implication, this may appear to be a recommendation for the use of the tool or tools listed. Each commercial tool developed has a focus on a specific operating system, protocol suite, or general area of problems. No single tool we have found is capable of performing the battery of tests we require to ensure the client's security.


Q.   

Do you check for NT server vulnerabilities? Win 95? Unix? Linux?

A.   

Since the Internet protocols themselves are independent of the machine type, we scan all operating systems. Vulnerabilities particular to any given operating system are given particular attention when and if tools are available to do so.


Q.   

Will your audit disrupt our services or destroy data on the machines being audited?

A.   

No. We use an original structured methodology that does not destroy any data. Due to the nature of connections to the Internet, there will be a minimal impact on Internet bandwidth while the audit tests are making requests to the machines being audited. This impact may extend to your internal network if your Internet connection is not implemented securely.


Q.   

What guarantee do you have that our vulnerability list will not be made available to non-privileged people?

A.   

Our company has a worldwide reputation for being independent, professional and ethical, and we are very serious about safeguarding the interests of our clients. Our personnel that deal with security issues have been carefully selected for their integrity and dedication to the cause of network security. Our security analysts are all full-time employees of ADDSecure.Net. We have carefully checked their references and they have also been cleared by the Government of Canada. None of our employees have a criminal background or any acts of moral turpitude in their past. We are entirely confident in their personal and professional integrity, and their experience has been substantiated by extensive reference checks. ADDSecure.Net has adopted a Statement of Ethics, signed by every employee of the company. Any staff member who intentionally or knowingly violates any provision of this Statement of Ethics will be subject to action by a peer review panel or to corporate disciplinary action.

Scans are written to a WORM (write-once, read-many) CD-ROM and stored in a safe. Reports are generated on the same device and also stored in the safe. Reports and results are only released to the client representative specified in the contract.

Once the report has been accepted by the client, all data relating to the audit and the report are destroyed.


Q.   

Will we sign a non-disclosure agreement?

A.   

Yes, a mutual non-disclosure agreement is a part of the project and the report.


Q.   

Do you have a subscription service?

A.   

We do have a subscription service. The subscription cost is based on the scanning interval. For transactional sites we recommend at least a quarterly audit interval.


Q.   

Do you people hire real hackers?

A.   

We don't employ hackers. Our employees who deal with sensitive corporate data are well-established professionals checked for the absence of a criminal background. They subscribe to ADDSecure.Net Inc.'s Statement of Ethics and have corresponding security clearances.


Q.   

Should we hire real hackers or ex-hackers to check our corporate defenses?

A.   

Some of our clients have already found out the hard way that hiring hackers to check corporate defenses might be imprudent at best. The danger of hiring them is real. Some hackers even apply to become security consultants in order to exploit the weaknesses of your network. Often they leave back doors open, to regain access after the project is finished, or as insurance in case of a disagreement with the employer or the client.

Stories abound of ex-hackers hired as security consultants who subsequently describe in underground publications the vulnerabilities of their clients. On the other hand, many hackers are just unskilled "script kiddies" who do not really know how to make a network secure; they are only able to mount attacks by using widely available hacking utilities that can be fully mastered in a short time without a deep understanding of the underlying technical issues.


Q.   

What is to prevent someone else from ordering an ADDSecure.Net™ Audit on my server, and then using the knowledge from the results to attack or break into my environment?

A.   

ADDSecure.Net Inc. verifies the owner of the machine, the premises on which it is being maintained, and that the person who made the request is authorized to do so. If such verification cannot be made, the audit will not be carried out, and the owners of the machine will be informed that an audit was requested, and by whom.


Q.   

What happens if I order an ADDSecure.Net™ Audit and my server is not housed on my premises?

A.   

Many businesses have their servers housed on the premises of their ISP, or in a server farm. ADDSecure.Net will contact both the owner of the server and the owner of the premises. If permission is not given by both owners, each of you will be informed who made the request and who refused it, so you can contact each other directly to work it out.


To order the "ADDSecure.Net™ Audit" service or for more information, please fill in a form or email us: addsecure (at) ADDSecure.Net.


(ADDSecure.Net™ Audit is a trademark of ADDSecure.Net Inc.)