TATA Communications VAPT Service Overview


VULNERABILITY ASSESSMENT AND PENETRATION TESTING


TATA COMMUNICATIONS – VAPT SERVICES OVERVIEW

MAR 2020
VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VAPT)

We deliver Tata Communications’ ‘VAPT’ services via a SaaS (Software as a Service) cloud model, either as Managed Services or in a Consulting Model (one-time testing). They are primarily for customers who need both their network and their web applications monitored for new vulnerabilities and for malware that could infect site visitors. Our Security Operations Centre (SOC), part of the Global Services Management Centre (GSMC), monitors and manages service availability and assists customers in scheduling remote scans on a 24/7/365 basis.

SERVICE OVERVIEW
● Network
✓ Vulnerability management – to identify network vulnerabilities before they’re breached
✓ Penetration testing – to verify potential network impact of vulnerability exploits
● Web application
✓ Vulnerability scanning for dynamic web applications
✓ Malware detection
✓ Penetration testing - to verify potential web app impact of vulnerability exploits

VAPT – DELIVERY MODEL
• Managed Services
  • Vulnerability Assessment Service
    • Network/Servers (Internal & External)
  • Penetration Testing Services (Internal & External)
  • Web Application Security Assessment Service
  • Mobile Application Security Testing (Android/iOS)
  • Phishing Simulation Campaign

• Consulting Services (One-time Testing Services)
  • Vulnerability Assessment Service
  • Penetration Testing Services (Internal & External)
  • Web Application Security Assessment Service
  • Mobile Application Security Testing (Android/iOS)
  • Phishing Simulation Campaign

TCL METHODOLOGY

At Tata Communications we follow a rigorously defined methodology to identify security findings within our clients’ infrastructure. All our security assessments feature the following phases:
● Host identification: through detailed reconnaissance.
● Vulnerability identification and evaluation: we perform detailed vulnerability scans against the identified scope and evaluate the vulnerabilities according to risk score and business criticality, after discussion with the customer SPOC.
● Exploit: the final list of vulnerabilities is exploited with advanced tools and manual techniques to determine the impact on the scoped targets.
● False positive analysis: we analyse all findings for impact, severity and criticality.
● Reporting: we develop recommendations for mitigating risk or implementing compensating controls to reduce risk to an acceptable level.
● Retest: a retest is performed after remediation.
ASSESSMENT APPROACH

Planning & Preparation
➢ Assets identification
➢ Stakeholders identification
➢ Detailed schedule / test plan for each activity with date and time
➢ Identify the business impacts, if any, for the assessment
➢ Discuss and meet stakeholders; communicate and get approvals from stakeholders

Information Gathering and Analysis
➢ Information about network segments
➢ Perform network discovery to determine the reachable systems in the IT infrastructure.
➢ Identify the targets for Vulnerability Assessment and Penetration Testing.

Assessment Phase (VA & PT)
➢ Internal VAPT, External VAPT, Application Security Testing, Server VAPT & Wireless PT
➢ Identify vulnerabilities & security risk
➢ Exploit the vulnerabilities & clean-up

Review and Reports
➢ Review the scan results manually to eliminate false positives.
➢ Consolidate the scan results once the false positives are removed, and report the final vulnerabilities including CVE numbers along with recommendations for remediation.
➢ Present an executive summary report for senior management in Word and PPT format.
➢ Detailed VA and PT assessment report.

Remediation Phase
➢ Customer asset owners will perform the remediation activity; TCL will provide guidance wherever required.

Verification of the Remediation
➢ TCL will re-perform the vulnerability or penetration test to verify the results.

Project Management
• Project Management personnel to oversee the project and interface between both companies.
• Complete tracking of project schedule, execution and reporting.
VULNERABILITY ASSESSMENT
● Internal
● External
PENETRATION TESTING
Tata Communications’ Penetration Testing simulates the techniques used by attackers to help you understand potential threats, while providing detailed recommendations.
APPLICATION SECURITY TESTING
Application security testing aims to emulate externally and internally directed attacks on the web application, to identify any weaknesses which may provide unauthorized access to, or disruption of, systems or data.
VAPT – TOOLS IN FOCUS
TCL - OEM Partners :
✓ Qualys
✓ Tenable
✓ Rapid7
✓ Microfocus

Discovery / Recon / Open Source Tools
Customized Scripts

TATA COMM VAPT TEAM – SKILLS & CERTIFICATION

VAPT Team Strength: certified resources spread across India, Singapore and Dubai

❖ CREST Certified and Trained professionals
❖ OSCP (Offensive Security Certified Professional)
❖ OSCE (Offensive Security Certified Expert)
❖ CEH (Certified Ethical Hacker)
❖ ECSA (EC-Council Certified Security Analyst)
❖ ITIL (Information Technology Infrastructure Library)
❖ Qualys Certifications for VA and Application
❖ Other Network Certifications
ADDING VALUE THROUGH ENGAGEMENT

Our four-step engagement model is designed to increase the success of our work and the value to our clients. We first ask scoping questions and use the information gathered to perform a penetration test. We then report on our findings and review them with our client to inform remediation planning.

ENGAGEMENT
● Scoping Questions
● Testing
● Review & Report
● Planning Presentation

✓ Tailored approach – around the specifics of every client
✓ Structured methods and expert delivery – using a defined methodology delivered by trained professionals
✓ Quantitative results – meaningful for clients and their remedial planning

PILLARS OF STRENGTH

● Experienced security consultants: senior security consultants with cross-industry experience, experienced in providing consultation on security architecture, frameworks and compliance.
● Coverage across the globe: global coverage for GRC, security consulting and assessment projects through an onsite / offshore model delivered from Singapore, India and Dubai across the globe.
● Security consulting advisories: expertise in providing security advisories and benchmarking across the industry. Daily threat advisories are provided to esteemed customers.
● Security certifications: security consultants certified with various globally accepted standards including CREST, OSCP, OSCE, CEH, ECSA, CISSP, CISA and more.

https://www.tatacommunications.com/threat-advisory/
REPORTING

TEST REPORTS OVERVIEW

Management – Executive Summary Report
● High level summary
● Key metrics
● Root cause analysis
● Risk analysis

Excel Dashboard – VA Report
● Vulnerability details
● Risk scoring
● Detailed metrics
● Track patch status and action items

Technical Report – App Sec Test
● Detailed description
● Proof of concepts
● How to fix with source-code examples
● Reference documents

DETAILED REPORTS

Our Penetration test report provides:


● Executive summary
● Risk statement
● Finding description
● Infrastructure impact
● Risk severity
● Recommendations

WEB APPLICATION ASSESSMENT - SAMPLE REPORTS

KEY CUSTOMERS

Due to the NDAs in place, we will not list some of our key Banking and Finance customers.

CASE STUDY

HCCBPL (Hindustan Coca-Cola Beverages Pvt Ltd) is an Indian subsidiary of Coca-Cola which acts as the umbrella organization for all local and global compliance requirements. HCCBPL’s requirement is to comply with the security assessment and compliance requirements of its parent organization.

Customer’s Need
▪ HCCBPL required the internal and external posture to be assessed on an on-going basis, at regular intervals, for 3 years.
▪ Identify the internal/external posture and exposure.
▪ Examine the external infrastructure from the internet.
▪ Vulnerabilities that can be exploited by external resources.
▪ External business application vulnerabilities.
▪ Critical mobile application security risks.

Approach
• Scope confirmation
• Identify the target network IPs and range
• Ports/service identification
• Vulnerability identification
• Correlate and analyze the vulnerabilities
• Identify the exploitable vulnerabilities
• Manual and automated methods of exploitation
• Identify the risk level and impact
• Recommend mitigation

TCL Solution
TCL proposed a Gray/Black box perspective of VA and Penetration Testing for the customer requirement. In this method, the TCL VAPT team acts as an external resource that knows nothing about the target network and tries to identify information about the target network and its associated vulnerabilities. TCL proposed performing the scanning activity over the internet without whitelisting, to identify the vulnerabilities from the black box perspective.

Deliverables
▪ Detailed report
  o IP/Vulnerability
  o Impact
  o Risk Level/CVE
  o Solution/Recommendation
WHY TATA COMMUNICATIONS?

• We provide our clients with customized, industry-approved approaches for assessment.
• TCL customized framework and approach for network/application PT.
• Highly experienced, CREST trained and OSCP, OSCE, CEH certified professionals.
• Dedicated lab setup with leading commercial and open source tools for assessing public-facing infrastructures.
• Retest after remediation.
• OWASP Top 10 and CVE scoring based reports.
• Leading commercial tools for VA and automated PT.
• Customized reports based on the requirement: detailed finding reports with recommendations in Excel format, and high-level executive reports.
• TCL has customers across all verticals. TCL has provided security consulting services to leading national banks and to the logistics, retail and beverage industries in India and other regions.
