Solving Your Complex Core Business Risks In An Innovative, Pragmatic, Cost-Effective Way
Throughout our time as KoreLogic, we have worked on a wide variety of complex security projects. The following engagements illustrate our solution approaches:

Application Security Management Program - Clients have repeatedly had web application security assessments completed by various vendors. They recognize, as many do, that an ongoing program to identify and correct the critical vulnerabilities such testing finds is an integral part of a web application security management program. However, the security robustness of applications varies significantly between application development groups, both internal and externally sourced. This is exacerbated by the inevitable arrival of new developers, project managers, teams and outsourcing arrangements as a result of acquisitions, new hires or price-sensitive outsourcing contracts. Inevitably, the vulnerabilities discovered across multiple testing efforts become a management and mitigation problem in their own right. The basic question becomes: how can we maximize the return on investment (ROI) from our application testing program?

Enterprise Resource Planning (ERP) Security Assessment - SAP, PeopleSoft and Oracle security testing services continue to be in demand from various Fortune 500 and other large firms. This case study is representative of our ERP testing services.
Web Application Disassembly - A prominent financial institution requested a review of their online banking web application. Ironically, just weeks before the review, another Internet security firm had performed an assessment and had given the client high marks for security. The client had even been given a plaque to display in their lobby and a seal of approval for their website. The team reviewed the web application and identified several high-risk vulnerabilities, including the ability to access customer accounts, view financial histories, and transfer funds.

Fortune 500 Financial Services Firm - Incident Response: While on-site performing other security services, the client asked KoreLogic staff to provide ad hoc incident response to a customer-impacting malware attack. KoreLogic's team immediately collaborated with offsite KoreLogic team members who, within 4 hours, had reverse engineered the trojan and provided the client with clean-up instructions. The client's anti-virus vendor did not respond until 12 hours later and still did not provide a clean-up approach. "The teamwork between us and KoreLogic was amazing" - Security Manager and Incident Response Leader.

Fortune 500 Telecommunications Firm - Mobile Service Security Assessment: Following extensive security assessment work, including threat modeling, source code analysis and infrastructure penetration testing performed by the client's other security vendors, KoreLogic was asked to perform a final pre-production security assessment of a new mobile service. Drawing on its extensive mobile security testing experience, KoreLogic tested the mobile devices, application servers, mobile web applications, mobile device-to-server communications and the hosting vendor's infrastructure. KoreLogic's testing revealed numerous high- and medium-risk vulnerabilities that the other vendors had missed. KoreLogic provided mitigation steps for each vulnerability found and supported the client in briefing the affected vendors and service providers.

Fortune 500 Mobile Services Provider - Malware Response and Forensics: A laptop was compromised while the client's employee was browsing a company-sponsored health website. The employee clicked on a link to a malicious site, which downloaded malware that created a reverse tunnel to a Russian website and installed a malicious program. As part of its retainer-based support of the client, KoreLogic provided on-site incident response and forensics support, including blocking the malicious site, reverse engineering the malware, forensic examination and documentation of the laptop, verification that the malware was contained and removed, and mitigation of the vulnerabilities that allowed the attack.

Department of Defense Agency - Compliance Verification: The Agency asked for KoreLogic's support in meeting an urgent compliance request to verify that no Agency systems contained files with certain suspect MD5 hashes. KoreLogic designed a rapid response plan built around a KoreLogic-sponsored forensic tool (FTimes), which allowed the Agency to verify compliance in one day. Other agencies that faced the same requirement spent weeks before achieving the required compliance.

Financial Services Firm - Intrusion Analysis: KoreLogic was asked to assess the impact of a successful compromise of the client's systems that hosted personally identifiable financial data. The client, a California business, was concerned about addressing the breach and its responsibilities under California's SB 1386, which imposes data-protection and breach-notification obligations. KoreLogic performed a forensic analysis to determine the scope of the intrusion and provided recommendations to help prevent a recurrence. KoreLogic also advised the client on how to communicate the incident to its customers.
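The Department of Defense compliance verification above comes down to one mechanical check repeated across every host: hash every regular file and report any digest that appears on the suspect list. The script below is an added example written for this page; it is not FTimes and not KoreLogic's code, and it runs the check on a single host only (FTimes' job is to do this fleet-wide and collect the results). The suspect list, file names and file contents are constructed for the example; the two "suspect" digests are the well-known MD5 test vectors for `abc` and the quick-brown-fox sentence, not real indicators.

```python
"""Suspect-hash sweep: find files whose MD5 matches a list of known-bad digests.

Added example, not KoreLogic's FTimes or any code from the page. It reproduces
the core of the compliance check on one host: hash every regular file under a
root and report any digest found on a suspect list. File names, sample
contents and the suspect list below are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Constructed suspect list in the common "hash [filename] [# comment]" shape.
# The digests are MD5("abc") and MD5("The quick brown fox jumps over the lazy dog"),
# chosen only because they are well-known test vectors; they are not real IOCs.
SUSPECT_LIST = """\
# constructed suspect list for this example
900150983cd24fb0d6963f7d28e17f72
9E107D9D372BB6826BD81D3542A419D6  fox.txt   # mixed case plus a filename column
"""


def load_suspect_hashes(lines: Iterable[str]) -> Set[str]:
    """Parse one digest per line; tolerate comments, blank lines, mixed case
    and trailing columns. Reject anything that is not a 32-hex-digit MD5 so a
    malformed list fails loudly instead of silently matching nothing."""
    digests: Set[str] = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0].lower()
        if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not an MD5 hex digest: {token!r}")
        digests.add(token)
    return digests


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, suspect: Set[str]) -> Tuple[List[Tuple[str, str]], int, List[str]]:
    """Hash every regular file under root and return (matches, files_hashed, errors).

    Symlinks are skipped and symlinked directories are not descended, so a link
    pointing outside the tree cannot produce a bogus match or loop the walk.
    Unreadable files are recorded rather than aborting the sweep: a compliance
    report has to say what it could not check."""
    matches: List[Tuple[str, str]] = []
    errors: List[str] = []
    hashed = 0
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # islink first: isfile() follows links and would otherwise accept them
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = md5_file(path)
            except OSError as exc:
                errors.append(f"{path}: {exc}")
                continue
            hashed += 1
            if digest in suspect:
                matches.append((path, digest))
    return matches, hashed, errors


def make_sample_tree(root: str) -> None:
    """Write a constructed directory: one clean file, two files matching the
    suspect list, and a symlink to one of them that the scan must not count."""
    os.makedirs(os.path.join(root, "tools"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign content\n")
    with open(os.path.join(root, "tools", "abc.bin"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(root, "docs", "fox.txt"), "wb") as f:
        f.write(b"The quick brown fox jumps over the lazy dog")
    try:
        os.symlink(os.path.join("docs", "fox.txt"), os.path.join(root, "link_to_fox"))
    except (OSError, NotImplementedError):
        pass  # platforms without symlink support still exercise the rest


def demo() -> Dict[str, object]:
    """Run the sweep on the constructed tree and return a summary."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        suspect = load_suspect_hashes(SUSPECT_LIST.splitlines())
        matches, hashed, errors = scan_tree(root, suspect)
        return {
            "matched_names": sorted(os.path.basename(p) for p, _ in matches),
            "matched_digests": sorted(d for _, d in matches),
            "files_hashed": hashed,
            "errors": errors,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would attach to a check like this. Matching on MD5 only finds byte-identical copies of the listed samples; a repacked or patched variant has a different digest and is missed, so a clean sweep proves absence of those exact files, not absence of the malware family. And since MD5 collisions are cheap to produce, a digest on a suspect list identifies a known file but should not be used as proof that an unrelated file is benign; when the list is built, recording a second digest such as SHA-256 alongside each MD5 costs one extra `hashlib` call per file.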
Enterprise Systems Audit - A large ISP retained the team to assess the security of their heterogeneous server environment. The objective of the assessment was to identify vulnerabilities, configuration errors, and their root causes. Network-based assessments had always yielded an incomplete picture because, in most cases, they cannot examine the internal configuration of the systems being scanned. For this reason, the team elected to use custom harvesting tools and a WebJob framework to systematically inspect the systems and collect security information from inside them, producing an in-depth picture of each system's security posture. The end result was a wealth of information that was used to identify, prioritize, and mitigate the vulnerabilities and configuration errors found.

The following are additional samples of our results:
Mobile Device Security Deconstruction - Forthcoming.
Financial Institution Forensic Investigation - Forthcoming.
Gateway Product Testing - Forthcoming.
Compliance Verification - Forthcoming.
© Copyright 2008. KoreLogic Security. All rights reserved.