Strategic Consulting

ADSIC

About ADSIC
In 2007, the Abu Dhabi Systems & Information Centre (ADSIC) developed a strategic vision for an Information Security Programme that provides a holistic approach to enhancing information security for the Abu Dhabi Government. This programme goes beyond the traditional view of information technology to ensure that sensitive Government information is protected throughout its lifecycle within a service as well as within the automated systems where data is processed.


The vision, goals, and policy statements of the Information Security Programme are based on a set of well known standards, including ISO/IEC 27001 and 27002. These standards have been tailored to fit the specific requirements of the Abu Dhabi Government. The ADSIC standards include the following components:

 

- The Abu Dhabi Information Security Policy establishes overall direction for the Government-wide Information Security Programme and its roles and responsibilities

- Supporting the Information Security Policy is the Information Security Standards document, which provides the controls necessary to meet the Programme's management and functional policies. The controls in the Information Security Standards document relate to 51 control objectives that identify the unique target states for each of the 14 policies. These objectives constitute the major initiatives of the Information Security Programme and are aligned with ISO/IEC 27002

- ADSIC has also developed a series of procedural and functional guides. These guides provide detailed instructions on how to implement management and functional control processes:

 

 

Procedural Guides

Abu Dhabi Risk Management Guide
Abu Dhabi Risk Assessment Guide
Abu Dhabi Information Security Planning Guide
Abu Dhabi Security Testing & Evaluation Guide
Abu Dhabi Certification & Accreditation Guide
Functional Guides

Abu Dhabi Information Security Technical Testing Guide
Abu Dhabi Policies and Procedures Guide

 

ADSIC Services
An important part of help AG's Strategic Security Services concentrates on the implementation of the ISMS standards; several of the trainings offered also relate to ISO/IEC 27001, and help AG has a lot of experience in providing these services (further information upon request).


help AG can assist your organization in:

Preparing for ADSIC Certification and Accreditation
Carrying out Risk Assessment and Risk Treatment
Developing the Information Security Plan
Configuration Reviews, Vulnerability Tests, Penetration Tests and Application Assessments
Joint ISO/IEC 27001 and ADSIC Implementation

Preparing for ADSIC Certification and Accreditation
More and more government entities in Abu Dhabi aim to achieve ADSIC certification and accreditation. help AG can support them by leading them through the steps of implementing the ADSIC standards, such as carrying out risk assessment and risk treatment, selecting controls or developing the Information Security Plan.


Risk Assessment and Risk Treatment
An important element of the ADSIC Security Standards is risk assessment. It is used to determine the amount of information security needed by going through the following steps: Determine Scope of the Assessment; Identify and Characterise Assets; Assess Impact; Identify Threats; Identify Vulnerabilities; and Determine Risk.


This is followed by Information Security Planning — Step 2 of the Risk Management process — where the government entity formulates a plan for the best way to reduce the identified risks and follows it up with a course of action. The ADSIC Information Security Standards document is used to determine appropriate controls for a specific risk profile. Subsequently, Security Testing and Evaluation determines whether the risks have been properly treated.

Developing the Information Security Plan


A core document in the ADSIC Security Programme is the Information Security Plan.  This plan documents the controls that have been implemented and provides evidence about details of the implementation.

 

Joint ISO/IEC 27001 and ADSIC Implementation
As the Information Security Programme is based on ISO/IEC 27001 and ISO/IEC 27002, the combined implementation of ISO/IEC 27001 and ADSIC seems a natural choice for all those organizations having to comply with the ADSIC scheme and, at the same time, wishing to have a management system that is internationally recognised.


As several of the requirements of the ADSIC Security Standards and of ISO/IEC 27001 are similar and have considerable overlap, help AG has developed a combined methodology, which combines the requirements of both standards, where possible, to reduce double work and to minimize the time, work and resources in these processes.  This combined methodology has been discussed with ADSIC and has been successfully applied in a number of combined ISMS and ADSIC projects.

Application Code Review

help AG's application code review gives customers a security audit of the source code of their in-house developed applications. Our application code review services take a practical approach to identifying source code defects from a security perspective.

 

The intention of these services is to ensure that applications are not developed with code-related security issues embedded in them, which would later lead to vulnerabilities and insecure applications. Our services include practical recommendations on how to address identified issues, allowing developers to fast-track the mitigation process and thereby achieve a quicker time-to-service for new applications while still delivering secure applications. The services can be delivered across a number of development languages such as Java, C, Python, Ruby on Rails etc.

 

Architecture and Topology Review

BS 25999-2

About BS 25999-2

The British standard BS 25999-2 contains requirements for a business continuity management system.  The interest in business continuity is constantly growing, and while currently no international standard for a business continuity management system exists, certificates can only be given against the British standard BS 25999-2. The corresponding international standard is currently under development.

 

BS 25999-2 is supported by another British standard, BS 25999-1, which specifies a set of controls to support the management system. Whilst BS 25999-2 contains requirements, the controls contained in BS 25999-1 are optional, and it is up to the organization applying the standards to choose from them.

 

BS 25999-2 Services

help AG’s Strategic Security Services include the implementation of BS 25999-2, and several of the trainings offered also relate to BS 25999-2 and help AG has vast experience in providing these services. In addition, help AG has developed the Business Continuity Framework for aeCERT.

 

help AG can assist your organization in:

 

  • Preparing for BS 25999-2 certification
  • Carrying out Business Impact Analyses and Business Continuity Risk Assessments
  • Gap Analysis against BS 25999-2 and BS 25999-1
  • Internal BCMS Audit
  • Implementation of Combined Management Systems
Documentation Review

Firewall Audit

One of the cornerstones in any IT security solution is the Network Firewall. There are many vendors offering technical devices in this field, some with specific feature-sets and functionality, however, one common fact in all of the solutions available is that the firewall is never better than the policy installed on it.

 

Very often a firewall policy is deployed and the environment subsequently changes, but the firewall rules are not changed with it.

 

Due to its extensive exposure to firewall solutions from a wide range of vendors, help AG can offer expert advice on the currently deployed firewall policy and match the existing deployment against the information security standard in use, such as ISO/IEC 27001, PCI DSS or ADSIC.

 

help AG can also advise on operational aspects in firewall management such as log correlation, log retention and day to day investigation of events.
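The kind of check a firewall policy review starts with, as an added example (this is not help AG's tooling, and the rule format, the first-match semantics and the asset inventory are assumptions made for illustration): under first-match processing a rule that an earlier rule fully covers can never fire, a rule naming a host that no longer exists is drift from the environment, and an allow rule open to any source on any port needs a written justification.

```python
"""Stale, shadowed and over-permissive rule checks for a firewall policy.

Added example, not help AG's tooling. The rule format and the asset inventory
are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network or host, CIDR or bare IPv4 address
    dst: str      # destination network or host
    port: str     # "any" or a destination port number as a string
    action: str   # "allow" or "deny"

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (
            ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and self.port in ("any", other.port)
        )


def find_shadowed(rules):
    """Rules that can never match because an earlier rule already covers all their traffic.

    First-match semantics are assumed. A covered rule is dead whatever its action:
    same action means it is redundant, a different action means it is silently overridden.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


def find_stale(rules, inventory):
    """Rules that name a single host (/32) which no longer exists in the asset inventory."""
    live = {ip_network(host) for host in inventory}
    stale = []
    for rule in rules:
        for endpoint in (rule.src, rule.dst):
            net = ip_network(endpoint)
            if net.prefixlen == 32 and net not in live:
                stale.append((rule.name, endpoint))
    return stale


def find_overly_permissive(rules):
    """Allow rules open to any source on any port: the rule base equivalent of no firewall."""
    return [
        r.name
        for r in rules
        if r.action == "allow" and ip_network(r.src) == ANY and r.port == "any"
    ]


# Constructed sample policy and inventory (not a real customer rule base).
RULES = [
    Rule("allow-web", "0.0.0.0/0", "10.0.1.10", "443", "allow"),
    Rule("allow-old-db", "10.0.2.7", "10.0.1.20", "1433", "allow"),   # 10.0.2.7 was decommissioned
    Rule("allow-lan-any", "10.0.0.0/8", "10.0.1.0/24", "any", "allow"),
    Rule("deny-lan-ssh", "10.0.0.0/16", "10.0.1.10", "22", "deny"),   # never reached: allow-lan-any matches first
    Rule("allow-vendor-all", "0.0.0.0/0", "10.0.0.0/8", "any", "allow"),
]
INVENTORY = ["10.0.1.10", "10.0.1.20", "10.0.1.30"]


def audit(rules=RULES, inventory=INVENTORY):
    return {
        "shadowed": find_shadowed(rules),
        "stale": find_stale(rules, inventory),
        "overly_permissive": find_overly_permissive(rules),
    }


if __name__ == "__main__":
    for category, findings in audit().items():
        print(f"{category}: {findings}")
```

The shadowing check is deliberately strict (full coverage of source, destination and port), so it never produces a false positive; partial overlaps still need a human reading the policy against the intended design.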

Implementation Services

help AG Middle East employs a large team of security industry experts with years of experience in implementing innovative security solutions. help AG can assist in implementing solutions from the vendors it partners with.

 

This means help AG can deliver turn-key security solutions and infrastructure projects in all phases from conceptualization to planning, implementation and operation.


With our consistent focus on achieving the highest possible technical capabilities in each of our core focus technologies we can deliver technical implementation services at the highest standard available in the industry.


With our vast experience we can undertake a full project, engage in any phase of a project or assist in controlling already implemented solutions. Any large-scale project delivered follows the help AG SPIEC project management framework, ensuring the timely delivery of the project and a clear impact analysis of any changes to design, scope or other aspects that may surface during the life of the project.

ISO/IEC 20000-1

About ISO/IEC 20000-1
The IT Service Management System (ITSMS) standard ISO/IEC 20000-1 was published by ISO in 2005, based on the British Standard BS 15000, and has been very successful; the number of certifications against it is constantly growing around the world. There is close collaboration between the standards committee responsible for ISO/IEC 20000-1 (ISO/IEC JTC 1/SC 7/WG 25) and the group developing the 27000 series of standards, one reason being the development of ISO/IEC 27013. More about this, and about the involvement of Dr. Angelika Plate in these activities, can be found under Standards.


ISO/IEC 20000-1 specifies the requirements for an IT Service Management System (ITSMS) and organizations successfully implementing the requirements of ISO/IEC 20000-1 can be certified against this standard.  help AG offers a number of services around the implementation of this standard.


ISO/IEC 20000-1 is supported by a set of other standards and has been harmonized with the other management system standards ISO 9001:2000 and ISO 14001:2004 to facilitate combined implementations.

ISO/IEC 20000-1 Services
Implementing ISO/IEC 20000-1 is a growing business in help AG’s Strategic Security Services and several of the trainings offered also relate to ISO/IEC 20000-1.


help AG can assist your organization in:

- Preparing for ITSMS certification

- Building IT Service Management Processes

- Gap Analysis against ISO/IEC 20000-1 and other parts of the ISO/IEC 20000 series

- Internal ITSMS Audit

- Implementation of Combined Management Systems

ISO/IEC 27001

About ISO/IEC 27001

ISMS standard ISO/IEC 27001 was published by ISO on 15th October 2005 and has been a tremendous success story ever since; the number of users and certificates is constantly growing.  It was developed by the standardization committee ISO/IEC JTC1 SC27.


ISO/IEC 27001:2005 specifies the requirements for an Information Security Management System (ISMS) and organizations successfully implementing the requirements of ISO/IEC 27001 can be certified against this standard.  An ISMS uses a risk based approach to develop information security in an organization supporting its business requirements, and uses measurements to ensure effectiveness of the implemented controls. help AG offers a number of services  around the implementation of this standard.


ISO/IEC 27001 is supported by a set of other standards and has been harmonized with the other management system standards ISO 9001:2000 and ISO 14001:2004 to facilitate combined implementations. ISO/IEC 27001 has also been the basis of the ADSIC Security Standards, and help AG has developed a methodology to facilitate a joint implementation of both standards.

 


ISO/IEC 27001 Services
An important part of help AG's Strategic Security Services concentrates on the implementation of the ISMS standards; several of the trainings offered also relate to ISO/IEC 27001, and help AG has vast experience in providing these services.

 

help AG can assist your organization in:
• Preparing for ISMS certification
• Carrying out Risk Assessment and Risk Treatment
• Gap Analysis
• Internal ISMS Audit
• Implementation of Combined Management Systems
• Joint ISO/IEC 27001 and ADSIC Implementation


 

Preparing for ISO/IEC 27001 Certification

More and more organizations are interested in achieving certification against ISO/IEC 27001.  There are many benefits and motivations for an organization to become certified, including implementing a management system to have reliable information security and better internal control, fulfilling requirements of business partners, or to give a message to customers and business partners that the organization’s operations are secure.


help AG supports organizations in achieving the ISMS certificate, by leading them through the important ISMS processes (scope definition, carrying out risk assessment and risk treatment, defining the statement of applicability, conducting internal audits, carrying out management reviews and all the other ISMS processes required).

 
Risk Assessment and Risk Treatment
The core element of an ISMS is risk assessment – it is used to determine the amount of information security needed by the organization, based on the business requirements, and risk treatment determines how information security objectives are achieved. ISO/IEC 27001 sets clear requirements for risk assessments, including asset identification, asset valuation and identification of threats and vulnerabilities and the assessment of their likelihood.


Essential questions in this context are how to get to all the relevant information, what the appropriate level of detail is, and how to ensure that no important risks are overlooked. help AG has developed a method for conducting ISMS risk assessments that ensures quality output, which has been successfully tried and tested in many ISMS implementations. help AG has also developed the tool RA2 art of risk to support the risk assessment and treatment activities, which helps manage the amount of information processed and eases the regular updating process.


The details on how to conduct a risk assessment might vary, depending on the requirements to be fulfilled (e.g. if a combined ADSIC and ISMS implementation is to be achieved). The requirements in ISO/IEC 27001 are flexible enough to allow other requirements to be addressed at the same time.
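The ADSIC steps listed earlier (identify assets, assess impact, identify threats and vulnerabilities, determine risk, then plan treatment and test the result) and the ISO/IEC 27001 requirements above (asset valuation, threats, vulnerabilities, likelihood) can be carried through on a small register. The following is an added example written for this page, not ADSIC's method, help AG's method or the RA2 art of risk tool: the 1..3 scales, the likelihood rule and the acceptance threshold are assumptions, since both schemes leave the criteria to the organization.

```python
"""Qualitative risk assessment and treatment register.

Added example, not ADSIC's or help AG's method. The 1..3 scales, the likelihood
rule and the risk acceptance threshold are assumptions; ISO/IEC 27001 requires
the organization to define its own criteria.
"""
from dataclasses import dataclass, replace

ACCEPTABLE_RISK = 3  # assumed risk acceptance criterion on the 1..9 scale below


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # asset value per security property, 1 (low) .. 3 (high)
    integrity: int
    availability: int


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: str
    vulnerability: str
    threat_likelihood: int  # 1 (rare) .. 3 (frequent)
    exploitability: int     # 1 (hard) .. 3 (trivial) for the vulnerability as it stands
    affects: tuple          # subset of ("C", "I", "A") compromised if the scenario occurs


def impact(s: Scenario) -> int:
    """Impact is driven by the most valuable property the scenario compromises."""
    value = {"C": s.asset.confidentiality, "I": s.asset.integrity, "A": s.asset.availability}
    return max(value[p] for p in s.affects)


def likelihood(s: Scenario) -> int:
    """Assumed rule: a frequent threat against a hard-to-exploit weakness is still unlikely."""
    return min(s.threat_likelihood, s.exploitability)


def risk(s: Scenario) -> int:
    return impact(s) * likelihood(s)  # 1..9


def treatment(s: Scenario) -> str:
    return "accept" if risk(s) <= ACCEPTABLE_RISK else "mitigate"


def apply_control(s: Scenario, exploitability_after: int) -> Scenario:
    """Risk treatment: a selected control lowers how easily the vulnerability is exploited."""
    return replace(s, exploitability=exploitability_after)


def residual_risk_acceptable(s: Scenario, exploitability_after: int) -> bool:
    """Testing and evaluation step: check the treated scenario against the acceptance criterion."""
    return treatment(apply_control(s, exploitability_after)) == "accept"


def register(scenarios):
    """Risk register ordered with the highest risk first, as input to the security plan."""
    ordered = sorted(scenarios, key=risk, reverse=True)
    return [(s.asset.name, s.threat, impact(s), likelihood(s), risk(s), treatment(s)) for s in ordered]


# Constructed assets and scenarios (not a real assessment).
DB = Asset("customer database", confidentiality=3, integrity=3, availability=2)
WEB = Asset("public website", confidentiality=1, integrity=2, availability=3)

SCENARIOS = [
    Scenario(DB, "external attacker", "SQL injection in web front end", 3, 3, ("C", "I")),
    Scenario(WEB, "volumetric DDoS", "no upstream traffic filtering", 2, 3, ("A",)),
    Scenario(DB, "lost backup media", "off-site backups unencrypted", 1, 2, ("C",)),
    Scenario(WEB, "defacement", "weak CMS admin password", 2, 2, ("I",)),
]


if __name__ == "__main__":
    for row in register(SCENARIOS):
        print(row)
    sqli = SCENARIOS[0]
    # Parameterized queries plus a WAF bring exploitability from 3 to 1: residual risk 3 * 1 = 3
    print("SQLi residual risk acceptable:", residual_risk_acceptable(sqli, 1))
```

Whatever scales are chosen, the two things an assessor must be able to show are that every asset and threat scenario in scope appears in the register, and that the treatment decision for each row follows from a criterion written down before the assessment rather than after it.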


Carrying out Gap Analysis
ISMS Gap Analysis (also known as Readiness Assessment or Compliance Check) checks the organization's arrangements against the requirements in ISO/IEC 27001 and the controls contained in ISO/IEC 27002.  Organizations can use gap analysis to check their information security status, or how far they are from achieving ISMS certification. The results of this gap analysis identify all ISMS processes and controls that are not or not completely and correctly implemented, and identify ways of improvement.  Gap Analysis is often used as a first step in ISMS certification.

 
Conducting Internal ISMS audits
Regular conduct of internal ISMS audits is a requirement of ISO/IEC 27001, so any organization wishing to implement or already operating an ISMS needs to ensure that internal ISMS audits take place as planned. In this context, it is important to understand that the internal ISMS auditors need to be independent of the area being audited, i.e. all those people involved in the implementation and/or operation of the ISMS cannot conduct such audits.  In addition, internal ISMS auditors should be sufficiently competent to carry out ISMS audits.

 


One solution an organization can use is to employ an external party to conduct internal ISMS audits – even though that sounds contradictory, this is a perfectly viable solution.


The internal ISMS audits can also be combined with other, more technical activities, such as vulnerability assessments, penetration tests, application assessments and network security architecture reviews to carry out a comprehensive IT audit, covering all aspects of information security.

 
Implementation of Combined Management Systems
ISO/IEC 27001 can be combined with other management systems, frequently applied combinations are:


• ISO/IEC 27001 and ISO/IEC 20000-1: This is a useful combination especially for IT departments or IT service providers, as ISO/IEC 20000-1 is highly IT oriented. Both standards have some overlap and address similar topics, just with a different aim; therefore a combination can reduce the resources and time required.


• ISO/IEC 27001 and BS 25999-2: Another useful combination of management systems is for information security and business continuity. One of the benefits of a combined implementation is that both standards need a risk assessment to be performed, and as information security incidents can lead to business continuity incidents and vice versa, it is important to have a connection between the management systems.


• ISO/IEC 27001 and ISO 9001 / ISO 14001 / OHSAS 18001: Other management system standards can also be easily combined with ISO/IEC 27001; which of these standards are chosen for combination depends on the business objectives of the organization applying it. All these combinations are possible and also help save time and resources, as all management system standards have elements in common. This fact has led ISO to consider a common structure and identical text for all management system standards.
 

Joint ISO/IEC 27001 and ADSIC Implementation
The Abu Dhabi Security Information Centre (ADSIC) has developed a set of security standards that are based on ISO/IEC 27001.  Therefore, the combined implementation of ISO/IEC 27001 and ADSIC seems a natural choice for all those organizations having to comply with the ADSIC scheme and, at the same time, wishing to have a management system that is internationally recognised.


As several of the requirements of the ADSIC Security Standards and of ISO/IEC 27001 are similar and have considerable overlap, help AG has developed a methodology which combines the requirements of both standards, where possible, to reduce heavy workload and minimize time and resources in these processes. This combined methodology has been discussed with ADSIC and successfully applied in a number of combined ISMS and ADSIC projects.

 
27001 Series of Standards
In addition to the development of ISO/IEC 27001, SC 27 is working on several other standards that support the implementation of ISO/IEC 27001 and which might be an interesting read for all those wishing to implement an ISMS.

 

The following is an overview of all standards currently in development in SC 27 and their status of development:

 

• ISO/IEC 27000: 2009, Information security management systems - Overview and vocabulary (1st edition, currently under revision) – this standard is freely available, contact Dr. Angelika Plate for details
• ISO/IEC 27001: 2005, Information security management systems - Requirements (1st edition, currently under revision) – Dr. Angelika Plate is the project manager of this revision
• ISO/IEC 27002: 2005, Code of practice for information security controls (1st edition, currently under revision)
• ISO/IEC 27003: 2010, Information security management system implementation guidance (1st edition)
• ISO/IEC 27004: 2009, Information security management measurements (1st edition)
• ISO/IEC 27005: 2008, Information security risk management (2nd edition)
• ISO/IEC 27006: 2007, Requirements for bodies providing audit and certification of information security management systems (1st edition, currently under revision) – Dr. Angelika Plate is the project manager of this revision
• ISO/IEC 27007: 2010, Guidelines for information security management systems auditing (under development) – Dr. Angelika Plate is the project manager of this development
• ISO/IEC 27008: 2010, Guidance for auditors on ISMS controls (under development)
• ISO/IEC 27010: 2010, Information security management for inter-sector and inter-organizational communications (under development)
• ITU-T X.1051 | ISO/IEC 27011: 2008, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 (1st edition)
• ISO/IEC 27013: 2010, Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001 (under development)
• ISO/IEC 27014: 2010, Governance of information security (under development)
• ISO/IEC 27015: 2010, Information security management guidelines for financial services (under development)
• ISO/IEC 27016: 2010, Information security management -- Organizational economics (under development)

 

IT Security Training

The objective of information security training is to ensure that personnel are aware of the organization's information security policy, guidelines and procedures.


In addition, these training sessions cover issues such as the definition and purpose of information security and the information security threats related to the use of e-mail, the Internet and corporate networks; legislation concerning information security can also be covered.

 

Training can be customized to target a number of key personnel groups in the customer environment such as Information Security Training for management, IT personnel and users.

Network Performance Assessment

Network Security Assessment

A Network Security Audit is an important tool for any organization in order to understand the precautions taken against everyday security risks. Quite often many technical solutions have been deployed in order to fix a specific security problem, but due to misconfiguration or a lack of understanding of the technology or of the problem being solved, only limited value is gained from the solution.

Through the extensive experience gained by the help AG senior technical team we can offer a holistic view of the network security implemented in an organization.

Our Network Security Assessment can be used as an important planning tool in addressing identified issues and handling security objectives at hand.

PCI-DSS

About PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.


Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.  The latest version is 2.0 and this version needs to be adopted from 1st January 2011 onwards.


PCI-DSS Services
help AG’s Strategic Security Services include support in implementing the PCI-DSS standard.


help AG can assist your organization in:

 

  • Preparing for QSA assessments
  • Vulnerability Tests and Penetration Tests
  • Implementation of information security controls (firewalls, IPS, etc. as well as procedural controls and documentation)
Penetration Testing

The purpose of a help AG penetration test is to determine the real impact of the weaknesses and vulnerabilities of the target environment.


Testing concentrates on attacking the target environment with tools commonly used by hackers and other attackers. New tools are developed where required to exploit a found vulnerability, and even source code review can be included in a penetration test. Testing varies depending on the target environment, and therefore each penetration test is designed specifically for the target system.

 

The goal of penetration testing is to break into the target system and/or to access confidential information. However, the success of penetration testing depends on the security level of target systems.


help AG does not guarantee that a penetration test results in a successful break-in, but where it does, help AG can offer consulting on addressing the detected issues, either by adding technical controls or by changing the security setup surrounding the tested system.

Platform Audit

During a platform audit, help AG engineers perform a full audit of UNIX, Windows and other operating systems, mapping the services in use, checking whether those services are outdated or unpatched, and documenting the security risks related to them. This approach is an essential part of ensuring the overall security of the systems in operation in an organization.

 

By verifying the configuration of individual machines in addition to network penetration audits, a more in-depth view of the security configuration is achieved.


The results of the audit will show if the system’s security level is appropriate for the role and purpose of the system, and whether it encompasses any defense-in-depth or solely depends on external protection mechanisms.
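The core of the service mapping described above, as an added example that is not help AG's audit procedure: a listing of listening services is compared with a baseline for the host's role, flagging services that should not be there at all, services below the minimum patched version, and services bound to all interfaces when the role only allows them on loopback. The listing format, the baseline and the version numbers are constructed for illustration; in practice the listing would be assembled from the operating system's own tools (for example `ss -ltnp` or `netstat -ano` plus the package manager).

```python
"""Platform audit: compare listening services on a host with a baseline for its role.

Added example, not help AG's audit procedure. The listing format, the baseline
and the version numbers are constructed for illustration.
"""

# Constructed listing of listening services: proto, bind address, port, process, version.
LISTENING = """\
tcp 0.0.0.0 22   sshd   7.4
tcp 0.0.0.0 80   nginx  1.14.2
tcp 0.0.0.0 3306 mysqld 5.5.62
tcp 0.0.0.0 8080 java   6.0.29
"""

# Baseline for a "web server" role (assumed): minimum patched version and, where the
# service must not be reachable from the network, the only bind address allowed.
BASELINE = {
    "sshd":   {"min_version": "7.4"},
    "nginx":  {"min_version": "1.18.0"},
    "mysqld": {"min_version": "5.7.0", "bind": "127.0.0.1"},
}


def parse_version(text):
    """'1.14.2' -> (1, 14, 2); tuples compare component-wise, so 1.14.2 < 1.18.0."""
    return tuple(int(part) for part in text.split("."))


def parse_listing(listing):
    services = []
    for line in listing.strip().splitlines():
        proto, bind, port, name, version = line.split()
        services.append({"proto": proto, "bind": bind, "port": int(port), "name": name, "version": version})
    return services


def audit_platform(listing=LISTENING, baseline=BASELINE):
    """Return (service, port, finding) for every deviation from the role baseline."""
    findings = []
    for svc in parse_listing(listing):
        expected = baseline.get(svc["name"])
        if expected is None:
            # Not in the baseline at all: an exposed service nobody planned for this role.
            findings.append((svc["name"], svc["port"], "unexpected service for this role"))
            continue
        if parse_version(svc["version"]) < parse_version(expected["min_version"]):
            findings.append((svc["name"], svc["port"], f"outdated: {svc['version']} < {expected['min_version']}"))
        required_bind = expected.get("bind")
        if required_bind and svc["bind"] != required_bind:
            # Defence in depth: the service should not rely on the perimeter firewall alone.
            findings.append((svc["name"], svc["port"], f"exposed: bound to {svc['bind']}, expected {required_bind}"))
    return findings


if __name__ == "__main__":
    for name, port, finding in audit_platform():
        print(f"{name}:{port} {finding}")
```

The bind-address check is what distinguishes a host that has its own defence in depth from one that depends solely on external protection: a database listening on every interface is only as safe as the firewall in front of it.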

Product Enhancement

In the field of IT security technical controls, help AG is often faced with the issue that certain customer requirements cannot be fully met by off-the-shelf IT security solutions. Therefore, help AG's team of skilled security consultants often enhances the functionality of vendor solutions.


This could, for instance, be writing custom IPS and antivirus signatures for Symantec SEP, IPS signatures for other IPS systems, client application enhancements for Symantec DLP, and advanced website protection utilizing Ergon Airlock and the F5 BIG-IP platform.


Custom functionality development is delivered as part of the help AG consultancy services and is priced based on consumption of time.

Residential Engineer Services

help AG residential engineering services allow customers to outsource the full or partial operation of their security infrastructure to help AG, which provides residential engineers handling the day-to-day operation, configuration and tuning of security platforms.

 

Hybrid models, where help AG's helpdesk handles issue management and configuration changes combined with onsite resources within agreed timeframes, can be delivered if required.

 

Standards

Involvement in Standardization
Dr. Angelika Plate, the Director of the Strategic Consultancy Services at help AG, has been involved in information security standardization in ISO/IEC JTC 1/SC 27, the standards group dealing with the ISMS standards, since 1994. There, she has successfully completed the editorship of the world-wide well known standard ISO/IEC 27002:2005 Code of practice for information security management and of ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of information security management systems.

In addition, she is currently editing the ISMS auditor guidelines standard ISO/IEC 27007 and has also been selected as editor of the revision of ISO/IEC 27001 Information security management system requirements, which is currently ongoing.  This revision will have a major impact on the standard as there is a new ISO initiative to harmonize all management system standards through the use of a common structure and identical text.

UAENC 27
In collaboration with ESMA (Emirates Authority for Standardization and Metrology) and aeCERT, Dr. Angelika Plate has recently established a UAE mirror committee for SC 27, called UAENC 27 (United Arab Emirates National Committee 27). A first meeting has already taken place and further meetings are planned to discuss UAE contributions to the international standards work in SC 27.

Training

Strategic Security Trainings offered by help AG
There is a set of trainings related to strategic security, management system standards and other topics related to these areas offered by help AG, including:

 

  • ISO/IEC 27001 and all related standards, including their implementation
  • BS 25999-2 and all related standards, including their implementation

These training sessions can take place in collaboration with other organizations or in-house, as it suits your organization.


In addition, other trainings concentrating on particular topics, such as business impact analysis, risk assessment, treatment and management, measuring effectiveness of information security controls and processes, and a lot more can always be offered.

Training Partners
help AG’s Strategic Security Services is currently collaborating with the following organizations to offer trainings:

 

  • ISO – Dr Angelika Plate has been chosen by ISO to be their presenter for ISO/IEC 27001 related courses around the world; two of these have already taken place this year and more are being planned
  • IIR ME – The well known course provider is collaborating with Dr Angelika Plate to provide a set of courses
Transitional Services

Vulnerability Assessment

Vulnerability analysis, carried out externally or internally, is a network security service whose objective is to find possible vulnerabilities and security weaknesses in network components and to recommend actions to protect the organization's network against the discovered vulnerabilities and security weaknesses.

Vulnerabilities and security weaknesses are analysed by utilizing a highly effective combination of network security analysis tools, which provide extensive and up to date coverage of security checks. help AG security specialists analyse the reports and results produced by the different network security analysis tools. This is done to ensure that the given recommendations to solve security problems are suitable for the client’s network environment.

A comprehensive audit report categorizes the revealed security flaws according to their priority and provides recommendations for fixing the identified problems.

Web Application Audit

All organizations are constantly looking into optimizing work flows, information management and processes. Modern applications are replacing legacy workflow and optimizing how information can be stored and accessed. Due to the sensitivity of the data stored and accessed through applications it is of extreme importance to understand if an application is secure. 
 
help AG can assist in identifying security issues in applications by performing an application audit.
 
An application audit can consist of a number of procedures, the purpose of which is to identify potential  security issues in the application. Any identified issues will be covered in a comprehensive audit report, which can be used by the client in the efforts of addressing security issues either through internal development or in communication with external application developers.
 
Our audits can cover such areas as:
 
1.    Exploitation and Vulnerability Assessment
Programmatic vulnerabilities arise when the application's own logic is flawed or secure coding standards have not been followed. Platform vulnerabilities form a separate class: these attacks work regardless of coding practices, since they exploit the hosting platform rather than the application code itself. The auditor covers both.
 
2.    Authentication Analysis
Authentication methods have long been identified and developed into ready-made components or modules, allowing developers to equip their applications with identification and privilege-granting capabilities. However, the inner workings of those methods are well known to malicious groups, and well-documented instructions on how to defeat those mechanisms circulate publicly among them. The auditor identifies weak authentication implementations during this phase. All findings are reported together with their countermeasures.


3.    Application Authorization
Application authorization is the most commonly mis-implemented component in application programming. Authorization can be hijacked, tampered with and enumerated, each of which can allow an anonymous user to escalate their access level up to administrative access. Our auditor(s) document the findings and report the recommendations necessary to counter such attacks.

4.  Input Validation and Coding Best Practices
Exploitation and penetration reveal known vulnerabilities of a system, but to protect against zero-day risks, standards for input handling must be put into practice. The auditor focuses mainly on studying how the code handles inputs throughout the application and recommends further controls to be put into practice.

5.  Database Targeting Attacks
During this phase the auditor attempts to execute various attacks that exploit database vulnerabilities. Database vulnerabilities are usually the most dangerous, because by penetrating such a weakness the attacker can bypass all other security measures and execute the desired malicious code. Database attacks can be tunnelled through the application layer, which makes them not only dangerous but also easily accessible.

6.  XML Targeting Attacks
XML is one of the fastest-growing programmable technologies and is widely supported by browsers and by applications on many other devices. If XML processing is not implemented carefully, an attacker can manipulate XML entities, for example through external entity references, in order to perform cross-site scripting and other malicious activity.

7.  Attacking the Application Management Console
In this phase, the auditor will focus on attacking various application management technologies such as remote desktop, SSH, content management systems and checking for other admin misconfigurations.

8. Web Client Cross Browser Attacks
The auditor checks for the possibility of attacking other users of the same system through cross-site and cross-browser attacks. Server-side countermeasures, as well as browser countermeasures that can be enforced via Active Directory Group Policy, are reported.
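Two of the audit areas above, database targeting attacks (item 5, tunnelled through the application layer) and application authorization (item 3, enumerated to reach other users' data), with the authentication bypass of item 2 as the payload, in working code. This is an added example and not help AG's audit tooling: the schema, the two users, the in-memory SQLite database and the hypothetical application functions are constructed for illustration, and each vulnerable function is shown beside its fixed form so the audit finding and the recommended countermeasure sit together.

```python
"""Web application audit checks for SQL injection and broken object-level authorization.

Added example, not help AG's audit tooling. The schema, the sample users and
the hypothetical application functions are constructed for illustration.
"""
import sqlite3


def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE documents(id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
        INSERT INTO documents VALUES (10, 1, 'alice: private notes'), (11, 2, 'bob: salary letter');
    """)
    return db


# --- Database targeting attacks: the query is built by string formatting -----------
def login_vulnerable(db, username, password):
    # Passwords are stored in clear here only to keep the injection visible; real code hashes them.
    query = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    # Parameter binding: the input is data and never becomes part of the SQL grammar.
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row[0] if row else None


# --- Application authorization: object lookup without an ownership check ------------
def get_document_vulnerable(db, requester_id, doc_id):
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_fixed(db, requester_id, doc_id):
    # The requester's identity is part of the lookup, so a foreign id simply does not exist for them.
    row = db.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?", (doc_id, requester_id)
    ).fetchone()
    return row[0] if row else None


def enumerate_documents(db, fetch, requester_id, id_range):
    """Auditor's enumeration: which object ids can this user read with the given lookup?"""
    return [doc_id for doc_id in id_range if fetch(db, requester_id, doc_id) is not None]


def run_audit():
    db = setup_db()
    injection = "' OR '1'='1"  # classic login bypass payload
    bob = 2
    return {
        # 1 means the attacker is logged in as user id 1 (alice) without knowing her password
        "sqli_bypass_vulnerable": login_vulnerable(db, "nobody", injection),
        "sqli_bypass_fixed": login_fixed(db, "nobody", injection),
        "bob_reads_vulnerable": enumerate_documents(db, get_document_vulnerable, bob, range(10, 13)),
        "bob_reads_fixed": enumerate_documents(db, get_document_fixed, bob, range(10, 13)),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

The authorization fix deliberately returns "not found" rather than "forbidden" for a document the requester does not own, so that the enumeration loop cannot distinguish ids that exist from ids that do not; the same applies to login errors, which should not reveal whether the username was valid.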
