Build & Configuration Security Review
Your critical applications and system environment comprise numerous components such as servers, network devices and middleware and accessed by client devices including desktops, laptops and mobile devices.
Each of these components and client devices, if configured incorrectly using only default or ‘out of the box’ settings, can introduce weaknesses in your security posture with default passwords, open ports and unnecessary services leaving your business exposed to a malicious attacker gaining a foot-hold in your network, accessing sensitive data or disrupting critical business services.
Our Build & Configuration Security Review will analyse the systems’ security in great detail and assess on how sensitive and critical data is protected by the assessed system, ideally following a ‘secure-by-default’ approach.
The Build & Configuration Security Review is especially cost effective if multiple systems are built in the same way (using a gold image standard build) since by using a sampled approach, this will uncover many quick wins to dramatically improve the business security posture across all devices in scope.
A full report will be provides with the results enabling the business to decide on the best course of action to address the vulnerability and therefore reduce the attack surface of the business following a risk based approach
Request a Build & Configuration Security Review Quotation
Speak to Our Experts
An assessment of over 300 control points are checked and reported per reviewed host. These control points are based on the CIS benchmarks for the applicable systems and applications.
Using a combination of industry best practice guidance, such as CIS (Centre for Internet Security) and real world experience, our consultants will perform a White Box Audit (with knowledge of the system architecture). A full authenticated review of the Operating System’s security posture will be investigated in line with industry best practices.
Build reviews cover the following areas of servers and workstation operating systems as well as the primary applications that run on the servers (like web, database, email or application service)running on the host: –
- Password Policy
- Account Lockout Policy
- Audit Policy
- User Rights and Least Privilege Assignment
- Host Operating System Security Options
- Secondary System Services
- Primary Host Application – Database, Web Server or Application Server
- Registry Configuration and Permissions
- File System Permissions
- Wired and Wireless Network Policies
- Host Firewall
- Patch and Support Level Status of Installed Software
- Surface Area Reduction
- Software Restriction and Application Control Policies
Additionally, JAW Consulting UK Ltd has extensive experience in performing research into privilege escalation attacks on systems and therefore our build reviews also include extra control points, based on that research. These are not part of the CIS standards but these controls will still facilitate attacks if set incorrectly. Unfortunately for the target business, the setting of these extra controls is usually the default insecure setting.
As this is an authenticated assessment, greater detail can usually be gleaned by the build review than from other types of security assessment.
The build review requires administrator privileges for the application and for the host operating system. It can be performed onsite or offsite. In the latter case JAW Consulting UK Ltd can provide a script based around Microsoft tools to be run by a local administrator and the results sent back securely to JAW Consulting UK for offline analysis.
The build review report will detail a short non-technical executive summary that will describe the security of the system as a whole. This summary of the issues will allow budget approvers to quickly understand the risk the systems currently pose and have a handle on the impacts to budget, timescales and resources any remediation will take.
The report will also include full detail of each of the vulnerabilities found including a risk rating, an ease of attack rating, if applicable a CVE reference, the CVSS v2 score including the associated vector, and any supporting evidence. Also included is how to fix each issue. There may be options for remediation and the pros and cons of each will be explained. If applicable, any potential problems a fix may cause will be noted. This will allow a technical person to reproduce the test findings, and be in a position to confirm if any remediation they subsequently apply actually was performed correctly.
JAW Consulting UK recommends allowing two man days per system including reporting, though economies of scale may apply if there are a large number of systems that require a build review.