Information security testing services

With the swift evolution of technology and the fast changing threat landscape that organisations today are exposed to, organisations across the world are realizing the importance of information security and the implications of inadequately protecting their information/information assets. Security is fast becoming one of the top concerns of organisations, and is finding its way into board room agendas. Leading organizations have realized that a proactive approach to security is a cost effective option to address the issue at hand. Solving any problem first typically requires the identification of the problem, and KPMG's information security testing services help organisations proactively identify and address their cyber security risks and risks related to their information ecosystem.

What we do
KPMG in India can provide information security testing services to address the
challenges faced by organizations.

Information security testing services:
Secure configuration review
Telecom network security testing
Infrastructure security testing
Wireless security testing
Application security testing
Secure code review
SCADA security testing
Network security architecture review
Mobile application security testing
Voice over IP (VoIP) security testing
Firewall rule base review
Cloud security assessments

Our services

Application security testing

Our Application Security testing process includes VAPT of applications to identify security loopholes in the development and implementation of applications, both web and desktop based. The tests are performed first as an unauthorized user (Blackbox) and then, using a valid user account (GrayBox). The tests performed help cover OWASP Top 10, WASC Threat Classification and CWE/SANS TOP 25 application security vulnerabilities.

Mobile application security testing

Our Mobile Application Security Testing approach emphasizes the security model around the client-side code. The tests performed help cover OWASP Top 10 Mobile Risks. KPMG's Security Testing Team can conduct Mobile Application Security Testing on Mobile Operating Systems and Applications to help identify security loopholes exposed to malicious users.

Secure configuration review

KPMG's Configuration Review provides an independent assessment of the configuration of critical servers, databases, network, and perimeter security devices. The assessment is performed against the CIS benchmarks / organization's benchmarks, if available, for the respective devices.

Secure code review

KPMG's Secure Code Review includes manual and automated security review of the application code base to identify potential vulnerabilities leading to an insecure application. The KPMG Security Team conducts Secure Code Review of, but not limited to, Java, Classic ASP, PHP, C/C++, MySQL, and PLSQL applications.

Infrastructure security testing

Our Infrastructure Security testing process includes Vulnerability Assessment and Penetration Testing (VAPT) of the network and the infrastructure to help identify the vulnerabilities present and their exploitability from an attacker's point of view.

2014 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

Voice over IP (VoIP) security testing

KPMG's VoIP infrastructure security testing is carried out to simulate an attack by a malicious user or an attacker with access to the organisation's VoIP network, from within the organization as well as the Internet.

SCADA security testing

The need to test SCADA (supervisory control and data acquisition) systems has become critical as they usually control complex industrial processes. KPMG's SCADA Security Review consists of a multi-pronged approach comprising Profiling Tools, Known Flaw Testing, Resource Starvation Testing, Specification Testing, and Fuzz Testing.

Cloud security assessments

KPMG's cloud security assessment includes the major cloud computing architectures, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). KPMG creates a customized approach for each assessment that helps review the implementation's infrastructure and application security.

Telecom network security testing

KPMG's telecom security review consists of testing of the Access Network, the Core Network, the Application and Management Network, the Internal Network, and the External Network components of the given telecom network.

Firewall rule base review

KPMG's firewall rule base review includes review of the access rules configured on the firewalls to help identify security loopholes that could allow insecure access to the critical internal servers and devices.

Network security architecture review

KPMG's network security architecture review comprises assessment of the existing network design including topology, existence, and design of security components to help identify the security risks to the organization.

Wireless security testing

KPMG's wireless security assessment helps stimulate the identified weakness in the wireless infrastructure of the organization. Our assessment targets include:

Wi-Fi 802.11a/b/g/n infrastructure
Organization devices connecting to wireless infrastructure, e.g. laptops and PDA
Non-Wi-Fi systems, such as RFID access and payment systems, Bluetooth devices.

Why information security testing

Challenges faced by CIOs and CISOs today include:

Increasing regulations / compliance requirements around Privacy and Data Protection
Rising incidents and variance of attack vectors in cyber crime
Precedence of organized cyber crime often leading to rising cost due to data loss and breaches
Lack of stakeholder and customer awareness on data protection
Rapid evolution in technology and associated risk management
Difficulty in maintaining IT costs without compromising on technology or value.

Potential benefits

Informed decision making capability for board members on IT security strategy leading to better return on investments (RoI)
Effective data protection through proactive prevention of identified security risks aligned to business imperatives
Sustained compliance with legislative and regulatory requirements across privacy and data security
Implementation of defense in depth measures through efficient integration of security across the organization's IT ecosystem.

Who we are
KPMG's information security testing services has nationwide
presence with around 46 plus dedicated information security
and ethical hacking professionals across various locations
within India. Our professionals hold CISA (Certified Information
Systems Auditor), CISSP (Certified Information Systems Security
Professional), GPEN (GIAC Certified Penetration Tester) and CEH
(Certified Ethical Hacker) certifications.
Our information security testing team is also actively involved in
individual research and group proof of concept projects. Our team
has contributed to a multitude of areas in the ever-evolving field of
information security.
KPMG has an ISO 27001 certified testing laboratory with
dedicated public IP addresses for conducting external penetration
testing activity.

KPMG in India contacts:


Atul Gupta
Partner
IT Advisory
T: +91 124 307 4134
E: atulgupta@kpmg.com

Kunal Pande
Partner
IT Advisory
T: +91 22 3090 1959
E: kpande@kpmg.com

Sony Anthony
Director
IT Advisory Services
T: +91 80 3065 4353
E: santhony@kpmg.com

Vijay S
Partner
IT Advisory
T: +91 80 3065 4321
E: vsubramanyam@kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date
it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice
after a thorough examination of the particular situation.

Akhilesh Tuteja
Partner
IT Advisory
T: +91 124 307 4800
E: atuteja@kpmg.com

www.kpmg.com/in

The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. Printed in India.
