info sec companies
TRANSCRIPT
Page 1
EMPANELLED OF INFORMATION SECURITY AUDITING ORGANISATIONS
IT Security Audit (Full Scope of Audit) Within the broad scope, 'Information System Security Audit' or 'IT Security Audit' covers an assessment of security of an organisation's networked infrastructure comprising of computer systems, networks, operating system software, application software, etc. A security audit is a specified process designed to assess the security risks facing an organisation and the controls or countermeasures adopted by the organisation to mitigate those risks. It is a typical process by a human having technical and business knowledge of the company's information technology assets and business processes. As a part of any audit, the auditors will interview key personnel, conduct vulnerability assessments & penetration testing, catalog existing security policies and controls, and examine IT assets. The auditors rely heavily on technology, manual efforts & tools to perform the audit. For Customer Organisations The list of IT security auditing orgnisations, as given below, is up-to-date valid list of CERT-In empanelled Information security auditing orgnisations. This list is updated by us as soon as there is any change in it. Customer organisations may refer this list for availing their services on limited quotes / tender basis to carry out Information security audit of their networked infrastructure. While placing the order, customer organisations should again refer this list for the latest changes, if any, and should place order only on the organisation, which is in this list on that particular day.
1. M/s 3i Infotech Ltd #6/2, Brigade Champak, Union Street, Off Infantry Road, Banglore – 560001. Website URL : http://www.3i-infotech.com Telephone : 080-30541360 Fax : 080-30541306 Contact Person : Mr. Babji V S, General Manager, Managed Services e-mail : babji.vs[at]3i-infotech.com Mobile : 9945322113
2. M/s AAA Technologies Pvt Ltd 278-280, F-Wing, Solaris-1, Saki Vihar Road, Opp. L&T Gate No. 6, Powai, Andheri (East), Mumbai – 400072. Website URL : http://www.aaatechnologies.co.in Telephone : 022-28573815 Fax: 022-40152501 Contact Person : Mr. Anjay Agarwal, Director e-mail : anjay[at]aaatechnologies.co.in Mobile : 9821087283
3. M/s AKS Information Technology Services Pvt Ltd E-52, 1st Floor, Sector-3, Noida – 201301. Website URL : http://www.aksitservices.co.in Telefax : 0120-4243669 Contact Person : Mr. Ashish Kumar Saxena, Managing Director
Page 2
e-mail : ashish[at]aksitservices.co.in Mobile : 9811943669
4. M/s Appin Software Security Pvt Ltd 9th Floor, Agarwal Metro Heights, Netaji Subhash Palace, Pitampura, New Delhi-110034 Website URL : http://security.appinonline.com Telephone : 011-64736970/71 Fax : 011-26581024 Contact Person : Mr. Rajat Khare, Director e-mail : appin.security[at]appinmail.com Mobile : 09212149267
5. M/s Auditime Information Systems (India) Pvt Ltd A-504, Kailash Esplanade, LBS Marg, Ghatkopar (West), Mumbai – 400086. Website URL : http://www.auditimeindia.com Telephone : 022-25006875 Fax: 022-25006876 Contact Person : Mr. Chetan Maheshwari, Director e-mail : csm[at]auditimeindia.com
6. M/s Aegis Tech Limited 2nd Floor, Equinox Business Park, Tower 1, (Peninsula Techno Park), Off Bandra Kurla Complex, LBS Marg, Kurla (West), Mumbai – 400070, INDIA Website URL : http://aegisglobal.com/section_level2.aspx?cont_id=zWj8z5qFobY= Telephone : +91 22 6661 7272 Fax: +91 22 6704 5888 Contact Person : Mr. Atul Khatavkar – VP - ITGRC e-mail : atul.khatavkar[at]agcnetworks[dot]com Mobile : +91 9930132135, 98200 19392
7. M/s Aujas Networks Pvt Ltd No. 4025/26, 2nd Floor, K R Road, Jayanagar, 7th Block West, Bangalore – 560082. Website URL : http://www.aujas.com Telephone : 080-40528527 Fax: 080-40528516 Contact Person : Ms. Sandhya Agnihotri, Manager - Sales Operations e-mail : sandhya.agnihotri[at]aujas.com Mobile : 9901133387
Page 3
8. M/s Controlcase India Pvt Ltd 203, Town Center, Andheri-Kurla Road Saki Naka, Andheri(E) Mumbai-400059 Website URL : http://www.controlcase.com Telephone :+91-2266471800 Fax : +912266471810 Contact Person : Mr. Suresh Dadlani, Chief Operating Officer e-mail : sdadlani[at]controlcase.com Mobile : +91-9820293399
9. M/s CyberQ Consulting Pvt Ltd # 622, DLF Tower A, Jasola, New Delhi – 110044. Website URL : http://www.cyberqindia.com Telephone : 011-41066560, 41077561 Fax: 011-41077561 Contact Person : Mr. Debopriyo Kar, Head, Information Security e-mail : debopriyo.kar[at]cyberqindia.com
10. M/s Computer Science Corporation India Pvt. Ltd. DLF IT Park, A-44/45, Sector 62, Noida Website URL: http://www.csc.com/in Telephone : +91-120-4701015 Fax : +91-120-6700108 Contact Person : Narendra Nayak Email : india_busdev[at]csc[dot]com
11. M/s Cyber Security Works Pvt Ltd E Block, No. 3, 3rd Floor, 599, Anna Salai, Chennai - 600006 Website URL : http://www.cybersecurityworks.com Telephone : 044-42089337 Fax : 044-42089170 Contact Person : Mr Selva Kumar, Manager e-mail : info [at] cybersecurityworks[dot]com
12. M/s Deccan Infotech Pvt Ltd # 13, Jakkasandra Block, 7th Cross, Koramangala, Bangalore – 560034.
Page 4
Website URL : http://www.deccaninfotech.in Telephone : 080-25530819 Fax : 080-25530947 Contact Person : Mr. Dilip. H. Ayyar, Director - Technical e-mail : dilip[at]deccaninfotech[dot]in Mobile : 9686455399
13. M/s Deloitte Touche Tohmatsu India Pvt. Ltd 7th Floor, Building 10, Tower B, DLF City Phase-II, Haryana India Gurgaon-122002 Website URL : http://www.deloitte.com Telephone : +91-1246792000 Fax : +91-1246792012 Contact Person : Mr. Sundeep Nehra, Senior Director e-mail : snehra[at]deloitte[dot]com Mobile : +91-9999003908
14. M/s Digital Age Strategies Pvt Ltd 204, Lakshminarayan Complex, 2nd Floor, Panduranganagar, Opp. HSBC, Bannerghatta Road, Bangalore – 560076. Website URL : http://www.digitalage.co.in Telephone : 080-41503825 Fax : 080-264085148 Contact Person : Mr. Dinesh S. Shastri, Director e-mail : digitalageaudit[at]airtelmail[dot]in Mobile : 9448088666
15. M/s Ernst & Young Pvt Ltd 2nd Floor, TPL House, 3, Cenotaph Road, Teynampet, Chennai – 600018. Website URL : http://www.ey.com/india Telephone : 044-42194650 Fax : 044-24311450 Contact Person : Mr. Terry Thomas, Partner e-mail : terry.thomas[at]in.ey.com Mobile : 9880325000
16. M/s Financial Technologies(India)Ltd 601, Bostan House, 6th Floor, Suren Road, Chakala, Andheri(East), Mumbai-400093 Website URL : http://www.ftindia.com/ Telephone : +912267099600
Page 5
Fax : +912267099066 Contact Person : Mr. Parag Ajmera, Head
17. M/s Haribhakti & Co. 42, Free Press House, 215, Nariman Point, Mumbai – 400021. Website URL : http://www.haribhaktigroup.com Telephone : 022-66729999 Fax: 022-66729777 Contact Person : Mr. Milind Dharmadhikari, Director In-charge e-mail : milind.dharmadhikari[at]bdoindia.co.in
18. M/s HCL Comnet Ltd Head Office, A 10-11, Sector-3, Noida – 201301. Website URL : http://www.hclcomnet.co.in Telephone : 0120-4362800 Fax : 0120-2539799 Contact Person : Mr. Prasun Roy Barman, Global Practice Director - Security e-mail : prasunb[at]hcl.in
19. M/s HEXAWARE TECHNOLOGIES LTD. Plot No. H5, SIPCOT IT Park Navallur Post, Siruseri, Kanchipuram Dt. 603 103 (India) Website URL : http://www.hexaware.com Telephone : +91-44-47451000 Fax : +91-44-47451111 Contact Person : Mr. S. Elangovan e-mail : Elangovan[at]hexaware[dot]com Mobile : 98404 13778
20. M/s IBM India Pvt Ltd 4th Floor, The IL&FS Financial centre, Plot No C 22, G Block, Bandra Kurla Complex, Bandra (East),Mumbai-400051 Website URL : http://www.ibm.com/ Telephone : +91-022-40589000 Fax : +91-22-26533585 Contact Person : Mr. Jeffery Paul
Page 6
e-mail : pjeffery[at]in[dot]ibm[dot]com Mobile : +91-9892502342
21. M/s IDBI Intech Ltd Plot No. 39-41, IDBI Building , Sector-11, CBD Belapur, Navi Mumbai – 400614. Website URL : http://www.idbiintech.com/ Telephone : 022-39148000 Fax : 022-27566313 Contact Person : Mr. Pramod Gosavi, Head - Professional Services e-mail : gosavi.pramod[at]idbiintech.com / is.audit[at]idbiintech.com Mobile : 9890304884
22. M/s Indusface Consulting Pvt Ltd A/2-3, 3rd Floor, Status Plaza, Opp. Relish Resorts, Akshar Chowk, Atladra - Old Padra Road, Vadodara – 390020. Website URL : http://www.indusfaceconsulting.com Telephone : 0265-6562666 Fax: 0265-2355820 Contact Person : Mr. Ashish Tandon, CEO e-mail : ashish.tandon[at]indusfaceconsulting.com Mobile : 9898866444
23. M/s Information Systems Auditors & Consultants Pvt Ltd 12/12 A, 3rd Floor, Dena Bank Building. 17B Horniman Circle, Fort, Mumbai – 400001. Telephone : 022-22663955 Fax: 022-22662661 Contact Person : Mr. Shashin Lotlikar, Director e-mail : smlotlikar[at]isaac.co.in
24. M/s iSec Services Pvt Ltd 608/609 Reliable Pride, Anand Nagar, Opp. Om Heera Panna Mall, Jogeshwari West Mumbai - 400102 Website URL: www.isec.co.in Telephone : 022-26368830 Fax : 022-26300209 Contact Person : Mr. C Karthikeyan, Sr Security Analyst e-mail : contactus[at]isec.co.in
Page 7
25. M/s iViZ Techno Solutions Pvt Ltd RDB Boulevard, 4th Floor, Plot No. K-4, Sector 5, Block - EP & GP, Salt Lake, Kolkata – 700091. Website URL : http://www.ivizsecurity.com/ Telephone : 033-40217300 Fax : 033-40217308 Contact Person : Mr. Rudra Kamal Sinha Roy, Group Head, Project Managment e-mail : rudra[at]ivizsecurity.com Mobile : 9845838888
26. M/s KPMG 4B, DLF Corporate Park, DLF City, Phase-3, Gurgaon – 122002. Website URL : http://www.in.kpmg.com Telephone : 0124-2549191 Fax : 0124-2549101 Contact Person : Mr. Akhilesh Tuteja, Executive Director e-mail : atuteja[at]kpmg.com Mobile : 9871025500
27. M/s Locuz Enterprise Solutions Ltd 3, Tilak Road, Sudha House, Abids, Hyderabad – 500001. Website URL : http://www.locuz.com Telephone : 040-66115511 Fax : 040-66781111 Contact Person : Mr. Uttam Majumdar, Chief of Consulting & Professional Services e-mail : uttam.majumdar[at]locuz.com Mobile : 9848005089
28. M/s Microland Ltd 1B, Ecospace, Belandur, Outer Ring Road, Bangalore – 560037. Website URL : http://www.microland.com Telephone : 080-39180254 Fax : 080-39180044 Contact Person : Venugopal J D, Group Consultant e-mail : ptsdc[at]microland.com Mobile : +919845171663
Page 8
29. M/s MIEL e-Security Pvt Ltd C-611/612, Floral Deck Plaza, MIDC, Central Road, Andheri (East), Mumbai – 400093. Website URL : http://www.mielesecurity.com Telephone : 022-28215050 Fax : 022-28215838 Contact Person : Mr. R. Giridhar, National Sales Manager e-mail : rgiridhar[at]mielesecurity.com Mobile : 9820142476
30. M/s Network Intelligence India Pvt Ltd 204 Ecospace IT Park, Off Old Nagardas Road, Andheri East, Mumbai-400069. Website URL: www.niiconsulting.com Telephone: 022-28392628 Fax: 022-28375454 Contact person: Mr K.K. Mookhey, Principal Consultant e-mail: kkmookhey[at]niiconsulting.com / info[at]niiconsulting.com mobile : +91-9820049549
31. M/s Network Security Solutions (India) Ltd 4 Kumar Pavilion, Gen Thimmayya Marg (East Street). Camp, Pune - 411 001 Website URL : http://www.mynetsec.com Telephone : 020-60601971 Contact Person : Mr. Rajendra Dave (COO), e-mail : coo[at]mynetsec.com Mobile : 9881122049
32. M/s Netmagic Solutions Pvt. Ltd B-2, 2nd Floor, Phase 1, Nirlon knowledge park, Goregaon East. Website URL : http://www.netmagiasolutions.com Telephone : +91 -22 - 40099099 Fax : +91 22 6785 1501 Contact Person : Mr. Yadavendra Awasthi, Chief Information Security Officer (CISO) e-mail : [email protected] Mobile : + 91 - 9820 2425 84
Page 9
33. M/s NIIT Technologies Ltd 223-224, Udyog Vihar-I Gurgaon 122002. Website URL : http://www.niit-tech.com Telephone :0124-4374161 Fax : 011-40570933 Contact Person : Mr. Maneesh Bakhru, e-mail : maneesh.bakhru[at]niit-tech.com Mobile : +91 9818605093
34. M/s Paladion Networks 49, 1st Floor, Shilpa Vidya, 1st Main, 3rd Phase, J P Nagar, Bangalore – 560078. Website URL : http://www.paladion.net Telephone : 080-41135991 Fax: 080-41208559 Contact Person : Mr. Manoj Kumar, Marketing Manager e-mail : manoj.kumar[at]paladion.net Mobile : 9810488748
35. M/s Persistent Systems Limited Pingala-Aryabhatt, Plot No. 9A/12, CTS No. 12A/12, Erandwana, Near Padale Palace , Pune – 411004. Website URL : http://www.persistentsys.com Telephone : 020 – 30234000 Fax: 020 – 3023 4001 Contact Person : Mr. Anand Pande e-mail : security_info[at]persistentsys.com Mobile : +91 9552560590
36. M/s PricewaterhouseCoopers Pvt Ltd Building 8, 8th Floor, Tower B, DLF Cyber City, Gurgaon – 122002. Website URL : http://www.pwc.com Telephone : 0124-4620000 Fax: 0124-4620620 Contact Person : Mr. Neel Ratan, Executive Director e-mail : neel.ratan[at]in.pwc.com
37. M/s Progressive Infotech Pvt Ltd C-161, Phase-II Extension Noida-201305 Website URL : http://progressive.in/ Telephone : +91-120-4393939 Fax : +91-120-4393922
Page 10
Contact Person : Mr. Ajay Batra, Practice Head e-mail : ajay.batra[at]progressive.in Mobile : +91-9811832622
38. M/s ProMinds Consulting Pvt Ltd 402, 4th Floor, ABK Olbee Plaza, Road No. 1, Banjara Hills, Hyderabad – 500034. Website URL : http://www.promindsglobal.com Telefax : 040-40207383 Contact Person : Mr. Balaji Selvaraju, CEO and Principal Consultant e-mail : balajis[at]promindsglobal.com Mobile : +91-9866673663
39. M/s Qadit Systems & Solutions Pvt Ltd 1st Floor, Balammal Building 33 Burkit Road T. Nagar Chennai 600017. Website URL : http://www.qadit.com Telephone : +91-44-42791150/ 51/ 52 Fax : +91-44-42791149 Contact Person : Mr. V. Vijayakumar, Director e-mail : vijay[at]qadit.com Mobile : 9444019232
40. M/s Secure Matrix India Pvt Ltd 12 Oricon House, 14 K Dubash Marg, Kala Ghoda, Fort, Mumbai – 400001. Website URL : http://www.securematrix.in Telephone : 022-32537579 Fax : 022-22886152 Contact Person : Mr. Saurabh B. Dani, Vice Chairman e-mail : saurabh[at]securematrix.in Mobile : 9821542619
41. M/s SecureSynergy Pvt Ltd #3332, 13th Main, 6th Cross, HAL II Stage, Indiranagar, Bangalore – 560038. Website URL : http://www.securesynergy.com Telephone : 080-25210556 Fax: 080-41151605 Contact Person : Mr. Santhosh Koratt, Head - Consulting & Compliance e-mail : santhoshkoratt[at]securesynergy.com
Page 11
42. M/s SecurEyes Techno Services Pvt Ltd #3S, 3rd Floor,Swamy Towers, Chinapanahalli, Marathahalli, Outer Ring Road Bangalore – 560037. Website URL : http://www.secureyes.net Telephone : 080-41264078 Contact Person : Mr. Karmendra Kohli , Chief Operating Officer e-mail : karmendra.kohli[at]secureyes.net Mobile : 9448111432
43. M/s Security Brigade 1/47 Tardeo AC Market, Tardeo, Mumbai – 400034 Website URL : http://www.securitybrigade.com Telephone : 0651-6458865 Fax : 0651-2444545 Contact Person : Mr. Yash Kadakia, Chief Technology Officer e-mail : yash[at]securitybrigade.com Mobile : 9833375290
44. M/s Sify Technologies Ltd Brigade MLR Centre, No. 20, G Floor, Vanivilas Road, Basavanagudi, Bangalore – 560004. Website URL : http://www.sifycorp.com Telephone : 080-61263144 Fax: 022-26177662 Contact Person : Mr. Natarajan K R, DGM - Information Assurance e-mail : natarajan.karrirama[at]sifycorp.com Mobile : 9844374175
45. M/s Simos Computer Systems Pvt Ltd No. 5 (Old No. 3/1), Poes Road, 1st Floor, Teynampet, Chennai – 600018. Website URL : http://www.simosindia.com Telephone : 044-42110302 Fax : 044-42109436 Contact Person : Mr. Balamurugan R, Director e-mail : rbm[at]simosindia.com Mobile : 9884306004
46. M/s SISA Information Security Pvt Ltd 3029, SISA House, 13th Main Road,
Page 12
Sri Sai Darshan Marg, HAL II Stage, Indiranagar, - Bangalore - 560008 Website URL: http://www.sisa.co.in Telephone: 080-41153769 Fax: 080-41153796 Contact person: Mr. Nitin Bhatnagar, Head Business Development e-mail: info[at]sisa.in mobile : +91-9820885922
47. M/s Spectrum IT Solution B–118, Sector 64, Noida,UP – 201307 Website URL : http://www.spectrumin.co.in Telephone : 0120-4236230 Fax : 0120-4236231 Contact Person : Mr. Mahesh Singh, Director e-mail : mahesh[at]spectrumin.co.in Mobile : 9811943670
48. STQC Directorate Department of Information Technology, Min. of Comm'ns & IT, Govt. of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi – 110003. Website URL : http://www.stqc.nic.in Telephone : 011-24363378 Fax: 011-24363083 Contact Person : Mr. Arvind Kumar, Scientist ‘F’ e-mail : arvind[at]mit.gov.in
49. M/s Suma Soft Pvt Ltd Suma Center, 2nd Floor, Opp. Himali Society, Near Mangeshkar Hospital, Erandawane, Pune - 411 004 Website URL:http://www.sumasoft.com Telephone: +91-20-40130400 Fax: +91-20-25438108 Contact Person: C Manivannan e-mail: mani[at]sumasoft.com Mobile: +91-9371011855
50. M/s Sumeru Software Solutions Pvt Ltd #40, Arth, 12th Main, Jayanagar, 4th Block,
Page 13
Bangalore – 560041. Website URL : http://www.sumerusolutions.com Telephone : 080- 28432475 Fax : 080-41211434 Contact Person : Mr. Chidhanandham Arunachalam e-mail : infosec[at]sumerusolutions.com Mobile : 9538912774
51. M/s Sysman Computers Pvt Ltd 312, Sundram, Rani Laxmi Chowk, Sion Circle, Mumbai – 400022. Website URL : http://www.sysman.in Telephone : 9967247000 Telefax: 9967248000 Contact Person : Mr. Rakesh Goyal, Managing Director e-mail : rakesh[at]sysman.in
52. M/s Tata Consultancy Services Ltd Wellspring Phase-3, Godrej and Boyce Complex, Plant No. 12, Gate No. 4, LBS Marg, Vikhroli (West), Mumbai – 400079. Website URL : http://www.tcs.com Telephone : 022-67784139 Fax: 022-67784399 Contact Person : Mr. P V S Murthy, Global Head-Information Security Management Practice e-mail : pvs.murthy[at]tcs.com Mobile : 9223179277
53. M/s Tech Mahindra Ltd A-7, Sector-64, Noida – 201301. Website URL : http://www.techmahindra.com Telephone : 0120-4652000 Contact Person : Mr. Manoj Gilra, Director - Business Development e-mail : mgilra[at]techmahindra.com Mobile : 9810069966
54. M/s Technologics & Control 2/30, 3rd Floor , Sarai Julena, - New Delhi - 110025 Website URL: www.tech-controls.com Telephone: 011-26933733 Fax: 011-26910189
Page 14
Contact person: Mr. Sanjiv Arora, Director e-mail: sa[at]tech-controls.com mobile : +91-9810293733
55. M/s Torrid Networks Pvt. Ltd. H-87, First Floor , Sector-63, Noida 201 301 Website URL: www.torridnetworks.com Telephone: 0120-4216622 Fax: 0120-4314996 Contact person: Mr. Salil Kapoor e-mail: info [at] torridnetworks.com mobile : +91-9266666883/9266666696
56. M/s TVSNet Technologies Ltd 3rd Floor, V B C Solitaire, 47 & 49, Bazullah Road, T Nagar, Chennai – 600017. Website URL : http://www.tvsnet.in Telephone : 044-42923900 Fax: 044-42923999 Contact Person : Mr. Sujit P Christy, ISecurity Manager - Solutions Architect e-mail : sujit.p[at]tvsnet.in Mobile : 9382122359
57. M/s Verizon Business
Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037. Website URL : http://www.verizonbusiness.com/in/ Telephone : +91-11-42818101 Fax : +91-11-42818164 Contact Person : Mr. Prashant Gupta e-mail : Prashant.gupta[at]verizonbusiness.com Mobile : +91- 9899211162
58. M/s VISTA InfoSec Pvt. Ltd. 2/203 Vahatuk Nahar, Caesar Road, Amboli, Andheri (W), Mumbai - 400058 Website URL : http://www.vistainfosec.com Telephone : +91-22-65236292 Fax : Contact Person : [email protected] Mobile : +91-9619990923
Page 15
59. M/s Wipro Ltd Consulting Division, 480 - 481, Udyog Vihar, Phase-3, Gurgaon – 122016. Website URL : http://www.wipro.co.in Telephone : 0124-3084407 Fax : 0124-3084700 Contact Person : Mr. Sachin Nagpal, Consultant e-mail : sachin.nagpal[at]wipro.com Mobile : 9711360534
Page 16
CERT-In empanelled IT Security Auditing Organisations
M/s 3i Infotech Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : 3i Infotech Ltd, Navi
Mumbai
2. Carrying out Information Security Audits since : December 2000
3. Technical manpower deployed for informationsecurity audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 7
CISAs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 40
4. Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 100
Commercial : 0
Proprietary: 1
Total Nos. of Audit Tools : 101
Details of the Audit Tools
Freeware
1. Nessus - Remote security scanner
2. Snort - Network intrusion prevention and detection system
3. Netcat - A simple Unix utility which reads and writes data across network connections, using
TCP or UDP protocol
Commercial
1. Retina - Retina's function is to scan all the hosts on a network and report on any vulnerability
found.
5. Information Security Audit Methodology : OSSTM, OWASP
6. Information Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 0
Private : 22
Total Nos. of Information Security Audits done : 22
7. Business domain of auditee organisations : Banking, Financial, Manufacturing
8. Typical applications in use by auditee organisations : Banking and Financial Applications
Page 17
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 16 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 250
No. of Servers : 30
No. of Switches : 20
No. of Routers : 6
No. of Firewalls : 2
No. of IDS' : 0
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
Back
Page 18
M/s AAA Technologies Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation : AAA Technologies Pvt. Ltd.,
Mumbai
2. Carrying out Information Security Audits since : 2000
3. Technical manpower deployed for security audits :
CISSPs : 3
BS7799 / ISO27001 LAs : 5
CISAs : 9
DISAs / ISAs : 3
Total Nos. of Technical Personnel : 20
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary: 1
Total Nos. of Audit Tools : 20
Details of the Audit Tools
Freeware :
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping – TCP ping utilitiy Dsniff - Passively monitor a network for interesting data (passwords, e-
mail, files, etc.). facilitate the interception of network traffic normally unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. Tools from FoundStone - Variety of free security-tools
14. SQL Tools - MS SQL related tools
15. John the Ripper - Password-cracking utility
16. ITS4 - Scan C/C++ source-code for vulnerabilities
Page 19
17. Paros
18. NMAP - The famous port-scanner
19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
20. Nemesis - Packet injection suite
21. NetCat - Swiss Army-knife, very useful
22. RAT – CISecurity’s Router Auditing Tool
23. DSniff - A collection of different purpose sniffers
24. Achilles - An SSL-proxy allowing to change data
25. Whitehats - Snort IDS-signatures & other resources
26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
27. Brutus – password cracking for web applications, telnet, etc.
28. WebSleuth - web-app auditing tool
29. Mieliekoek - SQL Injection tool, use with HTTrack
30. NT Toolbox - Resources & tools for NT
31. [at]Stake Tools - Tools provided by [at]-Stake
32. TSCrack - Wordlist-based Terminal Server login-cracker L0phtcrack - NT-password cracking utility
33. HTTPrint – detect web server and version
34. Web proxy - web application testing
35. Web server vulnerability assessment tool
Commercial :
None
Proprietary :
1. AAA - Used for Finger Printing and identifying open ports, services and misconfiguration
6. Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT
7. Security Audits carried out since empanelment till now :
Govt. : 88
PSU : 34
Private : 15
Total Nos. of Security Audits : 137
8. Business domain of auditee organisations : Stock Brokers, Banking, Travel, Insurance, Railways, Govt.
9. Typical applications in use by auditee organisations : Banking, Tally, ERP, Home grown applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Servers : 500
No. of Computer Systems : 1000
No. of Routers : 10
No. of Switches : 40
Page 20
No. of Firewalls : 30
No. of IDS' : 20
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 21
M/s AKS Information Technology Services Pvt Ltd Snapshot of skills and competence of CERT-In Empanelled Information Security Auditing Organisation
1. Name, Location of the Empanelled Information Security Auditing Organisation : AKS Information
Technology Services Pvt Ltd, Noida
2. Carrying out Information Security Audits since : September 2006
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 3
CISAs / CISMs: 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 18
4. Outsourcing of External Information Security Auditors / Experts : N
Information Security Audit Tools used (owned, in possession) :
Freeware : 50
Commercial : 4
Proprietary: 1
Total Nos. of Audit Tools : 55
Details of the Information Security Audit Tools
Freeware Tools
1. Nmap, Superscan and Fport - Port Scanners
2. Nessus – Vulnerability Scanner
3. Metasploit & Securityforest - Penetration Testing
4. Process explorer, Sigcheck, Kproccheck - Windows Kernel & malware detection
5. Netstumbler & Kismet – WLAN Auditing
6. Nikto - Web server vulnerability scanner
Commercial Tools
1. GFI Languard, Retina - Vulnerability Scanners
2. Burp Suite, Acunetix - Web application auditing
Proprietary Tools
1. ISA Log Analyzer
5. Information Security Audit Methodology : OSSTM, OWASP, ISO 27001, ISO 25999, CoBIT
Page 22
6. Information Security Audits carried out since empanelment till now :
Govt. : 650
PSU : 50
Private : 40
Total Nos. of Security Audits : 740
7. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development,
Manufacturing, Defence
8. Typical applications in use by auditee organisations : Payment Gateway, PKI-based, Client-Server, Web
Based, MIS, Oracle ERP, NMS Web Applications
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 256 Mbps
10. LAN Infrastructure details of an organizations audited with most complex network :
No. of Servers : 262
No. of Computers : 60
No. of Routers : 212
No. of Switches : 162
No. of Firewalls : 16
No. of IDS' : 2
11. Ability to carry out vulnerability assessment and penetration test : Y
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 23
M/s Appin Software Security Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Appin Software
Security Pvt. Ltd., Delhi
2. Carrying out Information Security Audits since : September 2005
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 7
CISAs / CISMs: 0
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 30
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 11
Commercial : 7
Proprietary: 2
Total Nos. of Information Security Audit Tools : 20
Details of the Information Security Audit Tools
Freeware Tools
1. Nessus
2. Nmap
3. Retina
4. SQL Injector
5. SQL Ninja
6. Backtrack
7. Wikto
8. Web Server Auditor
9. NS Auditor
10. Kismet
11. Ethereal
Commercial Tools
1. GFI languard
2. SSS
3. Accunetix
4. Core Impact
Page 24
5. Appscan
6. Webinspect
7. QualysGuard
Proprietary Tools
1. Appin Guard
2. Appin Runner
6. Information Security Audit Methodology : OSSTM, OWASP, BS7799, ISO27001, ISO25999, CoBIT, SANS,
APPSEC
7. Information Security Audits carried out so far :
Govt. : 70
PSU : 8
Private : 50
Total Nos. of Security Audits : 128
8. Business domains of auditee organisations : Telecom, BPO, Manufacturing, Defence, Media, Infrastructure,
IT/ITES, Banking, Financial SW, Government, Education, Travel
9. Typical applications in use by auditee organisations : CBS, Oracle ERP, NMS, SAP, Peoplesoft, e-Gov.,
Mobile & Web Applications
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4000
No. of Servers : 300
No. of Switches : 200
No. of Routers : 200
No. of Firewalls : 20
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 25
M/s Auditime Information Systems (India) Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : AUDITime Information
Systems (I) Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : September 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs : 10
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 64
4. Outsourcing of External Information Security Auditors / Experts : No
Information Security Audit Tools used (owned, in possession) :
Freeware : 36
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 36
Details of the Audit Tools
Freeware Tools
1. Achilles - A tool designed for testing the security of web applications
2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
3. Brutus- An Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4. Crack - A password cracker
5. CrypTool - A cryptanalysis utility
6. cURL - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS,
GOPHER, TELNET, DICT, FILE and LDAP
7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools
etc
8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of
penetration testing and information gathering
9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
10. FScan - A command-line port scanner. Supports TCP and UDP
11. Fragrouter - Utility that allows to fragment packets in funny ways
12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP,
UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features.
13 .ISNprober - Check an IP address for load-balancing.
14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
Page 26
15. John The Ripper - A password cracker
16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could
be used when scanning a large range of IP addresses, or to verify the results of manual work.
18.Netcat - The swiss army knife of network tools. A simple utility which reads and writes data
across network connections, using TCP or UDP protocol
19. NMAP - The best known port scanner around.
20.p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS
versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like
L0phtcrack or John
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup,
whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone
transfer, SMTP relay check,etc.
23.ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from
command line
26.SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28.Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management
Protocol including snmpget, snmpwalk and snmpset.
33.Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for
the latest vulnerabilities.
Commercial Tools None
Proprietary Tools None
5. Information Security Audit Methodology : ISO17799 / ISO27001
6. Information Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 15
Private : 105
Total Nos. of Security Audits : 120
Page 27
7. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Logistics,
Insurance
8. Typical applications in use by auditee organisations : Core banking, Insurance, Loan & Treasury
Management, Online trading, backoffice, CTCL, accounting, operations mangement, billing
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 15
No. of servers : 28
No. of switches : 0
No. of routers : 1
No. of firewalls : 1
No. of IDS' : 1
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 28
M/S Aegis Tech Limited Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation :
2. Carrying out Information Security Audits since : 12 Years
3. Technical manpower deployed for information security audits :
CISSPs : 1 No.
BS7799 / ISO27001 LAs : 14 Nos.
CISAs : 5 Nos
DISAs / ISAs :
Total Nos. of Technical Personnel : 15
4. Outsourcing of External Information Security Auditors / Experts : DNV for ISO 27001 certification
5. Information Security Audit Tools used (owned, in possession) :
Freeware : Backtrack ver 5
Commercial : Nessus Ver 4.4.1, Accunetix Ver 7
Proprietary: -
Total Nos. of Audit Tools : 3 + Numerous Open Source Tools
6. Information Security Audit Methodology : Discovery (Scanning & probing), Exploitation & Analysis
(Penetrate Perimeter, Attack Resources) , Reporting (Assessment Report & Recommendations)
7. Information Security Audits carried out so far :
Govt. : 1
PSU :
Private : More than 50
Total Nos. of Information Security Audits done : More than 50
8. Business domain of auditee organisations : Banking, Telecom, Manufacturing etc
9. Typical applications in use by auditee organizations : SAP, Oracle Financials, Finacale etc
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 8 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 27 (Internal)
No. of Servers : 11 (External)
No. of Switches : 10
Page 29
No. of Routers : 5
No. of Firewalls : 1
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Details of the Audit Tools
Freeware:
Commercial: ACL, IDEA
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 30
M/s Aujas Networks Pvt Ltd Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Aujas Networks Pvt
Ltd, Bangalore
2. Carrying out Information Security Audits since : February 2008
3. Technical manpower deployed for information security audits :
CISSPs : 7
BS7799 / ISO17799 / ISO27001 LAs : 10
CISAs / CISMs: 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 30
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 24
Commercial : 3
Proprietary: 1
Total Nos. of Information Security Audit Tools : 28
Details of the IT Security Audit Tools
Freeware Tools
1. NMAP - Port Scanning.
2. Super Scan - Port Scanning
3. Netcat - Network Utility.
4. Telnet Client - Network Utility.
5. Putty - Network Utility
6. SNMPWalk - SNMP Scanner
7. User2SID & SID2User - Look up Windows service identifiers.
8. John The Ripper - Unix and NT password Cracker
9. WireShark - Wireshark is a network protocol analyzer for Unix and Windows.
10. Snort - A free lightweight network intrusion detection system for UNIX and Windows.
11. MetaSpoilt - Exploitation Framework
12. Backtrack Live CD - Exploitation framework.
13. Nikto - Network Vulnerability Scanner.
14. BlackWidow - Website Profiling Tool.
15. Wget - Network Utility
16. Paros - HTTP Interceptor.
17. Burp Suite - HTTP Interceptor.
18. Brutus - Brute Force Password Attack
Page 31
19. WFetch - HTTP Raw Methods Debugging
20. AnEc Cookie Editor (Firefox Plug-in) - Cookie Editor
21. Netstumbler - Detection of Wireless LANs
22. Kismet - 802.11 wireless network detector, sniffer, and intrusion detection system.
23. MYSQL Administration Tool - MYSQL Administration.
24. GoCR Decoder - OCR reader.
Commercial Tools
1. Acunetix - Web Vulnerability Scanning Tool.
2. CodeSecure – Code Review Tool
3. Nessus – Network Vulnerability Scanner
Proprietary Tools
1. PHP Security Audit Script : This script checks for insecure web configurations.
6. Information Security Audit Methodology : Standard (ITIL, CoBIT 4.1, COCO ERM, ISO27001, NIST 800-30,
ISO27005, CIS Benchmarks, OWASP, OSSTM)
7. Information Security Audits carried out so far :
Govt. : 4
PSU : 1
Private : 35
Total Nos. of Security Audits : 40
8. Business domains of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail,
Government
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 6 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 1120
No. of Servers : 30
No. of Switches : 10
No. of Routers : 2
No. of Firewalls : 1
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 32
M/s Controlcase India Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : M/s ControlCase India
Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 7
BS7799 / ISO27001 LAs : 4
CISAs : 8
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 20
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 140
Commercial : 3
Proprietary: 1
Total Nos. of Audit Tools : 144
List of Tools used
Freeware:
• Nmap
• Netcat 0.7.1
• Netdiscover
• P0f
• PSK-Crack
• Protos
• Finger Google
• Firewalk
• Fport 2.0 (Windows Executable)
• Goog Mail Enum
• Google-search
• Googrape
• Gooscan
• Host
• InTrace 1.3
• Itrace
• Maltego 2.0
Page 33
• Metagoofil 1.4
• Mbenum 1.5.0 (Windows Executable)
• Netenum
• Netmask
• Nmbscan 1.2.4
• Protos
• PsTools (Windows Executables)
• PStoreView 1.0 (Windows Binary)
• QGoogle
• Relay Scanner
• SMTP-Vrfy
• 0trace 0.01
• DMitry
• DNS-Ptr
• dnstracer 1.5
• dnswalk
• dns-bruteforce
• dnsenum
• dnsmap
• DNSPredict
• Subdomainer 1.3
• TCPtraceroute 1.5beta7
• TCtrace
• Whoami (Windows Executable)
• Network Mapping
• Amap 5.2
• Angry IP Scanner (ipscan) 3.0-beta3
• Autoscan 0.99_R1
• Fierce 0.9.9 beta 03/24/07
• Fping
• Genlist
• Hping
• IKE-Scan
• IKEProbe
• ScanLine 1.01 (Windows Executable)
• SinFP
• XProbe2
• Zenmap 4.60
• Absinthe
• Bed
• CIRT Fuzzer
Page 34
• Checkpwd
• Cisco Auditing Tool
• Cisco Enable Bruteforcer
• Cisco Global Exploiter
• Cisco OCS Mass Scanner
• Cisco Scanner
• Cisco Torch
• Curl
• Fuzzer 1.2
• HTTP PUT
• Nikto
• OpenSSL-Scanner
• Paros Proxy
• RPCDump
• RevHosts
• SMB Bruteforcer
• SNMP Scanner
• SNMP Walk
• SQL Inject
• SQL Scanner
• SQLLibf
• SQLbrute
• Sidguess
• Smb4K
• Snmpcheck
• Snmp Enum
• Spike
• Stompy
• SuperScan
• TNScmd
• Taof
• VNC_bypauth
• Wapiti
• Yersinia
• sqlanlz
• sqldict
• sqldumplogins
• sqlquery
• sqlupload
• Metasploit Framework
• Milw0rm Archive
Page 35
• Ascend attacker
• CDP Spoofer
• Cisco Enable Bruteforcer
• Crunch Dictgen
• DHCPX Flooder
• DNSspoof
• Driftnet
• Dsniff
• Etherape
• EtterCap
• File2Cable
• HSRP Spoofer
• Hydra
• John
• Mailsnarf
• SMB Sniffer
• TFTP-Brute
• VNCrack
• WebCrack
• Wireshark
• Wireshark Wifi
• HttpTunnel Client
• HttpTunnel Server
• Privoxy
• ProxyTunnel
• Rinetd
• AFrag
• ASLeap
• aircrack-ng
• Airoscript
• Kismet
• BTcrack
• Bluebugger
• Blueprint
• Bluesmash
• Bluesnarfer
• Btscanner
• GNU DDD
• Hexdump
• Hexedit
Commercial:
Page 36
• AppScan
• IBM Appscan
• Teanable Nessus
• eEye Retina
6. Information Security Audit Methodology : Standard (OSSTM, OWASP, PCI DSS, PA DSS, PCI ASV, FISAP,
HIPPA, TG3 Certification, EI3PA Certification, ISO27001, ITIL, CoBIT, NIST 800-30, ISO27005, CIS
Benchmarks)
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 0
Private : 55
Total Nos. of Information Security Audits done : 55
8. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Retail,
Government, Health, Logistics, Insurance
9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications, Mobile
Applications, Payment Applications, Billing Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 30
No. of Servers : 45
No. of Switches : 4
No. of Routers : 1
No. of Firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 37
M/s CyberQ Consulting Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : CyberQ Consulting Pvt.
Ltd., New Delhi
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 4
CISAs : 4
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 28
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 44
Commercial : 1
Proprietary: 3
Total Nos. of Information Security Audit Tools : 48
Details of the Information Security Audit Tools
Freeware Tools :
1. Metaspolit 3.2 – Metasploit provides useful information to people who perform penetration testing,
IDS signature development, and exploit research.
2. Backtrack 3 – a Linux distribution, distributed as a Live CD which resulted from the merger of
WHAX and the Auditor Security Collection, which is used for Penetration testing.
3. Sam Spade – a Windows software tool designed to assist in tracking down sources of e-mail spam
4. Telnet – Can report information about an application or service; i.e., version, platform
5. Tcpdump – is a common packet sniffer that runs under the command line
6. Nmap 5.00 – powerful tool available for Unix that finds ports and services available via IP
7. Hping2 – powerful Unix based tool used to gain important information about a network
8. P0F – A versatile passive OS fingerprinting tool
9. Netcat – others have quoted this application as the “Swiss Army knife” of network utilities
10. Ping – Available on most every platform and operating system to test for IP connectivity
11. Traceroute – maps out the hops of the network to the target device or system
12. Tcptraceroute – traceroute implementation using TCP packets
13. Queso – can be used for operating system fingerprinting
14. WebInspect – Vulnerability Scanner
15. Assuria – System Scanner
16. Microsoft baseline analyzer – Specific for Microsoft O/S based system
Page 38
17. Patchlink – for assessing patch status
18. nCircle – IP360
19. Nikto – Web server scanner that tests Web servers for dangerous files/CGIs, outdated server
software and other problems
20. Curl – command line tool for transferring files with URL syntax
21. BurpSuite – Burp Suite is an integrated platform for attacking web applications
22. Ollydbg – debugger that emphasizes binary code analysis, which is useful when source code is not
available
23. SNMP walk – To audit SNMP enabled devices
24. Cain & Able – The top password recovery tool for Windows
25. Brutus – This Windows-only cracker bangs against network services of remote systems trying to
guess passwords by using a dictionary and permutations thereof
26. LC4 – is the award-winning password auditing and recovery application, L0phtCrack.
27. Legion – SMB based tool
28. GetAcct – shows anonymous login information
29. Pwdump – A window password recovery tool
30. AMAP – Application mapper to verify the actual services running on the open port
31. Nslookup – Available on Unix and Windows Platforms
32. Whois Database – Available via any Internet browser client
33. ARIN – Available via any Internet browser client
34. Dig – Available on most Unix platforms and some web sites via a form
35. Web Based Tools – Hundreds if not thousands of sites offer various recon tools
36. Social Engineering – People are an organizations greatest asset, as well as their greatest risk
37. Wireshark – It can scan wireless and Ethernet data and comes with some robust filtering
capabilities.
38. Network Stumbler a.k.a NetStumbler – Windows based tool easily finds wireless signals being
broadcast within range
39. Kismet – One of the key functional elements missing from NetStumbler is the ability to display
Wireless Networks that are not broadcasting their SSID.
40. Airsnort – very easy to use tool that can be used to sniff and crack WEP keys. While many people
bash the use of WEP, it is certainly better than using nothing at all.
41. AiroPeek / Omnipeek – Sniffing & network health checkuptool
42. CowPatty – Is used as a brute force tool for cracking WPA-PSK, considered the “New WEP” for
home Wireless Security.
43. ASLeap – If a network is using LEAP, this tool can be used to gather the authentication data that is
being passed across the network, and these sniffed credentials can be cracked. LEAP doesn’t
protect the authentication like other “real” EAP types, which is the main reason why LEAP can be
broken
44. Cheops-ng – Cheops-ng is a Network management tool for mapping and monitoring your network.
It has host/network discovery functionality as well as OS detection of hosts
Commercial Tools :
Page 39
1. Nessus Security Scanner (Professional feed) – Professional Vulnerability Scanner
Proprietary Tools :
1. CyberQ vulnerability database
2. Scripts for safe exploitation of vulnerabilities
3. CyberQ checklists
6. Information Security Audit Methodology : CISA, Own (CyberQ Method)
7. Information Security Audits carried out since empanelment till now :
Govt. : 458
PSU : 45
Private : 29
Total Nos. of Information Security Audits : 532
8. Business domain of auditee organisations : PKI, Consultancy, Software Development, Telecom, Financial
Institutions, Government, PSUs, Energy, BPO/KPO, Manufacturing Design.
9. Typical applications in use by auditee organisations : PKI, ERP, Web, Client Server, MIS, Network Security
Audit.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 110
No. of switches : 60
No. of routers : 65
No. of firewalls : 1
No. of IDS' : 0
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 40
M/s Computer Science Corporation India Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Computer Sciences
Corporation India Pvt. Ltd. NOIDA
2. Carrying out Information Security Audits since : 2005
3. Technical manpower deployed for information security audits :
CISSPs : 10
BS7799 / ISO27001 LAs : 10
CISAs : 9
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 31
4. Outsourcing of External Information Security Auditors / Experts : NO
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 7
Commercial : 5
Proprietary: 2
Total Nos. of Audit Tools : 14
Details of the Audit Tools
Freeware
1. Nmap
2. Hydra
3. John the Ripper
4. Cain & Abel
5. Wireshark
6. Ettercap
7. Firewalk
Commercial
1. McAfee Foundstone
2. Cenzic Hailstorm Pro
3. Tenable Nessus Pro
4. Metasploit Pro
5. MetaGeek Chanalyzer Pro
Page 41
6. Information Security Audit Methodology : Based on ISO 27001
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 0
Private : 5
Total Nos. of Information Security Audits done : 5
8. Business domain of auditee organisations : Visa and Immigration Services, Cloud Computing, BPO,
Software development
9. Typical applications in use by auditee organisations : Web and E-commerce applications, Client server
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100Mbps
External Bandwidth (WAN / Internet) : 16mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 15000
No. of Servers : 64
No. of Switches : 168
No. of Routers : 8
No. of Firewalls : 8
No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 42
M/s Cyber Security Works Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Cyber Security Works
Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : October 2008
3. Technical manpower deployed for informationsecurity audits :
CISSPs: 3
CISAs: 2
DISAs / ISAs: 0
Total Nos. of Technical Personnel: 8
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware: 19
Commercial: 6
Proprietary: 4
Total Nos. of Audit Tools: 29
Details of audit tools
Freeware Tools:
1. NMap
2. Paros Proxy
3. X-Scan
4. Wikto
5. Wire Shark
6. SQL Power Injector
7. Metasploit
8. Tamper Data
9. SNMP Tool
10. Netcat
11. Dump Sec
12. Look[at]Lan
13. Nipper
14. Kismet
15. Airsnort
16. SQLmap
17. Dsniff
18. Scuba
19. DB Audit
Page 43
Commercial Tools:
1. Webinspect
2. Retina
3. Languard
4. Accunetix
5. Nessus
6. Network Director
Proprietary Tools:
1. WEBSPLOITTM (Vulnerability Assessment and Penetration Mining Engine)
2. VAPSPLOITTM (Web Apps Vulnerability Assessment & Penetration Framework)
3. DPTTM (Dynamic Penetration Testing Toolkit)
4. DCATTM (Digital Crime Analysis Tracking Toolkit)
6. Information Security Audit Methodology : OWASP, ISO27001, COBIT
7. Information Security Audits carried out so far:
Govt.: 6
PSU: 2
Private: 6
Total Nos. of Information Security Audits done: 14
8. Business domain of audited organizations: Banking, Financial, Power and Energy, Government, e-
Governance, Media, ISP
9. Typical applications in use by audited organizations: ERP , Web Based, Client-Server
10. Typical bandwidth (maximum) of any audited organizations :
Internal Bandwidth (LAN / Intranet): 1 Gbps
External Bandwidth (WAN / Internet): 140 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network:
No. of Computer Systems: 8000
No. of Servers: 400
No. of Switches: 100
No. of Routers: 60
No. of Firewalls: 1
No. of IDS': 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 44
M/s Deccan Infotech Pvt Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: Deccan Infotech (P) Ltd, Bangalore
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 2
CISAs : 5
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 9
4. Outsourcing of External IT Security Auditors / Experts : No
Security Audit Tools used (owned, in possession) :
Freeware : 26
Commercial : 10
Proprietary: 0
Total Nos. of Audit Tools : 36
Details of the Audit Tools
Freeware
1. NMAP - Scan Network for Specific Information like logical existence of active reconnaissance.
Check for open ports, services. Some of the tools above also act as vulnerability assessment tools,
Patch management and password auditing. Different kinds of scanning techniques may be used
such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
2. Demon dialer - War Dialers
3. Dsniff - Sniffers
4. Snort - Sniffers
5 .Ethereal - Sniffers
6. WinDump - Sniffers
7. Etherpeek - Sniffers
8 . ARP Spoofing - Sniffers
9. Man-in-the middle SMB/relay / SMB grind - Man in the middle attacks involves positioning
oneself between two systems and actively participating in the connection to gather data
10. AKL - Key Loggers: used to monitor and record keystrokes, keyword detection, screen activity,
all applications, emails, chat clinets etc.
11. Hunt- Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active
sessions.
12. TTY Watcher - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack
active sessions.
Page 45
13. T-Sight - Session Hijacking, Tools to hijack TCP Sessions, Listen, Intercept and Hijack active
sessions.
14. IIS Hack/IIS - Buffer Overflow
15. KOEI.exe / ISAPI DLL - Buffer Overflow
16. IIS exploit - Buffer Overflow
17. IIS Crack - Buffer Overflow
18. IPP Printer Buffer Overflow - Buffer Overflow
19. Web Cracker - Web based password cracking
20. Brutus - Web based password cracking
21. Munga Bunga - Web based password cracking
22. SQL Injection - Attack methodology that targets the data residing in the database through the
firewall that shields it.
23. Trojan maker - Creating Viruses, worms and trojans
24. Sub Seven - Creating Viruses, worms and trojans
25. LOKI - Creating Viruses, worms and trojans
26. 007 shell - Creating Viruses, worms and trojans
Commercial
1. Symantec Net Recon --Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
2. Shadow Security Scanner -- Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
3. GFI Languard scanner -- Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
4. Netscan Pro -- Scan Network for Specific Information like logical existence of active
reconnaissance. Check for open ports, services. Some of the tools above also act as vulnerability
assessment tools, Patch management and password auditing. Different kinds of scanning
techniques may be used such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
5. IP-eye -- Scan Network for Specific Information like logical existence of active reconnaissance.
Check for open ports, services. Some of the tools above also act as vulnerability assessment tools,
Patch management and password auditing. Different kinds of scanning techniques may be used
such as - Open Scan, Half open scan, stealth Scan, sweeps, etc.
6. DOS & DDOS -- Involves breaking into several machines all over the internet. Then the attacker
installs software for DDOS like Ping of death, SSPING, SMURF, LAND EXPLOIT, SYN FLOOD, etc. to
launch coordinated attacks on victim's computer
Page 46
7. LOPHT Crack -- Password crackers Use a combination of dictionary and brute force attacks
commonly used words list.
8. John the Ripper -- Password crackers Use a combination of dictionary and brute force attacks
commonly used words list.
9. Spector Soft -- Key Loggers: used to monitor and record keystrokes, keyword detection, screen
activity, all applications, emails, chat clinets etc.
10. E-Blaster -- Key Loggers: used to monitor and record keystrokes, keyword detection, screen
activity, all applications, emails, chat clinets etc.
5. Security Audit Methodology : COBIT, BS7799, ISO27001, OWASP, OCTAVE, OSSTM
6. Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 2
Private : 0
Total Nos. of Security Audits : 2
7. Business domain of auditee organisations : Banking, Shipping, BPO
8. Typical applications in use by auditee organisations : Core Banking, HelpDesk
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 4
No. of Computer Systems : 800
No. of routers : 0
No. of switches : 1
No. of firewalls : 1
No. of IDS' : 1
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 47
M/s Deloitte Touche Tohmatsu India Pvt. Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organization : Deloitte Touche
Tohmatsu India Pvt. Ltd
2. Carrying out Information Security Audits since : 1999
3. Technical manpower deployed for information security audits :
CISSPs : 17
BS7799 / ISO27001 LAs : 24
CISAs : 100
DISAs / ISAs : 100
Total Nos. of Technical Personnel : 290
4. Outsourcing of External Information Security Auditors / Experts: Not Applicable.
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 27
Commercial : 9
Proprietary: 3
Total Nos. of Audit Tools : 39
List of Tools used Freeware: • Xprobe
• Dnssecwalker
• Tcpdump/tcpshow
• Dsniff
• Ettercap
• Ethereal
• Fping/ Hping
• Queso
• Nmap
• SuperScan
• Netwag
• Firewalk
• Q-Tip
• Jack the Ripper
• Crack 5.0a
• NGS SQLCrack
• Hydra
• Cain and Abel
Page 48
Commercial:
• AppScan
• LC4 (formerly L0phtcrack)
• Nessus
• Internet Security Scanner
• IP-Traf
• Firewalk
• Iris
• WS Ping ProPack
• SolarWinds
6. Information Security Audit Methodology : Own : Deloitte Methodology (Please refer Annexure I)
7. Information Security Audits carried out so far :
Govt. : 5+
PSU : 15+
Private : 150+
Total Nos. of Information Security Audits done : 170+
8. Business domain of auditee organizations : Banking & Finance, Information Technology, Third Party
Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.
9. Typical applications in use by auditee organizations: Enterprise Resource Planning (ERPs), Web Services &
Web Applications etc.
10. Typical bandwidth (maximum) of any auditee organizations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : > 70000
No. of Servers : 500
No. of Switches : 100
No. of Routers : 50
No. of Firewalls : 25
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 49
M/s Digital Age Strategies Pvt Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: Digital Age Stratergies Pvt. Ltd.,
Bangalore
2. Carrying out Information Security Audits since : March 2004
3. Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 5
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 17
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 11
Commercial : 3
Proprietary: 0
Total Nos. of Audit Tools : 14
Details of the Audit Tools
Freeware
1. Winaudit Ver 2.00 - System & HW Audit
Commercial
1. Idea 2004 - ETL & Data Format
2. Iaudit Net Ver 1.02 - ETL & Data Integrity
6. Security Audit Methodology : CoBIT, OWASP, ISACA, ISO 27001
7. Security Audits carried out since empanelment till now :
Govt. : 167
PSU : 112
Private : 412
Total Nos. of Security Audits : 691
8. Business domain of auditee organisations :
Bank,Stock Exchange, BPO, Government, Financial Sector, Insurance and Manufacturing.
9. Typical applications in use by auditee organisations :
Internates Banking / Core Banking Application Package, TBA Packages, Web Applications, Online Trading
Packages.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
Page 50
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 50
No. of Computer Systems : 4030
No. of routers : 443
No. of switches : 485
No. of firewalls : 7
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 51
M/s Ernst & Young Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name, Location of the empanelled IT Security Auditing organisation : Ernst & Young Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : January 2001
3. Technical manpower deployed for IT security audits :
CISSPs : 9
BS7799 / ISO27001 LAs : 2
CISAs / CISM : 65
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 145
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 9
Commercial : 8
Proprietary: 9
Total Nos. of Audit Tools : 26
Details of the IT Security Audit Tools
Freeware
1. Nmap - Port scanner
2. Nessus - Vulnerability scanner
3. Nikto - Web server/application vulnerability scanner
4. Ethereal - Protocol analyzer
5. Somersoft - Security configuration, registry entries and access control lists on systems running the
Windows operating system.
Commercial
1. App Detective - Vulnerability assessment and review of security configuration of MySQL, Oracle,
Sybase, IBM DB2, MS SWQL Server, Lotus Notes/Domino, Oracle Application Server, Web
Applications.
2. Bv-Control Suite - Security assessment -Microsoft Windows, Active Directory, Microsoft Exchange,
Microsoft SQL Server, UNIX (Sun Solaris, HP-UX, AIX, Red Hat and SUSe Linux), Internet Security,
Check Point Firewall I
3. HP WebInspect - Web Application Security assessment
4. IPLocks VA - Database configuration and vulnerability assessment
5. eEye Retina - Network Security scans and IT infrastructure vulnerability assessment
6. Immunity Canvas - Vulnerability exploitation framework for penetration tests
7. eTrust - Online vulnerability management framework.
Page 52
8. Bv-Control - Security and segregation of duty review for SAP
Proprietary
1. iNTerrogator - Review of security configuration of systems running the windows operating system.
2. *nix scripts - A collection of scripts to assess the security configuration including file level ACLs on
*nix systems (SCO OpenServer, Linux, HP-Ux, AIX, Solaris, *BSD).
3. Spider - Web application security assessment
4. FakeOra - Security assessment of 2-tier applications that use Oracle 8i (and above) as RDBMS.
5. S-SAT - A travelling SAP Security tool.
6. Permit - ERP risk assessment and control solution tool.
7. Assessor - Configuration review of Oracle Financials system.
8. WebSmack - Web Application inventory and vulnerability assessment .
9. EY/Mercury - Web based technical work plan generator to perform security configuration review of
IT infrastructure.
6. IT Security Audit Methodology : Beyond Standard
7. IT Security Audits carried out since empanelment till now :
Govt. : 4
PSU : 7
Private : 68
Total Nos. of Security Audits : 79
8. Business domain of auditee organisations : Banking, Financial Services, Software Development, Telecom,
FMCG, Manufacturing.
9. Typical applications in use by auditee organisations : Online Banking Solutions, Stock Trading Platforms,
Online / Mobile Payment Solutions, ERP, CRM, Billing Systems, Corporate Websites.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 150 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of servers : 600
No. of switches : 400
No. of routers : 400
No. of firewalls : 15
No. of IDS' : 24
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 53
M/s Financial Technologies(India)Ltd
Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Financial
Technologies(India)Ltd, Mumbai
2. Carrying out Information Security Audits since : 2003.
3. Technical manpower deployed for information security audits :
CISSPs / CISMs: 5
BS7799 / ISO27001 LAs : 6
CISAs : 14
DISAs / ISAs : 4
Total Nos. of Technical Personnel : 78
4. Outsourcing of External Information Security Auditors / Experts : NA
Information Security Audit Tools used (owned, in possession) :
Freeware : 15
Commercial : 3
Proprietary: 2
Total Nos. of Audit Tools : 20
Financial Technologies(India)Ltd, Mumbai
List of Tools used
Freeware:
• Nmap - Port scanner
• netcat – Networking Utility
• SNMP Scanner - Router and network management
• Metasploit – Penetration testing tool
• RAT - Cisco Router configuration analyzing tool
• MBSA – Windows Security Assessment
• Wireshark – Network Traffic sniffing tool
• Wikto – Web application scanner
• Johntheripper – Password cracking tool
• Acunitix - Web application scanner
• Firefox with addons – Source code reviewing tool
• DumpSec - Windows Security Assessment
• Achilles – Proxy application
• Brutus - Password cracking tool
• Hping2 – Packet crafting tool
Commercial:
Page 54
• Nessus – Network / OS Vulnerability Assessment tool
• HP Web inspect – Web application scanner
• Network General's Sniffer with WAN book - Sniffer Portable™ - Network fault and performance
management tool
5. Information Security Audit Methodology : ISO / IEC 27001:2005, COBiT, PCIDSS, OWASP.
6. Information Security Audits carried out so far :
Govt. : 1
PSU : 0
Private : 25
Total Nos. of Information Security Audits done : 26
7. Business domain of auditee organisations : Banks, Insurance Co.s, Asset Management co.s,
Financial Institutions, Brokerage Firms, Manufacturing, Media, Government, Retail.
8. Typical applications in use by auditee organisations : Multi tier, Client Server, Web Applications,
Databases, SAP, ERP, CRM.
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 gbps
External Bandwidth (WAN / Internet) : 40 mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of Servers : 100
No. of Switches : 40
No. of Routers : 75
No. of Firewalls : 4
No. of IDS' : 2
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 55
M/s Haribhakti & Co. Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Haribhakti & Co. (CA),
Mumbai
2. Carrying out Information Security Audits since : July 1998
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 3
CISAs : 10
DISAs / ISAs : 6
Total Nos. of Technical Personnel : 21
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 3
Commercial : 3
Proprietary: 0
Total Nos. of Information Security Audit Tools : 6
Details of the Information Security Audit Tools
Freeware Tools
1. Nessus - Vulnerability Assessment
2. NMAP - Port Scanner
3. IP Tools - Network
Commercial Tools
1. App Detective - Database Vulnerability
2. GFI-Languard - Network Vulnerability
3. Acunetix
Proprietary Tools
None
6. Information Security Audit Methodology : COSO & COBIT, ISO 27001, BS 25999
7. Information Security Audits carried out since empanelment till now :
Govt. : 4
PSU : 8
Private : 24
Total Nos. of Security Audits : 26
8. Business domain of auditee organisations : Tax Information Network, Depository, Banking & Financial
Services, Insurance, Call Centres, Regulators
Page 56
9. Typical applications in use by auditee organisations : Online/Internet Trading, Dealing Room, Depository
Participant Modules, Treasury, CBS, Core Insurance, Bank Call Centre, Electronic Procurement, OLTAS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 300
No. of servers : 20
No. of switches : 10
No. of routers : 300
No. of firewalls : 3
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 57
M/S HEXAWARE TECHNOLOGIES LTD
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : M/S HEXAWARE TECHNOLOGIES LTD
2. Carrying out Information Security Audits since : 2003
3. Technical manpower deployed for information security audits : CISSPs : : 1 BS7799 / ISO27001 LAs : : 3 CISAs : : 4 DISAs / ISAs : : CEHs : : 4 LPT : : 1 (Licensed Penetration Tester) CPTS : : 1 (Certified Penetration Testing Specialist) Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : NIL
5. Information Security Audit Tools used (owned, in possession) : Freeware : : 25 Commercial : : 4 Proprietary: : Total Nos. of Audit Tools : 29
Details of the Audit Tools
Freeware:
1. Nmap 2. Nping 3. Ncat 4. Nikto 5. NetStumbler 6. Wireshark 7. W3af 8. Metasploit 9. Paros Proxy 10. BackTrack 11. Tcpdump 12. Sqlmap 13. ScanDNS 14. Grendel 15. DirBuster 16. Brutus 17. Samurai Web Testing Framework 18. Crack 19. Google 20. Whisker 21. CrypTool 22. TCPtraceroute 23. NStalker 24. Snort 25. John the Ripper
Commercial:
Page 58
1. Acunetix, 2. Nessus, 3. Saint, 4. GFI Languard
6. Information Security Audit Methodology : ISO27001, OWASP
7. Information Security Audits carried out so far : Govt. : 1 PSU : Private : 25+ Total Nos. of Information Security Audits done : 26+
8. Business domain of auditee organisations : IT and Process Outsourcing Services
9. Typical applications in use by auditee organisations : Peoplesoft HRMS, Peoplesoft Finance, Microsoft CRM, Glodyne Whizible Suite, Borland StarTeam, MS Exchange
10. Typical bandwidth (maximum) of any auditee organisations : Internal Bandwidth (LAN / Intranet) : 80 mbps External Bandwidth (WAN / Internet) : 35 mbps
11. Networked Infrastructure details of an organizations audited with most complex network : No. of Computer Systems : 5000 No. of Servers : 300 No. of Switches : 300 No. of Routers : 20 No. of Firewalls : 10 No. of IDS / IPS : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 59
M/s HCL Comnet Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : HCL Comnet Ltd., Noida
2. Carrying out Information Security Audits since : January 2001
3. Technical manpower deployed for information security audits :
CISSPs : 10
BS7799 / ISO27001 LAs : 9
CISAs : 6
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 350
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 21
Commercial : 9
Proprietary: 0
Total Nos. of Audit Tools : 30
Details of the Audit Tools
Freeware 1.Nessus -- Vulnerability Assessment
2. Database Scanner -- Vulnerability Assessment
3. NetRecon -- Vulnerability Assessment
4. Metasploit -- Penetration Testing
5. Underground Script -- Penetration Testing
6. Wax -- Penetration Testing
7. IMP -- Password Crackers for Penetration Testing
8. Pandora -- Password Crackers for Penetration Testing
9. Crack -- Password Crackers for Penetration Testing
10. John the Ripper -- Password Crackers for Penetration Testing
11. Cisco Crack -- Password Crackers for Penetration Testing
12. Nmap -- Port Scanners
13. Super Scan -- Port Scanners
14. Service Scanner -- Port Scanners
15. Cis-Rat -- to perform audit for Cisco Routers and PIX Firewall by assessing configuration files.
16. nslookup -- to perform initial information gathering of the Network.
17. Ping -- to perform initial information gathering of the Network.
18. tracreroute -- to perform initial information gathering of the Network.
19. Whois -- to perform initial information gathering of the Network.
Page 60
20. Finger -- to perform initial information gathering of the Network.
Commercial
1. ISS -- Vulnerability Assessment
2 Qualys Guard -- Vulnerability Assessment
3 Core Impact -- Penetration Testing
4 L0phtCrack -- Password Crackers for Penetration Testing
5 Apps Scan -- Application Assessment
6 Web Inspect -- Web Application Assessment
7 App Detective -- Application and Database Assessment
6. Information Security Audit Methodology : Own
7. Information Security Audits carried out since empanelment till now :
Govt. : 0
PSU : 0
Private : 55
Total Nos. of Security Audits : 55
8. Business domain of auditee organisations : Banking & Finance, SW, Manufacturing & Devlopment, IT &
ITES
9. Typical applications in use by auditee organisations : NA
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 1 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 500
No. of servers : 30
No. of switches : 45
No. of routers : 2
No. of firewalls : 3
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 61
M/s IBM India Pvt Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : IBM India Pvt Ltd,
Mumbai
2. Carrying out Information Security Audits since : Year 2000
3. Technical manpower deployed for information security audits :
CISSPs : 15
BS7799 / ISO27001 LAs : 30
CISAs : 15
DISAs / ISAs : NA
Total Nos. of Technical Personnel : 400
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 14
Commercial : 6
Proprietary: 5
Total Nos. of Audit Tools : 25
List of Tools used
Freeware:
1. Metasploit: Penetration Testing Framework
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Wireshark - Protocol analyzer
5. MBSA : Windows security assessment
6. Nikto : Web Applications security
7. SNMPWalk : Router and network management
8. CAIN & Able : Traffic sniffing and Password cracking
9. Brutus : Password cracking
10. JohntheRipper : Password cracking
11. W3AF: Application auditing framework
12. Maltego: Intelligence and forensics application.
13. Unicornscan: Port Scanner and Information gathering.
14. Burp: Web proxy tool.
Commercial:
1. Nessus : Network Vulnerability Assessment
2. IBM Appscan : Web Systems & Applications security
3. Retina : Vulnerability Scanner
4. ISS : Vulnerability Scanner
5. Immunity Canvas : Penetration Testing Framework
Page 62
6. Modulo: GRC Framework
Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment
6. Information Security Audit Methodology : ISO27001, COBIT, ISF(IBM Security framework), OWASP, IBM
Penetration Testing methodology.
7. Information Security Audits carried out so far :
Govt. : 5
PSU : 5
Private : 50
Total Nos. of Information Security Audits done : 60
8. Business domain of auditee organisations : Government, PSU, ITES, Manufacturing, Financial
Services,Banking, Telecom
9. Typical applications in use by auditee organisations : Web Applications, Client Server, Banking, ERP, CRM,
telecom Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps- 1Gbps
External Bandwidth (WAN / Internet) : 2Mbps to 10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2500
No. of Servers : 250
No. of Switches : 200
No. of Routers : 80
No. of Firewalls : 15
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 63
M/s IDBI Intech Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : IDBI Intech Ltd.
2. Carrying out Information Security Audits since : November 2007
3. Technical manpower deployed for information security audits :
CISA : 15
CRISC : 2
CGEIT : 2
CEH : 5
BS25999 :1
Managed Security Service Professional : 11
BS7799/ISO27001 LA's : 7
Total Nos. of Technical Personnel: 900 +
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 17
Commercial : 2
Proprietary: 1
Total Nos. of Audit Tools: 20 (Details in the Attached File)
Details of the Audit Tools
Freeware
1.Nmap –- Port scanning & OS fingerprinting Tool
2. Nessus –- Vulnerability Scanning Tool
3. Webscarab –- Captures the request & test the parameter manipulation
4. Burp proxy -- Captures the request & test the parameter manipulation
5. Wireshark –- Sniffs the data flowing on the network
6. Hydra –- Password brute forcing
7. W3af –- Application Security Scanner
8. Crowbar-- Password brute forcing
9. Paros -- A web application vulnerability assessment proxy
10. Wapiti –- Checks the SQL injection
11. Nikto –- Checks the web directory browsing
12. Metasploit –- Exploits vulnerabilities exist in the applications
13. OpenVas -- Vulnerability Scanning
14. Grendelscan-- Performs application security testing
15. SQLbrute –- Checks the SQL injection vulnerabilities
16. SQLiX -- Checks the SQL injection vulnerabilities
17. Httprint –- Webserver fingerprinting
Page 64
Commercial
ACL Desktop Edition:
Auditing Tool for Data Analysis,
Data Cleansing and Exception
Reporting from ACL Services Ltd.
Proprietary
Customized script – To Perform the relay check & DNS checks
6. Information Security Audit Methodology : Own Also, COBIT, ISO27001, PCI-DSS, OWASP and OSSTMM.
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 9
Private : 7
Total Nos. of Security Audits : 26
8. Business domain of auditee organisations, Banking and Financial services
9. Typical applications in use by auditee organisations
Finacle CBS, NSIPO, BSE Back office software, ICRA Online MF, Endorser, Crimson logic Stamping,
Snorkel, Transnet, Lidha-Didha and Other In-House developed Applications.
10. Typical bandwidth (maximum) of any auditee organisations
Internal Bandwidth (LAN / Intranet) : 256 kbps
External Bandwidth (WAN / Internet): 8mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 150
No. of switches : 250
No. of routers : 250
No. of firewalls : 1
No. of IDS : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 65
M/s Indusface Consulting Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Indusface Consulting
Pvt Ltd, Baroda
2. Carrying out Information Security Audits since : July 2004
3. Technical manpower deployed for information security audits :
CISSPs : 8
BS7799 / ISO27001 LAs : 12
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 40
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 40
Commercial : 2
Proprietary: 0
Total Nos. of Audit Tools : 42
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6. Information Security Audit Methodology : ISO27001, COBIT, OWASP, OSSTMM, PCI
7. Information Security Audits carried out since empanelment till now :
Govt. : 250
PSU : 35
Private : 15
Total Nos. of Information Security Audits done : 300
8. Business domain of auditee organisations : Finance, Healthcare, Government, Software / ITES,
Manufacturing, Power (Energy-utilities), Banking
9. Typical applications in use by auditee organisations : Banking, Web 2.0, Billing, PKI, Oracle ERP, VAT,
Document Management System, Content Management System, e-Tender
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 6 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1500
No. of servers : 90
Page 66
No. of switches : 30
No. of routers : 4
No. of firewalls : 4
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 67
M/s Information Systems Auditors & Consultants Pvt Ltd
Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation: Information Systems
Auditors & Consultants Pvt Ltd, Mumbai
2. Carrying out Information Security Audits since : July 1997
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 1
CISAs : 5
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to other external Information Security Auditors /
Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 6
Details of the Audit Tools
Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In
6. Information Security Audit Methodology : BS7799, COBIT
7. Information Security Audits carried out since empanelment till now :
Govt. : 1
PSU : 2
Private : 13
Total Nos. of Security Audits : 16
8. Business domain of auditee organisations : IT Governance, Banking, Pharma
9. Typical applications in use by auditee organisations : Banking, ERP, web, MIS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 16 Mbps
Page 68
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 55
No. of switches : 200
No. of routers : 175
No. of firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 69
M/s iSec Services Pvt Ltd Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : iSec Services Pvt Ltd,
Mumbai
2. Carrying out Information Security Audits since : January, 2003
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 8
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 14
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 25
Details of the Audit Tools
Freeware :
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping – TCP ping utilitiy Dsniff - Passively monitor a network for interesting data (passwords,
e-mail, files, etc.). facilitate the interception of network traffic normally unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. John the Ripper - Password-cracking utility
14. Paros
15. NMAP - The famous port-scanner
16. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
Page 70
17. Nemesis - Packet injection suite
18. NetCat - Swiss Army-knife, very useful
19. RAT – CISecurity’s Router Auditing Tool
20. DSniff - A collection of different purpose sniffers
21. Achilles - An SSL-proxy allowing to change data
22. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
23. Brutus – password cracking for web applications, telnet, etc.
24. WebSleuth - web-app auditing tool
25. Metasploit framework
Commercial :
None
Proprietary :
None
6. Information Security Audit Methodology : OSSTM, OWASP, COBIT
7. Information Security Audits carried out so far:
Govt. : 0
PSU : 0
Private : 15
Total Nos. of Information Security Audits done : 15
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Software development, Business
process outsourcing
9. Typical applications in use by auditee organisations : Banking and Financial Applications, Trading Sofwtare
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 12000
No. of Servers : 150
No. of Switches : 100
No. of Routers : 40
No. of Firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 71
M/s iViZ Techno Solutions Pvt Ltd
BACK
Page 72
M/s KPMG Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : KPMG, Gurgaon
2. Carrying out Information Security Audits since : September 1996
3. Technical manpower deployed for Information security audits :
CISSPs : 17
BS7799 / ISO27001 LAs : 17
CISAs : 50
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 200
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 12
Proprietary: 7
Total Nos. of Information Security Audit Tools : 38
Details of the Information Security Audit Tools
Freeware Tools :
1. NMAP - Network security
2. NetStumbler - Network security
3. AirSnort - Network security
4. SuperScan - Network security
5. Nikto - Web Systems & Applications security
6. THC - Web Systems & Application security
7. CIS - Local Systems & Applications security
8. As400 - Local Systems & Applications security
9. CAIN - Password cracking
10. Brutus - Password cracking
11. JohntheRipper - Password cracking
12. SNMPWalk - Router and network management
13. SNMP Scanner - Router and network management
14. RIP query - Router and network management
15. RAT - Router and network management
16. DumpSec - Windows security
Page 73
17. Wireshark - Network sniffing
18. MBSA - Windows security
19. SQL Scan - Database security
Commercial Tools :
1. ISS Internet - Network security
2. Webinspect - Web Systems & Applications security
3. AppScan - Web Systems &Applications security
4. Bindview - Local Systems & Applications security
5. ISS DB - Database Security
6. AppDetective - Database Security
7. Nessus - Network security
8. Power Tech
9. VeloSecure
10. IPLocks - Database Security
11. Qualsys Guard
12. Core Impact
Proprietary Tools :
1. *nix Scripts - Security Configuration review of *nix systems
2. Database Scripts - Security Configuration review of databases
3. SAP Security Explorer - Security and Configuration review of SAP
4. CHILLI (V. 1.2.0) - Network Discovery
5. OSCR - Oracle Security Review
6. KPMG Application Quality Assessment Tool
7. AS/400 User Profile Analysis - Security Review
6. Information Security Audit Methodology : Beyond Standard, COBIT, ISO27001
7. Information Security Audits carried out since empanelment till now :
Govt. : 10
PSU : 50
Private : 230
Total Nos. of Security Audits : 290
8. Business domain of auditee organisations : Financial Services, InfoTech, Communication, Entertainment,
Infrastructure, Government, Marketing
9. Typical applications in use by auditee organisations : ERP, Email, Client-Server, Web based, Workflow,
Collaboration
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 100 Mbps
Page 74
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 20000
No. of servers : 400
No. of switches : 150
No. of routers : 80
No. of firewalls : 30
No. of IDS' : 45
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 75
M/s Locuz Enterprise Solutions Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Locuz Enterprise
Solutions Ltd, Hyderabad
2. Carrying out Information Security Audits since : August 2001
3. Technical manpower deployed for security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 35
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 5
Proprietary: 1
Total Nos. of Audit Tools : 12
Details of the Information Security Auditing Tools
Freeware Tools
1. OSSIM : Network & System Scan + SCM +SIM
2. Nmap : Network Scan
3. AirSnort : Network Scan
4. Ethereal : Sniffing
5. Metaspoilt : PT
6. Crack
Commercial Tools
1. Locuz/Cisco PSA : Network and all Cisco device scans
2. CA-eTrust SCC : SOC with correlation engine
3. OCTAVE : Risk Management
4. Nessus : Vulnerability Assessments
5. Scan F1 : VA and Firewall Analyzer
Proprietary Tools
1. LITOC : Event correlation, Scan and Remediation
Page 76
6. Security Audit Methodology : Own
7. Security Audits carried out since empanelment till now :
Govt. : 20
PSU : 2
Private : 15
Total Nos. of Security Audits : 37
8. Business domain of auditee organisations : Software Developmemt, Banking, Manufacturing, e-
Commerce, e-Governance, Pharmaceuticals
9. Typical applications in use by auditee organisations : ERP, Banking, e-Commerce, Customised
applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 2 Mbps
External Bandwidth (WAN / Internet) : 6 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 370
No. of Computer Systems : 1800
No. of routers : 6
No. of switches : 22
No. of firewalls : 4
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 77
M/s Microland Ltd
Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation : Microland, Bangalore
2. Carrying out Information Security Audits since : December 1998
3. Technical manpower deployed for security audits :
CISSPs : 3
BS7799 / ISO27001 LAs : 6
CISAs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 25
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 12
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 12
Details of the Information Security Audit Tools
Freeware Tools
Vulnerability Assessment and Penetration Testing
1. Nessus : Vulnerability scanner - Port scan/ Vulnerability scan /web application security
scan
2. Nikto : Web application vulnerability scanner
3. Superscan : Port scanner
4. Dsniff : collection of tools for network auditing and penetration testing
5. Whisker/Libwhisker : CGI vulnerability scanner
6. Network Stumbler : Tool to find open wireless access points
7. SARA : vulnerability assessment tool
8. Achillies : Web application security - proxy
9. Brutus : Password brute forcing tool
10. SPIKE Proxy : HTTP proxy for finding security flaws in web sites
11. Winfingerprint : Win32 Host/Network Enumeration Scanner
12. Auditor : Collection of Tools to conduct security audit.
Footprinting
1. Greenwhich
2. Whois
Page 78
3. Gnetutil : Network Utilities
4. Itrace : ICMP traceroot
5. Tctrace : TCP traceroute
6. Traceroute
7. DNSwalk : DNS verification
8. Dig : DNS lookup
9. Host : DNS lookup
10. NSTXCD : IP over DNS client
11. NSTXD : IP over DNS server
12. Oxyman : DNS tunnel
13. Curl : URL transfer
14. Elinks : Console web browser
15. Konqueror : Web browser
16. Socat : Socket Cat
17. Stunnel : Universal SSL tunnel
18. Arpfetch : SNMP ARP/IP fetcher
19. SNMP Walk : SNMP tree walk
20. TKMib : Mib brower
21. Komba2 : KDE SMB browser
22. LinNeighborhood : Graphical SMB browser
23. Net utils : NET utilities
24. SMBClient : SMB client
25. SMBGet : SMB downloader
26. Smb4K : SMB share browser
27. Xsmbrowser : Graphical SMB browser
28. nmblookup : Netbios name lookup
29. smbdumpusers : User browser
30. smbgetserverinfo : Get server info
31. Cheops : Network neighborhood
32. NTP-fingerprint : Detection based on ntp fingerprint
33. Nmap : Network scanner
34. NmapFE : Graphical network scanner
35. P0f : Passive OS detection
36. Queso : OS detection
37. XProbe2 : OS detection
Scanning
1. Cisco global exploiter : Cisco scanner
2. Cisco torch : Cisco oriented scanner
3. ExploitTree search : ExploitTree collection
4. Metasploit : Metasploit commandline
Page 79
5. Metasploit : Metasploit console GUI
6. Metasploit : Metasploit web interface
7. Nessus : security Scanner
8. Raccess : remote Scanner
9. Httprint : Webserver fingerprinting
10. Nikto : Webserver scanner
11. Stunnel : Universal SSL tunnel
12. Cheops : Network neighborhood
13. GTK-Knocker : Simple GUI portscanner
14. IKE-Scan : IKE scanner
15. Knocker : Simple portscanner
16. Netenum : Pingsweep
17. Netmask : Request neetmask
18. Nmap : Network Scanner
19. NmapFE : Graphical network scanner
20. Proxychains : Proxifier
21. Scanrand : Stateless scanner
22. Timestamp : Requests timestamp
23. Unicornscan : Fast port scanner
24. Isrscan : Source routed packets scanner
25. Amap : Application identification
26. Bed.pl : Application fuzzer
27. SNMP-Fuzzer : SNMP protocol fuzzer
28. ScanSSH : SSH identification
29. Nbtscan : Netbios scanner
30. SMB-Nat : SMB access scanner
31. Ozyman : DNS tunnel
32. Ass : Autonomous system scanner
33. Protos : Protocol identification
Analyzer
1. AIM-SNIFF : AIM sniffer
2. Driftnet : Image sniffer
3. Mailsnart : Mail sniffer
4. Paros : HTTP interception proxy
5. URLsnarf : URL sniffer
6. smbspy : SMB sniffer
7. Etherape : Network monitor
8. Ethereal : Network analyzer
9. Ettercap : Sniffer/Interceptor/Logger
10. Hunt : Sniffer/Interceptor
Page 80
11. IPTraf : Traffic monitor
12. Ngrep : Network grep
13. NetSed : Network edit
14. SSLDump : SSLv3/TLS analyzer
15. Sniffit : Sniffer
16. TcPick : Packet stream editor
17. Dsniff : Password sniffer
Spoofing
1. Arpspoof : ARP spoofer
2. Macof : ARP spoofer/generator
3. Nemesis-ARP : ARP packet generator
4. Nemesis-Ethernet : Ethernet packet generator
5. CDP : CDP generator
6. DNSSpoof : DNS spoofer
7. Nemesis-DNS : DNS packet generator
8. DHCPX : DHCP flooder
9. Hping2 : Packet generator
10. ICMRRedirect : ICMP redirect packet generator
11. ICMPUSH : ICMP packet generator
12. Nemesis-ICMP : ICMP packet generator
13. Packit : Traffic inject/modify
14. TcPick : Packet stream editor
15. Yersinia : Layer 2 protocol injector
16. Fragroute : Egress rewrite
17. HSRP : HSRP generator
18. IGRP : IGRP injector
19. IRDP : IRDP generator
20. IRDPresponder : IRDP response generator
21. Nemesis-IGMP : IGMP generator
22. Nemesis-RIP : RIP generator
23. File2Cable : Traffic replay
24. Fragrouter : IDS evasion toolkit
25. Nemesis-IP : IP packet generator
26. Nemesis-TCP : TCP packet generator
27. Nemesis-UDP : UDP traffic generator
28. SendIP : IP packet generator
29. TCPReplay : Traffic replay
30. Etherwake : Generate wake-on-LAN
Bluetooth
Page 81
1. BTScanner : Bluetooth scanner
2. Bluesnarfer : Bluesnarf attack
3. Ghettotooth : Bluetooth scanner
4. Kandy : Mobile phone tool
5. Obexftp Obexftp ftp client
6. Phone manager
7. RFComm : Bluetooth serial
8. RedFang : Bluetooth bruteforce
9. USSP-Push : Obex-push
10. Xminicom : Terminal
Wireless
1. apmde.sht : Act as accesspoin
2. Airpwn : Client penetration
3. Hotspotter : Client penetration
4. GpsDrive
5. start-gps-daemon : GPS daemon
6. stop-gps-daemon : GPS daemon
7. ASLeap : LEAP/PPTP cracker
8. Genkeys : Hash generator for ASLeap
9. Airforge
10. File2air : Packet injector
11. Void11
12. Void11-Hopper : Channel hopper
13. Gkismet : Graphical wireless scanner
14. GPSMAP : wireless mapping
15. KLV : Kismet Log Viewer
16. Kismet : Ncurses wireless scanner
17. Wellenreiter : Graphical Wireless scanner
18. 802ether : Dumpfile format convertor
19. airodump : Traffic recorder
20. aircrack : Modern WEP cracker
21. Aireplay : Wireless packet injector
22. Wep-Crack : Wep Cracker
23. Wep_Decrypt : Decrypt dump files
24. Airsnort : GUI based WEP cracker
25. ChopChop : Active WEP attack
26. DWEPCrack : WEP cracker
27. Decrypt : Dump file decrypter
28. WEPAtttack : Dictionary attack
29. WEPlab : Modem WEP cracker
Page 82
30. Cowpatty : WPA PSK bruteforcer
31. changemac.sh : MAC address changer
Bruteforce
1. ADMsnmp : SNMP bruteforce
2. Guess-who : SSH bruteforce
3. Hydra : Multi purpose bruteforce
4. K0ldS : LDAP bruteforce
5. Obiwan III : HTTP bruteforce
6. SMB-Nat : SMB access scanner
7. TFTP : bruteforce
8. VNCrack : VNC bruteforce
9. Xhydra : Graphical bruteforcer
Password Cracker
1. BKHive : SAM recovery
2. Fcrackzip : Zip password cracker
3. John : Multi-purpose password cracker
4. Default password list :
5. Nasty : GPG secret key cracker
6. Rainbowcrack : Hash cracker
7. Samdump2 : SAM file dumper
8. Wordlists : Collection of wordlists
Forensics
1. Autopsy : Forensic GUI
2. Recover : Ext2 file recovery
3. Testdisk : Partition scanner
4. Wipe : Securely delete files
Honeypot
1. IMAP
2. POP3
3. Honeyd : Honeypot
4. IISEmulator : Honeypot
5. Tinyhoneypot : Simple honeypot
Commercial Tools
Page 83
Proprietary Tools
6. Security Audit Methodology : BS7799, OSSTM, Own
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Petro, Banking, Insurance, BPO
9. Typical applications in use by auditee organisations : Core Banking, SAP, Workflow
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 8 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 243
No. of Computer Systems : 6000
No. of routers : 0
No. of switches :91
No. of firewalls : 4
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 84
M/s MIEL e-Security Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : MIEL e-Security,
Mumbai
2. Carrying out Information Security Audits since : July 1999
3. Technical manpower deployed for information security audits :
CISSPs : 13
BS7799 / ISO27001 LAs : 25
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 50
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary: 6
Total Nos. of Audit Tools : 27
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
Information Security Audit Methodology : OSSTMM, OWASP, ISO/IEC 27001, COBIT
6. Information Security Audits carried out since empanelment till now :
Govt. : 11
PSU : 15
Private : 110
Total Nos. of Security Audits : 136
7. Business domain of auditee organisations : BFSI, IT/ITES, Manufacturing, Shipping & Logistics, FMCG,
Pharma, PSUs, Aviation, Energy
8. Typical applications in use by auditee organisations : Core Banking, Ticketing, Client-Server, Web Server
9. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
10. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of servers : 15
Page 85
No. of switches : 75
No. of routers : 75
No. of firewalls : 75
No. of IDS' : 0
11. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 86
M/s Network Intelligence India Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation: Network Intelligence India Pvt.
Ltd., Mumbai
2. Carrying out Information Security Audits since : July 2001
3. Technical manpower deployed for Information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 6
CISAs / CISMs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 21
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 3
Proprietary : 2
Total Nos. of Audit Tools : 30
Details of audit tools
Freeware
1. Nmap
2. Nessus
3. Burpsuite
4. Firefox plugins
5. Hydra
6. Paros Proxy
7. Brutus AES
8. Ikescan
9. Ipsecscan
10. Cain & Abel
11. John the Ripper
12. Netstumbler
13. Kismet
14. WEPCrack
15. Nipper
16. RATS
Page 87
17. Unix shell scripts
18. Grease Monkey
19. Wireshark
20. Wikto/Nikto
21. Netcat
22. Phonesweep
23. MBSA
24. SNMPWalk
25. Ophcrack
Proprietary
• AuditPro
AuditPro Enterprise Edition is a proprietary security auditing and compliance tool used by many
organizations and auditors across the world. NII has developed this proprietary technology to help
organizations define assets, policies, and audit systems against these policies. Supported
technologies include Windows (all versions up to 2008), Unix (Sun Solaris, AIX, Linux), Oracle (8i,
9i, 106 and 11g), and SQL Server (2000 and 2005).
• Firesec
Firesec is an in-depth security and configuration audit tool for firewalls – helps review policy
conflicts, unused policy rules, groupable rules, unused configuration objects, as well as helps
check for PCI DSS compliance. Supported firewalls include Cisco, Netscreen, Cyberguard and
Checkpoint.
Commercial
• CodeSecure
CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for
clients to ensure a comprehensive review of web application security.
CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for
clients to ensure a comprehensive review of web application security.
• GFI Languard
GFI Languard Network Security Scanner is one of the most widely used network scanners
• Appscan/Webinspect
On client request, we have experience using these tools on a pay-per-use basis
Page 88
6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001, PCI DSS
7. Information Security Audits carried out so far:
Govt. : 7
PSU : 15
Private : 200
Total Nos. of Security Audits : 222
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government,
FMCG, Healthcare, Retail
9. Typical applications in use by auditee organisations : Web applications, Core banking applications, ERP, CRM,
Telecom-specific applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10-100 Mbps
External Bandwidth (WAN / Internet) : 2-10 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 50000
No. of servers : 500
No. of switches : 7000
No. of routers : 1500
No. of firewalls : 25
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 89
M/s Netmagic Solutions Pvt. Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Netmagic Solutions
Pvt. Ltd.
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
CISSP : 1
BS7799 / ISO27001 LA : 2
BS7799 / ISO27001 LI : 3
CISA : 1
CCNA : 65
CCNP : 4
CCIE : 4
CEH : 3
ITIL : 132
PMP : 6
Total Nos. of Technical Personnel : 300
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 27
Commercial: 2
Proprietary: 1
Total Nos. of Audit Tools : 30
Details of the Audit Tools
Freeware Tools
1. W3af
2. Nmap
3. Firefox with Firecat
4. Owasp CLASP
5. Themis
6. Paros
Page 90
7. Burp
8. WebScarab
9. Paros
10. Websecurify
11. Owasp CSRF tester
12. SQLiX
13. Nikto
14. Labrat
15. Metasploit
16. Backtrack
17. Cain&Able
18. Grendal Scan
19. Kismet
20. Aircrack-NG
21. Ophcrack
22. BeEF
23. CISCO OCS
24. Brutus
25. WFetch
26. NetStumbler
27. OSSEC
Proprietary:
nmcrawler
Commercial:
1. Nessus 2. AppScan (Depending on customer request and engagements)
6. Information Security Audit Methodology: OWASP, OSSTMM, ISO27001, ISO20000, COBIT.
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 5
Private : 100
Total Nos. of Information Security Audits done : 105
8. Business domain of auditee organisations : Manufacturing, IT/ITES, Media & Entertainment (including
online portals), BFSI, Services, PSU, Telecommunications, etc.
Page 91
9. Typical applications in use by auditee organisations : Web Applications, Web Server Applications,
SAP/CRM, Mobile Applications, Security & Monitoring Apps, Thick-Client Application, Network
Infrastructure Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1GBPS
External Bandwidth (WAN / Internet) : 400MBPS
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 200
No. of Servers : 1400
No. of Switches : 25
No. of Routers : 20
No. of Firewalls : 5
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 92
M/s Network Security Solutions (India) Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Network Security
Solutions (India) Ltd., Noida
2. Carrying out Information Security Audits since : September 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 13
CISAs : 6
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 26
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 29
Commercial : 4
Proprietary: 2
Total Nos. of Audit Tools : 35
Details of the Information Security Audit Tools
Freeware Tools
1. X-Scan
2. Hping
3. W Scanner
4. NMap
5. Metasploit
6. Burp Proxy
7. Solar Winds
8. Winhex
9. Achilles Proxy
10. N-Stealth : Security Scanner
11. Websphinx
12. Rainbow : Password Cracker
13. John the Ripper : Password Cracker
14. Stellar : Data Recovery
15. Easy : Data Recovery
16. Nikto
17. Snort
18. Ethereal
Page 93
19. Backtrack 3
20. Helix
21. Auditor Pro
22. Ophcrack
23. Nessus
24. Super Scan
25. SATAN
26. Airmon
27. Aerodump
28. Airplay
29. Aircrack
Commercial Tools
1. eEye Retina
2. Shadow : Security Scanner
3. GFI LAN Guard
4. Core Impact
Proprietary Tools
1. Claymore : Vulnerability Scanner
2. Vulnerability Database
6. Information Security Audit Methodology : COBIT, ISACA, BS25999, OSSTM, OWASP, ISO27001, NIST
7. Information Security Audits carried out since empanelment till now :
Govt. : 237
PSU : 3
Private : 107
Total Nos. of Information Security Audits : 347
8. Business domain of auditee organisations : Government, Defence, Electrical Power Generation, BPO / KPO,
Telecom, Manufacturing, Pharma, Banking & Finance
9. Typical applications in use by auditee organisations : Web, ERP, SAP, Finance, Proprietary Security
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 3000
No. of servers : 125
No. of switches : 250
No. of routers : 0
Page 94
No. of firewalls : 8
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 95
M/s NIIT Technologies Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks,
Bangalore
2. Carrying out Information Security Audits since : May 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary :Information yet to be provided to CERT-In
6. Information Security Audit Methodology : BS7799, COBIT, SANS
7. Information Security Audits carried out since empanelment till now :
Govt. : 51
PSU : 154
Private : 205
Total Nos. of Security Audits : 410
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, SAP, ERP
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 4 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 100000
No. of servers : 15000
No. of switches : 15000
No. of routers : 14000
Page 96
No. of firewalls : 24
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 97
M/s Paladion Networks Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks,
Bangalore
2. Carrying out Information Security Audits since : May 2000
3. Technical manpower deployed for Information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 29
CISAs / CISMs : 7
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 150
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 19
Commercial : 0
Proprietary : 1
Total Nos. of Audit Tools : 20
Details of the Audit Tools
Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In
6. Information Security Audit Methodology : BS7799, COBIT, SANS
7. Information Security Audits carried out since empanelment till now :
Govt. : 51
PSU : 154
Private : 205
Total Nos. of Security Audits : 410
8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government
9. Typical applications in use by auditee organisations : Web, SAP, ERP
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 4 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 100000
No. of servers : 15000
Page 98
No. of switches : 15000
No. of routers : 14000
No. of firewalls : 24
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 99
M/s Persistent Systems Limited Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Persistent Systems
Limited, Pune
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 6
CISAs : 4
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 7
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 11
Commercial : 3
Proprietary: 0
Total Nos. of Audit Tools : 14
Details of the Audit Tools
Freeware: Paros Burp Proxy Webscarab Nikto Wikto Nmap SoapUI Netcat Fiddler Backtrack4 Nipper Commercial: IBM AppScan Nessus GFI Languard NSS
6. Information Security Audit Methodology : ISO 27001, COBIT
Page 100
7. Information Security Audits carried out so far :
Govt. : 0
PSU : 3
Private : 18
Total Nos. of Information Security Audits done : 21
8. Business domain of auditee organisations :
Educational, Biomedical Research, Health Care, Mail & Messaging, SaaS Email Archiving
9. Typical applications in use by auditee organisations :
IIS, Apache,Tomcat, JBoss, ASP.Net, PHP, MySQL, SQL server 2005
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 MBPS
External Bandwidth (WAN / Internet) : 1 MBPS
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : NA
No. of Servers : 8
No. of Switches :2
No. of Routers : 1
No. of Firewalls : 1
No. of IDS' : NA
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 101
M/s PricewaterhouseCoopers Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation :
PricewaterhouseCoopers Pvt. Ltd., Gurgaon
2. Carrying out Information Security Audits since : 1994
3. Technical manpower deployed for information security audits :
CISSPs : 16
BS7799 / ISO27001 LAs : 20
CISAs / CISMs: 77
DISAs / ISAs : 4
Total Nos. of Technical Personnel : 160
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 7
Proprietary: 5
Total Nos. of Audit Tools : 32
Details of the Information Security Audit Tools
Freeware Tools :
1. Nessus : Network Vulnerability Assessmen
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Ethereal : Network traffic sniffing and analysis
5. MBSA : Windows security assessment
6. AirSnort : Wireless Network security
7. Phonesweep : War dialing
8. RIP query : Router security assessment
9. Netcat : Backdoor
10. Nikto : Web Applications security
11. CAIN & Able : Traffic sniffing and Password cracking
12. Brutus : Password cracking
13. JohntheRipper : Password cracking
14. SNMPWalk : Router and network management
15. SNMP Scanner : Router and network management
16. DumpSec : Windows security assessment
17. SQL Scan : Database security assessment
18. Absinthe : SQL Injection
19. Acunetix : Web Vulnerability Scanner
Page 102
20. SiteDigger : Google Hacking
Commercial Tools :
1. Core Impact : Penetration Testing
2. Appscan : Web Systems & Applications security
3. ACL: Audit command La
4. Retina : Vulnerability Scanner
5. Languard : Vulnerability Scanner
6. SolarWinds : Network security
7. ISS : Vulnerability Scanner
Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment
6. Information Security Audit Methodology : ISO27001, COBIT, ESAS, ESBM
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 10
Private : 55
Total Nos. of Information Security Audits : 70
8. Business domain of auditee organisations : ITES, Manufacturing, Government, PSU, Financial Services,
Telecom, Networking
9. Typical applications in use by auditee organisations : Client Server, Web Applications, Oracle, Finacle, ERP,
CRM, telecom Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 20 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 200
No. of switches : 80
No. of routers : 100
No. of firewalls : 20
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Page 103
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 104
M/s Progressive Infotech Pvt Ltd
Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Progressive Infotech
(P) Limited, Noida
2. Carrying out Information Security Audits since : 2009
3. Technical manpower deployed for information security audits :
CISSPs : 02
BS7799 / ISO27001 LAs : 02
CISAs :
DISAs / ISAs :
Total Nos. of Technical Personnel : 40+
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 36+
Commercial :
Proprietary:
Total Nos. of Audit Tools : 36+
Details of the Audit Tools
Freeware :
S. No.
Name of the
Information Security
Audit Tool
Whether freeware,
commercial or proprietary Functions (In brief)
1. Achilles Freeware A tool designed for testing the security of web
applications
2. ADMFtp, ADMSnmp Freeware Tools for remote brute-forcing
3. Brutus Freeware An Windows GUI brute-force tool for FTP, telnet,
POP3, SMB, HTTP, etc
4. Crack Freeware A password cracker
5. Cryp Tool Freeware A cryptanalysis utility
6. Curl Freeware Curl is a tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER,
TELNET, DICT, FILE and LDAP
7 Different network
mapping tools
Freeware Ping, traceroute, whois,snmp tools, dig, nslookup,
DNS tools.etc.
8 Elza Freeware A family of tools for arbitrary HTTP communication
with picky web sites for the purpose of penetration
testing and information gathering
Page 105
9 Exploits Freeware publicly available and homemade exploit code for
the different vulnerabilities around
10 FScan Freeware A command-line port scanner. Supports TCP and
UDP
11 HPing Freeware HPing is a command-line oriented TCP/IP packet
assembler/analyzer. It supports TCP, UDP, ICMP
and RAW-IP protocols, has a traceroute mode, the
ability to send files between a covered channel,
and many other features.
12 ISNprober Freeware Check an IP address for load-balancing.
13 ICMPush Freeware ICMPush is a tool that sends ICMP packets fully
customized from command line
14 John the Ripper Freeware A password cracker
15 L0phtcrack Freeware NTLM/Lanman password auditing and recovery
application (read: cracker)
16 Nessus Freeware A free, powerful, up-to-date and easy to use
remote security scanner. This tool could be used
when scanning a large range of IP addresses, or to
verify the results of manual work.
17 Netcat Freeware The swiss army knife of network tools. A simple
utility which reads and writes data across network
connections, using TCP or UDP protocol
18 NMAP Freeware The best known port scanner tool
19 P0f Freeware Passive OS Fingerprinting: A tool that listens on
the network and tries to identify the OS versions
from the information in the packets.
20 Pwdump Freeware Tools that grab the hashes out of the SAM
database, to use with a brute-forcer like
L0phtcrack or John
21 SamSpade Freeware Graphical tool that allows to perform different
network queries: ping, nslookup, whois, IP block
whois, dig, traceroute, finger, SMTP VRFY, web
browser keep-alive, DNS zone transfer, SMTP relay
check,etc.
22 ScanDNS Freeware Script that scans a range of IP addresses to find
DNS names
23 Scripts Freeware A number of custom developed scripts to test
different security issues
24 Sing Freeware Send ICMP Nasty Garbage. A little tool that sends
Page 106
ICMP packets fully customized from command line
25 SSLProxy, STunne Freeware Tools that allow to run non SSL-aware
tools/programs over SSL.
26 Strobe Freeware A command-line port scanner that also performs
banner grabbing
27 Telesweep Secure Freeware A commercial wardialer that also does
fingerprinting and brute-forcing.
28 THC Freeware A freeware wardialer
29 TCPdump Freeware A packet sniffer
30 UCD-Snmp- (aka NET-
Snmp)
Freeware Various tools relating to the Simple Network
Management Protocol including snmpget,
snmpwalk and snmpset
31 Web Session Editor Freeware Custom made utility that allows to intercept and
edit HTTP sessions.
32 Webinspect Freeware CGI scanning, web crawling, etc
33 Webreaper, wget Freeware Software that mirrors websites to your harddisk
34 Whisker Freeware The most famous CGI scanner. has updated the
scanning databases with checks for the latest
vulnerabilities.
35 Ethereal Freeware GUI for packet sniffing. Can analyse tcpdump-
compatible logs.
6. Information Security Audit Methodology : Attached
7. Information Security Audits carried out so far :
Govt. : Nil
PSU : Nil
Private : 08
Total Nos. of Information Security Audits done : 08
8. Business domain of auditee organizations : Manufacturing, IT & ITES
9. Typical applications in use by auditee organizations : Email and IM applications, ERP, CRM etc
10. Typical bandwidth (maximum) of any auditee organizations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 01 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 500
No. of Servers : 20
No. of Switches : 50
No. of Routers : 6
No. of Firewalls : 6
No. of IDS' : 4
Page 107
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 108
M/s ProMinds Consulting Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : ProMinds Consulting
Pvt Ltd, Hyderabad
2. Carrying out Information Security Audits since : 2006
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 10
CISAs / CISMs: 2
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 15
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 40
Commercial : 5
Proprietary: 0
Total Nos. of Information Security Audit Tools : 45
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6. Information Security Audit Methodology : Own, COBIT, OCTAVE
7. Information Security Audits carried out so far :
Govt. : 20
PSU : 5
Private : 50
Total Nos. of Security Audits : 75
8. Business domains of auditee organisations : Govt, PSU, Defense, IT, ITES, BPO, Healthcare, Insurance,
Financial Services, Banking, KPO
9. Typical applications in use by auditee organisations : Client-Server, Web Applications, ERP, Database,
Office Applications, Software Development Tools, Testing Tools
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
Page 109
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 500+
No. of Servers : 30
No. of Switches : 15
No. of Routers : 5
No. of Firewalls : 3
No. of IDS' : 5
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 110
M/s Qadit Systems & Solutions Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Qadit Systems &
Solutions Pvt. Ltd., Chennai
2. Carrying out Information Security Audits since : April 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 10
DISAs / ISAs : 7
Total Nos. of Technical Personnel : 17
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 31
Commercial : 0
Proprietary: 5
Total Nos. of Information Security Audit Tools : 36
Details of the IT Security Audit Tools
Freeware Tools
1. Nessus - Vulnerability Assessment Tool
2. Metasploit – Vulnerability Assessment and Penetration Testing Tool
3. Paros Proxy - Vulnerability Assessment Tool
4. Samurai Framework – Vulneability Assessment Tool
5. Grendel - Vulnerability Assessment Tool
6. Retina Network Security Scanner – Vulnerability Assessment Tool
7. Webinspect – Vulnerability Assessment Tool
8. Burpsuite – Vulnerability Assessment and Penetration Testing Tool
9. Netcat – Vulnerability Assessment and Penetration Testing Tool
10. SAINT – Vulnerability Assessment and Penetration Tool
11. Firecat – Vulnerability Assessment Framework
12. SQLmap – SQL Injection Tool
13. Nmap - Network Auditing Tool
14. Wireshark - Network Auditing Tool
15. Dsniff – Network Auditing Tool
16. Sam Spade – Network Auditing Tool
17. Nipper – Network Auditing Tool
Page 111
18. Look@Lan – Network Auditing Tool
19. Traceroute – Network Auditing Tool
20. Airsnort – Wireless network penetration testing tools
21. Kismet – Wireless network penetration testing tools
22. Netstumbler – Wireless network penetration testing tools
23. RAT – Risk Assessment Tool
24. MBSA – Security Analysis
25. WebScarab - Web application audit framework
26. W3af - Web application audit framework
27. Nikto - Web server scanner
28. Scuba – Database audit tool
29. DB Audit – Database audit tool
30. L0phtcrack – Password recovery tool
31. Pwdump – Password recovery tool
Commercial Tools
1. SAP User Profile Reviewer : Review user profiles in SAP environment
2. Oracle database Audit Scripts
3. SQL database Audit Scripts
4. ISO 27001 Risk Assessor
5. SAP SOD Analyser
Proprietary Tools
None
6. Information Security Audit Methodology : OSSTM, OWASP, ISACA/ITAF, ISO 27001/27002, COBIT, ISO
25999, SANS, ITIL, OCTAVE, COSO
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 36
Private : 203
Total Nos. of Security Audits : 244
8. Business domain of auditee organisations : Banking, Manufacturing, Telecom, Pharma, Financial Service,
Software Development, e-Governance, Microfinance
9. Typical applications in use by auditee organisations : ATM Switch, SAP, Web, CBS, NMS, ERP, e-
Governance, Web Applications, Payroll, Telecom billing application, Telecom network Monitoring Software,
CRM Applications, Payment Portals
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
Page 112
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 4500
No. of servers : 60
No. of switches : 75
No. of routers : 1000
No. of firewalls : 30
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 113
M/s Secure Matrix India Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled IT Security Auditing organisation
1. Name, Location of the empanelled IT Security Auditing organisation : Secure Matrix India Pvt Ltd,
Mumbai
2. Carrying out Information Security Audits since : November 2004
3. Technical manpower deployed for IT security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 15
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 6
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 7
Details of the IT Security Audit Tools
Freeware :
1. Nessus : Vulnerability Scanning and Reporting
2. Nmap : Port Scanning and finger printing
3. Sara : Vulnerability Assessment
4. MBSA : Security Analysis
5. Dsniff : Network Auditing
6. Sam Spade : Network Query
Commercial :
1. Core Impact
Proprietary :
6. IT Security Audit Methodology : NA
7. IT Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Page 114
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Stock Broking, BFSI, BPO, Technology, Retail, Manufacturing
9. Typical applications in use by auditee organisations : ERP, Accounting, On-line stock trading, databases,
Proprietary applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : NA bps
External Bandwidth (WAN / Internet) : 64 K bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 60
No. of servers : 4
No. of switches : 6
No. of routers : 0
No. of firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 115
M/s SecureSynergy Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing OrganisationSecurity Auditor
1. Name, Location of the empanelled Information Security Auditing Organisation : SecureSynergy Pvt.
Ltd., Mumbai
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for Information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 14
CISAs : 3
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 29
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 35
Commercial : 3
Proprietary: 2
Total Nos. of Audit Tools : 40
Details of the Audit Tools
Freeware :
Information yet to be provided to CERT-In
Proprietary :
Information yet to be provided to CERT-In
6. Information Security Audit Methodology : COBIT, ISO 27001, NIST
7. Information Security Audits carried out since empanelment till now :
Govt. : 11
PSU : 9
Private : 115
Total Nos. of Security Audits : 135
8. Business domain of auditee organisations : IT, ITES, Government, Telecom, Defence, Oil & Gas,
Manufacturing, Pharma
9. Typical applications in use by auditee organisations : ERP, CRM, Web/Middleware/Database, Client-Server
Page 116
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 54 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 3640
No. of servers : 198
No. of switches : 204
No. of routers : 15
No. of firewalls : 4
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 117
M/s SecurEyes Techno Services Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno
Services Pvt. Ltd., Bangalore
2. Carrying out Information Security Audits since : January 2005
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 0
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 84
Commercial : 0
Proprietary: 14
Total Nos. of Audit Tools : 98
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno
Services Pvt. Ltd., Bangalore
2. Carrying out Information Security Audits since : January 2005
3. Technical manpower deployed for Information security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 0
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 84
Commercial : 0
Proprietary: 14
Total Nos. of Audit Tools : 98
Details of the Audit Tools
Freeware :
1. Nessus : Vulnerability scanner used for penetration testing
Page 118
2. Nmap : Port Scanner
3. Metasploit framework : Vulnerability scanner
4. Hping2 : OS finger printing tool, also used for fire walking
5. Ring : Passive OS finger printing tool
6. Nmap-cronos : Passive OS finger printing tool
7. P0f : Passive OS finger printing tool
8. Smtpscan : Mail server profiling tool
9. Sprint : OS detection tool
10. Xprobe : OS detection tool
11. Fire and Water : Web Server discovery tool
12. Ethereal : Sniffer used for capturing and analysing traffic in a penetration test
13. AirSnort : Wireless network penetration testing tools.
14. Kismet : Wireless network penetration testing tools.
15. NetStumbler : Wireless network penetration testing tools.
16. WEPCrack : Wireless network penetration testing tools.
17. Achillies : Web application penetration testing tool
18. Spike Proxy : Automatic Vulnerability scanner for web applications.
19. Odysseus : Web application audit tool
20. Paros : Web application proxy, web application security vulnerability scanner.
21. WinHex : Physical Memory editor used for penetration testing of applications
22. Netcat : Network penetration testing tool.
Proprietary :
1. Windows-VA script : In house developed script used for vulnerability assessment of Windows
operating system
2. Linux-VA script : In house developed script used for vulnerability assessment Linux operating
system.
3. Solaris-VA script : In house developed script used for vulnerability assessment of Solaris operating
system.
4. AIX-VA script : In house developed script used for vulneability assessment of AIX operating
system.
5. Router-VA script : In house developed script used for vulnerability assessment of Routers
6. Switch-VA script : In house developed script used for vulnerability assessment of Switch.
7. WSDigger : Web Services profiling and attack tool.
8. Cookie Digger : Web application audit tool which helps in calculating the strength of cookies and
session ID's
9. Code Scoping tool : Code security audit tool
10. Validator. NET : Web application audit tool for applications built using.net techology
HACME Bank : Web Application audit trainer application
6. Information Security Audit Methodology : OSSTM, SANS, OWASP, Own
Page 119
7. Information Security Audits carried out since empanelment till now :
Govt. : 150
PSU : 5
Private : 15
Total Nos. of Security Audits : 170
8. Business domain of auditee organisations : Banking & Finance, Government, Telecom, IT, SW Dev,
Property Trading, Finance
9. Typical applications in use by auditee organisations : Internet Banking, HR Management, Payroll, Business
Workflow, Finance, Insurance
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 2 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1000
No. of servers : 100
No. of switches : 300
No. of routers : 100
No. of firewalls : 10
No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 120
M/s Security Brigade Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : Security Brigade; Head
Office: Ranchi - India; Branch Offices: Mumbai - India, Pisa - Italy; Partner/Sales Offices:
Bengaluru - India, Chennai - India, Hyderabad - India, Pune - India, New Delhi - India, Kolkata
- India, Houston - US, Toronto - Canada, Lagos - Nigeria, Doha - Qatar, London - UK.
2. Carrying out Information Security Audits since : June 2006
3. Technical manpower deployed for Information security audits :
BS7799 / ISO27001 LAs : 1
ECSAs : 1
LPTs : 1
CEHs : 2
CCNAs : 4
Total Nos. of Technical Personnel : 7
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 1000+
Commercial : 2
Proprietary: 15
Total Nos. of Audit Tools : 1017+
Details of the Audit Tools
Proprietary Tools
1. sdFinder - Identifies internal hosts on non-contiguous IP ranges. It allows us to detect sensitive
information about our clients commercial, intranet and extranet networks.
2. webDiscovery - Identifies as many applications as possible on Client web-servers. The applications
discovered through webDiscovery allow us to provide a superior web application security testing
service than competitive services and products. It allows us to increase the scope of the audit and
cover more areas that could be attacked by malicious users; that would not be covered by a
traditional audit.
3. networkMapper - Network Mapper uses proprietary technology to be able to identify alternative
network routes to bypass security mechanisms such as IDS/IPS/Firewall etc. It allows our experts
to bypass existing security implementations and gain direct access to the systems behind them.
4. webTester - Security Brigade’s in-house developed application utilizes our Benchmark
Development System to ensure that we can identify maximum vulnerabilities in applications
through automated mechanisms. Along with flaws that are known, it uses in-house research to
test for vulnerabilities that are not in the public domain. It allows us to automate the process of
Page 121
identifying and testing known and unknown vulnerabilities in web-applications and strike a cost-
effective time to effort ratio.
5. VA Framework - Security Brigade’s in-house developed framework is an integrated solution
developed by our security experts that have an expertise in the vulnerability assessment domain.
It allows us to integrate the manual and automated testing processes with commercial and open-
source software. Our Integrated Reporting Engine allows us to cross-reference information from all
the different components and generate a report based on our Client’s requirements.
6. PT Framework - Security Brigade’s in-house developed framework is an integrated solution
developed by our security experts that have an expertise in the penetration testing domain. It
allows us to integrate the manual and automated testing processes with commercial and open-
source software. Our Integrated Reporting Engine allows us to cross-reference information from all
the different components and generate a report based on our Client’s requirements.
7. webSpider - Security Brigade’s in-house developed application uses advanced HTML, Java Script,
Ajax, Flash and XML parsing engines to identify and map as much of the client applications as
possible. This not only assists our automated webTester engine, but also assists in carrying out
the manual testing process in an efficient manner. It allows us to attain a cost-effective balance
between thorough testing and time required.
8. sapScan - Security and Configuration Assistant for SAP Security Audits.
9. riskReview - General Risk Assessment Tool.
10. erpInterrogate - ERP Security and Configuration Assessment and Control Tool.
11. Windows Batch Scripts - Windows batch scripts to automate routine server hardening functions
and processes.
12. Linux Bash Scripts - Linux Bash scripts to automate routine server hardening functions and
processes.
13. Oracle Security Assessment Scripts - Oracle Security Assessment Scripts to automate routine
hardening functions and processes.
14. MSSQL Security Assessment Scripts - MSSQL Security Assessment Scripts to automate routine
hardening functions and processes.
15. Internal Vulnerability Database - Automated vulnerability database that is updated every 15
minutes from over 100 public and 20 private feeds.
Commercial Tools
1. Nessus - Premier vulnerability assessment tool with more than 20,000 plugins.
2. GFI LANguard - commercial network security scanner for Windows.
Freeware Tools
1. Wireshark - is an open-source network protocol analyzer for Unix and Windows.
2. Netcat - is a simple utility reads and writes data across TCP or UDP network connections.
3. Metasploit Framework - is an extensible model through which payloads, encoders, no-op
generators, and exploits can be integrated.
Page 122
4. Hping 2 - is a utility sends custom ICMP, UDP, or TCP packets and then displays any replies.
5. Kismet - is a console based 802.11 layer2 wireless network detector, sniffer and intrusion
detection system.
6. Tcpdump - is an IP sniffer.
7. Cain and Abel - is a windows-only password recovery tool that can recover passwords by sniffing,
cracking, recording VoIP conversations, decoding scrambled passwords, revealing password boxes,
etc.
8. John the Ripper - is a fast password cracker.
9. Ettercap - is a terminal-based network/sniffer/interceptor/logger for ethernet LANs.
10. Nikto - is an open-source web-server scanner which performs comprehensive tests against web
servers for several thousand vulnerabilities.
11. THC Hydra - is a fast network authentication cracker.
12. Paros Proxy - java based web proxy for assessing web-application vulnerability.
13. Dsniff - is a powerful network auditing and penetration-testing tool.
14. NetStumbler - is a windows based 802.11 sniffer.
15. THC Amap - is a application fingerprint scanner.
16. Aircrack - is a suite of tools for 802.11a/b/g WEP and WPA cracking.
17. Superscan - is a windows-only port scanner, pinger and resolver.
18. Scapy - is an interactive packet manipulation tool.
19. BackTrack - is an penetration testing live linux distribution.
20. p0f - is a versatile passive OS fingerprinting tool.
21. WebScarab - a framework for analyzing applications that communicate using the HTTP and HTTPS
protocols.
22. Thousands of other open-source tools - We have an internal categorized archive of over 10,000
tools. We utilize these on an on-need basis for specific specialized purposes during engagements.
List can be provided in directory-listing format if required.
6. Information Security Audit Methodology : In-house Developed Hybrid Methodology based on BS7799,
ISO17799, ISO27001, OWASP Testing Guide and OSSTM.
7. Information Security Audits carried out so far:
Govt: 50+
PSU: 10+
Private: 100+
8. Business domain of auditee organisations : Banking & Finance, IT/ITES, Telecom, Manufacturing,
Logistics, Insurance, Retail, Government etc.
9. Typical applications in use by auditee organisations : Corporate Websites, Core Banking, Insurance Portal,
Loan & Treasury Management, Online Trading, Backoffice, CTCL, Accounting, Operations Management,
Billing
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 10 Mbps
Page 123
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 8,000
No. of servers : 300
No. of switches : 40
No. of routers : 5
No. of firewalls : 3
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 124
M/s Sify Technologies Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: Sify, New Delhi
2. Carrying out Information Security Audits since : NA
3. Technical manpower deployed for security audits :
CISSPs : 7
BS7799 / ISO27001 LAs : 14
CISAs : 26
DISAs / ISAs : 16
Total Nos. of Technical Personnel : 63
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 30
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 30
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6. Security Audit Methodology : COBIT, SAS70, BS7799
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Software Dev., BPO, Manuf, Govt.
9. Typical applications in use by auditee organisations : MS Exchange,Web server, SQL Server, Oracle, IIS
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 512 K bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 27
No. of Computer Systems : 165
No. of routers : 0
No. of switches : 2
No. of firewalls : 1
No. of IDS' : 1
Page 125
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing
Organisation).
BACK
Page 126
M/s Simos Computer Systems Pvt Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation: SIMOS COMPUTER SYSTEMS PRIVATE
LIMITED, Chennai
2. Carrying out Information Security Audits since : 2007
3. Technical manpower deployed for security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 1
CISAs : 2
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 10
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 20+
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 21+
Details of the Audit Tools
Freeware : Nmap, OpenVAS, Metasploit, Wikto, Cain & Abel, Netstumbler, Backtrack etc.
Commercial : Burpsuite Professional
6. Security Audit Methodology : ISO27001, COBIT, OWASP, SOGP, OSSTMM
7. Security Audits carried out since empanelment till now :
Govt. : 1
PSU : NA
Private : 15
Total Nos. of Security Audits : 16
8. Business domain of auditee organisations : Banking, Software Dev., BPO, Manuf, Govt.
9. Typical applications in use by auditee organisations : Windows Server, MS Exchange, Linux, Apache, IIS, PHP,
ASP, ASP.NET, MSSQL, MySQL, Oracle
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 1 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 30
No. of Computer Systems : 500+
No. of routers : 10
No. of switches : 20
Page 127
No. of firewalls : 5
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 128
M/s SISA Information Security Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation : SISA Information
Security (P) Ltd., Bangalore
2. Carrying out Information Security Audits since : September 2002
3. Technical manpower deployed for information security audits :
CISSPs : 4
BS7799 / ISO27001 LAs : 3
CISAs : 9
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 25
Commercial : 3
Proprietary: 1
Total Nos. of Audit Tools : 29
Details of the Audit Tools
Freeware :
1. Nessus : Network Scanner
2. N Map : Network Scanner
3. MB Password Cracker : Password Cracker
4. Ethereal : Sniffer
5. WS_Ping Propack : Ping sweeps (Network Scanning)
6. Snort : Ping sweeps (Network Scanning)
7. user2sid and sid2user : Enumeration tools
8. Ping of Death/SMURF : DOS
9. SQLSmack : Hacking Tools
Commercial :
1. ISS Network Scanner : Network Scanner
2. GFI Languard : Network Scanner
3. Legion : Password Guessing Tool
Page 129
6. Information Security Audit Methodology : SISA Proprietary
7. Information Security Audits carried out since empanelment till now :
Govt. : 1
PSU : 5
Private : 99
Total Nos. of Security Audits : 105
8. Business domain of auditee organisations : Information Technology, Banking, IT services, Manufacturing,
Business Process Outsourcing, Telecom
9. Typical applications in use by auditee organisations : Banking Applications, Financial Applications, Mobile
Applications, Web Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 10 Mbps
External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of servers : 25
No. of switches : 50
No. of routers : 30
No. of firewalls : 16
No. of IDS' : 16
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 130
M/s Spectrum IT Solution Snapshot of skills and competence of the CERT-In Empanelled IT Security Auditing Organisation
1. Name, Location of the Empanelled IT Security Auditing Organisation : Spectrum Networks Solutions Pvt Ltd, Noida
2. Carrying out IT Security Audits since : May 2004 3. Technical manpower deployed for IT security audits :
CISSPs : 2 BS7799 / ISO27001 LAs : 5 CISAs / CISMs: 3 DISAs / ISAs : 1 Total Nos. of Technical Personnel : 24
4. Outsourcing of IT Security Auditing Work to External IT Security Auditors / Experts : Yes 5. IT Security Audit Tools used (owned, in possession) :
Freeware : 36 Commercial : 4 Proprietary: 2 Total Nos. of Audit Tools : 42
Details of the Information Security Audit Tools
Freeware Tools
1. Achilles - A tool designed for testing the security of web applications
2. ADMFtp, ADMSnmp - Tools for remote brute-forcing
3. Brutus- An Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc
4. Crack - A password cracker
5. CrypTool - A cryptanalysis utility
6. Curl - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS,
GOPHER, TELNET, DICT, FILE and LDAP
7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools
etc
8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of
penetration testing and information gathering
9. Exploits - publicly available and home made exploit code for the different vulnerabilities around
10. FScan - A command-line port scanner. Supports TCP and UDP
11. Fragrouter - Utility that allows to fragment packets in funny ways
12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP,
UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features.
13. ISNprober - Check an IP address for load-balancing.
14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line
15. John The Ripper - A password cracker
16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)
Page 131
17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could be
used when scanning a large range of IP addresses, or to verify the results of manual work.
18. Netcat - The swiss army knife of network tools. A simple utility which reads and writes data across
network connections, using TCP or UDP protocol
19. NMAP - The best known port scanner around.
20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS
versions from the information in the packets.
21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like
L0phtcrack or John
22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup,
whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone
transfer, SMTP relay check,etc.
23. ScanDNS - Script that scans a range of IP addresses to find DNS names
24. Scripts - A number of custom developed scripts to test different security issues.
25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from
command line
26. SSLProxy, STunnel - Tools that allow to run non SSL-aware tools/programs over SSL.
27. Strobe - A command-line port scanner that also performs banner grabbing
28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.
29. THC - A freeware wardialer
30. TCPdump - A packet sniffer
31. TCPtraceroute - Traceroute over TCP
32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management Protocol
including snmpget, snmpwalk and snmpset.
33. Web Session Editor - Custom made utility that allows to intercept and edit HTTP sessions.
34. Webinspect - CGI scanning, web crawling, etc.
35. Webreaper, wget - Software that mirrors websites to your hard disk
36. Whisker - The most famous CGI scanner. has updated the scanning databases with checks for the
latest vulnerabilities.
Commercial Tools
Proprietary Tools
6. Information Security Audit Methodology : OWASP, ISO27001, COBIT, ITIL
7. Information Security Audits carried out since empanelment till now :
Govt. : 80
PSU : 25
Private : 95
Total Nos. of Security Audits : 200
Page 132
8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Government, IT/ITES,
Software Development
9. Typical applications in use by auditee organisations : Banking and Financial Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 16 Mbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. LAN Infrastructure details of an organizations audited with most complex network :
No. of Servers : 45
No. of Computers : 1500
No. of Routers : 10
No. of Switches : 300
No. of Firewalls : 4
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 133
STQC Directorate Snapshot of skills and competence of CERT-In Empanelled Security Auditor
1. Name, Location of the Empanelled Security Auditing organisation : STQC IT Services, New Delhi
2. Carrying out Information Security Audits since : NA
3. Technical manpower deployed for security audits :
CISSPs : 0
BS7799 / ISO27001 LAs : 12
CISAs : 0
DISAs / ISAs : 9
Total Nos. of Technical Personnel : 12
4. Outsourcing of External IT Security Auditors / Experts : No
5. Security Audit Tools used (owned, in possession) :
Freeware : 23
Commercial : 0
Proprietary: 0
Total Nos. of Audit Tools : 23
Details of the IT Security Audit Tools
Freeware Tools :
Information yet to be provided to CERT-In
Commercial Tools :
Information yet to be provided to CERT-In
Proprietary Tools :
Information yet to be provided to CERT-In
6. Security Audit Methodology : OSSTMM
7. Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Mfg, software Services, BPO, Telecom, Govt.
9. Typical applications in use by auditee organisations : SAP, Oracle
Page 134
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : NA bps
External Bandwidth (WAN / Internet) : NA bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 36
No. of Computer Systems : 500
No. of routers : 0
No. of switches : 68
No. of firewalls : 6
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 135
M/s Suma Soft Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Suma Soft Pvt Ltd
2. Carrying out Information Security Audits since : 2008
3. Technical manpower deployed for information security audits : CISSPs : BS7799 / ISO27001 LAs : 3 CISAs : 5 DISAs / ISAs :1 Total Nos. of Technical Personnel : 10
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) : Freeware : 35 Commercial : 2 Proprietary: 0 Total Nos. of Audit Tools : 37
Details of the Audit Tools
Freeware:
1. Nessus
2. Whisker
3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector
4. DOMTOOLS - DNS-interrogation tools
5. SARA - Vulnerability scanner
6. RAT
7. Nikto - This tool scans for web-application vulnerabilities
8. Snort - IDS
9. Firewalk - Traceroute-like ACL & network inspection/mapping
10. Hping – TCP ping utilitiy Dsniff - Passively monitor a network for interesting data
(passwords, e-mail, files, etc.). facilitate the interception of network traffic normally
unavailable to an attacker
11. HTTrack - Website Copier
12. Chkrootkit - Rootkit discovery tool
13. Tools from FoundStone - Variety of free security-tools
14. SQL Tools - MS SQL related tools
15. John the Ripper - Password-cracking utility
16. ITS4 - Scan C/C++ source-code for vulnerabilities
17. Paros
18. NMAP - The famous port-scanner
19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
Page 136
20. Nemesis - Packet injection suite
21. NetCat - Swiss Army-knife, very useful
22. RAT – CISecurity’s Router Auditing Tool
23. DSniff - A collection of different purpose sniffers
24. Achilles - An SSL-proxy allowing to change data
25. Whitehats - Snort IDS-signatures & other resources
26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
27. Brutus – password cracking for web applications, telnet, etc.
28. WebSleuth - web-app auditing tool
29. Mieliekoek - SQL Injection tool, use with HTTrack
30. NT Toolbox - Resources & tools for NT [at]Stake Tools - Tools provided by [at]-Stake 31. TSCrack - Wordlist-based Terminal Server login-cracker L0phtcrack - NT-password
cracking utility 32. HTTPrint – detect web server and version 33. Web proxy - web application testing 34. Web server vulnerability assessment tool
Commercial Tools
1. Nexpose - Vulnerability Scanners
2. Burp Suite, Acunetix - Web application auditing
6. Information Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT, OSSTM, OWASP
7. Information Security Audits carried out so far :
Govt. : 1
PSU : 1
Private : 25
Total Nos. of Information Security Audits done : 26
8. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development
9. Typical applications in use by auditee organisations : Client-Server, Web based MIS,Oracle,Web
Applications
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 GBPS
External Bandwidth (WAN / Internet) : 12 MBPS
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 350
No. of Servers : 50
No. of Switches : 25
Page 137
No. of Routers : 2
No. of Firewalls : 2
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 138
M/s Sumeru Software Solutions Pvt Ltd
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Sumeru Software
Solutions Pvt Ltd, Bangalore
2. Carrying out Information Security Audits since : 2002
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs / CISMs : 2
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 10
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed) :
Freeware : 61
Commercial : 4
Proprietary: 0
Total Nos. of Information Security Audit Tools : 65
Details of the Information Security Audit Tools
Freeware Tools
1. Nmap / Superscan
2. WireShark
3. Paros Proxy
4. Metasploit Framework
5. Kismet / NetStumbler / Aircrack
6. Nikto / Wikto
7. BackTrack
8. WebScarab
Commercial Tools
1. Nessus
2. WebInspect
3. MegaPing
4. Retina
Proprietary Tools
None
Page 139
6. Information Security Audit Methodology : OWASP, OSSTMM, ISO27001, BS 25999
7. Information Security Audits carried out so far :
Govt. : 7
PSU : 0
Private : 101
Total Nos. of Security Audits : 108
8. Business domains of auditee organisations: Manufacturing, Hospitality, Media, Defence, BSFI, IT/ITES,
Publishers, Human resources, Insurance, Government.
9. Typical applications in use by auditee organisations : e-Commerce Portals, Job Portals, News Portals,
Public Forum, Pay Roll Applications, Intranet Applications, Webmail, Insurance web porta.
10. Bandwidth available with an auditee organisation having most complex network :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 10 Mbps
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4500
No. of Servers : 70
No. of Switches : 300
No. of Routers : 2
No. of Firewalls : 135
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 140
M/s Sysman Computers Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name and location of the empanelled Information Security Auditing Organisation : Sysman Computers
Pvt. Ltd., Mumbai
2. Carrying out Information Security Audits since : 1991
3. Technical manpower deployed for security audits :
CISSPs : 5
BS7799 / ISO27001 LAs : 7
CISAs : 12
DISAs / ISAs : 6
Total Nos. of Technical Personnel : 30
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 28
Commercial : 5
Proprietary: 0
Total Nos. of Audit Tools : 33
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6. Information Security Audit Methodology : COBIT, ISO 27001
7. Information Security Audits carried out since empanelment till now :
Govt. : 5
PSU : 55
Private : 100
Total Nos. of Security Audits : 160
8. Business domain of auditee organisations : Banking, BPO, Manufacturing, Healthcare, Government
9. Typical applications in use by auditee organisations : Banking, Accounting, Data Processing, Call Centre,
Healthcare, Travel, Education
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 M bps
External Bandwidth (WAN / Internet) : 2 M bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 1500
No. of servers : 25
No. of switches : 55
No. of routers : 8
Page 141
No. of firewalls : 2
No. of IDS' : 2
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 142
M/s Tata Consultancy Services Ltd Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing Organisation
1. Name, Location of the empanelled Information Security Auditing Organisation: Tata Consultancy
Services Ltd, Mumbai
2. Carrying out Information Security Audits since : 2001
3. Technical manpower deployed for information security audits :
CISSPs : 25
BS7799 / ISO27001 LAs : 60
CISAs : 15
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 232
4. Outsourcing of Information Security Auditing Work to external Information Security Auditors / Experts :
No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 5
Commercial : 2
Proprietary: 2
Total Nos. of Audit Tools : 9
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6. Information Security Audit Methodology : Own
7. Information Security Audits carried out since empanelment till now :
Govt. : 6
PSU : 4
Private : 12
Total Nos. of Security Audits : 22
8. Business domain of auditee organisations : Banking, Stock Exchange, Power, Manufacturing, Government.
9. Typical applications in use by auditee organisations : Core Banking, stock broking, power management,
Telecom, Governance.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 2 Mbps
External Bandwidth (WAN / Internet) : 5 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 200
Page 143
No. of servers : 100
No. of switches : 50
No. of routers : 50
No. of firewalls : 50
No. of IDS' : 20
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 144
M/s Tech Mahindra Ltd Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation
1. Name, Location of the empanelled IT Security auditing organisation : Tech Mahindra Ltd, Noida
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for security audits :
CISSPs : 14
BS7799 / ISO27001 LAs : 56
CISAs : 10
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 97
4. Outsourcing of External IT Security Auditors / Experts : No
5. IT Security Audit Tools used (owned, in possession) :
Freeware : 2
Commercial : 1
Proprietary: 1
Total Nos. of Audit Tools : 4
Details of the Information Security Audit Tools
Freeware Tools None
Commercial Tools None
Proprietary Tools None
6. IT Security Audit Methodology : ISO 27001/BS7799
7. IT Security Audits carried out since empanelment till now :
Govt. : 1
PSU : 0
Private : 34
Total Nos. of Security Audits : 35
8. Business domain of auditee organisations : Automobiles, Retailing, Pharma, Telecom, BPO, Finance
9. Typical applications in use by auditee organisations : SAP, Web Applications, CRM, Service Assurance,
Service Fulfilment, COTS Products
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 2 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 2000
No. of servers : 60
No. of switches : 100
No. of routers : 25
Page 145
No. of firewalls : 20
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
Page 146
M/s Technologics & Control Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Technologics and Controls, New Delhi, India
2. Carrying out Information Security Audits since : December 2002
3. Technical manpower deployed for information security audits :
CISSPs : 1
BS7799 / ISO17799 / ISO27001 LAs : 1
CISAs / CISMs: 4
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 6
4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No
5. Information Security Audit Tools being used (available, installed and licensed):
Freeware : 10
Commercial : 3
Proprietary: 0
Total Nos. of Information Security Audit Tools : 13
Details of the Information Security Audit Tools
Freeware Tools
• Brutus,Superscan
• Nessus Vulnerability Scanner
• Belarc Advisor
• M Metasploit Framework 3
• Mozilla Firefox Extension AnEC Cookie Editor v0.2.1.3
• Wireshark
• HTTP Editor
• Tenable Nessus
• Mozilla Firefox Extension Hack Bar
• WebScarab
Commercial Tools
• Meycor Cobit suite
• IBM Rational AppScan v7.7
• Acunetix Web Vulnerability Scanner v6.5
Page 147
Proprietary Tools None
6. Information Security Audit Methodology : OSSTM, OWASP, ISO27001, COBIT, Audit ICQ
7. Information Security Audits carried out so far :
Govt. : 2
PSU : 0
Private : 45
Total Nos. of Security Audits : 47
8. Business domains of auditee organisations : Banking, Insurance, Services, ITES, Finance, Stock traders, UN,
Manufacturing, Defence, NGO, Government
9. Typical applications in use by auditee organisations : ERP (SAP, MFGPro, Ingenium, others), HR and Payroll,
Document Imaging, Banking (CBS / TBA), Web and E-commerce Applications
10. Bandwidth available with an auditee organisation having most complex network:
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : upto 16 MBPS
11. LAN infrastructure details of an auditee organisation having most complex network :
No. of Computers : 4000
No. of Servers : 190
No. of Switches : 400
No. of Routers : 150
No. of Firewalls : 4
No. of IDS' : 1
12. Ability to carry out vulnerability assessment and penetration test : Y
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 148
M/s Torrid Networks Pvt. Ltd.
Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : M/s Torrid Networks
Pvt. Ltd.
2. Carrying out Information Security Audits since : 2006
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 2
CISAs : 1
DISAs / ISAs :
Total Nos. of Technical Personnel : 35
4. Outsourcing of External Information Security Auditors / Experts : None
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 7
Proprietary: 12
Total Nos. of Audit Tools : 39
Details of the Audit Tools
Freeware:
nmap
Nessus
Metasploit
Nikto
Burp
Paros
WebScarab
SQL injector
Ollydbg
WireShark
Cain & Abel
BackTrack Distro
Commercial: AppScan
Accunetix
Page 149
CoreImpact
Nexpose
CodeSecure
Fortify
Qualys
6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001
7. Information Security Audits carried out so far :
Govt. : 3
PSU : 3
Private : 54
Total Nos. of Information Security Audits done : 60
8. Business domain of auditee organisations : BFSI, Telecom, BPO, IT/ITES, Manufacturing, Engineering
9. Typical applications in use by auditee organisations : HRMS, CRM, Exchange, Billing, ERP, Intranet, Payroll
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1Gpbs
External Bandwidth (WAN / Internet) : 5Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 10000
No. of Servers : 500
No. of Switches : 250
No. of Routers : 25
No. of Firewalls : 18
No. of IDS' : 10
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.
BACK
Page 150
M/s TVSNet Technologies Ltd Snapshot of skills and competence of CERT-In Empanelled Information Security Auditor
1. Name, Location of the empanelled Information Security Auditing organisation : TVSNet Technologies
Ltd, Chennai
2. Carrying out Information Security Audits since : January 2000
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 3
CISAs/CISMs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 25
4. Outsourcing of External Information Security Auditors / Experts : Yes
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 20
Commercial : 1
Proprietary: 0
Total Nos. of Audit Tools : 21
Details of the Information Security Audit Tools
Freeware :
1. Smartwhois: To perform initial information gathering of the network
2. SPIKE Proxy: is a full featured HTTP and HTTPS proxy built with Python
3. WebGoat: This is used to investigate common server-side application flaws
4. Nikto : Web Systems & Application Security
5. Paros proxy : A web application vulnerability assessment proxy
6. Burp suite: An integrated platform for attacking web applications
7. Nessus : Network Security
8. Nmap: Network Security
9. Whois: To perform initial information gathering of the network
10. SolarWinds : Used for Penetration Testing
11. Ethereal: Network Sniffing
12. Shadow security scanner: Web server Vulnerability Scanning
13. TamperIE: Proxy tool
14. Brutus: Password Cracker
15. Visual Trace Route : To perform initial information gathering of the network
16. Neo Trace Route : To perform initial information gathering of the network
Page 151
Commercial :
1. Acunetix Web Vulnerability Scanner: Acunetix WVS automatically checks web applications for
vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on
authentication pages.
6. Information Security Audit Methodology : OSSTMM, OWASP, ISO 27001
7. Information Security Audits carried out since empanelment till now :
Govt. : 9
PSU : 7
Private : 25
Total Nos. of Security Audits : 41
8. Business domain of auditee organisations : Government, Banking, Telecom, Manufacturing, ITES
9. Typical applications in use by auditee organisations : Web Applications, ERP, Email
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 100 Mbps
External Bandwidth (WAN / Internet) : 4 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 180
No. of Computer Systems : 3000
No. of routers : 25
No. of switches : 20
No. of firewalls : 5
No. of IDS' : 7
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
BACK
Page 152
M/s Verizon Business Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : Verizon Business,
Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 74
BS7799 / ISO27001 LAs : 15
CISAs : 35
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 500+
4. Outsourcing of External Information Security Auditors / Experts : Not Applicable
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 43
Commercial : 6
Proprietary: 8
Total Nos. of Audit Tools : 57
Details of the Audit Tools
1. Freeware:
2. Netcat
3. Ethereal
4. TCPdump
5. SSLdump
6. Brutus
7. Dig
8. Nmap
9. VisualRoute
10. Fscan
11. Cain & Abel
12. Firewalk
13. DumpACL
14. DumpEvt
15. DumpReg
16. DumpSec
17. Enum
Page 153
18. Paros
19. WebSleuth
20. WebProxy
21. Nikto
22. Achilles
23. Cerberus
24. DDosPing
25. Brutus
26. John the Ripper
27. Absinthe
28. Metasploit
29. SNMP Walker
30. SQL Squirrel
31. Black Widow
32. Ettercap
33. Rainbowcrack
34. IISCat
35. IISHack
36. PipeUpAdmin
37. Pwdump2
38. GFI LanGuard
39. HFNetChk
40. ConfigDefence
41. UnixRecon
42. Titan
43. AppSecInc
44. VoIP Hopper
Commercial:
1. nCircle
2. Nessus Professional Feed
3. Ounce / IBM AppScan
4. WebInspect
5. Core Impact
6. Canvas
6. Information Security Audit Methodology : Verizon Business’ Proprietary
7. Information Security Audits carried out so far :
Govt. : 10
Page 154
PSU : 4
Private : 150+
Total Nos. of Information Security Audits done : 164+
8. Business domain of auditee organisations : Banking & Finance, Information Technology, Government
Establishments, Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences &
Healthcare.
9. Typical applications in use by auditee organisations : Enterprise Resource Planning (ERPs), Online Banking
Solutions, Online Payment Solutions, CRM, Billing Systems, Corporate Websites, Web Services & Web
Applications.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1 Gbps
External Bandwidth (WAN / Internet) : 100 Mbps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : >50000
No. of Servers : >350
No. of Switches : 200
No. of Routers : 80
No. of Firewalls : 40
No. of IDS' : 8
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
Back
Page 155
M/s VISTA InfoSec Pvt. Ltd. Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation
1. Name & location of the empanelled Information Security Auditing Organisation : VISTA InfoSec Pvt.
Ltd., Mumbai – 400058.
2. Carrying out Information Security Audits since : 2004
3. Technical manpower deployed for information security audits :
CISSPs : 4
BS7799 / ISO27001 LAs : 5
CISAs : 5
DISAs / ISAs : 1
Total Nos. of Technical Personnel : 16
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 47
Commercial : 4
Proprietary : 3
Total Nos. of Audit Tools : 54
Details of the Audit Tools
Freeware:
1. Port Scanners - AngryIPScanner, SuperScan, NetScanTools, Unicornscan, Nmap, THC-
Amap, ike-scan.
2. Web Browser Addons – NoScript, Tamper Data, Firebug, etc.
3. Password Crackers – Aircrack, Cain & Abel, John the Ripper, THC Hydra, ophcrack,
Medusa, fgdump, L0pthCrack, solarwinds, RainbowCrack, Wfuzz, Brutus.
4. Encryption Tools – Stunnel, OpenVPN, Tor, OpenSSLGnuPG/PGP, OpenSSH/Putty/SSH.
5. Debuggers – IDA Pro, OllyDbg, WinDbg.
6. Forensics – Maltego, Helix, The Sleuth Kit, Encase.
7. Fuzzers – w3af, skipfish, Wapiti.
8. General Purpose – Netcat, cURL, Socat, Firefox, Google, Perl/Python/Ruby.
9. Packet Crafters – Netcat, Hping, Scapy, Yersinia, Nemsis, Socat.
10. Rootkit Detectors – Sysinternals, Tripwire, Dumpsec, AIDE.
11. Security Distros – BackTrack, Helix, Samurai Web Testing Framework, Knoppix, SELinux
12. Sniffers – Wireshark, Cain & Abel, tcpdump, kismet, Ethercap, Netstumbler, dsniff, Ntop,
Ngrep, P0f, inSSIDer, KisMAC.
Page 156
13. Exploitation Tools – Metasploit Framework, w3af, Core Impact, sqlmap, SET, sqlninja,
BeEF, dradis, WebGoat, Brup Suite, ExploitPack.
14. Vulnerability Scanners – Nessus, OpenVAS, GFI Languard, MBSA, Nipper, SAINT,
NeXpose.
15. Web Proxy – Paros Proxy, Fiddler, sslstrip, ratproxy.
16. Web Scanners – Brup Suite, Nikto, w3af, Acunetix, Netsparker, Wikto, DirBuster,
Arachni.
17. Wireless Tools – Aircrack, Kismet, NetStumbler, inSSIDer, KisMAC.
18. Anti-Malware – MalwareBytes, ClamAV Signatures Toolkit, VirusTotal.
Commercial:
1. Rapid7 – NeXpose
2. Rapid7 – Metasploit
3. Tenable Nessus
4. IBM AppScan
6. Information Security Audit Methodology :
ISO27001/ISO20000/BS25999/ISO18028/SANS/OWASP/OSSTM/CIS/CHECK/NIST/RBI
7. Information Security Audits carried out so far :
Govt. : 10
PSU : 17
Private : 161
Total Nos. of Information Security Audits done : 188
8. Business domain of auditee organisations : Banks, Insurance, Financial services, BPO, Software
development, Pharma, Manufacturing, Entertainment, Realty, Retail, Governance, Power and Petrochem.
9. Typical applications in use by auditee organisations : Core Banking, SAP, ERP, CRM, Internet Banking,
Time Management, Peoplesoft, Payment Gateway applications, Oracle, Financial Applications, Mobile
applications, SCADA Applications, etc.
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : 1000
External Bandwidth (WAN / Internet) : 2mb + 2mb
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of Computer Systems : 8000
No. of Servers : 250
No. of Switches : 400
No. of Routers : 35
Page 157
No. of Firewalls : 35
No. of IDS' : 4
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
Back
Page 158
M/s Wipro Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation
1. Name, Location of the Empanelled Information Security Auditing organisation : Wipro Ltd., Gurgaon
2. Carrying out Information Security Audits since : October 2000
3. Technical manpower deployed for information security audits :
CISSPs : 2
BS7799 / ISO27001 LAs : 1
CISAs : 1
DISAs / ISAs : 0
Total Nos. of Technical Personnel : 55
4. Outsourcing of External Information Security Auditors / Experts : No
5. Information Security Audit Tools used (owned, in possession) :
Freeware : 42
Commercial : 12
Proprietary: 1
Total Nos. of Audit Tools : 55
Details of the Audit Tools
Freeware : Information yet to be provided to CERT-In
Proprietary : Information yet to be provided to CERT-In
6. Information Security Audit Methodology : NA
7. Information Security Audits carried out since empanelment till now :
Govt. : NA
PSU : NA
Private : NA
Total Nos. of Security Audits : NA
8. Business domain of auditee organisations : Oil, Pharma, Manufacturing
9. Typical applications in use by auditee organisations : NA
10. Typical bandwidth (maximum) of any auditee organisations :
Internal Bandwidth (LAN / Intranet) : NA bps
External Bandwidth (WAN / Internet) : NA bps
11. Networked Infrastructure details of an organizations audited with most complex network :
No. of servers : 5
No. of Computer Systems : 8
No. of routers : 0
No. of switches : 1
No. of firewalls : 1
No. of IDS' : 1
Page 159
12. Ability to carry out vulnerability assessment and penetration test : Yes
Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
TOP