LAC Co., Ltd.

Taking full advantage of cutting-edge technology to make way for the future.

Report An Emergency Incident

24-Hour Consultation, No Reservations Necessary

Emergency Inquiries: Cyber Emergency Center ®

Emergency Response Service to quickly support our customers during security-related emergency cases.
If you are in an emergency situation, please contact us now [Cyber Emergency Center]

Security Assessment Service

LAC offers comprehensive penetration testing services for a wide range of environments, from Web applications, networks (including Wi-Fi) and servers to smart devices, to detect vulnerabilities in your IT systems and protect you from cyber-attacks.

Outline

Strengths

We go beyond simple automated scans and include manual testing, giving you high-quality diagnostic results from realistic simulated attacks.

Our network security experts perform sophisticated, hands-on penetration testing from the attacker's point of view. Knowing the characteristics of your IT system, our network analysts and network engineers apply the methods best suited to detecting vulnerabilities.


Visualizing the latest attack methods and threats with our penetration techniques

Equipped with the latest know-how and many years of hands-on experience, our JSOC (24 x 7 security monitoring center), Cyber Grid Japan (R&D dedicated to cyber security techniques and the latest threats) and Cyber Emergency Center (cyber incident response team) collaborate in performing various penetration techniques.


Track Record

Since 1995, LAC has completed 6,300 tests as of Mar. 2015 for both the private and public sectors.


Conforming to Security Regulations and Guidelines

We follow security guidelines such as the "OWASP Top 10" required in PCI-DSS, as well as the local guidelines issued by the Japanese government, so the results can be used as evidence and as a record for audits.

Service Flow

Major Assessment Items for Web Applications Assessment

| No. | Penetration Test Item | Description |
|---|---|---|
| 1 | Security Against Cross-Site Scripting | Verify whether script insertion is possible. If it is, malicious scripts can be submitted to the Web server and returned in its responses, where they are executed in the clients' Web browsers. As a result, the attacker can steal the clients' cookie information, and there is a risk that the attacker can log in pretending to be someone else. |
| 2 | Security Against SQL Injection | Verify whether it is possible to use SQL commands to illegally operate the database. If SQL injection into the database is possible, this could lead to unauthorized access to stored procedures and illegal calls to external programs. As a result, personal information may be accessed (information leakage) or changed (information falsification or loss), and there is also a risk of unauthorized access and arbitrary command execution on the server. |
| 3 | Session Management Security | Verify whether there is a problem with the session management of Web applications. If the information used for session management can be guessed, screens that require authentication become accessible without authentication, or an attacker can log in pretending to be someone else. As a result, personal information may be accessed (information leakage), and there is also a risk of unauthorized access to make changes (information falsification or loss). |
| 4 | Authentication Function Security | Investigate resistance to unauthorized access that bypasses authentication. If authentication is bypassed, illegal access to the system can be carried out through login spoofing. As a result, personal information may be accessed (information leakage), and there is also a risk of unauthorized access to make changes (information falsification or loss). |
| 5 | File Extensions Confirmation | Check for the presence of common backup files and of data files corresponding to the URLs of the Web application. Successful exploitation may result in unauthorized access to restricted resources, including personal information of users within the target Web application. |
| 6 | Security Against OS Command Injection | Evaluate whether it is possible to execute arbitrary OS commands by injecting metacharacters or using SSI. If arbitrary OS commands can be executed, the Web server OS may be controlled. Successful exploitation may result in theft of the Web server password file and administrator privileges. |

Major Assessment Items for Platform Assessment

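| No. | Category |
|---|---|
| 1 | Backdoors and Trojan horses |
| 2 | Brute force attack |
| 3 | CGI |
| 4 | DNS |
| 5 | Database |
| 6 | FTP |
| 7 | Finger |
| 8 | General remote services |
| 9 | Network appliance |
| 10 | Information gathering |
| 11 | Local |
| 12 | Mail |
| 13 | NFS |
| 14 | NNTP |
| 15 | Proxy |
| 16 | RPC |
| 17 | SMB / NETBIOS |
| 18 | SNMP |
| 19 | TCP/IP |
| 20 | Web |
| 21 | Windows |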

Output sample

The final report covers not only the level of security of your system but also the details of the findings and recommended countermeasures.
