IT Security Services
  • IT Audit Services
  • Penetration Test Service
  • Web Application Code Audit Service
  • DRP & Implementation Services
  • IT Security Policy Development

IT Audit Services

IT audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively, and use resources efficiently. Data integrity relates to the accuracy and completeness of information, as well as to its validity in accordance with the applicable norms. An effective information system leads the organization to achieve its objectives, and an efficient information system uses the minimum resources in achieving them. The IT auditor must understand the users of the information system and the decision-making environment in the auditee organization when evaluating the effectiveness of any system.



ITIS’s Information Technology (IT) Audit professionals help organizations gain insight into the threats inherent in today’s highly complex technologies.
Our approach in IT audit appropriately assesses technology risks and the control environment as they relate to critical business processes. ITIS's deep expertise in IT audit can help ensure the integrity, reliability and performance of these processes. Through our methodologies, our clients realize more effective and efficient technology controls that better align the internal audit function with their business and IT strategies.

  • General Business Review
  • IT /IS/IM Strategy Review
  • IT Security Policy Review
  • Review of IT Risk in Business
  • IT Risk Probability Impact Analysis
  • DR and BCP Review
  • IT Operation Controls Review
  • Change Management Program review
  • IT Security policies Review and GAP analysis based on ISO27001


Penetration Test Service

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical counter measures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.



Our Approach

BG Tech follows a structured approach based on best practices and well-developed methodologies to ensure objectives are met. BG Tech's approach to its ethical hacking (penetration testing) service combines in-depth methodologies with continual innovation to ensure a thorough check of the customer's network for vulnerabilities.

BG Tech IT Solutions proposes the following service to meet the objective of the customer.

Ethical Hacking (Penetration Testing)

  • Black Box PT
  • Finding vulnerabilities
  • Finding ports exposed to the outside (Internet-reachable services)
  • Exploiting the found vulnerabilities, if time permits
  • Reports & recommendations

Penetration Testing by BG Tech is a systematic and structured high-end analysis, testing and reporting exercise conducted in order to:

  • Highlight the vulnerabilities associated with the customer’s network infrastructure
  • Map the found vulnerabilities to the OWASP Top 10
  • Provide recommendations for mitigating the identified vulnerabilities
  • Provide workarounds, where the vendor has not released a patch, to minimize the potential impact of the identified vulnerabilities

Penetration Testing Methodology

Black Box Penetration Test (Ethical Hacking Service) cycle would pass through a series of tasks, specially designed to identify the security vulnerabilities in assets exposed to the public domain. Every stage of the methodology generates an output that may serve as a piece of information for individual reporting or as input for a subsequent task.

Black Box Penetration Test (Ethical Hacking Service) comprises the following phases:

Enumeration

Network Surveying: This step gathers publicly available information about the customer from web sites, mail servers, public records and databases. This allows the PT team to discover and enumerate the target systems to be tested.

Port Scanning: Port scanning probes the TCP and UDP ports of the target systems to enumerate live, Internet-reachable services. The scan is run in several modes, such as connect, SYN, FIN, Xmas, Null, UDP and FTP bounce, because different modes get different answers through packet filters and stateful firewalls; the combined results give the list of open ports and the services behind them, and feed the operating-system and version identification in the next step.

System Finger-printing: System finger-printing is the process of probing target systems to confirm host operating systems and version levels. This process also gathers other explicit and implicit information about target systems.

Router ACL, Firewall Testing: This step involves using different methods to discover the routers and firewalls (from default ports, IP stack and TCP/IP fingerprinting). The BG Tech team will also use various techniques and tools to attempt the penetration of the firewall to reach target hosts.
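The port-scanning and fingerprinting steps above, as an added example in Python (not BG Tech's tooling): a TCP connect scan that distinguishes open, closed and filtered ports by how the handshake ends, then fingerprints open ports from the banner they volunteer. To run offline it starts a constructed stand-in service on the loopback interface with a made-up SMTP greeting; the host, ports and banner are assumptions, and the `guess_service` signatures are a handful of illustrative prefixes, not a real fingerprint database.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner):
    """Constructed stand-in for a target service (assumption, not a real host):
    listens on an ephemeral loopback port and greets each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Pick a loopback port that is currently closed (bind, read the number, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """TCP connect scan of one port: complete the three-way handshake, then read
    whatever the service sends first (its banner) for fingerprinting."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", b""      # RST came back: nothing is listening
        except socket.timeout:
            return port, "filtered", b""    # no answer at all: typically dropped by a firewall
        try:
            banner = s.recv(256)
        except socket.timeout:
            banner = b""                    # open, but the service waits for the client to speak first
        return port, "open", banner


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan `ports` concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


def guess_service(banner):
    """Crude banner-based fingerprint matching a few well-known greeting prefixes.
    Real tools compare against large signature databases; these rules are illustrative."""
    b = banner.strip()
    if b.startswith(b"SSH-"):
        return "ssh"
    if b.startswith(b"220 ") and b"SMTP" in b.upper():
        return "smtp"
    if b.startswith(b"220 ") and b"FTP" in b.upper():
        return "ftp"
    if b.startswith(b"HTTP/"):
        return "http"
    return "unknown"


if __name__ == "__main__":
    # Constructed target: one open port with an SMTP-style greeting, one closed port.
    open_port = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    closed_port = free_closed_port()
    for port, (state, banner) in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        service = guess_service(banner) if banner else "-"
        print(f"{port}/tcp {state:9s} {service:8s} {banner!r}")
```

A connect scan completes the handshake, so the target logs it and it is the noisiest of the modes listed above; the SYN, FIN, Xmas and Null modes craft raw packets and need elevated privileges, which is why tools offer them as separate options rather than as variations of this code.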

Vulnerability Discovery

In this phase, the BG Tech PT team identifies, understands and verifies the weaknesses, misconfigurations and vulnerabilities of target hosts and maps the profile of the environment with the information gathered. This task involves:

  • Running vulnerability assessment tools against target hosts
  • Discovery and enumeration of the vulnerabilities of target hosts
  • Matching of discovered vulnerabilities to services
  • Collection and categorization of all vulnerabilities according to applications and operating systems
  • Mapping the found vulnerabilities with OWASP TOP 10 Vulnerabilities

The BG Tech team will use various commercial/non-commercial/proprietary tools to discover and enumerate vulnerabilities at different levels such as OS, Services & Applications.

Gaining Access and Privilege Escalation (Subject to the customer’s Approval)

Attempting Brute Force: The BG Tech team will run various brute-force attacks to attempt the acquisition of passwords and discover weak passwords of Applications, Services and OS accounts.

IP Attacks: In this step, the BG Tech team will run DoS, DDoS and other network-level attacks against the discovered and enumerated services. Because these can disrupt production systems, they are run only with the customer's explicit approval noted above.

The following steps apply only when exploitation is in scope and succeeds:

Gaining Access to Target Hosts: Based on the vulnerabilities enumerated in Phase 2, the BG Tech team will attempt to exploit them to gain unauthorized access to target hosts.

Leaving Traces: Depending on the success of each exploit, the BG Tech team will leave traces as proof of compromise wherever possible.

Privilege Escalation: Where the BG Tech team has gained valid user access, all possible privilege escalation paths will be attempted and documented.

Reporting and Documentation

  • The found vulnerabilities will be mapped with OWASP TOP 10 latest vulnerabilities
  • Summary of OS/Service/Application Vulnerabilities discovered using automated tools
  • Summary of manually identified vulnerabilities
  • Traces left behind on compromised hosts
  • Recommendations for vulnerability (and impact) mitigation


Web Application Code Audit Service

BG Tech adopts a static source code analysis platform that leverages third generation software verification technologies to identify web application vulnerabilities throughout development. Our web-based solution provides automated compiler-independent code analysis that models tainted data flow within the application. Reports pinpoint vulnerable code locations and offer prioritized remediation guidance, while integration facilitates immediate hot-fix remediation. Our service offers proactive and cost-effective remediation for vulnerable code, representing a low-cost, risk-free alternative to the common build-first secure-later paradigm.



Proactive Vulnerability Remediation


  • Identifies vulnerable Web application source code throughout the application life cycle
  • Facilitates early, efficient and cost-effective vulnerability remediation
  • Detects vulnerabilities in ASP.NET, VB.NET, C#, Java/J2EE, JSP, EJB, PHP, Classic ASP and VBScript
  • Models Web application behavior and traces data flow from entry point to vulnerable file
  • Calculates outcome of tainted input propagation through the application
  • Scans source code non-intrusively with no impact on running applications
  • Integrates with code repository to enable automated code retrieval and analysis
  • Aligns secure coding efforts with development processes by integrating with IDE and code check-in

Third Generation Technology

  • Network appliance provides Web accessible role-based project and scan management interface
  • Built-in language parsers facilitate compiler-independent analysis and flexible deployment
  • Advanced formal verification algorithms and compiler-independence ensure fast and accurate vulnerability detection
  • Compiler-independent analysis engine requires only source code access; there is no build-integration requirement
  • Advanced Trace back feature traces tainted input from source code entry point, across functions, classes and files to resulting vulnerabilities
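The data-flow modelling and trace-back described in the bullets above, as an added toy example in Python (not the vendor's engine): an AST-based taint analyzer that marks values returned by attacker-controlled entry points, follows them through assignments, concatenation, f-strings and method calls, clears them at sanitizers, and reports any that reach a dangerous call together with the line-by-line trace back to the source. The source, sanitizer and sink rule sets and the sample application are constructed for illustration.

```python
import ast

# Hypothetical rule set for the toy analyzer (not a real signature database).
SOURCES = {"request.args.get", "request.form.get", "input"}   # where attacker input enters
SANITIZERS = {"int", "escape", "shlex.quote"}                   # calls whose result is treated as clean
SINKS = {                        # dangerous call -> (finding, index of the argument that must be clean)
    "cursor.execute": ("SQL injection", 0),
    "os.system": ("command injection", 0),
    "subprocess.call": ("command injection", 0),
}


def dotted(node):
    """Render a Name/Attribute chain such as request.args.get as 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural taint tracker: taint is followed within one function body only."""

    def __init__(self):
        self.tainted = {}    # variable name -> trace (list of "line N: ..." strings)
        self.findings = []

    def taint_of(self, expr):
        """Return the trace if `expr` carries tainted data, else None."""
        if isinstance(expr, ast.Call):
            name = dotted(expr.func)
            if name in SOURCES:
                return [f"line {expr.lineno}: source {name}()"]
            if name in SANITIZERS:
                return None                               # sanitizer output is clean
            if isinstance(expr.func, ast.Attribute):      # tainted.strip() stays tainted
                t = self.taint_of(expr.func.value)
                if t:
                    return t
            for arg in expr.args:                         # unknown helper: assume it passes taint through
                t = self.taint_of(arg)
                if t:
                    return t
            return None
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Attribute):
            return self.taint_of(expr.value)
        if isinstance(expr, ast.BinOp):                   # "..." + user
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        if isinstance(expr, ast.JoinedStr):               # f"ping {host}"
            for part in expr.values:
                if isinstance(part, ast.FormattedValue):
                    t = self.taint_of(part.value)
                    if t:
                        return t
        return None

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, {}            # fresh variable state per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        t = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t + [f"line {node.lineno}: {target.id} = ..."]
                else:
                    self.tainted.pop(target.id, None)     # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS:
            kind, idx = SINKS[name]
            if idx < len(node.args):
                t = self.taint_of(node.args[idx])
                if t:
                    self.findings.append({"kind": kind, "line": node.lineno,
                                          "trace": t + [f"line {node.lineno}: sink {name}()"]})
        self.generic_visit(node)


def analyze(source):
    """Analyze one module's source text and return its findings with trace backs."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample application (not real customer code).
SAMPLE = '''
def lookup(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(query)

def lookup_safe(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))

def ping(request):
    host = request.form.get("host")
    cmd = f"ping -c 1 {host}"
    os.system(cmd)
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['kind']} at line {f['line']}")
        for step in f["trace"]:
            print("   ", step)
```

The sink table names which argument must be clean, so `lookup_safe` produces no finding: the statement string is a constant and the parameter was sanitized by `int()`. The toy stops at function boundaries; following taint across calls, classes and files is exactly the cross-function trace back the bullets above describe, and it is the main thing a production engine adds.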

Precision and Coverage

  • Built-in language parsers analyze source code independent of build environment
  • Advanced formal verification algorithms and compiler-independence ensure extremely low false positive rates (<1%)
  • Advanced Trace back feature tracks tainted input from source code entry point, across functions, classes and files to resulting vulnerabilities
  • Interactive Web-based reports pinpoint vulnerable code locations

Advanced Reporting

  • Offers interactive analysis and reporting via Web interface
  • Includes detailed Trace back describing tainted data flow within application
  • Highlights vulnerable security-related entry points, functions, and classes
  • Prioritizes risk-based vulnerability remediation activities
  • Provides remediation guidance with detailed sample exploitation and remediation code
  • Automates customized technical and executive report distribution
  • Supports PDF, HTML, XML reports and WAF export integration


DRP & Implementation Services

A disaster recovery plan (DRP) describes how an organization is to deal with potential disasters; it is usually the IT component of a wider business continuity plan (BCP) or business process contingency plan (BPCP), and the terms are often used interchangeably. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster are minimized and the organization is able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs. Disaster recovery services can help companies recover from virtually any type of disaster and ensure ongoing availability of mission-critical resources.

Need of a Disaster Recovery Plan

As IT is increasingly applied to the core of the business, the availability of business application services and IT infrastructure is critical for organizations to carry out their business functions, and the DR and contingency planning process helps ensure high availability and reduces the risk of business interruption.

The process itself can lead to significant improvements in business operations by identifying single points of failure and driving improvements in business processes.

Development of DR capabilities is the key project to be undertaken by the infrastructure group, along with the other initiatives suggested.

What you need to know in the Disaster Recovery Plan

The recovery time objective (RTO) is the maximum allowable downtime after an outage for recovering systems, applications and functions. RTO provides the basis for developing cost-effective recovery strategies and for determining when and how to implement those strategies during a disaster. The recovery point objective, in contrast, defines how current the data is after a disaster.

The recovery point objective (RPO) is the earliest point in time to which systems and data must be recovered after an outage; in practice it is the maximum acceptable age of the most recent usable backup or replica. RPO defines the maximum amount of data your organization is willing to lose after a disaster; a zero-RPO business continuance solution survives a disaster without any loss of data. Together, RTO and RPO give a measurable target for your business continuance and disaster recovery solution. Shortening RTO and RPO requires more investment in networking and storage technologies and processes, and the physical distance between your data centres and how well your applications tolerate network latency limit how close you can get to zero RPO. Set your RTO and RPO at the levels your organization can actually tolerate and afford, rather than at the tightest achievable values.
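RTO and RPO as measured quantities, as an added example in Python (not part of the original page): given a constructed backup catalog, `worst_case_rpo` computes the RPO the schedule actually delivers (the longest gap between successful backups), and `evaluate_outage` checks one outage or DR exercise against the objectives. The timestamps, the failed noon backup and the 8-hour RTO / 6-hour RPO are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed backup catalog: (completion time, succeeded?). The 12:00 run failed.
CATALOG = [
    ("2024-03-01T00:00", True),
    ("2024-03-01T06:00", True),
    ("2024-03-01T12:00", False),
    ("2024-03-01T18:00", True),
    ("2024-03-02T00:00", True),
]

# Objectives assumed for the example.
RTO = timedelta(hours=8)
RPO = timedelta(hours=6)


def successful_backups(catalog):
    """Completion times of the backups that can actually be restored from, sorted."""
    return sorted(datetime.fromisoformat(ts) for ts, ok in catalog if ok)


def worst_case_rpo(catalog):
    """The RPO the schedule really delivers: the longest gap between consecutive
    successful backups. A failed run does not just lose one copy, it widens the
    exposure window until the next good one."""
    good = successful_backups(catalog)
    return max((b - a for a, b in zip(good, good[1:])), default=timedelta(0))


def evaluate_outage(catalog, outage_at, restored_at, rto, rpo):
    """Measure one outage (or DR exercise) against RTO and RPO.
    Recovery point = newest successful backup before the outage;
    data loss = outage - recovery point; downtime = restored - outage."""
    outage = datetime.fromisoformat(outage_at)
    restored = datetime.fromisoformat(restored_at)
    candidates = [t for t in successful_backups(catalog) if t <= outage]
    if not candidates:
        raise ValueError("no restorable backup exists before the outage")
    recovery_point = max(candidates)
    data_loss = outage - recovery_point
    downtime = restored - outage
    return {
        "recovery_point": recovery_point.isoformat(),
        "data_loss_hours": data_loss.total_seconds() / 3600,
        "downtime_hours": downtime.total_seconds() / 3600,
        "rpo_met": data_loss <= rpo,
        "rto_met": downtime <= rto,
    }


if __name__ == "__main__":
    print("worst-case RPO from schedule:", worst_case_rpo(CATALOG))
    result = evaluate_outage(CATALOG, "2024-03-01T15:00", "2024-03-01T19:30", RTO, RPO)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample, the failed 12:00 run stretches the exposure window to twelve hours, so a 15:00 outage loses nine hours of data and breaches the six-hour RPO even though the restore finishes inside the RTO. Monitoring backup success, not a faster restore, is what closes that gap, which is why the "Exercise the plan" step should measure both numbers rather than only the restore time.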



We propose that the business group develop a strategic initiative to design a disaster recovery and business contingency plan to ensure the availability of business systems and infrastructure.

Disaster Recovery and Contingency Planning

We recommend a structured methodology based on federal guidelines to design, develop, deploy, test and maintain DR/contingency planning programs.

We can assist organizations in development and integration of a series of procedures that direct the actions of personnel within a business unit, at the time of a business interruption, to minimize the impact of the business interruption and to achieve a timely continuation or resumption of business activities.

The figure shows the process that we can follow to develop a DR and contingency planning program for organizations. Overall, the key elements of the process are as follows:

  • Get management buy-in
  • Obtain resources
  • Identify Essential functions
  • Conduct Risk Analysis
  • Conduct Impact Analysis
  • Develop Recovery Strategies
  • Develop the plan
  • Education, Training and Awareness
  • Exercise the plan
  • Maintain the plan



We will help Organizations identify a location and set up DR capability so as to free up much needed space for other business units to operate from HQ.

Identify facilities that are located in geographically separate regions that can be used to deliver and support IT services. Each location can serve as a backup facility for other facilities. We will propose a detailed DR response plan and implement the plan and the required infrastructure after we conduct a detailed assessment of the requirements and various options that are available to business.


IT Security Policy Development

Information Security Policies are the cornerstone of information security effectiveness. The Security Policy is intended to define what is expected from an organization with respect to security of Information Systems. The overall objective is to control or guide human behavior in an attempt to reduce the risk to information assets by accidental or deliberate actions. Information security policies underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within an organization.

This policy should cover all information and information resources, including computers and communication devices owned or operated by the organization, as well as information stored on remote systems operated by outside entities. It should also cover any computer or communications device that is present on the organization's premises and/or uses the organization's communication infrastructure but is not owned or operated by the organization. Information includes data stored on magnetic or other electronic media, data in computer memory, data displayed on a monitor, projector or other output device, data transmitted over communication lines, and verbal, written or printed documents.

IT policy documentation broadly covers the following policies:

  • Policy for Classifying Information and Data
  • Policy for controlling Access to Information and Systems
  • Policy for Processing Information and Documents
  • Policy for Document Handling
  • Policy for Securing Data
  • Policy for Other Information Handling and Processing
  • Policy for purchasing and maintaining commercial software
  • Policy for Purchasing and Installing Software
  • Policy for Software Maintenance & Upgrade
  • Policy for Software Issues reporting
  • Policy for Disposing of Software
  • Policy for securing hardware, peripherals and other equipment
  • Policy for Cabling, UPS, Printers and Modems
  • Policy for Using Secure Storage
  • Policy for Documenting Hardware
  • Policy for Other Hardware Issues
  • Policy for combating Cyber Crime
  • Policy for E-Commerce Issues
  • Policy for developing and maintaining in-house software
  • Policy for Controlling Software Code
  • Policy for Software Development
  • Policy for Testing & Training
  • Policy for Documentation
  • Policy for Documenting New and Enhanced Systems
  • Policy for Acquiring Vendor Developed Software
  • Policy for Premises Security
  • Policy for Data Stores
  • Policy for addressing personnel issues relating to security
  • Policy for Confidential Personnel Data
  • Policy for Personnel Information Security Responsibilities
  • Policy for HR Management
  • Policy for HR Issues Other
  • Policy for Awareness
  • Policy for Training
  • Policy for complying with legal and policy requirements
  • Policy for Planning business Continuity

