
EMPANELLED OF INFORMATION SECURITY AUDITING ORGANISATIONS

IT Security Audit (Full Scope of Audit)


Within the broad scope, 'Information System Security Audit' or 'IT Security Audit' covers an assessment of the
security of an organisation's networked infrastructure, comprising computer systems, networks, operating
system software, application software, etc. A security audit is a specified process designed to assess the security
risks facing an organisation and the controls or countermeasures adopted by the organisation to mitigate those
risks. It is typically a process carried out by a person having technical and business knowledge of the company's
information technology assets and business processes. As a part of any audit, the auditors will interview key personnel,
conduct vulnerability assessments & penetration testing, catalog existing security policies and controls, and
examine IT assets. The auditors rely heavily on technology, manual efforts & tools to perform the audit.

For Customer Organisations

The list of IT security auditing organisations given below is the up-to-date, valid list of CERT-In empanelled
information security auditing organisations. This list is updated by us as soon as there is any change in it.
Customer organisations may refer to this list to avail their services on a limited quotes / tender basis to carry out
an information security audit of their networked infrastructure. While placing the order, customer organisations
should refer to this list again for the latest changes, if any, and should place the order only with an organisation that is
in this list on that particular day.
1. M/s 3i Infotech Ltd
#6/2, Brigade Champak,
Union Street, Off Infantry Road,
Bangalore 560001.
Website URL : http://www.3i-infotech.com
Telephone : 080-30541360
Fax : 080-30541306
Contact Person : Mr. Babji V S, General Manager, Managed Services
e-mail : babji.vs[at]3i-infotech.com
Mobile : 9945322113
2. M/s AAA Technologies Pvt Ltd
278-280, F-Wing, Solaris-1,
Saki Vihar Road, Opp. L&T Gate No. 6,
Powai, Andheri (East),
Mumbai 400072.
Website URL : http://www.aaatechnologies.co.in
Telephone : 022-28573815
Fax: 022-40152501
Contact Person : Mr. Anjay Agarwal, Director
e-mail : anjay[at]aaatechnologies.co.in
Mobile : 9821087283
3. M/s AKS Information Technology Services Pvt Ltd
E-52, 1st Floor,
Sector-3,
Noida 201301.
Website URL : http://www.aksitservices.co.in
Telefax : 0120-4243669
Contact Person : Mr. Ashish Kumar Saxena, Managing Director


e-mail : ashish[at]aksitservices.co.in
Mobile : 9811943669
4. M/s Appin Software Security Pvt Ltd
9th Floor, Agarwal Metro Heights,
Netaji Subhash Palace,
Pitampura, New Delhi-110034
Website URL : http://security.appinonline.com
Telephone : 011-64736970/71
Fax : 011-26581024
Contact Person : Mr. Rajat Khare, Director
e-mail : appin.security[at]appinmail.com
Mobile : 09212149267
5. M/s Auditime Information Systems (India) Pvt Ltd
A-504, Kailash Esplanade,
LBS Marg, Ghatkopar (West),
Mumbai 400086.
Website URL : http://www.auditimeindia.com
Telephone : 022-25006875
Fax: 022-25006876
Contact Person : Mr. Chetan Maheshwari, Director
e-mail : csm[at]auditimeindia.com

6. M/s Aegis Tech Limited


2nd Floor, Equinox Business Park,
Tower 1, (Peninsula Techno Park),
Off Bandra Kurla Complex, LBS Marg,
Kurla (West), Mumbai 400070, INDIA
Website URL : http://aegisglobal.com/section_level2.aspx?cont_id=zWj8z5qFobY=
Telephone : +91 22 6661 7272
Fax: +91 22 6704 5888
Contact Person : Mr. Atul Khatavkar VP - ITGRC
e-mail : atul.khatavkar[at]agcnetworks[dot]com
Mobile : +91 9930132135, 98200 19392

7. M/s Aujas Networks Pvt Ltd


No. 4025/26, 2nd Floor, K R Road,
Jayanagar, 7th Block West,
Bangalore 560082.
Website URL : http://www.aujas.com
Telephone : 080-40528527
Fax: 080-40528516
Contact Person : Ms. Sandhya Agnihotri, Manager - Sales Operations
e-mail : sandhya.agnihotri[at]aujas.com
Mobile : 9901133387


8. M/s Controlcase India Pvt Ltd


203, Town Center, Andheri-Kurla Road
Saki Naka, Andheri(E)
Mumbai-400059
Website URL : http://www.controlcase.com
Telephone :+91-2266471800
Fax : +912266471810
Contact Person : Mr. Suresh Dadlani, Chief Operating Officer
e-mail : sdadlani[at]controlcase.com
Mobile : +91-9820293399
9. M/s CyberQ Consulting Pvt Ltd
# 622, DLF Tower A,
Jasola,
New Delhi 110044.
Website URL : http://www.cyberqindia.com
Telephone : 011-41066560, 41077561
Fax: 011-41077561
Contact Person : Mr. Debopriyo Kar, Head, Information Security
e-mail : debopriyo.kar[at]cyberqindia.com
10. M/s Computer Science Corporation India Pvt. Ltd.
DLF IT Park,
A-44/45, Sector 62, Noida
Website URL: http://www.csc.com/in
Telephone : +91-120-4701015
Fax : +91-120-6700108
Contact Person : Narendra Nayak
Email : india_busdev[at]csc[dot]com

11. M/s Cyber Security Works Pvt Ltd


E Block, No. 3, 3rd Floor,
599, Anna Salai,
Chennai - 600006
Website URL : http://www.cybersecurityworks.com
Telephone : 044-42089337
Fax : 044-42089170
Contact Person : Mr Selva Kumar, Manager
e-mail : info [at] cybersecurityworks[dot]com

12. M/s Deccan Infotech Pvt Ltd


# 13, Jakkasandra Block,
7th Cross, Koramangala,
Bangalore 560034.


Website URL : http://www.deccaninfotech.in


Telephone : 080-25530819
Fax : 080-25530947
Contact Person : Mr. Dilip. H. Ayyar, Director - Technical
e-mail : dilip[at]deccaninfotech[dot]in
Mobile : 9686455399

13. M/s Deloitte Touche Tohmatsu India Pvt. Ltd


7th Floor, Building 10, Tower B, DLF City Phase-II,
Haryana India
Gurgaon-122002
Website URL : http://www.deloitte.com
Telephone : +91-1246792000
Fax : +91-1246792012
Contact Person : Mr. Sundeep Nehra, Senior Director
e-mail : snehra[at]deloitte[dot]com
Mobile : +91-9999003908

14. M/s Digital Age Strategies Pvt Ltd


204, Lakshminarayan Complex, 2nd Floor,
Panduranganagar, Opp. HSBC, Bannerghatta Road,
Bangalore 560076.
Website URL : http://www.digitalage.co.in
Telephone : 080-41503825
Fax : 080-264085148
Contact Person : Mr. Dinesh S. Shastri, Director
e-mail : digitalageaudit[at]airtelmail[dot]in
Mobile : 9448088666

15. M/s Ernst & Young Pvt Ltd


2nd Floor, TPL House,
3, Cenotaph Road, Teynampet,
Chennai 600018.
Website URL : http://www.ey.com/india
Telephone : 044-42194650
Fax : 044-24311450
Contact Person : Mr. Terry Thomas, Partner
e-mail : terry.thomas[at]in.ey.com
Mobile : 9880325000

16. M/s Financial Technologies(India)Ltd


601, Bostan House, 6th Floor,
Suren Road, Chakala, Andheri(East),
Mumbai-400093
Website URL : http://www.ftindia.com/
Telephone : +912267099600


Fax : +912267099066
Contact Person : Mr. Parag Ajmera, Head

17. M/s Haribhakti & Co.


42, Free Press House,
215, Nariman Point,
Mumbai 400021.
Website URL : http://www.haribhaktigroup.com
Telephone : 022-66729999
Fax: 022-66729777
Contact Person : Mr. Milind Dharmadhikari, Director In-charge
e-mail : milind.dharmadhikari[at]bdoindia.co.in

18. M/s HCL Comnet Ltd


Head Office,
A 10-11, Sector-3,
Noida 201301.
Website URL : http://www.hclcomnet.co.in
Telephone : 0120-4362800
Fax : 0120-2539799
Contact Person : Mr. Prasun Roy Barman, Global Practice Director - Security
e-mail : prasunb[at]hcl.in

19. M/s HEXAWARE TECHNOLOGIES LTD.


Plot No. H5, SIPCOT IT Park
Navallur Post, Siruseri,
Kanchipuram Dt. 603 103 (India)
Website URL : http://www.hexaware.com
Telephone : +91-44-47451000
Fax : +91-44-47451111
Contact Person : Mr. S. Elangovan
e-mail : Elangovan[at]hexaware[dot]com
Mobile : 98404 13778

20. M/s IBM India Pvt Ltd


4th Floor, The IL&FS Financial centre,
Plot No C 22, G Block, Bandra Kurla Complex,
Bandra (East),Mumbai-400051
Website URL : http://www.ibm.com/
Telephone : +91-022-40589000
Fax : +91-22-26533585
Contact Person : Mr. Jeffery Paul


e-mail : pjeffery[at]in[dot]ibm[dot]com
Mobile : +91-9892502342

21. M/s IDBI Intech Ltd


Plot No. 39-41, IDBI Building ,
Sector-11, CBD Belapur,
Navi Mumbai 400614.
Website URL : http://www.idbiintech.com/
Telephone : 022-39148000
Fax : 022-27566313
Contact Person : Mr. Pramod Gosavi, Head - Professional Services
e-mail : gosavi.pramod[at]idbiintech.com / is.audit[at]idbiintech.com
Mobile : 9890304884

22. M/s Indusface Consulting Pvt Ltd


A/2-3, 3rd Floor, Status Plaza, Opp. Relish Resorts,
Akshar Chowk, Atladra - Old Padra Road,
Vadodara 390020.
Website URL : http://www.indusfaceconsulting.com
Telephone : 0265-6562666
Fax: 0265-2355820
Contact Person : Mr. Ashish Tandon, CEO
e-mail : ashish.tandon[at]indusfaceconsulting.com
Mobile : 9898866444

23. M/s Information Systems Auditors & Consultants Pvt Ltd


12/12 A, 3rd Floor, Dena Bank Building.
17B Horniman Circle, Fort,
Mumbai 400001.
Telephone : 022-22663955
Fax: 022-22662661
Contact Person : Mr. Shashin Lotlikar, Director
e-mail : smlotlikar[at]isaac.co.in

24. M/s iSec Services Pvt Ltd


608/609 Reliable Pride, Anand Nagar,
Opp. Om Heera Panna Mall, Jogeshwari West
Mumbai - 400102
Website URL: www.isec.co.in
Telephone : 022-26368830
Fax : 022-26300209
Contact Person : Mr. C Karthikeyan, Sr Security Analyst
e-mail : contactus[at]isec.co.in


25. M/s iViZ Techno Solutions Pvt Ltd


RDB Boulevard, 4th Floor, Plot No. K-4,
Sector 5, Block - EP & GP, Salt Lake,
Kolkata 700091.
Website URL : http://www.ivizsecurity.com/
Telephone : 033-40217300
Fax : 033-40217308
Contact Person : Mr. Rudra Kamal Sinha Roy, Group Head, Project Management
e-mail : rudra[at]ivizsecurity.com
Mobile : 9845838888

26. M/s KPMG


4B, DLF Corporate Park,
DLF City, Phase-3,
Gurgaon 122002.
Website URL : http://www.in.kpmg.com
Telephone : 0124-2549191
Fax : 0124-2549101
Contact Person : Mr. Akhilesh Tuteja, Executive Director
e-mail : atuteja[at]kpmg.com
Mobile : 9871025500

27. M/s K. R. Information Security Solutions


176 First Floor, Gulmohar Club Road, Gautam Nagar
New Delhi-110011
Website URL : http://www.kriss.in/
Telephone : +91-11-26536578
Fax : +91-11-26536582
Contact Person : Cdr. Subhash Dutta, Principal Consultant
e-mail : subhash.dutta[at]kriss.in
Mobile : +91-9818610194

28. M/s Locuz Enterprise Solutions Ltd


3, Tilak Road,
Sudha House, Abids,
Hyderabad 500001.
Website URL : http://www.locuz.com
Telephone : 040-66115511
Fax : 040-66781111
Contact Person : Mr. Uttam Majumdar, Chief of Consulting & Professional Services
e-mail : uttam.majumdar[at]locuz.com
Mobile : 9848005089

29. M/s Microland Ltd


1B, Ecospace,


Belandur, Outer Ring Road,


Bangalore 560037.
Website URL : http://www.microland.com
Telephone : 080-39180254
Fax : 080-39180044
Contact Person : Venugopal J D, Group Consultant
e-mail : ptsdc[at]microland.com
Mobile : +919845171663

30. M/s MIEL e-Security Pvt Ltd


C-611/612, Floral Deck Plaza,
MIDC, Central Road, Andheri (East),
Mumbai 400093.
Website URL : http://www.mielesecurity.com
Telephone : 022-28215050
Fax : 022-28215838
Contact Person : Mr. R. Giridhar, National Sales Manager
e-mail : rgiridhar[at]mielesecurity.com
Mobile : 9820142476

31. M/s Network Intelligence India Pvt Ltd


204 Ecospace IT Park,
Off Old Nagardas Road,
Andheri East,
Mumbai-400069.
Website URL: www.niiconsulting.com
Telephone: 022-28392628
Fax: 022-28375454
Contact person: Mr K.K. Mookhey, Principal Consultant
e-mail: kkmookhey[at]niiconsulting.com / info[at]niiconsulting.com
mobile : +91-9820049549

32. M/s Network Security Solutions (India) Ltd


A-100, 1st Floor, Sector-5,
Noida 201301.
Website URL : http://www.mynetsec.com
Telephone : 0120-4256136
Fax : 0120-2420124
Contact Person : Mr. Sandeep K. Sikka, General Manager Operations
e-mail : sandeep.sikka[at]mynetsec.com
Mobile : 9811943673

33. M/s Netmagic Solutions Pvt. Ltd


B-2, 2nd Floor, Phase 1,
Nirlon knowledge park,


Goregaon East.
Website URL : http://www.netmagiasolutions.com
Telephone : +91 -22 - 40099099
Fax : +91 22 6785 1501
Contact Person : Mr. Yadavendra Awasthi, Chief Information Security Officer (CISO)
e-mail : yadu@netmagicsolutions.com
Mobile : + 91 - 9820 2425 84

34. M/s NIIT Technologies Ltd


223-224, Udyog Vihar-I
Gurgaon 122002.
Website URL : http://www.niit-tech.com
Telephone :0124-4374161
Fax : 011-40570933
Contact Person : Mr. Maneesh Bakhru,
e-mail : maneesh.bakhru[at]niit-tech.com
Mobile : +91 9818605093

35. M/s Paladion Networks


49, 1st Floor, Shilpa Vidya,
1st Main, 3rd Phase, J P Nagar,
Bangalore 560078.
Website URL : http://www.paladion.net
Telephone : 080-41135991
Fax: 080-41208559
Contact Person : Mr. Manoj Kumar, Marketing Manager
e-mail : manoj.kumar[at]paladion.net
Mobile : 9810488748

36. M/s Persistent Systems Limited


Pingala-Aryabhatt, Plot No. 9A/12,
CTS No. 12A/12, Erandwana, Near Padale Palace ,
Pune 411004.
Website URL : http://www.persistentsys.com
Telephone : 020 30234000
Fax: 020 3023 4001
Contact Person : Mr. Anand Pande
e-mail : security_info[at]persistentsys.com
Mobile : +91 9552560590
37. M/s PricewaterhouseCoopers Pvt Ltd
Building 8, 8th Floor,
Tower B, DLF Cyber City,
Gurgaon 122002.
Website URL : http://www.pwc.com
Telephone : 0124-4620000
Fax: 0124-4620620


Contact Person : Mr. Neel Ratan, Executive Director


e-mail : neel.ratan[at]in.pwc.com
38. M/s Progressive Infotech Pvt Ltd
C-161, Phase-II Extension
Noida-201305
Website URL : http://progressive.in/
Telephone : +91-120-4393939
Fax : +91-120-4393922
Contact Person : Mr. Ajay Batra, Practice Head
e-mail : ajay.batra[at]progressive.in
Mobile : +91-9811832622
39. M/s ProMinds Consulting Pvt Ltd
402, 4th Floor, ABK Olbee Plaza,
Road No. 1, Banjara Hills,
Hyderabad 500034.
Website URL : http://www.promindsglobal.com
Telefax : 040-40207383
Contact Person : Mr. Balaji Selvaraju, CEO and Principal Consultant
e-mail : balajis[at]promindsglobal.com
Mobile : +91-9866673663

40. M/s Qadit Systems & Solutions Pvt Ltd


1st Floor, Balammal Building
33 Burkit Road
T. Nagar
Chennai 600017.
Website URL : http://www.qadit.com
Telephone : +91-44-42791150/ 51/ 52
Fax : +91-44-42791149
Contact Person : Mr. V. Vijayakumar, Director
e-mail : vijay[at]qadit.com
Mobile : 9444019232

41. M/s Secure Matrix India Pvt Ltd


12 Oricon House, 14 K Dubash Marg,
Kala Ghoda, Fort,
Mumbai 400001.
Website URL : http://www.securematrix.in
Telephone : 022-32537579
Fax : 022-22886152
Contact Person : Mr. Saurabh B. Dani, Vice Chairman
e-mail : saurabh[at]securematrix.in
Mobile : 9821542619


42. M/s SecureSynergy Pvt Ltd


#3332, 13th Main, 6th Cross,
HAL II Stage, Indiranagar,
Bangalore 560038.
Website URL : http://www.securesynergy.com
Telephone : 080-25210556
Fax: 080-41151605
Contact Person : Mr. Santhosh Koratt, Head - Consulting & Compliance
e-mail : santhoshkoratt[at]securesynergy.com

43. M/s SecurEyes Techno Services Pvt Ltd


#3S, 3rd Floor,Swamy Towers,
Chinapanahalli, Marathahalli,
Outer Ring Road
Bangalore 560037.
Website URL : http://www.secureyes.net
Telephone : 080-41264078
Contact Person : Mr. Karmendra Kohli , Chief Operating Officer
e-mail : karmendra.kohli[at]secureyes.net
Mobile : 9448111432

44. M/s Security Brigade


1/47 Tardeo AC Market,
Tardeo,
Mumbai 400034
Website URL : http://www.securitybrigade.com
Telephone : 0651-6458865
Fax : 0651-2444545
Contact Person : Mr. Yash Kadakia, Chief Technology Officer
e-mail : yash[at]securitybrigade.com
Mobile : 9833375290
45. M/s Sify Technologies Ltd
Brigade MLR Centre, No. 20, G Floor,
Vanivilas Road, Basavanagudi,
Bangalore 560004.
Website URL : http://www.sifycorp.com
Telephone : 080-61263144
Fax: 022-26177662
Contact Person : Mr. Natarajan K R, DGM - Information Assurance
e-mail : natarajan.karrirama[at]sifycorp.com
Mobile : 9844374175

46. M/s Simos Computer Systems Pvt Ltd


No. 5 (Old No. 3/1), Poes Road, 1st Floor,
Teynampet,


Chennai 600018.
Website URL : http://www.simosindia.com
Telephone : 044-42110302
Fax : 044-42109436
Contact Person : Mr. Balamurugan R, Director
e-mail : rbm[at]simosindia.com
Mobile : 9884306004

47. M/s SISA Information Security Pvt Ltd


3029, SISA House, 13th Main Road,
Sri Sai Darshan Marg, HAL II Stage, Indiranagar, - Bangalore - 560008
Website URL: http://www.sisa.co.in
Telephone: 080-41153769
Fax: 080-41153796
Contact person: Mr. Nitin Bhatnagar, Head Business Development
e-mail: info[at]sisa.in
mobile : +91-9820885922

48. M/s Spectrum IT Solution


B118,
Sector 64,
Noida,UP 201307
Website URL : http://www.spectrumin.co.in
Telephone : 0120-4236230
Fax : 0120-4236231
Contact Person : Mr. Mahesh Singh, Director
e-mail : mahesh[at]spectrumin.co.in
Mobile : 9811943670

49. STQC Directorate


Department of Information Technology,
Min. of Comm'ns & IT, Govt. of India,
Electronics Niketan,
6, CGO Complex, Lodhi Road,
New Delhi 110003.
Website URL : http://www.stqc.nic.in
Telephone : 011-24363378
Fax: 011-24363083
Contact Person : Mr. Arvind Kumar, Scientist F
e-mail : arvind[at]mit.gov.in

50. M/s Suma Soft Pvt Ltd


Suma Center, 2nd Floor,
Opp. Himali Society,
Near Mangeshkar Hospital,
Erandawane, Pune - 411 004
Website URL:http://www.sumasoft.com


Telephone: +91-20-40130400
Fax: +91-20-25438108
Contact Person: C Manivannan
e-mail: mani[at]sumasoft.com
Mobile: +91-9371011855

51. M/s Sumeru Software Solutions Pvt Ltd


#40, Arth, 12th Main,
Jayanagar, 4th Block,
Bangalore 560041.
Website URL : http://www.sumerusolutions.com
Telephone : 080- 28432475
Fax : 080-41211434
Contact Person : Mr. Chidhanandham Arunachalam
e-mail : infosec[at]sumerusolutions.com
Mobile : 9538912774

52. M/s Sysman Computers Pvt Ltd


312, Sundram,
Rani Laxmi Chowk, Sion Circle,
Mumbai 400022.
Website URL : http://www.sysman.in
Telephone : 9967247000
Telefax: 9967248000
Contact Person : Mr. Rakesh Goyal, Managing Director
e-mail : rakesh[at]sysman.in

53. M/s Tata Consultancy Services Ltd


Wellspring Phase-3,
Godrej and Boyce Complex,
Plant No. 12, Gate No. 4,
LBS Marg, Vikhroli (West),
Mumbai 400079.
Website URL : http://www.tcs.com
Telephone : 022-67784139
Fax: 022-67503300
Contact Person : Mr. P V S Murthy, Consultant
e-mail : pvs.murthy[at]tcs.com
Mobile : 9867743050

54. M/s Tech Mahindra Ltd


A-7, Sector-64,
Noida 201301.


Website URL : http://www.techmahindra.com


Telephone : 0120-4652000
Contact Person : Mr. Manoj Gilra, Director - Business Development
e-mail : mgilra[at]techmahindra.com
Mobile : 9810069966
55. M/s Technologics & Control
2/30, 3rd Floor ,
Sarai Julena, - New Delhi - 110025
Website URL: www.tech-controls.com
Telephone: 011-26933733
Fax: 011-26910189
Contact person: Mr. Sanjiv Arora, Director
e-mail: sa[at]tech-controls.com
mobile : +91-9810293733
56. M/s Torrid Networks Pvt. Ltd.
H-87, First Floor ,
Sector-63, Noida 201 301
Website URL: www.torridnetworks.com
Telephone: 0120-4216622
Fax: 0120-4314996
Contact person: Mr. Salil Kapoor
e-mail: info [at] torridnetworks.com
mobile : +91-9266666883/9266666696

57. M/s TVSNet Technologies Ltd


3rd Floor, V B C Solitaire,
47 & 49, Bazullah Road,
T Nagar,
Chennai 600017.
Website URL : http://www.tvsnet.in
Telephone : 044-42923900
Fax: 044-42923999
Contact Person : Mr. Sujit P Christy, ISecurity Manager - Solutions Architect
e-mail : sujit.p[at]tvsnet.in
Mobile : 9382122359

58. M/s Verizon Business


Radisson Commercial Plaza,
A-Wing, 1st Floor, National Highway-8,
New Delhi - 110037.
Website URL : http://www.verizonbusiness.com/in/
Telephone : +91-11-42818101
Fax : +91-11-42818164
Contact Person : Mr. Prashant Gupta
e-mail : Prashant.gupta[at]verizonbusiness.com
Mobile : +91- 9899211162


59. M/s VISTA InfoSec Pvt. Ltd.


2/203 Vahatuk Nahar,
Caesar Road, Amboli,
Andheri (W), Mumbai - 400058
Website URL : http://www.vistainfosec.com
Telephone : +91-22-65236292
Fax :
Contact Person : Rohan.Patil@vistainfosec.com
Mobile : +91-9619990923

60. M/s Wipro Ltd


Consulting Division,
480 - 481, Udyog Vihar, Phase-3,
Gurgaon 122016.
Website URL : http://www.wipro.co.in
Telephone : 0124-3084407
Fax : 0124-3084700
Contact Person : Mr. Sachin Nagpal, Consultant
e-mail : sachin.nagpal[at]wipro.com
Mobile : 9711360534


CERT-In empanelled IT Security Auditing Organisations


M/s 3i Infotech Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : 3i Infotech Ltd, Navi Mumbai
2. Carrying out Information Security Audits since : December 2000
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 7
CISAs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 40
4. Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 100
Commercial : 0
Proprietary: 1
Total Nos. of Audit Tools : 101
Details of the Audit Tools
Freeware
1. Nessus - Remote security scanner
2. Snort - Network intrusion prevention and detection system
3. Netcat - A simple Unix utility which reads and writes data across network connections, using
TCP or UDP protocol
Commercial
1. Retina - Retina's function is to scan all the hosts on a network and report on any vulnerability
found.

5. Information Security Audit Methodology : OSSTM, OWASP
6. Information Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 0
Private : 22
Total Nos. of Information Security Audits done : 22
7. Business domain of auditee organisations : Banking, Financial, Manufacturing
8. Typical applications in use by auditee organisations : Banking and Financial Applications
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 16 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 250
No. of Servers : 30
No. of Switches : 20
No. of Routers : 6
No. of Firewalls : 2
No. of IDS' : 0
11. Ability to carry out vulnerability assessment and penetration test : Yes


Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
M/s AAA Technologies Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation : AAA Technologies Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2000
3. Technical manpower deployed for security audits :
CISSPs : 3
BS7799 / ISO27001 LAs : 5
CISAs : 9
DISAs / ISAs : 3
Total Nos. of Technical Personnel : 20
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary: 1
Total Nos. of Audit Tools : 20

Details of the Audit Tools


Freeware :
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping - TCP ping utility; Dsniff - Passively monitor a network for interesting data (passwords, email, files, etc.); facilitates the interception of network traffic normally unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. Tools from FoundStone - Variety of free security-tools
14. SQL Tools - MS SQL related tools
15. John the Ripper - Password-cracking utility
16. ITS4 - Scan C/C++ source-code for vulnerabilities
17. Paros
18. NMAP - The famous port-scanner
19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
20. Nemesis - Packet injection suite
21. NetCat - Swiss Army-knife, very useful
22. RAT - CISecurity's Router Auditing Tool


23. DSniff - A collection of different purpose sniffers


24. Achilles - An SSL-proxy allowing to change data
25. Whitehats - Snort IDS-signatures & other resources
26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
27. Brutus password cracking for web applications, telnet, etc.
28. WebSleuth - web-app auditing tool
29. Mieliekoek - SQL Injection tool, use with HTTrack
30. NT Toolbox - Resources & tools for NT
31. [at]Stake Tools - Tools provided by [at]-Stake
32. TSCrack - Wordlist-based Terminal Server login-cracker L0phtcrack - NT-password cracking utility
33. HTTPrint detect web server and version
34. Web proxy - web application testing
35. Web server vulnerability assessment tool
Commercial :
None
Proprietary :
1. AAA - Used for Finger Printing and identifying open ports, services and misconfiguration
6. Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT
7. Security Audits carried out since empanelment till now :
Govt. : 88
PSU : 34
Private : 15
Total Nos. of Security Audits : 137
8. Business domain of auditee organisations : Stock Brokers, Banking, Travel, Insurance, Railways, Govt.
9. Typical applications in use by auditee organisations : Banking, Tally, ERP, Home grown applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Servers : 500
No. of Computer Systems : 1000
No. of Routers : 10
No. of Switches : 40
No. of Firewalls : 30
No. of IDS' : 20
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s AKS Information Technology Services Pvt Ltd


Snapshot of skills and competence of CERT-In Empanelled Information Security Auditing Organisation
1. Name, Location of the Empanelled Information Security Auditing Organisation : AKS Information
Technology Services Pvt Ltd, Noida
2. Carrying out Information Security Audits since : September 2006
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 3
CISAs / CISMs: 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 18
4. Outsourcing of External Information Security Auditors / Experts : N
Information Security Audit Tools used (owned, in possession) :
Freeware : 50
Commercial : 4
Proprietary: 1
Total Nos. of Audit Tools : 55

Details of the Information Security Audit Tools


Freeware Tools
1. Nmap, Superscan and Fport - Port Scanners
2. Nessus Vulnerability Scanner
3. Metasploit & Securityforest - Penetration Testing
4. Process explorer, Sigcheck, Kproccheck - Windows Kernel & malware detection
5. Netstumbler & Kismet WLAN Auditing
6. Nikto - Web server vulnerability scanner

Commercial Tools
1. GFI Languard, Retina - Vulnerability Scanners
2. Burp Suite, Acunetix - Web application auditing

Proprietary Tools
1. ISA Log Analyzer
5. Information Security Audit Methodology : OSSTM, OWASP, ISO 27001, ISO 25999, CoBIT
6. Information Security Audits carried out since empanelment till now :
Govt. : 650
PSU : 50
Private : 40
Total Nos. of Security Audits : 740
7. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development,
Manufacturing, Defence
8. Typical applications in use by auditee organisations : Payment Gateway, PKI-based, Client-Server, Web
Based, MIS, Oracle ERP, NMS Web Applications


9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 256 Mbps
10. LAN Infrastructure details of an organizations audited with most complex network :
No. of Servers : 262
No. of Computers : 60
No. of Routers : 212
No. of Switches : 162
No. of Firewalls : 16
No. of IDS' : 2
11. Ability to carry out vulnerability assessment and penetration test : Y

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.

M/s Appin Software Security Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Appin Software Security Pvt. Ltd., Delhi
2. Carrying out Information Security Audits since : September 2005
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 7
CISAs / CISMs: 0
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 30
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 11
Commercial : 7
Proprietary: 2
Total Nos. of Information Security Audit Tools : 20
Details of the Information Security Audit Tools
Freeware Tools
1. Nessus
2. Nmap
3. Retina
4. SQL Injector
5. SQL Ninja
6. Backtrack
7. Wikto
8. Web Server Auditor
9. NS Auditor
10. Kismet
11. Ethereal

Commercial Tools
1. GFI languard
2. SSS
3. Accunetix
4. Core Impact
5. Appscan
6. Webinspect
7. QualysGuard

Proprietary Tools
1. Appin Guard
2. Appin Runner


6. Information Security Audit Methodology : OSSTM, OWASP, BS7799, ISO27001, ISO25999, CoBIT, SANS,
APPSEC
7. Information Security Audits carried out so far :
Govt. : 70
PSU : 8
Private : 50
Total Nos. of Security Audits : 128
8. Business domains of auditee organisations : Telecom, BPO, Manufacturing, Defence, Media, Infrastructure,
IT/ITES, Banking, Financial SW, Government, Education, Travel
9. Typical applications in use by auditee organisations : CBS, Oracle ERP, NMS, SAP, Peoplesoft, e-Gov.,
Mobile & Web Applications
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4000
No. of Servers : 300
No. of Switches : 200
No. of Routers : 200
No. of Firewalls : 20
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Auditime Information Systems (India) Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : AUDITime Information Systems (I) Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : September 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs : 10
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 64
4. Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 36
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 36
Details of the Audit Tools
Freeware Tools
1. Achilles - A tool designed for testing the security of web applications
2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
3. Brutus - A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4. Crack - A password cracker
5. CrypTool - A cryptanalysis utility
6. cURL - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS,
GOPHER, TELNET, DICT, FILE and LDAP
7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools
etc
8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of
penetration testing and information gathering
9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
10. FScan - A command-line port scanner. Supports TCP and UDP
11. Fragrouter - Utility that allows to fragment packets in funny ways
12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP,
UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features.
13. ISNprober - Check an IP address for load-balancing.
14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
15. John The Ripper - A password cracker
16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could
be used when scanning a large range of IP addresses, or to verify the results of manual work.
18. Netcat - The Swiss army knife of network tools. A simple utility which reads and writes data
across network connections, using TCP or UDP protocol
19. NMAP - The best known port scanner around.
20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS
versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like
L0phtcrack or John
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup,
whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone
transfer, SMTP relay check, etc.
23. ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from
command line
26. SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management
Protocol including snmpget, snmpwalk and snmpset.
33. Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for
the latest vulnerabilities.
Commercial Tools None
Proprietary Tools None
5. Information Security Audit Methodology : ISO17799 / ISO27001
6. Information Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 15
Private : 105
Total Nos. of Security Audits : 120
7. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Logistics,
Insurance
8. Typical applications in use by auditee organisations : Core banking, Insurance, Loan & Treasury
Management, Online trading, backoffice, CTCL, accounting, operations management, billing
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 15
No. of servers : 28
No. of switches : 0
No. of routers : 1
No. of firewalls : 1
No. of IDS' : 1
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/S Aegis Tech Limited


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation :
2. Carrying out Information Security Audits since : 12 Years
3. Technical manpower deployed for information security audits :
CISSPs : 1 No.
BS7799 / ISO27001 LAs : 14 Nos.
CISAs : 5 Nos
DISAs / ISAs :
Total Nos. of Technical Personnel : 15
4. Outsourcing of External Information Security Auditors / Experts : DNV for ISO 27001 certification
5. Information Security Audit Tools used (owned, in possession) :
Freeware : Backtrack ver 5
Commercial : Nessus Ver 4.4.1, Acunetix Ver 7
Proprietary:
Total Nos. of Audit Tools : 3 + Numerous Open Source Tools
6. Information Security Audit Methodology : Discovery (Scanning & probing), Exploitation & Analysis
(Penetrate Perimeter, Attack Resources), Reporting (Assessment Report & Recommendations)
7. Information Security Audits carried out so far :
Govt. : 1
PSU :
Private : More than 50
Total Nos. of Information Security Audits done : More than 50
8. Business domain of auditee organisations : Banking, Telecom, Manufacturing etc
9. Typical applications in use by auditee organizations : SAP, Oracle Financials, Finacle etc
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 8 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 27 (Internal)
No. of Servers : 11 (External)
No. of Switches : 10
No. of Routers : 5
No. of Firewalls : 1
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Details of the Audit Tools
Freeware:
Commercial: ACL, IDEA
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Aujas Networks Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Aujas Networks Pvt
Ltd, Bangalore
2. Carrying out Information Security Audits since : February 2008
3. Technical manpower deployed for information security audits :
CISSPs : 7
BS7799 / ISO17799 / ISO27001 LAs : 10
CISAs / CISMs: 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 30
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 24
Commercial : 3
Proprietary: 1
Total Nos. of Information Security Audit Tools : 28

Details of the IT Security Audit Tools


Freeware Tools
1. NMAP - Port Scanning.
2. Super Scan - Port Scanning
3. Netcat - Network Utility.
4. Telnet Client - Network Utility.
5. Putty - Network Utility
6. SNMPWalk - SNMP Scanner
7. User2SID & SID2User - Look up Windows service identifiers.
8. John The Ripper - Unix and NT password Cracker
9. WireShark - Wireshark is a network protocol analyzer for Unix and Windows.
10. Snort - A free lightweight network intrusion detection system for UNIX and Windows.
11. Metasploit - Exploitation Framework
12. Backtrack Live CD - Exploitation framework.
13. Nikto - Network Vulnerability Scanner.
14. BlackWidow - Website Profiling Tool.
15. Wget - Network Utility
16. Paros - HTTP Interceptor.
17. Burp Suite - HTTP Interceptor.
18. Brutus - Brute Force Password Attack
19. WFetch - HTTP Raw Methods Debugging
20. AnEc Cookie Editor (Firefox Plug-in) - Cookie Editor
21. Netstumbler - Detection of Wireless LANs
22. Kismet - 802.11 wireless network detector, sniffer, and intrusion detection system.
23. MYSQL Administration Tool - MYSQL Administration.
24. GoCR Decoder - OCR reader.

Commercial Tools
1. Acunetix - Web Vulnerability Scanning Tool.
2. CodeSecure Code Review Tool
3. Nessus Network Vulnerability Scanner

Proprietary Tools
1. PHP Security Audit Script : This script checks for insecure web configurations.

6. Information Security Audit Methodology : Standard (ITIL, CoBIT 4.1, COCO ERM, ISO27001, NIST 800-30,
ISO27005, CIS Benchmarks, OWASP, OSSTMM)
7. Information Security Audits carried out so far :
Govt. : 4
PSU : 1
Private : 35
Total Nos. of Security Audits : 40
8. Business domains of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail,
Government
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 6 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 1120
No. of Servers : 30
No. of Switches : 10
No. of Routers : 2
No. of Firewalls : 1
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Controlcase India Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : M/s ControlCase India
Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 7
BS7799 / ISO27001 LAs : 4
CISAs : 8
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 20
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 140
Commercial : 3
Proprietary: 1
Total Nos. of Audit Tools : 144

List of Tools used


Freeware:

Nmap
Netcat 0.7.1
Netdiscover
P0f
PSK-Crack
Protos
Finger Google
Firewalk
Fport 2.0 (Windows Executable)
Goog Mail Enum
Google-search
Googrape
Gooscan
Host
InTrace 1.3
Itrace
Maltego 2.0
Metagoofil 1.4
Mbenum 1.5.0 (Windows Executable)
Netenum
Netmask
Nmbscan 1.2.4
Protos
PsTools (Windows Executables)
PStoreView 1.0 (Windows Binary)
QGoogle
Relay Scanner
SMTP-Vrfy
0trace 0.01
DMitry
DNS-Ptr
dnstracer 1.5
dnswalk
dns-bruteforce
dnsenum
dnsmap
DNSPredict
Subdomainer 1.3
TCPtraceroute 1.5beta7
TCtrace
Whoami (Windows Executable)
Network Mapping
Amap 5.2
Angry IP Scanner (ipscan) 3.0-beta3
Autoscan 0.99_R1
Fierce 0.9.9 beta 03/24/07
Fping
Genlist
Hping
IKE-Scan
IKEProbe
ScanLine 1.01 (Windows Executable)
SinFP
XProbe2
Zenmap 4.60
Absinthe
Bed
CIRT Fuzzer
Checkpwd
Cisco Auditing Tool
Cisco Enable Bruteforcer
Cisco Global Exploiter
Cisco OCS Mass Scanner
Cisco Scanner
Cisco Torch
Curl
Fuzzer 1.2
HTTP PUT
Nikto
OpenSSL-Scanner
Paros Proxy
RPCDump
RevHosts
SMB Bruteforcer
SNMP Scanner
SNMP Walk
SQL Inject
SQL Scanner
SQLLibf
SQLbrute
Sidguess
Smb4K
Snmpcheck
Snmp Enum
Spike
Stompy
SuperScan
TNScmd
Taof
VNC_bypauth
Wapiti
Yersinia
sqlanlz
sqldict
sqldumplogins
sqlquery
sqlupload
Metasploit Framework
Milw0rm Archive
Ascend attacker
CDP Spoofer
Cisco Enable Bruteforcer
Crunch Dictgen
DHCPX Flooder
DNSspoof
Driftnet
Dsniff
Etherape
EtterCap
File2Cable
HSRP Spoofer
Hydra
John
Mailsnarf
SMB Sniffer
TFTP-Brute
VNCrack
WebCrack
Wireshark
Wireshark Wifi
HttpTunnel Client
HttpTunnel Server
Privoxy
ProxyTunnel
Rinetd
AFrag
ASLeap
aircrack-ng
Airoscript
Kismet
BTcrack
Bluebugger
Blueprint
Bluesmash
Bluesnarfer
Btscanner
GNU DDD
Hexdump
Hexedit
Commercial:

AppScan
IBM Appscan
Tenable Nessus
eEye Retina

6. Information Security Audit Methodology : Standard (OSSTMM, OWASP, PCI DSS, PA DSS, PCI ASV, FISAP,
HIPAA, TG3 Certification, EI3PA Certification, ISO27001, ITIL, CoBIT, NIST 800-30, ISO27005, CIS
Benchmarks)
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 0
Private : 55
Total Nos. of Information Security Audits done : 55
8. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Retail,
Government, Health, Logistics, Insurance
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications, Mobile
Applications, Payment Applications, Billing Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 30
No. of Servers : 45
No. of Switches : 4
No. of Routers : 1
No. of Firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s CyberQ Consulting Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing
Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : CyberQ Consulting Pvt.
Ltd., New Delhi
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 4
CISAs : 4
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 28
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 44
Commercial : 1
Proprietary: 3
Total Nos. of Information Security Audit Tools : 48

Details of the Information Security Audit Tools


Freeware Tools :
1. Metasploit 3.2 Metasploit provides useful information to people who perform penetration testing,
IDS signature development, and exploit research.
2. Backtrack 3 a Linux distribution, distributed as a Live CD which resulted from the merger of
WHAX and the Auditor Security Collection, which is used for Penetration testing.
3. Sam Spade a Windows software tool designed to assist in tracking down sources of e-mail spam
4. Telnet Can report information about an application or service; i.e., version, platform
5. Tcpdump is a common packet sniffer that runs under the command line
6. Nmap 5.00 powerful tool available for Unix that finds ports and services available via IP
7. Hping2 powerful Unix based tool used to gain important information about a network
8. P0F A versatile passive OS fingerprinting tool
9. Netcat others have quoted this application as the Swiss Army knife of network utilities
10. Ping Available on most every platform and operating system to test for IP connectivity
11. Traceroute maps out the hops of the network to the target device or system
12. Tcptraceroute traceroute implementation using TCP packets
13. Queso can be used for operating system fingerprinting
14. WebInspect Vulnerability Scanner
15. Assuria System Scanner
16. Microsoft baseline analyzer Specific for Microsoft O/S based system
17. Patchlink for assessing patch status
18. nCircle IP360
19. Nikto Web server scanner that tests Web servers for dangerous files/CGIs, outdated server
software and other problems
20. Curl command line tool for transferring files with URL syntax
21. BurpSuite Burp Suite is an integrated platform for attacking web applications
22. Ollydbg debugger that emphasizes binary code analysis, which is useful when source code is not
available
23. SNMP walk To audit SNMP enabled devices
24. Cain & Abel The top password recovery tool for Windows
25. Brutus This Windows-only cracker bangs against network services of remote systems trying to
guess passwords by using a dictionary and permutations thereof
26. LC4 is the award-winning password auditing and recovery application, L0phtCrack.
27. Legion SMB based tool
28. GetAcct shows anonymous login information
29. Pwdump A window password recovery tool
30. AMAP Application mapper to verify the actual services running on the open port
31. Nslookup Available on Unix and Windows Platforms
32. Whois Database Available via any Internet browser client
33. ARIN Available via any Internet browser client
34. Dig Available on most Unix platforms and some web sites via a form
35. Web Based Tools Hundreds if not thousands of sites offer various recon tools
36. Social Engineering People are an organization's greatest asset, as well as their greatest risk
37. Wireshark It can scan wireless and Ethernet data and comes with some robust filtering
capabilities.
38. Network Stumbler a.k.a NetStumbler Windows based tool easily finds wireless signals being
broadcast within range
39. Kismet One of the key functional elements missing from NetStumbler is the ability to display
Wireless Networks that are not broadcasting their SSID.
40. Airsnort very easy to use tool that can be used to sniff and crack WEP keys. While many people
bash the use of WEP, it is certainly better than using nothing at all.
41. AiroPeek / Omnipeek Sniffing & network health checkup tool
42. CowPatty Is used as a brute force tool for cracking WPA-PSK, considered the New WEP for
home Wireless Security.
43. ASLeap If a network is using LEAP, this tool can be used to gather the authentication data that is
being passed across the network, and these sniffed credentials can be cracked. LEAP doesn't
protect the authentication like other real EAP types, which is the main reason why LEAP can be
broken
44. Cheops-ng Cheops-ng is a Network management tool for mapping and monitoring your network.
It has host/network discovery functionality as well as OS detection of hosts
Commercial Tools :
1. Nessus Security Scanner (Professional feed) Professional Vulnerability Scanner

Proprietary Tools :
1. CyberQ vulnerability database
2. Scripts for safe exploitation of vulnerabilities
3. CyberQ checklists

6. Information Security Audit Methodology : CISA, Own (CyberQ Method)
7. Information Security Audits carried out since empanelment till now :
Govt. : 458
PSU : 45
Private : 29
Total Nos. of Information Security Audits : 532
8. Business domain of auditee organisations : PKI, Consultancy, Software Development, Telecom, Financial
Institutions, Government, PSUs, Energy, BPO/KPO, Manufacturing Design.
9. Typical applications in use by auditee organisations : PKI, ERP, Web, Client Server, MIS, Network Security
Audit.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 110
No. of switches : 60
No. of routers : 65
No. of firewalls : 1
No. of IDS' : 0
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Computer Science Corporation India Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Computer Sciences
Corporation India Pvt. Ltd. NOIDA
2. Carrying out Information Security Audits since : 2005
3. Technical manpower deployed for information security audits :
CISSPs : 10
BS7799 / ISO27001 LAs : 10
CISAs : 9
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 31
4. Outsourcing of External Information Security Auditors / Experts : NO
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 7
Commercial : 5
Proprietary: 2
Total Nos. of Audit Tools : 14

Details of the Audit Tools


Freeware
1. Nmap
2. Hydra
3. John the Ripper
4. Cain & Abel
5. Wireshark
6. Ettercap
7. Firewalk

Commercial
1. McAfee Foundstone
2. Cenzic Hailstorm Pro
3. Tenable Nessus Pro
4. Metasploit Pro
5. MetaGeek Chanalyzer Pro

6. Information Security Audit Methodology : Based on ISO 27001
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 0
Private : 5
Total Nos. of Information Security Audits done : 5
8. Business domain of auditee organisations : Visa and Immigration Services, Cloud Computing, BPO,
Software development
9. Typical applications in use by auditee organisations : Web and E-commerce applications, Client server
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 16 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 15000
No. of Servers : 64
No. of Switches : 168
No. of Routers : 8
No. of Firewalls : 8
No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Cyber Security Works Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Cyber Security Works
Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : October 2008
3. Technical manpower deployed for information security audits :
CISSPs: 3
CISAs: 2
DISAs / ISAs: 0
Total Nos. of Technical Personnel: 8
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware: 19
Commercial: 6
Proprietary: 4
Total Nos. of Audit Tools: 29

Details of audit tools


Freeware Tools:
1. NMap
2. Paros Proxy
3. X-Scan
4. Wikto
5. Wire Shark
6. SQL Power Injector
7. Metasploit
8. Tamper Data
9. SNMP Tool
10. Netcat
11. Dump Sec
12. Look[at]Lan
13. Nipper
14. Kismet
15. Airsnort
16. SQLmap
17. Dsniff
18. Scuba
19. DB Audit

Commercial Tools:
1. Webinspect
2. Retina
3. Languard
4. Accunetix
5. Nessus
6. Network Director

Proprietary Tools:
1. WEBSPLOIT™ (Vulnerability Assessment and Penetration Mining Engine)
2. VAPSPLOIT™ (Web Apps Vulnerability Assessment & Penetration Framework)
3. DPT™ (Dynamic Penetration Testing Toolkit)
4. DCAT™ (Digital Crime Analysis Tracking Toolkit)

6. Information Security Audit Methodology : OWASP, ISO27001, COBIT
7. Information Security Audits carried out so far:
Govt.: 6
PSU: 2
Private: 6
Total Nos. of Information Security Audits done: 14
8. Business domain of audited organizations: Banking, Financial, Power and Energy, Government, eGovernance, Media, ISP
9. Typical applications in use by audited organizations: ERP , Web Based, Client-Server
10. Typical bandwidth (maximum) of any audited organizations :
Internal Bandwidth (LAN / Intranet): 1 Gbps
External Bandwidth (WAN / Internet): 140 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network:
No. of Computer Systems: 8000
No. of Servers: 400
No. of Switches: 100
No. of Routers: 60
No. of Firewalls: 1
No. of IDS': 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Deccan Infotech Pvt Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: Deccan Infotech (P) Ltd, Bangalore
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 2
CISAs : 5
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 9
Outsourcing of External IT Security Auditors / Experts : No
4. Security Audit Tools used (owned, in possession) :


Freeware : 26
Commercial : 10
Proprietary: 0
Total Nos. of Audit Tools : 36

Details of the Audit Tools


Freeware
1. NMAP - Scan Network for Specific Information like logical existence of active reconnaissance.
Check for open ports, services. Some of the tools above also act as vulnerability assessment tools,
Patch management and password auditing. Different kinds of scanning techniques may be used
such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
2. Demon dialer - War Dialers
3. Dsniff - Sniffers
4. Snort - Sniffers
5. Ethereal - Sniffers
6. WinDump - Sniffers
7. Etherpeek - Sniffers
8. ARP Spoofing - Sniffers
9. Man-in-the middle SMB/relay / SMB grind - Man in the middle attacks involve positioning
oneself between two systems and actively participating in the connection to gather data
10. AKL - Key Loggers: used to monitor and record keystrokes, keyword detection, screen activity,
all applications, emails, chat clients etc.
11. Hunt - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active
sessions.
12. TTY Watcher - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack
active sessions.
13. T-Sight - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active
sessions.
14. IIS Hack/IIS - Buffer Overflow
15. KOEI.exe / ISAPI DLL - Buffer Overflow
16. IIS exploit - Buffer Overflow
17. IIS Crack - Buffer Overflow
18. IPP Printer Buffer Overflow - Buffer Overflow


19. Web Cracker - Web based password cracking
20. Brutus - Web based password cracking
21. Munga Bunga - Web based password cracking
22. SQL Injection - Attack methodology that targets the data residing in the database through the
firewall that shields it.
23. Trojan maker - Creating Viruses, worms and trojans
24. Sub Seven - Creating Viruses, worms and trojans
25. LOKI - Creating Viruses, worms and trojans
26. 007 shell - Creating Viruses, worms and trojans
Commercial
1. Symantec Net Recon --Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
2. Shadow Security Scanner -- Scan Network for Specific Information like logical existence of
active reconnaissance. Check for open ports, services. Some of the tools above also act as
vulnerability assessment tools, Patch management and password auditing. Different kinds of
scanning techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
3. GFI Languard scanner -- Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
4. Netscan Pro -- Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
5. IP-eye -- Scan Network for Specific Information like logical existence of active reconnaissance.
Check for open ports, services. Some of the tools above also act as vulnerability assessment tools,
Patch management and password auditing. Different kinds of scanning techniques may be used
such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
6. DOS & DDOS -- Involves breaking into several machines all over the internet. Then the attacker
installs software for DDOS like Ping of death, SSPING, SMURF, LAND EXPLOIT, SYN FLOOD, etc. to
launch coordinated attacks on victim's computer
7. LOPHT Crack -- Password crackers Use a combination of dictionary and brute force attacks
commonly used words list.
8. John the Ripper -- Password crackers Use a combination of dictionary and brute force attacks
commonly used words list.
9. Spector Soft -- Key Loggers: used to monitor and record keystrokes, keyword detection, screen
activity, all applications, emails, chat clients etc.
10. E-Blaster -- Key Loggers: used to monitor and record keystrokes, keyword detection, screen
activity, all applications, emails, chat clients etc.

5. Security Audit Methodology : COBIT, BS7799, ISO27001, OWASP, OCTAVE, OSSTMM
6. Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 2
Private : 0
Total Nos. of Security Audits : 2
7. Business domain of auditee organisations : Banking, Shipping, BPO
8. Typical applications in use by auditee organisations : Core Banking, HelpDesk
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 4
No. of Computer Systems : 800
No. of routers : 0
No. of switches : 1
No. of firewalls : 1
No. of IDS' : 1
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Deloitte Touche Tohmatsu India Pvt. Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organization : Deloitte Touche
Tohmatsu India Pvt. Ltd
2. Carrying out Information Security Audits since : 1999
3. Technical manpower deployed for information security audits :
CISSPs : 17
BS7799 / ISO27001 LAs : 24
CISAs : 100
DISAs / ISAs : 100
Total Nos. of Technical Personnel : 290
4. Outsourcing of External Information Security Auditors / Experts: Not Applicable.
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 27
Commercial : 9
Proprietary: 3
Total Nos. of Audit Tools : 39

List of Tools used


Freeware:
Xprobe
Dnssecwalker
Tcpdump/tcpshow
Dsniff
Ettercap
Ethereal
Fping/ Hping
Queso
Nmap
SuperScan
Netwag
Firewalk
Q-Tip
Jack the Ripper
Crack 5.0a
NGS SQLCrack
Hydra
Cain and Abel
Commercial:
AppScan
LC4 (formerly L0phtcrack)
Nessus
Internet Security Scanner
IP-Traf
Firewalk
Iris
WS Ping ProPack
SolarWinds

6. Information Security Audit Methodology : Own : Deloitte Methodology (Please refer Annexure I)
7. Information Security Audits carried out so far :
Govt. : 5+
PSU : 15+
Private : 150+
Total Nos. of Information Security Audits done : 170+
8. Business domain of auditee organizations : Banking & Finance, Information Technology, Third Party
Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.
9. Typical applications in use by auditee organizations: Enterprise Resource Planning (ERPs), Web Services &
Web Applications etc.
10. Typical bandwidth (maximum) of any auditee organizations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : > 70000
No. of Servers : 500
No. of Switches : 100
No. of Routers : 50
No. of Firewalls : 25
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Digital Age Strategies Pvt Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: Digital Age Strategies Pvt. Ltd.,
Bangalore
2. Carrying out Information Security Audits since : March 2004
3. Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 5
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 17
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 11
Commercial : 3
Proprietary: 0
Total Nos. of Audit Tools : 14
Details of the Audit Tools
Freeware
1. Winaudit Ver 2.00 - System & HW Audit
Commercial
1. Idea 2004 - ETL & Data Format
2. Iaudit Net Ver 1.02 - ETL & Data Integrity

6. Security Audit Methodology : CoBIT, OWASP, ISACA, ISO 27001
7. Security Audits carried out since empanelment till now :
Govt. : 167
PSU : 112
Private : 412
Total Nos. of Security Audits : 691
8. Business domain of auditee organisations :
Bank, Stock Exchange, BPO, Government, Financial Sector, Insurance and Manufacturing.
9. Typical applications in use by auditee organisations :
Internet Banking / Core Banking Application Package, TBA Packages, Web Applications, Online Trading
Packages.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 50
No. of Computer Systems : 4030
No. of routers : 443
No. of switches : 485
No. of firewalls : 7
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).


M/s Ernst & Young Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name, Location of the empanelled IT Security Auditing organisation : Ernst & Young Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : January 2001
3. Technical manpower deployed for IT security audits :
CISSPs : 9
BS7799 / ISO27001 LAs : 2
CISAs / CISM : 65
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 145
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 9
Commercial : 8
Proprietary: 9
Total Nos. of Audit Tools : 26

Details of the IT Security Audit Tools


Freeware
1. Nmap - Port scanner
2. Nessus - Vulnerability scanner
3. Nikto - Web server/application vulnerability scanner
4. Ethereal - Protocol analyzer
5. Somersoft - Security configuration, registry entries and access control lists on systems running the
Windows operating system.
Commercial
1. App Detective - Vulnerability assessment and review of security configuration of MySQL, Oracle,
Sybase, IBM DB2, MS SQL Server, Lotus Notes/Domino, Oracle Application Server, Web
Applications.
2. Bv-Control Suite - Security assessment - Microsoft Windows, Active Directory, Microsoft Exchange,
Microsoft SQL Server, UNIX (Sun Solaris, HP-UX, AIX, Red Hat and SUSE Linux), Internet Security,
Check Point Firewall I
3. HP WebInspect - Web Application Security assessment
4. IPLocks VA - Database configuration and vulnerability assessment
5. eEye Retina - Network Security scans and IT infrastructure vulnerability assessment
6. Immunity Canvas - Vulnerability exploitation framework for penetration tests
7. eTrust - Online vulnerability management framework.
8. Bv-Control - Security and segregation of duty review for SAP
Proprietary
1. iNTerrogator - Review of security configuration of systems running the Windows operating system.
2. *nix scripts - A collection of scripts to assess the security configuration including file level ACLs on
*nix systems (SCO OpenServer, Linux, HP-Ux, AIX, Solaris, *BSD).
3. Spider - Web application security assessment
4. FakeOra - Security assessment of 2-tier applications that use Oracle 8i (and above) as RDBMS.
5. S-SAT - A travelling SAP Security tool.
6. Permit - ERP risk assessment and control solution tool.
7. Assessor - Configuration review of Oracle Financials system.
8. WebSmack - Web Application inventory and vulnerability assessment.
9. EY/Mercury - Web based technical work plan generator to perform security configuration review of
IT infrastructure.

6. IT Security Audit Methodology : Beyond Standard
7. IT Security Audits carried out since empanelment till now :
Govt. : 4
PSU : 7
Private : 68
Total Nos. of Security Audits : 79
8. Business domain of auditee organisations : Banking, Financial Services, Software Development, Telecom,
FMCG, Manufacturing.
9. Typical applications in use by auditee organisations : Online Banking Solutions, Stock Trading Platforms,
Online / Mobile Payment Solutions, ERP, CRM, Billing Systems, Corporate Websites.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 150 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of servers : 600
No. of switches : 400
No. of routers : 400
No. of firewalls : 15
No. of IDS' : 24
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Financial Technologies(India)Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Financial
Technologies(India)Ltd, Mumbai
2. Carrying out Information Security Audits since : 2003.
3. Technical manpower deployed for information security audits :
CISSPs / CISMs: 5
BS7799 / ISO27001 LAs : 6
CISAs : 14
DISAs / ISAs : 4
Total Nos. of Technical Personnel : 78
4. Outsourcing of External Information Security Auditors / Experts : NA
Information Security Audit Tools used (owned, in possession) :
Freeware : 15
Commercial : 3
Proprietary: 2
Total Nos. of Audit Tools : 20

Financial Technologies(India)Ltd, Mumbai

List of Tools used


Freeware:
Nmap - Port scanner
netcat - Networking Utility
SNMP Scanner - Router and network management
Metasploit - Penetration testing tool
RAT - Cisco Router configuration analyzing tool
MBSA - Windows Security Assessment
Wireshark - Network Traffic sniffing tool
Wikto - Web application scanner
Johntheripper - Password cracking tool
Acunetix - Web application scanner
Firefox with addons - Source code reviewing tool
DumpSec - Windows Security Assessment
Achilles - Proxy application
Brutus - Password cracking tool
Hping2 - Packet crafting tool
Commercial:
Nessus - Network / OS Vulnerability Assessment tool
HP Web inspect - Web application scanner
Network General's Sniffer with WAN book - Sniffer Portable - Network fault and performance
management tool

5. Information Security Audit Methodology : ISO / IEC 27001:2005, COBiT, PCIDSS, OWASP.
6. Information Security Audits carried out so far :
Govt. : 1
PSU : 0
Private : 25
Total Nos. of Information Security Audits done : 26
7. Business domain of auditee organisations : Banks, Insurance Co.s, Asset Management co.s,
Financial Institutions, Brokerage Firms, Manufacturing, Media, Government, Retail.
8. Typical applications in use by auditee organisations : Multi tier, Client Server, Web Applications,
Databases, SAP, ERP, CRM.
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 gbps
External Bandwidth (WAN / Internet) : 40 mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of Servers : 100
No. of Switches : 40
No. of Routers : 75
No. of Firewalls : 4
No. of IDS' : 2
11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Haribhakti & Co.

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Haribhakti & Co. (CA),
Mumbai
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 3
CISAs : 10
DISAs / ISAs : 6
Total Nos. of Technical Personnel : 21
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 3
Commercial : 3
Proprietary: 0
Total Nos. of Information Security Audit Tools : 6
Details of the Information Security Audit Tools
Freeware Tools
1. Nessus - Vulnerability Assessment
2. NMAP - Port Scanner
3. IP Tools - Network
Commercial Tools
1. App Detective - Database Vulnerability
2. GFI-Languard - Network Vulnerability
3. Acunetix
Proprietary Tools
None
6. Information Security Audit Methodology : COSO & COBIT, ISO 27001, BS 25999
7. Information Security Audits carried out since empanelment till now :
Govt. : 4
PSU : 8
Private : 24
Total Nos. of Security Audits : 26
8. Business domain of auditee organisations : Tax Information Network, Depository, Banking & Financial
Services, Insurance, Call Centres, Regulators
9. Typical applications in use by auditee organisations : Online/Internet Trading, Dealing Room, Depository
Participant Modules, Treasury, CBS, Core Insurance, Bank Call Centre, Electronic Procurement, OLTAS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 300
No. of servers : 20
No. of switches : 10
No. of routers : 300
No. of firewalls : 3
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/S HEXAWARE TECHNOLOGIES LTD

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : M/S HEXAWARE
TECHNOLOGIES LTD
2. Carrying out Information Security Audits since : 2003
3. Technical manpower deployed for information security audits :
CISSPs :
BS7799 / ISO27001 LAs :
CISAs :
DISAs / ISAs :
CEHs :
LPT :
CPTS :
Total Nos. of Technical Personnel :
1
3
4
4
1 (Licensed Penetration Tester)
1 (Certified Penetration Testing Specialist)
25
4. Outsourcing of External Information Security Auditors / Experts : NIL
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 4
Proprietary:
Total Nos. of Audit Tools : 29

Details of the Audit Tools


Freeware:
1. Nmap
2. Nping
3. Ncat
4. Nikto
5. NetStumbler
6. Wireshark
7. W3af
8. Metasploit
9. Paros Proxy
10. BackTrack
11. Tcpdump
12. Sqlmap
13. ScanDNS
14. Grendel
15. DirBuster
16. Brutus
17. Samurai Web Testing Framework
18. Crack
19. Google
20. Whisker
21. CrypTool
22. TCPtraceroute
23. NStalker
24. Snort
25. John the Ripper

Commercial:
1. Acunetix
2. Nessus
3. Saint
4. GFI Languard

6. Information Security Audit Methodology : ISO27001, OWASP
7. Information Security Audits carried out so far :
Govt. :
PSU :
Private :
Total Nos. of Information Security Audits done :
1
25+
26+
8. Business domain of auditee organisations : IT and Process Outsourcing Services
9. Typical applications in use by auditee organisations : Peoplesoft HRMS, Peoplesoft Finance, Microsoft
CRM, Glodyne Whizible Suite, Borland StarTeam, MS Exchange
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 80 mbps
External Bandwidth (WAN / Internet) : 35 mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 5000
No. of Servers : 300
No. of Switches : 300
No. of Routers : 20
No. of Firewalls : 10
No. of IDS / IPS : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s HCL Comnet Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : HCL Comnet Ltd., Noida
2. Carrying out Information Security Audits since : January 2001
3. Technical manpower deployed for information security audits :
CISSPs : 10
BS7799 / ISO27001 LAs : 9
CISAs : 6
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 350
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 21
Commercial : 9
Proprietary: 0
Total Nos. of Audit Tools : 30

Details of the Audit Tools


Freeware
1. Nessus -- Vulnerability Assessment
2. Database Scanner -- Vulnerability Assessment
3. NetRecon -- Vulnerability Assessment
4. Metasploit -- Penetration Testing
5. Underground Script -- Penetration Testing
6. Wax -- Penetration Testing
7. IMP -- Password Crackers for Penetration Testing
8. Pandora -- Password Crackers for Penetration Testing
9. Crack -- Password Crackers for Penetration Testing
10. John the Ripper -- Password Crackers for Penetration Testing
11. Cisco Crack -- Password Crackers for Penetration Testing
12. Nmap -- Port Scanners
13. Super Scan -- Port Scanners
14. Service Scanner -- Port Scanners
15. Cis-Rat -- to perform audit for Cisco Routers and PIX Firewall by assessing configuration files.
16. nslookup -- to perform initial information gathering of the Network.
17. Ping -- to perform initial information gathering of the Network.
18. traceroute -- to perform initial information gathering of the Network.
19. Whois -- to perform initial information gathering of the Network.
20. Finger -- to perform initial information gathering of the Network.
Commercial
1. ISS -- Vulnerability Assessment
2. Qualys Guard -- Vulnerability Assessment
3. Core Impact -- Penetration Testing
4. L0phtCrack -- Password Crackers for Penetration Testing
5. Apps Scan -- Application Assessment
6. Web Inspect -- Web Application Assessment
7. App Detective -- Application and Database Assessment

6. Information Security Audit Methodology : Own
7. Information Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 0
Private : 55
Total Nos. of Security Audits : 55
8. Business domain of auditee organisations : Banking & Finance, SW, Manufacturing & Development, IT &
ITES
9. Typical applications in use by auditee organisations : NA
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 1 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 500
No. of servers : 30
No. of switches : 45
No. of routers : 2
No. of firewalls : 3
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s IBM India Pvt Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : IBM India Pvt Ltd,
Mumbai
2. Carrying out Information Security Audits since : Year 2000
3. Technical manpower deployed for information security audits :
CISSPs : 15
BS7799 / ISO27001 LAs : 30
CISAs : 15
DISAs / ISAs : NA
Total Nos. of Technical Personnel : 400
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 14
Commercial : 6
Proprietary: 5
Total Nos. of Audit Tools : 25
List of Tools used
Freeware:
1. Metasploit: Penetration Testing Framework
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Wireshark - Protocol analyzer
5. MBSA : Windows security assessment
6. Nikto : Web Applications security
7. SNMPWalk : Router and network management
8. CAIN & Able : Traffic sniffing and Password cracking
9. Brutus : Password cracking
10. JohntheRipper : Password cracking
11. W3AF: Application auditing framework
12. Maltego: Intelligence and forensics application.
13. Unicornscan: Port Scanner and Information gathering.
14. Burp: Web proxy tool.
Commercial:
1. Nessus : Network Vulnerability Assessment
2. IBM Appscan : Web Systems & Applications security
3. Retina : Vulnerability Scanner
4. ISS : Vulnerability Scanner
5. Immunity Canvas : Penetration Testing Framework
6. Modulo: GRC Framework
Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment

6. Information Security Audit Methodology : ISO27001, COBIT, ISF (IBM Security framework), OWASP, IBM
Penetration Testing methodology.
7. Information Security Audits carried out so far :
Govt. : 5
PSU : 5
Private : 50
Total Nos. of Information Security Audits done : 60
8. Business domain of auditee organisations : Government, PSU, ITES, Manufacturing, Financial
Services, Banking, Telecom
9. Typical applications in use by auditee organisations : Web Applications, Client Server, Banking, ERP, CRM,
telecom Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps- 1Gbps
External Bandwidth (WAN / Internet) : 2Mbps to 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2500
No. of Servers : 250
No. of Switches : 200
No. of Routers : 80
No. of Firewalls : 15
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s IDBI Intech Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : IDBI Intech Ltd.
2. Carrying out Information Security Audits since : November 2007
3. Technical manpower deployed for information security audits :
CISA : 15
CRISC : 2
CGEIT : 2
CEH : 5
BS25999 : 1
Managed Security Service Professional : 11
BS7799/ISO27001 LA's : 7
Total Nos. of Technical Personnel: 900 +
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 17
Commercial : 2
Proprietary: 1
Total Nos. of Audit Tools: 20 (Details in the Attached File)

Details of the Audit Tools


Freeware
1. Nmap - Port scanning & OS fingerprinting Tool
2. Nessus - Vulnerability Scanning Tool
3. Webscarab - Captures the request & test the parameter manipulation
4. Burp proxy -- Captures the request & test the parameter manipulation
5. Wireshark - Sniffs the data flowing on the network
6. Hydra - Password brute forcing
7. W3af - Application Security Scanner
8. Crowbar-- Password brute forcing
9. Paros -- A web application vulnerability assessment proxy
10. Wapiti - Checks the SQL injection
11. Nikto - Checks the web directory browsing
12. Metasploit - Exploits vulnerabilities exist in the applications
13. OpenVas -- Vulnerability Scanning
14. Grendelscan-- Performs application security testing
15. SQLbrute - Checks the SQL injection vulnerabilities
16. SQLiX -- Checks the SQL injection vulnerabilities
17. Httprint - Webserver fingerprinting
Commercial
ACL Desktop Edition: Auditing Tool for Data Analysis, Data Cleansing and Exception Reporting from ACL Services Ltd.
Proprietary
Customized script to perform the relay check & DNS checks
6. Information Security Audit Methodology : Own; also COBIT, ISO27001, PCI-DSS, OWASP and OSSTMM.
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 9
Private : 7
Total Nos. of Security Audits : 26
8. Business domain of auditee organisations : Banking and Financial services
9. Typical applications in use by auditee organisations :
Finacle CBS, NSIPO, BSE Back office software, ICRA Online MF, Endorser, Crimson logic Stamping,
Snorkel, Transnet, Lidha-Didha and Other In-House developed Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 256 kbps
External Bandwidth (WAN / Internet): 8mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 150
No. of switches : 250
No. of routers : 250
No. of firewalls : 1
No. of IDS : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Indusface Consulting Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Indusface Consulting
Pvt Ltd, Baroda
2. Carrying out Information Security Audits since : July 2004
3. Technical manpower deployed for information security audits :
CISSPs : 8
BS7799 / ISO27001 LAs : 12
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 40
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 40
Commercial : 2
Proprietary: 0
Total Nos. of Audit Tools : 42

Details of the Audit Tools


Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6. Information Security Audit Methodology : ISO27001, COBIT, OWASP, OSSTMM, PCI
7. Information Security Audits carried out since empanelment till now :
Govt. : 250
PSU : 35
Private : 15
Total Nos. of Information Security Audits done : 300
8. Business domain of auditee organisations : Finance, Healthcare, Government, Software / ITES,
Manufacturing, Power (Energy-utilities), Banking
9. Typical applications in use by auditee organisations : Banking, Web 2.0, Billing, PKI, Oracle ERP, VAT,
Document Management System, Content Management System, e-Tender
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 6 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1500
No. of servers : 90
No. of switches : 30
No. of routers : 4
No. of firewalls : 4
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).


M/s Information Systems Auditors & Consultants Pvt Ltd


Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing
Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation: Information Systems
Auditors & Consultants Pvt Ltd, Mumbai
2. Carrying out Information Security Audits since : July 1997
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 1
CISAs : 5
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to other external Information Security Auditors /
Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 6

Details of the Audit Tools


Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In
6. Information Security Audit Methodology : BS7799, COBIT
7. Information Security Audits carried out since empanelment till now :
Govt. : 1
PSU : 2
Private : 13
Total Nos. of Security Audits : 16
8. Business domain of auditee organisations : IT Governance, Banking, Pharma
9. Typical applications in use by auditee organisations : Banking, ERP, web, MIS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 16 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 55
No. of switches : 200
No. of routers : 175
No. of firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s iSec Services Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : iSec Services Pvt Ltd,
Mumbai
2. Carrying out Information Security Audits since : January, 2003
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 8
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 14
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 25

Details of the Audit Tools

Freeware :
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping - TCP ping utility; Dsniff - Passively monitor a network for interesting data (passwords,
e-mail, files, etc.); facilitates the interception of network traffic normally unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. John the Ripper - Password-cracking utility
14. Paros
15. NMAP - The famous port-scanner
16. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
17. Nemesis - Packet injection suite
18. NetCat - Swiss Army-knife, very useful
19. RAT - CISecurity's Router Auditing Tool
20. DSniff - A collection of different purpose sniffers
21. Achilles - An SSL-proxy allowing to change data
22. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
23. Brutus - password cracking for web applications, telnet, etc.
24. WebSleuth - web-app auditing tool
25. Metasploit framework

Commercial :
None
Proprietary :
None
6. Information Security Audit Methodology : OSSTMM, OWASP, COBIT
7. Information Security Audits carried out so far:
Govt. : 0
PSU : 0
Private : 15
Total Nos. of Information Security Audits done : 15
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Software development, Business
process outsourcing
9. Typical applications in use by auditee organisations : Banking and Financial Applications, Trading Software
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 12000
No. of Servers : 150
No. of Switches : 100
No. of Routers : 40
No. of Firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s iViZ Techno Solutions Pvt Ltd


M/s KPMG
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : KPMG, Gurgaon
2. Carrying out Information Security Audits since : September 1996
3. Technical manpower deployed for Information security audits :
CISSPs : 17
BS7799 / ISO27001 LAs : 17
CISAs : 50
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 200
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 12
Proprietary: 7
Total Nos. of Information Security Audit Tools : 38

Details of the Information Security Audit Tools


Freeware Tools :
1. NMAP - Network security
2. NetStumbler - Network security
3. AirSnort - Network security
4. SuperScan - Network security
5. Nikto - Web Systems & Applications security
6. THC - Web Systems & Application security
7. CIS - Local Systems & Applications security
8. As400 - Local Systems & Applications security
9. CAIN - Password cracking
10. Brutus - Password cracking
11. JohntheRipper - Password cracking
12. SNMPWalk - Router and network management
13. SNMP Scanner - Router and network management
14. RIP query - Router and network management
15. RAT - Router and network management
16. DumpSec - Windows security
17. Wireshark - Network sniffing
18. MBSA - Windows security
19. SQL Scan - Database security

Commercial Tools :
1. ISS Internet - Network security
2. Webinspect - Web Systems & Applications security
3. AppScan - Web Systems & Applications security
4. Bindview - Local Systems & Applications security
5. ISS DB - Database Security
6. AppDetective - Database Security
7. Nessus - Network security
8. Power Tech
9. VeloSecure
10. IPLocks - Database Security
11. Qualys Guard
12. Core Impact

Proprietary Tools :
1. *nix Scripts - Security Configuration review of *nix systems
2. Database Scripts - Security Configuration review of databases
3. SAP Security Explorer - Security and Configuration review of SAP
4. CHILLI (V. 1.2.0) - Network Discovery
5. OSCR - Oracle Security Review
6. KPMG Application Quality Assessment Tool
7. AS/400 User Profile Analysis - Security Review

6. Information Security Audit Methodology : Beyond Standard, COBIT, ISO27001
7. Information Security Audits carried out since empanelment till now :
Govt. : 10
PSU : 50
Private : 230
Total Nos. of Security Audits : 290
8. Business domain of auditee organisations : Financial Services, InfoTech, Communication, Entertainment,
Infrastructure, Government, Marketing
9. Typical applications in use by auditee organisations : ERP, Email, Client-Server, Web based, Workflow,
Collaboration
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 20000
No. of servers : 400
No. of switches : 150
No. of routers : 80
No. of firewalls : 30
No. of IDS' : 45
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s K. R. Information Security Solutions


Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : KR Information Security
Solutions
2. Carrying out Information Security Audits since : October, 2008
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 1
CISAs : 1
DISAs / ISAs : None
Total Nos. of Technical Personnel : 4
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 5
Commercial : 5
Proprietary: 0
Total Nos. of Audit Tools : 10
List of Tools used
Freeware:
Nmap/Hping2/Hscan
Metasploit
Backtrack
Nikto/Wikto/paros Proxy
Nipper/ FiregenPIX
Commercial:
CANVAS Exploit Framework.
Acunetix
GFI LANGuard
Nessus
SolarWinds

6. Information Security Audit Methodology : ISO 27001:2005, OWASP, OSSTMM


7. Information Security Audits carried out so far :
Govt. : None
PSU : 1
Private : 5
Total Nos. of Information Security Audits done : 6
8. Business domain of auditee organisations : Shipping , Natural Gas Company , Telecommunication , IT Solution
Company , Steel , Power , Manufacturing/Chemical , Financial Auditing
9. Typical applications in use by auditee organisations : SAP Web Application Server (Netweaver), Web Services,
Database, AIX, Mainframe, Citrix, Telecommunication services, Tally.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 72
No. of Servers : 33
No. of Switches :
No. of Routers :
No. of Firewalls : 1
No. of IDS' :

12. Ability to carry out vulnerability assessment and penetration test : Yes

M/s Locuz Enterprise Solutions Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Locuz Enterprise
Solutions Ltd, Hyderabad
2. Carrying out Information Security Audits since : August 2001
3. Technical manpower deployed for security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 35
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 5
Proprietary: 1
Total Nos. of Audit Tools : 12
Details of the Information Security Auditing Tools
Freeware Tools
1. OSSIM : Network & System Scan + SCM + SIM
2. Nmap : Network Scan
3. AirSnort : Network Scan
4. Ethereal : Sniffing
5. Metasploit : PT
6. Crack

Commercial Tools
1. Locuz/Cisco PSA : Network and all Cisco device scans
2. CA-eTrust SCC : SOC with correlation engine
3. OCTAVE : Risk Management
4. Nessus : Vulnerability Assessments
5. Scan F1 : VA and Firewall Analyzer

Proprietary Tools
1. LITOC : Event correlation, Scan and Remediation

6. Security Audit Methodology : Own
7. Security Audits carried out since empanelment till now :
Govt. : 20
PSU : 2
Private : 15
Total Nos. of Security Audits : 37
8. Business domain of auditee organisations : Software Development, Banking, Manufacturing, eCommerce, e-Governance, Pharmaceuticals

9. Typical applications in use by auditee organisations : ERP, Banking, e-Commerce, Customised applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 2 Mbps
External Bandwidth (WAN / Internet) : 6 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 370
No. of Computer Systems : 1800
No. of routers : 6
No. of switches : 22
No. of firewalls : 4
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Microland Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation : Microland, Bangalore
2. Carrying out Information Security Audits since : December 1998
3. Technical manpower deployed for security audits :
CISSPs : 3
BS7799 / ISO27001 LAs : 6
CISAs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 25
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 12
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 12
Details of the Information Security Audit Tools
Freeware Tools
Vulnerability Assessment and Penetration Testing
1. Nessus : Vulnerability scanner - Port scan / Vulnerability scan / web application security scan
2. Nikto : Web application vulnerability scanner
3. Superscan : Port scanner
4. Dsniff : collection of tools for network auditing and penetration testing
5. Whisker/Libwhisker : CGI vulnerability scanner
6. Network Stumbler : Tool to find open wireless access points
7. SARA : vulnerability assessment tool
8. Achilles : Web application security - proxy
9. Brutus : Password brute forcing tool
10. SPIKE Proxy : HTTP proxy for finding security flaws in web sites
11. Winfingerprint : Win32 Host/Network Enumeration Scanner
12. Auditor : Collection of Tools to conduct security audit.
Footprinting
1. Greenwich
2. Whois
3. Gnetutil : Network Utilities
4. Itrace : ICMP traceroute
5. Tctrace : TCP traceroute
6. Traceroute
7. DNSwalk : DNS verification
8. Dig : DNS lookup
9. Host : DNS lookup
10. NSTXCD : IP over DNS client
11. NSTXD : IP over DNS server
12. Ozyman : DNS tunnel
13. Curl : URL transfer
14. Elinks : Console web browser
15. Konqueror : Web browser
16. Socat : Socket Cat
17. Stunnel : Universal SSL tunnel
18. Arpfetch : SNMP ARP/IP fetcher
19. SNMP Walk : SNMP tree walk
20. TKMib : MIB browser
21. Komba2 : KDE SMB browser
22. LinNeighborhood : Graphical SMB browser
23. Net utils : NET utilities
24. SMBClient : SMB client
25. SMBGet : SMB downloader
26. Smb4K : SMB share browser
27. Xsmbrowser : Graphical SMB browser
28. nmblookup : Netbios name lookup
29. smbdumpusers : User browser
30. smbgetserverinfo : Get server info
31. Cheops : Network neighborhood
32. NTP-fingerprint : Detection based on ntp fingerprint
33. Nmap : Network scanner
34. NmapFE : Graphical network scanner
35. P0f : Passive OS detection
36. Queso : OS detection
37. XProbe2 : OS detection

Scanning
1. Cisco global exploiter : Cisco scanner
2. Cisco torch : Cisco oriented scanner
3. ExploitTree search : ExploitTree collection
4. Metasploit : Metasploit commandline
5. Metasploit : Metasploit console GUI
6. Metasploit : Metasploit web interface
7. Nessus : Security scanner
8. Raccess : Remote scanner
9. Httprint : Webserver fingerprinting
10. Nikto : Webserver scanner
11. Stunnel : Universal SSL tunnel
12. Cheops : Network neighborhood
13. GTK-Knocker : Simple GUI portscanner
14. IKE-Scan : IKE scanner
15. Knocker : Simple portscanner
16. Netenum : Pingsweep
17. Netmask : Request netmask
18. Nmap : Network Scanner
19. NmapFE : Graphical network scanner
20. Proxychains : Proxifier
21. Scanrand : Stateless scanner
22. Timestamp : Requests timestamp
23. Unicornscan : Fast port scanner
24. Isrscan : Source routed packets scanner
25. Amap : Application identification
26. Bed.pl : Application fuzzer
27. SNMP-Fuzzer : SNMP protocol fuzzer
28. ScanSSH : SSH identification
29. Nbtscan : Netbios scanner
30. SMB-Nat : SMB access scanner
31. Ozyman : DNS tunnel
32. Ass : Autonomous system scanner
33. Protos : Protocol identification

Analyzer
1. AIM-SNIFF : AIM sniffer
2. Driftnet : Image sniffer
3. Mailsnarf : Mail sniffer
4. Paros : HTTP interception proxy
5. URLsnarf : URL sniffer
6. smbspy : SMB sniffer
7. Etherape : Network monitor
8. Ethereal : Network analyzer
9. Ettercap : Sniffer/Interceptor/Logger
10. Hunt : Sniffer/Interceptor
11. IPTraf : Traffic monitor
12. Ngrep : Network grep
13. NetSed : Network edit
14. SSLDump : SSLv3/TLS analyzer
15. Sniffit : Sniffer
16. TcPick : Packet stream editor
17. Dsniff : Password sniffer

Spoofing
1. Arpspoof : ARP spoofer
2. Macof : ARP spoofer/generator
3. Nemesis-ARP : ARP packet generator
4. Nemesis-Ethernet : Ethernet packet generator
5. CDP : CDP generator
6. DNSSpoof : DNS spoofer
7. Nemesis-DNS : DNS packet generator
8. DHCPX : DHCP flooder
9. Hping2 : Packet generator
10. ICMPRedirect : ICMP redirect packet generator
11. ICMPUSH : ICMP packet generator
12. Nemesis-ICMP : ICMP packet generator
13. Packit : Traffic inject/modify
14. TcPick : Packet stream editor
15. Yersinia : Layer 2 protocol injector
16. Fragroute : Egress rewrite
17. HSRP : HSRP generator
18. IGRP : IGRP injector
19. IRDP : IRDP generator
20. IRDPresponder : IRDP response generator
21. Nemesis-IGMP : IGMP generator
22. Nemesis-RIP : RIP generator
23. File2Cable : Traffic replay
24. Fragrouter : IDS evasion toolkit
25. Nemesis-IP : IP packet generator
26. Nemesis-TCP : TCP packet generator
27. Nemesis-UDP : UDP traffic generator
28. SendIP : IP packet generator
29. TCPReplay : Traffic replay
30. Etherwake : Generate wake-on-LAN

Bluetooth
1. BTScanner : Bluetooth scanner
2. Bluesnarfer : Bluesnarf attack
3. Ghettotooth : Bluetooth scanner
4. Kandy : Mobile phone tool
5. Obexftp : Obexftp ftp client
6. Phone manager
7. RFComm : Bluetooth serial
8. RedFang : Bluetooth bruteforce
9. USSP-Push : Obex-push
10. Xminicom : Terminal

Wireless
1. apmde.sht : Act as accesspoint
2. Airpwn : Client penetration
3. Hotspotter : Client penetration
4. GpsDrive
5. start-gps-daemon : GPS daemon
6. stop-gps-daemon : GPS daemon
7. ASLeap : LEAP/PPTP cracker
8. Genkeys : Hash generator for ASLeap
9. Airforge
10. File2air : Packet injector
11. Void11
12. Void11-Hopper : Channel hopper
13. Gkismet : Graphical wireless scanner
14. GPSMAP : Wireless mapping
15. KLV : Kismet Log Viewer
16. Kismet : Ncurses wireless scanner
17. Wellenreiter : Graphical wireless scanner
18. 802ether : Dumpfile format convertor
19. airodump : Traffic recorder
20. aircrack : Modern WEP cracker
21. Aireplay : Wireless packet injector
22. Wep-Crack : WEP cracker
23. Wep_Decrypt : Decrypt dump files
24. Airsnort : GUI based WEP cracker
25. ChopChop : Active WEP attack
26. DWEPCrack : WEP cracker
27. Decrypt : Dump file decrypter
28. WEPAttack : Dictionary attack
29. WEPlab : Modern WEP cracker
30. Cowpatty : WPA PSK bruteforcer
31. changemac.sh : MAC address changer


Bruteforce
1. ADMsnmp : SNMP bruteforce
2. Guess-who : SSH bruteforce
3. Hydra : Multi purpose bruteforce
4. K0ldS : LDAP bruteforce
5. Obiwan III : HTTP bruteforce
6. SMB-Nat : SMB access scanner
7. TFTP : bruteforce
8. VNCrack : VNC bruteforce
9. Xhydra : Graphical bruteforcer

Password Cracker
1. BKHive : SAM recovery
2. Fcrackzip : Zip password cracker
3. John : Multi-purpose password cracker
4. Default password list :
5. Nasty : GPG secret key cracker
6. Rainbowcrack : Hash cracker
7. Samdump2 : SAM file dumper
8. Wordlists : Collection of wordlists

Forensics
1. Autopsy : Forensic GUI
2. Recover : Ext2 file recovery
3. Testdisk : Partition scanner
4. Wipe : Securely delete files

Honeypot
1. IMAP
2. POP3
3. Honeyd : Honeypot
4. IISEmulator : Honeypot
5. Tinyhoneypot : Simple honeypot

Commercial Tools

Proprietary Tools

6. Security Audit Methodology : BS7799, OSSTM, Own
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Petro, Banking, Insurance, BPO
9. Typical applications in use by auditee organisations : Core Banking, SAP, Workflow
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 8 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 243
No. of Computer Systems : 6000
No. of routers : 0
No. of switches : 91
No. of firewalls : 4
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s MIEL e-Security Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : MIEL e-Security,
Mumbai
2. Carrying out Information Security Audits since : July 1999
3. Technical manpower deployed for information security audits :
CISSPs : 13
BS7799 / ISO27001 LAs : 25
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 50
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary: 6
Total Nos. of Audit Tools : 27

Details of the Audit Tools


Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
Information Security Audit Methodology : OSSTMM, OWASP, ISO/IEC 27001, COBIT
6. Information Security Audits carried out since empanelment till now :


Govt. : 11
PSU : 15
Private : 110
Total Nos. of Security Audits : 136
7. Business domain of auditee organisations : BFSI, IT/ITES, Manufacturing, Shipping & Logistics, FMCG,
Pharma, PSUs, Aviation, Energy
8. Typical applications in use by auditee organisations : Core Banking, Ticketing, Client-Server, Web Server
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of servers : 15
No. of switches : 75
No. of routers : 75
No. of firewalls : 75
No. of IDS' : 0
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Network Intelligence India Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing
Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation: Network Intelligence India Pvt.
Ltd., Mumbai
2. Carrying out Information Security Audits since : July 2001
3. Technical manpower deployed for Information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 6
CISAs / CISMs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 21
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 3
Proprietary : 2
Total Nos. of Audit Tools : 30
Details of audit tools
Freeware
1. Nmap
2. Nessus
3. Burpsuite
4. Firefox plugins
5. Hydra
6. Paros Proxy
7. Brutus AES
8. Ikescan
9. Ipsecscan
10. Cain & Abel
11. John the Ripper
12. Netstumbler
13. Kismet
14. WEPCrack
15. Nipper
16. RATS
17. Unix shell scripts
18. Grease Monkey
19. Wireshark
20. Wikto/Nikto
21. Netcat
22. Phonesweep
23. MBSA
24. SNMPWalk
25. Ophcrack

Proprietary
AuditPro
AuditPro Enterprise Edition is a proprietary security auditing and compliance tool used by many
organizations and auditors across the world. NII has developed this proprietary technology to help
organizations define assets, policies, and audit systems against these policies. Supported
technologies include Windows (all versions up to 2008), Unix (Sun Solaris, AIX, Linux), Oracle (8i,
9i, 10g and 11g), and SQL Server (2000 and 2005).
Firesec
Firesec is an in-depth security and configuration audit tool for firewalls. It helps review policy
conflicts, unused policy rules, groupable rules and unused configuration objects, and helps
check for PCI DSS compliance. Supported firewalls include Cisco, Netscreen, Cyberguard and
Checkpoint.
Commercial
CodeSecure
CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for
clients to ensure a comprehensive review of web application security.
GFI Languard
GFI Languard Network Security Scanner is one of the most widely used network scanners.
Appscan/Webinspect
On client request, we have experience using these tools on a pay-per-use basis

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001, PCI DSS
7. Information Security Audits carried out so far:
Govt. : 7
PSU : 15
Private : 200
Total Nos. of Security Audits : 222
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government,
FMCG, Healthcare, Retail
9. Typical applications in use by auditee organisations : Web applications, Core banking applications, ERP, CRM,
Telecom-specific applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10-100 Mbps
External Bandwidth (WAN / Internet) : 2-10 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 50000
No. of servers : 500
No. of switches : 7000
No. of routers : 1500
No. of firewalls : 25
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.

M/s Netmagic Solutions Pvt. Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Netmagic Solutions
Pvt. Ltd.
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
CISSP : 1
BS7799 / ISO27001 LA : 2
BS7799 / ISO27001 LI : 3
CISA : 1
CCNA : 65
CCNP : 4
CCIE : 4
CEH : 3
ITIL : 132
PMP : 6
Total Nos. of Technical Personnel : 300
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :


Freeware : 27
Commercial: 2
Proprietary: 1
Total Nos. of Audit Tools : 30
Details of the Audit Tools

Freeware Tools
1. W3af
2. Nmap
3. Firefox with Firecat
4. Owasp CLASP
5. Themis
6. Paros
7. Burp
8. WebScarab
9. Paros
10. Websecurify
11. Owasp CSRF tester
12. SQLiX
13. Nikto
14. Labrat
15. Metasploit
16. Backtrack
17. Cain & Abel
18. Grendel-Scan
19. Kismet
20. Aircrack-NG
21. Ophcrack
22. BeEF
23. CISCO OCS
24. Brutus
25. WFetch
26. NetStumbler
27. OSSEC
Proprietary:
nmcrawler
Commercial:
1. Nessus
2. AppScan (Depending on customer request and engagements)

6. Information Security Audit Methodology: OWASP, OSSTMM, ISO27001, ISO20000, COBIT.
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 5
Private : 100
Total Nos. of Information Security Audits done : 105
8. Business domain of auditee organisations : Manufacturing, IT/ITES, Media & Entertainment (including
online portals), BFSI, Services, PSU, Telecommunications, etc.
9. Typical applications in use by auditee organisations : Web Applications, Web Server Applications,
SAP/CRM, Mobile Applications, Security & Monitoring Apps, Thick-Client Application, Network
Infrastructure Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 400 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 200
No. of Servers : 1400
No. of Switches : 25
No. of Routers : 20
No. of Firewalls : 5
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Network Security Solutions (India) Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Network Security
Solutions (India) Ltd., Noida
2. Carrying out Information Security Audits since : September 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 13
CISAs : 6
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 26
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 29
Commercial : 4
Proprietary: 2
Total Nos. of Audit Tools : 35

Details of the Information Security Audit Tools


Freeware Tools
1. X-Scan
2. Hping
3. W Scanner
4. NMap
5. Metasploit
6. Burp Proxy
7. Solar Winds
8. Winhex
9. Achilles Proxy
10. N-Stealth : Security Scanner
11. Websphinx
12. Rainbow : Password Cracker
13. John the Ripper : Password Cracker
14. Stellar : Data Recovery
15. Easy : Data Recovery
16. Nikto
17. Snort
18. Ethereal
19. Backtrack 3
20. Helix
21. Auditor Pro
22. Ophcrack
23. Nessus
24. Super Scan
25. SATAN
26. Airmon
27. Airodump
28. Aireplay
29. Aircrack
Commercial Tools
1. eEye Retina
2. Shadow : Security Scanner
3. GFI LAN Guard
4. Core Impact

Proprietary Tools
1. Claymore : Vulnerability Scanner
2. Vulnerability Database

6. Information Security Audit Methodology : COBIT, ISACA, BS25999, OSSTM, OWASP, ISO27001, NIST
7. Information Security Audits carried out since empanelment till now :
Govt. : 237
PSU : 3
Private : 107
Total Nos. of Information Security Audits : 347
8. Business domain of auditee organisations : Government, Defence, Electrical Power Generation, BPO / KPO,
Telecom, Manufacturing, Pharma, Banking & Finance
9. Typical applications in use by auditee organisations : Web, ERP, SAP, Finance, Proprietary Security
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 3000
No. of servers : 125
No. of switches : 250
No. of routers : 0
No. of firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s NIIT Technologies Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks,
Bangalore
2. Carrying out Information Security Audits since : May 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20

Details of the Audit Tools


Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6. Information Security Audit Methodology : BS7799, COBIT, SANS
7. Information Security Audits carried out since empanelment till now :
Govt. : 51
PSU : 154
Private : 205
Total Nos. of Security Audits : 410
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, SAP, ERP
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 4 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 100000
No. of servers : 15000
No. of switches : 15000
No. of routers : 14000
No. of firewalls : 24
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Paladion Networks


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks,
Bangalore
2. Carrying out Information Security Audits since : May 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20
Details of the Audit Tools
Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT, SANS
7. Information Security Audits carried out since empanelment till now :
Govt. : 51
PSU : 154
Private : 205
Total Nos. of Security Audits : 410
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, SAP, ERP
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 4 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 100000
No. of servers : 15000
No. of switches : 15000
No. of routers : 14000
No. of firewalls : 24
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).


M/s Persistent Systems Limited


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
13. Name & location of the empanelled Information Security Auditing Organisation : Persistent Systems
Limited, Pune
14. Carrying out Information Security Audits since : 2008
15. Technical manpower deployed for information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 6
CISAs : 4
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 7
16. Outsourcing of External Information Security Auditors / Experts : No
17. Information Security Audit Tools used (owned, in possession) :
Freeware : 11
Commercial : 3
Proprietary: 0
Total Nos. of Audit Tools : 14

Details of the Audit Tools

Freeware:
Paros
Burp Proxy
Webscarab
Nikto
Wikto
Nmap
SoapUI
Netcat
Fiddler
Backtrack4
Nipper
Commercial:
IBM AppScan
Nessus
GFI Languard NSS

18. Information Security Audit Methodology : ISO 27001, COBIT


19. Information Security Audits carried out so far :
Govt. : 0
PSU : 3
Private : 18
Total Nos. of Information Security Audits done : 21
20. Business domain of auditee organisations :
Educational, Biomedical Research, Health Care, Mail & Messaging, SaaS Email Archiving
21. Typical applications in use by auditee organisations :
IIS, Apache, Tomcat, JBoss, ASP.Net, PHP, MySQL, SQL server 2005

22. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 1 Mbps
23. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : NA
No. of Servers : 8
No. of Switches : 2
No. of Routers : 1
No. of Firewalls : 1
No. of IDS' : NA
24. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s PricewaterhouseCoopers Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation :
PricewaterhouseCoopers Pvt. Ltd., Gurgaon
2. Carrying out Information Security Audits since : 1994
3. Technical manpower deployed for information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 20
CISAs / CISMs: 77
DISAs / ISAs : 4
Total Nos. of Technical Personnel : 160
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 7
Proprietary: 5
Total Nos. of Audit Tools : 32
Details of the Information Security Audit Tools
Freeware Tools :
1. Nessus : Network Vulnerability Assessment
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Ethereal : Network traffic sniffing and analysis
5. MBSA : Windows security assessment
6. AirSnort : Wireless Network security
7. Phonesweep : War dialing
8. RIP query : Router security assessment
9. Netcat : Backdoor
10. Nikto : Web Applications security
11. Cain & Abel : Traffic sniffing and Password cracking
12. Brutus : Password cracking
13. John the Ripper : Password cracking
14. SNMPWalk : Router and network management
15. SNMP Scanner : Router and network management
16. DumpSec : Windows security assessment
17. SQL Scan : Database security assessment
18. Absinthe : SQL Injection
19. Acunetix : Web Vulnerability Scanner
20. SiteDigger : Google Hacking

Commercial Tools :
1. Core Impact : Penetration Testing
2. Appscan : Web Systems & Applications security
3. ACL : Audit Command Language
4. Retina : Vulnerability Scanner
5. Languard : Vulnerability Scanner
6. SolarWinds : Network security
7. ISS : Vulnerability Scanner

Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment

6. Information Security Audit Methodology : ISO27001, COBIT, ESAS, ESBM
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 10
Private : 55
Total Nos. of Information Security Audits : 70
8. Business domain of auditee organisations : ITES, Manufacturing, Government, PSU, Financial Services,
Telecom, Networking
9. Typical applications in use by auditee organisations : Client Server, Web Applications, Oracle, Finacle, ERP,
CRM, telecom Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 200
No. of switches : 80
No. of routers : 100
No. of firewalls : 20
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Progressive Infotech Pvt Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Progressive Infotech
(P) Limited, Noida
2. Carrying out Information Security Audits since : 2009
3. Technical manpower deployed for information security audits :
CISSPs : 02
BS7799 / ISO27001 LAs : 02
CISAs :
DISAs / ISAs :
Total Nos. of Technical Personnel : 40+
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 36+
Commercial :
Proprietary:
Total Nos. of Audit Tools : 36+

Details of the Audit Tools


Freeware :
S. No. | Name of the Information Security Audit Tool | Whether freeware, commercial or proprietary | Functions (In brief)
1 | Achilles | Freeware | A tool designed for testing the security of web applications
2 | ADMFtp, ADMSnmp | Freeware | Tools for remote brute-forcing
3 | Brutus | Freeware | A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc.
4 | Crack | Freeware | A password cracker
5 | CrypTool | Freeware | A cryptanalysis utility
6 | Curl | Freeware | Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP
7 | Different network mapping tools | Freeware | Ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools, etc.
8 | Elza | Freeware | A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering
9 | Exploits | Freeware | Publicly available and homemade exploit code for the different vulnerabilities around
10 | FScan | Freeware | A command-line port scanner. Supports TCP and UDP
11 | HPing | Freeware | HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
12 | ISNprober | Freeware | Check an IP address for load-balancing.
13 | ICMPush | Freeware | ICMPush is a tool that sends ICMP packets fully customized from command line

Page 93

14
15

John the Ripper


L0phtcrack

Freeware
Freeware

A password cracker
NTLM/Lanman password auditing and recovery
application (read: cracker)

16

Nessus

Freeware

17

Netcat

Freeware

18
19

NMAP
P0f

Freeware
Freeware

20

Pwdump

Freeware

21

SamSpade

Freeware

22

ScanDNS

Freeware

23

Scripts

Freeware

24

Sing

Freeware

25

SSLProxy, STunne

Freeware

26

Strobe

Freeware

A free, powerful, up-to-date and easy to use


remote security scanner. This tool could be used
when scanning a large range of IP addresses, or to
verify the results of manual work.
The swiss army knife of network tools. A simple
utility which reads and writes data across network
connections, using TCP or UDP protocol
The best known port scanner tool
Passive OS Fingerprinting: A tool that listens on
the network and tries to identify the OS versions
from the information in the packets.
Tools that grab the hashes out of the SAM
database, to use with a brute-forcer like
L0phtcrack or John
Graphical tool that allows to perform different
network queries: ping, nslookup, whois, IP block
whois, dig, traceroute, finger, SMTP VRFY, web
browser keep-alive, DNS zone transfer, SMTP relay
check,etc.
Script that scans a range of IP addresses to find
DNS names
A number of custom developed scripts to test
different security issues
Send ICMP Nasty Garbage. A little tool that sends
ICMP packets fully customized from command line
Tools that allow to run non SSL-aware
tools/programs over SSL.
A command-line port scanner that also performs
banner grabbing

27

Telesweep Secure

Freeware

28
29
30

THC
Freeware
TCPdump
Freeware
UCD-Snmp- (aka NET- Freeware
Snmp)

31

Web Session Editor

Freeware

32
33
34

Webinspect
Webreaper, wget
Whisker

Freeware
Freeware
Freeware

35

Ethereal

Freeware

6.

A commercial wardialer that also does


fingerprinting and brute-forcing.
A freeware wardialer
A packet sniffer
Various tools relating to the Simple Network
Management Protocol including snmpget,
snmpwalk and snmpset
Custom made utility that allows to intercept and
edit HTTP sessions.
CGI scanning, web crawling, etc
Software that mirrors websites to your harddisk
The most famous CGI scanner. has updated the
scanning databases with checks for the latest
vulnerabilities.
GUI for packet sniffing. Can analyse tcpdumpcompatible logs.

Information Security Audit Methodology : Attached

Page 94

7.

Information Security Audits carried out so far :


Govt. : Nil
PSU : Nil
Private : 08
Total Nos. of Information Security Audits done : 08
8. Business domain of auditee organizations : Manufacturing, IT & ITES
9. Typical applications in use by auditee organizations : Email and IM applications, ERP, CRM etc
10. Typical bandwidth (maximum) of any auditee organizations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 01 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 500
No. of Servers : 20
No. of Switches : 50
No. of Routers : 6
No. of Firewalls : 6
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s ProMinds Consulting Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : ProMinds Consulting
Pvt Ltd, Hyderabad
2. Carrying out Information Security Audits since : 2006
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 10
CISAs / CISMs: 2
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 15
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 40
Commercial : 5
Proprietary: 0
Total Nos. of Information Security Audit Tools : 45
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6. Information Security Audit Methodology : Own, COBIT, OCTAVE
7. Information Security Audits carried out so far :
Govt. : 20
PSU : 5
Private : 50
Total Nos. of Security Audits : 75
8. Business domains of auditee organisations : Govt, PSU, Defense, IT, ITES, BPO, Healthcare, Insurance,
Financial Services, Banking, KPO
9. Typical applications in use by auditee organisations : Client-Server, Web Applications, ERP, Database,
Office Applications, Software Development Tools, Testing Tools

10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 500+
No. of Servers : 30
No. of Switches : 15
No. of Routers : 5
No. of Firewalls : 3
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security
Auditing Organisation).

M/s Qadit Systems & Solutions Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Qadit Systems &
Solutions Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : April 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 10
DISAs / ISAs : 7
Total Nos. of Technical Personnel : 17
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 31
Commercial : 0
Proprietary: 5
Total Nos. of Information Security Audit Tools : 36
Details of the IT Security Audit Tools
Freeware Tools
1. Nessus - Vulnerability Assessment Tool
2. Metasploit - Vulnerability Assessment and Penetration Testing Tool
3. Paros Proxy - Vulnerability Assessment Tool
4. Samurai Framework - Vulnerability Assessment Tool
5. Grendel - Vulnerability Assessment Tool
6. Retina Network Security Scanner - Vulnerability Assessment Tool
7. Webinspect - Vulnerability Assessment Tool
8. Burpsuite - Vulnerability Assessment and Penetration Testing Tool
9. Netcat - Vulnerability Assessment and Penetration Testing Tool
10. SAINT - Vulnerability Assessment and Penetration Tool
11. Firecat - Vulnerability Assessment Framework
12. SQLmap - SQL Injection Tool
13. Nmap - Network Auditing Tool
14. Wireshark - Network Auditing Tool
15. Dsniff - Network Auditing Tool
16. Sam Spade - Network Auditing Tool
17. Nipper - Network Auditing Tool
18. Look@Lan - Network Auditing Tool
19. Traceroute - Network Auditing Tool
20. Airsnort - Wireless network penetration testing tools
21. Kismet - Wireless network penetration testing tools
22. Netstumbler - Wireless network penetration testing tools
23. RAT - Risk Assessment Tool
24. MBSA - Security Analysis
25. WebScarab - Web application audit framework
26. W3af - Web application audit framework
27. Nikto - Web server scanner
28. Scuba - Database audit tool
29. DB Audit - Database audit tool
30. L0phtcrack - Password recovery tool
31. Pwdump - Password recovery tool
Commercial Tools
1. SAP User Profile Reviewer : Review user profiles in SAP environment
2. Oracle database Audit Scripts
3. SQL database Audit Scripts
4. ISO 27001 Risk Assessor
5. SAP SOD Analyser
Proprietary Tools
None
6. Information Security Audit Methodology : OSSTM, OWASP, ISACA/ITAF, ISO 27001/27002, COBIT, ISO
25999, SANS, ITIL, OCTAVE, COSO
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 36
Private : 203
Total Nos. of Security Audits : 244
8. Business domain of auditee organisations : Banking, Manufacturing, Telecom, Pharma, Financial Service,
Software Development, e-Governance, Microfinance
9. Typical applications in use by auditee organisations : ATM Switch, SAP, Web, CBS, NMS, ERP, e-Governance,
Web Applications, Payroll, Telecom billing application, Telecom network Monitoring Software,
CRM Applications, Payment Portals
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 4500
No. of servers : 60
No. of switches : 75
No. of routers : 1000
No. of firewalls : 30
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Secure Matrix India Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled IT Security Auditing organisation
1. Name, Location of the empanelled IT Security Auditing organisation : Secure Matrix India Pvt Ltd,
Mumbai
2. Carrying out Information Security Audits since : November 2004
3. Technical manpower deployed for IT security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 15
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 7

Details of the IT Security Audit Tools


Freeware :
1. Nessus : Vulnerability Scanning and Reporting
2. Nmap : Port Scanning and finger printing
3. Sara : Vulnerability Assessment
4. MBSA : Security Analysis
5. Dsniff : Network Auditing
6. Sam Spade : Network Query

Commercial :
1. Core Impact

Proprietary :

6. IT Security Audit Methodology : NA
7. IT Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Stock Broking, BFSI, BPO, Technology, Retail, Manufacturing
9. Typical applications in use by auditee organisations : ERP, Accounting, On-line stock trading, databases,
Proprietary applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : NA bps
External Bandwidth (WAN / Internet) : 64 K bps

11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 60
No. of servers : 4
No. of switches : 6
No. of routers : 0
No. of firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s SecureSynergy Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : SecureSynergy Pvt.
Ltd., Mumbai
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 14
CISAs : 3
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 29
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 35
Commercial : 3
Proprietary: 2
Total Nos. of Audit Tools : 40

Details of the Audit Tools


Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In

6. Information Security Audit Methodology : COBIT, ISO 27001, NIST
7. Information Security Audits carried out since empanelment till now :
Govt. : 11
PSU : 9
Private : 115
Total Nos. of Security Audits : 135
8. Business domain of auditee organisations : IT, ITES, Government, Telecom, Defence, Oil & Gas,
Manufacturing, Pharma
9. Typical applications in use by auditee organisations : ERP, CRM, Web/Middleware/Database, Client-Server
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 54 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 3640
No. of servers : 198
No. of switches : 204
No. of routers : 15
No. of firewalls : 4
No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s SecurEyes Techno Services Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno
Services Pvt. Ltd., Bangalore
2. Carrying out Information Security Audits since : January 2005
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 0
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 84
Commercial : 0
Proprietary: 14
Total Nos. of Audit Tools : 98

Details of the Audit Tools
Freeware :
1. Nessus : Vulnerability scanner used for penetration testing
2. Nmap : Port Scanner
3. Metasploit framework : Vulnerability scanner
4. Hping2 : OS finger printing tool, also used for fire walking
5. Ring : Passive OS finger printing tool
6. Nmap-cronos : Passive OS finger printing tool
7. P0f : Passive OS finger printing tool
8. Smtpscan : Mail server profiling tool
9. Sprint : OS detection tool
10. Xprobe : OS detection tool
11. Fire and Water : Web Server discovery tool
12. Ethereal : Sniffer used for capturing and analysing traffic in a penetration test
13. AirSnort : Wireless network penetration testing tools.
14. Kismet : Wireless network penetration testing tools.
15. NetStumbler : Wireless network penetration testing tools.
16. WEPCrack : Wireless network penetration testing tools.
17. Achilles : Web application penetration testing tool
18. Spike Proxy : Automatic Vulnerability scanner for web applications.
19. Odysseus : Web application audit tool
20. Paros : Web application proxy, web application security vulnerability scanner.
21. WinHex : Physical Memory editor used for penetration testing of applications
22. Netcat : Network penetration testing tool.

Proprietary :
1. Windows-VA script : In house developed script used for vulnerability assessment of Windows
operating system.
2. Linux-VA script : In house developed script used for vulnerability assessment of Linux operating
system.
3. Solaris-VA script : In house developed script used for vulnerability assessment of Solaris operating
system.
4. AIX-VA script : In house developed script used for vulnerability assessment of AIX operating
system.
5. Router-VA script : In house developed script used for vulnerability assessment of Routers.
6. Switch-VA script : In house developed script used for vulnerability assessment of Switch.
7. WSDigger : Web Services profiling and attack tool.
8. Cookie Digger : Web application audit tool which helps in calculating the strength of cookies and
session IDs.
9. Code Scoping tool : Code security audit tool
10. Validator.NET : Web application audit tool for applications built using .NET technology
11. HACME Bank : Web Application audit trainer application

6. Information Security Audit Methodology : OSSTM, SANS, OWASP, Own
7. Information Security Audits carried out since empanelment till now :
Govt. : 150
PSU : 5
Private : 15
Total Nos. of Security Audits : 170
8. Business domain of auditee organisations : Banking & Finance, Government, Telecom, IT, SW Dev,
Property Trading, Finance
9. Typical applications in use by auditee organisations : Internet Banking, HR Management, Payroll, Business
Workflow, Finance, Insurance
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 2 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of servers : 100
No. of switches : 300
No. of routers : 100
No. of firewalls : 10
No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
M/s Security Brigade
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Security Brigade; Head
Office: Ranchi - India; Branch Offices: Mumbai - India, Pisa - Italy; Partner/Sales Offices:
Bengaluru - India, Chennai - India, Hyderabad - India, Pune - India, New Delhi - India, Kolkata
- India, Houston - US, Toronto - Canada, Lagos - Nigeria, Doha - Qatar, London - UK.
2. Carrying out Information Security Audits since : June 2006
3. Technical manpower deployed for Information security audits :
BS7799 / ISO27001 LAs : 1
ECSAs : 1
LPTs : 1
CEHs : 2
CCNAs : 4
Total Nos. of Technical Personnel : 7
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 1000+
Commercial : 2
Proprietary: 15
Total Nos. of Audit Tools : 1017+

Details of the Audit Tools


Proprietary Tools
1. sdFinder - Identifies internal hosts on non-contiguous IP ranges. It allows us to detect sensitive
information about our clients' commercial, intranet and extranet networks.
2. webDiscovery - Identifies as many applications as possible on Client web-servers. The applications
discovered through webDiscovery allow us to provide a superior web application security testing
service than competitive services and products. It allows us to increase the scope of the audit and
cover more areas that could be attacked by malicious users; that would not be covered by a
traditional audit.
3. networkMapper - Network Mapper uses proprietary technology to be able to identify alternative
network routes to bypass security mechanisms such as IDS/IPS/Firewall etc. It allows our experts
to bypass existing security implementations and gain direct access to the systems behind them.
4. webTester - Security Brigade's in-house developed application utilizes our Benchmark
Development System to ensure that we can identify maximum vulnerabilities in applications
through automated mechanisms. Along with flaws that are known, it uses in-house research to
test for vulnerabilities that are not in the public domain. It allows us to automate the process of
identifying and testing known and unknown vulnerabilities in web-applications and strike a
cost-effective time to effort ratio.
5. VA Framework - Security Brigade's in-house developed framework is an integrated solution
developed by our security experts that have an expertise in the vulnerability assessment domain.
It allows us to integrate the manual and automated testing processes with commercial and
open-source software. Our Integrated Reporting Engine allows us to cross-reference information from all
the different components and generate a report based on our Clients' requirements.
6. PT Framework - Security Brigade's in-house developed framework is an integrated solution
developed by our security experts that have an expertise in the penetration testing domain. It
allows us to integrate the manual and automated testing processes with commercial and
open-source software. Our Integrated Reporting Engine allows us to cross-reference information from all
the different components and generate a report based on our Clients' requirements.
7. webSpider - Security Brigade's in-house developed application uses advanced HTML, Java Script,
Ajax, Flash and XML parsing engines to identify and map as much of the client applications as
possible. This not only assists our automated webTester engine, but also assists in carrying out
the manual testing process in an efficient manner. It allows us to attain a cost-effective balance
between thorough testing and time required.
8. sapScan - Security and Configuration Assistant for SAP Security Audits.
9. riskReview - General Risk Assessment Tool.
10. erpInterrogate - ERP Security and Configuration Assessment and Control Tool.
11. Windows Batch Scripts - Windows batch scripts to automate routine server hardening functions
and processes.
12. Linux Bash Scripts - Linux Bash scripts to automate routine server hardening functions and
processes.
13. Oracle Security Assessment Scripts - Oracle Security Assessment Scripts to automate routine
hardening functions and processes.
14. MSSQL Security Assessment Scripts - MSSQL Security Assessment Scripts to automate routine
hardening functions and processes.
15. Internal Vulnerability Database - Automated vulnerability database that is updated every 15
minutes from over 100 public and 20 private feeds.

Commercial Tools
1. Nessus - Premier vulnerability assessment tool with more than 20,000 plugins.
2. GFI LANguard - commercial network security scanner for Windows.

Freeware Tools
1. Wireshark - is an open-source network protocol analyzer for Unix and Windows.
2. Netcat - is a simple utility that reads and writes data across TCP or UDP network connections.
3. Metasploit Framework - is an extensible model through which payloads, encoders, no-op
generators, and exploits can be integrated.
4. Hping 2 - is a utility that sends custom ICMP, UDP, or TCP packets and then displays any replies.
5. Kismet - is a console based 802.11 layer2 wireless network detector, sniffer and intrusion
detection system.
6. Tcpdump - is an IP sniffer.
7. Cain and Abel - is a windows-only password recovery tool that can recover passwords by sniffing,
cracking, recording VoIP conversations, decoding scrambled passwords, revealing password boxes,
etc.
8. John the Ripper - is a fast password cracker.
9. Ettercap - is a terminal-based network/sniffer/interceptor/logger for ethernet LANs.
10. Nikto - is an open-source web-server scanner which performs comprehensive tests against web
servers for several thousand vulnerabilities.
11. THC Hydra - is a fast network authentication cracker.
12. Paros Proxy - java based web proxy for assessing web-application vulnerability.
13. Dsniff - is a powerful network auditing and penetration-testing tool.
14. NetStumbler - is a windows based 802.11 sniffer.
15. THC Amap - is an application fingerprint scanner.
16. Aircrack - is a suite of tools for 802.11a/b/g WEP and WPA cracking.
17. Superscan - is a windows-only port scanner, pinger and resolver.
18. Scapy - is an interactive packet manipulation tool.
19. BackTrack - is a penetration testing live linux distribution.
20. p0f - is a versatile passive OS fingerprinting tool.
21. WebScarab - a framework for analyzing applications that communicate using the HTTP and HTTPS
protocols.
22. Thousands of other open-source tools - We have an internal categorized archive of over 10,000
tools. We utilize these on an on-need basis for specific specialized purposes during engagements.
List can be provided in directory-listing format if required.

6. Information Security Audit Methodology : In-house Developed Hybrid Methodology based on BS7799,
ISO17799, ISO27001, OWASP Testing Guide and OSSTM.
7. Information Security Audits carried out so far:
Govt: 50+
PSU: 10+
Private: 100+
8. Business domain of auditee organisations : Banking & Finance, IT/ITES, Telecom, Manufacturing,
Logistics, Insurance, Retail, Government etc.
9. Typical applications in use by auditee organisations : Corporate Websites, Core Banking, Insurance Portal,
Loan & Treasury Management, Online Trading, Backoffice, CTCL, Accounting, Operations Management,
Billing
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 8,000
No. of servers : 300
No. of switches : 40
No. of routers : 5
No. of firewalls : 3
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Sify Technologies Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: Sify, New Delhi
2. Carrying out Information Security Audits since : NA
3. Technical manpower deployed for security audits :
CISSPs : 7
BS7799 / ISO27001 LAs : 14
CISAs : 26
DISAs / ISAs : 16
Total Nos. of Technical Personnel : 63
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 30
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 30
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Security Audit Methodology : COBIT, SAS70, BS7799
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Software Dev., BPO, Manuf, Govt.
9. Typical applications in use by auditee organisations : MS Exchange,Web server, SQL Server, Oracle, IIS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 512 K bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 27
No. of Computer Systems : 165
No. of routers : 0
No. of switches : 2
No. of firewalls : 1
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Simos Computer Systems Pvt Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: SIMOS COMPUTER SYSTEMS PRIVATE
LIMITED, Chennai
2. Carrying out Information Security Audits since : 2007
3. Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 1
CISAs : 2
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 20+
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 21+
Details of the Audit Tools
Freeware : Nmap, OpenVAS, Metasploit, Wikto, Cain & Abel, Netstumbler, Backtrack etc.
Commercial : Burpsuite Professional
6. Security Audit Methodology : ISO27001, COBIT, OWASP, SOGP, OSSTMM
7. Security Audits carried out since empanelment till now :
Govt. : 1
PSU : NA
Private : 15
Total Nos. of Security Audits : 16
8. Business domain of auditee organisations : Banking, Software Dev., BPO, Manuf, Govt.
9. Typical applications in use by auditee organisations : Windows Server, MS Exchange, Linux, Apache, IIS, PHP,
ASP, ASP.NET, MSSQL, MySQL, Oracle
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 1 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 30
No. of Computer Systems : 500+
No. of routers : 10
No. of switches : 20
No. of firewalls : 5
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).


M/s SISA Information Security Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing
Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : SISA Information
Security (P) Ltd., Bangalore
2. Carrying out Information Security Audits since : September 2002
3. Technical manpower deployed for information security audits :
CISSPs : 4
BS7799 / ISO27001 LAs : 3
CISAs : 9
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 3
Proprietary: 1
Total Nos. of Audit Tools : 29
Details of the Audit Tools
Freeware :
1. Nessus : Network Scanner
2. N Map : Network Scanner
3. MB Password Cracker : Password Cracker
4. Ethereal : Sniffer
5. WS_Ping Propack : Ping sweeps (Network Scanning)
6. Snort : Ping sweeps (Network Scanning)
7. user2sid and sid2user : Enumeration tools
8. Ping of Death/SMURF : DOS
9. SQLSmack : Hacking Tools

Commercial :
1. ISS Network Scanner : Network Scanner
2. GFI Languard : Network Scanner
3. Legion : Password Guessing Tool

6. Information Security Audit Methodology : SISA Proprietary
7. Information Security Audits carried out since empanelment till now :
Govt. : 1
PSU : 5
Private : 99
Total Nos. of Security Audits : 105
8. Business domain of auditee organisations : Information Technology, Banking, IT services, Manufacturing,
Business Process Outsourcing, Telecom
9. Typical applications in use by auditee organisations : Banking Applications, Financial Applications, Mobile
Applications, Web Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10 Mbps
External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of servers : 25
No. of switches : 50
No. of routers : 30
No. of firewalls : 16
No. of IDS' : 16
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Spectrum IT Solution


Snapshot of skills and competence of the CERT-In Empanelled IT Security Auditing Organisation
1. Name, Location of the Empanelled IT Security Auditing Organisation : Spectrum Networks Solutions
Pvt Ltd, Noida
2. Carrying out IT Security Audits since : May 2004
3. Technical manpower deployed for IT security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 5
CISAs / CISMs: 3
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 24
4. Outsourcing of IT Security Auditing Work to External IT Security Auditors / Experts : Yes
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 36
Commercial : 4
Proprietary: 2
Total Nos. of Audit Tools : 42

Details of the Information Security Audit Tools


Freeware Tools
1. Achilles - A tool designed for testing the security of web applications
2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
3. Brutus - A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4. Crack - A password cracker
5. CrypTool - A cryptanalysis utility
6. Curl - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS,
GOPHER, TELNET, DICT, FILE and LDAP
7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools
etc
8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of
penetration testing and information gathering
9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
10. FScan - A command-line port scanner. Supports TCP and UDP
11. Fragrouter - Utility that allows to fragment packets in funny ways
12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP,
UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features.
13. ISNprober - Check an IP address for load-balancing.
14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
15. John The Ripper - A password cracker
16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could be
used when scanning a large range of IP addresses, or to verify the results of manual work.
18. Netcat - The swiss army knife of network tools. A simple utility which reads and writes data across
network connections, using TCP or UDP protocol
19. NMAP - The best known port scanner around.


20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS
versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like
L0phtcrack or John
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup,
whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone
transfer, SMTP relay check,etc.
23. ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from
command line
26. SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management Protocol
including snmpget, snmpwalk and snmpset.
33. Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for the
latest vulnerabilities.
Commercial Tools

Proprietary Tools
6. Information Security Audit Methodology : OWASP, ISO27001, COBIT, ITIL
7. Information Security Audits carried out since empanelment till now :
Govt. : 80
PSU : 25
Private : 95
Total Nos. of Security Audits : 200
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Government, IT/ITES,
Software Development
9. Typical applications in use by auditee organisations : Banking and Financial Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 16 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN Infrastructure details of an organizations audited with most complex network :
No. of Servers : 45
No. of Computers : 1500
No. of Routers : 10
No. of Switches : 300
No. of Firewalls : 4
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes


Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.

STQC Directorate
Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation : STQC IT Services, New Delhi
2. Carrying out Information Security Audits since : NA
3. Technical manpower deployed for security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 12
CISAs : 0
DISAs / ISAs : 9
Total Nos. of Technical Personnel : 12
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 23
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 23

Details of the IT Security Audit Tools


Freeware Tools :
Information yet to be provided to CERT-In
Commercial Tools :
Information yet to be provided to CERT-In
Proprietary Tools :
Information yet to be provided to CERT-In

6. Security Audit Methodology : OSSTMM
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Mfg, software Services, BPO, Telecom, Govt.
9. Typical applications in use by auditee organisations : SAP, Oracle
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : NA bps
External Bandwidth (WAN / Internet) : NA bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 36
No. of Computer Systems : 500
No. of routers : 0
No. of switches : 68


No. of firewalls : 6
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Suma Soft Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Suma Soft Pvt Ltd
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
CISSPs :
BS7799 / ISO27001 LAs : 3
CISAs : 5
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 35
Commercial : 2
Proprietary: 0
Total Nos. of Audit Tools : 37

Details of the Audit Tools


Freeware:
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping - TCP ping utility; Dsniff - Passively monitor a network for interesting data
(passwords, e-mail, files, etc.); facilitates the interception of network traffic normally
unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. Tools from FoundStone - Variety of free security-tools
14. SQL Tools - MS SQL related tools
15. John the Ripper - Password-cracking utility
16. ITS4 - Scan C/C++ source-code for vulnerabilities
17. Paros
18. NMAP - The famous port-scanner
19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
20. Nemesis - Packet injection suite
21. NetCat - Swiss Army-knife, very useful
22. RAT - CISecurity's Router Auditing Tool
23. DSniff - A collection of different purpose sniffers
24. Achilles - An SSL-proxy allowing to change data
25. Whitehats - Snort IDS-signatures & other resources
26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
27. Brutus - password cracking for web applications, telnet, etc.
28. WebSleuth - web-app auditing tool
29. Mieliekoek - SQL Injection tool, use with HTTrack
30. NT Toolbox - Resources & tools for NT; [at]Stake Tools - Tools provided by [at]-Stake
31. TSCrack - Wordlist-based Terminal Server login-cracker; L0phtcrack - NT-password
cracking utility
32. HTTPrint - detect web server and version
33. Web proxy - web application testing
34. Web server vulnerability assessment tool

Commercial Tools
1. Nexpose - Vulnerability Scanners
2. Burp Suite, Acunetix - Web application auditing

6. Information Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT, OSSTM, OWASP
7. Information Security Audits carried out so far :
Govt. : 1
PSU : 1
Private : 25
Total Nos. of Information Security Audits done : 26

8. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development
9. Typical applications in use by auditee organisations : Client-Server, Web based MIS, Oracle, Web Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 GBPS
External Bandwidth (WAN / Internet) : 12 MBPS
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 350
No. of Servers : 50
No. of Switches : 25
No. of Routers : 2
No. of Firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Sumeru Software Solutions Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Sumeru Software
Solutions Pvt Ltd, Bangalore
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs / CISMs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 10
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 61
Commercial : 4
Proprietary: 0
Total Nos. of Information Security Audit Tools : 65
Details of the Information Security Audit Tools
Freeware Tools
1. Nmap / Superscan
2. WireShark
3. Paros Proxy
4. Metasploit Framework
5. Kismet / NetStumbler / Aircrack
6. Nikto / Wikto
7. BackTrack
8. WebScarab

Commercial Tools
1. Nessus
2. WebInspect
3. MegaPing
4. Retina

Proprietary Tools
None

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO27001, BS 25999
7. Information Security Audits carried out so far :
Govt. : 7
PSU : 0
Private : 101
Total Nos. of Security Audits : 108
8. Business domains of auditee organisations: Manufacturing, Hospitality, Media, Defence, BSFI, IT/ITES,
Publishers, Human resources, Insurance, Government.
9. Typical applications in use by auditee organisations : e-Commerce Portals, Job Portals, News Portals,
Public Forum, Pay Roll Applications, Intranet Applications, Webmail, Insurance web portal.
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4500
No. of Servers : 70
No. of Switches : 300
No. of Routers : 2
No. of Firewalls : 135
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Sysman Computers Pvt Ltd


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name and location of the empanelled Information Security Auditing Organisation : Sysman Computers
Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 1991
3. Technical manpower deployed for security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 7
CISAs : 12
DISAs / ISAs : 6
Total Nos. of Technical Personnel : 30
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 28
Commercial : 5
Proprietary: 0
Total Nos. of Audit Tools : 33
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : COBIT, ISO 27001
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 55
Private : 100
Total Nos. of Security Audits : 160
8. Business domain of auditee organisations : Banking, BPO, Manufacturing, Healthcare, Government
9. Typical applications in use by auditee organisations : Banking, Accounting, Data Processing, Call Centre,
Healthcare, Travel, Education
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1500
No. of servers : 25
No. of switches : 55
No. of routers : 8
No. of firewalls : 2
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Tata Consultancy Services Ltd


Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing
Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation: Tata Consultancy
Services Ltd, Mumbai
2. Carrying out Information Security Audits since : 2001
3. Technical manpower deployed for information security audits :
CISSPs : 25
BS7799 / ISO27001 LAs : 60
CISAs : 15
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 232
4. Outsourcing of Information Security Auditing Work to external Information Security Auditors / Experts :
No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 5
Commercial : 2
Proprietary: 2
Total Nos. of Audit Tools : 9
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None

6. Information Security Audit Methodology : Own
7. Information Security Audits carried out since empanelment till now :
Govt. : 6
PSU : 4
Private : 12
Total Nos. of Security Audits : 22
8. Business domain of auditee organisations : Banking, Stock Exchange, Power, Manufacturing, Government.
9. Typical applications in use by auditee organisations : Core Banking, stock broking, power management,
Telecom, Governance.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 2 Mbps
External Bandwidth (WAN / Internet) : 5 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 200
No. of servers : 100
No. of switches : 50
No. of routers : 50
No. of firewalls : 50
No. of IDS' : 20
12. Ability to carry out vulnerability assessment and penetration test : Yes


Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Tech Mahindra Ltd


Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name, Location of the empanelled IT Security auditing organisation : Tech Mahindra Ltd, Noida
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for security audits :
CISSPs : 14
BS7799 / ISO27001 LAs : 56
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 97
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 2
Commercial : 1
Proprietary: 1
Total Nos. of Audit Tools : 4
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None

6. IT Security Audit Methodology : ISO 27001/BS7799
7. IT Security Audits carried out since empanelment till now :
Govt. : 1
PSU : 0
Private : 34
Total Nos. of Security Audits : 35
8. Business domain of auditee organisations : Automobiles, Retailing, Pharma, Telecom, BPO, Finance
9. Typical applications in use by auditee organisations : SAP, Web Applications, CRM, Service Assurance,
Service Fulfilment, COTS Products
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 60
No. of switches : 100
No. of routers : 25
No. of firewalls : 20
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).


M/s Technologics & Control


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Technologics and Controls,
New Delhi, India
2. Carrying out Information Security Audits since : December 2002
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 1
CISAs / CISMs: 4
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed):
Freeware : 10
Commercial : 3
Proprietary: 0
Total Nos. of Information Security Audit Tools : 13
Details of the Information Security Audit Tools
Freeware Tools

Brutus,Superscan
Nessus Vulnerability Scanner
Belarc Advisor
Metasploit Framework 3
Mozilla Firefox Extension AnEC Cookie Editor v0.2.1.3
Wireshark
HTTP Editor
Tenable Nessus
Mozilla Firefox Extension Hack Bar
WebScarab

Commercial Tools

Meycor Cobit suite


IBM Rational AppScan v7.7
Acunetix Web Vulnerability Scanner v6.5

Proprietary Tools None


6. Information Security Audit Methodology : OSSTM, OWASP, ISO27001, COBIT, Audit ICQ
7. Information Security Audits carried out so far :
Govt. : 2


PSU : 0
Private : 45
Total Nos. of Security Audits : 47
8. Business domains of auditee organisations : Banking, Insurance, Services, ITES, Finance, Stock traders, UN,
Manufacturing, Defence, NGO, Government
9. Typical applications in use by auditee organisations : ERP (SAP, MFGPro, Ingenium, others), HR and Payroll,
Document Imaging, Banking (CBS / TBA), Web and E-commerce Applications
10. Bandwidth available with an auditee organisation having most complex network:
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : upto 16 MBPS
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4000
No. of Servers : 190
No. of Switches : 400
No. of Routers : 150
No. of Firewalls : 4
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Y
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.

M/s Torrid Networks Pvt. Ltd.


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing
Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : M/s Torrid Networks
Pvt. Ltd.
2. Carrying out Information Security Audits since : 2006
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 2
CISAs : 1
DISAs / ISAs :
Total Nos. of Technical Personnel : 35
4. Outsourcing of External Information Security Auditors / Experts : None
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 7
Proprietary: 12
Total Nos. of Audit Tools : 39
Details of the Audit Tools
Freeware:
nmap
Nessus
Metasploit
Nikto
Burp
Paros
WebScarab
SQL injector
Ollydbg
WireShark
Cain & Abel
BackTrack Distro
Commercial:
AppScan
Acunetix
CoreImpact
Nexpose
CodeSecure
Fortify
Qualys

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001
7. Information Security Audits carried out so far :
Govt. : 3
PSU : 3
Private : 54
Total Nos. of Information Security Audits done : 60

8. Business domain of auditee organisations : BFSI, Telecom, BPO, IT/ITES, Manufacturing, Engineering
9. Typical applications in use by auditee organisations : HRMS, CRM, Exchange, Billing, ERP, Intranet, Payroll
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 5 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of Servers : 500
No. of Switches : 250
No. of Routers : 25
No. of Firewalls : 18
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.

M/s TVSNet Technologies Ltd


Snapshot of skills and competence of CERT-In Empanelled Information Security Auditor
1. Name, Location of the empanelled Information Security Auditing organisation : TVSNet Technologies
Ltd, Chennai
2. Carrying out Information Security Audits since : January 2000
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 3
CISAs/CISMs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 21
Details of the Information Security Audit Tools
Freeware :
1. Smartwhois: To perform initial information gathering of the network
2. SPIKE Proxy: is a full featured HTTP and HTTPS proxy built with Python
3. WebGoat: This is used to investigate common server-side application flaws
4. Nikto : Web Systems & Application Security
5. Paros proxy : A web application vulnerability assessment proxy
6. Burp suite: An integrated platform for attacking web applications
7. Nessus : Network Security
8. Nmap: Network Security
9. Whois: To perform initial information gathering of the network
10. SolarWinds : Used for Penetration Testing
11. Ethereal: Network Sniffing
12. Shadow security scanner: Web server Vulnerability Scanning
13. TamperIE: Proxy tool
14. Brutus: Password Cracker
15. Visual Trace Route : To perform initial information gathering of the network
16. Neo Trace Route : To perform initial information gathering of the network

Commercial :
1. Acunetix Web Vulnerability Scanner: Acunetix WVS automatically checks web applications for
vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on
authentication pages.

6. Information Security Audit Methodology : OSSTMM, OWASP, ISO 27001
7. Information Security Audits carried out since empanelment till now :
Govt. : 9
PSU : 7
Private : 25
Total Nos. of Security Audits : 41


8. Business domain of auditee organisations : Government, Banking, Telecom, Manufacturing, ITES


9. Typical applications in use by auditee organisations : Web Applications, ERP, Email
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 180
No. of Computer Systems : 3000
No. of routers : 25
No. of switches : 20
No. of firewalls : 5
No. of IDS' : 7
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).

M/s Verizon Business


Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Verizon Business,
Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 74
BS7799 / ISO27001 LAs : 15
CISAs : 35
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 500+
4. Outsourcing of External Information Security Auditors / Experts : Not Applicable
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 43
Commercial : 6
Proprietary: 8
Total Nos. of Audit Tools : 57

Details of the Audit Tools


Freeware:
1. Netcat
2. Ethereal
3. TCPdump
4. SSLdump
5. Brutus
6. Dig
7. Nmap
8. VisualRoute
9. Fscan
10. Cain & Abel
11. Firewalk
12. DumpACL
13. DumpEvt
14. DumpReg
15. DumpSec
16. Enum
17. Paros
18. WebSleuth
19. WebProxy
20. Nikto
21. Achilles
22. Cerberus
23. DDosPing
24. Brutus
25. John the Ripper
26. Absinthe
27. Metasploit
28. SNMP Walker
29. SQL Squirrel
30. Black Widow
31. Ettercap
32. Rainbowcrack
33. IISCat
34. IISHack
35. PipeUpAdmin
36. Pwdump2
37. GFI LanGuard
38. HFNetChk
39. ConfigDefence
40. UnixRecon
41. Titan
42. AppSecInc
43. VoIP Hopper
Commercial:
1. nCircle
2. Nessus Professional Feed
3. Ounce / IBM AppScan
4. WebInspect
5. Core Impact
6. Canvas

6. Information Security Audit Methodology : Verizon Business Proprietary
7. Information Security Audits carried out so far :
Govt. : 10
PSU : 4
Private : 150+
Total Nos. of Information Security Audits done : 164+

8. Business domain of auditee organisations : Banking & Finance, Information Technology, Government
Establishments, Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences &
Healthcare.
9. Typical applications in use by auditee organisations : Enterprise Resource Planning (ERPs), Online Banking
Solutions, Online Payment Solutions, CRM, Billing Systems, Corporate Websites, Web Services & Web
Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : >50000
No. of Servers : >350
No. of Switches : 200
No. of Routers : 80
No. of Firewalls : 40
No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).


M/s VISTA InfoSec Pvt. Ltd.


Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : VISTA InfoSec Pvt.
Ltd., Mumbai 400058.
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 4
BS7799 / ISO27001 LAs : 5
CISAs : 5
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 16
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 47
Commercial : 4
Proprietary : 3
Total Nos. of Audit Tools : 54

Details of the Audit Tools


Freeware:
1. Port Scanners - AngryIPScanner, SuperScan, NetScanTools, Unicornscan, Nmap, THCAmap, ike-scan.
2. Web Browser Addons - NoScript, Tamper Data, Firebug, etc.
3. Password Crackers - Aircrack, Cain & Abel, John the Ripper, THC Hydra, ophcrack,
Medusa, fgdump, L0phtCrack, solarwinds, RainbowCrack, Wfuzz, Brutus.
4. Encryption Tools - Stunnel, OpenVPN, Tor, OpenSSL, GnuPG/PGP, OpenSSH/Putty/SSH.
5. Debuggers - IDA Pro, OllyDbg, WinDbg.
6. Forensics - Maltego, Helix, The Sleuth Kit, Encase.
7. Fuzzers - w3af, skipfish, Wapiti.
8. General Purpose - Netcat, cURL, Socat, Firefox, Google, Perl/Python/Ruby.
9. Packet Crafters - Netcat, Hping, Scapy, Yersinia, Nemesis, Socat.
10. Rootkit Detectors - Sysinternals, Tripwire, Dumpsec, AIDE.
11. Security Distros - BackTrack, Helix, Samurai Web Testing Framework, Knoppix, SELinux
12. Sniffers - Wireshark, Cain & Abel, tcpdump, kismet, Ettercap, Netstumbler, dsniff, Ntop,
Ngrep, P0f, inSSIDer, KisMAC.
13. Exploitation Tools - Metasploit Framework, w3af, Core Impact, sqlmap, SET, sqlninja,
BeEF, dradis, WebGoat, Burp Suite, ExploitPack.
14. Vulnerability Scanners - Nessus, OpenVAS, GFI Languard, MBSA, Nipper, SAINT,
NeXpose.
15. Web Proxy - Paros Proxy, Fiddler, sslstrip, ratproxy.
16. Web Scanners - Burp Suite, Nikto, w3af, Acunetix, Netsparker, Wikto, DirBuster,
Arachni.
17. Wireless Tools - Aircrack, Kismet, NetStumbler, inSSIDer, KisMAC.
18. Anti-Malware - MalwareBytes, ClamAV Signatures Toolkit, VirusTotal.

Commercial:
1. Rapid7 NeXpose
2. Rapid7 Metasploit
3. Tenable Nessus
4. IBM AppScan


6. Information Security Audit Methodology : ISO27001/ISO20000/BS25999/ISO18028/SANS/OWASP/OSSTM/CIS/CHECK/NIST/RBI
7. Information Security Audits carried out so far :
Govt. : 10
PSU : 17
Private : 161
Total Nos. of Information Security Audits done : 188

8. Business domain of auditee organisations : Banks, Insurance, Financial services, BPO, Software
development, Pharma, Manufacturing, Entertainment, Realty, Retail, Governance, Power and Petrochem.
9. Typical applications in use by auditee organisations : Core Banking, SAP, ERP, CRM, Internet Banking,
Time Management, Peoplesoft, Payment Gateway applications, Oracle, Financial Applications, Mobile
applications, SCADA Applications, etc.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000
External Bandwidth (WAN / Internet) : 2mb + 2mb
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 8000
No. of Servers : 250
No. of Switches : 400
No. of Routers : 35
No. of Firewalls : 35
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security
Auditing Organisation).


M/s Wipro Ltd


Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name, Location of the Empanelled Information Security Auditing organisation : Wipro Ltd., Gurgaon
2. Carrying out Information Security Audits since : October 2000
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 1
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 55
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 42
Commercial : 12
Proprietary: 1
Total Nos. of Audit Tools : 55
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : NA
7. Information Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Oil, Pharma, Manufacturing
9. Typical applications in use by auditee organisations : NA
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : NA bps
External Bandwidth (WAN / Internet) : NA bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 5
No. of Computer Systems : 8
No. of routers : 0
No. of switches : 1
No. of firewalls : 1
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
