iVolution Security Technologies
 

Our Methodology

Framework for Information Security Testing - FIST
One of the crucial factors in the success of a penetration test is the underlying methodology. Without a formal methodology, security tests will have little consistency. Methodologies provide a disciplined framework for conducting a complete and accurate penetration test.

Our methodology and framework promote the active management of an engagement. The framework provides a hierarchy that takes into consideration the relationships that are formed when executing tasks given a specific method. By structuring a penetration test as a framework, rather than a simplistic collection of methods, elements and tactics can be easily tailored to accommodate and support specific requirements of the test. This ensures the value of the test is realized.

The phases in our framework are:

Phase: Action

Planning: We perform a threat analysis that develops threat models and attack profiles specifically for your testing requirements. We establish Red and White teams that we employ for team deployment and project management. A project plan is developed.

Operations: The project plan identifies how testing will be supported and controlled and defines the underlying actions to be performed regardless of scope. This is the logistical portion of our process. It will drive and determine how information is shared and to what degree each characteristic of the test will be performed to achieve desired results.

Reconnaissance: We search for any and all relevant information that can aid in the attack. Information gathering can include social, internet and technical reconnaissance and passive interaction with target systems.

Enumeration: Active interaction with target systems, applications and network infrastructure takes place to build a picture of the target environment.

Vulnerability Analysis: A logical and pragmatic approach is applied to the data collected in the previous phases. We identify relationships that may lead to exposures that can be exploited. It is during this phase that vulnerability mapping occurs.

Exploitation: Attack processes are put into action to achieve the exploitation of target systems, applications and infrastructures. Critical planning and attack profiling are key to meeting the objectives within the specified scope and attack profile, leading to direct exploitation and compromise.

Results Analysis: Final analysis of all data and exploits is performed. Results are correlated to determine if previous actions can lead to further exploitation and deeper attack depths, providing a comprehensive view of the entire engagement.

Deliverable: Threat analysis is performed, providing step-by-step details and a ranking of vulnerabilities that relate directly to the expectations of the test. The deliverable provides measurable risk levels, raw results, exploit / vulnerability data and the required remediation steps.

Our framework provides operational structure to the test, incorporating control of the engagement from a management and technical perspective. It provides vital information that directly relates to how and when to perform a task, which is as important as the task itself.

Risk Management is a key part of any security test and methodology. iVOLUTION Security will provide you with actionable information that can be easily understood and integrated into your network and security infrastructure.

iVOLUTION Security Technologies provides a full complement of vendor-provided professional services and can meet compliance demands for third-party testing.

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group