Security service details

The service is designed to identify security vulnerabilities in the installation of your Opigno LMS platform that could be exploited to obtain unauthorized access to critical network components. They may include:

• Weak user credentials
• Configuration faults, including excessive user privileges of your Opigno LMS platform
• Disclosure of sensitive information

Model

A Security assessment is carried out via the Internet with knowledge of your Opigno LMS installation.

Results

After the service, customers receive a report containing:

• High-level conclusions on security vulnerabilities and recommendations to remedy the gap;
• A detailed description of the vulnerabilities detected, including the severity level, possible impact on vulnerable systems, and evidence of the existence of vulnerabilities (where feasible);
• Recommendations for eliminating vulnerabilities;

Based on best cybersecurity practices and methodologies 

• Project testing according to Open Web Application Security (OWASP)
• NIST Special Publications 800-115 Technical Guide to Information Security Testing

And evaluation

• Information systems and security assessment framework (ISSAF)
• Threats from the Web Application Security Consortium (WASC)
• Classification
• Drupal Security Advisory

The service is designed to identify security flaws in the Opigno LMS which include vulnerabilities caused by the usage of outdated Opigno LMS, its modules and libraries versions without latest security updates.

Model

Security assessment conducted through the Internet with full knowledge of your Opigno LMS installation.

Results

• High-level conclusions on the security flaws and recommendations to remediate them;
• A detailed description of detected vulnerabilities, including severity level, possible impact on the vulnerable system, and evidence of the existence of vulnerabilities (where possible);
• Recommendations for eliminating vulnerabilities;

Based on cybersecurity world best methodologies and practices like:

• Open Web Application Security Project (OWASP) Testing Guide
• Web Application Security Consortium (WASC) Threat Classification
• Drupal Security advisories

The service is designed to identify security flaws in the Opigno LMS installation which include vulnerabilities caused by errors in custom change Opigno LMS code listed in WASC Threat Classification and OWASP Top 10

Model

Security assessment conducted through the Internet with full knowledge of your Opigno LMS installation.

Results

Following the service, customers receive a report containing the following:

• High-level conclusions on the security flaws and recommendations to remediate them;
• A detailed description of detected vulnerabilities, including severity level, possible impact on the vulnerable system, and evidence of the existence of vulnerabilities (where possible);
• Recommendations for eliminating vulnerabilities;

Based on cybersecurity world best methodologies and practices:

• Open Source Security Testing Methodology Manual (OSSTMM)
• Open Web Application Security Project (OWASP) Testing Guide
• NIST Special Publications 800-115 Technical Guide to Information Security Testing

and Assessment

• Information Systems Security Assessment Framework (ISSAF)
• Web Application Security Consortium (WASC) Threat Classification
• Drupal Security advisories

The Service is designed to reveal security shortcomings which could be exploited to gain unauthorized access to critical network components. These could include:

• Vulnerable network architecture, insufficient network protection
• Vulnerabilities leading to network traffic interception and redirection
• Insufficient authentication and authorization in different services
• Weak user credentials
• Configuration flaws, including excessive user privileges
• Vulnerabilities caused by the usage of outdated hardware and software versions without the latest security updates
• Information disclosure

The Service is also designed to provide OSINT or Open Source Intelligence refers to information about individuals or companies that can be freely and legally gathered from publicly available sources.

Model

Security assessment conducted through the Internet by an "attacker" with limited or no knowledge of your system.

Steps

• Passive information gathering
• Active information gathering (network discovery), including port scanning, identifying available services and manual requests to certain services (SSH, telnet, FTP, DNS, mail, etc.),
• External vulnerability scanning and analyzing
• Manual vulnerability analysis, including identification of resources without authentication, important publically available information, insufficient access control
• Guessing credentials
• Exploitation of the vulnerabilities and privilege escalation(if possible)
• Develop all attack methods available during testing that have been exhausted.

The analysis is performed using automated tools as well as manually by experts. The following security assessment tools can be used:

• Information gathering tools (Maltego, theHarvester, FOCA etc.)
• Various general-purpose and specialized scanners (NMap, OpenVAS, WPScan, nikto, w3af and others)
• Credentials guessing tools (Hydra, Medusa, potator and others)
• Web application security tools (OWASP ZAP, BurpSuite, Sn1per, SQLmap, etc.)
• And others, including limited access exploits and custom exploitation tools

Results:

Following the service, customers receive a report containing the following:

• High-level conclusions on the security flaws and recommendations to remediate them;
• A detailed description of detected vulnerabilities, including severity level, possible impact on the vulnerable system, and evidence of the existence of vulnerabilities (where possible);
• Recommendations for eliminating vulnerabilities;
• Recommendations on mitigating the identified issues;
• Detailed description of information that was detected concerning your organization.

Based on cybersecurity world best methodologies and practices:

• Open Source Security Testing Methodology Manual (OSSTMM);
• Open Web Application Security Project (OWASP) Testing Guide;
• Penetration Testing Execution Standard (PTES);
• NIST Special Publications 800-115 Technical Guide to Information Security Testing.

Assessment

• Information Systems Security Assessment Framework (ISSAF);
• Web Application Security Consortium (WASC) Threat Classification;
• Common Vulnerability Scoring System (CVSS).

The service is designed to identify vulnerabilities within your applications, from low to high risk, via a simulated attack to improve your security and mitigate risks.

The testing  includes the entire application or just specific areas of functionality. Our approach allow find many types of vulnerabilities on the areas we assess:

• Authentication
• Authorization and access control
• Cross-site scripting (XSS)
• SQL and other type injection vulnerabilities
• Cross-site request forgery (CSRF)
• Server-side request forgery (SSRF)
• Insecure file upload
• XML-related issues
• Unsafe deserialization
• Business logic flaws
• Unnecessary information disclosure

Model

• Black-box testing;
• Simulating an external attacker without prior knowledge of the application's internal structures and workings;
• Grey-box testing;
• Simulating legitimate users with a range of profiles;
• White-box testing;
• Analysis with full access to the application's source codes.

Steps

• Gathering Information; 
• Conducting reconnaissance activities to locate information leakage, identifying utilized technologies, map application entry and functionality, and other related tasks to guide testing;
• Vulnerability scanning and analyzing;
• Automated scans and manual tests to discover flaws in the application which could be exploited. Deep-analysis of vulnerabilities via typical hacker's techniques, such as banner-grabbing, HTTP header analysis, brute-forcing of login pages and examination of web forms to identify locations in the application that may be open for exploitation;
• Exploitation of vulnerabilities;
• Providing attempts to establish access to a system or resource by bypassing security restrictions and weaknesses in the design and development of your application. This sometimes encompasses user privilege escalation when available in your application and includes a range of techniques such as various injections, cross-site scripting (XSS), insufficient authorization and others;
• Analysis and Reporting;
• Analyzing the results and providing a detailed exploitation report identifying any vulnerabilities discovered; 
• The analysis is performed manually by experts and using automated tools hackers use. 

Results

Following the service, customers receive a report containing the following:

• High-level conclusions on the security flaws and recommendations to remediate them;
• A detailed description of detected vulnerabilities, including severity level, possible impact on the vulnerable system, and evidence of the existence of vulnerabilities (where possible);
• Recommendations for eliminating vulnerabilities

Our methodology based on cybersecurity world best methodologies and practices:

• Open Source Security Testing Methodology Manual (OSSTMM);
• Open Web Application Security Project (OWASP);
• Web Application Security Consortium (WASC) Threat Classification;
• Penetration Testing Execution Standard (PTES);
• NIST Special Publications 800-115 Technical Guide to Information Security Testing;
• Common Vulnerability Scoring System (CVSS);
• Information Systems Security Assessment Framework (ISSAF);