Professional Documents
Culture Documents
Emprog
Emprog
Page 1
e-mail : ashish[at]aksitservices.co.in
Mobile : 9811943669
4. M/s Appin Software Security Pvt Ltd
9th Floor, Agarwal Metro Heights,
Netaji Subhash Palace,
Pitampura, New Delhi-110034
Website URL : http://security.appinonline.com
Telephone : 011-64736970/71
Fax : 011-26581024
Contact Person : Mr. Rajat Khare, Director
e-mail : appin.security[at]appinmail.com
Mobile : 09212149267
5. M/s Auditime Information Systems (India) Pvt Ltd
A-504, Kailash Esplanade,
LBS Marg, Ghatkopar (West),
Mumbai 400086.
Website URL : http://www.auditimeindia.com
Telephone : 022-25006875
Fax: 022-25006876
Contact Person : Mr. Chetan Maheshwari, Director
e-mail : csm[at]auditimeindia.com
Page 2
Page 3
Page 4
Fax : +912267099066
Contact Person : Mr. Parag Ajmera, Head
Page 5
e-mail : pjeffery[at]in[dot]ibm[dot]com
Mobile : +91-9892502342
Page 6
Page 7
Page 8
Goregaon East.
Website URL : http://www.netmagiasolutions.com
Telephone : +91 -22 - 40099099
Fax : +91 22 6785 1501
Contact Person : Mr. Yadavendra Awasthi, Chief Information Security Officer (CISO)
e-mail : yadu@netmagicsolutions.com
Mobile : + 91 - 9820 2425 84
Page 9
Page 10
Page 11
Chennai 600018.
Website URL : http://www.simosindia.com
Telephone : 044-42110302
Fax : 044-42109436
Contact Person : Mr. Balamurugan R, Director
e-mail : rbm[at]simosindia.com
Mobile : 9884306004
Page 12
Telephone: +91-20-40130400
Fax: +91-20-25438108
Contact Person: C Manivannan
e-mail: mani[at]sumasoft.com
Mobile: +91-9371011855
Page 13
Page 14
Page 15
4.
Name & location of the empanelled Information Security Auditing Organisation : 3i Infotech Ltd, Navi
Mumbai
Carrying out Information Security Audits since : December 2000
Technical manpower deployed for informationsecurity audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 7
CISAs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 40
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 100
Commercial : 0
Proprietary: 1
Total Nos. of Audit Tools : 101
Details of the Audit Tools
Freeware
1. Nessus - Remote security scanner
2. Snort - Network intrusion prevention and detection system
3. Netcat - A simple Unix utility which reads and writes data across network connections, using
TCP or UDP protocol
Commercial
1. Retina - Retina's function is to scan all the hosts on a network and report on any vulnerability
found.
5.
6.
Page 16
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
Back
M/s AAA Technologies Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Security Auditor
1.
2.
3.
4.
5.
Name, Location of the Empanelled Security Auditing organisation : AAA Technologies Pvt. Ltd.,
Mumbai
Carrying out Information Security Audits since : 2000
Technical manpower deployed for security audits :
CISSPs : 3
BS7799 / ISO27001 LAs : 5
CISAs : 9
DISAs / ISAs : 3
Total Nos. of Technical Personnel : 20
Outsourcing of External IT Security Auditors / Experts : No
Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary: 1
Total Nos. of Audit Tools : 20
Nessus
Whisker
HUNT - TCP/IP protocol vulnerability exploiter, packet injector
DOMTOOLS - DNS-interrogation tools
SARA - Vulnerability scanner
RAT
Nikto - This tool scans for web-application vulnerabilities
Snort - IDS
Firewalk - Traceroute-like ACL & network inspection/mapping
Hping TCP ping utilitiy Dsniff - Passively monitor a network for interesting data (passwords, email, files, etc.). facilitate the interception of network traffic normally unavailable to an attacker
HTTrack - Website Copier
Chkrootkit - Rootkit discovery tool
Tools from FoundStone - Variety of free security-tools
SQL Tools - MS SQL related tools
John the Ripper - Password-cracking utility
ITS4 - Scan C/C++ source-code for vulnerabilities
Paros
NMAP - The famous port-scanner
Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
Nemesis - Packet injection suite
NetCat - Swiss Army-knife, very useful
RAT CISecuritys Router Auditing Tool
Page 17
AAA - Used for Finger Printing and identifying open ports, services and misconfiguration
6.
7.
Page 18
Commercial Tools
1.
2.
Proprietary Tools
1. ISA Log Analyzer
5.
6.
7.
8.
Information Security Audit Methodology : OSSTM, OWASP, ISO 27001, ISO 25999, CoBIT
Information Security Audits carried out since empanelment till now :
Govt. : 650
PSU
: 50
Private : 40
Total Nos. of Security Audits : 740
Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development,
Manufacturing, Defence
Typical applications in use by auditee organisations : Payment Gateway, PKI-based, Client-Server, Web
Based, MIS, Oracle ERP, NMS Web Applications
Page 19
9.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 20
4.
5.
Name & location of the empanelled Information Security Auditing Organisation : Appin Software
Security Pvt. Ltd., Delhi
Carrying out Information Security Audits since : September 2005
Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 7
CISAs / CISMs: 0
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 30
Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 11
Commercial : 7
Proprietary: 2
Total Nos. of Information Security Audit Tools : 20
Details of the Information Security Audit Tools
Freeware Tools
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Nessus
Nmap
Retina
SQL Injector
SQL Ninja
Backtrack
Wikto
Web Server Auditor
NS Auditor
Kismet
Ethereal
Commercial Tools
1.
2.
3.
4.
5.
6.
7.
GFI languard
SSS
Accunetix
Core Impact
Appscan
Webinspect
QualysGuard
Proprietary Tools
1.
2.
Appin Guard
Appin Runner
Page 21
6.
Information Security Audit Methodology : OSSTM, OWASP, BS7799, ISO27001, ISO25999, CoBIT, SANS,
APPSEC
7. Information Security Audits carried out so far :
Govt. : 70
PSU : 8
Private : 50
Total Nos. of Security Audits : 128
8. Business domains of auditee organisations : Telecom, BPO, Manufacturing, Defence, Media, Infrastructure,
IT/ITES, Banking, Financial SW, Government, Education, Travel
9. Typical applications in use by auditee organisations : CBS, Oracle ERP, NMS, SAP, Peoplesoft, e-Gov.,
Mobile & Web Applications
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4000
No. of Servers : 300
No. of Switches : 200
No. of Routers : 200
No. of Firewalls : 20
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 22
4.
Name, Location of the empanelled Information Security Auditing Organisation : AUDITime Information
Systems (I) Pvt. Ltd., Mumbai
Carrying out Information Security Audits since : September 2000
Technical manpower deployed for Information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs : 10
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 64
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 36
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 36
Details of the Audit Tools
Freeware Tools
1. Achilles - A tool designed for testing the security of web applications
2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
3. Brutus- An Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4. Crack - A password cracker
5. CrypTool - A cryptanalysis utility
6. cURL - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS,
GOPHER, TELNET, DICT, FILE and LDAP
7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools
etc
8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of
penetration testing and information gathering
9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
10. FScan - A command-line port scanner. Supports TCP and UDP
11. Fragrouter - Utility that allows to fragment packets in funny ways
12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP,
UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features.
13 .ISNprober - Check an IP address for load-balancing.
14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
15. John The Ripper - A password cracker
16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could
be used when scanning a large range of IP addresses, or to verify the results of manual work.
18.Netcat - The swiss army knife of network tools. A simple utility which reads and writes data
across network connections, using TCP or UDP protocol
19. NMAP - The best known port scanner around.
20.p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS
versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like
L0phtcrack or John
Page 23
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup,
whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone
transfer, SMTP relay check,etc.
23.ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from
command line
26.SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28.Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management
Protocol including snmpget, snmpwalk and snmpset.
33.Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for
the latest vulnerabilities.
Commercial Tools None
Proprietary Tools None
5.
6.
Page 24
2.
3.
4.
Outsourcing of External Information Security Auditors / Experts : DNV for ISO 27001 certification
5.
6.
Information Security Audit Methodology : Discovery (Scanning & probing), Exploitation & Analysis
(Penetrate Perimeter, Attack Resources) , Reporting (Assessment Report & Recommendations)
7.
8.
9.
Typical applications in use by auditee organizations : SAP, Oracle Financials, Finacale etc
Page 25
4.
5.
Name & location of the empanelled Information Security Auditing Organisation : Aujas Networks Pvt
Ltd, Bangalore
Carrying out Information Security Audits since : February 2008
Technical manpower deployed for information security audits :
CISSPs : 7
BS7799 / ISO17799 / ISO27001 LAs : 10
CISAs / CISMs: 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 30
Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 24
Commercial : 3
Proprietary: 1
Total Nos. of Information Security Audit Tools : 28
Commercial Tools
1.
Page 26
2.
3.
Proprietary Tools
1.
6.
7.
8.
9.
10.
11.
12.
PHP Security Audit Script : This script checks for insecure web configurations.
Information Security Audit Methodology : Standard (ITIL, CoBIT 4.1, COCO ERM, ISO27001, NIST 800-30,
ISO27005, CIS Benchmarks, OWASP, OSSTM)
Information Security Audits carried out so far :
Govt. : 4
PSU : 1
Private : 35
Total Nos. of Security Audits : 40
Business domains of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail,
Government
Typical applications in use by auditee organisations : Web, Banking & Financial Applications
Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 6 Mbps
LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 1120
No. of Servers : 30
No. of Switches : 10
No. of Routers : 2
No. of Firewalls : 1
No. of IDS' : 1
Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 27
Name & location of the empanelled Information Security Auditing Organisation : M/s ControlCase India
Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 7
BS7799 / ISO27001 LAs : 4
CISAs : 8
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 20
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 140
Commercial : 3
Proprietary: 1
Total Nos. of Audit Tools : 144
Nmap
Netcat 0.7.1
Netdiscover
P0f
PSK-Crack
Protos
Finger Google
Firewalk
Fport 2.0 (Windows Executable)
Goog Mail Enum
Google-search
Googrape
Gooscan
Host
InTrace 1.3
Itrace
Maltego 2.0
Metagoofil 1.4
Mbenum 1.5.0 (Windows Executable)
Netenum
Netmask
Nmbscan 1.2.4
Protos
PsTools (Windows Executables)
PStoreView 1.0 (Windows Binary)
QGoogle
Relay Scanner
SMTP-Vrfy
Page 28
0trace 0.01
DMitry
DNS-Ptr
dnstracer 1.5
dnswalk
dns-bruteforce
dnsenum
dnsmap
DNSPredict
Subdomainer 1.3
TCPtraceroute 1.5beta7
TCtrace
Whoami (Windows Executable)
Network Mapping
Amap 5.2
Angry IP Scanner (ipscan) 3.0-beta3
Autoscan 0.99_R1
Fierce 0.9.9 beta 03/24/07
Fping
Genlist
Hping
IKE-Scan
IKEProbe
ScanLine 1.01 (Windows Executable)
SinFP
XProbe2
Zenmap 4.60
Absinthe
Bed
CIRT Fuzzer
Checkpwd
Cisco Auditing Tool
Cisco Enable Bruteforcer
Cisco Global Exploiter
Cisco OCS Mass Scanner
Cisco Scanner
Cisco Torch
Curl
Fuzzer 1.2
HTTP PUT
Nikto
OpenSSL-Scanner
Paros Proxy
RPCDump
RevHosts
SMB Bruteforcer
SNMP Scanner
SNMP Walk
SQL Inject
SQL Scanner
SQLLibf
SQLbrute
Sidguess
Smb4K
Page 29
Snmpcheck
Snmp Enum
Spike
Stompy
SuperScan
TNScmd
Taof
VNC_bypauth
Wapiti
Yersinia
sqlanlz
sqldict
sqldumplogins
sqlquery
sqlupload
Metasploit Framework
Milw0rm Archive
Ascend attacker
CDP Spoofer
Cisco Enable Bruteforcer
Crunch Dictgen
DHCPX Flooder
DNSspoof
Driftnet
Dsniff
Etherape
EtterCap
File2Cable
HSRP Spoofer
Hydra
John
Mailsnarf
SMB Sniffer
TFTP-Brute
VNCrack
WebCrack
Wireshark
Wireshark Wifi
HttpTunnel Client
HttpTunnel Server
Privoxy
ProxyTunnel
Rinetd
AFrag
ASLeap
aircrack-ng
Airoscript
Kismet
BTcrack
Bluebugger
Blueprint
Bluesmash
Bluesnarfer
Btscanner
Page 30
GNU DDD
Hexdump
Hexedit
Commercial:
AppScan
IBM Appscan
Teanable Nessus
eEye Retina
6.
Information Security Audit Methodology : Standard (OSSTM, OWASP, PCI DSS, PA DSS, PCI ASV, FISAP,
HIPPA, TG3 Certification, EI3PA Certification, ISO27001, ITIL, CoBIT, NIST 800-30, ISO27005, CIS
Benchmarks)
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 0
Private : 55
Total Nos. of Information Security Audits done : 55
8. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Retail,
Government, Health, Logistics, Insurance
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications, Mobile
Applications, Payment Applications, Billing Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 30
No. of Servers : 45
No. of Switches : 4
No. of Routers : 1
No. of Firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 31
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : CyberQ Consulting Pvt.
Ltd., New Delhi
Carrying out Information Security Audits since : 2002
Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 4
CISAs : 4
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 28
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 44
Commercial : 1
Proprietary: 3
Total Nos. of Information Security Audit Tools : 48
Metaspolit 3.2 Metasploit provides useful information to people who perform penetration testing,
IDS signature development, and exploit research.
Backtrack 3 a Linux distribution, distributed as a Live CD which resulted from the merger of
WHAX and the Auditor Security Collection, which is used for Penetration testing.
Sam Spade a Windows software tool designed to assist in tracking down sources of e-mail spam
Telnet Can report information about an application or service; i.e., version, platform
Tcpdump is a common packet sniffer that runs under the command line
Nmap 5.00 powerful tool available for Unix that finds ports and services available via IP
Hping2 powerful Unix based tool used to gain important information about a network
P0F A versatile passive OS fingerprinting tool
Netcat others have quoted this application as the Swiss Army knife of network utilities
Ping Available on most every platform and operating system to test for IP connectivity
Traceroute maps out the hops of the network to the target device or system
Tcptraceroute traceroute implementation using TCP packets
Queso can be used for operating system fingerprinting
WebInspect Vulnerability Scanner
Assuria System Scanner
Microsoft baseline analyzer Specific for Microsoft O/S based system
Patchlink for assessing patch status
nCircle IP360
Nikto Web server scanner that tests Web servers for dangerous files/CGIs, outdated server
software and other problems
Curl command line tool for transferring files with URL syntax
BurpSuite Burp Suite is an integrated platform for attacking web applications
Ollydbg debugger that emphasizes binary code analysis, which is useful when source code is not
available
SNMP walk To audit SNMP enabled devices
Page 32
24. Cain & Able The top password recovery tool for Windows
25. Brutus This Windows-only cracker bangs against network services of remote systems trying to
guess passwords by using a dictionary and permutations thereof
26. LC4 is the award-winning password auditing and recovery application, L0phtCrack.
27. Legion SMB based tool
28. GetAcct shows anonymous login information
29. Pwdump A window password recovery tool
30. AMAP Application mapper to verify the actual services running on the open port
31. Nslookup Available on Unix and Windows Platforms
32. Whois Database Available via any Internet browser client
33. ARIN Available via any Internet browser client
34. Dig Available on most Unix platforms and some web sites via a form
35. Web Based Tools Hundreds if not thousands of sites offer various recon tools
36. Social Engineering People are an organizations greatest asset, as well as their greatest risk
37. Wireshark It can scan wireless and Ethernet data and comes with some robust filtering
capabilities.
38. Network Stumbler a.k.a NetStumbler Windows based tool easily finds wireless signals being
broadcast within range
39. Kismet One of the key functional elements missing from NetStumbler is the ability to display
Wireless Networks that are not broadcasting their SSID.
40. Airsnort very easy to use tool that can be used to sniff and crack WEP keys. While many people
bash the use of WEP, it is certainly better than using nothing at all.
41. AiroPeek / Omnipeek Sniffing & network health checkuptool
42. CowPatty Is used as a brute force tool for cracking WPA-PSK, considered the New WEP for
home Wireless Security.
43. ASLeap If a network is using LEAP, this tool can be used to gather the authentication data that is
being passed across the network, and these sniffed credentials can be cracked. LEAP doesnt
protect the authentication like other real EAP types, which is the main reason why LEAP can be
broken
44. Cheops-ng Cheops-ng is a Network management tool for mapping and monitoring your network.
It has host/network discovery functionality as well as OS detection of hosts
Commercial Tools :
1.
Proprietary Tools :
1.
2.
3.
6.
7.
8.
Page 33
9.
Typical applications in use by auditee organisations : PKI, ERP, Web, Client Server, MIS, Network Security
Audit.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 110
No. of switches : 60
No. of routers : 65
No. of firewalls : 1
No. of IDS' : 0
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 34
Name & location of the empanelled Information Security Auditing Organisation : Computer Sciences
Corporation India Pvt. Ltd. NOIDA
2.
3.
4.
5.
Nmap
Hydra
John the Ripper
Cain & Abel
Wireshark
Ettercap
Firewalk
Commercial
1.
2.
3.
4.
5.
McAfee Foundstone
Cenzic Hailstorm Pro
Tenable Nessus Pro
Metasploit Pro
MetaGeek Chanalyzer Pro
6.
7.
8.
Business domain of auditee organisations : Visa and Immigration Services, Cloud Computing, BPO,
Software development
9.
Typical applications in use by auditee organisations : Web and E-commerce applications, Client server
Page 35
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 36
4.
5.
Name & location of the empanelled Information Security Auditing Organisation : Cyber Security Works
Pvt. Ltd., Chennai
Carrying out Information Security Audits since : October 2008
Technical manpower deployed for informationsecurity audits :
CISSPs: 3
CISAs: 2
DISAs / ISAs: 0
Total Nos. of Technical Personnel: 8
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware: 19
Commercial: 6
Proprietary: 4
Total Nos. of Audit Tools: 29
Commercial Tools:
1. Webinspect
2. Retina
3. Languard
4. Accunetix
5. Nessus
6. Network Director
Page 37
Proprietary Tools:
1. WEBSPLOITTM (Vulnerability Assessment and Penetration Mining Engine)
2. VAPSPLOITTM (Web Apps Vulnerability Assessment & Penetration Framework)
3. DPTTM (Dynamic Penetration Testing Toolkit)
4. DCATTM (Digital Crime Analysis Tracking Toolkit)
6.
7.
Page 38
4.
Name, Location of the Empanelled Security Auditing organisation: Deccan Infotech (P) Ltd, Bangalore
Carrying out Information Security Audits since : July 1998
Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 2
CISAs : 5
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 9
Outsourcing of External IT Security Auditors / Experts : No
Page 39
Page 40
5.
6.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 41
4.
5.
Name & location of the empanelled Information Security Auditing Organization : Deloitte Touche
Tohmatsu India Pvt. Ltd
Carrying out Information Security Audits since : 1999
Technical manpower deployed for information security audits :
CISSPs : 17
BS7799 / ISO27001 LAs : 24
CISAs : 100
DISAs / ISAs : 100
Total Nos. of Technical Personnel : 290
Outsourcing of External Information Security Auditors / Experts: Not Applicable.
Information Security Audit Tools used (owned, in possession) :
Freeware : 27
Commercial : 9
Proprietary: 3
Total Nos. of Audit Tools : 39
Page 42
6.
7.
Information Security Audit Methodology : Own : Deloitte Methodology (Please refer Annexure I)
Information Security Audits carried out so far :
Govt. : 5+
PSU : 15+
Private : 150+
Total Nos. of Information Security Audits done : 170+
8. Business domain of auditee organizations : Banking & Finance, Information Technology, Third Party
Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.
9. Typical applications in use by auditee organizations: Enterprise Resource Planning (ERPs), Web Services &
Web Applications etc.
10. Typical bandwidth (maximum) of any auditee organizations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : > 70000
No. of Servers : 500
No. of Switches : 100
No. of Routers : 50
No. of Firewalls : 25
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 43
4.
5.
Name, Location of the Empanelled Security Auditing organisation: Digital Age Stratergies Pvt. Ltd.,
Bangalore
Carrying out Information Security Audits since : March 2004
Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 5
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 17
Outsourcing of External IT Security Auditors / Experts : No
Security Audit Tools used (owned, in possession) :
Freeware : 11
Commercial : 3
Proprietary: 0
Total Nos. of Audit Tools : 14
Details of the Audit Tools
Freeware
1. Winaudit Ver 2.00 - System & HW Audit
Commercial
1. Idea 2004 - ETL & Data Format
2. Iaudit Net Ver 1.02 - ETL & Data Integrity
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
Page 44
BACK
Page 45
4.
5.
Name, Location of the empanelled IT Security Auditing organisation : Ernst & Young Pvt. Ltd., Chennai
Carrying out Information Security Audits since : January 2001
Technical manpower deployed for IT security audits :
CISSPs : 9
BS7799 / ISO27001 LAs : 2
CISAs / CISM : 65
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 145
Outsourcing of External IT Security Auditors / Experts : No
IT Security Audit Tools used (owned, in possession) :
Freeware : 9
Commercial : 8
Proprietary: 9
Total Nos. of Audit Tools : 26
App Detective - Vulnerability assessment and review of security configuration of MySQL, Oracle,
Sybase, IBM DB2, MS SWQL Server, Lotus Notes/Domino, Oracle Application Server, Web
Applications.
2. Bv-Control Suite - Security assessment -Microsoft Windows, Active Directory, Microsoft Exchange,
Microsoft SQL Server, UNIX (Sun Solaris, HP-UX, AIX, Red Hat and SUSe Linux), Internet Security,
Check Point Firewall I
3. HP WebInspect - Web Application Security assessment
4. IPLocks VA - Database configuration and vulnerability assessment
5. eEye Retina - Network Security scans and IT infrastructure vulnerability assessment
6. Immunity Canvas - Vulnerability exploitation framework for penetration tests
7. eTrust - Online vulnerability management framework.
8. Bv-Control - Security and segregation of duty review for SAP
Proprietary
1.
2.
3.
4.
iNTerrogator - Review of security configuration of systems running the windows operating system.
*nix scripts - A collection of scripts to assess the security configuration including file level ACLs on
*nix systems (SCO OpenServer, Linux, HP-Ux, AIX, Solaris, *BSD).
Spider - Web application security assessment
FakeOra - Security assessment of 2-tier applications that use Oracle 8i (and above) as RDBMS.
Page 46
5.
6.
7.
8.
9.
6.
7.
Page 47
4.
Name & location of the empanelled Information Security Auditing Organisation : Financial
Technologies(India)Ltd, Mumbai
Carrying out Information Security Audits since : 2003.
Technical manpower deployed for information security audits :
CISSPs / CISMs: 5
BS7799 / ISO27001 LAs : 6
CISAs : 14
DISAs / ISAs : 4
Total Nos. of Technical Personnel : 78
Outsourcing of External Information Security Auditors / Experts : NA
Information Security Audit Tools used (owned, in possession) :
Freeware : 15
Commercial : 3
Proprietary: 2
Total Nos. of Audit Tools : 20
5.
6.
7.
Information Security Audit Methodology : ISO / IEC 27001:2005, COBiT, PCIDSS, OWASP.
Information Security Audits carried out so far :
Govt. : 1
PSU : 0
Private : 25
Total Nos. of Information Security Audits done : 26
Business domain of auditee organisations : Banks, Insurance Co.s, Asset Management co.s,
Financial Institutions, Brokerage Firms, Manufacturing, Media, Government, Retail.
Page 48
8.
Typical applications in use by auditee organisations : Multi tier, Client Server, Web Applications,
Databases, SAP, ERP, CRM.
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 gbps
External Bandwidth (WAN / Internet) : 40 mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of Servers : 100
No. of Switches : 40
No. of Routers : 75
No. of Firewalls : 4
No. of IDS' : 2
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 49
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Haribhakti & Co. (CA),
Mumbai
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 3
CISAs : 10
DISAs / ISAs : 6
Total Nos. of Technical Personnel : 21
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 3
Commercial : 3
Proprietary: 0
Total Nos. of Information Security Audit Tools : 6
Details of the Information Security Audit Tools
Freeware Tools
1. Nessus - Vulnerability Assessment
2. NMAP - Port Scanner
3. IP Tools - Network
Commercial Tools
1. App Detective - Database Vulnerability
2. GFI-Languard - Network Vulnerability
3. Acunetix
Proprietary Tools
None
6.
7.
Information Security Audit Methodology : COSO & COBIT, ISO 27001, BS 25999
Information Security Audits carried out since empanelment till now :
Govt. : 4
PSU : 8
Private : 24
Total Nos. of Security Audits : 26
8. Business domain of auditee organisations : Tax Information Network, Depository, Banking & Financial
Services, Insurance, Call Centres, Regulators
9. Typical applications in use by auditee organisations : Online/Internet Trading, Dealing Room, Depository
Participant Modules, Treasury, CBS, Core Insurance, Bank Call Centre, Electronic Procurement, OLTAS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 300
No. of servers : 20
No. of switches : 10
No. of routers : 300
No. of firewalls : 3
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 50
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1.
Name & location of the empanelled Information Security Auditing Organisation : M/S HEXAWARE
TECHNOLOGIES LTD
2.
3.
security
:
:
:
:
:
:
:
:
audits :
1
3
4
4
1 (Licensed Penetration Tester)
1 (Certified Penetration Testing Specialist)
25
4.
5.
in possession) :
25
4
29
Nmap
Nping
Ncat
Nikto
NetStumbler
Wireshark
W3af
Metasploit
Paros Proxy
BackTrack
Tcpdump
Sqlmap
ScanDNS
Grendel
DirBuster
Brutus
Samurai Web Testing Framework
Crack
Google
Whisker
CrypTool
TCPtraceroute
NStalker
Snort
John the Ripper
Commercial:
Page 51
1.
2.
3.
4.
Acunetix,
Nessus,
Saint,
GFI Languard
6.
ISO27001, OWASP
7.
:
:
:
:
8.
9.
Typical applications in use by auditee organisations : Peoplesoft HRMS, Peoplesoft Finance, Microsoft
CRM, Glodyne Whizible Suite, Borland StarTeam, MS Exchange
1
25+
26+
Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 52
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : HCL Comnet Ltd., Noida
Carrying out Information Security Audits since : January 2001
Technical manpower deployed for information security audits :
CISSPs : 10
BS7799 / ISO27001 LAs : 9
CISAs : 6
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 350
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 21
Commercial : 9
Proprietary: 0
Total Nos. of Audit Tools : 30
Page 53
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 54
4.
5.
Name & location of the empanelled Information Security Auditing Organisation : IBM India Pvt Ltd,
Mumbai
Carrying out Information Security Audits since : Year 2000
Technical manpower deployed for information security audits :
CISSPs : 15
BS7799 / ISO27001 LAs : 30
CISAs : 15
DISAs / ISAs : NA
Total Nos. of Technical Personnel : 400
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 14
Commercial : 6
Proprietary: 5
Total Nos. of Audit Tools : 25
List of Tools used
Freeware:
1. Metasploit: Penetration Testing Framework
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Wireshark - Protocol analyzer
5. MBSA : Windows security assessment
6. Nikto : Web Applications security
7. SNMPWalk : Router and network management
8. CAIN & Able : Traffic sniffing and Password cracking
9. Brutus : Password cracking
10. JohntheRipper : Password cracking
11. W3AF: Application auditing framework
12. Maltego: Intelligence and forensics application.
13. Unicornscan: Port Scanner and Information gathering.
14. Burp: Web proxy tool.
Commercial:
1. Nessus : Network Vulnerability Assessment
2. IBM Appscan : Web Systems & Applications security
3. Retina : Vulnerability Scanner
4. ISS : Vulnerability Scanner
5. Immunity Canvas : Penetration Testing Framework
6. Modulo: GRC Framework
Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment
6.
Information Security Audit Methodology : ISO27001, COBIT, ISF(IBM Security framework), OWASP, IBM
Penetration Testing methodology.
Page 55
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 56
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : IDBI Intech Ltd.
Carrying out Information Security Audits since : November 2007
Technical manpower deployed for information security audits :
CISA : 15
CRISC : 2
CGEIT : 2
CEH : 5
BS25999 :1
Managed Security Service Professional : 11
BS7799/ISO27001 LA's : 7
Total Nos. of Technical Personnel: 900 +
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 17
Commercial : 2
Proprietary: 1
Total Nos. of Audit Tools: 20 (Details in the Attached File)
Information Security Audit Methodology : Own Also, COBIT, ISO27001, PCI-DSS, OWASP and OSSTMM.
Page 57
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 58
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Indusface Consulting
Pvt Ltd, Baroda
Carrying out Information Security Audits since : July 2004
Technical manpower deployed for information security audits :
CISSPs : 8
BS7799 / ISO27001 LAs : 12
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 40
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 40
Commercial : 2
Proprietary: 0
Total Nos. of Audit Tools : 42
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
Page 59
BACK
Page 60
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation: Information Systems
Auditors & Consultants Pvt Ltd, Mumbai
Carrying out Information Security Audits since : July 1997
Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 1
CISAs : 5
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 6
Outsourcing of information security auditing work to other external Information Security Auditors /
Experts : Yes
Information Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 6
Page 61
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 62
Freeware :
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping TCP ping utilitiy Dsniff - Passively monitor a network for interesting data (passwords,
e-mail, files, etc.). facilitate the interception of network traffic normally unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. John the Ripper - Password-cracking utility
14. Paros
15. NMAP - The famous port-scanner
16. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
17. Nemesis - Packet injection suite
18. NetCat - Swiss Army-knife, very useful
19. RAT CISecuritys Router Auditing Tool
20. DSniff - A collection of different purpose sniffers
21. Achilles - An SSL-proxy allowing to change data
22. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
23. Brutus password cracking for web applications, telnet, etc.
24. WebSleuth - web-app auditing tool
25. Metasploit framework
Page 63
Commercial :
None
Proprietary :
None
6. Information Security Audit Methodology : OSSTM, OWASP, COBIT
7. Information Security Audits carried out so far:
Govt. : 0
PSU : 0
Private : 15
Total Nos. of Information Security Audits done : 15
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Software development, Business
process outsourcing
9. Typical applications in use by auditee organisations : Banking and Financial Applications, Trading Sofwtare
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 12000
No. of Servers : 150
No. of Switches : 100
No. of Routers : 40
No. of Firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 64
BACK
Page 65
M/s KPMG
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1.
2.
3.
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : KPMG, Gurgaon
Carrying out Information Security Audits since : September 1996
Technical manpower deployed for Information security audits :
CISSPs : 17
BS7799 / ISO27001 LAs : 17
CISAs : 50
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 200
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 12
Proprietary: 7
Total Nos. of Information Security Audit Tools : 38
Commercial Tools :
1. ISS Internet - Network security
2. Webinspect - Web Systems & Applications security
3. AppScan - Web Systems &Applications security
4. Bindview - Local Systems & Applications security
5. ISS DB - Database Security
6. AppDetective - Database Security
7. Nessus - Network security
Page 66
8.
9.
10.
11.
12.
Power Tech
VeloSecure
IPLocks - Database Security
Qualsys Guard
Core Impact
Proprietary Tools :
1.
2.
3.
4.
5.
6.
7.
6.
7.
Page 67
Page 68
8. Business domain of auditee organisations : Shipping , Natural Gas Company , Telecommunication , IT Solution
Company , Steel , Power , Manufacturing/Chemical , Financial Auditing
9. Typical applications in use by auditee organisations : SAP Web Application Server (Netweaver), Web Services,
Database, AIX, Mainframe, Citrix, Telecommunication services, Tally.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No.
No.
No.
No.
No.
No.
of
of
of
of
of
of
Computer Systems : 72
Servers : 33
Switches :
Routers :
Firewalls : 1
IDS' :
12. Ability to carry out vulnerability assessment and penetration test : Yes
BACK
Page 69
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Locuz Enterprise
Solutions Ltd, Hyderabad
Carrying out Information Security Audits since : August 2001
Technical manpower deployed for security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 35
Outsourcing of External IT Security Auditors / Experts : No
Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 5
Proprietary: 1
Total Nos. of Audit Tools : 12
Details of the Information Security Auditing Tools
Freeware Tools
1.
2.
3.
4.
5.
6.
Commercial Tools
1.
2.
3.
4.
5.
Proprietary Tools
1.
6.
7.
8.
Page 70
9.
Page 71
4.
5.
Nessus : Vulnerability scanner - Port scan/ Vulnerability scan /web application security
scan
2. Nikto : Web application vulnerability scanner
3. Superscan : Port scanner
4. Dsniff : collection of tools for network auditing and penetration testing
5. Whisker/Libwhisker : CGI vulnerability scanner
6. Network Stumbler : Tool to find open wireless access points
7. SARA : vulnerability assessment tool
8. Achillies : Web application security - proxy
9. Brutus : Password brute forcing tool
10. SPIKE Proxy : HTTP proxy for finding security flaws in web sites
11. Winfingerprint : Win32 Host/Network Enumeration Scanner
12. Auditor : Collection of Tools to conduct security audit.
Footprinting
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Greenwhich
Whois
Gnetutil : Network Utilities
Itrace : ICMP traceroot
Tctrace : TCP traceroute
Traceroute
DNSwalk : DNS verification
Dig : DNS lookup
Host : DNS lookup
NSTXCD : IP over DNS client
Page 72
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
Scanning
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
Page 73
25.
26.
27.
28.
29.
30.
31.
32.
33.
Analyzer
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
Spoofing
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
Page 74
23.
24.
25.
26.
27.
28.
29.
30.
Bluetooth
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Wireless
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
Page 75
Password Cracker
1.
2.
3.
4.
5.
6.
7.
8.
Forensics
1.
2.
3.
4.
Honeypot
1.
2.
3.
4.
5.
IMAP
POP3
Honeyd : Honeypot
IISEmulator : Honeypot
Tinyhoneypot : Simple honeypot
Commercial Tools
Proprietary Tools
6.
7.
Page 76
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Petro, Banking, Insurance, BPO
9. Typical applications in use by auditee organisations : Core Banking, SAP, Workflow
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 8 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 243
No. of Computer Systems : 6000
No. of routers : 0
No. of switches :91
No. of firewalls : 4
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 77
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : MIEL e-Security,
Mumbai
Carrying out Information Security Audits since : July 1999
Technical manpower deployed for information security audits :
CISSPs : 13
BS7799 / ISO27001 LAs : 25
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 50
Outsourcing of External Information Security Auditors / Experts : Yes
Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary: 6
Total Nos. of Audit Tools : 27
Page 78
Page 79
24. SNMPWalk
25. Ophcrack
Proprietary
AuditPro
AuditPro Enterprise Edition is a proprietary security auditing and compliance tool used by many
organizations and auditors across the world. NII has developed this proprietary technology to help
organizations define assets, policies, and audit systems against these policies. Supported
technologies include Windows (all versions up to 2008), Unix (Sun Solaris, AIX, Linux), Oracle (8i,
9i, 106 and 11g), and SQL Server (2000 and 2005).
Firesec
Firesec is an in-depth security and configuration audit tool for firewalls helps review policy
conflicts, unused policy rules, groupable rules, unused configuration objects, as well as helps
check for PCI DSS compliance. Supported firewalls include Cisco, Netscreen, Cyberguard and
Checkpoint.
Commercial
CodeSecure
CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for
clients to ensure a comprehensive review of web application security.
CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for
clients to ensure a comprehensive review of web application security.
GFI Languard
GFI Languard Network Security Scanner is one of the most widely used network scanners
Appscan/Webinspect
On client request, we have experience using these tools on a pay-per-use basis
6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001, PCI DSS
7. Information Security Audits carried out so far:
Govt. : 7
PSU : 15
Private : 200
Total Nos. of Security Audits : 222
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government,
FMCG, Healthcare, Retail
9. Typical applications in use by auditee organisations : Web applications, Core banking applications, ERP, CRM,
Telecom-specific applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10-100 Mbps
External Bandwidth (WAN / Internet) : 2-10 Mbps
Page 80
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 50000
No. of servers : 500
No. of switches : 7000
No. of routers : 1500
No. of firewalls : 25
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 81
3.
4.
5.
Freeware Tools
1. W3af
2. Nmap
3. Firefox with Firecat
4. Owasp CLASP
5. Themis
6. Paros
7. Burp
8. WebScarab
9. Paros
10. Websecurify
11. Owasp CSRF tester
12. SQLiX
13. Nikto
14. Labrat
15. Metasploit
16. Backtrack
17. Cain&Able
18. Grendal Scan
19. Kismet
20. Aircrack-NG
21. Ophcrack
22. BeEF
Page 82
6.
7.
8.
Business domain of auditee organisations : Manufacturing, IT/ITES, Media & Entertainment (including
online portals), BFSI, Services, PSU, Telecommunications, etc.
9.
Typical applications in use by auditee organisations : Web Applications, Web Server Applications,
SAP/CRM, Mobile Applications, Security & Monitoring Apps, Thick-Client Application, Network
Infrastructure Applications.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 83
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Network Security
Solutions (India) Ltd., Noida
Carrying out Information Security Audits since : September 2002
Technical manpower deployed for Information security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 13
CISAs : 6
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 26
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 29
Commercial : 4
Proprietary: 2
Total Nos. of Audit Tools : 35
X-Scan
Hping
W Scanner
NMap
Metasploit
Burp Proxy
Solar Winds
Winhex
Achilles Proxy
N-Stealth : Security Scanner
Websphinx
Rainbow : Password Cracker
John the Ripper : Password Cracker
Stellar : Data Recovery
Easy : Data Recovery
Nikto
Snort
Ethereal
Backtrack 3
Helix
Auditor Pro
Ophcrack
Nessus
Super Scan
SATAN
Airmon
Aerodump
Airplay
Page 84
29. Aircrack
Commercial Tools
1.
2.
3.
4.
eEye Retina
Shadow : Security Scanner
GFI LAN Guard
Core Impact
Proprietary Tools
1.
2.
6.
7.
Information Security Audit Methodology : COBIT, ISACA, BS25999, OSSTM, OWASP, ISO27001, NIST
Information Security Audits carried out since empanelment till now :
Govt. : 237
PSU : 3
Private : 107
Total Nos. of Information Security Audits : 347
8. Business domain of auditee organisations : Government, Defence, Electrical Power Generation, BPO / KPO,
Telecom, Manufacturing, Pharma, Banking & Finance
9. Typical applications in use by auditee organisations : Web, ERP, SAP, Finance, Proprietary Security
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 3000
No. of servers : 125
No. of switches : 250
No. of routers : 0
No. of firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 85
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks,
Bangalore
Carrying out Information Security Audits since : May 2000
Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20
Page 86
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks,
Bangalore
Carrying out Information Security Audits since : May 2000
Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20
Details of the Audit Tools
Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In
6.
7.
Page 87
BACK
Page 88
Freeware:
Paros
Burp Proxy
Webscarab
Nikto
Wikto
Nmap
SoapUI
Netcat
Fiddler
Backtrack4
Nipper
Commercial:
IBM AppScan
Nessus
GFI Languard NSS
Page 89
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 90
4.
5.
Commercial Tools :
1.
2.
3.
4.
5.
6.
Page 91
7.
Proprietary Tools:
1.
2.
3.
4.
5.
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 92
4.
5.
Name & location of the empanelled Information Security Auditing Organisation : Progressive Infotech
(P) Limited, Noida
Carrying out Information Security Audits since : 2009
Technical manpower deployed for information security audits :
CISSPs : 02
BS7799 / ISO27001 LAs : 02
CISAs :
DISAs / ISAs :
Total Nos. of Technical Personnel : 40+
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 36+
Commercial :
Proprietary:
Total Nos. of Audit Tools : 36+
7
8
9
10
11
12
13
Name of the
Whether freeware,
Information Security
Functions (In brief)
commercial or proprietary
Audit Tool
Achilles
Freeware
A tool designed for testing the security of web
applications
ADMFtp, ADMSnmp
Freeware
Tools for remote brute-forcing
Brutus
Freeware
An Windows GUI brute-force tool for FTP, telnet,
POP3, SMB, HTTP, etc
Crack
Freeware
A password cracker
Cryp Tool
Freeware
A cryptanalysis utility
Curl
Freeware
Curl is a tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER,
TELNET, DICT, FILE and LDAP
Different network
Freeware
Ping, traceroute, whois,snmp tools, dig, nslookup,
mapping tools
DNS tools.etc.
Elza
Freeware
A family of tools for arbitrary HTTP communication
with picky web sites for the purpose of penetration
testing and information gathering
Exploits
Freeware
publicly available and homemade exploit code for
the different vulnerabilities around
FScan
Freeware
A command-line port scanner. Supports TCP and
UDP
HPing
Freeware
HPing is a command-line oriented TCP/IP packet
assembler/analyzer. It supports TCP, UDP, ICMP
and RAW-IP protocols, has a traceroute mode, the
ability to send files between a covered channel,
and many other features.
ISNprober
Freeware
Check an IP address for load-balancing.
ICMPush
Freeware
ICMPush is a tool that sends ICMP packets fully
customized from command line
Page 93
14
15
Freeware
Freeware
A password cracker
NTLM/Lanman password auditing and recovery
application (read: cracker)
16
Nessus
Freeware
17
Netcat
Freeware
18
19
NMAP
P0f
Freeware
Freeware
20
Pwdump
Freeware
21
SamSpade
Freeware
22
ScanDNS
Freeware
23
Scripts
Freeware
24
Sing
Freeware
25
SSLProxy, STunne
Freeware
26
Strobe
Freeware
27
Telesweep Secure
Freeware
28
29
30
THC
Freeware
TCPdump
Freeware
UCD-Snmp- (aka NET- Freeware
Snmp)
31
Freeware
32
33
34
Webinspect
Webreaper, wget
Whisker
Freeware
Freeware
Freeware
35
Ethereal
Freeware
6.
Page 94
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 95
Name & location of the empanelled Information Security Auditing Organisation : ProMinds Consulting
Pvt Ltd, Hyderabad
2.
3.
4.
Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 40
Commercial : 5
Proprietary: 0
Total Nos. of Information Security Audit Tools : 45
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6.
7.
8.
Business domains of auditee organisations : Govt, PSU, Defense, IT, ITES, BPO, Healthcare, Insurance,
Financial Services, Banking, KPO
9.
Typical applications in use by auditee organisations : Client-Server, Web Applications, ERP, Database,
Office Applications, Software Development Tools, Testing Tools
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 500+
No. of Servers : 30
No. of Switches : 15
No. of Routers : 5
No. of Firewalls : 3
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security
Auditing Organisation).
Page 96
BACK
M/s Qadit Systems & Solutions Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1.
2.
3.
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Qadit Systems &
Solutions Pvt. Ltd., Chennai
Carrying out Information Security Audits since : April 2002
Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 10
DISAs / ISAs : 7
Total Nos. of Technical Personnel : 17
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 31
Commercial : 0
Proprietary: 5
Total Nos. of Information Security Audit Tools : 36
Details of the IT Security Audit Tools
Freeware Tools
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
Page 97
Proprietary Tools
None
6.
Information Security Audit Methodology : OSSTM, OWASP, ISACA/ITAF, ISO 27001/27002, COBIT, ISO
25999, SANS, ITIL, OCTAVE, COSO
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 36
Private : 203
Total Nos. of Security Audits : 244
8. Business domain of auditee organisations : Banking, Manufacturing, Telecom, Pharma, Financial Service,
Software Development, e-Governance, Microfinance
9. Typical applications in use by auditee organisations : ATM Switch, SAP, Web, CBS, NMS, ERP, eGovernance, Web Applications, Payroll, Telecom billing application, Telecom network Monitoring Software,
CRM Applications, Payment Portals
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 4500
No. of servers : 60
No. of switches : 75
No. of routers : 1000
No. of firewalls : 30
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 98
4.
5.
Name, Location of the empanelled IT Security Auditing organisation : Secure Matrix India Pvt Ltd,
Mumbai
Carrying out Information Security Audits since : November 2004
Technical manpower deployed for IT security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 15
Outsourcing of External IT Security Auditors / Experts : No
IT Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 7
Commercial :
1.
Core Impact
Proprietary :
6.
7.
Page 99
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 60
No. of servers : 4
No. of switches : 6
No. of routers : 0
No. of firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 100
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : SecureSynergy Pvt.
Ltd., Mumbai
Carrying out Information Security Audits since : 2002
Technical manpower deployed for Information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 14
CISAs : 3
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 29
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 35
Commercial : 3
Proprietary: 2
Total Nos. of Audit Tools : 40
6.
7.
Page 101
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 102
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno
Services Pvt. Ltd., Bangalore
Carrying out Information Security Audits since : January 2005
Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 0
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
Outsourcing of External Information Security Auditors / Experts : Yes
Information Security Audit Tools used (owned, in possession) :
Freeware : 84
Commercial : 0
Proprietary: 14
Total Nos. of Audit Tools : 98
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1.
2.
3.
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno
Services Pvt. Ltd., Bangalore
Carrying out Information Security Audits since : January 2005
Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 0
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
Outsourcing of External Information Security Auditors / Experts : Yes
Information Security Audit Tools used (owned, in possession) :
Freeware : 84
Commercial : 0
Proprietary: 14
Total Nos. of Audit Tools : 98
Details of the Audit Tools
Freeware :
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Page 103
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
Proprietary :
1.
Windows-VA script : In house developed script used for vulnerability assessment of Windows
operating system
2. Linux-VA script : In house developed script used for vulnerability assessment Linux operating
system.
3. Solaris-VA script : In house developed script used for vulnerability assessment of Solaris operating
system.
4. AIX-VA script : In house developed script used for vulneability assessment of AIX operating
system.
5. Router-VA script : In house developed script used for vulnerability assessment of Routers
6. Switch-VA script : In house developed script used for vulnerability assessment of Switch.
7. WSDigger : Web Services profiling and attack tool.
8. Cookie Digger : Web application audit tool which helps in calculating the strength of cookies and
session ID's
9. Code Scoping tool : Code security audit tool
10. Validator. NET : Web application audit tool for applications built using.net techology
HACME Bank : Web Application audit trainer application
6.
7.
Page 104
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
M/s Security Brigade
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1.
2.
3.
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : Security Brigade; Head
Office: Ranchi - India; Branch Offices: Mumbai - India, Pisa - Italy; Partner/Sales Offices:
Bengaluru - India, Chennai - India, Hyderabad - India, Pune - India, New Delhi - India, Kolkata
- India, Houston - US, Toronto - Canada, Lagos - Nigeria, Doha - Qatar, London - UK.
Carrying out Information Security Audits since : June 2006
Technical manpower deployed for Information security audits :
BS7799 / ISO27001 LAs : 1
ECSAs : 1
LPTs : 1
CEHs : 2
CCNAs : 4
Total Nos. of Technical Personnel : 7
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 1000+
Commercial : 2
Proprietary: 15
Total Nos. of Audit Tools : 1017+
3.
4.
5.
Page 105
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
source software. Our Integrated Reporting Engine allows us to cross-reference information from all
the different components and generate a report based on our Clients requirements.
PT Framework - Security Brigades in-house developed framework is an integrated solution
developed by our security experts that have an expertise in the penetration testing domain. It
allows us to integrate the manual and automated testing processes with commercial and opensource software. Our Integrated Reporting Engine allows us to cross-reference information from all
the different components and generate a report based on our Clients requirements.
webSpider - Security Brigades in-house developed application uses advanced HTML, Java Script,
Ajax, Flash and XML parsing engines to identify and map as much of the client applications as
possible. This not only assists our automated webTester engine, but also assists in carrying out
the manual testing process in an efficient manner. It allows us to attain a cost-effective balance
between thorough testing and time required.
sapScan - Security and Configuration Assistant for SAP Security Audits.
riskReview - General Risk Assessment Tool.
erpInterrogate - ERP Security and Configuration Assessment and Control Tool.
Windows Batch Scripts - Windows batch scripts to automate routine server hardening functions
and processes.
Linux Bash Scripts - Linux Bash scripts to automate routine server hardening functions and
processes.
Oracle Security Assessment Scripts - Oracle Security Assessment Scripts to automate routine
hardening functions and processes.
MSSQL Security Assessment Scripts - MSSQL Security Assessment Scripts to automate routine
hardening functions and processes.
Internal Vulnerability Database - Automated vulnerability database that is updated every 15
minutes from over 100 public and 20 private feeds.
Commercial Tools
1.
2.
Nessus - Premier vulnerability assessment tool with more than 20,000 plugins.
GFI LANguard - commercial network security scanner for Windows.
Freeware Tools
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Page 106
17.
18.
19.
20.
21.
6.
Information Security Audit Methodology : In-house Developed Hybrid Methodology based on BS7799,
ISO17799, ISO27001, OWASP Testing Guide and OSSTM.
7. Information Security Audits carried out so far:
Govt: 50+
PSU: 10+
Private: 100+
8. Business domain of auditee organisations : Banking & Finance, IT/ITES, Telecom, Manufacturing,
Logistics, Insurance, Retail, Government etc.
9. Typical applications in use by auditee organisations : Corporate Websites, Core Banking, Insurance Portal,
Loan & Treasury Management, Online Trading, Backoffice, CTCL, Accounting, Operations Management,
Billing
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 8,000
No. of servers : 300
No. of switches : 40
No. of routers : 5
No. of firewalls : 3
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 107
4.
5.
Name, Location of the Empanelled Security Auditing organisation: Sify, New Delhi
Carrying out Information Security Audits since : NA
Technical manpower deployed for security audits :
CISSPs : 7
BS7799 / ISO27001 LAs : 14
CISAs : 26
DISAs / ISAs : 16
Total Nos. of Technical Personnel : 63
Outsourcing of External IT Security Auditors / Experts : No
Security Audit Tools used (owned, in possession) :
Freeware : 30
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 30
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 108
Name, Location of the Empanelled Security Auditing organisation: SIMOS COMPUTER SYSTEMS PRIVATE
LIMITED, Chennai
2.
3.
4.
5.
6.
7.
8.
9.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 109
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation : SISA Information
Security (P) Ltd., Bangalore
Carrying out Information Security Audits since : September 2002
Technical manpower deployed for information security audits :
CISSPs : 4
BS7799 / ISO27001 LAs : 3
CISAs : 9
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 25
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 3
Proprietary: 1
Total Nos. of Audit Tools : 29
Details of the Audit Tools
Freeware :
1.
2.
3.
4.
5.
6.
7.
8.
9.
Commercial :
1.
2.
3.
6.
7.
8.
Page 110
9.
Typical applications in use by auditee organisations : Banking Applications, Financial Applications, Mobile
Applications, Web Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10 Mbps
External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of servers : 25
No. of switches : 50
No. of routers : 30
No. of firewalls : 16
No. of IDS' : 16
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 111
4.
5.
Name, Location of the Empanelled IT Security Auditing Organisation : Spectrum Networks Solutions
Pvt Ltd, Noida
Carrying out IT Security Audits since : May 2004
Technical manpower deployed for IT security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 5
CISAs / CISMs: 3
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 24
Outsourcing of IT Security Auditing Work to External IT Security Auditors / Experts : Yes
IT Security Audit Tools used (owned, in possession) :
Freeware : 36
Commercial : 4
Proprietary: 2
Total Nos. of Audit Tools : 42
Page 112
20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS
versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like
L0phtcrack or John
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup,
whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone
transfer, SMTP relay check,etc.
23. ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from
command line
26. SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management Protocol
including snmpget, snmpwalk and snmpset.
33. Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for the
latest vulnerabilities.
Commercial Tools
Proprietary Tools
6.
7.
Page 113
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 114
STQC Directorate
Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1.
2.
3.
4.
5.
Name, Location of the Empanelled Security Auditing organisation : STQC IT Services, New Delhi
Carrying out Information Security Audits since : NA
Technical manpower deployed for security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 12
CISAs : 0
DISAs / ISAs : 9
Total Nos. of Technical Personnel : 12
Outsourcing of External IT Security Auditors / Experts : No
Security Audit Tools used (owned, in possession) :
Freeware : 23
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 23
6.
7.
Page 115
No. of firewalls : 6
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 116
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1.
Name & location of the empanelled Information Security Auditing Organisation : Suma Soft Pvt Ltd
2.
3.
4.
5.
Nessus
Whisker
HUNT - TCP/IP protocol vulnerability exploiter, packet injector
DOMTOOLS - DNS-interrogation tools
SARA - Vulnerability scanner
RAT
Nikto - This tool scans for web-application vulnerabilities
Snort - IDS
Firewalk - Traceroute-like ACL & network inspection/mapping
Hping TCP ping utilitiy Dsniff - Passively monitor a network for interesting data
(passwords, e-mail, files, etc.). facilitate the interception of network traffic normally
unavailable to an attacker
HTTrack - Website Copier
Chkrootkit - Rootkit discovery tool
Tools from FoundStone - Variety of free security-tools
SQL Tools - MS SQL related tools
John the Ripper - Password-cracking utility
ITS4 - Scan C/C++ source-code for vulnerabilities
Paros
NMAP - The famous port-scanner
Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
Nemesis - Packet injection suite
NetCat - Swiss Army-knife, very useful
RAT CISecuritys Router Auditing Tool
DSniff - A collection of different purpose sniffers
Achilles - An SSL-proxy allowing to change data
Whitehats - Snort IDS-signatures & other resources
Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
Brutus password cracking for web applications, telnet, etc.
Page 117
28.
29.
30.
31.
32.
33.
34.
Commercial Tools
1.
2.
6.
Information Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT, OSSTM, OWASP
7.
8.
Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development
9.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 118
4.
5.
Name & location of the empanelled Information Security Auditing Organisation : Sumeru Software
Solutions Pvt Ltd, Bangalore
Carrying out Information Security Audits since : 2002
Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs / CISMs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 10
Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 61
Commercial : 4
Proprietary: 0
Total Nos. of Information Security Audit Tools : 65
Details of the Information Security Audit Tools
Freeware Tools
1.
2.
3.
4.
5.
6.
7.
8.
Nmap / Superscan
WireShark
Paros Proxy
Metasploit Framework
Kismet / NetStumbler / Aircrack
Nikto / Wikto
BackTrack
WebScarab
Commercial Tools
1.
2.
3.
4.
Nessus
WebInspect
MegaPing
Retina
Proprietary Tools
None
6.
7.
Page 119
PSU : 0
Private : 101
Total Nos. of Security Audits : 108
8. Business domains of auditee organisations: Manufacturing, Hospitality, Media, Defence, BSFI, IT/ITES,
Publishers, Human resources, Insurance, Government.
9. Typical applications in use by auditee organisations : e-Commerce Portals, Job Portals, News Portals,
Public Forum, Pay Roll Applications, Intranet Applications, Webmail, Insurance web porta.
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4500
No. of Servers : 70
No. of Switches : 300
No. of Routers : 2
No. of Firewalls : 135
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 120
4.
5.
Name and location of the empanelled Information Security Auditing Organisation : Sysman Computers
Pvt. Ltd., Mumbai
Carrying out Information Security Audits since : 1991
Technical manpower deployed for security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 7
CISAs : 12
DISAs / ISAs : 6
Total Nos. of Technical Personnel : 30
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 28
Commercial : 5
Proprietary: 0
Total Nos. of Audit Tools : 33
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 121
4.
5.
Name, Location of the empanelled Information Security Auditing Organisation: Tata Consultancy
Services Ltd, Mumbai
Carrying out Information Security Audits since : 2001
Technical manpower deployed for information security audits :
CISSPs : 25
BS7799 / ISO27001 LAs : 60
CISAs : 15
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 232
Outsourcing of Information Security Auditing Work to external Information Security Auditors / Experts :
No
Information Security Audit Tools used (owned, in possession) :
Freeware : 5
Commercial : 2
Proprietary: 2
Total Nos. of Audit Tools : 9
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6.
7.
Page 122
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 123
4.
5.
Name, Location of the empanelled IT Security auditing organisation : Tech Mahindra Ltd, Noida
Carrying out Information Security Audits since : 2004
Technical manpower deployed for security audits :
CISSPs : 14
BS7799 / ISO27001 LAs : 56
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 97
Outsourcing of External IT Security Auditors / Experts : No
IT Security Audit Tools used (owned, in possession) :
Freeware : 2
Commercial : 1
Proprietary: 1
Total Nos. of Audit Tools : 4
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
Page 124
1. Name & location of the empanelled Information Security Auditing Organisation : Technologics and Controls,
New Delhi, India
2. Carrying out Information Security Audits since : December 2002
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 1
CISAs / CISMs: 4
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed):
Freeware : 10
Commercial : 3
Proprietary: 0
Total Nos. of Information Security Audit Tools : 13
Details of the Information Security Audit Tools
Freeware Tools
Brutus,Superscan
Nessus Vulnerability Scanner
Belarc Advisor
M Metasploit Framework 3
Mozilla Firefox Extension AnEC Cookie Editor v0.2.1.3
Wireshark
HTTP Editor
Tenable Nessus
Mozilla Firefox Extension Hack Bar
WebScarab
Commercial Tools
Page 125
PSU : 0
Private : 45
Total Nos. of Security Audits : 47
8. Business domains of auditee organisations : Banking, Insurance, Services, ITES, Finance, Stock traders, UN,
Manufacturing, Defence, NGO, Government
9. Typical applications in use by auditee organisations : ERP (SAP, MFGPro, Ingenium, others), HR and Payroll,
Document Imaging, Banking (CBS / TBA), Web and E-commerce Applications
10. Bandwidth available with an auditee organisation having most complex network:
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : upto 16 MBPS
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4000
No. of Servers : 190
No. of Switches : 400
No. of Routers : 150
No. of Firewalls : 4
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Y
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 126
Name & location of the empanelled Information Security Auditing Organisation : M/s Torrid Networks
Pvt. Ltd.
2.
3.
4.
5.
6.
7.
Page 127
8.
Business domain of auditee organisations : BFSI, Telecom, BPO, IT/ITES, Manufacturing, Engineering
9.
Typical applications in use by auditee organisations : HRMS, CRM, Exchange, Billing, ERP, Intranet, Payroll
Page 128
4.
5.
Name, Location of the empanelled Information Security Auditing organisation : TVSNet Technologies
Ltd, Chennai
Carrying out Information Security Audits since : January 2000
Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 3
CISAs/CISMs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 25
Outsourcing of External Information Security Auditors / Experts : Yes
Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 21
Details of the Information Security Audit Tools
Freeware :
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Commercial :
1.
6.
7.
Acunetix Web Vulnerability Scanner: Acunetix WVS automatically checks web applications for
vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on
authentication pages.
Page 129
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 130
Name & location of the empanelled Information Security Auditing Organisation : Verizon Business,
Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037
2.
3.
4.
5.
Page 131
34. IISCat
35. IISHack
36. PipeUpAdmin
37. Pwdump2
38. GFI LanGuard
39. HFNetChk
40. ConfigDefence
41. UnixRecon
42. Titan
43. AppSecInc
44. VoIP Hopper
Commercial:
1.
2.
3.
4.
5.
6.
nCircle
Nessus Professional Feed
Ounce / IBM AppScan
WebInspect
Core Impact
Canvas
6.
7.
8.
Business domain of auditee organisations : Banking & Finance, Information Technology, Government
Establishments, Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences &
Healthcare.
9.
Typical applications in use by auditee organisations : Enterprise Resource Planning (ERPs), Online Banking
Solutions, Online Payment Solutions, CRM, Billing Systems, Corporate Websites, Web Services & Web
Applications.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
Back
Page 132
Name & location of the empanelled Information Security Auditing Organisation : VISTA InfoSec Pvt.
Ltd., Mumbai 400058.
2.
3.
4.
5.
Commercial:
1.
2.
3.
4.
Rapid7 NeXpose
Rapid7 Metasploit
Tenable Nessus
IBM AppScan
Page 133
6.
7.
8.
Business domain of auditee organisations : Banks, Insurance, Financial services, BPO, Software
development, Pharma, Manufacturing, Entertainment, Realty, Retail, Governance, Power and Petrochem.
9.
Typical applications in use by auditee organisations : Core Banking, SAP, ERP, CRM, Internet Banking,
Time Management, Peoplesoft, Payment Gateway applications, Oracle, Financial Applications, Mobile
applications, SCADA Applications, etc.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security
Auditing Organisation).
TOP
Page 134
4.
5.
Name, Location of the Empanelled Information Security Auditing organisation : Wipro Ltd., Gurgaon
Carrying out Information Security Audits since : October 2000
Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 1
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 55
Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 42
Commercial : 12
Proprietary: 1
Total Nos. of Audit Tools : 55
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6.
7.
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
TOP
Page 135