Drawing on the experience of our security experts, our methodology has been formulated in conformity with the BS 7799-2 standard and the Méhari risk management method. It hinges on a framework security policy (PSC): a set of organizational, technical, human and legal principles whose implementation is recommended in order to create, manage and protect your Information System (IS), and in particular your sensitive data.
An active approach for greater security: in order to remain competitive, enterprises and institutions today have to communicate, which means opening their Information System infrastructures to the outside (clients, partners, subsidiaries, suppliers, etc.) under security rules that match the defined requirements and the current operational risks. With its "Audits" offer, developed specifically for enterprises, Safe-Protect advises and accompanies its clients in defining, assessing and checking the security of their Information System, and responds to their requirements in an appropriate and pragmatic way that also takes account of their technical environment, corporate culture and budget.

VULNERABILITIES AUDIT
The vulnerabilities audit draws up a systematic inventory of security weaknesses of various origins (default or inappropriate configuration, unpatched systems or applications, deviations from the security policy requirements, common operational and administrative shortcomings, user behavior, etc.). Using the expert assessment of its teams and vulnerability-search tools developed specially for this type of audit, the vulnerabilities audit involves:
- Taking account of the technical context and environment.
- Analyzing the reports generated by standard tools or by tools developed by Safe-Protect, in order to separate significant vulnerabilities from false positives.
- Supplementing reports by consulting public vulnerability databases as well as proprietary Safe-Protect ones.
- Writing an audit report and recommendations adapted to our clients' context.
INTRUSION AUDIT
Based on hypotheses put forward by one of our security experts, the Safe-Protect teams have developed the HAIM methodology (Hacking Attack & Intrusion Methodology). Used only by our teams, this very specific approach assesses the risk of intrusion and checks the security level of an infrastructure using the same methods as those used by attackers. The audit is split into several phases:
- A passive and active reconnaissance phase (mapping, OS fingerprinting, service banner identification), which gives an overview of the Information System as an attacker perceives it (network map, reachable IP addresses, active hosts, filtering rules, types and versions of applications visible from the outside, architecture, etc.).
- An attack phase, which assesses the risk of compromise of the various resources on the security perimeter, using manual or automated tests and tools developed specially for this type of service.
- A 'deliverable' phase, which at each stage (passive reconnaissance, active reconnaissance, attack) provides a clear and detailed report so that the client can monitor the progress of the service, steer it if necessary and validate the information fed back.
At the end of the audit, Safe-Protect writes an overview report describing the security failures found, the tests carried out and the tools used, together with recommendations for securing the audited Information System. Intrusion audits are carried out within a formal, contractual framework that sets the limits and responsibilities of Safe-Protect; they can be run either from inside or from outside the network, and either blind or on the basis of information supplied beforehand by the client.

CONFIGURATION AUDIT
When a vulnerability or intrusion audit is not possible (because the tested perimeter is in production or falls under a different responsibility), Safe-Protect instead carries out a configuration analysis of the resources within the service perimeter.

GLOBAL AUDIT AND RISK ANALYSIS
With this type of service, Safe-Protect accompanies its clients in formulating their security policy through a global approach. Using risk analysis methods, Information System security is examined from the organizational, structural and procedural angles, and roles and responsibilities are identified through interviews in the client's functional and operational departments. This service enables:
- An assessment of the existing situation, written up as an overview reflecting the Information System security status.
- Identification of security objectives and expression of the functional requirements in terms of security.
- Rating of the severity of the current risks.
- Formulation of the security policy and definition of a prioritized action plan.
- Writing of user guidelines.
DATABASE AUDIT
This audit detects critical points in the database structure, in the operating system and in the security arrangements, and takes the whole data architecture into consideration. The inventory is drawn up along the following lines:
- System:
  - Use of system resources: layout of the data disks, memory usage, etc.
  - Quality of the Oracle engine installation
  - Validity of the installed version (patch level, etc.)
  - Stop/start scripts and database backup
- Engine/Instances:
  - Securing of redo logs
  - Securing of control files
  - Handling of growth in database files
  - Validity of backups
  - Database access policy (passwords, SQL*Net, etc.)
- Internal Oracle architecture:
  - System parameters linked to the database (shared memory, SGA, etc.)
  - Logical database parameters (maximum number of files, etc.)
- Data architecture:
  - Distribution of objects across tablespaces
  - Use of partitioning
  - Sizing and growth of tablespaces
  - Validity of Oracle objects
  - Monitoring of object growth
  - Review of the field types used
- History, stability and backup:
  - Management of trace files (rotation, backup, etc.)
  - Review of the alert log
  - Assessment of the backup/security strategy (archive log mode)
- Tuning:
  - Study of the collected statistics
  - Checking for contention, correct use of the caches (volatile and semi-permanent), data distribution, consistency of the physical model, etc.
  - Selection of the most costly queries and suggested optimizations (rewriting, DDL changes, etc.); statistics on stored procedures
The information collected allows us to recommend the 'degree of urgency' as well as the workload involved in implementing and processing the information
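As an added illustration of how several of the database audit checklist items above can be verified directly from a DBA session (this is example code written for this page, not Safe-Protect's audit tooling): the queries below assume an Oracle 12c or later instance and a session with SELECT privileges on the data dictionary and dynamic performance views used; the 90% datafile-fill threshold, the 7-day alert-log window and the top-10 cut-off are assumptions chosen for the example.

```sql
-- Added example for this page (not Safe-Protect's own tooling).
-- Assumes Oracle 12c+ and a DBA-privileged SQL*Plus / SQLcl session.

-- Validity of the installed version: engine version and applied patches
SELECT banner FROM v$version;
SELECT patch_id, action, status, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- Securing of redo logs: any group with fewer than two members is not
-- multiplexed; a lost member then means lost transactions.
SELECT g.group#, g.status, COUNT(f.member) AS members,
       LISTAGG(f.member, ', ') WITHIN GROUP (ORDER BY f.member) AS paths
  FROM v$log g
  JOIN v$logfile f ON f.group# = g.group#
 GROUP BY g.group#, g.status
HAVING COUNT(f.member) < 2;          -- rows returned are findings

-- Securing of control files: a single copy is a finding
SELECT COUNT(*) AS control_files,
       LISTAGG(name, ', ') WITHIN GROUP (ORDER BY name) AS paths
  FROM v$controlfile;

-- Backup/security strategy: ARCHIVELOG mode is required for online
-- backups and point-in-time recovery
SELECT name, log_mode, force_logging FROM v$database;

-- Handling of growth in database files: datafiles that cannot autoextend,
-- or that are above 90% of their maximum size (assumed threshold)
SELECT tablespace_name, file_name, autoextensible,
       ROUND(bytes / 1048576)    AS size_mb,
       ROUND(maxbytes / 1048576) AS max_mb
  FROM dba_data_files
 WHERE autoextensible = 'NO'
    OR (maxbytes > 0 AND bytes > 0.9 * maxbytes);

-- Database access policy: accounts still carrying a default password
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- Database access policy: password limits of the profiles actually used
-- by open accounts (UNLIMITED lockout or lifetime is a finding)
SELECT u.profile, p.resource_name, p.limit, COUNT(u.username) AS open_accounts
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                           'PASSWORD_VERIFY_FUNCTION')
 GROUP BY u.profile, p.resource_name, p.limit
 ORDER BY u.profile, p.resource_name;

-- Parameters with a direct security effect (remote_os_authent should be
-- FALSE, audit_trail should not be NONE, o7_dictionary_accessibility FALSE)
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'audit_trail',
                'o7_dictionary_accessibility', 'sec_case_sensitive_logon');

-- Review of the alert log without file-system access: ORA- errors in the
-- last 7 days (assumed window), read through the ADR-backed view
SELECT originating_timestamp, message_text
  FROM v$diag_alert_ext
 WHERE message_text LIKE '%ORA-%'
   AND originating_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY originating_timestamp DESC;

-- Tuning: the ten most costly statements by logical reads, excluding the
-- dictionary schemas, as the starting point for rewrite/DDL recommendations
SELECT *
  FROM (SELECT sql_id, parsing_schema_name, executions, buffer_gets,
               ROUND(elapsed_time / 1e6, 1) AS elapsed_s,
               SUBSTR(sql_text, 1, 80)      AS sql_text
          FROM v$sql
         WHERE parsing_schema_name NOT IN ('SYS', 'SYSTEM')
         ORDER BY buffer_gets DESC)
 WHERE ROWNUM <= 10;
```

Each query is written so that the rows it returns are the findings (or the evidence for a finding), which makes the output easy to paste into the audit report; on a hardened instance the redo-log, control-file and default-password queries should return no rows at all.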