
EMPANELLED OF INFORMATION SECURITY AUDITING ORGANISATIONS

IT Security Audit (Full Scope of Audit)

Within the broad scope, 'Information System Security Audit' or 'IT Security Audit' covers an assessment of the security of an organisation's networked infrastructure, comprising computer systems, networks, operating system software, application software, etc. A security audit is a specified process designed to assess the security risks facing an organisation and the controls or countermeasures adopted by the organisation to mitigate those risks. It is typically carried out by a person with technical and business knowledge of the company's information technology assets and business processes. As a part of any audit, the auditors will interview key personnel, conduct vulnerability assessments & penetration testing, catalog existing security policies and controls, and examine IT assets. The auditors rely heavily on technology, manual efforts & tools to perform the audit.

For Customer Organisations

The list of IT security auditing organisations, as given below, is the up-to-date, valid list of CERT-In empanelled Information security auditing organisations. This list is updated by us as soon as there is any change in it. Customer organisations may refer to this list for availing their services on limited quotes / tender basis to carry out Information security audit of their networked infrastructure. While placing the order, customer organisations should again refer to this list for the latest changes, if any, and should place the order only with an organisation that is in this list on that particular day.

1. M/s 3i Infotech Ltd #6/2, Brigade Champak, Union Street, Off Infantry Road, Bangalore 560001. Website URL : http://www.3i-infotech.com Telephone : 080-30541360 Fax : 080-30541306 Contact Person : Mr. Babji V S, General Manager, Managed Services e-mail : babji.vs[at]3i-infotech.com Mobile : 9945322113

2. M/s AAA Technologies Pvt Ltd

278-280, F-Wing, Solaris-1, Saki Vihar Road, Opp. L&T Gate No. 6, Powai, Andheri (East), Mumbai 400072. Website URL : http://www.aaatechnologies.co.in Telephone : 022-28573815 Fax: 022-40152501 Contact Person : Mr. Anjay Agarwal, Director e-mail : anjay[at]aaatechnologies.co.in Mobile : 9821087283 3. M/s AKS Information Technology Services Pvt Ltd E-52, 1st Floor, Sector-3, Noida 201301. Website URL : http://www.aksitservices.co.in Telefax : 0120-4243669 Contact Person : Mr. Ashish Kumar Saxena, Managing Director


e-mail : ashish[at]aksitservices.co.in Mobile : 9811943669 4. M/s Appin Software Security Pvt Ltd 9th Floor, Agarwal Metro Heights, Netaji Subhash Palace, Pitampura, New Delhi-110034 Website URL : http://security.appinonline.com Telephone : 011-64736970/71 Fax : 011-26581024 Contact Person : Mr. Rajat Khare, Director e-mail : appin.security[at]appinmail.com Mobile : 09212149267 5. M/s Auditime Information Systems (India) Pvt Ltd A-504, Kailash Esplanade, LBS Marg, Ghatkopar (West), Mumbai 400086. Website URL : http://www.auditimeindia.com Telephone : 022-25006875 Fax: 022-25006876 Contact Person : Mr. Chetan Maheshwari, Director e-mail : csm[at]auditimeindia.com

6. M/s Aegis Tech Limited 2nd Floor, Equinox Business Park, Tower 1, (Peninsula Techno Park), Off Bandra Kurla Complex, LBS Marg, Kurla (West), Mumbai 400070, INDIA Website URL : http://aegisglobal.com/section_level2.aspx?cont_id=zWj8z5qFobY= Telephone : +91 22 6661 7272 Fax: +91 22 6704 5888 Contact Person : Mr. Atul Khatavkar VP - ITGRC e-mail : atul.khatavkar[at]agcnetworks[dot]com Mobile : +91 9930132135, 98200 19392

7. M/s Aujas Networks Pvt Ltd No. 4025/26, 2nd Floor, K R Road, Jayanagar, 7th Block West, Bangalore 560082. Website URL : http://www.aujas.com Telephone : 080-40528527 Fax: 080-40528516 Contact Person : Ms. Sandhya Agnihotri, Manager - Sales Operations e-mail : sandhya.agnihotri[at]aujas.com Mobile : 9901133387


8. M/s Controlcase India Pvt Ltd 203, Town Center, Andheri-Kurla Road Saki Naka, Andheri(E) Mumbai-400059 Website URL : http://www.controlcase.com Telephone :+91-2266471800 Fax : +912266471810 Contact Person : Mr. Suresh Dadlani, Chief Operating Officer e-mail : sdadlani[at]controlcase.com Mobile : +91-9820293399 9. M/s CyberQ Consulting Pvt Ltd # 622, DLF Tower A, Jasola, New Delhi 110044. Website URL : http://www.cyberqindia.com Telephone : 011-41066560, 41077561 Fax: 011-41077561 Contact Person : Mr. Debopriyo Kar, Head, Information Security e-mail : debopriyo.kar[at]cyberqindia.com 10. M/s Computer Science Corporation India Pvt. Ltd. DLF IT Park, A-44/45, Sector 62, Noida Website URL: http://www.csc.com/in Telephone : +91-120-4701015 Fax : +91-120-6700108 Contact Person : Narendra Nayak Email : india_busdev[at]csc[dot]com

11. M/s Cyber Security Works Pvt Ltd E Block, No. 3, 3rd Floor, 599, Anna Salai, Chennai - 600006 Website URL : http://www.cybersecurityworks.com Telephone : 044-42089337 Fax : 044-42089170 Contact Person : Mr Selva Kumar, Manager e-mail : info [at] cybersecurityworks[dot]com

12. M/s Deccan Infotech Pvt Ltd # 13, Jakkasandra Block, 7th Cross, Koramangala, Bangalore 560034.


Website URL : http://www.deccaninfotech.in Telephone : 080-25530819 Fax : 080-25530947 Contact Person : Mr. Dilip. H. Ayyar, Director - Technical e-mail : dilip[at]deccaninfotech[dot]in Mobile : 9686455399

13. M/s Deloitte Touche Tohmatsu India Pvt. Ltd 7th Floor, Building 10, Tower B, DLF City Phase-II, Haryana India Gurgaon-122002 Website URL : http://www.deloitte.com Telephone : +91-1246792000 Fax : +91-1246792012 Contact Person : Mr. Sundeep Nehra, Senior Director e-mail : snehra[at]deloitte[dot]com Mobile : +91-9999003908

14. M/s Digital Age Strategies Pvt Ltd 204, Lakshminarayan Complex, 2nd Floor, Panduranganagar, Opp. HSBC, Bannerghatta Road, Bangalore 560076. Website URL : http://www.digitalage.co.in Telephone : 080-41503825 Fax : 080-264085148 Contact Person : Mr. Dinesh S. Shastri, Director e-mail : digitalageaudit[at]airtelmail[dot]in Mobile : 9448088666

15. M/s Ernst & Young Pvt Ltd 2nd Floor, TPL House, 3, Cenotaph Road, Teynampet, Chennai 600018. Website URL : http://www.ey.com/india Telephone : 044-42194650 Fax : 044-24311450 Contact Person : Mr. Terry Thomas, Partner e-mail : terry.thomas[at]in.ey.com Mobile : 9880325000

16. M/s Financial Technologies(India)Ltd 601, Bostan House, 6th Floor, Suren Road, Chakala, Andheri(East), Mumbai-400093 Website URL : http://www.ftindia.com/ Telephone : +912267099600


Fax : +912267099066 Contact Person : Mr. Parag Ajmera, Head

17. M/s Haribhakti & Co. 42, Free Press House, 215, Nariman Point, Mumbai 400021. Website URL : http://www.haribhaktigroup.com Telephone : 022-66729999 Fax: 022-66729777 Contact Person : Mr. Milind Dharmadhikari, Director In-charge e-mail : milind.dharmadhikari[at]bdoindia.co.in

18. M/s HCL Comnet Ltd Head Office, A 10-11, Sector-3, Noida 201301. Website URL : http://www.hclcomnet.co.in Telephone : 0120-4362800 Fax : 0120-2539799 Contact Person : Mr. Prasun Roy Barman, Global Practice Director - Security e-mail : prasunb[at]hcl.in

19. M/s HEXAWARE TECHNOLOGIES LTD. Plot No. H5, SIPCOT IT Park Navallur Post, Siruseri, Kanchipuram Dt. 603 103 (India) Website URL : http://www.hexaware.com Telephone : +91-44-47451000 Fax : +91-44-47451111 Contact Person : Mr. S. Elangovan e-mail : Elangovan[at]hexaware[dot]com Mobile : 98404 13778

20. M/s IBM India Pvt Ltd 4th Floor, The IL&FS Financial centre, Plot No C 22, G Block, Bandra Kurla Complex, Bandra (East),Mumbai-400051 Website URL : http://www.ibm.com/ Telephone : +91-022-40589000 Fax : +91-22-26533585 Contact Person : Mr. Jeffery Paul


e-mail : pjeffery[at]in[dot]ibm[dot]com Mobile : +91-9892502342

21. M/s IDBI Intech Ltd Plot No. 39-41, IDBI Building , Sector-11, CBD Belapur, Navi Mumbai 400614. Website URL : http://www.idbiintech.com/ Telephone : 022-39148000 Fax : 022-27566313 Contact Person : Mr. Pramod Gosavi, Head - Professional Services e-mail : gosavi.pramod[at]idbiintech.com / is.audit[at]idbiintech.com Mobile : 9890304884

22. M/s Indusface Consulting Pvt Ltd A/2-3, 3rd Floor, Status Plaza, Opp. Relish Resorts, Akshar Chowk, Atladra - Old Padra Road, Vadodara 390020. Website URL : http://www.indusfaceconsulting.com Telephone : 0265-6562666 Fax: 0265-2355820 Contact Person : Mr. Ashish Tandon, CEO e-mail : ashish.tandon[at]indusfaceconsulting.com Mobile : 9898866444

23. M/s Information Systems Auditors & Consultants Pvt Ltd 12/12 A, 3rd Floor, Dena Bank Building. 17B Horniman Circle, Fort, Mumbai 400001. Telephone : 022-22663955 Fax: 022-22662661 Contact Person : Mr. Shashin Lotlikar, Director e-mail : smlotlikar[at]isaac.co.in

24. M/s iSec Services Pvt Ltd 608/609 Reliable Pride, Anand Nagar, Opp. Om Heera Panna Mall, Jogeshwari West Mumbai - 400102 Website URL: www.isec.co.in Telephone : 022-26368830 Fax : 022-26300209 Contact Person : Mr. C Karthikeyan, Sr Security Analyst e-mail : contactus[at]isec.co.in


25. M/s iViZ Techno Solutions Pvt Ltd RDB Boulevard, 4th Floor, Plot No. K-4, Sector 5, Block - EP & GP, Salt Lake, Kolkata 700091. Website URL : http://www.ivizsecurity.com/ Telephone : 033-40217300 Fax : 033-40217308 Contact Person : Mr. Rudra Kamal Sinha Roy, Group Head, Project Managment e-mail : rudra[at]ivizsecurity.com Mobile : 9845838888

26. M/s KPMG 4B, DLF Corporate Park, DLF City, Phase-3, Gurgaon 122002. Website URL : http://www.in.kpmg.com Telephone : 0124-2549191 Fax : 0124-2549101 Contact Person : Mr. Akhilesh Tuteja, Executive Director e-mail : atuteja[at]kpmg.com Mobile : 9871025500

27. M/s Locuz Enterprise Solutions Ltd 3, Tilak Road, Sudha House, Abids, Hyderabad 500001. Website URL : http://www.locuz.com Telephone : 040-66115511 Fax : 040-66781111 Contact Person : Mr. Uttam Majumdar, Chief of Consulting & Professional Services e-mail : uttam.majumdar[at]locuz.com Mobile : 9848005089

28. M/s Microland Ltd 1B, Ecospace, Belandur, Outer Ring Road, Bangalore 560037. Website URL : http://www.microland.com Telephone : 080-39180254 Fax : 080-39180044 Contact Person : Venugopal J D, Group Consultant e-mail : ptsdc[at]microland.com Mobile : +919845171663


29. M/s MIEL e-Security Pvt Ltd C-611/612, Floral Deck Plaza, MIDC, Central Road, Andheri (East), Mumbai 400093. Website URL : http://www.mielesecurity.com Telephone : 022-28215050 Fax : 022-28215838 Contact Person : Mr. R. Giridhar, National Sales Manager e-mail : rgiridhar[at]mielesecurity.com Mobile : 9820142476

30. M/s Network Intelligence India Pvt Ltd 204 Ecospace IT Park, Off Old Nagardas Road, Andheri East, Mumbai-400069. Website URL: www.niiconsulting.com Telephone: 022-28392628 Fax: 022-28375454 Contact person: Mr K.K. Mookhey, Principal Consultant e-mail: kkmookhey[at]niiconsulting.com / info[at]niiconsulting.com mobile : +91-9820049549

31. M/s Network Security Solutions (India) Ltd 4 Kumar Pavilion, Gen Thimmayya Marg (East Street). Camp, Pune - 411 001 Website URL : http://www.mynetsec.com Telephone : 020-60601971 Contact Person : Mr. Rajendra Dave (COO), e-mail : coo[at]mynetsec.com Mobile : 9881122049

32. M/s Netmagic Solutions Pvt. Ltd B-2, 2nd Floor, Phase 1, Nirlon knowledge park, Goregaon East. Website URL : http://www.netmagiasolutions.com Telephone : +91 -22 - 40099099 Fax : +91 22 6785 1501 Contact Person : Mr. Yadavendra Awasthi, Chief Information Security Officer (CISO) e-mail : yadu@netmagicsolutions.com Mobile : + 91 - 9820 2425 84


33. M/s NIIT Technologies Ltd 223-224, Udyog Vihar-I Gurgaon 122002. Website URL : http://www.niit-tech.com Telephone :0124-4374161 Fax : 011-40570933 Contact Person : Mr. Maneesh Bakhru, e-mail : maneesh.bakhru[at]niit-tech.com Mobile : +91 9818605093

34. M/s Paladion Networks 49, 1st Floor, Shilpa Vidya, 1st Main, 3rd Phase, J P Nagar, Bangalore 560078. Website URL : http://www.paladion.net Telephone : 080-41135991 Fax: 080-41208559 Contact Person : Mr. Manoj Kumar, Marketing Manager e-mail : manoj.kumar[at]paladion.net Mobile : 9810488748

35. M/s Persistent Systems Limited Pingala-Aryabhatt, Plot No. 9A/12, CTS No. 12A/12, Erandwana, Near Padale Palace , Pune 411004. Website URL : http://www.persistentsys.com Telephone : 020 30234000 Fax: 020 3023 4001 Contact Person : Mr. Anand Pande e-mail : security_info[at]persistentsys.com Mobile : +91 9552560590 36. M/s PricewaterhouseCoopers Pvt Ltd Building 8, 8th Floor, Tower B, DLF Cyber City, Gurgaon 122002. Website URL : http://www.pwc.com Telephone : 0124-4620000 Fax: 0124-4620620 Contact Person : Mr. Neel Ratan, Executive Director e-mail : neel.ratan[at]in.pwc.com 37. M/s Progressive Infotech Pvt Ltd C-161, Phase-II Extension Noida-201305 Website URL : http://progressive.in/ Telephone : +91-120-4393939 Fax : +91-120-4393922


Contact Person : Mr. Ajay Batra, Practice Head e-mail : ajay.batra[at]progressive.in Mobile : +91-9811832622 38. M/s ProMinds Consulting Pvt Ltd 402, 4th Floor, ABK Olbee Plaza, Road No. 1, Banjara Hills, Hyderabad 500034. Website URL : http://www.promindsglobal.com Telefax : 040-40207383 Contact Person : Mr. Balaji Selvaraju, CEO and Principal Consultant e-mail : balajis[at]promindsglobal.com Mobile : +91-9866673663

39. M/s Qadit Systems & Solutions Pvt Ltd 1st Floor, Balammal Building 33 Burkit Road T. Nagar Chennai 600017. Website URL : http://www.qadit.com Telephone : +91-44-42791150/ 51/ 52 Fax : +91-44-42791149 Contact Person : Mr. V. Vijayakumar, Director e-mail : vijay[at]qadit.com Mobile : 9444019232

40. M/s Secure Matrix India Pvt Ltd 12 Oricon House, 14 K Dubash Marg, Kala Ghoda, Fort, Mumbai 400001. Website URL : http://www.securematrix.in Telephone : 022-32537579 Fax : 022-22886152 Contact Person : Mr. Saurabh B. Dani, Vice Chairman e-mail : saurabh[at]securematrix.in Mobile : 9821542619

41. M/s SecureSynergy Pvt Ltd #3332, 13th Main, 6th Cross, HAL II Stage, Indiranagar, Bangalore 560038. Website URL : http://www.securesynergy.com Telephone : 080-25210556 Fax: 080-41151605 Contact Person : Mr. Santhosh Koratt, Head - Consulting & Compliance e-mail : santhoshkoratt[at]securesynergy.com


42. M/s SecurEyes Techno Services Pvt Ltd #3S, 3rd Floor,Swamy Towers, Chinapanahalli, Marathahalli, Outer Ring Road Bangalore 560037. Website URL : http://www.secureyes.net Telephone : 080-41264078 Contact Person : Mr. Karmendra Kohli , Chief Operating Officer e-mail : karmendra.kohli[at]secureyes.net Mobile : 9448111432

43. M/s Security Brigade 1/47 Tardeo AC Market, Tardeo, Mumbai 400034 Website URL : http://www.securitybrigade.com Telephone : 0651-6458865 Fax : 0651-2444545 Contact Person : Mr. Yash Kadakia, Chief Technology Officer e-mail : yash[at]securitybrigade.com Mobile : 9833375290 44. M/s Sify Technologies Ltd Brigade MLR Centre, No. 20, G Floor, Vanivilas Road, Basavanagudi, Bangalore 560004. Website URL : http://www.sifycorp.com Telephone : 080-61263144 Fax: 022-26177662 Contact Person : Mr. Natarajan K R, DGM - Information Assurance e-mail : natarajan.karrirama[at]sifycorp.com Mobile : 9844374175

45. M/s Simos Computer Systems Pvt Ltd No. 5 (Old No. 3/1), Poes Road, 1st Floor, Teynampet, Chennai 600018. Website URL : http://www.simosindia.com Telephone : 044-42110302 Fax : 044-42109436 Contact Person : Mr. Balamurugan R, Director e-mail : rbm[at]simosindia.com Mobile : 9884306004

46. M/s SISA Information Security Pvt Ltd 3029, SISA House, 13th Main Road,


Sri Sai Darshan Marg, HAL II Stage, Indiranagar, - Bangalore - 560008 Website URL: http://www.sisa.co.in Telephone: 080-41153769 Fax: 080-41153796 Contact person: Mr. Nitin Bhatnagar, Head Business Development e-mail: info[at]sisa.in mobile : +91-9820885922

47. M/s Spectrum IT Solution B118, Sector 64, Noida,UP 201307 Website URL : http://www.spectrumin.co.in Telephone : 0120-4236230 Fax : 0120-4236231 Contact Person : Mr. Mahesh Singh, Director e-mail : mahesh[at]spectrumin.co.in Mobile : 9811943670

48. STQC Directorate Department of Information Technology, Min. of Comm'ns & IT, Govt. of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi 110003. Website URL : http://www.stqc.nic.in Telephone : 011-24363378 Fax: 011-24363083 Contact Person : Mr. Arvind Kumar, Scientist F e-mail : arvind[at]mit.gov.in

49. M/s Suma Soft Pvt Ltd Suma Center, 2nd Floor, Opp. Himali Society, Near Mangeshkar Hospital, Erandawane, Pune - 411 004 Website URL:http://www.sumasoft.com Telephone: +91-20-40130400 Fax: +91-20-25438108 Contact Person: C Manivannan e-mail: mani[at]sumasoft.com Mobile: +91-9371011855

50. M/s Sumeru Software Solutions Pvt Ltd #40, Arth, 12th Main, Jayanagar, 4th Block,


Bangalore 560041. Website URL : http://www.sumerusolutions.com Telephone : 080- 28432475 Fax : 080-41211434 Contact Person : Mr. Chidhanandham Arunachalam e-mail : infosec[at]sumerusolutions.com Mobile : 9538912774

51. M/s Sysman Computers Pvt Ltd 312, Sundram, Rani Laxmi Chowk, Sion Circle, Mumbai 400022. Website URL : http://www.sysman.in Telephone : 9967247000 Telefax: 9967248000 Contact Person : Mr. Rakesh Goyal, Managing Director e-mail : rakesh[at]sysman.in

52. M/s Tata Consultancy Services Ltd Wellspring Phase-3, Godrej and Boyce Complex, Plant No. 12, Gate No. 4, LBS Marg, Vikhroli (West), Mumbai 400079. Website URL : http://www.tcs.com Telephone : 022-67784139 Fax: 022-67784399 Contact Person : Mr. P V S Murthy, Global Head-Information Security Management Practice e-mail : pvs.murthy[at]tcs.com Mobile : 9223179277

53. M/s Tech Mahindra Ltd A-7, Sector-64, Noida 201301. Website URL : http://www.techmahindra.com Telephone : 0120-4652000 Contact Person : Mr. Manoj Gilra, Director - Business Development e-mail : mgilra[at]techmahindra.com Mobile : 9810069966 54. M/s Technologics & Control 2/30, 3rd Floor , Sarai Julena, - New Delhi - 110025 Website URL: www.tech-controls.com Telephone: 011-26933733 Fax: 011-26910189


Contact person: Mr. Sanjiv Arora, Director e-mail: sa[at]tech-controls.com mobile : +91-9810293733 55. M/s Torrid Networks Pvt. Ltd. H-87, First Floor , Sector-63, Noida 201 301 Website URL: www.torridnetworks.com Telephone: 0120-4216622 Fax: 0120-4314996 Contact person: Mr. Salil Kapoor e-mail: info [at] torridnetworks.com mobile : +91-9266666883/9266666696

56. M/s TVSNet Technologies Ltd 3rd Floor, V B C Solitaire, 47 & 49, Bazullah Road, T Nagar, Chennai 600017. Website URL : http://www.tvsnet.in Telephone : 044-42923900 Fax: 044-42923999 Contact Person : Mr. Sujit P Christy, ISecurity Manager - Solutions Architect e-mail : sujit.p[at]tvsnet.in Mobile : 9382122359

57. M/s Verizon Business Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037. Website URL : http://www.verizonbusiness.com/in/ Telephone : +91-11-42818101 Fax : +91-11-42818164 Contact Person : Mr. Prashant Gupta e-mail : Prashant.gupta[at]verizonbusiness.com Mobile : +91- 9899211162 58. M/s VISTA InfoSec Pvt. Ltd. 2/203 Vahatuk Nahar, Caesar Road, Amboli, Andheri (W), Mumbai - 400058 Website URL : http://www.vistainfosec.com Telephone : +91-22-65236292 Fax : Contact Person : Rohan.Patil@vistainfosec.com Mobile : +91-9619990923


59. M/s Wipro Ltd Consulting Division, 480 - 481, Udyog Vihar, Phase-3, Gurgaon 122016. Website URL : http://www.wipro.co.in Telephone : 0124-3084407 Fax : 0124-3084700 Contact Person : Mr. Sachin Nagpal, Consultant e-mail : sachin.nagpal[at]wipro.com Mobile : 9711360534


CERT-In empanelled IT Security Auditing Organisations

M/s 3i Infotech Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : 3i Infotech Ltd, Navi Mumbai
2. Carrying out Information Security Audits since : December 2000
3. Technical manpower deployed for information security audits :
   CISSPs : 1
   BS7799 / ISO27001 LAs : 7
   CISAs : 2
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 40
4. Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
   Freeware : 100
   Commercial : 0
   Proprietary: 1
   Total Nos. of Audit Tools : 101
Details of the Audit Tools
Freeware
   1. Nessus - Remote security scanner
   2. Snort - Network intrusion prevention and detection system
   3. Netcat - A simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol
Commercial
   1. Retina - Retina's function is to scan all the hosts on a network and report on any vulnerability found.
5. Information Security Audit Methodology : OSSTM, OWASP
6. Information Security Audits carried out since empanelment till now :
   Govt. : 0
   PSU : 0
   Private : 22
   Total Nos. of Information Security Audits done : 22
7. Business domain of auditee organisations : Banking, Financial, Manufacturing
8. Typical applications in use by auditee organisations : Banking and Financial Applications
9. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 16 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 250
   No. of Servers : 30
   No. of Switches : 20
   No. of Routers : 6
   No. of Firewalls : 2
   No. of IDS' : 0
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s AAA Technologies Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : AAA Technologies Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2000
3. Technical manpower deployed for security audits :
   CISSPs : 3
   BS7799 / ISO27001 LAs : 5
   CISAs : 9
   DISAs / ISAs : 3
   Total Nos. of Technical Personnel : 20
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 19
   Commercial : 0
   Proprietary: 1
   Total Nos. of Audit Tools : 20

Details of the Audit Tools
Freeware :
   1. Nessus
   2. Whisker
   3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
   4. DOMTOOLS - DNS-interrogation tools
   5. SARA - Vulnerability scanner
   6. RAT
   7. Nikto - This tool scans for web-application vulnerabilities
   8. Snort - IDS
   9. Firewalk - Traceroute-like ACL & network inspection/mapping
   10. Hping - TCP ping utility
   Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files, etc.); facilitates the interception of network traffic normally unavailable to an attacker
   11. HTTrack - Website Copier
   12. Chkrootkit - Rootkit discovery tool
   13. Tools from FoundStone - Variety of free security-tools
   14. SQL Tools - MS SQL related tools
   15. John the Ripper - Password-cracking utility
   16. ITS4 - Scan C/C++ source-code for vulnerabilities


   17. Paros
   18. NMAP - The famous port-scanner
   19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
   20. Nemesis - Packet injection suite
   21. NetCat - Swiss Army-knife, very useful
   22. RAT - CISecurity's Router Auditing Tool
   23. DSniff - A collection of different purpose sniffers
   24. Achilles - An SSL-proxy allowing to change data
   25. Whitehats - Snort IDS-signatures & other resources
   26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
   27. Brutus - password cracking for web applications, telnet, etc.
   28. WebSleuth - web-app auditing tool
   29. Mieliekoek - SQL Injection tool, use with HTTrack
   30. NT Toolbox - Resources & tools for NT
   31. @Stake Tools - Tools provided by @Stake
   32. TSCrack - Wordlist-based Terminal Server login-cracker
   L0phtcrack - NT-password cracking utility
   33. HTTPrint - detect web server and version
   34. Web proxy - web application testing
   35. Web server vulnerability assessment tool
Commercial : None
Proprietary :
   1. AAA - Used for Finger Printing and identifying open ports, services and misconfiguration
6. Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT
7. Security Audits carried out since empanelment till now :
   Govt. : 88
   PSU : 34
   Private : 15
   Total Nos. of Security Audits : 137
8. Business domain of auditee organisations : Stock Brokers, Banking, Travel, Insurance, Railways, Govt.
9. Typical applications in use by auditee organisations : Banking, Tally, ERP, Home grown applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Servers : 500
   No. of Computer Systems : 1000
   No. of Routers : 10
   No. of Switches : 40
   No. of Firewalls : 30
   No. of IDS' : 20
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s AKS Information Technology Services Pvt Ltd
Snapshot of skills and competence of CERT-In Empanelled Information Security Auditing Organisation

1. Name, Location of the Empanelled Information Security Auditing Organisation : AKS Information Technology Services Pvt Ltd, Noida
2. Carrying out Information Security Audits since : September 2006
3. Technical manpower deployed for information security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 3
   CISAs / CISMs: 1
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 18
4. Outsourcing of External Information Security Auditors / Experts : N
Information Security Audit Tools used (owned, in possession) :
   Freeware : 50
   Commercial : 4
   Proprietary: 1
   Total Nos. of Audit Tools : 55
Details of the Information Security Audit Tools
Freeware Tools
   1. Nmap, Superscan and Fport - Port Scanners
   2. Nessus - Vulnerability Scanner
   3. Metasploit & Securityforest - Penetration Testing
   4. Process explorer, Sigcheck, Kproccheck - Windows Kernel & malware detection
   5. Netstumbler & Kismet - WLAN Auditing
   6. Nikto - Web server vulnerability scanner
Commercial Tools
   1. GFI Languard, Retina - Vulnerability Scanners
   2. Burp Suite, Acunetix - Web application auditing
Proprietary Tools
   1. ISA Log Analyzer
5. Information Security Audit Methodology : OSSTM, OWASP, ISO 27001, ISO 25999, CoBIT
6. Information Security Audits carried out since empanelment till now :
   Govt. : 650
   PSU : 50
   Private : 40
   Total Nos. of Security Audits : 740
7. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development, Manufacturing, Defence
8. Typical applications in use by auditee organisations : Payment Gateway, PKI-based, Client-Server, Web Based, MIS, Oracle ERP, NMS Web Applications
9. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 256 Mbps
10. LAN Infrastructure details of an organizations audited with most complex network :
   No. of Servers No. of Computers No. of Routers No. of Switches No. of Firewalls No. of IDS' :2 : 262 : 60 : 212 : 162 : 16
11. Ability to carry out vulnerability assessment and penetration test : Y

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


M/s Appin Software Security Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Appin Software Security Pvt. Ltd., Delhi
2. Carrying out Information Security Audits since : September 2005
3. Technical manpower deployed for information security audits :
   CISSPs : 1
   BS7799 / ISO17799 / ISO27001 LAs : 7
   CISAs / CISMs: 0
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 30
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
   Freeware : 11
   Commercial : 7
   Proprietary: 2
   Total Nos. of Information Security Audit Tools : 20
Details of the Information Security Audit Tools
Freeware Tools
   1. Nessus
   2. Nmap
   3. Retina
   4. SQL Injector
   5. SQL Ninja
   6. Backtrack
   7. Wikto
   8. Web Server Auditor
   9. NS Auditor
   10. Kismet
   11. Ethereal
Commercial Tools
   1. GFI languard
   2. SSS
   3. Accunetix
   4. Core Impact
   5. Appscan
   6. Webinspect
   7. QualysGuard
Proprietary Tools
   1. Appin Guard
   2. Appin Runner
6. Information Security Audit Methodology : OSSTM, OWASP, BS7799, ISO27001, ISO25999, CoBIT, SANS, APPSEC
7. Information Security Audits carried out so far :
   Govt. : 70
   PSU : 8
   Private : 50
   Total Nos. of Security Audits : 128
8. Business domains of auditee organisations : Telecom, BPO, Manufacturing, Defence, Media, Infrastructure, IT/ITES, Banking, Financial SW, Government, Education, Travel
9. Typical applications in use by auditee organisations : CBS, Oracle ERP, NMS, SAP, Peoplesoft, e-Gov., Mobile & Web Applications
10. Bandwidth available with an auditee organisation having most complex network :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
   No. of Computers : 4000
   No. of Servers : 300
   No. of Switches : 200
   No. of Routers : 200
   No. of Firewalls : 20
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Auditime Information Systems (India) Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : AUDITime Information Systems (I) Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : September 2000
3. Technical manpower deployed for Information security audits :
   CISSPs : 1
   BS7799 / ISO27001 LAs : 2
   CISAs : 10
   DISAs / ISAs : 2
   Total Nos. of Technical Personnel : 64
4. Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
   Freeware : 36
   Commercial : 0
   Proprietary: 0
   Total Nos. of Audit Tools : 36
Details of the Audit Tools
Freeware Tools
   1. Achilles - A tool designed for testing the security of web applications
   2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
   3. Brutus - A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
   4. Crack - A password cracker
   5. CrypTool - A cryptanalysis utility
   6. cURL - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP
   7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools etc
   8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering
   9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
   10. FScan - A command-line port scanner. Supports TCP and UDP
   11. Fragrouter - Utility that allows to fragment packets in funny ways
   12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
   13. ISNprober - Check an IP address for load-balancing.
   14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
   15. John The Ripper - A password cracker
   16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
   17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could be used when scanning a large range of IP addresses, or to verify the results of manual work.
   18. Netcat - The swiss army knife of network tools. A simple utility which reads and writes data across network connections, using TCP or UDP protocol
   19. NMAP - The best known port scanner around.
   20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS versions from the information in the packets.
   21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like L0phtcrack or John
   22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, etc.
   23. ScanDNS - Script that scans a range of IP addresses to find DNS names
   24. Scripts - A number of custom developed scripts to test different security issues.
   25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from command line
   26. SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
   27. Strobe - A command-line port scanner that also performs banner grabbing
   28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
   29. THC - A freeware wardialer
   30. TCPdump - A packet sniffer
   31. TCPtraceroute - Traceroute over TCP
   32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management Protocol including snmpget, snmpwalk and snmpset.
   33. Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
   34. Webinspect - CGI scanning, web crawling, etc.
   35. Webreaper, wget - Software that mirrors websites to your hard disk
   36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for the latest vulnerabilities.
Commercial Tools
   None
Proprietary Tools
   None
5. Information Security Audit Methodology : ISO17799 / ISO27001
6. Information Security Audits carried out since empanelment till now :
   Govt. : 0
   PSU : 15
   Private : 105
   Total Nos. of Security Audits : 120
7. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Logistics, Insurance
8. Typical applications in use by auditee organisations : Core banking, Insurance, Loan & Treasury Management, Online trading, backoffice, CTCL, accounting, operations management, billing
9. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 15
   No. of servers : 28
   No. of switches : 0
   No. of routers : 1
   No. of firewalls : 1
   No. of IDS' : 1
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/S Aegis Tech Limited
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation :
2. Carrying out Information Security Audits since : 12 Years
3. Technical manpower deployed for information security audits :
   CISSPs : 1 No.
   BS7799 / ISO27001 LAs : 14 Nos.
   CISAs : 5 Nos
   DISAs / ISAs :
   Total Nos. of Technical Personnel : 15
4. Outsourcing of External Information Security Auditors / Experts : DNV for ISO 27001 certification
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : Backtrack ver 5
   Commercial : Nessus Ver 4.4.1, Acunetix Ver 7
   Proprietary :
   Total Nos. of Audit Tools : 3 + Numerous Open Source Tools
6. Information Security Audit Methodology : Discovery (Scanning & probing), Exploitation & Analysis (Penetrate Perimeter, Attack Resources), Reporting (Assessment Report & Recommendations)
7. Information Security Audits carried out so far :
   Govt. :
   PSU :
   Private : More than 50
   Total Nos. of Information Security Audits done : More than 50
8. Business domain of auditee organisations : Banking, Telecom, Manufacturing etc
9. Typical applications in use by auditee organizations : SAP, Oracle Financials, Finacle etc
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 8 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 27 (Internal)
   No. of Servers : 11 (External)
   No. of Switches : 10
   No. of Routers : 5
   No. of Firewalls : 1
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Details of the Audit Tools
Freeware:
Commercial: ACL, IDEA

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Aujas Networks Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Aujas Networks Pvt Ltd, Bangalore
2. Carrying out Information Security Audits since : February 2008
3. Technical manpower deployed for information security audits :
   CISSPs : 7
   BS7799 / ISO17799 / ISO27001 LAs : 10
   CISAs / CISMs : 7
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 30
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
   Freeware : 24
   Commercial : 3
   Proprietary : 1
   Total Nos. of Information Security Audit Tools : 28

Details of the IT Security Audit Tools

Freeware Tools
1. NMAP - Port Scanning.
2. Super Scan - Port Scanning
3. Netcat - Network Utility.
4. Telnet Client - Network Utility.
5. Putty - Network Utility
6. SNMPWalk - SNMP Scanner
7. User2SID & SID2User - Look up Windows service identifiers.
8. John The Ripper - Unix and NT password Cracker
9. WireShark - Wireshark is a network protocol analyzer for Unix and Windows.
10. Snort - A free lightweight network intrusion detection system for UNIX and Windows.
11. Metasploit - Exploitation Framework
12. Backtrack Live CD - Exploitation framework.
13. Nikto - Network Vulnerability Scanner.
14. BlackWidow - Website Profiling Tool.
15. Wget - Network Utility
16. Paros - HTTP Interceptor.
17. Burp Suite - HTTP Interceptor.
18. Brutus - Brute Force Password Attack
19. WFetch - HTTP Raw Methods Debugging
20. AnEc Cookie Editor (Firefox Plug-in) - Cookie Editor
21. Netstumbler - Detection of Wireless LANs
22. Kismet - 802.11 wireless network detector, sniffer, and intrusion detection system.
23. MYSQL Administration Tool - MYSQL Administration.
24. GoCR Decoder - OCR reader.

Commercial Tools
1. Acunetix - Web Vulnerability Scanning Tool.
2. CodeSecure Code Review Tool
3. Nessus Network Vulnerability Scanner

Proprietary Tools
1. PHP Security Audit Script : This script checks for insecure web configurations.

6. Information Security Audit Methodology : Standard (ITIL, CoBIT 4.1, COCO ERM, ISO27001, NIST 800-30, ISO27005, CIS Benchmarks, OWASP, OSSTM)
7. Information Security Audits carried out so far :
   Govt. : 4
   PSU : 1
   Private : 35
   Total Nos. of Security Audits : 40
8. Business domains of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications
10. Bandwidth available with an auditee organisation having most complex network :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 6 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
   No. of Computers : 1120
   No. of Servers : 30
   No. of Switches : 10
   No. of Routers : 2
   No. of Firewalls : 1
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Controlcase India Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : M/s ControlCase India Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
   CISSPs : 7
   BS7799 / ISO27001 LAs : 4
   CISAs : 8
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 20
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 140
   Commercial : 3
   Proprietary : 1
   Total Nos. of Audit Tools : 144

List of Tools used Freeware: Nmap Netcat 0.7.1 Netdiscover P0f PSK-Crack Protos Finger Google Firewalk Fport 2.0 (Windows Executable) Goog Mail Enum Google-search Googrape Gooscan Host InTrace 1.3 Itrace Maltego 2.0


Metagoofil 1.4 Mbenum 1.5.0 (Windows Executable) Netenum Netmask Nmbscan 1.2.4 Protos PsTools (Windows Executables) PStoreView 1.0 (Windows Binary) QGoogle Relay Scanner SMTP-Vrfy 0trace 0.01 DMitry DNS-Ptr dnstracer 1.5 dnswalk dns-bruteforce dnsenum dnsmap DNSPredict Subdomainer 1.3 TCPtraceroute 1.5beta7 TCtrace Whoami (Windows Executable) Network Mapping Amap 5.2 Angry IP Scanner (ipscan) 3.0-beta3 Autoscan 0.99_R1 Fierce 0.9.9 beta 03/24/07 Fping Genlist Hping IKE-Scan IKEProbe ScanLine 1.01 (Windows Executable) SinFP XProbe2 Zenmap 4.60 Absinthe Bed CIRT Fuzzer


Checkpwd Cisco Auditing Tool Cisco Enable Bruteforcer Cisco Global Exploiter Cisco OCS Mass Scanner Cisco Scanner Cisco Torch Curl Fuzzer 1.2 HTTP PUT Nikto OpenSSL-Scanner Paros Proxy RPCDump RevHosts SMB Bruteforcer SNMP Scanner SNMP Walk SQL Inject SQL Scanner SQLLibf SQLbrute Sidguess Smb4K Snmpcheck Snmp Enum Spike Stompy SuperScan TNScmd Taof VNC_bypauth Wapiti Yersinia sqlanlz sqldict sqldumplogins sqlquery sqlupload Metasploit Framework Milw0rm Archive


Ascend attacker CDP Spoofer Cisco Enable Bruteforcer Crunch Dictgen DHCPX Flooder DNSspoof Driftnet Dsniff Etherape EtterCap File2Cable HSRP Spoofer Hydra John Mailsnarf SMB Sniffer TFTP-Brute VNCrack WebCrack Wireshark Wireshark Wifi HttpTunnel Client HttpTunnel Server Privoxy ProxyTunnel Rinetd AFrag ASLeap aircrack-ng Airoscript Kismet BTcrack Bluebugger Blueprint Bluesmash Bluesnarfer Btscanner GNU DDD Hexdump Hexedit Commercial:

AppScan IBM Appscan Tenable Nessus eEye Retina

6. Information Security Audit Methodology : Standard (OSSTM, OWASP, PCI DSS, PA DSS, PCI ASV, FISAP, HIPAA, TG3 Certification, EI3PA Certification, ISO27001, ITIL, CoBIT, NIST 800-30, ISO27005, CIS Benchmarks)
7. Information Security Audits carried out so far :
   Govt. : 0
   PSU : 0
   Private : 55
   Total Nos. of Information Security Audits done : 55
8. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Retail, Government, Health, Logistics, Insurance
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications, Mobile Applications, Payment Applications, Billing Applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 30
   No. of Servers : 45
   No. of Switches : 4
   No. of Routers : 1
   No. of Firewalls : 2
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s CyberQ Consulting Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : CyberQ Consulting Pvt. Ltd., New Delhi
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for Information security audits :
   CISSPs : 0
   BS7799 / ISO27001 LAs : 4
   CISAs : 4
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 28
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 44
   Commercial : 1
   Proprietary : 3
   Total Nos. of Information Security Audit Tools : 48

Details of the Information Security Audit Tools

Freeware Tools :
1. Metasploit 3.2 - Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research.
2. Backtrack 3 - a Linux distribution, distributed as a Live CD which resulted from the merger of WHAX and the Auditor Security Collection, which is used for Penetration testing.
3. Sam Spade - a Windows software tool designed to assist in tracking down sources of e-mail spam
4. Telnet - Can report information about an application or service; i.e., version, platform
5. Tcpdump - a common packet sniffer that runs under the command line
6. Nmap 5.00 - powerful tool available for Unix that finds ports and services available via IP
7. Hping2 - powerful Unix based tool used to gain important information about a network
8. P0F - A versatile passive OS fingerprinting tool
9. Netcat - others have quoted this application as the Swiss Army knife of network utilities
10. Ping - Available on most every platform and operating system to test for IP connectivity
11. Traceroute - maps out the hops of the network to the target device or system
12. Tcptraceroute - traceroute implementation using TCP packets
13. Queso - can be used for operating system fingerprinting
14. WebInspect Vulnerability Scanner
15. Assuria System Scanner
16. Microsoft baseline analyzer - Specific for Microsoft O/S based system
17. Patchlink - for assessing patch status
18. nCircle IP360
19. Nikto - Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other problems
20. Curl - command line tool for transferring files with URL syntax
21. BurpSuite - Burp Suite is an integrated platform for attacking web applications
22. Ollydbg - debugger that emphasizes binary code analysis, which is useful when source code is not available
23. SNMP walk - To audit SNMP enabled devices
24. Cain & Abel - The top password recovery tool for Windows
25. Brutus - This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof
26. LC4 - the award-winning password auditing and recovery application, L0phtCrack.
27. Legion - SMB based tool
28. GetAcct - shows anonymous login information
29. Pwdump - A Windows password recovery tool
30. AMAP - Application mapper to verify the actual services running on the open port
31. Nslookup - Available on Unix and Windows Platforms
32. Whois Database - Available via any Internet browser client
33. ARIN - Available via any Internet browser client
34. Dig - Available on most Unix platforms and some web sites via a form
35. Web Based Tools - Hundreds if not thousands of sites offer various recon tools
36. Social Engineering - People are an organization's greatest asset, as well as their greatest risk
37. Wireshark - It can scan wireless and Ethernet data and comes with some robust filtering capabilities.
38. Network Stumbler a.k.a NetStumbler - Windows based tool easily finds wireless signals being broadcast within range
39. Kismet - One of the key functional elements missing from NetStumbler is the ability to display Wireless Networks that are not broadcasting their SSID.
40. Airsnort - very easy to use tool that can be used to sniff and crack WEP keys. While many people bash the use of WEP, it is certainly better than using nothing at all.
41. AiroPeek / Omnipeek - Sniffing & network health checkup tool
42. CowPatty - Is used as a brute force tool for cracking WPA-PSK, considered the New WEP for home Wireless Security.
43. ASLeap - If a network is using LEAP, this tool can be used to gather the authentication data that is being passed across the network, and these sniffed credentials can be cracked. LEAP doesn't protect the authentication like other real EAP types, which is the main reason why LEAP can be broken
44. Cheops-ng - Cheops-ng is a Network management tool for mapping and monitoring your network. It has host/network discovery functionality as well as OS detection of hosts

Commercial Tools :
1. Nessus Security Scanner (Professional feed) - Professional Vulnerability Scanner

Proprietary Tools :
1. CyberQ vulnerability database
2. Scripts for safe exploitation of vulnerabilities
3. CyberQ checklists

6. Information Security Audit Methodology : CISA, Own (CyberQ Method)
7. Information Security Audits carried out since empanelment till now :
   Govt. : 458
   PSU : 45
   Private : 29
   Total Nos. of Information Security Audits : 532
8. Business domain of auditee organisations : PKI, Consultancy, Software Development, Telecom, Financial Institutions, Government, PSUs, Energy, BPO/KPO, Manufacturing Design.
9. Typical applications in use by auditee organisations : PKI, ERP, Web, Client Server, MIS, Network Security Audit.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 2000
   No. of servers : 110
   No. of switches : 60
   No. of routers : 65
   No. of firewalls : 1
   No. of IDS' : 0
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Computer Science Corporation India Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Computer Sciences Corporation India Pvt. Ltd. NOIDA
2. Carrying out Information Security Audits since : 2005
3. Technical manpower deployed for information security audits :
   CISSPs : 10
   BS7799 / ISO27001 LAs : 10
   CISAs : 9
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 31
4. Outsourcing of External Information Security Auditors / Experts : NO
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 7
   Commercial : 5
   Proprietary : 2
   Total Nos. of Audit Tools : 14

Details of the Audit Tools

Freeware
1. Nmap
2. Hydra
3. John the Ripper
4. Cain & Abel
5. Wireshark
6. Ettercap
7. Firewalk

Commercial
1. McAfee Foundstone
2. Cenzic Hailstorm Pro
3. Tenable Nessus Pro
4. Metasploit Pro
5. MetaGeek Chanalyzer Pro

6. Information Security Audit Methodology : Based on ISO 27001
7. Information Security Audits carried out so far :
   Govt. : 0
   PSU : 0
   Private : 5
   Total Nos. of Information Security Audits done : 5
8. Business domain of auditee organisations : Visa and Immigration Services, Cloud Computing, BPO, Software development
9. Typical applications in use by auditee organisations : Web and E-commerce applications, Client server
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 16 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 15000
   No. of Servers : 64
   No. of Switches : 168
   No. of Routers : 8
   No. of Firewalls : 8
   No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Cyber Security Works Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Cyber Security Works Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : October 2008
3. Technical manpower deployed for information security audits :
   CISSPs : 3
   CISAs : 2
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 8
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 19
   Commercial : 6
   Proprietary : 4
   Total Nos. of Audit Tools : 29

Details of audit tools

Freeware Tools:
1. NMap
2. Paros Proxy
3. X-Scan
4. Wikto
5. Wire Shark
6. SQL Power Injector
7. Metasploit
8. Tamper Data
9. SNMP Tool
10. Netcat
11. Dump Sec
12. Look[at]Lan
13. Nipper
14. Kismet
15. Airsnort
16. SQLmap
17. Dsniff
18. Scuba
19. DB Audit

Commercial Tools:
1. Webinspect
2. Retina
3. Languard
4. Acunetix
5. Nessus
6. Network Director

Proprietary Tools:
1. WEBSPLOIT™ (Vulnerability Assessment and Penetration Mining Engine)
2. VAPSPLOIT™ (Web Apps Vulnerability Assessment & Penetration Framework)
3. DPT™ (Dynamic Penetration Testing Toolkit)
4. DCAT™ (Digital Crime Analysis Tracking Toolkit)

6. Information Security Audit Methodology : OWASP, ISO27001, COBIT
7. Information Security Audits carried out so far :
   Govt. : 6
   PSU : 2
   Private : 6
   Total Nos. of Information Security Audits done : 14
8. Business domain of audited organizations : Banking, Financial, Power and Energy, Government, eGovernance, Media, ISP
9. Typical applications in use by audited organizations : ERP, Web Based, Client-Server
10. Typical bandwidth (maximum) of any audited organizations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 140 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 8000
   No. of Servers : 400
   No. of Switches : 100
   No. of Routers : 60
   No. of Firewalls : 1
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Deccan Infotech Pvt Ltd
Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : Deccan Infotech (P) Ltd, Bangalore
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 2
   CISAs : 5
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 9
4. Outsourcing of External IT Security Auditors / Experts : No

Security Audit Tools used (owned, in possession) :
   Freeware : 26
   Commercial : 10
   Proprietary : 0
   Total Nos. of Audit Tools : 36

Details of the Audit Tools

Freeware
1. NMAP - Scan Network for Specific Information like logical existence of active reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability assessment tools, Patch management and password auditing. Different kinds of scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
2. Demon dialer - War Dialers
3. Dsniff - Sniffers
4. Snort - Sniffers
5. Ethereal - Sniffers
6. WinDump - Sniffers
7. Etherpeek - Sniffers
8. ARP Spoofing - Sniffers
9. Man-in-the middle SMB/relay / SMB grind - Man in the middle attacks involves positioning oneself between two systems and actively participating in the connection to gather data
10. AKL - Key Loggers: used to monitor and record keystrokes, keyword detection, screen activity, all applications, emails, chat clients etc.
11. Hunt - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active sessions.
12. TTY Watcher - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active sessions.
13. T-Sight - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active sessions.
14. IIS Hack/IIS - Buffer Overflow
15. KOEI.exe / ISAPI DLL - Buffer Overflow
16. IIS exploit - Buffer Overflow
17. IIS Crack - Buffer Overflow
18. IPP Printer Buffer Overflow - Buffer Overflow
19. Web Cracker - Web based password cracking
20. Brutus - Web based password cracking
21. Munga Bunga - Web based password cracking
22. SQL Injection - Attack methodology that targets the data residing in the database through the firewall that shields it.
23. Trojan maker - Creating Viruses, worms and trojans
24. Sub Seven - Creating Viruses, worms and trojans
25. LOKI - Creating Viruses, worms and trojans
26. 007 shell - Creating Viruses, worms and trojans

Commercial
1. Symantec Net Recon - Scan Network for Specific Information like logical existence of active reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability assessment tools, Patch management and password auditing. Different kinds of scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
2. Shadow Security Scanner - Scan Network for Specific Information like logical existence of active reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability assessment tools, Patch management and password auditing. Different kinds of scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
3. GFI Languard scanner - Scan Network for Specific Information like logical existence of active reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability assessment tools, Patch management and password auditing. Different kinds of scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
4. Netscan Pro - Scan Network for Specific Information like logical existence of active reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability assessment tools, Patch management and password auditing. Different kinds of scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
5. IP-eye - Scan Network for Specific Information like logical existence of active reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability assessment tools, Patch management and password auditing. Different kinds of scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
6. DOS & DDOS - Involves breaking into several machines all over the internet. Then the attacker installs software for DDOS like Ping of death, SSPING, SMURF, LAND EXPLOIT, SYN FLOOD, etc. to launch coordinated attacks on victim's computer
7. LOPHT Crack - Password crackers: use a combination of dictionary and brute force attacks, commonly used words list.
8. John the Ripper - Password crackers: use a combination of dictionary and brute force attacks, commonly used words list.
9. Spector Soft - Key Loggers: used to monitor and record keystrokes, keyword detection, screen activity, all applications, emails, chat clients etc.
10. E-Blaster - Key Loggers: used to monitor and record keystrokes, keyword detection, screen activity, all applications, emails, chat clients etc.

5. Security Audit Methodology : COBIT, BS7799, ISO27001, OWASP, OCTAVE, OSSTM
6. Security Audits carried out since empanelment till now :
   Govt. : 0
   PSU : 2
   Private : 0
   Total Nos. of Security Audits : 2
7. Business domain of auditee organisations : Banking, Shipping, BPO
8. Typical applications in use by auditee organisations : Core Banking, HelpDesk
9. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
   No. of servers : 4
   No. of Computer Systems : 800
   No. of routers : 0
   No. of switches : 1
   No. of firewalls : 1
   No. of IDS' : 1
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Deloitte Touche Tohmatsu India Pvt. Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organization : Deloitte Touche Tohmatsu India Pvt. Ltd
2. Carrying out Information Security Audits since : 1999
3. Technical manpower deployed for information security audits :
   CISSPs : 17
   BS7799 / ISO27001 LAs : 24
   CISAs : 100
   DISAs / ISAs : 100
   Total Nos. of Technical Personnel : 290
4. Outsourcing of External Information Security Auditors / Experts : Not Applicable.
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 27
   Commercial : 9
   Proprietary : 3
   Total Nos. of Audit Tools : 39

List of Tools used Freeware: Xprobe Dnssecwalker Tcpdump/tcpshow Dsniff Ettercap Ethereal Fping/ Hping Queso Nmap SuperScan Netwag Firewalk Q-Tip Jack the Ripper Crack 5.0a NGS SQLCrack Hydra Cain and Abel

Commercial: AppScan, LC4 (formerly L0phtcrack), Nessus, Internet Security Scanner, IP-Traf, Firewalk, Iris, WS Ping ProPack, SolarWinds

6. Information Security Audit Methodology : Own : Deloitte Methodology (Please refer Annexure I)
7. Information Security Audits carried out so far :
   Govt. : 5+
   PSU : 15+
   Private : 150+
   Total Nos. of Information Security Audits done : 170+
8. Business domain of auditee organizations : Banking & Finance, Information Technology, Third Party Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.
9. Typical applications in use by auditee organizations : Enterprise Resource Planning (ERPs), Web Services & Web Applications etc.
10. Typical bandwidth (maximum) of any auditee organizations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : > 70000
   No. of Servers : 500
   No. of Switches : 100
   No. of Routers : 50
   No. of Firewalls : 25
   No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Digital Age Strategies Pvt Ltd
Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : Digital Age Strategies Pvt. Ltd., Bangalore
2. Carrying out Information Security Audits since : March 2004
3. Technical manpower deployed for security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 5
   CISAs : 10
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 17
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 11
   Commercial : 3
   Proprietary : 0
   Total Nos. of Audit Tools : 14

Details of the Audit Tools

Freeware
1. Winaudit Ver 2.00 - System & HW Audit

Commercial
1. Idea 2004 - ETL & Data Format
2. Iaudit Net Ver 1.02 - ETL & Data Integrity

6. Security Audit Methodology : CoBIT, OWASP, ISACA, ISO 27001
7. Security Audits carried out since empanelment till now :
   Govt. : 167
   PSU : 112
   Private : 412
   Total Nos. of Security Audits : 691
8. Business domain of auditee organisations : Bank, Stock Exchange, BPO, Government, Financial Sector, Insurance and Manufacturing.
9. Typical applications in use by auditee organisations : Internet Banking / Core Banking Application Package, TBA Packages, Web Applications, Online Trading Packages.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of servers : 50
   No. of Computer Systems : 4030
   No. of routers : 443
   No. of switches : 485
   No. of firewalls : 7
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Ernst & Young Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name, Location of the empanelled IT Security Auditing organisation : Ernst & Young Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : January 2001
3. Technical manpower deployed for IT security audits :
   CISSPs : 9
   BS7799 / ISO27001 LAs : 2
   CISAs / CISM : 65
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 145
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
   Freeware : 9
   Commercial : 8
   Proprietary : 9
   Total Nos. of Audit Tools : 26

Details of the IT Security Audit Tools

Freeware
1. Nmap - Port scanner
2. Nessus - Vulnerability scanner
3. Nikto - Web server/application vulnerability scanner
4. Ethereal - Protocol analyzer
5. Somersoft - Security configuration, registry entries and access control lists on systems running the Windows operating system.

Commercial
1. App Detective - Vulnerability assessment and review of security configuration of MySQL, Oracle, Sybase, IBM DB2, MS SQL Server, Lotus Notes/Domino, Oracle Application Server, Web Applications.
2. Bv-Control Suite - Security assessment - Microsoft Windows, Active Directory, Microsoft Exchange, Microsoft SQL Server, UNIX (Sun Solaris, HP-UX, AIX, Red Hat and SUSE Linux), Internet Security, Check Point Firewall I
3. HP WebInspect - Web Application Security assessment
4. IPLocks VA - Database configuration and vulnerability assessment
5. eEye Retina - Network Security scans and IT infrastructure vulnerability assessment
6. Immunity Canvas - Vulnerability exploitation framework for penetration tests
7. eTrust - Online vulnerability management framework.
8. Bv-Control - Security and segregation of duty review for SAP

Proprietary
1. iNTerrogator - Review of security configuration of systems running the Windows operating system.
2. *nix scripts - A collection of scripts to assess the security configuration including file level ACLs on *nix systems (SCO OpenServer, Linux, HP-UX, AIX, Solaris, *BSD).
3. Spider - Web application security assessment
4. FakeOra - Security assessment of 2-tier applications that use Oracle 8i (and above) as RDBMS.
5. S-SAT - A travelling SAP Security tool.
6. Permit - ERP risk assessment and control solution tool.
7. Assessor - Configuration review of Oracle Financials system.
8. WebSmack - Web Application inventory and vulnerability assessment.
9. EY/Mercury - Web based technical work plan generator to perform security configuration review of IT infrastructure.

6. IT Security Audit Methodology : Beyond Standard
7. IT Security Audits carried out since empanelment till now :
   Govt. : 4
   PSU : 7
   Private : 68
   Total Nos. of Security Audits : 79
8. Business domain of auditee organisations : Banking, Financial Services, Software Development, Telecom, FMCG, Manufacturing.
9. Typical applications in use by auditee organisations : Online Banking Solutions, Stock Trading Platforms, Online / Mobile Payment Solutions, ERP, CRM, Billing Systems, Corporate Websites.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 150 Mbps
   External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 10000
   No. of servers : 600
   No. of switches : 400
   No. of routers : 400
   No. of firewalls : 15
   No. of IDS' : 24
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Financial Technologies(India)Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Financial Technologies(India)Ltd, Mumbai
2. Carrying out Information Security Audits since : 2003.
3. Technical manpower deployed for information security audits :
   CISSPs / CISMs : 5
   BS7799 / ISO27001 LAs : 6
   CISAs : 14
   DISAs / ISAs : 4
   Total Nos. of Technical Personnel : 78
4. Outsourcing of External Information Security Auditors / Experts : NA
   Information Security Audit Tools used (owned, in possession) :
   Freeware : 15
   Commercial : 3
   Proprietary : 2
   Total Nos. of Audit Tools : 20

List of Tools used

Freeware:
Nmap - Port scanner
netcat - Networking Utility
SNMP Scanner - Router and network management
Metasploit - Penetration testing tool
RAT - Cisco Router configuration analyzing tool
MBSA - Windows Security Assessment
Wireshark - Network Traffic sniffing tool
Wikto - Web application scanner
John the Ripper - Password cracking tool
Acunetix - Web application scanner
Firefox with addons - Source code reviewing tool
DumpSec - Windows Security Assessment
Achilles - Proxy application
Brutus - Password cracking tool
Hping2 - Packet crafting tool

Commercial:
Nessus - Network / OS Vulnerability Assessment tool
HP Web inspect - Web application scanner
Network General's Sniffer with WAN book - Sniffer Portable - Network fault and performance management tool

5. Information Security Audit Methodology : ISO / IEC 27001:2005, COBiT, PCIDSS, OWASP.
6. Information Security Audits carried out so far :
   Govt. : 1
   PSU : 0
   Private : 25
   Total Nos. of Information Security Audits done : 26
7. Business domain of auditee organisations : Banks, Insurance Co.s, Asset Management co.s, Financial Institutions, Brokerage Firms, Manufacturing, Media, Government, Retail.
8. Typical applications in use by auditee organisations : Multi tier, Client Server, Web Applications, Databases, SAP, ERP, CRM.
9. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 gbps
   External Bandwidth (WAN / Internet) : 40 mbps
10. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 1000
   No. of Servers : 100
   No. of Switches : 40
   No. of Routers : 75
   No. of Firewalls : 4
   No. of IDS' : 2
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Haribhakti & Co.

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Haribhakti & Co. (CA), Mumbai
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for Information security audits :
   CISSPs : 0
   BS7799 / ISO27001 LAs : 3
   CISAs : 10
   DISAs / ISAs : 6
   Total Nos. of Technical Personnel : 21
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 3
   Commercial : 3
   Proprietary : 0
   Total Nos. of Information Security Audit Tools : 6

Details of the Information Security Audit Tools

Freeware Tools
1. Nessus - Vulnerability Assessment
2. NMAP - Port Scanner
3. IP Tools - Network

Commercial Tools
1. App Detective - Database Vulnerability
2. GFI-Languard - Network Vulnerability
3. Acunetix

Proprietary Tools
None

6. Information Security Audit Methodology : COSO & COBIT, ISO 27001, BS 25999
7. Information Security Audits carried out since empanelment till now :
   Govt. : 4
   PSU : 8
   Private : 24
   Total Nos. of Security Audits : 26
8. Business domain of auditee organisations : Tax Information Network, Depository, Banking & Financial Services, Insurance, Call Centres, Regulators
9. Typical applications in use by auditee organisations : Online/Internet Trading, Dealing Room, Depository Participant Modules, Treasury, CBS, Core Insurance, Bank Call Centre, Electronic Procurement, OLTAS
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 300
   No. of servers : 20
   No. of switches : 10
   No. of routers : 300
   No. of firewalls : 3
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/S HEXAWARE TECHNOLOGIES LTD

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation 1. 2. 3. Name & location of the empanelled Information Security Auditing Organisation : M/S HEXAWARE TECHNOLOGIES LTD Carrying out Information Security Audits since : 2003 Technical manpower deployed for information CISSPs : BS7799 / ISO27001 LAs : CISAs : DISAs / ISAs : CEHs : LPT : CPTS : Total Nos. of Technical Personnel security : : : : : : : : audits : 1 3 4 4 1 (Licensed Penetration Tester) 1 (Certified Penetration Testing Specialist) 25

4. Outsourcing of External Information Security Auditors / Experts : NIL
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 25
   Commercial : 4
   Proprietary :
   Total Nos. of Audit Tools : 29

Details of the Audit Tools

Freeware:
1. Nmap
2. Nping
3. Ncat
4. Nikto
5. NetStumbler
6. Wireshark
7. W3af
8. Metasploit
9. Paros Proxy
10. BackTrack
11. Tcpdump
12. Sqlmap
13. ScanDNS
14. Grendel
15. DirBuster
16. Brutus
17. Samurai Web Testing Framework
18. Crack
19. Google
20. Whisker
21. CrypTool
22. TCPtraceroute
23. NStalker
24. Snort
25. John the Ripper

Commercial:
1. Acunetix
2. Nessus
3. Saint
4. GFI Languard

6. 7.

Information Security Audit Methodology : Information Security Audits carried out so far : Govt. PSU Private Total Nos. of Information Security Audits done Business domain of auditee organisations :

ISO27001, OWASP : : : : 1 25+ 26+

8. 9.

IT and Process Outsourcing Services

Typical applications in use by auditee organisations : Peoplesoft HRMS, Peoplesoft Finance, Microsoft CRM, Glodyne Whizible Suite, Borland StarTeam, MS Exchange

10. Typical bandwidth (maximum) of any auditee organisations : Internal Bandwidth (LAN / Intranet) : 80 mbps External Bandwidth (WAN / Internet) : 35 mbps 11. Networked Infrastructure details of an organizations audited with most complex network : No. of Computer Systems : 5000 No. of Servers : 300 No. of Switches : 300 No. of Routers : 20 No. of Firewalls : 10 No. of IDS / IPS : 4 12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s HCL Comnet Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : HCL Comnet Ltd., Noida
2. Carrying out Information Security Audits since : January 2001
3. Technical manpower deployed for information security audits :
   CISSPs : 10
   BS7799 / ISO27001 LAs : 9
   CISAs : 6
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 350
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 21
   Commercial : 9
   Proprietary : 0
   Total Nos. of Audit Tools : 30

Details of the Audit Tools

Freeware
1. Nessus -- Vulnerability Assessment
2. Database Scanner -- Vulnerability Assessment
3. NetRecon -- Vulnerability Assessment
4. Metasploit -- Penetration Testing
5. Underground Script -- Penetration Testing
6. Wax -- Penetration Testing
7. IMP -- Password Crackers for Penetration Testing
8. Pandora -- Password Crackers for Penetration Testing
9. Crack -- Password Crackers for Penetration Testing
10. John the Ripper -- Password Crackers for Penetration Testing
11. Cisco Crack -- Password Crackers for Penetration Testing
12. Nmap -- Port Scanners
13. Super Scan -- Port Scanners
14. Service Scanner -- Port Scanners
15. Cis-Rat -- to perform audit for Cisco Routers and PIX Firewall by assessing configuration files.
16. nslookup -- to perform initial information gathering of the Network.
17. Ping -- to perform initial information gathering of the Network.
18. traceroute -- to perform initial information gathering of the Network.
19. Whois -- to perform initial information gathering of the Network.
20. Finger -- to perform initial information gathering of the Network.

Commercial
1. ISS -- Vulnerability Assessment
2. Qualys Guard -- Vulnerability Assessment
3. Core Impact -- Penetration Testing
4. L0phtCrack -- Password Crackers for Penetration Testing
5. Apps Scan -- Application Assessment
6. Web Inspect -- Web Application Assessment
7. App Detective -- Application and Database Assessment

6. Information Security Audit Methodology : Own
7. Information Security Audits carried out since empanelment till now :
   Govt. : 0
   PSU : 0
   Private : 55
   Total Nos. of Security Audits : 55
8. Business domain of auditee organisations : Banking & Finance, SW, Manufacturing & Development, IT & ITES
9. Typical applications in use by auditee organisations : NA
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 1 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 500
   No. of servers : 30
   No. of switches : 45
   No. of routers : 2
   No. of firewalls : 3
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s IBM India Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : IBM India Pvt Ltd, Mumbai
2. Carrying out Information Security Audits since : Year 2000
3. Technical manpower deployed for information security audits :
   CISSPs : 15
   BS7799 / ISO27001 LAs : 30
   CISAs : 15
   DISAs / ISAs : NA
   Total Nos. of Technical Personnel : 400
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 14
   Commercial : 6
   Proprietary : 5
   Total Nos. of Audit Tools : 25

List of Tools used

Freeware:
1. Metasploit : Penetration Testing Framework
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Wireshark - Protocol analyzer
5. MBSA : Windows security assessment
6. Nikto : Web Applications security
7. SNMPWalk : Router and network management
8. CAIN & Able : Traffic sniffing and Password cracking
9. Brutus : Password cracking
10. JohntheRipper : Password cracking
11. W3AF : Application auditing framework
12. Maltego : Intelligence and forensics application.
13. Unicornscan : Port Scanner and Information gathering.
14. Burp : Web proxy tool.

Commercial:
1. Nessus : Network Vulnerability Assessment
2. IBM Appscan : Web Systems & Applications security
3. Retina : Vulnerability Scanner
4. ISS : Vulnerability Scanner
5. Immunity Canvas : Penetration Testing Framework
6. Modulo : GRC Framework

Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment

6. Information Security Audit Methodology : ISO27001, COBIT, ISF (IBM Security framework), OWASP, IBM Penetration Testing methodology.
7. Information Security Audits carried out so far :
   Govt. : 5
   PSU : 5
   Private : 50
   Total Nos. of Information Security Audits done : 60
8. Business domain of auditee organisations : Government, PSU, ITES, Manufacturing, Financial Services, Banking, Telecom
9. Typical applications in use by auditee organisations : Web Applications, Client Server, Banking, ERP, CRM, telecom Applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps- 1Gbps
   External Bandwidth (WAN / Internet) : 2Mbps to 10 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 2500
   No. of Servers : 250
   No. of Switches : 200
   No. of Routers : 80
   No. of Firewalls : 15
   No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s IDBI Intech Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : IDBI Intech Ltd.
2. Carrying out Information Security Audits since : November 2007
3. Technical manpower deployed for information security audits :
   CISA : 15
   CRISC : 2
   CGEIT : 2
   CEH : 5
   BS25999 : 1
   Managed Security Service Professional : 11
   BS7799/ISO27001 LA's : 7
   Total Nos. of Technical Personnel : 900 +
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 17
   Commercial : 2
   Proprietary : 1
   Total Nos. of Audit Tools : 20 (Details in the Attached File)

Details of the Audit Tools

Freeware
1. Nmap - Port scanning & OS fingerprinting Tool
2. Nessus - Vulnerability Scanning Tool
3. Webscarab - Captures the request & tests the parameter manipulation
4. Burp proxy - Captures the request & tests the parameter manipulation
5. Wireshark - Sniffs the data flowing on the network
6. Hydra - Password brute forcing
7. W3af - Application Security Scanner
8. Crowbar - Password brute forcing
9. Paros - A web application vulnerability assessment proxy
10. Wapiti - Checks the SQL injection
11. Nikto - Checks the web directory browsing
12. Metasploit - Exploits vulnerabilities that exist in the applications
13. OpenVas - Vulnerability Scanning
14. Grendelscan - Performs application security testing
15. SQLbrute - Checks the SQL injection vulnerabilities
16. SQLiX - Checks the SQL injection vulnerabilities
17. Httprint - Webserver fingerprinting

Commercial
ACL Desktop Edition : Auditing Tool for Data Analysis, Data Cleansing and Exception Reporting from ACL Services Ltd.

Proprietary
Customized script to perform the relay check & DNS checks

6. Information Security Audit Methodology : Own; also COBIT, ISO27001, PCI-DSS, OWASP and OSSTMM.
7. Information Security Audits carried out since empanelment till now :
   Govt. : 5
   PSU : 9
   Private : 7
   Total Nos. of Security Audits : 26
8. Business domain of auditee organisations : Banking and Financial services
9. Typical applications in use by auditee organisations : Finacle CBS, NSIPO, BSE Back office software, ICRA Online MF, Endorser, Crimson logic Stamping, Snorkel, Transnet, Lidha-Didha and Other In-House developed Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 256 kbps
   External Bandwidth (WAN / Internet) : 8mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 2000
   No. of servers : 150
   No. of switches : 250
   No. of routers : 250
   No. of firewalls : 1
   No. of IDS : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Indusface Consulting Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Indusface Consulting Pvt Ltd, Baroda
2. Carrying out Information Security Audits since : July 2004
3. Technical manpower deployed for information security audits :
   CISSPs : 8
   BS7799 / ISO27001 LAs : 12
   CISAs : 1
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 40
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 40
   Commercial : 2
   Proprietary : 0
   Total Nos. of Audit Tools : 42

Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : ISO27001, COBIT, OWASP, OSSTMM, PCI
7. Information Security Audits carried out since empanelment till now :
   Govt. : 250
   PSU : 35
   Private : 15
   Total Nos. of Information Security Audits done : 300
8. Business domain of auditee organisations : Finance, Healthcare, Government, Software / ITES, Manufacturing, Power (Energy-utilities), Banking
9. Typical applications in use by auditee organisations : Banking, Web 2.0, Billing, PKI, Oracle ERP, VAT, Document Management System, Content Management System, e-Tender
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 6 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 1500
   No. of servers : 90
   No. of switches : 30
   No. of routers : 4
   No. of firewalls : 4
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Information Systems Auditors & Consultants Pvt Ltd

Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Information Systems Auditors & Consultants Pvt Ltd, Mumbai
2. Carrying out Information Security Audits since : July 1997
3. Technical manpower deployed for information security audits :
   CISSPs : 1
   BS7799 / ISO27001 LAs : 1
   CISAs : 5
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to other external Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 6
   Commercial : 0
   Proprietary : 0
   Total Nos. of Audit Tools : 6

Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT
7. Information Security Audits carried out since empanelment till now :
   Govt. : 1
   PSU : 2
   Private : 13
   Total Nos. of Security Audits : 16
8. Business domain of auditee organisations : IT Governance, Banking, Pharma
9. Typical applications in use by auditee organisations : Banking, ERP, web, MIS
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 16 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 2000
   No. of servers : 55
   No. of switches : 200
   No. of routers : 175
   No. of firewalls : 2
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s iSec Services Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : iSec Services Pvt Ltd, Mumbai
2. Carrying out Information Security Audits since : January, 2003
3. Technical manpower deployed for information security audits :
   CISSPs : 1
   BS7799 / ISO27001 LAs : 8
   CISAs : 1
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 14
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 25
   Commercial : 0
   Proprietary : 0
   Total Nos. of Audit Tools : 25

Details of the Audit Tools

Freeware :
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping - TCP ping utility
    Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files, etc.). facilitate the interception of network traffic normally unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. John the Ripper - Password-cracking utility
14. Paros
15. NMAP - The famous port-scanner
16. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
17. Nemesis - Packet injection suite
18. NetCat - Swiss Army-knife, very useful
19. RAT - CISecurity's Router Auditing Tool
20. DSniff - A collection of different purpose sniffers
21. Achilles - An SSL-proxy allowing to change data
22. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
23. Brutus - password cracking for web applications, telnet, etc.
24. WebSleuth - web-app auditing tool
25. Metasploit framework

Commercial : None
Proprietary : None

6. Information Security Audit Methodology : OSSTMM, OWASP, COBIT
7. Information Security Audits carried out so far :
   Govt. : 0
   PSU : 0
   Private : 15
   Total Nos. of Information Security Audits done : 15
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Software development, Business process outsourcing
9. Typical applications in use by auditee organisations : Banking and Financial Applications, Trading Software
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 12000
   No. of Servers : 150
   No. of Switches : 100
   No. of Routers : 40
   No. of Firewalls : 8
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s iViZ Techno Solutions Pvt Ltd


M/s KPMG

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : KPMG, Gurgaon
2. Carrying out Information Security Audits since : September 1996
3. Technical manpower deployed for Information security audits :
   CISSPs : 17
   BS7799 / ISO27001 LAs : 17
   CISAs : 50
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 200
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 19
   Commercial : 12
   Proprietary : 7
   Total Nos. of Information Security Audit Tools : 38

Details of the Information Security Audit Tools

Freeware Tools :
1. NMAP - Network security
2. NetStumbler - Network security
3. AirSnort - Network security
4. SuperScan - Network security
5. Nikto - Web Systems & Applications security
6. THC - Web Systems & Application security
7. CIS - Local Systems & Applications security
8. As400 - Local Systems & Applications security
9. CAIN - Password cracking
10. Brutus - Password cracking
11. JohntheRipper - Password cracking
12. SNMPWalk - Router and network management
13. SNMP Scanner - Router and network management
14. RIP query - Router and network management
15. RAT - Router and network management
16. DumpSec - Windows security
17. Wireshark - Network sniffing
18. MBSA - Windows security
19. SQL Scan - Database security

Commercial Tools :
1. ISS Internet - Network security
2. Webinspect - Web Systems & Applications security
3. AppScan - Web Systems & Applications security
4. Bindview - Local Systems & Applications security
5. ISS DB - Database Security
6. AppDetective - Database Security
7. Nessus - Network security
8. Power Tech
9. VeloSecure
10. IPLocks - Database Security
11. Qualys Guard
12. Core Impact

Proprietary Tools :
1. *nix Scripts - Security Configuration review of *nix systems
2. Database Scripts - Security Configuration review of databases
3. SAP Security Explorer - Security and Configuration review of SAP
4. CHILLI (V. 1.2.0) - Network Discovery
5. OSCR - Oracle Security Review
6. KPMG Application Quality Assessment Tool
7. AS/400 User Profile Analysis - Security Review

6. Information Security Audit Methodology : Beyond Standard, COBIT, ISO27001
7. Information Security Audits carried out since empanelment till now :
   Govt. : 10
   PSU : 50
   Private : 230
   Total Nos. of Security Audits : 290
8. Business domain of auditee organisations : Financial Services, InfoTech, Communication, Entertainment, Infrastructure, Government, Marketing
9. Typical applications in use by auditee organisations : ERP, Email, Client-Server, Web based, Workflow, Collaboration
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 20000
   No. of servers : 400
   No. of switches : 150
   No. of routers : 80
   No. of firewalls : 30
   No. of IDS' : 45
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Locuz Enterprise Solutions Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Locuz Enterprise Solutions Ltd, Hyderabad
2. Carrying out Information Security Audits since : August 2001
3. Technical manpower deployed for security audits :
   CISSPs : 1
   BS7799 / ISO27001 LAs : 4
   CISAs : 3
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 35
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 6
   Commercial : 5
   Proprietary : 1
   Total Nos. of Audit Tools : 12

Details of the Information Security Auditing Tools

Freeware Tools
1. OSSIM : Network & System Scan + SCM + SIM
2. Nmap : Network Scan
3. AirSnort : Network Scan
4. Ethereal : Sniffing
5. Metasploit : PT
6. Crack

Commercial Tools
1. Locuz/Cisco PSA : Network and all Cisco device scans
2. CA-eTrust SCC : SOC with correlation engine
3. OCTAVE : Risk Management
4. Nessus : Vulnerability Assessments Scan
5. F1 : VA and Firewall Analyzer

Proprietary Tools
1. LITOC : Event correlation, Scan and Remediation

6. Security Audit Methodology : Own
7. Security Audits carried out since empanelment till now :
   Govt. : 20
   PSU : 2
   Private : 15
   Total Nos. of Security Audits : 37
8. Business domain of auditee organisations : Software Development, Banking, Manufacturing, eCommerce, e-Governance, Pharmaceuticals
9. Typical applications in use by auditee organisations : ERP, Banking, e-Commerce, Customised applications.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 2 Mbps
   External Bandwidth (WAN / Internet) : 6 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of servers : 370
   No. of Computer Systems : 1800
   No. of routers : 6
   No. of switches : 22
   No. of firewalls : 4
   No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Microland Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : Microland, Bangalore
2. Carrying out Information Security Audits since : December 1998
3. Technical manpower deployed for security audits :
   CISSPs : 3
   BS7799 / ISO27001 LAs : 6
   CISAs : 2
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 25
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 12
   Commercial : 0
   Proprietary : 0
   Total Nos. of Audit Tools : 12

Details of the Information Security Audit Tools

Freeware Tools

Vulnerability Assessment and Penetration Testing
1. Nessus : Vulnerability scanner - Port scan / Vulnerability scan / web application security scan
2. Nikto : Web application vulnerability scanner
3. Superscan : Port scanner
4. Dsniff : collection of tools for network auditing and penetration testing
5. Whisker/Libwhisker : CGI vulnerability scanner
6. Network Stumbler : Tool to find open wireless access points
7. SARA : vulnerability assessment tool
8. Achilles : Web application security - proxy
9. Brutus : Password brute forcing tool
10. SPIKE Proxy : HTTP proxy for finding security flaws in web sites
11. Winfingerprint : Win32 Host/Network Enumeration Scanner
12. Auditor : Collection of Tools to conduct security audit.

Footprinting
1. Greenwich
2. Whois

3. Gnetutil : Network Utilities
4. Itrace : ICMP traceroute
5. Tctrace : TCP traceroute
6. Traceroute
7. DNSwalk : DNS verification
8. Dig : DNS lookup
9. Host : DNS lookup
10. NSTXCD : IP over DNS client
11. NSTXD : IP over DNS server
12. Ozyman : DNS tunnel
13. Curl : URL transfer
14. Elinks : Console web browser
15. Konqueror : Web browser
16. Socat : Socket Cat
17. Stunnel : Universal SSL tunnel
18. Arpfetch : SNMP ARP/IP fetcher
19. SNMP Walk : SNMP tree walk
20. TKMib : Mib browser
21. Komba2 : KDE SMB browser
22. LinNeighborhood : Graphical SMB browser
23. Net utils : NET utilities
24. SMBClient : SMB client
25. SMBGet : SMB downloader
26. Smb4K : SMB share browser
27. Xsmbrowser : Graphical SMB browser
28. nmblookup : Netbios name lookup
29. smbdumpusers : User browser
30. smbgetserverinfo : Get server info
31. Cheops : Network neighborhood
32. NTP-fingerprint : Detection based on ntp fingerprint
33. Nmap : Network scanner
34. NmapFE : Graphical network scanner
35. P0f : Passive OS detection
36. Queso : OS detection
37. XProbe2 : OS detection

Scanning
1. Cisco global exploiter : Cisco scanner
2. Cisco torch : Cisco oriented scanner
3. ExploitTree search : ExploitTree collection
4. Metasploit : Metasploit commandline

5. Metasploit : Metasploit console GUI
6. Metasploit : Metasploit web interface
7. Nessus : security Scanner
8. Raccess : remote Scanner
9. Httprint : Webserver fingerprinting
10. Nikto : Webserver scanner
11. Stunnel : Universal SSL tunnel
12. Cheops : Network neighborhood
13. GTK-Knocker : Simple GUI portscanner
14. IKE-Scan : IKE scanner
15. Knocker : Simple portscanner
16. Netenum : Pingsweep
17. Netmask : Request netmask
18. Nmap : Network Scanner
19. NmapFE : Graphical network scanner
20. Proxychains : Proxifier
21. Scanrand : Stateless scanner
22. Timestamp : Requests timestamp
23. Unicornscan : Fast port scanner
24. Isrscan : Source routed packets scanner
25. Amap : Application identification
26. Bed.pl : Application fuzzer
27. SNMP-Fuzzer : SNMP protocol fuzzer
28. ScanSSH : SSH identification
29. Nbtscan : Netbios scanner
30. SMB-Nat : SMB access scanner
31. Ozyman : DNS tunnel
32. Ass : Autonomous system scanner
33. Protos : Protocol identification

Analyzer
1. AIM-SNIFF : AIM sniffer
2. Driftnet : Image sniffer
3. Mailsnarf : Mail sniffer
4. Paros : HTTP interception proxy
5. URLsnarf : URL sniffer
6. smbspy : SMB sniffer
7. Etherape : Network monitor
8. Ethereal : Network analyzer
9. Ettercap : Sniffer/Interceptor/Logger
10. Hunt : Sniffer/Interceptor

11. IPTraf : Traffic monitor
12. Ngrep : Network grep
13. NetSed : Network edit
14. SSLDump : SSLv3/TLS analyzer
15. Sniffit : Sniffer
16. TcPick : Packet stream editor
17. Dsniff : Password sniffer

Spoofing
1. Arpspoof : ARP spoofer
2. Macof : ARP spoofer/generator
3. Nemesis-ARP : ARP packet generator
4. Nemesis-Ethernet : Ethernet packet generator
5. CDP : CDP generator
6. DNSSpoof : DNS spoofer
7. Nemesis-DNS : DNS packet generator
8. DHCPX : DHCP flooder
9. Hping2 : Packet generator
10. ICMPRedirect : ICMP redirect packet generator
11. ICMPUSH : ICMP packet generator
12. Nemesis-ICMP : ICMP packet generator
13. Packit : Traffic inject/modify
14. TcPick : Packet stream editor
15. Yersinia : Layer 2 protocol injector
16. Fragroute : Egress rewrite
17. HSRP : HSRP generator
18. IGRP : IGRP injector
19. IRDP : IRDP generator
20. IRDPresponder : IRDP response generator
21. Nemesis-IGMP : IGMP generator
22. Nemesis-RIP : RIP generator
23. File2Cable : Traffic replay
24. Fragrouter : IDS evasion toolkit
25. Nemesis-IP : IP packet generator
26. Nemesis-TCP : TCP packet generator
27. Nemesis-UDP : UDP traffic generator
28. SendIP : IP packet generator
29. TCPReplay : Traffic replay
30. Etherwake : Generate wake-on-LAN

Bluetooth

1. BTScanner : Bluetooth scanner
2. Bluesnarfer : Bluesnarf attack
3. Ghettotooth : Bluetooth scanner
4. Kandy : Mobile phone tool
5. Obexftp : Obexftp ftp client
6. Phone manager
7. RFComm : Bluetooth serial
8. RedFang : Bluetooth bruteforce
9. USSP-Push : Obex-push
10. Xminicom : Terminal

Wireless
1. apmde.sh : Act as accesspoint
2. Airpwn : Client penetration
3. Hotspotter : Client penetration
4. GpsDrive
5. start-gps-daemon : GPS daemon
6. stop-gps-daemon : GPS daemon
7. ASLeap : LEAP/PPTP cracker
8. Genkeys : Hash generator for ASLeap
9. Airforge
10. File2air : Packet injector
11. Void11
12. Void11-Hopper : Channel hopper
13. Gkismet : Graphical wireless scanner
14. GPSMAP : wireless mapping
15. KLV : Kismet Log Viewer
16. Kismet : Ncurses wireless scanner
17. Wellenreiter : Graphical Wireless scanner
18. 802ether : Dumpfile format converter
19. airodump : Traffic recorder
20. aircrack : Modern WEP cracker
21. Aireplay : Wireless packet injector
22. Wep-Crack : Wep Cracker
23. Wep_Decrypt : Decrypt dump files
24. Airsnort : GUI based WEP cracker
25. ChopChop : Active WEP attack
26. DWEPCrack : WEP cracker
27. Decrypt : Dump file decrypter
28. WEPAttack : Dictionary attack
29. WEPlab : Modem WEP cracker

30. Cowpatty : WPA PSK bruteforcer
31. changemac.sh : MAC address changer

Bruteforce
1. ADMsnmp : SNMP bruteforce
2. Guess-who : SSH bruteforce
3. Hydra : Multi purpose bruteforce
4. K0ldS : LDAP bruteforce
5. Obiwan III : HTTP bruteforce
6. SMB-Nat : SMB access scanner
7. TFTP : bruteforce
8. VNCrack : VNC bruteforce
9. Xhydra : Graphical bruteforcer

Password Cracker
1. BKHive : SAM recovery
2. Fcrackzip : Zip password cracker
3. John : Multi-purpose password cracker
4. Default password list :
5. Nasty : GPG secret key cracker
6. Rainbowcrack : Hash cracker
7. Samdump2 : SAM file dumper
8. Wordlists : Collection of wordlists

Forensics
1. Autopsy : Forensic GUI
2. Recover : Ext2 file recovery
3. Testdisk : Partition scanner
4. Wipe : Securely delete files

Honeypot
1. IMAP
2. POP3
3. Honeyd : Honeypot
4. IISEmulator : Honeypot
5. Tinyhoneypot : Simple honeypot

Commercial Tools

Proprietary Tools

6. Security Audit Methodology : BS7799, OSSTM, Own
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Petro, Banking, Insurance, BPO
9. Typical applications in use by auditee organisations : Core Banking, SAP, Workflow
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 8 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of servers : 243
No. of Computer Systems : 6000
No. of routers : 0
No. of switches : 91
No. of firewalls : 4
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s MIEL e-Security Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : MIEL e-Security, Mumbai
2. Carrying out Information Security Audits since : July 1999
3. Technical manpower deployed for information security audits :
CISSPs : 13
BS7799 / ISO27001 LAs : 25
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 50
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary : 6
Total Nos. of Audit Tools : 27

Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

Information Security Audit Methodology : OSSTMM, OWASP, ISO/IEC 27001, COBIT
6. Information Security Audits carried out since empanelment till now :
Govt. : 11
PSU : 15
Private : 110
Total Nos. of Security Audits : 136
7. Business domain of auditee organisations : BFSI, IT/ITES, Manufacturing, Shipping & Logistics, FMCG, Pharma, PSUs, Aviation, Energy
8. Typical applications in use by auditee organisations : Core Banking, Ticketing, Client-Server, Web Server
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 1000
No. of servers : 15
No. of switches : 75
No. of routers : 75
No. of firewalls : 75
No. of IDS' : 0
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Network Intelligence India Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation 1. Name, Location of the empanelled Information Security Auditing Organisation: Network Intelligence India Pvt. Ltd., Mumbai 2. Carrying out Information Security Audits since : July 2001 3. Technical manpower deployed for Information security audits : CISSPs : 2 BS7799 / ISO27001 LAs : 6 CISAs / CISMs : 2 DISAs / ISAs : 0 Total Nos. of Technical Personnel : 21 4. Outsourcing of External Information Security Auditors / Experts : No 5. Information Security Audit Tools used (owned, in possession) : Freeware : 25 Commercial : 3 Proprietary : 2 Total Nos. of Audit Tools : 30 Details of audit tools Freeware 1. Nmap 2. Nessus 3. Burpsuite 4. Firefox plugins 5. Hydra 6. Paros Proxy 7. Brutus AES 8. Ikescan 9. Ipsecscan 10. Cain & Abel 11. John the Ripper 12. Netstumbler 13. Kismet 14. WEPCrack 15. Nipper 16. RATS


17. Unix shell scripts 18. Grease Monkey 19. Wireshark 20. Wikto/Nikto 21. Netcat 22. Phonesweep 23. MBSA 24. SNMPWalk 25. Ophcrack

Proprietary

AuditPro
AuditPro Enterprise Edition is a proprietary security auditing and compliance tool used by many organizations and auditors across the world. NII has developed this proprietary technology to help organizations define assets, policies, and audit systems against these policies. Supported technologies include Windows (all versions up to 2008), Unix (Sun Solaris, AIX, Linux), Oracle (8i, 9i, 10g and 11g), and SQL Server (2000 and 2005).

Firesec
Firesec is an in-depth security and configuration audit tool for firewalls that helps review policy conflicts, unused policy rules, groupable rules and unused configuration objects, and helps check for PCI DSS compliance. Supported firewalls include Cisco, Netscreen, Cyberguard and Checkpoint.

Commercial

CodeSecure
CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for clients to ensure a comprehensive review of web application security.

GFI Languard
GFI Languard Network Security Scanner is one of the most widely used network scanners.

Appscan/Webinspect
On client request, we have experience using these tools on a pay-per-use basis.

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001, PCI DSS
7. Information Security Audits carried out so far :
Govt. : 7
PSU : 15
Private : 200
Total Nos. of Security Audits : 222
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government, FMCG, Healthcare, Retail
9. Typical applications in use by auditee organisations : Web applications, Core banking applications, ERP, CRM, Telecom-specific applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10-100 Mbps
External Bandwidth (WAN / Internet) : 2-10 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 50000
No. of servers : 500
No. of switches : 7000
No. of routers : 1500
No. of firewalls : 25
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.

M/s Netmagic Solutions Pvt. Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Netmagic Solutions Pvt. Ltd.
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
CISSP : 1
BS7799 / ISO27001 LA : 2
BS7799 / ISO27001 LI : 3
CISA : 1
CCNA : 65
CCNP : 4
CCIE : 4
CEH : 3
ITIL : 132
PMP : 6
Total Nos. of Technical Personnel : 300
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 27
Commercial : 2
Proprietary : 1
Total Nos. of Audit Tools : 30

Details of the Audit Tools

Freeware Tools 1. W3af 2. Nmap 3. Firefox with Firecat 4. Owasp CLASP 5. Themis 6. Paros

7. Burp
8. WebScarab
9. Paros
10. Websecurify
11. Owasp CSRF tester
12. SQLiX
13. Nikto
14. Labrat
15. Metasploit
16. Backtrack
17. Cain & Abel
18. Grendel Scan
19. Kismet
20. Aircrack-NG
21. Ophcrack
22. BeEF
23. CISCO OCS
24. Brutus
25. WFetch
26. NetStumbler
27. OSSEC

Proprietary : nmcrawler

Commercial :
1. Nessus
2. AppScan (Depending on customer request and engagements)

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO27001, ISO20000, COBIT.
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 5
Private : 100
Total Nos. of Information Security Audits done : 105
8. Business domain of auditee organisations : Manufacturing, IT/ITES, Media & Entertainment (including online portals), BFSI, Services, PSU, Telecommunications, etc.
9. Typical applications in use by auditee organisations : Web Applications, Web Server Applications, SAP/CRM, Mobile Applications, Security & Monitoring Apps, Thick-Client Application, Network Infrastructure Applications.

10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1GBPS
External Bandwidth (WAN / Internet) : 400MBPS
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 200
No. of Servers : 1400
No. of Switches : 25
No. of Routers : 20
No. of Firewalls : 5
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Network Security Solutions (India) Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Network Security Solutions (India) Ltd., Noida
2. Carrying out Information Security Audits since : September 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 13
CISAs : 6
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 26
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 29
Commercial : 4
Proprietary : 2
Total Nos. of Audit Tools : 35

Details of the Information Security Audit Tools

Freeware Tools
1. X-Scan
2. Hping
3. W Scanner
4. NMap
5. Metasploit
6. Burp Proxy
7. Solar Winds
8. Winhex
9. Achilles Proxy
10. N-Stealth : Security Scanner
11. Websphinx
12. Rainbow : Password Cracker
13. John the Ripper : Password Cracker
14. Stellar : Data Recovery
15. Easy : Data Recovery
16. Nikto
17. Snort
18. Ethereal
19. Backtrack 3
20. Helix
21. Auditor Pro
22. Ophcrack
23. Nessus
24. Super Scan
25. SATAN
26. Airmon
27. Aerodump
28. Airplay
29. Aircrack

Commercial Tools
1. eEye Retina
2. Shadow : Security Scanner
3. GFI LAN Guard
4. Core Impact

Proprietary Tools
1. Claymore : Vulnerability Scanner
2. Vulnerability Database

6. Information Security Audit Methodology : COBIT, ISACA, BS25999, OSSTM, OWASP, ISO27001, NIST
7. Information Security Audits carried out since empanelment till now :
Govt. : 237
PSU : 3
Private : 107
Total Nos. of Information Security Audits : 347
8. Business domain of auditee organisations : Government, Defence, Electrical Power Generation, BPO / KPO, Telecom, Manufacturing, Pharma, Banking & Finance
9. Typical applications in use by auditee organisations : Web, ERP, SAP, Finance, Proprietary Security
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 3000
No. of servers : 125
No. of switches : 250
No. of routers : 0
No. of firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s NIIT Technologies Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks, Bangalore
2. Carrying out Information Security Audits since : May 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20

Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT, SANS
7. Information Security Audits carried out since empanelment till now :
Govt. : 51
PSU : 154
Private : 205
Total Nos. of Security Audits : 410
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, SAP, ERP
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 4 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 100000
No. of servers : 15000
No. of switches : 15000
No. of routers : 14000
No. of firewalls : 24
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Paladion Networks
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks, Bangalore
2. Carrying out Information Security Audits since : May 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20

Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT, SANS
7. Information Security Audits carried out since empanelment till now :
Govt. : 51
PSU : 154
Private : 205
Total Nos. of Security Audits : 410
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, SAP, ERP
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 4 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 100000
No. of servers : 15000
No. of switches : 15000
No. of routers : 14000
No. of firewalls : 24
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Persistent Systems Limited
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Persistent Systems Limited, Pune
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 6
CISAs : 4
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 7
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 11
Commercial : 3
Proprietary : 0
Total Nos. of Audit Tools : 14

Details of the Audit Tools
Freeware : Paros, Burp Proxy, Webscarab, Nikto, Wikto, Nmap, SoapUI, Netcat, Fiddler, Backtrack4, Nipper
Commercial : IBM AppScan, Nessus, GFI Languard NSS

6. Information Security Audit Methodology : ISO 27001, COBIT
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 3
Private : 18
Total Nos. of Information Security Audits done : 21
8. Business domain of auditee organisations : Educational, Biomedical Research, Health Care, Mail & Messaging, SaaS Email Archiving
9. Typical applications in use by auditee organisations : IIS, Apache, Tomcat, JBoss, ASP.Net, PHP, MySQL, SQL server 2005
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 MBPS
External Bandwidth (WAN / Internet) : 1 MBPS
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : NA
No. of Servers : 8
No. of Switches : 2
No. of Routers : 1
No. of Firewalls : 1
No. of IDS' : NA
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s PricewaterhouseCoopers Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : PricewaterhouseCoopers Pvt. Ltd., Gurgaon
2. Carrying out Information Security Audits since : 1994
3. Technical manpower deployed for information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 20
CISAs / CISMs : 77
DISAs / ISAs : 4
Total Nos. of Technical Personnel : 160
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 7
Proprietary : 5
Total Nos. of Audit Tools : 32

Details of the Information Security Audit Tools

Freeware Tools :
1. Nessus : Network Vulnerability Assessment
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Ethereal : Network traffic sniffing and analysis
5. MBSA : Windows security assessment
6. AirSnort : Wireless Network security
7. Phonesweep : War dialing
8. RIP query : Router security assessment
9. Netcat : Backdoor
10. Nikto : Web Applications security
11. CAIN & Able : Traffic sniffing and Password cracking
12. Brutus : Password cracking
13. JohntheRipper : Password cracking
14. SNMPWalk : Router and network management
15. SNMP Scanner : Router and network management
16. DumpSec : Windows security assessment
17. SQL Scan : Database security assessment
18. Absinthe : SQL Injection
19. Acunetix : Web Vulnerability Scanner
20. SiteDigger : Google Hacking

Commercial Tools :
1. Core Impact : Penetration Testing
2. Appscan : Web Systems & Applications security
3. ACL : Audit command La
4. Retina : Vulnerability Scanner
5. Languard : Vulnerability Scanner
6. SolarWinds : Network security
7. ISS : Vulnerability Scanner

Proprietary Tools :
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment

6. Information Security Audit Methodology : ISO27001, COBIT, ESAS, ESBM
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 10
Private : 55
Total Nos. of Information Security Audits : 70
8. Business domain of auditee organisations : ITES, Manufacturing, Government, PSU, Financial Services, Telecom, Networking
9. Typical applications in use by auditee organisations : Client Server, Web Applications, Oracle, Finacle, ERP, CRM, telecom Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 200
No. of switches : 80
No. of routers : 100
No. of firewalls : 20
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Progressive Infotech Pvt Ltd
Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Progressive Infotech (P) Limited, Noida
2. Carrying out Information Security Audits since : 2009
3. Technical manpower deployed for information security audits :
CISSPs : 02
BS7799 / ISO27001 LAs : 02
CISAs :
DISAs / ISAs :
Total Nos. of Technical Personnel : 40+
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 36+
Commercial :
Proprietary :
Total Nos. of Audit Tools : 36+

Details of the Audit Tools
Freeware :

S. No. | Name of the Information Security Audit Tool | Whether freeware, commercial or proprietary | Functions (In brief)
1 | Achilles | Freeware | A tool designed for testing the security of web applications
2 | ADMFtp, ADMSnmp | Freeware | Tools for remote brute-forcing
3 | Brutus | Freeware | A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4 | Crack | Freeware | A password cracker
5 | Cryp Tool | Freeware | A cryptanalysis utility
6 | Curl | Freeware | Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP
7 | Different network mapping tools | Freeware | Ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools, etc.
8 | Elza | Freeware | A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering
9 | Exploits | Freeware | Publicly available and homemade exploit code for the different vulnerabilities around
10 | FScan | Freeware | A command-line port scanner. Supports TCP and UDP
11 | HPing | Freeware | HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
12 | ISNprober | Freeware | Check an IP address for load-balancing.
13 | ICMPush | Freeware | ICMPush is a tool that sends ICMP packets fully customized from command line
14 | John the Ripper | Freeware | A password cracker
15 | L0phtcrack | Freeware | NTLM/Lanman password auditing and recovery application (read: cracker)
16 | Nessus | Freeware | A free, powerful, up-to-date and easy to use remote security scanner. This tool could be used when scanning a large range of IP addresses, or to verify the results of manual work.
17 | Netcat | Freeware | The swiss army knife of network tools. A simple utility which reads and writes data across network connections, using TCP or UDP protocol
18 | NMAP | Freeware | The best known port scanner tool
19 | P0f | Freeware | Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS versions from the information in the packets.
20 | Pwdump | Freeware | Tools that grab the hashes out of the SAM database, to use with a brute-forcer like L0phtcrack or John
21 | SamSpade | Freeware | Graphical tool that allows to perform different network queries: ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, etc.
22 | ScanDNS | Freeware | Script that scans a range of IP addresses to find DNS names
23 | Scripts | Freeware | A number of custom developed scripts to test different security issues
24 | Sing | Freeware | Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from command line
25 | SSLProxy, STunne | Freeware | Tools that allow to run non SSL-aware tools/programs over SSL.
26 | Strobe | Freeware | A command-line port scanner that also performs banner grabbing
27 | Telesweep Secure | Freeware | A commercial wardialer that also does fingerprinting and brute-forcing.
28 | THC | Freeware | A freeware wardialer
29 | TCPdump | Freeware | A packet sniffer
30 | UCD-Snmp (aka NET-Snmp) | Freeware | Various tools relating to the Simple Network Management Protocol including snmpget, snmpwalk and snmpset
31 | Web Session Editor | Freeware | Custom made utility that allows to intercept and edit HTTP sessions.
32 | Webinspect | Freeware | CGI scanning, web crawling, etc
33 | Webreaper, wget | Freeware | Software that mirrors websites to your harddisk
34 | Whisker | Freeware | The most famous CGI scanner. has updated the scanning databases with checks for the latest vulnerabilities.
35 | Ethereal | Freeware | GUI for packet sniffing. Can analyse tcpdump-compatible logs.

6. Information Security Audit Methodology : Attached
7. Information Security Audits carried out so far :
Govt. : Nil
PSU : Nil
Private : 08
Total Nos. of Information Security Audits done : 08
8. Business domain of auditee organizations : Manufacturing, IT & ITES
9. Typical applications in use by auditee organizations : Email and IM applications, ERP, CRM etc
10. Typical bandwidth (maximum) of any auditee organizations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 01 Mbps
11. Networked Infrastructure details of an organization audited with most complex network :
No. of Computer Systems : 500
No. of Servers : 20
No. of Switches : 50
No. of Routers : 6
No. of Firewalls : 6
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s ProMinds Consulting Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation 1. Name & location of the empanelled Information Security Auditing Organisation : ProMinds Consulting Pvt Ltd, Hyderabad 2. 3. Carrying out Information Security Audits since : 2006 Technical manpower deployed for information security audits : CISSPs : 1 BS7799 / ISO17799 / ISO27001 LAs : 10 CISAs / CISMs: 2 DISAs / ISAs : 1 Total Nos. of Technical Personnel : 15 4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed) : Freeware : 40 Commercial : 5 Proprietary: 0 Total Nos. of Information Security Audit Tools : 45 Details of the Information Security Audit Tools Freeware Tools None Commercial Tools None Proprietary Tools None 6. 7. Information Security Audit Methodology : Own, COBIT, OCTAVE Information Security Audits carried out so far : Govt. : 20 PSU : 5 Private : 50 Total Nos. of Security Audits : 75 8. Business domains of auditee organisations : Govt, PSU, Defense, IT, ITES, BPO, Healthcare, Insurance, Financial Services, Banking, KPO 9. Typical applications in use by auditee organisations : Client-Server, Web Applications, ERP, Database, Office Applications, Software Development Tools, Testing Tools 10. Bandwidth available with an auditee organisation having most complex network : Internal Bandwidth (LAN / Intranet) : 1 Gbps External Bandwidth (WAN / Internet) : 10 Mbps

Page 108

11. LAN infrastructure details of an auditee organisation having most complex network : No. of Computers : 500+ No. of Servers : 30 No. of Switches : 15 No. of Routers : 5 No. of Firewalls : 3 No. of IDS' : 5 12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation). BACK


M/s Qadit Systems & Solutions Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Qadit Systems & Solutions Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : April 2002
3. Technical manpower deployed for Information security audits :
   CISSPs : 0
   BS7799 / ISO27001 LAs : 2
   CISAs : 10
   DISAs / ISAs : 7
   Total Nos. of Technical Personnel : 17
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 31
   Commercial : 0
   Proprietary : 5
   Total Nos. of Information Security Audit Tools : 36

   Details of the IT Security Audit Tools

   Freeware Tools
   1. Nessus - Vulnerability Assessment Tool
   2. Metasploit - Vulnerability Assessment and Penetration Testing Tool
   3. Paros Proxy - Vulnerability Assessment Tool
   4. Samurai Framework - Vulnerability Assessment Tool
   5. Grendel - Vulnerability Assessment Tool
   6. Retina Network Security Scanner - Vulnerability Assessment Tool
   7. Webinspect - Vulnerability Assessment Tool
   8. Burpsuite - Vulnerability Assessment and Penetration Testing Tool
   9. Netcat - Vulnerability Assessment and Penetration Testing Tool
   10. SAINT - Vulnerability Assessment and Penetration Tool
   11. Firecat - Vulnerability Assessment Framework
   12. SQLmap - SQL Injection Tool
   13. Nmap - Network Auditing Tool
   14. Wireshark - Network Auditing Tool
   15. Dsniff - Network Auditing Tool
   16. Sam Spade - Network Auditing Tool
   17. Nipper - Network Auditing Tool
   18. Look@Lan - Network Auditing Tool
   19. Traceroute - Network Auditing Tool
   20. Airsnort - Wireless network penetration testing tools
   21. Kismet - Wireless network penetration testing tools
   22. Netstumbler - Wireless network penetration testing tools
   23. RAT - Risk Assessment Tool
   24. MBSA - Security Analysis
   25. WebScarab - Web application audit framework
   26. W3af - Web application audit framework
   27. Nikto - Web server scanner
   28. Scuba - Database audit tool
   29. DB Audit - Database audit tool
   30. L0phtcrack - Password recovery tool
   31. Pwdump - Password recovery tool

   Commercial Tools
   1. SAP User Profile Reviewer : Review user profiles in SAP environment
   2. Oracle database Audit Scripts
   3. SQL database Audit Scripts
   4. ISO 27001 Risk Assessor
   5. SAP SOD Analyser

   Proprietary Tools : None
6. Information Security Audit Methodology : OSSTM, OWASP, ISACA/ITAF, ISO 27001/27002, COBIT, ISO 25999, SANS, ITIL, OCTAVE, COSO
7. Information Security Audits carried out since empanelment till now :
   Govt. : 5
   PSU : 36
   Private : 203
   Total Nos. of Security Audits : 244
8. Business domain of auditee organisations : Banking, Manufacturing, Telecom, Pharma, Financial Service, Software Development, e-Governance, Microfinance
9. Typical applications in use by auditee organisations : ATM Switch, SAP, Web, CBS, NMS, ERP, eGovernance, Web Applications, Payroll, Telecom billing application, Telecom network Monitoring Software, CRM Applications, Payment Portals
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 4500
   No. of servers : 60
   No. of switches : 75
   No. of routers : 1000
   No. of firewalls : 30
   No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Secure Matrix India Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing organisation

1. Name, Location of the empanelled IT Security Auditing organisation : Secure Matrix India Pvt Ltd, Mumbai
2. Carrying out Information Security Audits since : November 2004
3. Technical manpower deployed for IT security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 4
   CISAs : 3
   DISAs / ISAs : 2
   Total Nos. of Technical Personnel : 15
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
   Freeware : 6
   Commercial : 1
   Proprietary : 0
   Total Nos. of Audit Tools : 7

   Details of the IT Security Audit Tools

   Freeware :
   1. Nessus : Vulnerability Scanning and Reporting
   2. Nmap : Port Scanning and finger printing
   3. Sara : Vulnerability Assessment
   4. MBSA : Security Analysis
   5. Dsniff : Network Auditing
   6. Sam Spade : Network Query

   Commercial :
   1. Core Impact

   Proprietary :
6. IT Security Audit Methodology : NA
7. IT Security Audits carried out since empanelment till now :
   Govt. : NA
   PSU : NA
   Private : NA
   Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Stock Broking, BFSI, BPO, Technology, Retail, Manufacturing
9. Typical applications in use by auditee organisations : ERP, Accounting, On-line stock trading, databases, Proprietary applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : NA bps
   External Bandwidth (WAN / Internet) : 64 K bps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 60
   No. of servers : 4
   No. of switches : 6
   No. of routers : 0
   No. of firewalls : 2
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s SecureSynergy Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : SecureSynergy Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for Information security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 14
   CISAs : 3
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 29
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 35
   Commercial : 3
   Proprietary : 2
   Total Nos. of Audit Tools : 40

   Details of the Audit Tools
   Freeware : Information yet to be provided to CERT-In
   Proprietary : Information yet to be provided to CERT-In
6. Information Security Audit Methodology : COBIT, ISO 27001, NIST
7. Information Security Audits carried out since empanelment till now :
   Govt. : 11
   PSU : 9
   Private : 115
   Total Nos. of Security Audits : 135
8. Business domain of auditee organisations : IT, ITES, Government, Telecom, Defence, Oil & Gas, Manufacturing, Pharma
9. Typical applications in use by auditee organisations : ERP, CRM, Web/Middleware/Database, Client-Server
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 54 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 3640
   No. of servers : 198
   No. of switches : 204
   No. of routers : 15
   No. of firewalls : 4
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s SecurEyes Techno Services Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno Services Pvt. Ltd., Bangalore
2. Carrying out Information Security Audits since : January 2005
3. Technical manpower deployed for Information security audits :
   CISSPs : 0
   BS7799 / ISO27001 LAs : 2
   CISAs : 0
   DISAs / ISAs : 2
   Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 84
   Commercial : 0
   Proprietary : 14
   Total Nos. of Audit Tools : 98

   Details of the Audit Tools

   Freeware :
   1. Nessus : Vulnerability scanner used for penetration testing
   2. Nmap : Port Scanner
   3. Metasploit framework : Vulnerability scanner
   4. Hping2 : OS finger printing tool, also used for fire walking
   5. Ring : Passive OS finger printing tool
   6. Nmap-cronos : Passive OS finger printing tool
   7. P0f : Passive OS finger printing tool
   8. Smtpscan : Mail server profiling tool
   9. Sprint : OS detection tool
   10. Xprobe : OS detection tool
   11. Fire and Water : Web Server discovery tool
   12. Ethereal : Sniffer used for capturing and analysing traffic in a penetration test
   13. AirSnort : Wireless network penetration testing tools.
   14. Kismet : Wireless network penetration testing tools.
   15. NetStumbler : Wireless network penetration testing tools.
   16. WEPCrack : Wireless network penetration testing tools.
   17. Achilles : Web application penetration testing tool
   18. Spike Proxy : Automatic Vulnerability scanner for web applications.
   19. Odysseus : Web application audit tool
   20. Paros : Web application proxy, web application security vulnerability scanner.
   21. WinHex : Physical Memory editor used for penetration testing of applications
   22. Netcat : Network penetration testing tool.

   Proprietary :
   1. Windows-VA script : In house developed script used for vulnerability assessment of Windows operating system
   2. Linux-VA script : In house developed script used for vulnerability assessment of Linux operating system.
   3. Solaris-VA script : In house developed script used for vulnerability assessment of Solaris operating system.
   4. AIX-VA script : In house developed script used for vulnerability assessment of AIX operating system.
   5. Router-VA script : In house developed script used for vulnerability assessment of Routers
   6. Switch-VA script : In house developed script used for vulnerability assessment of Switch.
   7. WSDigger : Web Services profiling and attack tool.
   8. Cookie Digger : Web application audit tool which helps in calculating the strength of cookies and session ID's
   9. Code Scoping tool : Code security audit tool
   10. Validator.NET : Web application audit tool for applications built using .NET technology
   11. HACME Bank : Web Application audit trainer application
6. Information Security Audit Methodology : OSSTM, SANS, OWASP, Own
7. Information Security Audits carried out since empanelment till now :
   Govt. : 150
   PSU : 5
   Private : 15
   Total Nos. of Security Audits : 170
8. Business domain of auditee organisations : Banking & Finance, Government, Telecom, IT, SW Dev, Property Trading, Finance
9. Typical applications in use by auditee organisations : Internet Banking, HR Management, Payroll, Business Workflow, Finance, Insurance
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 2 Gbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 1000
   No. of servers : 100
   No. of switches : 300
   No. of routers : 100
   No. of firewalls : 10
   No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Security Brigade

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Security Brigade; Head Office: Ranchi - India; Branch Offices: Mumbai - India, Pisa - Italy; Partner/Sales Offices: Bengaluru - India, Chennai - India, Hyderabad - India, Pune - India, New Delhi - India, Kolkata - India, Houston - US, Toronto - Canada, Lagos - Nigeria, Doha - Qatar, London - UK.
2. Carrying out Information Security Audits since : June 2006
3. Technical manpower deployed for Information security audits :
   BS7799 / ISO27001 LAs : 1
   ECSAs : 1
   LPTs : 1
   CEHs : 2
   CCNAs : 4
   Total Nos. of Technical Personnel : 7
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 1000+
   Commercial : 2
   Proprietary : 15
   Total Nos. of Audit Tools : 1017+

Details of the Audit Tools

Proprietary Tools
1. sdFinder - Identifies internal hosts on non-contiguous IP ranges. It allows us to detect sensitive information about our clients' commercial, intranet and extranet networks.
2. webDiscovery - Identifies as many applications as possible on Client web-servers. The applications discovered through webDiscovery allow us to provide a superior web application security testing service than competitive services and products. It allows us to increase the scope of the audit and cover more areas that could be attacked by malicious users; that would not be covered by a traditional audit.
3. networkMapper - Network Mapper uses proprietary technology to be able to identify alternative network routes to bypass security mechanisms such as IDS/IPS/Firewall etc. It allows our experts to bypass existing security implementations and gain direct access to the systems behind them.
4. webTester - Security Brigade's in-house developed application utilizes our Benchmark Development System to ensure that we can identify maximum vulnerabilities in applications through automated mechanisms. Along with flaws that are known, it uses in-house research to test for vulnerabilities that are not in the public domain. It allows us to automate the process of identifying and testing known and unknown vulnerabilities in web-applications and strike a cost-effective time to effort ratio.
5. VA Framework - Security Brigade's in-house developed framework is an integrated solution developed by our security experts that have an expertise in the vulnerability assessment domain. It allows us to integrate the manual and automated testing processes with commercial and open-source software. Our Integrated Reporting Engine allows us to cross-reference information from all the different components and generate a report based on our Clients' requirements.
6. PT Framework - Security Brigade's in-house developed framework is an integrated solution developed by our security experts that have an expertise in the penetration testing domain. It allows us to integrate the manual and automated testing processes with commercial and open-source software. Our Integrated Reporting Engine allows us to cross-reference information from all the different components and generate a report based on our Clients' requirements.
7. webSpider - Security Brigade's in-house developed application uses advanced HTML, Java Script, Ajax, Flash and XML parsing engines to identify and map as much of the client applications as possible. This not only assists our automated webTester engine, but also assists in carrying out the manual testing process in an efficient manner. It allows us to attain a cost-effective balance between thorough testing and time required.
8. sapScan - Security and Configuration Assistant for SAP Security Audits.
9. riskReview - General Risk Assessment Tool.
10. erpInterrogate - ERP Security and Configuration Assessment and Control Tool.
11. Windows Batch Scripts - Windows batch scripts to automate routine server hardening functions and processes.
12. Linux Bash Scripts - Linux Bash scripts to automate routine server hardening functions and processes.
13. Oracle Security Assessment Scripts - Oracle Security Assessment Scripts to automate routine hardening functions and processes.
14. MSSQL Security Assessment Scripts - MSSQL Security Assessment Scripts to automate routine hardening functions and processes.
15. Internal Vulnerability Database - Automated vulnerability database that is updated every 15 minutes from over 100 public and 20 private feeds.

Commercial Tools
1. Nessus - Premier vulnerability assessment tool with more than 20,000 plugins.
2. GFI LANguard - commercial network security scanner for Windows.

Freeware Tools
1. Wireshark - is an open-source network protocol analyzer for Unix and Windows.
2. Netcat - is a simple utility that reads and writes data across TCP or UDP network connections.
3. Metasploit Framework - is an extensible model through which payloads, encoders, no-op generators, and exploits can be integrated.
4. Hping 2 - is a utility that sends custom ICMP, UDP, or TCP packets and then displays any replies.
5. Kismet - is a console based 802.11 layer2 wireless network detector, sniffer and intrusion detection system.
6. Tcpdump - is an IP sniffer.
7. Cain and Abel - is a windows-only password recovery tool that can recover passwords by sniffing, cracking, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, etc.
8. John the Ripper - is a fast password cracker.
9. Ettercap - is a terminal-based network/sniffer/interceptor/logger for ethernet LANs.
10. Nikto - is an open-source web-server scanner which performs comprehensive tests against web servers for several thousand vulnerabilities.
11. THC Hydra - is a fast network authentication cracker.
12. Paros Proxy - java based web proxy for assessing web-application vulnerability.
13. Dsniff - is a powerful network auditing and penetration-testing tool.
14. NetStumbler - is a windows based 802.11 sniffer.
15. THC Amap - is an application fingerprint scanner.
16. Aircrack - is a suite of tools for 802.11a/b/g WEP and WPA cracking.
17. Superscan - is a windows-only port scanner, pinger and resolver.
18. Scapy - is an interactive packet manipulation tool.
19. BackTrack - is a penetration testing live Linux distribution.
20. p0f - is a versatile passive OS fingerprinting tool.
21. WebScarab - a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
22. Thousands of other open-source tools - We have an internal categorized archive of over 10,000 tools. We utilize these on an on-need basis for specific specialized purposes during engagements. List can be provided in directory-listing format if required.

6. Information Security Audit Methodology : In-house Developed Hybrid Methodology based on BS7799, ISO17799, ISO27001, OWASP Testing Guide and OSSTM.
7. Information Security Audits carried out so far :
   Govt : 50+
   PSU : 10+
   Private : 100+
8. Business domain of auditee organisations : Banking & Finance, IT/ITES, Telecom, Manufacturing, Logistics, Insurance, Retail, Government etc.
9. Typical applications in use by auditee organisations : Corporate Websites, Core Banking, Insurance Portal, Loan & Treasury Management, Online Trading, Backoffice, CTCL, Accounting, Operations Management, Billing
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 8,000
   No. of servers : 300
   No. of switches : 40
   No. of routers : 5
   No. of firewalls : 3
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Sify Technologies Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : Sify, New Delhi
2. Carrying out Information Security Audits since : NA
3. Technical manpower deployed for security audits :
   CISSPs : 7
   BS7799 / ISO27001 LAs : 14
   CISAs : 26
   DISAs / ISAs : 16
   Total Nos. of Technical Personnel : 63
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 30
   Commercial : 0
   Proprietary : 0
   Total Nos. of Audit Tools : 30

   Details of the Audit Tools
   Freeware : Information yet to be provided to CERT-In
   Proprietary : Information yet to be provided to CERT-In
6. Security Audit Methodology : COBIT, SAS70, BS7799
7. Security Audits carried out since empanelment till now :
   Govt. : NA
   PSU : NA
   Private : NA
   Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Software Dev., BPO, Manuf, Govt.
9. Typical applications in use by auditee organisations : MS Exchange, Web server, SQL Server, Oracle, IIS
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 M bps
   External Bandwidth (WAN / Internet) : 512 K bps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of servers : 27
   No. of Computer Systems : 165
   No. of routers : 0
   No. of switches : 2
   No. of firewalls : 1
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Simos Computer Systems Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : SIMOS COMPUTER SYSTEMS PRIVATE LIMITED, Chennai
2. Carrying out Information Security Audits since : 2007
3. Technical manpower deployed for security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 1
   CISAs : 2
   DISAs / ISAs : 2
   Total Nos. of Technical Personnel : 10
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 20+
   Commercial : 1
   Proprietary : 0
   Total Nos. of Audit Tools : 21+

   Details of the Audit Tools
   Freeware : Nmap, OpenVAS, Metasploit, Wikto, Cain & Abel, Netstumbler, Backtrack etc.
   Commercial : Burpsuite Professional
6. Security Audit Methodology : ISO27001, COBIT, OWASP, SOGP, OSSTMM
7. Security Audits carried out since empanelment till now :
   Govt. : 1
   PSU : NA
   Private : 15
   Total Nos. of Security Audits : 16
8. Business domain of auditee organisations : Banking, Software Dev., BPO, Manuf, Govt.
9. Typical applications in use by auditee organisations : Windows Server, MS Exchange, Linux, Apache, IIS, PHP, ASP, ASP.NET, MSSQL, MySQL, Oracle
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 M bps
   External Bandwidth (WAN / Internet) : 1 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of servers : 30
   No. of Computer Systems : 500+
   No. of routers : 10
   No. of switches : 20
   No. of firewalls : 5
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s SISA Information Security Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : SISA Information Security (P) Ltd., Bangalore
2. Carrying out Information Security Audits since : September 2002
3. Technical manpower deployed for information security audits :
   CISSPs : 4
   BS7799 / ISO27001 LAs : 3
   CISAs : 9
   DISAs / ISAs : 2
   Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 25
   Commercial : 3
   Proprietary : 1
   Total Nos. of Audit Tools : 29

   Details of the Audit Tools

   Freeware :
   1. Nessus : Network Scanner
   2. N Map : Network Scanner
   3. MB Password Cracker : Password Cracker
   4. Ethereal : Sniffer
   5. WS_Ping Propack : Ping sweeps (Network Scanning)
   6. Snort : Ping sweeps (Network Scanning)
   7. user2sid and sid2user : Enumeration tools
   8. Ping of Death/SMURF : DOS
   9. SQLSmack : Hacking Tools

   Commercial :
   1. ISS Network Scanner : Network Scanner
   2. GFI Languard : Network Scanner
   3. Legion : Password Guessing Tool
6. Information Security Audit Methodology : SISA Proprietary
7. Information Security Audits carried out since empanelment till now :
   Govt. : 1
   PSU : 5
   Private : 99
   Total Nos. of Security Audits : 105
8. Business domain of auditee organisations : Information Technology, Banking, IT services, Manufacturing, Business Process Outsourcing, Telecom
9. Typical applications in use by auditee organisations : Banking Applications, Financial Applications, Mobile Applications, Web Applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 10 Mbps
   External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of Computer Systems : 10000
   No. of servers : 25
   No. of switches : 50
   No. of routers : 30
   No. of firewalls : 16
   No. of IDS' : 16
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Spectrum IT Solution

Snapshot of skills and competence of the CERT-In Empanelled IT Security Auditing Organisation

1. Name, Location of the Empanelled IT Security Auditing Organisation : Spectrum Networks Solutions Pvt Ltd, Noida
2. Carrying out IT Security Audits since : May 2004
3. Technical manpower deployed for IT security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 5
   CISAs / CISMs : 3
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 24
4. Outsourcing of IT Security Auditing Work to External IT Security Auditors / Experts : Yes
5. IT Security Audit Tools used (owned, in possession) :
   Freeware : 36
   Commercial : 4
   Proprietary : 2
   Total Nos. of Audit Tools : 42

Details of the Information Security Audit Tools

Freeware Tools
1. Achilles - A tool designed for testing the security of web applications
2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
3. Brutus - A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4. Crack - A password cracker
5. CrypTool - A cryptanalysis utility
6. Curl - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP
7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools etc
8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering
9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
10. FScan - A command-line port scanner. Supports TCP and UDP
11. Fragrouter - Utility that allows to fragment packets in funny ways
12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
13. ISNprober - Check an IP address for load-balancing.
14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
15. John The Ripper - A password cracker
16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could be used when scanning a large range of IP addresses, or to verify the results of manual work.
18. Netcat - The swiss army knife of network tools. A simple utility which reads and writes data across network connections, using TCP or UDP protocol
19. NMAP - The best known port scanner around.
20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like L0phtcrack or John
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, etc.
23. ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from command line
26. SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management Protocol including snmpget, snmpwalk and snmpset.
33. Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for the latest vulnerabilities.

Commercial Tools

Proprietary Tools

6. Information Security Audit Methodology : OWASP, ISO27001, COBIT, ITIL
7. Information Security Audits carried out since empanelment till now :
   Govt. : 80
   PSU : 25
   Private : 95
   Total Nos. of Security Audits : 200
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Government, IT/ITES, Software Development
9. Typical applications in use by auditee organisations : Banking and Financial Applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 16 Mbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN Infrastructure details of an organisation audited with most complex network :
   No. of Servers : 45
   No. of Computers : 1500
   No. of Routers : 10
   No. of Switches : 300
   No. of Firewalls : 4
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


STQC Directorate

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : STQC IT Services, New Delhi
2. Carrying out Information Security Audits since : NA
3. Technical manpower deployed for security audits :
   CISSPs : 0
   BS7799 / ISO27001 LAs : 12
   CISAs : 0
   DISAs / ISAs : 9
   Total Nos. of Technical Personnel : 12
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
   Freeware : 23
   Commercial : 0
   Proprietary : 0
   Total Nos. of Audit Tools : 23

   Details of the IT Security Audit Tools
   Freeware Tools : Information yet to be provided to CERT-In
   Commercial Tools : Information yet to be provided to CERT-In
   Proprietary Tools : Information yet to be provided to CERT-In
6. Security Audit Methodology : OSSTMM
7. Security Audits carried out since empanelment till now :
   Govt. : NA
   PSU : NA
   Private : NA
   Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Mfg, software Services, BPO, Telecom, Govt.
9. Typical applications in use by auditee organisations : SAP, Oracle
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : NA bps
   External Bandwidth (WAN / Internet) : NA bps
11. Networked Infrastructure details of an organisation audited with most complex network :
   No. of servers : 36
   No. of Computer Systems : 500
   No. of routers : 0
   No. of switches : 68
   No. of firewalls : 6
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Suma Soft Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Suma Soft Pvt Ltd
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
   CISSPs :
   BS7799 / ISO27001 LAs : 3
   CISAs : 5
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 35
   Commercial : 2
   Proprietary : 0
   Total Nos. of Audit Tools : 37

Details of the Audit Tools

Freeware:
   Nessus
   Whisker
   HUNT - TCP/IP protocol vulnerability exploiter, packet injector
   DOMTOOLS - DNS-interrogation tools
   SARA - Vulnerability scanner
   RAT
   Nikto - This tool scans for web-application vulnerabilities
   Snort - IDS
   Firewalk - Traceroute-like ACL & network inspection/mapping
   Hping - TCP ping utility
   Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files, etc.). Facilitates the interception of network traffic normally unavailable to an attacker
   HTTrack - Website Copier
   Chkrootkit - Rootkit discovery tool
   Tools from FoundStone - Variety of free security-tools
   SQL Tools - MS SQL related tools
   John the Ripper - Password-cracking utility
   ITS4 - Scan C/C++ source-code for vulnerabilities
   Paros
   NMAP - The famous port-scanner
   Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
   Nemesis - Packet injection suite
   NetCat - Swiss Army-knife, very useful
   RAT - CISecurity's Router Auditing Tool
   DSniff - A collection of different purpose sniffers
   Achilles - An SSL-proxy allowing to change data
   Whitehats - Snort IDS-signatures & other resources
   Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
   Brutus - password cracking for web applications, telnet, etc.
   WebSleuth - web-app auditing tool
   Mieliekoek - SQL Injection tool, use with HTTrack
   NT Toolbox - Resources & tools for NT
   [at]Stake Tools - Tools provided by [at]-Stake
   TSCrack - Wordlist-based Terminal Server login-cracker
   L0phtcrack - NT-password cracking utility
   HTTPrint - detect web server and version
   Web proxy - web application testing
   Web server vulnerability assessment tool

Commercial Tools
1. Nexpose - Vulnerability Scanners
2. Burp Suite, Acunetix - Web application auditing

6. Information Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT, OSSTM, OWASP
7. Information Security Audits carried out so far :
   Govt. : 1
   PSU : 1
   Private : 25
   Total Nos. of Information Security Audits done : 26
8. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development
9. Typical applications in use by auditee organisations : Client-Server, Web based MIS, Oracle, Web Applications
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 GBPS
   External Bandwidth (WAN / Internet) : 12 MBPS
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 350
   No. of Servers : 50
   No. of Switches : 25
   No. of Routers : 2
   No. of Firewalls : 2
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Sumeru Software Solutions Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Sumeru Software Solutions Pvt Ltd, Bangalore
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for information security audits :
   CISSPs : 1
   BS7799 / ISO27001 LAs : 2
   CISAs / CISMs : 2
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 10
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
   Freeware : 61
   Commercial : 4
   Proprietary : 0
   Total Nos. of Information Security Audit Tools : 65

Details of the Information Security Audit Tools

Freeware Tools
1. Nmap / Superscan
2. WireShark
3. Paros Proxy
4. Metasploit Framework
5. Kismet / NetStumbler / Aircrack
6. Nikto / Wikto
7. BackTrack
8. WebScarab

Commercial Tools
1. Nessus
2. WebInspect
3. MegaPing
4. Retina

Proprietary Tools
None

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO27001, BS 25999
7. Information Security Audits carried out so far :
   Govt. : 7
   PSU : 0
   Private : 101
   Total Nos. of Security Audits : 108
8. Business domains of auditee organisations : Manufacturing, Hospitality, Media, Defence, BSFI, IT/ITES, Publishers, Human resources, Insurance, Government.
9. Typical applications in use by auditee organisations : e-Commerce Portals, Job Portals, News Portals, Public Forum, Pay Roll Applications, Intranet Applications, Webmail, Insurance web portal.
10. Bandwidth available with an auditee organisation having most complex network :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 10 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
   No. of Computers : 4500
   No. of Servers : 70
   No. of Switches : 300
   No. of Routers : 2
   No. of Firewalls : 135
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Sysman Computers Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name and location of the empanelled Information Security Auditing Organisation : Sysman Computers Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 1991
3. Technical manpower deployed for security audits :
   CISSPs : 5
   BS7799 / ISO27001 LAs : 7
   CISAs : 12
   DISAs / ISAs : 6
   Total Nos. of Technical Personnel : 30
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 28
   Commercial : 5
   Proprietary : 0
   Total Nos. of Audit Tools : 33

Details of the Audit Tools
   Freeware : Information yet to be provided to CERT-In
   Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : COBIT, ISO 27001
7. Information Security Audits carried out since empanelment till now :
   Govt. : 5
   PSU : 55
   Private : 100
   Total Nos. of Security Audits : 160
8. Business domain of auditee organisations : Banking, BPO, Manufacturing, Healthcare, Government
9. Typical applications in use by auditee organisations : Banking, Accounting, Data Processing, Call Centre, Healthcare, Travel, Education
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 M bps
   External Bandwidth (WAN / Internet) : 2 M bps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 1500
   No. of servers : 25
   No. of switches : 55
   No. of routers : 8
   No. of firewalls : 2
   No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Tata Consultancy Services Ltd

Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Tata Consultancy Services Ltd, Mumbai
2. Carrying out Information Security Audits since : 2001
3. Technical manpower deployed for information security audits :
   CISSPs : 25
   BS7799 / ISO27001 LAs : 60
   CISAs : 15
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 232
4. Outsourcing of Information Security Auditing Work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 5
   Commercial : 2
   Proprietary : 2
   Total Nos. of Audit Tools : 9

Details of the Information Security Audit Tools
   Freeware Tools : None
   Commercial Tools : None
   Proprietary Tools : None

6. Information Security Audit Methodology : Own
7. Information Security Audits carried out since empanelment till now :
   Govt. : 6
   PSU : 4
   Private : 12
   Total Nos. of Security Audits : 22
8. Business domain of auditee organisations : Banking, Stock Exchange, Power, Manufacturing, Government.
9. Typical applications in use by auditee organisations : Core Banking, stock broking, power management, Telecom, Governance.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 2 Mbps
   External Bandwidth (WAN / Internet) : 5 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 200
   No. of servers : 100
   No. of switches : 50
   No. of routers : 50
   No. of firewalls : 50
   No. of IDS' : 20
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Tech Mahindra Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name, Location of the empanelled IT Security auditing organisation : Tech Mahindra Ltd, Noida
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for security audits :
   CISSPs : 14
   BS7799 / ISO27001 LAs : 56
   CISAs : 10
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 97
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
   Freeware : 2
   Commercial : 1
   Proprietary : 1
   Total Nos. of Audit Tools : 4

Details of the Information Security Audit Tools
   Freeware Tools : None
   Commercial Tools : None
   Proprietary Tools : None

6. IT Security Audit Methodology : ISO 27001/BS7799
7. IT Security Audits carried out since empanelment till now :
   Govt. : 1
   PSU : 0
   Private : 34
   Total Nos. of Security Audits : 35
8. Business domain of auditee organisations : Automobiles, Retailing, Pharma, Telecom, BPO, Finance
9. Typical applications in use by auditee organisations : SAP, Web Applications, CRM, Service Assurance, Service Fulfilment, COTS Products
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 2000
   No. of servers : 60
   No. of switches : 100
   No. of routers : 25
   No. of firewalls : 20
   No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Technologics & Control

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Technologics and Controls, New Delhi, India
2. Carrying out Information Security Audits since : December 2002
3. Technical manpower deployed for information security audits :
   CISSPs : 1
   BS7799 / ISO17799 / ISO27001 LAs : 1
   CISAs / CISMs : 4
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
   Freeware : 10
   Commercial : 3
   Proprietary : 0
   Total Nos. of Information Security Audit Tools : 13

Details of the Information Security Audit Tools

Freeware Tools
Brutus,Superscan Nessus Vulnerability Scanner Belarc Advisor M Metasploit Framework 3 Mozilla Firefox Extension AnEC Cookie Editor v0.2.1.3 Wireshark HTTP Editor Tenable Nessus Mozilla Firefox Extension Hack Bar WebScarab

Commercial Tools
   Meycor Cobit suite
   IBM Rational AppScan v7.7
   Acunetix Web Vulnerability Scanner v6.5

Proprietary Tools
None

6. Information Security Audit Methodology : OSSTM, OWASP, ISO27001, COBIT, Audit ICQ
7. Information Security Audits carried out so far :
   Govt. : 2
   PSU : 0
   Private : 45
   Total Nos. of Security Audits : 47
8. Business domains of auditee organisations : Banking, Insurance, Services, ITES, Finance, Stock traders, UN, Manufacturing, Defence, NGO, Government
9. Typical applications in use by auditee organisations : ERP (SAP, MFGPro, Ingenium, others), HR and Payroll, Document Imaging, Banking (CBS / TBA), Web and E-commerce Applications
10. Bandwidth available with an auditee organisation having most complex network :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : upto 16 MBPS
11. LAN infrastructure details of an auditee organisation having most complex network :
   No. of Computers : 4000
   No. of Servers : 190
   No. of Switches : 400
   No. of Routers : 150
   No. of Firewalls : 4
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Y

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


M/s Torrid Networks Pvt. Ltd.

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : M/s Torrid Networks Pvt. Ltd.
2. Carrying out Information Security Audits since : 2006
3. Technical manpower deployed for information security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 2
   CISAs : 1
   DISAs / ISAs :
   Total Nos. of Technical Personnel : 35
4. Outsourcing of External Information Security Auditors / Experts : None
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 20
   Commercial : 7
   Proprietary : 12
   Total Nos. of Audit Tools : 39

Details of the Audit Tools
   Freeware : nmap, Nessus, Metasploit, Nikto, Burp, Paros, WebScarab, SQL injector, Ollydbg, WireShark, Cain & Abel, BackTrack Distro
   Commercial : AppScan, Acunetix, CoreImpact, Nexpose, CodeSecure, Fortify, Qualys

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001
7. Information Security Audits carried out so far :
   Govt. : 3
   PSU : 3
   Private : 54
   Total Nos. of Information Security Audits done : 60
8. Business domain of auditee organisations : BFSI, Telecom, BPO, IT/ITES, Manufacturing, Engineering
9. Typical applications in use by auditee organisations : HRMS, CRM, Exchange, Billing, ERP, Intranet, Payroll
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 5 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 10000
   No. of Servers : 500
   No. of Switches : 250
   No. of Routers : 25
   No. of Firewalls : 18
   No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


M/s TVSNet Technologies Ltd

Snapshot of skills and competence of CERT-In Empanelled Information Security Auditor

1. Name, Location of the empanelled Information Security Auditing organisation : TVSNet Technologies Ltd, Chennai
2. Carrying out Information Security Audits since : January 2000
3. Technical manpower deployed for information security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 3
   CISAs/CISMs : 1
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 20
   Commercial : 1
   Proprietary : 0
   Total Nos. of Audit Tools : 21

Details of the Information Security Audit Tools

Freeware :
1. Smartwhois: To perform initial information gathering of the network
2. SPIKE Proxy: is a full featured HTTP and HTTPS proxy built with Python
3. WebGoat: This is used to investigate common server-side application flaws
4. Nikto : Web Systems & Application Security
5. Paros proxy : A web application vulnerability assessment proxy
6. Burp suite: An integrated platform for attacking web applications
7. Nessus : Network Security
8. Nmap: Network Security
9. Whois: To perform initial information gathering of the network
10. SolarWinds : Used for Penetration Testing
11. Ethereal: Network Sniffing
12. Shadow security scanner: Web server Vulnerability Scanning
13. TamperIE: Proxy tool
14. Brutus: Password Cracker
15. Visual Trace Route : To perform initial information gathering of the network
16. Neo Trace Route : To perform initial information gathering of the network

Commercial :
1. Acunetix Web Vulnerability Scanner: Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on authentication pages.

6. Information Security Audit Methodology : OSSTMM, OWASP, ISO 27001
7. Information Security Audits carried out since empanelment till now :
   Govt. : 9
   PSU : 7
   Private : 25
   Total Nos. of Security Audits : 41
8. Business domain of auditee organisations : Government, Banking, Telecom, Manufacturing, ITES
9. Typical applications in use by auditee organisations : Web Applications, ERP, Email
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 100 Mbps
   External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of servers : 180
   No. of Computer Systems : 3000
   No. of routers : 25
   No. of switches : 20
   No. of firewalls : 5
   No. of IDS' : 7
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Verizon Business

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Verizon Business, Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
   CISSPs : 74
   BS7799 / ISO27001 LAs : 15
   CISAs : 35
   DISAs / ISAs : 2
   Total Nos. of Technical Personnel : 500+
4. Outsourcing of External Information Security Auditors / Experts : Not Applicable
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 43
   Commercial : 6
   Proprietary : 8
   Total Nos. of Audit Tools : 57

Details of the Audit Tools

Freeware: Netcat, Ethereal, TCPdump, SSLdump, Brutus, Dig, Nmap, VisualRoute, Fscan, Cain & Abel, Firewalk, DumpACL, DumpEvt, DumpReg, DumpSec, Enum, Paros, WebSleuth, WebProxy, Nikto, Achilles, Cerberus, DDosPing, Brutus, John the Ripper, Absinthe, Metasploit, SNMP Walker, SQL Squirrel, Black Widow, Ettercap, Rainbowcrack, IISCat, IISHack, PipeUpAdmin, Pwdump2, GFI LanGuard, HFNetChk, ConfigDefence, UnixRecon, Titan, AppSecInc, VoIP Hopper

Commercial:
1. nCircle
2. Nessus Professional Feed
3. Ounce / IBM AppScan
4. WebInspect
5. Core Impact
6. Canvas

6. Information Security Audit Methodology : Verizon Business Proprietary
7. Information Security Audits carried out so far :
   Govt. : 10
   PSU : 4
   Private : 150+
   Total Nos. of Information Security Audits done : 164+
8. Business domain of auditee organisations : Banking & Finance, Information Technology, Government Establishments, Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.
9. Typical applications in use by auditee organisations : Enterprise Resource Planning (ERPs), Online Banking Solutions, Online Payment Solutions, CRM, Billing Systems, Corporate Websites, Web Services & Web Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1 Gbps
   External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : >50000
   No. of Servers : >350
   No. of Switches : 200
   No. of Routers : 80
   No. of Firewalls : 40
   No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s VISTA InfoSec Pvt. Ltd.

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : VISTA InfoSec Pvt. Ltd., Mumbai 400058.
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
   CISSPs : 4
   BS7799 / ISO27001 LAs : 5
   CISAs : 5
   DISAs / ISAs : 1
   Total Nos. of Technical Personnel : 16
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 47
   Commercial : 4
   Proprietary : 3
   Total Nos. of Audit Tools : 54

Details of the Audit Tools

Freeware:
1. Port Scanners - AngryIPScanner, SuperScan, NetScanTools, Unicornscan, Nmap, THCAmap, ike-scan.
2. Web Browser Addons - NoScript, Tamper Data, Firebug, etc.
3. Password Crackers - Aircrack, Cain & Abel, John the Ripper, THC Hydra, ophcrack, Medusa, fgdump, L0phtCrack, solarwinds, RainbowCrack, Wfuzz, Brutus.
4. Encryption Tools - Stunnel, OpenVPN, Tor, OpenSSL, GnuPG/PGP, OpenSSH/Putty/SSH.
5. Debuggers - IDA Pro, OllyDbg, WinDbg.
6. Forensics - Maltego, Helix, The Sleuth Kit, Encase.
7. Fuzzers - w3af, skipfish, Wapiti.
8. General Purpose - Netcat, cURL, Socat, Firefox, Google, Perl/Python/Ruby.
9. Packet Crafters - Netcat, Hping, Scapy, Yersinia, Nemesis, Socat.
10. Rootkit Detectors - Sysinternals, Tripwire, Dumpsec, AIDE.
11. Security Distros - BackTrack, Helix, Samurai Web Testing Framework, Knoppix, SELinux
12. Sniffers - Wireshark, Cain & Abel, tcpdump, kismet, Ettercap, Netstumbler, dsniff, Ntop, Ngrep, P0f, inSSIDer, KisMAC.
13. Exploitation Tools - Metasploit Framework, w3af, Core Impact, sqlmap, SET, sqlninja, BeEF, dradis, WebGoat, Burp Suite, ExploitPack.
14. Vulnerability Scanners - Nessus, OpenVAS, GFI Languard, MBSA, Nipper, SAINT, NeXpose.
15. Web Proxy - Paros Proxy, Fiddler, sslstrip, ratproxy.
16. Web Scanners - Burp Suite, Nikto, w3af, Acunetix, Netsparker, Wikto, DirBuster, Arachni.
17. Wireless Tools - Aircrack, Kismet, NetStumbler, inSSIDer, KisMAC.
18. Anti-Malware - MalwareBytes, ClamAV Signatures Toolkit, VirusTotal.

Commercial:
1. Rapid7 NeXpose
2. Rapid7 Metasploit
3. Tenable Nessus
4. IBM AppScan

6. Information Security Audit Methodology : ISO27001/ISO20000/BS25999/ISO18028/SANS/OWASP/OSSTM/CIS/CHECK/NIST/RBI
7. Information Security Audits carried out so far :
   Govt. : 10
   PSU : 17
   Private : 161
   Total Nos. of Information Security Audits done : 188
8. Business domain of auditee organisations : Banks, Insurance, Financial services, BPO, Software development, Pharma, Manufacturing, Entertainment, Realty, Retail, Governance, Power and Petrochem.
9. Typical applications in use by auditee organisations : Core Banking, SAP, ERP, CRM, Internet Banking, Time Management, Peoplesoft, Payment Gateway applications, Oracle, Financial Applications, Mobile applications, SCADA Applications, etc.
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : 1000
   External Bandwidth (WAN / Internet) : 2mb + 2mb
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of Computer Systems : 8000
   No. of Servers : 250
   No. of Switches : 400
   No. of Routers : 35
   No. of Firewalls : 35
   No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Wipro Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name, Location of the Empanelled Information Security Auditing organisation : Wipro Ltd., Gurgaon
2. Carrying out Information Security Audits since : October 2000
3. Technical manpower deployed for information security audits :
   CISSPs : 2
   BS7799 / ISO27001 LAs : 1
   CISAs : 1
   DISAs / ISAs : 0
   Total Nos. of Technical Personnel : 55
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
   Freeware : 42
   Commercial : 12
   Proprietary : 1
   Total Nos. of Audit Tools : 55

Details of the Audit Tools
   Freeware : Information yet to be provided to CERT-In
   Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : NA
7. Information Security Audits carried out since empanelment till now :
   Govt. : NA
   PSU : NA
   Private : NA
   Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Oil, Pharma, Manufacturing
9. Typical applications in use by auditee organisations : NA
10. Typical bandwidth (maximum) of any auditee organisations :
   Internal Bandwidth (LAN / Intranet) : NA bps
   External Bandwidth (WAN / Internet) : NA bps
11. Networked Infrastructure details of an organizations audited with most complex network :
   No. of servers : 5
   No. of Computer Systems : 8
   No. of routers : 0
   No. of switches : 1
   No. of firewalls : 1
   No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
