TATA Communications VAPT Service Overview

The document provides an overview of Tata Communications' Vulnerability Assessment and Penetration Testing (VAPT) services. It describes the delivery models as either managed services or consulting services. It outlines the methodology used, which involves phases of planning, information gathering, assessment, review, reporting, and remediation verification. Tools used include proprietary and open source options. The testing team is experienced with certifications in ethical hacking and security standards. Reports are provided in technical, executive, and dashboard formats.

Uploaded by nidelel214
VULNERABILITY ASSESSMENT AND PENETRATION TESTING


TATA COMMUNICATIONS – VAPT SERVICES OVERVIEW

MAR 2020
VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VAPT)

We deliver Tata Communications’ ‘VAPT’ services via a SaaS (Software as a Service) cloud model as Managed Services and in a Consulting Model (one-time testing). They’re primarily for customers who need both their network and web applications monitored for new vulnerabilities and malware that could infect site visitors. Our Security Operations Centre (SOC), part of the Global Services Management Centre (GSMC), monitors and manages service availability, and assists customers in scheduling remote scans on a 24/7/365 basis.

SERVICE OVERVIEW
● Network
  • Vulnerability management – to identify network vulnerabilities before they’re breached
  • Penetration testing – to verify potential network impact of vulnerability exploits
● Web application
  • Vulnerability scanning for dynamic web applications
  • Malware detection
  • Penetration testing – to verify potential web app impact of vulnerability exploits

VAPT – DELIVERY MODEL
Managed Services
• Vulnerability Assessment Service
  • Network/Servers (Internal & External)
• Penetration Testing Services (Internal & External)
• Web Application Security Assessment Service
• Mobile Application Security Testing (Android/iOS)
• Phishing Simulation Campaign

Consulting Services (One time Testing Services)
• Vulnerability Assessment Service
• Penetration Testing Services (Internal & External)
• Web Application Security Assessment Service
• Mobile Application Security Testing (Android/iOS)
• Phishing Simulation Campaign

TCL METHODOLOGY

At Tata Communications we follow a rigorously defined methodology to identify security findings within our clients’ infrastructure. All our security assessments feature the following phases:
● Host identification: Through detailed reconnaissance.
● Vulnerability identification and evaluation: We perform detailed vulnerability scans against the identified scope and evaluate the vulnerabilities according to risk score and business criticality after discussion with the Customer SPOC.
● Exploit: The final list of vulnerabilities is exploited with advanced tools and manual techniques to determine the impact on the scoped targets.
● False positive analysis: We analyse all findings for impact, severity and criticality.
● Reporting: We develop recommendations for mitigating risk or implementing compensating controls to reduce risk to an acceptable level.
● Retest: A retest will be performed after the remediation.

ASSESSMENT APPROACH

Planning & Preparation
• Assets identification
• Stakeholders identification
• Detailed schedule / test plan for each activity with date and time
• Identify the business impacts, if any, for assessment
• Discuss and meet stakeholders, communicate and get approvals from stakeholders

Information Gathering and Analysis
• Information about network segments
• Perform network discovery to determine the reachable systems in the IT infrastructure.
• Identify the targets for Vulnerability Assessment and Penetration Testing.

Assessment Phase (VA & PT)
• Internal VAPT, External VAPT, Application Security Testing, Server VAPT & Wireless PT
• Identify vulnerabilities & security risk
• Exploit the vulnerabilities & clean-up

Review and Reports
• Review the scan results manually to eliminate false positives.
• Consolidate the scan results once the false positives are removed and final vulnerabilities including CVE numbers along with recommendation for remediation.
• Present executive summary report for senior management in Word and PPT format.
• Detailed VA and PT assessment report.

Remediation Phase
• Customer asset owners will perform the remediation activity; TCL will provide guidance wherever required.

Verification of the Remediation
• TCL will re-perform the vulnerability or penetration test to verify the results.

Project Management
• Project Management personnel to oversee the project and interface between both companies.
• Complete tracking of project schedule, execution and reporting.

VULNERABILITY ASSESSMENT
Internal / External
PENETRATION TESTING
Tata Communications’ Penetration Testing simulates techniques used by hackers to help you understand potential threats while
providing detailed recommendations.
APPLICATION SECURITY TESTING
Application security testing aims to emulate external and internal directed attacks on the web application to identify any weaknesses which may provide unauthorized access or disruption to systems or data.
VAPT – TOOLS IN FOCUS
TCL - OEM Partners:
• Qualys
• Tenable
• Rapid7
• Micro Focus

Customized Scripts

Discovery/Recon/Open Source Tools

TATA COMM VAPT TEAM – SKILLS & CERTIFICATION

VAPT Team Strength: Certified resources spread across India, Singapore and Dubai

• CREST Certified and Trained professionals
• OSCP (Offensive Security Certified Professional)
• OSCE (Offensive Security Certified Expert)
• CEH (Certified Ethical Hacker)
• ECSA (EC-Council Certified Security Analyst)
• ITIL (Information Technology Infrastructure Library)
• Qualys Certifications for VA and Application
• Other Network Certifications
ADDING VALUE THROUGH ENGAGEMENT

Our four-step engagement model is designed to increase the success of our work and the value to our clients. We first ask scoping questions and use the information gathered to perform a penetration test. We then report on our findings and review them with our client to inform remediation planning.

Engagement steps: Scoping Questions, Testing, Report Presentation, Review & Planning

• Tailored approach – around the specifics of every client
• Structured methods and expert delivery – using a defined methodology delivered by trained professionals
• Quantitative results – meaningful for clients and their remedial planning

PILLARS OF STRENGTH

● Experienced security consultants: Senior security consultants with cross-industry experience. Experienced in providing consultation on security architecture, frameworks and compliance.
● Coverage across the globe: Global coverage for GRC security consulting and assessment projects through an onsite / offshore model delivered from Singapore, India, Dubai.
● Security consulting advisories: Expertise in providing security advisories and benchmarking across the industry. Provide daily threat advisories to esteemed customers across the globe. https://www.tatacommunications.com/threat-advisory/
● Security certifications: Security consultants certified with various globally accepted standards including CREST, OSCP, OSCE, CEH, ECSA, CISSP, CISA and more.

REPORTING

TEST REPORTS OVERVIEW

MANAGEMENT EXECUTIVE REPORT
● High level summary
● Key metrics
● Root cause analysis
● Risk analysis

EXCEL DASHBOARD
● Vulnerability details
● Risk scoring
● Detailed metrics
● Track patch status and action items

TECHNICAL REPORT
● Detailed description
● Proof of concepts
● How to fix with source-code examples
● Reference documents

Sample report images: Executive Summary Report; Excel Dashboard - VA Report; Technical Report - App Sec Test

DETAILED REPORTS

Our Penetration test report provides:


● Executive summary
● Risk statement
● Finding description
● Infrastructure impact
● Risk severity
● Recommendations

WEB APPLICATION ASSESSMENT - SAMPLE REPORTS

KEY CUSTOMERS

Due to NDA in place, we will not be listing some of our key Banking and Finance
Customers.

CASE STUDY
HCCBPL (Hindustan Coca-Cola Beverages Pvt Ltd) is an Indian subsidiary of Coca-Cola which acts as the umbrella organization for all local and global compliance requirements. HCCBPL's requirement is to comply with the security assessment and compliance requirements of its parent organization.

Customer’s Need
• HCCBPL required its internal and external posture to be assessed on an ongoing basis at regular intervals for 3 years.
• Identify the internal/external posture and exposure.
• Examine the external infrastructure from the internet
• Vulnerabilities that can be exploited by external resources
• External business applications vulnerabilities
• Critical mobile applications security risks

TCL Solution
TCL proposed the Gray/Black box perspective of VA and Penetration testing for the customer requirement. In this method, the TCL VAPT team acts as an external resource who doesn’t know anything about the target network and tries to identify information about the target network and its associated vulnerabilities.
TCL proposed the scanning activity over the internet without whitelisting to identify the vulnerabilities in the black box perspective.

Approach
• Scope confirmation
• Identify the target network IPs and range
• Ports/service identification
• Vulnerability identification
• Correlate and analyze the vulnerability
• Identify the exploitable vulnerabilities
• Manual and automated method of exploiting
• Identify the risk level and impact
• Recommend mitigation

Deliverables
• Detailed report
  o IP/Vulnerability
  o Impact
  o Risk Level/CVE
  o Solution/Recommendation

WHY TATA COMMUNICATIONS?

• We provide our clients with customized, industry-approved approaches for assessment.
• TCL customized framework and approach for network/application PT.
• Highly experienced, CREST trained and OSCP, OSCE, CEH certified professionals.
• Dedicated lab setup with leading commercial and open source tools for assessing public-facing infrastructures.
• Retest
• OWASP Top 10 and CVE scoring based reports.
• Leading commercial tools for VA and automated PT.
• Customized reports based on the requirement. Detailed finding reports with recommendations in Excel format and high-level executive reports.
• TCL has customers across all verticals. TCL has provided security consulting services to leading national banks, logistics, retail and beverage industries in India and other regions.
