
www.hpt.vn
OVERVIEW

Today, information technology plays an important role and is tied to almost every business and production activity of organizations and enterprises. The benefits that information technology brings are undeniable, but with them come information security risks that can cause major damage to the finances and reputation of organizations and enterprises. Recently, both the world and Vietnam have witnessed numerous cyber attacks of growing scale and sophistication, seriously affecting the operations of enterprises and organizations in particular and society as a whole.

Given this alarming situation, protecting information security has become more important and urgent than ever for organizations and enterprises. To help address this challenge, HPT introduces to organizations and enterprises its professional network security services, offered in a range of service packages:
- Penetration Testing service (testing how far the system can be intruded upon)
- Auditing/Monitoring service (assessment/monitoring)
- Network security solution consulting service

PENETRATION TESTING SERVICE
The service is carried out by checking the system's security vulnerabilities and testing its ability to defend itself against attacks launched from outside the system, from users inside the system, or from the position of a business partner of the enterprise. By exploiting the system's security vulnerabilities, the service also gives the enterprise recommendations for remediating them. The forms of testing include:
- Black-box testing: assumes the attacker (hacker) knows nothing about the enterprise's system and attacks the components of the system.
- White-box testing: assumes the hacker is given full information about the system, such as the system diagram and the list of applications and operating systems in operation.
NETWORK SECURITY SERVICES

Penetration Testing Package
I. Black Box Testing
II. Gray Box Testing (Option)
III. White Box Testing
Items listed in the package diagram: Network and Host; Mail Services; DNS Services; FTP Services; Wireless Network; Remote Control Services; Web Services; Information Gathering; Spoofing Testing; Sniffer Testing; Session Hijacking; Escalate Privileges; GPO Bypass Testing; Web Internal Testing; Evading Firewall/IDS/IPS; Network Testing.
AUDITING/MONITORING SERVICE

The service is carried out through an overall review of the system, including the security policies, the configuration of network devices, the applications in the system and the physical security of the system, according to the ISO 27001 standard, and provides security recommendations suited to the enterprise's system. In addition, HPT provides a monitoring service for the customer's system, sending periodic reports on the system's security level and standing ready 24/24 to support the customer in handling incidents if the customer's system is attacked during the service period.

The service includes surveying and assessing the following:
- System connection model
- Basic network devices (Router, Switch, ...)
- Network security devices and software (firewall, attack detection and prevention system, VPN virtual private network system, ...)
- Security policies
- Server systems
- Data backup and recovery systems

- Gray-box testing: assumes the hacker is given an account as an ordinary user and attacks the system as an employee of the enterprise.

The Penetration Testing service includes:
- Network and hosts testing: security vulnerabilities in the network and on workstations are often leveraged and exploited by hackers to break into the system. The service delivers a detailed report and methods for remediating these security vulnerabilities.
- Web application and system testing (Web application): Web applications are increasingly common and have become the main tool for interaction, such as providing online services, providing operational information between the enterprise and its customers, and providing internal applications on a web platform. However, alongside the benefits that Web applications bring, they are also often the weak point in the enterprise's system. Hackers often take advantage of security vulnerabilities introduced during application development to exploit them and carry out intrusions such as sabotaging the application, changing content, or taking over transaction sessions for personal gain. The intrusion may originate from internal users, external users, or even the system administrators themselves. HPT's Web application security testing service is carried out according to the OWASP standard and helps the enterprise reduce application risks, contributing to strengthening the security level of the whole system.
  OWASP (Open-source Web Application Security Project) is an open standard that allows organizations and enterprises to build, develop and maintain Web-based applications in the most secure way, through an assessment process based on criteria validated by the community. OWASP comprises 10 vulnerabilities that are assessed in detail, with regular updates on the risks a Web application commonly faces.
- Wireless LAN testing: wireless networks are increasingly widespread and make it convenient for users to access system resources, but they also carry high risk if hackers break into the wireless network and move deeper into the system through privilege escalation attacks. The service tests whether the wireless network can be intruded upon from outside, and whether ordinary users can abuse gaps in the security policy to escalate to higher privileges from the wireless network, affecting the operation of the system.
Web Application Testing (OWASP)
I. Injection
II. Cross-site Scripting (XSS)
III. Broken Authentication and Session Management
IV. Insecure Direct Object References
V. Cross-site Request Forgery (CSRF)
VI. Security Misconfiguration
VII. Insecure Cryptographic Storage
VIII. Failure to Restrict URL Access
IX. Insufficient Transport Layer Protection
X. Unvalidated Redirects and Forwards
Audit - Monitor Package
I. Monitor Solution
   1. Device Monitor
   2. Web Monitor
   3. Log Monitor
   4. Alert Solution
II. Domain Infrastructure
   1. GPO
   2. Log Setting
   3. Application Security
   4. OS Hardening
   5. Services Setting
   6. Backup Solution
   7. Removal Devices
   8. End-User Policy
III. Web and Database
   1. Web Application
   2. Web Server
   3. Database
IV. Device Audit
   1. Topology
   2. IDS/IPS
   3. Firewall
   4. Router-Switch
   5. Wireless
BENEFITS OF THE NETWORK SECURITY SERVICES

With its strength as a leading company in the field of information technology, HPT helps customers assess and build an effective information security system at the most reasonable cost and in the most reasonable time. Specifically, the service packages above bring customers the following benefits:
- Early detection of the threats and risks the customer's system is facing, so that timely and effective solutions can be put forward.
- Stronger system security based on the security solutions HPT recommends.
- A system optimized and standardized according to international standards.
- Improved ability of the system to defend itself when facing threats.
- Improved competitiveness of the enterprise compared with other organizations, together with increased trust in the enterprise from partners and customers.

NETWORK SECURITY SOLUTION CONSULTING SERVICE

The service covers consulting on, designing and deploying overall security solutions based on the recommendations that follow Penetration Testing or Auditing/Monitoring, ensuring that the enterprise's system meets its security requirements with the highest effectiveness and at the most optimal cost. The network security solutions include:
- Design according to international standards and optimized for the system
- Setting up a firewall system
- Setting up an attack detection and prevention system
- Setting up a virtual private network system
- Setting up a honeypot system
- Access monitoring solution (Network Admission Control)
- Solution for preventing the risk of loss of user passwords
- Solution for preventing the risk of data loss on user machines
- Antivirus system solution and prevention of attacks on servers
- Data backup and recovery solution
- Internet link optimization solution
- Centralized system management solution
Depending on the customer's needs and the current state of the customer's system, HPT provides either overall consulting or specific solution packages to help customers thoroughly resolve their information security and safety problems.

TARGET CUSTOMERS

- Foreign companies and corporations that have policies on periodic quarterly or annual information security assessment and testing.
- Banks and financial institutions complying with audit standards that require periodic assessments or information security certification reports, under standards such as ISO 27001, PCI DSS, ...
- State organizations and agencies that need reports on the state of information security in their unit as required by State regulations.
- Enterprises that are in the process of standardizing their systems and pay attention to system security issues.
Contact:

Hanoi Branch Office
123 Xã Đàn, Đống Đa District, Hanoi
Tel: +(84 4) 35 738 088 Fax: +(84 4) 35 738 089

Da Nang Branch Office
12th Floor, Da Nang Software Park, 2 Quang Trung, Da Nang
Tel: +(84 511) 73 050 60 Fax: +(84 511) 38 903 88

Representative Office in Cambodia
123-125 Russian Federation Blvd, Teuk Thla Commune, Sen Sok District, Phnom Penh, Cambodia.
Tel: +(855) 23 88 28 38

Head Office
9th Floor, Paragon Building, 3 Nguyễn Lương Bằng, District 7, Ho Chi Minh City
Tel: +(84 8) 54 123 400 Fax: +(84 8) 54 108 801
www.hpt.vn

Customer Service Center
47 Nguyễn Trường Tộ, Ward 12, District 4, Ho Chi Minh City
Tel: +(84 8) 38 266 206 Fax: +(84 8) 38 266 044
HPT'S CAPABILITIES

- HPT is a senior-level partner of the world's leading vendors of security equipment and solutions such as Cisco, Checkpoint, IBM, HP, Microsoft... and also has close relationships with partners able to provide high-end security services at home and abroad, such as Beyond Security, TUV...
- HPT has a dedicated security team that brings together experienced, formally trained experts. In addition to their professional skills, HPT's experts hold the full range of advanced information security certifications such as CISSP, CCIE Security, CEH, Security+, ...
- HPT has extensive experience deploying information security services for many Vietnamese and international customers, such as insurance groups, financial institutions, banks, domestic and foreign enterprises, and state and government agencies.
- The service is backed by in-depth investment in equipment, infrastructure, and open-source and commercial assessment and testing tools.
- Service delivery is controlled by a strict process that ensures quality, confidentiality and delivery time according to the customer's requirements.
Figure: Network security service project workflow. Flowchart nodes: Start; Receive request; Can the request be met? (Yes / No); Stop project; Sign the information non-disclosure agreement (NDA); Appoint the point of contact (POC); Define the project objectives and scope; Define the success criteria; Plan; Execute the plan; Detect/exploit system vulnerabilities; Log the work performed; Report to the POC; Report the project results; End.
