Carnegie Mellon University

Security Assessments

The following is a list of security assessment services offered by ISO.  Each follows a standard process flow and can be customized in many ways to meet the needs of a particular customer.  In situations where ISO does not have the capability to assess a particular platform or application or when requested timeframes cannot be met, ISO may contract an external partner to assist with delivering requested services.  Associated costs may need to be passed along to the requesting organizational unit.

Application Vulnerability Assessment

An Application Vulnerability Assessment evaluates the functionality and resilience of an application against known security threats including, but not limited to, buffer overflows, cross-site scripting, cross-site request forgery, improper data sanitization, injection attacks and weak authentication.  This assessment analyzes all components of an application infrastructure, including how each component is deployed and how each component communicates with both the client and server environments.  A collection of commercial and open-source tools is used to perform this assessment, supplemented by manual testing.  Application credentials may be requested so that functionality available only to authenticated users can be reviewed, which makes the assessment more comprehensive.  Typically, some host and network security practices are reviewed as part of an Application Vulnerability Assessment.

Enterprise Security Assessment

An Enterprise Security Assessment is a comprehensive review of an entire infrastructure including host, network, application and environmental controls.  This assessment also includes a review of existing policies and procedures.

Host-Based Security Assessment

A Host-Based Security Assessment analyzes the security of a specific workstation or server.  ISO will look for both locally and remotely exploitable vulnerabilities by analyzing access controls, patch levels and system configurations.  A collection of commercial and open-source scanning tools is used for this type of assessment.  Additional hands-on inspection may also be necessary.

Network-Based Security Assessment (Attack and Penetration)

A Network-Based Security Assessment, commonly referred to as an Attack and Penetration Test, evaluates a system for network-based vulnerabilities such as missing patches, unnecessary services, weak authentication and weak encryption.  This type of assessment includes components of an Application Vulnerability Assessment and a Host-Based Security Assessment.  At the discretion of the customer, this type of assessment can be performed with no prior knowledge, meaning ISO is provided only an IP address prior to the assessment.  This allows for a more realistic simulation of an attacker who starts with no inside information.  A Network-Based Security Assessment will help determine how vulnerable a system is to Internet and intranet attacks, whether intruders can gain access to sensitive information, whether social engineering techniques are effective and whether current operational controls are effective.

Physical Security Assessment

A Physical Security Assessment typically involves interviews with key staff, review of existing documentation and a visit to the site to evaluate physical and environmental controls.  This type of assessment will help determine whether systems are susceptible to physical attacks and whether environmental controls are adequate.



Revision History

Last Reviewed: 02/11/2014