Information security covers a wide range of topics and issues. SeNet has gained substantial experience and expertise over the years, ranging from simple system security reviews to ground-up information security system deployments. We offer this experience and expertise through a range of services that are specifically tailored to our clients’ individual needs and are backed by our continuing commitment to excellence.
The purpose of penetration tests is to identify weaknesses in an information system and recommend mitigation measures to increase the resistance of the information technology (IT) infrastructure to unauthorized access, modification, or sabotage. Organizations often use the terms penetration test and vulnerability assessment interchangeably, when they are really two distinct tasks. SeNet works with our customers to ensure that the correct type of testing is selected. When a company's security maturity is at a high level, penetration testing can add value. However, if the security program is still growing or early in its life cycle, an overall vulnerability assessment may be a better option.
Conducting a successful penetration test or vulnerability assessment effort depends not only on the skills and expertise level of the practitioners, but also on meticulous planning and oversight throughout the project life cycle. SeNet has vast experience in performing these types of tests in both the commercial and government sectors.
SeNet follows an established multi-step methodology when performing penetration testing and vulnerability assessments. The exact process differs slightly based on whether the testing is being performed from an internal or external perspective. A key element of SeNet’s planning process is the development of a detailed test plan. The test plan will incorporate the rules of engagement. The test plan is developed following the kickoff meeting and a review of relevant documentation provided by the client. Its purpose is twofold: a working document to be used by the SeNet Team while engaged in this activity and a specific description for client stakeholders of planned testing activities.
When performing vulnerability assessments or penetration tests, one of the biggest obstacles in providing a valuable product is dealing with false positives. Once the raw results from the automated and manual tools are collected, SeNet’s team begins the process of verifying and cross-referencing them against not only our extensive vulnerability knowledge base, but also against the Common Vulnerabilities and Exposures (CVE), National Vulnerability Database (NVD), and several other knowledge bases used throughout the security community. Findings discovered by the automated tools are further tested to ensure false positives, possibly caused by an organization's customizations, are eliminated. Weaknesses are also correlated against our knowledge base to determine if potential false negatives were omitted.
A series of sophisticated tests then follows, in which our team leverages our extensive experience with security software, attack profiles, test scripts, and exploit programs to assess the security of the target environment.
Knowledge transfer is an important objective of this task. A study would be less valuable if the findings are not mitigated and changes are not made to reduce or eliminate the introduction of future security vulnerabilities. Full documentation of test results accompanied by formal presentations, informal work meetings, and discussions between the client and the test team, will ensure that knowledge transfer is complete and effective.
Application security covers a range of services, including web and mobile application testing, secure code reviews, reverse engineering, and application design. We have performed these services for a wide range of customers such as Amtrak, Department of Education, Idaho Department of Health and Welfare, Parx Casino, and many more.
Web and mobile applications are becoming more prevalent and more sophisticated, and they are critical to almost all businesses. They are also one of the targets that attackers are looking to exploit. As the impact of insecure applications on data security becomes ever clearer, organizations with a strong commitment to data integrity and privacy are taking concrete, measurable steps to ensure the software that controls data is developed securely.
Vulnerabilities such as cross-site scripting (XSS), SQL injection, and command injection result from inadequately designed or written code. Organizations now understand that it is imperative to find a way to identify and eliminate critical vulnerabilities in the applications that expose vital data and systems. SeNet can assist companies in designing and testing their applications to reduce overall risk to the business. This can be done either once an application is already in production or, ideally, during the software development life cycle.
Security compliance and risk management are areas that we understand very well. Over the years we have performed security compliance work covering FISMA, PCI, ISO, HIPAA, CJIS, and others. We believe that many organizations approach security compliance incorrectly and in the process leave themselves with a false sense of security. Our view is that compliance does not equal security, but if you are secure you will be compliant.
We are proud of all of the testing work we have performed. What makes SeNet successful is our passion for information security, our approach to testing as more than a “check-box” exercise, our staff’s experience and technical skills, and management’s hands-on involvement.
SeNet’s focus on and knowledge of gaming makes us the only information security firm that specializes in gaming and iGaming. Over the past four years we have turned our attention to the gaming and iGaming industry, in large part due to the research and interest of SeNet's Chief Technology Officer (CTO), Mr. Gus Fritschie. Mr. Fritschie has performed extensive research on online gaming security, presented on this subject at multiple computer industry conferences such as DefCon, and written articles for both print and online publications. Based on the efforts of our CTO, SeNet has established a new line of business focusing on this emerging and growing area. We have assembled a team that not only has more than a decade of proven information security expertise as a company, but also a strong understanding of the traditional gaming industry and the emerging iGaming market.
Over a fairly short period we have learned that while casinos vary greatly in their size, staff, and technical expertise, most do face significant IT security challenges. We believe that SeNet can provide valuable services both for those organizations that have mature security programs and those that have never had a vulnerability assessment conducted before.
Our experience in gaming covers traditional land-based casinos, iGaming and daily fantasy sports sites, lotteries, and tribal gaming. Some of our customers include Borgata Hotel Casino and Spa, North Carolina Lottery, Multi‑State Lottery Association, Spirit Mountain Casino, Rush Street Gaming, Pala Interactive, Star Fantasy Leagues, and Akwesasne Mohawk Casino Resort.
Most gaming organizations have been expanding their information technology footprint in recent years, mirroring the trend in federal, state, and local governments. While these new technologies provide increased productivity and better quality of service to the end users, they also introduce new security risks if implemented incorrectly. This holds whether you are implementing a new firewall, upgrading point-of-sale (POS) systems, moving into iGaming, or changing overall network design. Information security needs to be taken into consideration and your environment needs to be secured.
It is a misconception to believe that small, unknown organizations are immune. Attackers do not discriminate between a large organization with multiple casinos and a smaller one with only a few Internet resources. What does change is the level of risk. Most organizations, including casinos, will never be completely secure. Consequently, informed decisions must be made about reducing risks to acceptable levels commensurate with the possible damage and likelihood of occurrence. SeNet’s goal is to help identify vulnerabilities so that you can make well-informed, risk-based business decisions and increase your organization’s overall security posture.
It seems that you cannot go a day without reading about another company or organization that has been “hacked.” The trend has been evolving from simple mischievous actions, such as defacing a Web page, to determined and dedicated attacks with a purpose to steal sensitive data or establish a foothold as part of an advanced persistent threat (APT).
When this occurs, SeNet can assist you in performing incident response and forensic analysis. Working as an extension of your team, we provide the technical ability to identify malicious activities, assess the results of these activities, and collect information that can be admitted as evidence in a court of law, if required. If you desire to pursue legal action, SeNet can assist your organization in the investigative proceedings. Our team of forensic analysts can testify as expert witnesses at the federal, state, and/or civil levels.
Below is a list of the services that our SeNet incident response and forensic analysis team can provide. We have experience performing these tasks in both commercial and government organizations. Our forensic analysis services can help you determine the following:
- Whether or not financial databases were tampered with.
- Whether covered data was compromised in a data security breach.
- The purpose for which a computer was primarily used.
- Whether a user possessed or disseminated a document or documents.
- Whether a specific file was ever printed.
- Whether a user wiped a drive or a file.
- Whether Web-based email accounts were used.
- Whether intentional deletion of materials occurred.
- Whether or not USB keys or other remote media were used.
- Whether files were copied to the USB or remote media and which files were copied.
- Whether a system was compromised or not.
- Whether computer misuse has occurred.
- Whether intellectual property was compromised.
This can be done in both physical and virtual environments, although different tools and techniques may be used. The SeNet Team is prepared to assist you on very short notice, most of the time within 24 hours of your call.