ETSS Management is in “the business of serving”. We were born out of need — the need for a prioritized approach to securing clients’ information. We specialize in information security services, including compliance, audit, advisory, and outsourcing.

We deliver with a focus on client service at the core, where our work is just a means to an end.

About

We are a firm of three, established on the belief that the best results come from direct interaction with clients.

We do the work, and we maintain the relationship. No sales representatives, no account executives, and no big guns trying to represent the work of someone else.

We are simply three co-partners — one systems auditor, one security professional, one network specialist — motivated to listen and serve, from start to finish.

We believe in true collaboration, hence our process is collaboration-focused, where we meet, discuss, strategize, organize, prioritize, perform, report, review, deliver, and close.

Metasploitable 2 Series – NFS

The next service that we are going to look at is NFS, which stands for Network File System. In our previous post, we performed a port scan and found that TCP ports 111 and 2049 were open. On Unix systems, these ports are usually associated with the rpcbind and NFS services respectively.


NFS
The NFS service allows users to access shared directories over the network. It lets a remote client mount an exported file system and read or modify its contents. System administrators must take care to configure NFS properly, since a misconfiguration can give any user unnecessary access or permissions to the file system. We will be using Metasploitable2 for demonstration purposes, since it ships with an NFS misconfiguration by default.
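A defensive check for the kind of misconfiguration described above, as an added example that is not from the original post: it parses an exports(5)-style file and flags entries that grant broad access. The sample file content, the function names and the set of checks are assumptions made for illustration.

```python
import re

# Constructed sample /etc/exports content (not taken from the page).
SAMPLE_EXPORTS = """\
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/builds  10.0.18.0/24(ro,sync,root_squash)  # build artifacts
/srv/scratch 10.0.18.250(rw,sync) \\
             (ro,insecure)
"""

WORLD = {"", "*", "0.0.0.0/0", "::/0"}           # client specs that match any host
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client spec in exports(5) text."""
    joined = re.sub(r"\\\n", " ", text)          # fold backslash continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:             # no client listed = any host
            m = CLIENT_RE.match(spec)
            if not m:
                continue                         # skip malformed client specs
            host, opts = m.group(1), m.group(2) or ""
            yield path, host, {o.strip() for o in opts.split(",") if o.strip()}


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export settings."""
    findings = []
    for path, host, opts in parse_exports(text):
        world = host in WORLD
        checks = [
            (world, "exported to any host"),
            (world and "rw" in opts, "writable by any host"),
            ("no_root_squash" in opts, "remote root is not squashed"),
            ("insecure" in opts, "accepts unprivileged source ports"),
            (path == "/", "entire root file system exported"),
        ]
        findings += [(path, host or "<any host>", msg) for hit, msg in checks if hit]
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:14} {finding}")
```

Options that are absent fall back to the exports(5) defaults (`ro`, `root_squash`, `secure`), which is why only explicit overrides are flagged.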

In our setup, we are using Kali Linux as our attack box.

  • Metasploitable2 IP Address –> 10.0.19.235
  • Attack-Box IP Address –> 10.0.18.250



We already know that the NFS service is running on the remote machine; we can also use tools like “rpcinfo” to check for such services.

Penetration Testing

Here, at ETSS Management, we believe offense is the best defense. Using our offensive methodology, we help organizations identify their weaknesses by simply hacking them. This enables organizations to understand their flaws, prioritize vulnerabilities and minimize risks associated with IT assets.

We use a variety of tools for Information Gathering, Vulnerability Identification and Exploitation. Automated scans are good at finding known and common vulnerabilities; therefore, during engagements, we develop our own scripts and attacks for finding complex security issues and application-specific flaws. We also use our own risk rating scale to rank and prioritize the identified vulnerabilities.

Our methodology does include exploitation, but due to its disruptive nature some clients may elect to omit this phase and have only a vulnerability assessment performed. For clients that require a proof of concept, we exploit the vulnerabilities, once the initial findings are verified, to serve as proof.

Our pentesting services include:

  • External Penetration Testing
  • Internal Penetration Testing
  • Application Penetration Testing
  • Mobile App Penetration Testing
  • Social Engineering Testing
  • Physical Penetration Testing
  • Vulnerability Scanning


Audit and Compliance

We, at ETSS Management, carry out comprehensive and detailed audits and reviews through an examination of the management controls within an information technology infrastructure. This is done by gathering and evaluating evidence to check whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals and objectives.

We also assist in streamlining compliance with respect to information technology, which can be viewed as an added value to the business, where risk is mitigated, efficiency is enhanced, and external audit costs are reduced.

Our audit and compliance services include:

  • PCI DSS Compliance Program
  • Call Centre PCI Compliance
  • PA DSS Compliance Program
  • P2PE Solution
  • PCI Compliance Readiness
  • Payment Systems Security Audit
  • InfoSec Compliance
  • NFC Security Assessment
  • Risk Assessment
  • IT Controls Audit


Secure Code Review

The practice of security code review helps software development teams find code bugs early in their development cycle. A good code review methodology using automated analysis and manual inspection helps organizations remediate many vulnerabilities before software is fully developed.

We perform security code reviews by using multiple automated tools, including static and dynamic testing tools, as well as manual inspection. Studies have shown that even if all static analysis tools available on the market today are used by the software team, their combined results can still identify only roughly 40 percent of security bugs within an application.

Therefore, we at ETSS Management do not rely only on the outputs of automated tools, but validate and manually inspect the code to overcome their limitations. By applying our prior experience and our knowledge of business logic and of use and abuse cases, we can reduce the likelihood of false positives and false negatives. However, manual methods are labor intensive and expensive.

Our approach of automated reviews combined with manual inspection enables us to identify security vulnerabilities in an efficient and cost-effective manner.


Breach Assessment & Digital Forensics

During the past few years, cyber-attacks have continued to evolve in both scope and sophistication, and threats of breach for organizations are always present. For many companies, it is a struggle to understand whether a breach is actively going on or has happened in the past. A security breach can occur in a number of ways, regardless of whether the source is a disgruntled employee, a hacker, a malicious insider or a full-scale malware phishing campaign.

ETSS Management breach assessment and digital forensics services focus on the core areas of servers, endpoints and network devices to determine whether a breach has occurred within the infrastructure. We analyze the traffic from components of those key areas and, with manual inspection as well as forensics techniques, determine the active behavior or dormant presence of malware, rootkits or backdoors in the organization.

To ensure that our clients sustain minimal damage after a breach, we prepare an investigative report that can be used for insurance claims, and also assist our clients as an expert witness for litigation support in a court of law.


Deliverable

A consolidated e-report is what you get on completion of the work. It will include an analysis of the current-state baseline of the assessed entity and the future process model that needs to be adopted to attain an adequate level of assurance.

For managerial staff, high-level sections in the e-report will include:

  • Purpose of the engagement
  • Scope and approach of the project
  • Security controls identified
  • Risk mitigation strategy to avoid recurrence of the issue

For technical staff, detailed sections in the e-report will include:

  • Sufficient appropriate pictorial evidence
  • Technical description of the issue
  • Recommendation for remediation of weakness