Info Sec Companies


CERT-In EMPANELLED INFORMATION SECURITY AUDITING ORGANISATIONS

IT Security Audit (Full Scope of Audit)

Within the broad scope, 'Information System Security Audit' or 'IT Security Audit' covers an assessment of the security of an organisation's networked infrastructure, comprising computer systems, networks, operating system software, application software, etc. A security audit is a specified process designed to assess the security risks facing an organisation and the controls or countermeasures adopted by the organisation to mitigate those risks. It is typically carried out by a person having technical and business knowledge of the company's information technology assets and business processes. As part of any audit, the auditors will interview key personnel, conduct vulnerability assessments & penetration testing, catalogue existing security policies and controls, and examine IT assets. The auditors rely heavily on technology, manual effort & tools to perform the audit.

For Customer Organisations

The list of IT security auditing organisations given below is the current valid list of CERT-In empanelled information security auditing organisations. This list is updated by us as soon as there is any change in it. Customer organisations may refer to this list to avail of their services, on a limited quotes / tender basis, to carry out an information security audit of their networked infrastructure. While placing the order, customer organisations should again refer to this list for the latest changes, if any, and should place the order only with an organisation which is in this list on that particular day.

1. M/s 3i Infotech Ltd #6/2, Brigade Champak, Union Street, Off Infantry Road, Bangalore – 560001. Website URL : http://www.3i-infotech.com Telephone : 080-30541360 Fax : 080-30541306 Contact Person : Mr. Babji V S, General Manager, Managed Services e-mail : babji.vs[at]3i-infotech.com Mobile : 9945322113

2. M/s AAA Technologies Pvt Ltd 278-280, F-Wing, Solaris-1, Saki Vihar Road, Opp. L&T Gate No. 6, Powai, Andheri (East), Mumbai – 400072. Website URL : http://www.aaatechnologies.co.in Telephone : 022-28573815 Fax: 022-40152501 Contact Person : Mr. Anjay Agarwal, Director e-mail : anjay[at]aaatechnologies.co.in Mobile : 9821087283

3. M/s AKS Information Technology Services Pvt Ltd E-52, 1st Floor, Sector-3, Noida – 201301. Website URL : http://www.aksitservices.co.in Telefax : 0120-4243669 Contact Person : Mr. Ashish Kumar Saxena, Managing Director e-mail : ashish[at]aksitservices.co.in Mobile : 9811943669

4. M/s Appin Software Security Pvt Ltd 9th Floor, Agarwal Metro Heights, Netaji Subhash Palace, Pitampura, New Delhi-110034 Website URL : http://security.appinonline.com Telephone : 011-64736970/71 Fax : 011-26581024 Contact Person : Mr. Rajat Khare, Director e-mail : appin.security[at]appinmail.com Mobile : 09212149267

5. M/s Auditime Information Systems (India) Pvt Ltd A-504, Kailash Esplanade, LBS Marg, Ghatkopar (West), Mumbai – 400086. Website URL : http://www.auditimeindia.com Telephone : 022-25006875 Fax: 022-25006876 Contact Person : Mr. Chetan Maheshwari, Director e-mail : csm[at]auditimeindia.com

6. M/s Aegis Tech Limited 2nd Floor, Equinox Business Park, Tower 1, (Peninsula Techno Park), Off Bandra Kurla Complex, LBS Marg, Kurla (West), Mumbai – 400070, INDIA Website URL : http://aegisglobal.com/section_level2.aspx?cont_id=zWj8z5qFobY= Telephone : +91 22 6661 7272 Fax: +91 22 6704 5888 Contact Person : Mr. Atul Khatavkar – VP - ITGRC e-mail : atul.khatavkar[at]agcnetworks[dot]com Mobile : +91 9930132135, 98200 19392

7. M/s Aujas Networks Pvt Ltd No. 4025/26, 2nd Floor, K R Road, Jayanagar, 7th Block West, Bangalore – 560082. Website URL : http://www.aujas.com Telephone : 080-40528527 Fax: 080-40528516 Contact Person : Ms. Sandhya Agnihotri, Manager - Sales Operations e-mail : sandhya.agnihotri[at]aujas.com Mobile : 9901133387


8. M/s Controlcase India Pvt Ltd 203, Town Center, Andheri-Kurla Road Saki Naka, Andheri(E) Mumbai-400059 Website URL : http://www.controlcase.com Telephone :+91-2266471800 Fax : +912266471810 Contact Person : Mr. Suresh Dadlani, Chief Operating Officer e-mail : sdadlani[at]controlcase.com Mobile : +91-9820293399

9. M/s CyberQ Consulting Pvt Ltd # 622, DLF Tower A, Jasola, New Delhi – 110044. Website URL : http://www.cyberqindia.com Telephone : 011-41066560, 41077561 Fax: 011-41077561 Contact Person : Mr. Debopriyo Kar, Head, Information Security e-mail : debopriyo.kar[at]cyberqindia.com

10. M/s Computer Science Corporation India Pvt. Ltd. DLF IT Park, A-44/45, Sector 62, Noida Website URL: http://www.csc.com/in Telephone : +91-120-4701015 Fax : +91-120-6700108 Contact Person : Narendra Nayak Email : india_busdev[at]csc[dot]com

11. M/s Cyber Security Works Pvt Ltd E Block, No. 3, 3rd Floor, 599, Anna Salai, Chennai - 600006 Website URL : http://www.cybersecurityworks.com Telephone : 044-42089337 Fax : 044-42089170 Contact Person : Mr Selva Kumar, Manager e-mail : info [at] cybersecurityworks[dot]com

12. M/s Deccan Infotech Pvt Ltd # 13, Jakkasandra Block, 7th Cross, Koramangala, Bangalore – 560034. Website URL : http://www.deccaninfotech.in Telephone : 080-25530819 Fax : 080-25530947 Contact Person : Mr. Dilip. H. Ayyar, Director - Technical e-mail : dilip[at]deccaninfotech[dot]in Mobile : 9686455399

13. M/s Deloitte Touche Tohmatsu India Pvt. Ltd 7th Floor, Building 10, Tower B, DLF City Phase-II, Haryana India Gurgaon-122002 Website URL : http://www.deloitte.com Telephone : +91-1246792000 Fax : +91-1246792012 Contact Person : Mr. Sundeep Nehra, Senior Director e-mail : snehra[at]deloitte[dot]com Mobile : +91-9999003908

14. M/s Digital Age Strategies Pvt Ltd 204, Lakshminarayan Complex, 2nd Floor, Panduranganagar, Opp. HSBC, Bannerghatta Road, Bangalore – 560076. Website URL : http://www.digitalage.co.in Telephone : 080-41503825 Fax : 080-264085148 Contact Person : Mr. Dinesh S. Shastri, Director e-mail : digitalageaudit[at]airtelmail[dot]in Mobile : 9448088666

15. M/s Ernst & Young Pvt Ltd 2nd Floor, TPL House, 3, Cenotaph Road, Teynampet, Chennai – 600018. Website URL : http://www.ey.com/india Telephone : 044-42194650 Fax : 044-24311450 Contact Person : Mr. Terry Thomas, Partner e-mail : terry.thomas[at]in.ey.com Mobile : 9880325000

16. M/s Financial Technologies (India) Ltd 601, Bostan House, 6th Floor, Suren Road, Chakala, Andheri (East), Mumbai-400093 Website URL : http://www.ftindia.com/ Telephone : +912267099600 Fax : +912267099066 Contact Person : Mr. Parag Ajmera, Head

17. M/s Haribhakti & Co. 42, Free Press House, 215, Nariman Point, Mumbai – 400021. Website URL : http://www.haribhaktigroup.com Telephone : 022-66729999 Fax: 022-66729777 Contact Person : Mr. Milind Dharmadhikari, Director In-charge e-mail : milind.dharmadhikari[at]bdoindia.co.in

18. M/s HCL Comnet Ltd Head Office, A 10-11, Sector-3, Noida – 201301. Website URL : http://www.hclcomnet.co.in Telephone : 0120-4362800 Fax : 0120-2539799 Contact Person : Mr. Prasun Roy Barman, Global Practice Director - Security e-mail : prasunb[at]hcl.in

19. M/s HEXAWARE TECHNOLOGIES LTD. Plot No. H5, SIPCOT IT Park Navallur Post, Siruseri, Kanchipuram Dt. 603 103 (India) Website URL : http://www.hexaware.com Telephone : +91-44-47451000 Fax : +91-44-47451111 Contact Person : Mr. S. Elangovan e-mail : Elangovan[at]hexaware[dot]com Mobile : 98404 13778

20. M/s IBM India Pvt Ltd 4th Floor, The IL&FS Financial Centre, Plot No C 22, G Block, Bandra Kurla Complex, Bandra (East), Mumbai-400051 Website URL : http://www.ibm.com/ Telephone : +91-022-40589000 Fax : +91-22-26533585 Contact Person : Mr. Jeffery Paul e-mail : pjeffery[at]in[dot]ibm[dot]com Mobile : +91-9892502342

21. M/s IDBI Intech Ltd Plot No. 39-41, IDBI Building , Sector-11, CBD Belapur, Navi Mumbai – 400614. Website URL : http://www.idbiintech.com/ Telephone : 022-39148000 Fax : 022-27566313 Contact Person : Mr. Pramod Gosavi, Head - Professional Services e-mail : gosavi.pramod[at]idbiintech.com / is.audit[at]idbiintech.com Mobile : 9890304884

22. M/s Indusface Consulting Pvt Ltd A/2-3, 3rd Floor, Status Plaza, Opp. Relish Resorts, Akshar Chowk, Atladra - Old Padra Road, Vadodara – 390020. Website URL : http://www.indusfaceconsulting.com Telephone : 0265-6562666 Fax: 0265-2355820 Contact Person : Mr. Ashish Tandon, CEO e-mail : ashish.tandon[at]indusfaceconsulting.com Mobile : 9898866444

23. M/s Information Systems Auditors & Consultants Pvt Ltd 12/12 A, 3rd Floor, Dena Bank Building. 17B Horniman Circle, Fort, Mumbai – 400001. Telephone : 022-22663955 Fax: 022-22662661 Contact Person : Mr. Shashin Lotlikar, Director e-mail : smlotlikar[at]isaac.co.in

24. M/s iSec Services Pvt Ltd 608/609 Reliable Pride, Anand Nagar, Opp. Om Heera Panna Mall, Jogeshwari West Mumbai - 400102 Website URL: www.isec.co.in Telephone : 022-26368830 Fax : 022-26300209 Contact Person : Mr. C Karthikeyan, Sr Security Analyst e-mail : contactus[at]isec.co.in


25. M/s iViZ Techno Solutions Pvt Ltd RDB Boulevard, 4th Floor, Plot No. K-4, Sector 5, Block - EP & GP, Salt Lake, Kolkata – 700091. Website URL : http://www.ivizsecurity.com/ Telephone : 033-40217300 Fax : 033-40217308 Contact Person : Mr. Rudra Kamal Sinha Roy, Group Head, Project Management e-mail : rudra[at]ivizsecurity.com Mobile : 9845838888

26. M/s KPMG 4B, DLF Corporate Park, DLF City, Phase-3, Gurgaon – 122002. Website URL : http://www.in.kpmg.com Telephone : 0124-2549191 Fax : 0124-2549101 Contact Person : Mr. Akhilesh Tuteja, Executive Director e-mail : atuteja[at]kpmg.com Mobile : 9871025500

27. M/s Locuz Enterprise Solutions Ltd 3, Tilak Road, Sudha House, Abids, Hyderabad – 500001. Website URL : http://www.locuz.com Telephone : 040-66115511 Fax : 040-66781111 Contact Person : Mr. Uttam Majumdar, Chief of Consulting & Professional Services e-mail : uttam.majumdar[at]locuz.com Mobile : 9848005089

28. M/s Microland Ltd 1B, Ecospace, Belandur, Outer Ring Road, Bangalore – 560037. Website URL : http://www.microland.com Telephone : 080-39180254 Fax : 080-39180044 Contact Person : Venugopal J D, Group Consultant e-mail : ptsdc[at]microland.com Mobile : +919845171663


29. M/s MIEL e-Security Pvt Ltd C-611/612, Floral Deck Plaza, MIDC, Central Road, Andheri (East), Mumbai – 400093. Website URL : http://www.mielesecurity.com Telephone : 022-28215050 Fax : 022-28215838 Contact Person : Mr. R. Giridhar, National Sales Manager e-mail : rgiridhar[at]mielesecurity.com Mobile : 9820142476

30. M/s Network Intelligence India Pvt Ltd 204 Ecospace IT Park, Off Old Nagardas Road, Andheri East, Mumbai-400069. Website URL: www.niiconsulting.com Telephone: 022-28392628 Fax: 022-28375454 Contact person: Mr K.K. Mookhey, Principal Consultant e-mail: kkmookhey[at]niiconsulting.com / info[at]niiconsulting.com mobile : +91-9820049549

31. M/s Network Security Solutions (India) Ltd 4 Kumar Pavilion, Gen Thimmayya Marg (East Street). Camp, Pune - 411 001 Website URL : http://www.mynetsec.com Telephone : 020-60601971 Contact Person : Mr. Rajendra Dave (COO), e-mail : coo[at]mynetsec.com Mobile : 9881122049

32. M/s Netmagic Solutions Pvt. Ltd B-2, 2nd Floor, Phase 1, Nirlon knowledge park, Goregaon East. Website URL : http://www.netmagiasolutions.com Telephone : +91 -22 - 40099099 Fax : +91 22 6785 1501 Contact Person : Mr. Yadavendra Awasthi, Chief Information Security Officer (CISO) e-mail : [email protected] Mobile : + 91 - 9820 2425 84


33. M/s NIIT Technologies Ltd 223-224, Udyog Vihar-I Gurgaon 122002. Website URL : http://www.niit-tech.com Telephone :0124-4374161 Fax : 011-40570933 Contact Person : Mr. Maneesh Bakhru, e-mail : maneesh.bakhru[at]niit-tech.com Mobile : +91 9818605093

34. M/s Paladion Networks 49, 1st Floor, Shilpa Vidya, 1st Main, 3rd Phase, J P Nagar, Bangalore – 560078. Website URL : http://www.paladion.net Telephone : 080-41135991 Fax: 080-41208559 Contact Person : Mr. Manoj Kumar, Marketing Manager e-mail : manoj.kumar[at]paladion.net Mobile : 9810488748

35. M/s Persistent Systems Limited Pingala-Aryabhatt, Plot No. 9A/12, CTS No. 12A/12, Erandwana, Near Padale Palace , Pune – 411004. Website URL : http://www.persistentsys.com Telephone : 020 – 30234000 Fax: 020 – 3023 4001 Contact Person : Mr. Anand Pande e-mail : security_info[at]persistentsys.com Mobile : +91 9552560590

36. M/s PricewaterhouseCoopers Pvt Ltd Building 8, 8th Floor, Tower B, DLF Cyber City, Gurgaon – 122002. Website URL : http://www.pwc.com Telephone : 0124-4620000 Fax: 0124-4620620 Contact Person : Mr. Neel Ratan, Executive Director e-mail : neel.ratan[at]in.pwc.com

37. M/s Progressive Infotech Pvt Ltd C-161, Phase-II Extension, Noida-201305 Website URL : http://progressive.in/ Telephone : +91-120-4393939 Fax : +91-120-4393922 Contact Person : Mr. Ajay Batra, Practice Head e-mail : ajay.batra[at]progressive.in Mobile : +91-9811832622

38. M/s ProMinds Consulting Pvt Ltd 402, 4th Floor, ABK Olbee Plaza, Road No. 1, Banjara Hills, Hyderabad – 500034. Website URL : http://www.promindsglobal.com Telefax : 040-40207383 Contact Person : Mr. Balaji Selvaraju, CEO and Principal Consultant e-mail : balajis[at]promindsglobal.com Mobile : +91-9866673663

39. M/s Qadit Systems & Solutions Pvt Ltd 1st Floor, Balammal Building 33 Burkit Road T. Nagar Chennai 600017. Website URL : http://www.qadit.com Telephone : +91-44-42791150/ 51/ 52 Fax : +91-44-42791149 Contact Person : Mr. V. Vijayakumar, Director e-mail : vijay[at]qadit.com Mobile : 9444019232

40. M/s Secure Matrix India Pvt Ltd 12 Oricon House, 14 K Dubash Marg, Kala Ghoda, Fort, Mumbai – 400001. Website URL : http://www.securematrix.in Telephone : 022-32537579 Fax : 022-22886152 Contact Person : Mr. Saurabh B. Dani, Vice Chairman e-mail : saurabh[at]securematrix.in Mobile : 9821542619

41. M/s SecureSynergy Pvt Ltd #3332, 13th Main, 6th Cross, HAL II Stage, Indiranagar, Bangalore – 560038. Website URL : http://www.securesynergy.com Telephone : 080-25210556 Fax: 080-41151605 Contact Person : Mr. Santhosh Koratt, Head - Consulting & Compliance e-mail : santhoshkoratt[at]securesynergy.com


42. M/s SecurEyes Techno Services Pvt Ltd #3S, 3rd Floor,Swamy Towers, Chinapanahalli, Marathahalli, Outer Ring Road Bangalore – 560037. Website URL : http://www.secureyes.net Telephone : 080-41264078 Contact Person : Mr. Karmendra Kohli , Chief Operating Officer e-mail : karmendra.kohli[at]secureyes.net Mobile : 9448111432

43. M/s Security Brigade 1/47 Tardeo AC Market, Tardeo, Mumbai – 400034 Website URL : http://www.securitybrigade.com Telephone : 0651-6458865 Fax : 0651-2444545 Contact Person : Mr. Yash Kadakia, Chief Technology Officer e-mail : yash[at]securitybrigade.com Mobile : 9833375290

44. M/s Sify Technologies Ltd Brigade MLR Centre, No. 20, G Floor, Vanivilas Road, Basavanagudi, Bangalore – 560004. Website URL : http://www.sifycorp.com Telephone : 080-61263144 Fax: 022-26177662 Contact Person : Mr. Natarajan K R, DGM - Information Assurance e-mail : natarajan.karrirama[at]sifycorp.com Mobile : 9844374175

45. M/s Simos Computer Systems Pvt Ltd No. 5 (Old No. 3/1), Poes Road, 1st Floor, Teynampet, Chennai – 600018. Website URL : http://www.simosindia.com Telephone : 044-42110302 Fax : 044-42109436 Contact Person : Mr. Balamurugan R, Director e-mail : rbm[at]simosindia.com Mobile : 9884306004

46. M/s SISA Information Security Pvt Ltd 3029, SISA House, 13th Main Road, Sri Sai Darshan Marg, HAL II Stage, Indiranagar, Bangalore - 560008 Website URL: http://www.sisa.co.in Telephone: 080-41153769 Fax: 080-41153796 Contact person: Mr. Nitin Bhatnagar, Head Business Development e-mail: info[at]sisa.in mobile : +91-9820885922

47. M/s Spectrum IT Solution B–118, Sector 64, Noida,UP – 201307 Website URL : http://www.spectrumin.co.in Telephone : 0120-4236230 Fax : 0120-4236231 Contact Person : Mr. Mahesh Singh, Director e-mail : mahesh[at]spectrumin.co.in Mobile : 9811943670

48. STQC Directorate Department of Information Technology, Min. of Comm'ns & IT, Govt. of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi – 110003. Website URL : http://www.stqc.nic.in Telephone : 011-24363378 Fax: 011-24363083 Contact Person : Mr. Arvind Kumar, Scientist ‘F’ e-mail : arvind[at]mit.gov.in

49. M/s Suma Soft Pvt Ltd Suma Center, 2nd Floor, Opp. Himali Society, Near Mangeshkar Hospital, Erandawane, Pune - 411 004 Website URL:http://www.sumasoft.com Telephone: +91-20-40130400 Fax: +91-20-25438108 Contact Person: C Manivannan e-mail: mani[at]sumasoft.com Mobile: +91-9371011855

50. M/s Sumeru Software Solutions Pvt Ltd #40, Arth, 12th Main, Jayanagar, 4th Block, Bangalore – 560041. Website URL : http://www.sumerusolutions.com Telephone : 080-28432475 Fax : 080-41211434 Contact Person : Mr. Chidhanandham Arunachalam e-mail : infosec[at]sumerusolutions.com Mobile : 9538912774

51. M/s Sysman Computers Pvt Ltd 312, Sundram, Rani Laxmi Chowk, Sion Circle, Mumbai – 400022. Website URL : http://www.sysman.in Telephone : 9967247000 Telefax: 9967248000 Contact Person : Mr. Rakesh Goyal, Managing Director e-mail : rakesh[at]sysman.in

52. M/s Tata Consultancy Services Ltd Wellspring Phase-3, Godrej and Boyce Complex, Plant No. 12, Gate No. 4, LBS Marg, Vikhroli (West), Mumbai – 400079. Website URL : http://www.tcs.com Telephone : 022-67784139 Fax: 022-67784399 Contact Person : Mr. P V S Murthy, Global Head-Information Security Management Practice e-mail : pvs.murthy[at]tcs.com Mobile : 9223179277

53. M/s Tech Mahindra Ltd A-7, Sector-64, Noida – 201301. Website URL : http://www.techmahindra.com Telephone : 0120-4652000 Contact Person : Mr. Manoj Gilra, Director - Business Development e-mail : mgilra[at]techmahindra.com Mobile : 9810069966

54. M/s Technologics & Control 2/30, 3rd Floor, Sarai Julena, New Delhi - 110025 Website URL: www.tech-controls.com Telephone: 011-26933733 Fax: 011-26910189 Contact person: Mr. Sanjiv Arora, Director e-mail: sa[at]tech-controls.com mobile : +91-9810293733

55. M/s Torrid Networks Pvt. Ltd. H-87, First Floor , Sector-63, Noida 201 301 Website URL: www.torridnetworks.com Telephone: 0120-4216622 Fax: 0120-4314996 Contact person: Mr. Salil Kapoor e-mail: info [at] torridnetworks.com mobile : +91-9266666883/9266666696

56. M/s TVSNet Technologies Ltd 3rd Floor, V B C Solitaire, 47 & 49, Bazullah Road, T Nagar, Chennai – 600017. Website URL : http://www.tvsnet.in Telephone : 044-42923900 Fax: 044-42923999 Contact Person : Mr. Sujit P Christy, ISecurity Manager - Solutions Architect e-mail : sujit.p[at]tvsnet.in Mobile : 9382122359

57. M/s Verizon Business Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037. Website URL : http://www.verizonbusiness.com/in/ Telephone : +91-11-42818101 Fax : +91-11-42818164 Contact Person : Mr. Prashant Gupta e-mail : Prashant.gupta[at]verizonbusiness.com Mobile : +91- 9899211162

58. M/s VISTA InfoSec Pvt. Ltd. 2/203 Vahatuk Nahar, Caesar Road, Amboli, Andheri (W), Mumbai - 400058 Website URL : http://www.vistainfosec.com Telephone : +91-22-65236292 Fax : Contact Person : [email protected] Mobile : +91-9619990923


59. M/s Wipro Ltd Consulting Division, 480 - 481, Udyog Vihar, Phase-3, Gurgaon – 122016. Website URL : http://www.wipro.co.in Telephone : 0124-3084407 Fax : 0124-3084700 Contact Person : Mr. Sachin Nagpal, Consultant e-mail : sachin.nagpal[at]wipro.com Mobile : 9711360534


CERT-In empanelled IT Security Auditing Organisations

M/s 3i Infotech Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : 3i Infotech Ltd, Navi Mumbai

2. Carrying out Information Security Audits since : December 2000

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 7

CISAs : 2

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 40

4. Outsourcing of External Information Security Auditors / Experts : No

Information Security Audit Tools used (owned, in possession) :

Freeware : 100

Commercial : 0

Proprietary: 1

Total Nos. of Audit Tools : 101

Details of the Audit Tools

Freeware

1. Nessus - Remote security scanner

2. Snort - Network intrusion prevention and detection system

3. Netcat - A simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol

Commercial

1. Retina - Retina's function is to scan all the hosts on a network and report on any vulnerability found.

5. Information Security Audit Methodology : OSSTM, OWASP

6. Information Security Audits carried out since empanelment till now :

Govt. : 0

PSU : 0

Private : 22

Total Nos. of Information Security Audits done : 22

7. Business domain of auditee organisations : Banking, Financial, Manufacturing

8. Typical applications in use by auditee organisations : Banking and Financial Applications


9. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 16 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

10. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 250

No. of Servers : 30

No. of Switches : 20

No. of Routers : 6

No. of Firewalls : 2

No. of IDS' : 0

11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s AAA Technologies Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : AAA Technologies Pvt. Ltd., Mumbai

2. Carrying out Information Security Audits since : 2000

3. Technical manpower deployed for security audits :

CISSPs : 3

BS7799 / ISO27001 LAs : 5

CISAs : 9

DISAs / ISAs : 3

Total Nos. of Technical Personnel : 20

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 19

Commercial : 0

Proprietary: 1

Total Nos. of Audit Tools : 20

Details of the Audit Tools

Freeware :

1. Nessus

2. Whisker

3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector

4. DOMTOOLS - DNS-interrogation tools

5. SARA - Vulnerability scanner

6. RAT

7. Nikto - This tool scans for web-application vulnerabilities

8. Snort - IDS

9. Firewalk - Traceroute-like ACL & network inspection/mapping

10. Hping – TCP ping utility; Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files, etc.) and facilitate the interception of network traffic normally unavailable to an attacker

11. HTTrack - Website Copier

12. Chkrootkit - Rootkit discovery tool

13. Tools from FoundStone - Variety of free security-tools

14. SQL Tools - MS SQL related tools

15. John the Ripper - Password-cracking utility

16. ITS4 - Scan C/C++ source-code for vulnerabilities


17. Paros

18. NMAP - The famous port-scanner

19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs

20. Nemesis - Packet injection suite

21. NetCat - Swiss Army-knife, very useful

22. RAT – CISecurity’s Router Auditing Tool

23. DSniff - A collection of different purpose sniffers

24. Achilles - An SSL-proxy allowing to change data

25. Whitehats - Snort IDS-signatures & other resources

26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection

27. Brutus – password cracking for web applications, telnet, etc.

28. WebSleuth - web-app auditing tool

29. Mieliekoek - SQL Injection tool, use with HTTrack

30. NT Toolbox - Resources & tools for NT

31. [at]Stake Tools - Tools provided by [at]-Stake

32. TSCrack - Wordlist-based Terminal Server login-cracker; L0phtcrack - NT-password cracking utility

33. HTTPrint – detect web server and version

34. Web proxy - web application testing

35. Web server vulnerability assessment tool

Commercial :

None

Proprietary :

1. AAA - Used for Finger Printing and identifying open ports, services and misconfiguration

6. Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT

7. Security Audits carried out since empanelment till now :

Govt. : 88

PSU : 34

Private : 15

Total Nos. of Security Audits : 137

8. Business domain of auditee organisations : Stock Brokers, Banking, Travel, Insurance, Railways, Govt.

9. Typical applications in use by auditee organisations : Banking, Tally, ERP, Home grown applications

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Servers : 500

No. of Computer Systems : 1000

No. of Routers : 10

No. of Switches : 40


No. of Firewalls : 30

No. of IDS' : 20

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s AKS Information Technology Services Pvt Ltd Snapshot of skills and competence of CERT-In Empanelled Information Security Auditing Organisation

1. Name, Location of the Empanelled Information Security Auditing Organisation : AKS Information Technology Services Pvt Ltd, Noida

2. Carrying out Information Security Audits since : September 2006

3. Technical manpower deployed for information security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 3

CISAs / CISMs: 1

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 18

4. Outsourcing of External Information Security Auditors / Experts : N

Information Security Audit Tools used (owned, in possession) :

Freeware : 50

Commercial : 4

Proprietary: 1

Total Nos. of Audit Tools : 55

Details of the Information Security Audit Tools

Freeware Tools

1. Nmap, Superscan and Fport - Port Scanners

2. Nessus – Vulnerability Scanner

3. Metasploit & Securityforest - Penetration Testing

4. Process explorer, Sigcheck, Kproccheck - Windows Kernel & malware detection

5. Netstumbler & Kismet – WLAN Auditing

6. Nikto - Web server vulnerability scanner

Commercial Tools

1. GFI Languard, Retina - Vulnerability Scanners

2. Burp Suite, Acunetix - Web application auditing

Proprietary Tools

1. ISA Log Analyzer

5. Information Security Audit Methodology : OSSTM, OWASP, ISO 27001, ISO 25999, CoBIT


6. Information Security Audits carried out since empanelment till now :

Govt. : 650

PSU : 50

Private : 40

Total Nos. of Security Audits : 740

7. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development, Manufacturing, Defence

8. Typical applications in use by auditee organisations : Payment Gateway, PKI-based, Client-Server, Web Based, MIS, Oracle ERP, NMS Web Applications

9. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 256 Mbps

10. LAN Infrastructure details of an organizations audited with most complex network :

No. of Servers : 262

No. of Computers : 60

No. of Routers : 212

No. of Switches : 162

No. of Firewalls : 16

No. of IDS' : 2

11. Ability to carry out vulnerability assessment and penetration test : Y

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


M/s Appin Software Security Pvt Ltd Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Appin Software Security Pvt. Ltd., Delhi

2. Carrying out Information Security Audits since : September 2005

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO17799 / ISO27001 LAs : 7

CISAs / CISMs: 0

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 30

4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed) :

Freeware : 11

Commercial : 7

Proprietary: 2

Total Nos. of Information Security Audit Tools : 20

Details of the Information Security Audit Tools

Freeware Tools

1. Nessus

2. Nmap

3. Retina

4. SQL Injector

5. SQL Ninja

6. Backtrack

7. Wikto

8. Web Server Auditor

9. NS Auditor

10. Kismet

11. Ethereal

Commercial Tools

1. GFI languard

2. SSS

3. Accunetix

4. Core Impact


5. Appscan

6. Webinspect

7. QualysGuard

Proprietary Tools

1. Appin Guard

2. Appin Runner

6. Information Security Audit Methodology : OSSTM, OWASP, BS7799, ISO27001, ISO25999, CoBIT, SANS, APPSEC

7. Information Security Audits carried out so far :

Govt. : 70

PSU : 8

Private : 50

Total Nos. of Security Audits : 128

8. Business domains of auditee organisations : Telecom, BPO, Manufacturing, Defence, Media, Infrastructure, IT/ITES, Banking, Financial SW, Government, Education, Travel

9. Typical applications in use by auditee organisations : CBS, Oracle ERP, NMS, SAP, Peoplesoft, e-Gov., Mobile & Web Applications

10. Bandwidth available with an auditee organisation having the most complex network :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. LAN infrastructure details of an auditee organisation having the most complex network :

No. of Computers : 4000

No. of Servers : 300

No. of Switches : 200

No. of Routers : 200

No. of Firewalls : 20

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Auditime Information Systems (India) Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : AUDITime Information Systems (I) Pvt. Ltd., Mumbai

2. Carrying out Information Security Audits since : September 2000

3. Technical manpower deployed for Information security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 2

CISAs : 10

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 64

4. Outsourcing of External Information Security Auditors / Experts : No

Information Security Audit Tools used (owned, in possession) :

Freeware : 36

Commercial : 0

Proprietary: 0

Total Nos. of Audit Tools : 36

Details of the Audit Tools

Freeware Tools

1. Achilles - A tool designed for testing the security of web applications

2. ADMFtp, ADMSnmp - Tools for remote brute-forcing

3. Brutus - A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc.

4. Crack - A password cracker

5. CrypTool - A cryptanalysis utility

6. cURL - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP

7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools etc.

8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering

9. Exploits - Publicly available and home-made exploit code for various vulnerabilities

10. FScan - A command-line port scanner. Supports TCP and UDP

11. Fragrouter - Utility that allows packets to be fragmented in unusual ways

12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports the TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

13. ISNprober - Checks an IP address for load balancing.

14. ICMPush - ICMPush is a tool that sends fully customised ICMP packets from the command line


15. John The Ripper - A password cracker

16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)

17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool can be used when scanning a large range of IP addresses, or to verify the results of manual work.

18. Netcat - The Swiss Army knife of network tools. A simple utility which reads and writes data across network connections, using the TCP or UDP protocol

19. NMAP - The best known port scanner around.

20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS versions from the information in the packets.

21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like L0phtcrack or John

22. SamSpade - Graphical tool that performs different network queries: ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, etc.

23. ScanDNS - Script that scans a range of IP addresses to find DNS names

24. Scripts - A number of custom developed scripts to test different security issues.

25. Sing - Send ICMP Nasty Garbage. A little tool that sends fully customised ICMP packets from the command line

26. SSLProxy, STunnel - Tools that allow non-SSL-aware tools/programs to be run over SSL.

27. Strobe - A command-line port scanner that also performs banner grabbing

28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.

29. THC - A freeware wardialer

30. TCPdump - A packet sniffer

31. TCPtraceroute - Traceroute over TCP

32. UCD-Snmp (aka NET-Snmp) - Various tools relating to the Simple Network Management Protocol, including snmpget, snmpwalk and snmpset.

33. Web Session Editor - Custom-made utility that intercepts and edits HTTP sessions.

34. Webinspect - CGI scanning, web crawling, etc.

35. Webreaper, wget - Software that mirrors websites to your hard disk

36. Whisker - The most famous CGI scanner. Its scanning databases are updated with checks for the latest vulnerabilities.

Commercial Tools : None

Proprietary Tools : None

5. Information Security Audit Methodology : ISO17799 / ISO27001

6. Information Security Audits carried out since empanelment till now :

Govt. : 0

PSU : 15

Private : 105

Total Nos. of Security Audits : 120


7. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Logistics, Insurance

8. Typical applications in use by auditee organisations : Core banking, Insurance, Loan & Treasury Management, Online trading, back office, CTCL, accounting, operations management, billing

9. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

10. Networked infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 15

No. of servers : 28

No. of switches : 0

No. of routers : 1

No. of firewalls : 1

No. of IDS' : 1

11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Aegis Tech Limited

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation :

2. Carrying out Information Security Audits since : 12 Years

3. Technical manpower deployed for information security audits :

CISSPs : 1 No.

BS7799 / ISO27001 LAs : 14 Nos.

CISAs : 5 Nos

DISAs / ISAs :

Total Nos. of Technical Personnel : 15

4. Outsourcing of External Information Security Auditors / Experts : DNV for ISO 27001 certification

5. Information Security Audit Tools used (owned, in possession) :

Freeware : Backtrack ver 5

Commercial : Nessus Ver 4.4.1, Acunetix Ver 7

Proprietary: -

Total Nos. of Audit Tools : 3 + Numerous Open Source Tools

6. Information Security Audit Methodology : Discovery (Scanning & probing), Exploitation & Analysis (Penetrate Perimeter, Attack Resources), Reporting (Assessment Report & Recommendations)

7. Information Security Audits carried out so far :

Govt. : 1

PSU :

Private : More than 50

Total Nos. of Information Security Audits done : More than 50

8. Business domain of auditee organisations : Banking, Telecom, Manufacturing etc.

9. Typical applications in use by auditee organisations : SAP, Oracle Financials, Finacle etc.

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 8 Mbps

11. Networked infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 27 (Internal)

No. of Servers : 11 (External)

No. of Switches : 10


No. of Routers : 5

No. of Firewalls : 1

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Details of the Audit Tools

Freeware:

Commercial: ACL, IDEA

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Aujas Networks Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Aujas Networks Pvt Ltd, Bangalore

2. Carrying out Information Security Audits since : February 2008

3. Technical manpower deployed for information security audits :

CISSPs : 7

BS7799 / ISO17799 / ISO27001 LAs : 10

CISAs / CISMs: 7

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 30

4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed) :

Freeware : 24

Commercial : 3

Proprietary: 1

Total Nos. of Information Security Audit Tools : 28

Details of the IT Security Audit Tools

Freeware Tools

1. NMAP - Port Scanning.

2. Super Scan - Port Scanning

3. Netcat - Network Utility.

4. Telnet Client - Network Utility.

5. Putty - Network Utility

6. SNMPWalk - SNMP Scanner

7. User2SID & SID2User - Look up Windows security identifiers (SIDs).

8. John The Ripper - Unix and NT password Cracker

9. WireShark - Wireshark is a network protocol analyzer for Unix and Windows.

10. Snort - A free lightweight network intrusion detection system for UNIX and Windows.

11. Metasploit - Exploitation Framework

12. Backtrack Live CD - Exploitation framework.

13. Nikto - Network Vulnerability Scanner.

14. BlackWidow - Website Profiling Tool.

15. Wget - Network Utility

16. Paros - HTTP Interceptor.

17. Burp Suite - HTTP Interceptor.

18. Brutus - Brute Force Password Attack


19. WFetch - HTTP Raw Methods Debugging

20. AnEc Cookie Editor (Firefox Plug-in) - Cookie Editor

21. Netstumbler - Detection of Wireless LANs

22. Kismet - 802.11 wireless network detector, sniffer, and intrusion detection system.

23. MYSQL Administration Tool - MYSQL Administration.

24. GoCR Decoder - OCR reader.

Commercial Tools

1. Acunetix - Web Vulnerability Scanning Tool.

2. CodeSecure - Code Review Tool

3. Nessus - Network Vulnerability Scanner

Proprietary Tools

1. PHP Security Audit Script : This script checks for insecure web configurations.

6. Information Security Audit Methodology : Standard (ITIL, CoBIT 4.1, COCO ERM, ISO27001, NIST 800-30, ISO27005, CIS Benchmarks, OWASP, OSSTM)

7. Information Security Audits carried out so far :

Govt. : 4

PSU : 1

Private : 35

Total Nos. of Security Audits : 40

8. Business domains of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government

9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications

10. Bandwidth available with an auditee organisation having the most complex network :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 6 Mbps

11. LAN infrastructure details of an auditee organisation having the most complex network :

No. of Computers : 1120

No. of Servers : 30

No. of Switches : 10

No. of Routers : 2

No. of Firewalls : 1

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Controlcase India Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : M/s ControlCase India Pvt. Ltd., Mumbai

2. Carrying out Information Security Audits since : 2004

3. Technical manpower deployed for information security audits :

CISSPs : 7

BS7799 / ISO27001 LAs : 4

CISAs : 8

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 20

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 140

Commercial : 3

Proprietary: 1

Total Nos. of Audit Tools : 144

List of Tools used

Freeware:

• Nmap

• Netcat 0.7.1

• Netdiscover

• P0f

• PSK-Crack

• Protos

• Finger Google

• Firewalk

• Fport 2.0 (Windows Executable)

• Goog Mail Enum

• Google-search

• Googrape

• Gooscan

• Host

• InTrace 1.3

• Itrace

• Maltego 2.0


• Metagoofil 1.4

• Mbenum 1.5.0 (Windows Executable)

• Netenum

• Netmask

• Nmbscan 1.2.4

• Protos

• PsTools (Windows Executables)

• PStoreView 1.0 (Windows Binary)

• QGoogle

• Relay Scanner

• SMTP-Vrfy

• 0trace 0.01

• DMitry

• DNS-Ptr

• dnstracer 1.5

• dnswalk

• dns-bruteforce

• dnsenum

• dnsmap

• DNSPredict

• Subdomainer 1.3

• TCPtraceroute 1.5beta7

• TCtrace

• Whoami (Windows Executable)

• Network Mapping

• Amap 5.2

• Angry IP Scanner (ipscan) 3.0-beta3

• Autoscan 0.99_R1

• Fierce 0.9.9 beta 03/24/07

• Fping

• Genlist

• Hping

• IKE-Scan

• IKEProbe

• ScanLine 1.01 (Windows Executable)

• SinFP

• XProbe2

• Zenmap 4.60

• Absinthe

• Bed

• CIRT Fuzzer


• Checkpwd

• Cisco Auditing Tool

• Cisco Enable Bruteforcer

• Cisco Global Exploiter

• Cisco OCS Mass Scanner

• Cisco Scanner

• Cisco Torch

• Curl

• Fuzzer 1.2

• HTTP PUT

• Nikto

• OpenSSL-Scanner

• Paros Proxy

• RPCDump

• RevHosts

• SMB Bruteforcer

• SNMP Scanner

• SNMP Walk

• SQL Inject

• SQL Scanner

• SQLLibf

• SQLbrute

• Sidguess

• Smb4K

• Snmpcheck

• Snmp Enum

• Spike

• Stompy

• SuperScan

• TNScmd

• Taof

• VNC_bypauth

• Wapiti

• Yersinia

• sqlanlz

• sqldict

• sqldumplogins

• sqlquery

• sqlupload

• Metasploit Framework

• Milw0rm Archive


• Ascend attacker

• CDP Spoofer

• Cisco Enable Bruteforcer

• Crunch Dictgen

• DHCPX Flooder

• DNSspoof

• Driftnet

• Dsniff

• Etherape

• EtterCap

• File2Cable

• HSRP Spoofer

• Hydra

• John

• Mailsnarf

• SMB Sniffer

• TFTP-Brute

• VNCrack

• WebCrack

• Wireshark

• Wireshark Wifi

• HttpTunnel Client

• HttpTunnel Server

• Privoxy

• ProxyTunnel

• Rinetd

• AFrag

• ASLeap

• aircrack-ng

• Airoscript

• Kismet

• BTcrack

• Bluebugger

• Blueprint

• Bluesmash

• Bluesnarfer

• Btscanner

• GNU DDD

• Hexdump

• Hexedit

Commercial:


• AppScan

• IBM Appscan

• Tenable Nessus

• eEye Retina

6. Information Security Audit Methodology : Standard (OSSTM, OWASP, PCI DSS, PA DSS, PCI ASV, FISAP, HIPAA, TG3 Certification, EI3PA Certification, ISO27001, ITIL, CoBIT, NIST 800-30, ISO27005, CIS Benchmarks)

7. Information Security Audits carried out so far :

Govt. : 0

PSU : 0

Private : 55

Total Nos. of Information Security Audits done : 55

8. Business domain of auditee organisations : Banking & Finance, Telecom, Manufacturing, Retail, Government, Health, Logistics, Insurance

9. Typical applications in use by auditee organisations : Web, Banking & Financial Applications, Mobile Applications, Payment Applications, Billing Applications

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 4 Mbps

11. Networked infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 30

No. of Servers : 45

No. of Switches : 4

No. of Routers : 1

No. of Firewalls : 2

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s CyberQ Consulting Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : CyberQ Consulting Pvt. Ltd., New Delhi

2. Carrying out Information Security Audits since : 2002

3. Technical manpower deployed for Information security audits :

CISSPs : 0

BS7799 / ISO27001 LAs : 4

CISAs : 4

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 28

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 44

Commercial : 1

Proprietary: 3

Total Nos. of Information Security Audit Tools : 48

Details of the Information Security Audit Tools

Freeware Tools :

1. Metasploit 3.2 - Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research.

2. Backtrack 3 - A Linux distribution, distributed as a Live CD, which resulted from the merger of WHAX and the Auditor Security Collection and is used for penetration testing.

3. Sam Spade – a Windows software tool designed to assist in tracking down sources of e-mail spam

4. Telnet – Can report information about an application or service; i.e., version, platform

5. Tcpdump – is a common packet sniffer that runs under the command line

6. Nmap 5.00 – powerful tool available for Unix that finds ports and services available via IP

7. Hping2 – powerful Unix based tool used to gain important information about a network

8. P0F – A versatile passive OS fingerprinting tool

9. Netcat – others have quoted this application as the “Swiss Army knife” of network utilities

10. Ping – Available on most every platform and operating system to test for IP connectivity

11. Traceroute – maps out the hops of the network to the target device or system

12. Tcptraceroute – traceroute implementation using TCP packets

13. Queso – can be used for operating system fingerprinting

14. WebInspect – Vulnerability Scanner

15. Assuria – System Scanner

16. Microsoft baseline analyzer – Specific for Microsoft O/S based system


17. Patchlink – for assessing patch status

18. nCircle – IP360

19. Nikto - Web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other problems

20. Curl – command line tool for transferring files with URL syntax

21. BurpSuite – Burp Suite is an integrated platform for attacking web applications

22. Ollydbg - Debugger that emphasizes binary code analysis, which is useful when source code is not available

23. SNMP walk – To audit SNMP enabled devices

24. Cain & Abel - The top password recovery tool for Windows

25. Brutus - This Windows-only cracker bangs against network services of remote systems, trying to guess passwords by using a dictionary and permutations thereof

26. LC4 – is the award-winning password auditing and recovery application, L0phtCrack.

27. Legion – SMB based tool

28. GetAcct – shows anonymous login information

29. Pwdump - A Windows password recovery tool

30. AMAP – Application mapper to verify the actual services running on the open port

31. Nslookup – Available on Unix and Windows Platforms

32. Whois Database – Available via any Internet browser client

33. ARIN – Available via any Internet browser client

34. Dig – Available on most Unix platforms and some web sites via a form

35. Web Based Tools – Hundreds if not thousands of sites offer various recon tools

36. Social Engineering - People are an organisation's greatest asset, as well as its greatest risk

37. Wireshark - It can capture wireless and Ethernet data and comes with some robust filtering capabilities.

38. Network Stumbler a.k.a. NetStumbler - Windows-based tool that easily finds wireless signals being broadcast within range

39. Kismet - One of the key functional elements missing from NetStumbler is the ability to display wireless networks that are not broadcasting their SSID.

40. Airsnort - Very easy to use tool that can be used to sniff and crack WEP keys. While many people bash the use of WEP, it is certainly better than using nothing at all.

41. AiroPeek / Omnipeek - Sniffing & network health check-up tool

42. CowPatty - Is used as a brute force tool for cracking WPA-PSK, considered the "New WEP" for home wireless security.

43. ASLeap - If a network is using LEAP, this tool can be used to gather the authentication data that is being passed across the network, and these sniffed credentials can be cracked. LEAP doesn't protect the authentication like other "real" EAP types, which is the main reason why LEAP can be broken

44. Cheops-ng - Cheops-ng is a network management tool for mapping and monitoring your network. It has host/network discovery functionality as well as OS detection of hosts

Commercial Tools :


1. Nessus Security Scanner (Professional feed) – Professional Vulnerability Scanner

Proprietary Tools :

1. CyberQ vulnerability database

2. Scripts for safe exploitation of vulnerabilities

3. CyberQ checklists

6. Information Security Audit Methodology : CISA, Own (CyberQ Method)

7. Information Security Audits carried out since empanelment till now :

Govt. : 458

PSU : 45

Private : 29

Total Nos. of Information Security Audits : 532

8. Business domain of auditee organisations : PKI, Consultancy, Software Development, Telecom, Financial Institutions, Government, PSUs, Energy, BPO/KPO, Manufacturing Design.

9. Typical applications in use by auditee organisations : PKI, ERP, Web, Client Server, MIS, Network Security Audit.

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 2000

No. of servers : 110

No. of switches : 60

No. of routers : 65

No. of firewalls : 1

No. of IDS' : 0

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Computer Sciences Corporation India Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Computer Sciences Corporation India Pvt. Ltd., NOIDA

2. Carrying out Information Security Audits since : 2005

3. Technical manpower deployed for information security audits :

CISSPs : 10

BS7799 / ISO27001 LAs : 10

CISAs : 9

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 31

4. Outsourcing of External Information Security Auditors / Experts : NO

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 7

Commercial : 5

Proprietary: 2

Total Nos. of Audit Tools : 14

Details of the Audit Tools

Freeware

1. Nmap

2. Hydra

3. John the Ripper

4. Cain & Abel

5. Wireshark

6. Ettercap

7. Firewalk

Commercial

1. McAfee Foundstone

2. Cenzic Hailstorm Pro

3. Tenable Nessus Pro

4. Metasploit Pro

5. MetaGeek Chanalyzer Pro


6. Information Security Audit Methodology : Based on ISO 27001

7. Information Security Audits carried out so far :

Govt. : 0

PSU : 0

Private : 5

Total Nos. of Information Security Audits done : 5

8. Business domain of auditee organisations : Visa and Immigration Services, Cloud Computing, BPO, Software development

9. Typical applications in use by auditee organisations : Web and E-commerce applications, Client server

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 16 Mbps

11. Networked infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 15000

No. of Servers : 64

No. of Switches : 168

No. of Routers : 8

No. of Firewalls : 8

No. of IDS' : 8

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Cyber Security Works Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Cyber Security Works Pvt. Ltd., Chennai

2. Carrying out Information Security Audits since : October 2008

3. Technical manpower deployed for information security audits :

CISSPs: 3

CISAs: 2

DISAs / ISAs: 0

Total Nos. of Technical Personnel: 8

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware: 19

Commercial: 6

Proprietary: 4

Total Nos. of Audit Tools: 29

Details of audit tools

Freeware Tools:

1. NMap

2. Paros Proxy

3. X-Scan

4. Wikto

5. Wireshark

6. SQL Power Injector

7. Metasploit

8. Tamper Data

9. SNMP Tool

10. Netcat

11. Dump Sec

12. Look@LAN

13. Nipper

14. Kismet

15. Airsnort

16. SQLmap

17. Dsniff

18. Scuba

19. DB Audit


Commercial Tools:

1. Webinspect

2. Retina

3. Languard

4. Acunetix

5. Nessus

6. Network Director

Proprietary Tools:

1. WEBSPLOIT™ (Vulnerability Assessment and Penetration Mining Engine)

2. VAPSPLOIT™ (Web Apps Vulnerability Assessment & Penetration Framework)

3. DPT™ (Dynamic Penetration Testing Toolkit)

4. DCAT™ (Digital Crime Analysis Tracking Toolkit)

6. Information Security Audit Methodology : OWASP, ISO27001, COBIT

7. Information Security Audits carried out so far:

Govt.: 6

PSU: 2

Private: 6

Total Nos. of Information Security Audits done: 14

8. Business domain of audited organizations: Banking, Financial, Power and Energy, Government, e-Governance, Media, ISP

9. Typical applications in use by audited organizations: ERP , Web Based, Client-Server

10. Typical bandwidth (maximum) of any audited organization :

Internal Bandwidth (LAN / Intranet): 1 Gbps

External Bandwidth (WAN / Internet): 140 Mbps

11. Networked infrastructure details of the organization audited with the most complex network:

No. of Computer Systems: 8000

No. of Servers: 400

No. of Switches: 100

No. of Routers: 60

No. of Firewalls: 1

No. of IDS': 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Deccan Infotech Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation: Deccan Infotech (P) Ltd, Bangalore

2. Carrying out Information Security Audits since : July 1998

3. Technical manpower deployed for security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 2

CISAs : 5

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 9

4. Outsourcing of External IT Security Auditors / Experts : No

Security Audit Tools used (owned, in possession) :

Freeware : 26

Commercial : 10

Proprietary: 0

Total Nos. of Audit Tools : 36

Details of the Audit Tools

Freeware

1. NMAP - Scans the network for specific information (active reconnaissance): checks for open ports and services. Some of the tools listed here also act as vulnerability assessment, patch management and password auditing tools. Different kinds of scanning techniques may be used, such as open scan, half-open scan, stealth scan, sweeps, etc.

2. Demon dialer - War Dialers

3. Dsniff - Sniffers

4. Snort - Sniffers

5. Ethereal - Sniffers

6. WinDump - Sniffers

7. Etherpeek - Sniffers

8. ARP Spoofing - Sniffers

9. Man-in-the-middle SMB/relay / SMB grind - Man-in-the-middle attacks involve positioning oneself between two systems and actively participating in the connection to gather data

10. AKL - Key Loggers: used to monitor and record keystrokes, keyword detection, screen activity, all applications, emails, chat clients etc.

11. Hunt - Session Hijacking: tools to hijack TCP sessions; listen, intercept and hijack active sessions.

12. TTY Watcher - Session Hijacking: tools to hijack TCP sessions; listen, intercept and hijack active sessions.


13. T-Sight - Session Hijacking: tools to hijack TCP sessions; listen, intercept and hijack active sessions.

14. IIS Hack/IIS - Buffer Overflow

15. KOEI.exe / ISAPI DLL - Buffer Overflow

16. IIS exploit - Buffer Overflow

17. IIS Crack - Buffer Overflow

18. IPP Printer Buffer Overflow - Buffer Overflow

19. Web Cracker - Web based password cracking

20. Brutus - Web based password cracking

21. Munga Bunga - Web based password cracking

22. SQL Injection - Attack methodology that targets the data residing in the database through the firewall that shields it.

23. Trojan maker - Creating Viruses, worms and trojans

24. Sub Seven - Creating Viruses, worms and trojans

25. LOKI - Creating Viruses, worms and trojans

26. 007 shell - Creating Viruses, worms and trojans

Commercial

1. Symantec Net Recon -- Scans the network for specific information (active reconnaissance): checks for open ports and services. Some of the tools listed here also act as vulnerability assessment, patch management and password auditing tools. Different kinds of scanning techniques may be used, such as open scan, half-open scan, stealth scan, sweeps, etc.

2. Shadow Security Scanner -- Scans the network for specific information (active reconnaissance): checks for open ports and services. Some of the tools listed here also act as vulnerability assessment, patch management and password auditing tools. Different kinds of scanning techniques may be used, such as open scan, half-open scan, stealth scan, sweeps, etc.

3. GFI LANguard scanner -- Scans the network for specific information (active reconnaissance): checks for open ports and services. Some of the tools listed here also act as vulnerability assessment, patch management and password auditing tools. Different kinds of scanning techniques may be used, such as open scan, half-open scan, stealth scan, sweeps, etc.

4. Netscan Pro -- Scans the network for specific information (active reconnaissance): checks for open ports and services. Some of the tools listed here also act as vulnerability assessment, patch management and password auditing tools. Different kinds of scanning techniques may be used, such as open scan, half-open scan, stealth scan, sweeps, etc.

5. IP-eye -- Scans the network for specific information (active reconnaissance): checks for open ports and services. Some of the tools listed here also act as vulnerability assessment, patch management and password auditing tools. Different kinds of scanning techniques may be used, such as open scan, half-open scan, stealth scan, sweeps, etc.

6. DOS & DDOS -- Involves breaking into several machines all over the Internet. The attacker then installs DDOS software such as Ping of Death, SSPING, SMURF, LAND EXPLOIT, SYN FLOOD, etc. to launch coordinated attacks on the victim's computer


7. LOPHT Crack -- Password cracker; uses a combination of dictionary and brute force attacks with a list of commonly used words.

8. John the Ripper -- Password cracker: uses a combination of dictionary and brute-force attacks with a list of commonly used words.

9. Spector Soft -- Key logger: used to monitor and record keystrokes, keyword detection, screen activity, all applications, e-mails, chat clients, etc.

10. E-Blaster -- Key logger: used to monitor and record keystrokes, keyword detection, screen activity, all applications, e-mails, chat clients, etc.

5. Security Audit Methodology : COBIT, BS7799, ISO27001, OWASP, OCTAVE, OSSTM

6. Security Audits carried out since empanelment till now :

Govt. : 0

PSU : 2

Private : 0

Total Nos. of Security Audits : 2

7. Business domain of auditee organisations : Banking, Shipping, BPO

8. Typical applications in use by auditee organisations : Core Banking, HelpDesk

9. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 M bps

External Bandwidth (WAN / Internet) : 2 M bps

10. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 4

No. of Computer Systems : 800

No. of routers : 0

No. of switches : 1

No. of firewalls : 1

No. of IDS' : 1

11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Deloitte Touche Tohmatsu India Pvt. Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organization : Deloitte Touche Tohmatsu India Pvt. Ltd

2. Carrying out Information Security Audits since : 1999

3. Technical manpower deployed for information security audits :

CISSPs : 17

BS7799 / ISO27001 LAs : 24

CISAs : 100

DISAs / ISAs : 100

Total Nos. of Technical Personnel : 290

4. Outsourcing of External Information Security Auditors / Experts: Not Applicable.

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 27

Commercial : 9

Proprietary: 3

Total Nos. of Audit Tools : 39

List of Tools used

Freeware:

• Xprobe

• Dnssecwalker

• Tcpdump/tcpshow

• Dsniff

• Ettercap

• Ethereal

• Fping/ Hping

• Queso

• Nmap

• SuperScan

• Netwag

• Firewalk

• Q-Tip

• Jack the Ripper

• Crack 5.0a

• NGS SQLCrack

• Hydra

• Cain and Abel


Commercial:

• AppScan

• LC4 (formerly L0phtcrack)

• Nessus

• Internet Security Scanner

• IP-Traf

• Firewalk

• Iris

• WS Ping ProPack

• SolarWinds

6. Information Security Audit Methodology : Own : Deloitte Methodology (Please refer Annexure I)

7. Information Security Audits carried out so far :

Govt. : 5+

PSU : 15+

Private : 150+

Total Nos. of Information Security Audits done : 170+

8. Business domain of auditee organizations : Banking & Finance, Information Technology, Third Party Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.

9. Typical applications in use by auditee organizations : Enterprise Resource Planning (ERPs), Web Services & Web Applications, etc.

10. Typical bandwidth (maximum) of any auditee organizations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 10 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : > 70000

No. of Servers : 500

No. of Switches : 100

No. of Routers : 50

No. of Firewalls : 25

No. of IDS' : 10

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Digital Age Strategies Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : Digital Age Strategies Pvt. Ltd., Bangalore

2. Carrying out Information Security Audits since : March 2004

3. Technical manpower deployed for security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 5

CISAs : 10

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 17

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 11

Commercial : 3

Proprietary: 0

Total Nos. of Audit Tools : 14

Details of the Audit Tools

Freeware

1. Winaudit Ver 2.00 - System & HW Audit

Commercial

1. Idea 2004 - ETL & Data Format

2. Iaudit Net Ver 1.02 - ETL & Data Integrity

6. Security Audit Methodology : CoBIT, OWASP, ISACA, ISO 27001

7. Security Audits carried out since empanelment till now :

Govt. : 167

PSU : 112

Private : 412

Total Nos. of Security Audits : 691

8. Business domain of auditee organisations :

Bank,Stock Exchange, BPO, Government, Financial Sector, Insurance and Manufacturing.

9. Typical applications in use by auditee organisations :

Internet Banking / Core Banking Application Package, TBA Packages, Web Applications, Online Trading Packages.

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 M bps

External Bandwidth (WAN / Internet) : 2 M bps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 50

No. of Computer Systems : 4030

No. of routers : 443

No. of switches : 485

No. of firewalls : 7

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Ernst & Young Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name, Location of the empanelled IT Security Auditing organisation : Ernst & Young Pvt. Ltd., Chennai

2. Carrying out Information Security Audits since : January 2001

3. Technical manpower deployed for IT security audits :

CISSPs : 9

BS7799 / ISO27001 LAs : 2

CISAs / CISM : 65

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 145

4. Outsourcing of External IT Security Auditors / Experts : No

5. IT Security Audit Tools used (owned, in possession) :

Freeware : 9

Commercial : 8

Proprietary: 9

Total Nos. of Audit Tools : 26

Details of the IT Security Audit Tools

Freeware

1. Nmap - Port scanner

2. Nessus - Vulnerability scanner

3. Nikto - Web server/application vulnerability scanner

4. Ethereal - Protocol analyzer

5. Somersoft - Security configuration, registry entries and access control lists on systems running the Windows operating system.

Commercial

1. App Detective - Vulnerability assessment and review of security configuration of MySQL, Oracle, Sybase, IBM DB2, MS SQL Server, Lotus Notes/Domino, Oracle Application Server, Web Applications.

2. Bv-Control Suite - Security assessment - Microsoft Windows, Active Directory, Microsoft Exchange, Microsoft SQL Server, UNIX (Sun Solaris, HP-UX, AIX, Red Hat and SUSE Linux), Internet Security, Check Point Firewall-1

3. HP WebInspect - Web Application Security assessment

4. IPLocks VA - Database configuration and vulnerability assessment

5. eEye Retina - Network Security scans and IT infrastructure vulnerability assessment

6. Immunity Canvas - Vulnerability exploitation framework for penetration tests

7. eTrust - Online vulnerability management framework.


8. Bv-Control - Security and segregation of duty review for SAP

Proprietary

1. iNTerrogator - Review of security configuration of systems running the windows operating system.

2. *nix scripts - A collection of scripts to assess the security configuration including file level ACLs on *nix systems (SCO OpenServer, Linux, HP-UX, AIX, Solaris, *BSD).

3. Spider - Web application security assessment

4. FakeOra - Security assessment of 2-tier applications that use Oracle 8i (and above) as RDBMS.

5. S-SAT - A travelling SAP Security tool.

6. Permit - ERP risk assessment and control solution tool.

7. Assessor - Configuration review of Oracle Financials system.

8. WebSmack - Web Application inventory and vulnerability assessment .

9. EY/Mercury - Web based technical work plan generator to perform security configuration review of IT infrastructure.

6. IT Security Audit Methodology : Beyond Standard

7. IT Security Audits carried out since empanelment till now :

Govt. : 4

PSU : 7

Private : 68

Total Nos. of Security Audits : 79

8. Business domain of auditee organisations : Banking, Financial Services, Software Development, Telecom, FMCG, Manufacturing.

9. Typical applications in use by auditee organisations : Online Banking Solutions, Stock Trading Platforms, Online / Mobile Payment Solutions, ERP, CRM, Billing Systems, Corporate Websites.

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 150 Mbps

External Bandwidth (WAN / Internet) : 20 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 10000

No. of servers : 600

No. of switches : 400

No. of routers : 400

No. of firewalls : 15

No. of IDS' : 24

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Financial Technologies(India)Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Financial Technologies(India)Ltd, Mumbai

2. Carrying out Information Security Audits since : 2003.

3. Technical manpower deployed for information security audits :

CISSPs / CISMs: 5

BS7799 / ISO27001 LAs : 6

CISAs : 14

DISAs / ISAs : 4

Total Nos. of Technical Personnel : 78

4. Outsourcing of External Information Security Auditors / Experts : NA

Information Security Audit Tools used (owned, in possession) :

Freeware : 15

Commercial : 3

Proprietary: 2

Total Nos. of Audit Tools : 20


List of Tools used

Freeware:

• Nmap - Port scanner

• netcat – Networking Utility

• SNMP Scanner - Router and network management

• Metasploit – Penetration testing tool

• RAT - Cisco Router configuration analyzing tool

• MBSA – Windows Security Assessment

• Wireshark – Network Traffic sniffing tool

• Wikto – Web application scanner

• Johntheripper – Password cracking tool

• Acunetix - Web application scanner

• Firefox with addons – Source code reviewing tool

• DumpSec - Windows Security Assessment

• Achilles – Proxy application

• Brutus - Password cracking tool

• Hping2 – Packet crafting tool

Commercial:


• Nessus – Network / OS Vulnerability Assessment tool

• HP Web inspect – Web application scanner

• Network General's Sniffer with WAN book - Sniffer Portable™ - Network fault and performance management tool

5. Information Security Audit Methodology : ISO / IEC 27001:2005, COBiT, PCIDSS, OWASP.

6. Information Security Audits carried out so far :

Govt. : 1

PSU : 0

Private : 25

Total Nos. of Information Security Audits done : 26

7. Business domain of auditee organisations : Banks, Insurance Cos., Asset Management Cos., Financial Institutions, Brokerage Firms, Manufacturing, Media, Government, Retail.

8. Typical applications in use by auditee organisations : Multi tier, Client Server, Web Applications, Databases, SAP, ERP, CRM.

9. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 gbps

External Bandwidth (WAN / Internet) : 40 mbps

10. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 1000

No. of Servers : 100

No. of Switches : 40

No. of Routers : 75

No. of Firewalls : 4

No. of IDS' : 2

11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Haribhakti & Co.

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Haribhakti & Co. (CA), Mumbai

2. Carrying out Information Security Audits since : July 1998

3. Technical manpower deployed for Information security audits :

CISSPs : 0

BS7799 / ISO27001 LAs : 3

CISAs : 10

DISAs / ISAs : 6

Total Nos. of Technical Personnel : 21

4. Outsourcing of External Information Security Auditors / Experts : Yes

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 3

Commercial : 3

Proprietary: 0

Total Nos. of Information Security Audit Tools : 6

Details of the Information Security Audit Tools

Freeware Tools

1. Nessus - Vulnerability Assessment

2. NMAP - Port Scanner

3. IP Tools - Network

Commercial Tools

1. App Detective - Database Vulnerability

2. GFI-Languard - Network Vulnerability

3. Acunetix

Proprietary Tools

None

6. Information Security Audit Methodology : COSO & COBIT, ISO 27001, BS 25999

7. Information Security Audits carried out since empanelment till now :

Govt. : 4

PSU : 8

Private : 24

Total Nos. of Security Audits : 26

8. Business domain of auditee organisations : Tax Information Network, Depository, Banking & Financial Services, Insurance, Call Centres, Regulators

9. Typical applications in use by auditee organisations : Online/Internet Trading, Dealing Room, Depository Participant Modules, Treasury, CBS, Core Insurance, Bank Call Centre, Electronic Procurement, OLTAS

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 300

No. of servers : 20

No. of switches : 10

No. of routers : 300

No. of firewalls : 3

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/S HEXAWARE TECHNOLOGIES LTD

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : M/S HEXAWARE TECHNOLOGIES LTD

2. Carrying out Information Security Audits since : 2003

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 3

CISAs : 4

DISAs / ISAs :

CEHs : 4

LPT (Licensed Penetration Tester) : 1

CPTS (Certified Penetration Testing Specialist) : 1

Total Nos. of Technical Personnel : 25

4. Outsourcing of External Information Security Auditors / Experts : NIL

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 25

Commercial : 4

Proprietary :

Total Nos. of Audit Tools : 29

Details of the Audit Tools

Freeware:

1. Nmap

2. Nping

3. Ncat

4. Nikto

5. NetStumbler

6. Wireshark

7. W3af

8. Metasploit

9. Paros Proxy

10. BackTrack

11. Tcpdump

12. Sqlmap

13. ScanDNS

14. Grendel

15. DirBuster

16. Brutus

17. Samurai Web Testing Framework

18. Crack

19. Google

20. Whisker

21. CrypTool

22. TCPtraceroute

23. NStalker

24. Snort

25. John the Ripper

Commercial:

1. Acunetix

2. Nessus

3. Saint

4. GFI Languard

6. Information Security Audit Methodology : ISO27001, OWASP

7. Information Security Audits carried out so far :

Govt. : 1

PSU :

Private : 25+

Total Nos. of Information Security Audits done : 26+

8. Business domain of auditee organisations : IT and Process Outsourcing Services

9. Typical applications in use by auditee organisations : Peoplesoft HRMS, Peoplesoft Finance, Microsoft CRM, Glodyne Whizible Suite, Borland StarTeam, MS Exchange

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 80 Mbps

External Bandwidth (WAN / Internet) : 35 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 5000

No. of Servers : 300

No. of Switches : 300

No. of Routers : 20

No. of Firewalls : 10

No. of IDS / IPS : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s HCL Comnet Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : HCL Comnet Ltd., Noida

2. Carrying out Information Security Audits since : January 2001

3. Technical manpower deployed for information security audits :

CISSPs : 10

BS7799 / ISO27001 LAs : 9

CISAs : 6

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 350

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 21

Commercial : 9

Proprietary: 0

Total Nos. of Audit Tools : 30

Details of the Audit Tools

Freeware

1. Nessus -- Vulnerability Assessment

2. Database Scanner -- Vulnerability Assessment

3. NetRecon -- Vulnerability Assessment

4. Metasploit -- Penetration Testing

5. Underground Script -- Penetration Testing

6. Wax -- Penetration Testing

7. IMP -- Password Crackers for Penetration Testing

8. Pandora -- Password Crackers for Penetration Testing

9. Crack -- Password Crackers for Penetration Testing

10. John the Ripper -- Password Crackers for Penetration Testing

11. Cisco Crack -- Password Crackers for Penetration Testing

12. Nmap -- Port Scanners

13. Super Scan -- Port Scanners

14. Service Scanner -- Port Scanners

15. Cis-Rat -- to perform audit for Cisco Routers and PIX Firewall by assessing configuration files.

16. nslookup -- to perform initial information gathering of the Network.

17. Ping -- to perform initial information gathering of the Network.

18. traceroute -- to perform initial information gathering of the Network.

19. Whois -- to perform initial information gathering of the Network.


20. Finger -- to perform initial information gathering of the Network.

Commercial

1. ISS -- Vulnerability Assessment

2. Qualys Guard -- Vulnerability Assessment

3. Core Impact -- Penetration Testing

4. L0phtCrack -- Password Crackers for Penetration Testing

5. Apps Scan -- Application Assessment

6. Web Inspect -- Web Application Assessment

7. App Detective -- Application and Database Assessment

6. Information Security Audit Methodology : Own

7. Information Security Audits carried out since empanelment till now :

Govt. : 0

PSU : 0

Private : 55

Total Nos. of Security Audits : 55

8. Business domain of auditee organisations : Banking & Finance, SW, Manufacturing & Development, IT & ITES

9. Typical applications in use by auditee organisations : NA

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 1 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 500

No. of servers : 30

No. of switches : 45

No. of routers : 2

No. of firewalls : 3

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s IBM India Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : IBM India Pvt Ltd, Mumbai

2. Carrying out Information Security Audits since : Year 2000

3. Technical manpower deployed for information security audits :

CISSPs : 15

BS7799 / ISO27001 LAs : 30

CISAs : 15

DISAs / ISAs : NA

Total Nos. of Technical Personnel : 400

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 14

Commercial : 6

Proprietary: 5

Total Nos. of Audit Tools : 25

List of Tools used

Freeware:

1. Metasploit: Penetration Testing Framework

2. NMAP : Port scanner

3. RAT : Router and firewall benchmarking

4. Wireshark - Protocol analyzer

5. MBSA : Windows security assessment

6. Nikto : Web Applications security

7. SNMPWalk : Router and network management

8. Cain & Abel : Traffic sniffing and Password cracking

9. Brutus : Password cracking

10. JohntheRipper : Password cracking

11. W3AF: Application auditing framework

12. Maltego: Intelligence and forensics application.

13. Unicornscan: Port Scanner and Information gathering.

14. Burp: Web proxy tool.

Commercial:

1. Nessus : Network Vulnerability Assessment

2. IBM Appscan : Web Systems & Applications security

3. Retina : Vulnerability Scanner

4. ISS : Vulnerability Scanner

5. Immunity Canvas : Penetration Testing Framework


6. Modulo: GRC Framework

Proprietary Tools:

1. Windows server Security assessment scripts

2. Unix/Linux/AIX server security assessment scripts

3. Oracle security assessment scripts

4. MSSQL security assessment scripts

5. ASP and Java Scripts : Web application assessment

6. Information Security Audit Methodology : ISO27001, COBIT, ISF (IBM Security Framework), OWASP, IBM Penetration Testing methodology.

7. Information Security Audits carried out so far :

Govt. : 5

PSU : 5

Private : 50

Total Nos. of Information Security Audits done : 60

8. Business domain of auditee organisations : Government, PSU, ITES, Manufacturing, Financial Services, Banking, Telecom

9. Typical applications in use by auditee organisations : Web Applications, Client Server, Banking, ERP, CRM, Telecom Applications

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps- 1Gbps

External Bandwidth (WAN / Internet) : 2Mbps to 10 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 2500

No. of Servers : 250

No. of Switches : 200

No. of Routers : 80

No. of Firewalls : 15

No. of IDS' : 5

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s IDBI Intech Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : IDBI Intech Ltd.

2. Carrying out Information Security Audits since : November 2007

3. Technical manpower deployed for information security audits :

CISA : 15

CRISC : 2

CGEIT : 2

CEH : 5

BS25999 :1

Managed Security Service Professional : 11

BS7799/ISO27001 LA's : 7

Total Nos. of Technical Personnel: 900 +

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 17

Commercial : 2

Proprietary: 1

Total Nos. of Audit Tools: 20 (Details in the Attached File)

Details of the Audit Tools

Freeware

1. Nmap -- Port scanning & OS fingerprinting tool

2. Nessus -- Vulnerability scanning tool

3. Webscarab -- Captures requests & tests parameter manipulation

4. Burp proxy -- Captures requests & tests parameter manipulation

5. Wireshark -- Sniffs the data flowing on the network

6. Hydra -- Password brute forcing

7. W3af -- Application security scanner

8. Crowbar -- Password brute forcing

9. Paros -- A web application vulnerability assessment proxy

10. Wapiti -- Checks for SQL injection

11. Nikto -- Checks for web directory browsing

12. Metasploit -- Exploits vulnerabilities existing in applications

13. OpenVAS -- Vulnerability scanning

14. Grendelscan -- Performs application security testing

15. SQLbrute -- Checks for SQL injection vulnerabilities

16. SQLiX -- Checks for SQL injection vulnerabilities

17. Httprint -- Web server fingerprinting


Commercial

ACL Desktop Edition -- Auditing tool for data analysis, data cleansing and exception reporting from ACL Services Ltd.

Proprietary

Customized script -- To perform the relay check & DNS checks

6. Information Security Audit Methodology : Own; also COBIT, ISO27001, PCI-DSS, OWASP and OSSTMM.

7. Information Security Audits carried out since empanelment till now :

Govt. : 5

PSU : 9

Private : 7

Total Nos. of Security Audits : 26

8. Business domain of auditee organisations : Banking and Financial services

9. Typical applications in use by auditee organisations : Finacle CBS, NSIPO, BSE Back office software, ICRA Online MF, Endorser, Crimson logic Stamping, Snorkel, Transnet, Lidha-Didha and Other In-House developed Applications.

10. Typical bandwidth (maximum) of any auditee organisations

Internal Bandwidth (LAN / Intranet) : 256 kbps

External Bandwidth (WAN / Internet): 8mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 2000

No. of servers : 150

No. of switches : 250

No. of routers : 250

No. of firewalls : 1

No. of IDS : 5

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Indusface Consulting Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Indusface Consulting Pvt Ltd, Baroda

2. Carrying out Information Security Audits since : July 2004

3. Technical manpower deployed for information security audits :

CISSPs : 8

BS7799 / ISO27001 LAs : 12

CISAs : 1

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 40

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 40

Commercial : 2

Proprietary: 0

Total Nos. of Audit Tools : 42

Details of the Audit Tools

Freeware : Information yet to be provided to CERT-In

Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : ISO27001, COBIT, OWASP, OSSTMM, PCI

7. Information Security Audits carried out since empanelment till now :

Govt. : 250

PSU : 35

Private : 15

Total Nos. of Information Security Audits done : 300

8. Business domain of auditee organisations : Finance, Healthcare, Government, Software / ITES, Manufacturing, Power (Energy-utilities), Banking

9. Typical applications in use by auditee organisations : Banking, Web 2.0, Billing, PKI, Oracle ERP, VAT, Document Management System, Content Management System, e-Tender

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 6 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 1500

No. of servers : 90


No. of switches : 30

No. of routers : 4

No. of firewalls : 4

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Information Systems Auditors & Consultants Pvt Ltd

Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Information Systems Auditors & Consultants Pvt Ltd, Mumbai

2. Carrying out Information Security Audits since : July 1997

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 1

CISAs : 5

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 6

4. Outsourcing of information security auditing work to other external Information Security Auditors / Experts : Yes

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 6

Commercial : 0

Proprietary: 0

Total Nos. of Audit Tools : 6

Details of the Audit Tools

Freeware :

Information yet to be provided to CERT-In

Proprietary :

Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT

7. Information Security Audits carried out since empanelment till now :

Govt. : 1

PSU : 2

Private : 13

Total Nos. of Security Audits : 16

8. Business domain of auditee organisations : IT Governance, Banking, Pharma

9. Typical applications in use by auditee organisations : Banking, ERP, web, MIS

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 16 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 2000

No. of servers : 55

No. of switches : 200

No. of routers : 175

No. of firewalls : 2

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s iSec Services Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : iSec Services Pvt Ltd, Mumbai

2. Carrying out Information Security Audits since : January, 2003

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 8

CISAs : 1

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 14

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 25

Commercial : 0

Proprietary: 0

Total Nos. of Audit Tools : 25

Details of the Audit Tools

Freeware :

1. Nessus

2. Whisker

3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector

4. DOMTOOLS - DNS-interrogation tools

5. SARA - Vulnerability scanner

6. RAT

7. Nikto - This tool scans for web-application vulnerabilities

8. Snort - IDS

9. Firewalk - Traceroute-like ACL & network inspection/mapping

10. Hping - TCP ping utility; Dsniff - Passively monitors a network for interesting data (passwords, e-mail, files, etc.) and facilitates the interception of network traffic normally unavailable to an attacker

11. HTTrack - Website Copier

12. Chkrootkit - Rootkit discovery tool

13. John the Ripper - Password-cracking utility

14. Paros

15. NMAP - The famous port-scanner

16. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs


17. Nemesis - Packet injection suite

18. NetCat - Swiss Army-knife, very useful

19. RAT – CISecurity’s Router Auditing Tool

20. DSniff - A collection of different purpose sniffers

21. Achilles - An SSL-proxy allowing to change data

22. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection

23. Brutus – password cracking for web applications, telnet, etc.

24. WebSleuth - web-app auditing tool

25. Metasploit framework

Commercial :

None

Proprietary :

None

6. Information Security Audit Methodology : OSSTM, OWASP, COBIT

7. Information Security Audits carried out so far:

Govt. : 0

PSU : 0

Private : 15

Total Nos. of Information Security Audits done : 15

8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Software development, Business process outsourcing

9. Typical applications in use by auditee organisations : Banking and Financial Applications, Trading Software

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 20 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 12000

No. of Servers : 150

No. of Switches : 100

No. of Routers : 40

No. of Firewalls : 8

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s iViZ Techno Solutions Pvt Ltd

M/s KPMG

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : KPMG, Gurgaon

2. Carrying out Information Security Audits since : September 1996

3. Technical manpower deployed for Information security audits :

CISSPs : 17

BS7799 / ISO27001 LAs : 17

CISAs : 50

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 200

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 19

Commercial : 12

Proprietary: 7

Total Nos. of Information Security Audit Tools : 38

Details of the Information Security Audit Tools

Freeware Tools :

1. NMAP - Network security

2. NetStumbler - Network security

3. AirSnort - Network security

4. SuperScan - Network security

5. Nikto - Web Systems & Applications security

6. THC - Web Systems & Application security

7. CIS - Local Systems & Applications security

8. As400 - Local Systems & Applications security

9. CAIN - Password cracking

10. Brutus - Password cracking

11. JohntheRipper - Password cracking

12. SNMPWalk - Router and network management

13. SNMP Scanner - Router and network management

14. RIP query - Router and network management

15. RAT - Router and network management

16. DumpSec - Windows security

17. Wireshark - Network sniffing

18. MBSA - Windows security

19. SQL Scan - Database security

Commercial Tools :

1. ISS Internet - Network security

2. Webinspect - Web Systems & Applications security

3. AppScan - Web Systems &Applications security

4. Bindview - Local Systems & Applications security

5. ISS DB - Database Security

6. AppDetective - Database Security

7. Nessus - Network security

8. Power Tech

9. VeloSecure

10. IPLocks - Database Security

11. Qualsys Guard

12. Core Impact

Proprietary Tools :

1. *nix Scripts - Security Configuration review of *nix systems

2. Database Scripts - Security Configuration review of databases

3. SAP Security Explorer - Security and Configuration review of SAP

4. CHILLI (V. 1.2.0) - Network Discovery

5. OSCR - Oracle Security Review

6. KPMG Application Quality Assessment Tool

7. AS/400 User Profile Analysis - Security Review

6. Information Security Audit Methodology : Beyond Standard, COBIT, ISO27001

7. Information Security Audits carried out since empanelment till now :

Govt. : 10

PSU : 50

Private : 230

Total Nos. of Security Audits : 290

8. Business domain of auditee organisations : Financial Services, InfoTech, Communication, Entertainment, Infrastructure, Government, Marketing

9. Typical applications in use by auditee organisations : ERP, Email, Client-Server, Web based, Workflow, Collaboration

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 100 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 20000

No. of servers : 400

No. of switches : 150

No. of routers : 80

No. of firewalls : 30

No. of IDS' : 45

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Locuz Enterprise Solutions Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Locuz Enterprise Solutions Ltd, Hyderabad

2. Carrying out Information Security Audits since : August 2001

3. Technical manpower deployed for security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 4

CISAs : 3

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 35

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 6

Commercial : 5

Proprietary: 1

Total Nos. of Audit Tools : 12

Details of the Information Security Auditing Tools

Freeware Tools

1. OSSIM : Network & System Scan + SCM +SIM

2. Nmap : Network Scan

3. AirSnort : Network Scan

4. Ethereal : Sniffing

5. Metasploit : PT

6. Crack

Commercial Tools

1. Locuz/Cisco PSA : Network and all Cisco device scans

2. CA-eTrust SCC : SOC with correlation engine

3. OCTAVE : Risk Management

4. Nessus : Vulnerability Assessments

5. Scan F1 : VA and Firewall Analyzer

Proprietary Tools

1. LITOC : Event correlation, Scan and Remediation

6. Security Audit Methodology : Own

7. Security Audits carried out since empanelment till now :

Govt. : 20

PSU : 2

Private : 15

Total Nos. of Security Audits : 37

8. Business domain of auditee organisations : Software Development, Banking, Manufacturing, e-Commerce, e-Governance, Pharmaceuticals

9. Typical applications in use by auditee organisations : ERP, Banking, e-Commerce, Customised applications.

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 2 Mbps

External Bandwidth (WAN / Internet) : 6 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of servers : 370

No. of Computer Systems : 1800

No. of routers : 6

No. of switches : 22

No. of firewalls : 4

No. of IDS' : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Microland Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : Microland, Bangalore

2. Carrying out Information Security Audits since : December 1998

3. Technical manpower deployed for security audits :

CISSPs : 3

BS7799 / ISO27001 LAs : 6

CISAs : 2

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 25

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 12

Commercial : 0

Proprietary: 0

Total Nos. of Audit Tools : 12

Details of the Information Security Audit Tools

Freeware Tools

Vulnerability Assessment and Penetration Testing

1. Nessus : Vulnerability scanner - Port scan / Vulnerability scan / web application security scan

2. Nikto : Web application vulnerability scanner

3. Superscan : Port scanner

4. Dsniff : collection of tools for network auditing and penetration testing

5. Whisker/Libwhisker : CGI vulnerability scanner

6. Network Stumbler : Tool to find open wireless access points

7. SARA : vulnerability assessment tool

8. Achilles : Web application security - proxy

9. Brutus : Password brute forcing tool

10. SPIKE Proxy : HTTP proxy for finding security flaws in web sites

11. Winfingerprint : Win32 Host/Network Enumeration Scanner

12. Auditor : Collection of Tools to conduct security audit.

Footprinting

1. Greenwhich

2. Whois

3. Gnetutil : Network Utilities

4. Itrace : ICMP traceroute

5. Tctrace : TCP traceroute

6. Traceroute

7. DNSwalk : DNS verification

8. Dig : DNS lookup

9. Host : DNS lookup

10. NSTXCD : IP over DNS client

11. NSTXD : IP over DNS server

12. Ozyman : DNS tunnel

13. Curl : URL transfer

14. Elinks : Console web browser

15. Konqueror : Web browser

16. Socat : Socket Cat

17. Stunnel : Universal SSL tunnel

18. Arpfetch : SNMP ARP/IP fetcher

19. SNMP Walk : SNMP tree walk

20. TKMib : MIB browser

21. Komba2 : KDE SMB browser

22. LinNeighborhood : Graphical SMB browser

23. Net utils : NET utilities

24. SMBClient : SMB client

25. SMBGet : SMB downloader

26. Smb4K : SMB share browser

27. Xsmbrowser : Graphical SMB browser

28. nmblookup : Netbios name lookup

29. smbdumpusers : User browser

30. smbgetserverinfo : Get server info

31. Cheops : Network neighborhood

32. NTP-fingerprint : Detection based on ntp fingerprint

33. Nmap : Network scanner

34. NmapFE : Graphical network scanner

35. P0f : Passive OS detection

36. Queso : OS detection

37. XProbe2 : OS detection

Scanning

1. Cisco global exploiter : Cisco scanner

2. Cisco torch : Cisco oriented scanner

3. ExploitTree search : ExploitTree collection

4. Metasploit : Metasploit commandline

5. Metasploit : Metasploit console GUI

6. Metasploit : Metasploit web interface

7. Nessus : security Scanner

8. Raccess : remote Scanner

9. Httprint : Webserver fingerprinting

10. Nikto : Webserver scanner

11. Stunnel : Universal SSL tunnel

12. Cheops : Network neighborhood

13. GTK-Knocker : Simple GUI portscanner

14. IKE-Scan : IKE scanner

15. Knocker : Simple portscanner

16. Netenum : Pingsweep

17. Netmask : Request netmask

18. Nmap : Network Scanner

19. NmapFE : Graphical network scanner

20. Proxychains : Proxifier

21. Scanrand : Stateless scanner

22. Timestamp : Requests timestamp

23. Unicornscan : Fast port scanner

24. Isrscan : Source routed packets scanner

25. Amap : Application identification

26. Bed.pl : Application fuzzer

27. SNMP-Fuzzer : SNMP protocol fuzzer

28. ScanSSH : SSH identification

29. Nbtscan : Netbios scanner

30. SMB-Nat : SMB access scanner

31. Ozyman : DNS tunnel

32. Ass : Autonomous system scanner

33. Protos : Protocol identification

Analyzer

1. AIM-SNIFF : AIM sniffer

2. Driftnet : Image sniffer

3. Mailsnarf : Mail sniffer

4. Paros : HTTP interception proxy

5. URLsnarf : URL sniffer

6. smbspy : SMB sniffer

7. Etherape : Network monitor

8. Ethereal : Network analyzer

9. Ettercap : Sniffer/Interceptor/Logger

10. Hunt : Sniffer/Interceptor

11. IPTraf : Traffic monitor

12. Ngrep : Network grep

13. NetSed : Network edit

14. SSLDump : SSLv3/TLS analyzer

15. Sniffit : Sniffer

16. TcPick : Packet stream editor

17. Dsniff : Password sniffer

Spoofing

1. Arpspoof : ARP spoofer

2. Macof : ARP spoofer/generator

3. Nemesis-ARP : ARP packet generator

4. Nemesis-Ethernet : Ethernet packet generator

5. CDP : CDP generator

6. DNSSpoof : DNS spoofer

7. Nemesis-DNS : DNS packet generator

8. DHCPX : DHCP flooder

9. Hping2 : Packet generator

10. ICMPRedirect : ICMP redirect packet generator

11. ICMPUSH : ICMP packet generator

12. Nemesis-ICMP : ICMP packet generator

13. Packit : Traffic inject/modify

14. TcPick : Packet stream editor

15. Yersinia : Layer 2 protocol injector

16. Fragroute : Egress rewrite

17. HSRP : HSRP generator

18. IGRP : IGRP injector

19. IRDP : IRDP generator

20. IRDPresponder : IRDP response generator

21. Nemesis-IGMP : IGMP generator

22. Nemesis-RIP : RIP generator

23. File2Cable : Traffic replay

24. Fragrouter : IDS evasion toolkit

25. Nemesis-IP : IP packet generator

26. Nemesis-TCP : TCP packet generator

27. Nemesis-UDP : UDP traffic generator

28. SendIP : IP packet generator

29. TCPReplay : Traffic replay

30. Etherwake : Generate wake-on-LAN

Bluetooth

1. BTScanner : Bluetooth scanner

2. Bluesnarfer : Bluesnarf attack

3. Ghettotooth : Bluetooth scanner

4. Kandy : Mobile phone tool

5. Obexftp : Obexftp ftp client

6. Phone manager

7. RFComm : Bluetooth serial

8. RedFang : Bluetooth bruteforce

9. USSP-Push : Obex-push

10. Xminicom : Terminal

Wireless

1. apmde.sht : Act as access point

2. Airpwn : Client penetration

3. Hotspotter : Client penetration

4. GpsDrive

5. start-gps-daemon : GPS daemon

6. stop-gps-daemon : GPS daemon

7. ASLeap : LEAP/PPTP cracker

8. Genkeys : Hash generator for ASLeap

9. Airforge

10. File2air : Packet injector

11. Void11

12. Void11-Hopper : Channel hopper

13. Gkismet : Graphical wireless scanner

14. GPSMAP : wireless mapping

15. KLV : Kismet Log Viewer

16. Kismet : Ncurses wireless scanner

17. Wellenreiter : Graphical Wireless scanner

18. 802ether : Dumpfile format convertor

19. airodump : Traffic recorder

20. aircrack : Modern WEP cracker

21. Aireplay : Wireless packet injector

22. Wep-Crack : Wep Cracker

23. Wep_Decrypt : Decrypt dump files

24. Airsnort : GUI based WEP cracker

25. ChopChop : Active WEP attack

26. DWEPCrack : WEP cracker

27. Decrypt : Dump file decrypter

28. WEPAttack : Dictionary attack

29. WEPlab : Modern WEP cracker

30. Cowpatty : WPA PSK bruteforcer

31. changemac.sh : MAC address changer

Bruteforce

1. ADMsnmp : SNMP bruteforce

2. Guess-who : SSH bruteforce

3. Hydra : Multi purpose bruteforce

4. K0ldS : LDAP bruteforce

5. Obiwan III : HTTP bruteforce

6. SMB-Nat : SMB access scanner

7. TFTP : bruteforce

8. VNCrack : VNC bruteforce

9. Xhydra : Graphical bruteforcer

Password Cracker

1. BKHive : SAM recovery

2. Fcrackzip : Zip password cracker

3. John : Multi-purpose password cracker

4. Default password list

5. Nasty : GPG secret key cracker

6. Rainbowcrack : Hash cracker

7. Samdump2 : SAM file dumper

8. Wordlists : Collection of wordlists

Forensics

1. Autopsy : Forensic GUI

2. Recover : Ext2 file recovery

3. Testdisk : Partition scanner

4. Wipe : Securely delete files

Honeypot

1. IMAP

2. POP3

3. Honeyd : Honeypot

4. IISEmulator : Honeypot

5. Tinyhoneypot : Simple honeypot

Commercial Tools

Proprietary Tools

6. Security Audit Methodology : BS7799, OSSTM, Own

7. Security Audits carried out since empanelment till now :

Govt. : NA

PSU : NA

Private : NA

Total Nos. of Security Audits : NA

8. Business domain of auditee organisations : Petro, Banking, Insurance, BPO

9. Typical applications in use by auditee organisations : Core Banking, SAP, Workflow

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 8 Mbps

External Bandwidth (WAN / Internet) : 4 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of servers : 243

No. of Computer Systems : 6000

No. of routers : 0

No. of switches : 91

No. of firewalls : 4

No. of IDS' : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s MIEL e-Security Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : MIEL e-Security, Mumbai

2. Carrying out Information Security Audits since : July 1999

3. Technical manpower deployed for information security audits :

CISSPs : 13

BS7799 / ISO27001 LAs : 25

CISAs : 10

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 50

4. Outsourcing of External Information Security Auditors / Experts : Yes

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 20

Commercial : 1

Proprietary: 6

Total Nos. of Audit Tools : 27

Details of the Audit Tools

Freeware : Information yet to be provided to CERT-In

Proprietary : Information yet to be provided to CERT-In

Information Security Audit Methodology : OSSTMM, OWASP, ISO/IEC 27001, COBIT

6. Information Security Audits carried out since empanelment till now :

Govt. : 11

PSU : 15

Private : 110

Total Nos. of Security Audits : 136

7. Business domain of auditee organisations : BFSI, IT/ITES, Manufacturing, Shipping & Logistics, FMCG, Pharma, PSUs, Aviation, Energy

8. Typical applications in use by auditee organisations : Core Banking, Ticketing, Client-Server, Web Server

9. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

10. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 1000

No. of servers : 15

No. of switches : 75

No. of routers : 75

No. of firewalls : 75

No. of IDS' : 0

11. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Network Intelligence India Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Network Intelligence India Pvt. Ltd., Mumbai

2. Carrying out Information Security Audits since : July 2001

3. Technical manpower deployed for Information security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 6

CISAs / CISMs : 2

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 21

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 25

Commercial : 3

Proprietary : 2

Total Nos. of Audit Tools : 30

Details of audit tools

Freeware

1. Nmap

2. Nessus

3. Burpsuite

4. Firefox plugins

5. Hydra

6. Paros Proxy

7. Brutus AES

8. Ikescan

9. Ipsecscan

10. Cain & Abel

11. John the Ripper

12. Netstumbler

13. Kismet

14. WEPCrack

15. Nipper

16. RATS

17. Unix shell scripts

18. Grease Monkey

19. Wireshark

20. Wikto/Nikto

21. Netcat

22. Phonesweep

23. MBSA

24. SNMPWalk

25. Ophcrack

Proprietary

• AuditPro

AuditPro Enterprise Edition is a proprietary security auditing and compliance tool used by many organizations and auditors across the world. NII has developed this proprietary technology to help organizations define assets, policies, and audit systems against these policies. Supported technologies include Windows (all versions up to 2008), Unix (Sun Solaris, AIX, Linux), Oracle (8i, 9i, 10g and 11g), and SQL Server (2000 and 2005).

• Firesec

Firesec is an in-depth security and configuration audit tool for firewalls – helps review policy conflicts, unused policy rules, groupable rules, unused configuration objects, as well as helps check for PCI DSS compliance. Supported firewalls include Cisco, Netscreen, Cyberguard and Checkpoint.

Commercial

• CodeSecure

CodeSecure is a commercial code review scanner, and is owned by NII and used extensively for clients to ensure a comprehensive review of web application security.

• GFI Languard

GFI Languard Network Security Scanner is one of the most widely used network scanners

• Appscan/Webinspect

On client request, we have experience using these tools on a pay-per-use basis

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001, PCI DSS

7. Information Security Audits carried out so far:

Govt. : 7

PSU : 15

Private : 200

Total Nos. of Security Audits : 222

8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government, FMCG, Healthcare, Retail

9. Typical applications in use by auditee organisations : Web applications, Core banking applications, ERP, CRM, Telecom-specific applications

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 10-100 Mbps

External Bandwidth (WAN / Internet) : 2-10 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 50000

No. of servers : 500

No. of switches : 7000

No. of routers : 1500

No. of firewalls : 25

No. of IDS' : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.

M/s Netmagic Solutions Pvt. Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Netmagic Solutions Pvt. Ltd.

2. Carrying out Information Security Audits since : 2008

3. Technical manpower deployed for information security audits :

CISSP : 1

BS7799 / ISO27001 LA : 2

BS7799 / ISO27001 LI : 3

CISA : 1

CCNA : 65

CCNP : 4

CCIE : 4

CEH : 3

ITIL : 132

PMP : 6

Total Nos. of Technical Personnel : 300

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 27

Commercial: 2

Proprietary: 1

Total Nos. of Audit Tools : 30

Details of the Audit Tools

Freeware Tools

1. W3af

2. Nmap

3. Firefox with Firecat

4. Owasp CLASP

5. Themis

6. Paros

7. Burp

8. WebScarab

9. Paros

10. Websecurify

11. Owasp CSRF tester

12. SQLiX

13. Nikto

14. Labrat

15. Metasploit

16. Backtrack

17. Cain & Abel

18. Grendel-Scan

19. Kismet

20. Aircrack-NG

21. Ophcrack

22. BeEF

23. CISCO OCS

24. Brutus

25. WFetch

26. NetStumbler

27. OSSEC

Proprietary:

nmcrawler

Commercial:

1. Nessus

2. AppScan (depending on customer request and engagements)

6. Information Security Audit Methodology: OWASP, OSSTMM, ISO27001, ISO20000, COBIT.

7. Information Security Audits carried out so far :

Govt. : 0

PSU : 5

Private : 100

Total Nos. of Information Security Audits done : 105

8. Business domain of auditee organisations : Manufacturing, IT/ITES, Media & Entertainment (including online portals), BFSI, Services, PSU, Telecommunications, etc.

9. Typical applications in use by auditee organisations : Web Applications, Web Server Applications, SAP/CRM, Mobile Applications, Security & Monitoring Apps, Thick-Client Application, Network Infrastructure Applications.

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 400 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 200

No. of Servers : 1400

No. of Switches : 25

No. of Routers : 20

No. of Firewalls : 5

No. of IDS' : 5

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Network Security Solutions (India) Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Network Security Solutions (India) Ltd., Noida

2. Carrying out Information Security Audits since : September 2002

3. Technical manpower deployed for Information security audits :

CISSPs : 5

BS7799 / ISO27001 LAs : 13

CISAs : 6

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 26

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 29

Commercial : 4

Proprietary: 2

Total Nos. of Audit Tools : 35

Details of the Information Security Audit Tools

Freeware Tools

1. X-Scan

2. Hping

3. W Scanner

4. NMap

5. Metasploit

6. Burp Proxy

7. Solar Winds

8. Winhex

9. Achilles Proxy

10. N-Stealth : Security Scanner

11. Websphinx

12. Rainbow : Password Cracker

13. John the Ripper : Password Cracker

14. Stellar : Data Recovery

15. Easy : Data Recovery

16. Nikto

17. Snort

18. Ethereal

19. Backtrack 3

20. Helix

21. Auditor Pro

22. Ophcrack

23. Nessus

24. Super Scan

25. SATAN

26. Airmon

27. Airodump

28. Aireplay

29. Aircrack

Commercial Tools

1. eEye Retina

2. Shadow : Security Scanner

3. GFI LAN Guard

4. Core Impact

Proprietary Tools

1. Claymore : Vulnerability Scanner

2. Vulnerability Database

6. Information Security Audit Methodology : COBIT, ISACA, BS25999, OSSTM, OWASP, ISO27001, NIST

7. Information Security Audits carried out since empanelment till now :

Govt. : 237

PSU : 3

Private : 107

Total Nos. of Information Security Audits : 347

8. Business domain of auditee organisations : Government, Defence, Electrical Power Generation, BPO / KPO, Telecom, Manufacturing, Pharma, Banking & Finance

9. Typical applications in use by auditee organisations : Web, ERP, SAP, Finance, Proprietary Security

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1000 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 3000

No. of servers : 125

No. of switches : 250

No. of routers : 0

No. of firewalls : 8

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s NIIT Technologies Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks, Bangalore

2. Carrying out Information Security Audits since : May 2000

3. Technical manpower deployed for Information security audits :

CISSPs : 16

BS7799 / ISO27001 LAs : 29

CISAs / CISMs : 7

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 150

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 19

Commercial : 0

Proprietary : 1

Total Nos. of Audit Tools : 20

Details of the Audit Tools

Freeware : Information yet to be provided to CERT-In

Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT, SANS

7. Information Security Audits carried out since empanelment till now :

Govt. : 51

PSU : 154

Private : 205

Total Nos. of Security Audits : 410

8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government

9. Typical applications in use by auditee organisations : Web, SAP, ERP

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 4 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 100000

No. of servers : 15000

No. of switches : 15000

No. of routers : 14000

No. of firewalls : 24

No. of IDS' : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Paladion Networks

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Paladion Networks, Bangalore

2. Carrying out Information Security Audits since : May 2000

3. Technical manpower deployed for Information security audits :

CISSPs : 16

BS7799 / ISO27001 LAs : 29

CISAs / CISMs : 7

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 150

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 19

Commercial : 0

Proprietary : 1

Total Nos. of Audit Tools : 20

Details of the Audit Tools

Freeware :

Information yet to be provided to CERT-In

Proprietary :

Information yet to be provided to CERT-In

6. Information Security Audit Methodology : BS7799, COBIT, SANS

7. Information Security Audits carried out since empanelment till now :

Govt. : 51

PSU : 154

Private : 205

Total Nos. of Security Audits : 410

8. Business domain of auditee organisations : Banking, Telecom, IT/ITES, Manufacturing, Retail, Government

9. Typical applications in use by auditee organisations : Web, SAP, ERP

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 4 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 100000

No. of servers : 15000

No. of switches : 15000

No. of routers : 14000

No. of firewalls : 24

No. of IDS' : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Persistent Systems Limited

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Persistent Systems Limited, Pune

2. Carrying out Information Security Audits since : 2008

3. Technical manpower deployed for information security audits :

CISSPs : 0

BS7799 / ISO27001 LAs : 6

CISAs : 4

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 7

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 11

Commercial : 3

Proprietary: 0

Total Nos. of Audit Tools : 14

Details of the Audit Tools

Freeware :

1. Paros

2. Burp Proxy

3. Webscarab

4. Nikto

5. Wikto

6. Nmap

7. SoapUI

8. Netcat

9. Fiddler

10. Backtrack4

11. Nipper

Commercial :

1. IBM AppScan

2. Nessus

3. GFI Languard NSS

6. Information Security Audit Methodology : ISO 27001, COBIT

7. Information Security Audits carried out so far :

Govt. : 0

PSU : 3

Private : 18

Total Nos. of Information Security Audits done : 21

8. Business domain of auditee organisations :

Educational, Biomedical Research, Health Care, Mail & Messaging, SaaS Email Archiving

9. Typical applications in use by auditee organisations :

IIS, Apache, Tomcat, JBoss, ASP.Net, PHP, MySQL, SQL Server 2005

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 MBPS

External Bandwidth (WAN / Internet) : 1 MBPS

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : NA

No. of Servers : 8

No. of Switches : 2

No. of Routers : 1

No. of Firewalls : 1

No. of IDS' : NA

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s PricewaterhouseCoopers Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : PricewaterhouseCoopers Pvt. Ltd., Gurgaon

2. Carrying out Information Security Audits since : 1994

3. Technical manpower deployed for information security audits :

CISSPs : 16

BS7799 / ISO27001 LAs : 20

CISAs / CISMs: 77

DISAs / ISAs : 4

Total Nos. of Technical Personnel : 160

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 20

Commercial : 7

Proprietary: 5

Total Nos. of Audit Tools : 32

Details of the Information Security Audit Tools

Freeware Tools :

1. Nessus : Network Vulnerability Assessment

2. NMAP : Port scanner

3. RAT : Router and firewall benchmarking

4. Ethereal : Network traffic sniffing and analysis

5. MBSA : Windows security assessment

6. AirSnort : Wireless Network security

7. Phonesweep : War dialing

8. RIP query : Router security assessment

9. Netcat : Backdoor

10. Nikto : Web Applications security

11. Cain & Abel : Traffic sniffing and Password cracking

12. Brutus : Password cracking

13. JohntheRipper : Password cracking

14. SNMPWalk : Router and network management

15. SNMP Scanner : Router and network management

16. DumpSec : Windows security assessment

17. SQL Scan : Database security assessment

18. Absinthe : SQL Injection

19. Acunetix : Web Vulnerability Scanner


20. SiteDigger : Google Hacking

Commercial Tools :

1. Core Impact : Penetration Testing

2. Appscan : Web Systems & Applications security

3. ACL: Audit command La

4. Retina : Vulnerability Scanner

5. Languard : Vulnerability Scanner

6. SolarWinds : Network security

7. ISS : Vulnerability Scanner

Proprietary Tools:

1. Windows server Security assessment scripts

2. Unix/Linux/AIX server security assessment scripts

3. Oracle security assessment scripts

4. MSSQL security assessment scripts

5. ASP and Java Scripts : Web application assessment

6. Information Security Audit Methodology : ISO27001, COBIT, ESAS, ESBM

7. Information Security Audits carried out since empanelment till now :

Govt. : 5

PSU : 10

Private : 55

Total Nos. of Information Security Audits : 70

8. Business domain of auditee organisations : ITES, Manufacturing, Government, PSU, Financial Services, Telecom, Networking

9. Typical applications in use by auditee organisations : Client Server, Web Applications, Oracle, Finacle, ERP, CRM, telecom Applications

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 20 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 2000

No. of servers : 200

No. of switches : 80

No. of routers : 100

No. of firewalls : 20

No. of IDS' : 10

12. Ability to carry out vulnerability assessment and penetration test : Yes


Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Progressive Infotech Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Progressive Infotech (P) Limited, Noida

2. Carrying out Information Security Audits since : 2009

3. Technical manpower deployed for information security audits :

CISSPs : 02

BS7799 / ISO27001 LAs : 02

CISAs :

DISAs / ISAs :

Total Nos. of Technical Personnel : 40+

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 36+

Commercial :

Proprietary:

Total Nos. of Audit Tools : 36+

Details of the Audit Tools

Freeware :

S. No. / Name of the Information Security Audit Tool / Whether freeware, commercial or proprietary / Functions (In brief)

1. Achilles (Freeware) : A tool designed for testing the security of web applications

2. ADMFtp, ADMSnmp (Freeware) : Tools for remote brute-forcing

3. Brutus (Freeware) : A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc.

4. Crack (Freeware) : A password cracker

5. Cryp Tool (Freeware) : A cryptanalysis utility

6. Curl (Freeware) : Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP

7. Different network mapping tools (Freeware) : Ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools, etc.

8. Elza (Freeware) : A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering

9. Exploits (Freeware) : Publicly available and homemade exploit code for the different vulnerabilities around

10. FScan (Freeware) : A command-line port scanner. Supports TCP and UDP

11. HPing (Freeware) : HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

12. ISNprober (Freeware) : Check an IP address for load-balancing.

13. ICMPush (Freeware) : ICMPush is a tool that sends ICMP packets fully customized from command line

14. John the Ripper (Freeware) : A password cracker

15. L0phtcrack (Freeware) : NTLM/Lanman password auditing and recovery application (read: cracker)

16. Nessus (Freeware) : A free, powerful, up-to-date and easy to use remote security scanner. This tool could be used when scanning a large range of IP addresses, or to verify the results of manual work.

17. Netcat (Freeware) : The swiss army knife of network tools. A simple utility which reads and writes data across network connections, using TCP or UDP protocol

18. NMAP (Freeware) : The best known port scanner tool

19. P0f (Freeware) : Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS versions from the information in the packets.

20. Pwdump (Freeware) : Tools that grab the hashes out of the SAM database, to use with a brute-forcer like L0phtcrack or John

21. SamSpade (Freeware) : Graphical tool that allows to perform different network queries: ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, etc.

22. ScanDNS (Freeware) : Script that scans a range of IP addresses to find DNS names

23. Scripts (Freeware) : A number of custom developed scripts to test different security issues

24. Sing (Freeware) : Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from command line

25. SSLProxy, STunne (Freeware) : Tools that allow to run non SSL-aware tools/programs over SSL.

26. Strobe (Freeware) : A command-line port scanner that also performs banner grabbing

27. Telesweep Secure (Freeware) : A commercial wardialer that also does fingerprinting and brute-forcing.

28. THC (Freeware) : A freeware wardialer

29. TCPdump (Freeware) : A packet sniffer

30. UCD-Snmp (aka NET-Snmp) (Freeware) : Various tools relating to the Simple Network Management Protocol including snmpget, snmpwalk and snmpset

31. Web Session Editor (Freeware) : Custom made utility that allows to intercept and edit HTTP sessions.

32. Webinspect (Freeware) : CGI scanning, web crawling, etc.

33. Webreaper, wget (Freeware) : Software that mirrors websites to your harddisk

34. Whisker (Freeware) : The most famous CGI scanner. Has updated the scanning databases with checks for the latest vulnerabilities.

35. Ethereal (Freeware) : GUI for packet sniffing. Can analyse tcpdump-compatible logs.

6. Information Security Audit Methodology : Attached

7. Information Security Audits carried out so far :

Govt. : Nil

PSU : Nil

Private : 08

Total Nos. of Information Security Audits done : 08

8. Business domain of auditee organizations : Manufacturing, IT & ITES

9. Typical applications in use by auditee organizations : Email and IM applications, ERP, CRM etc

10. Typical bandwidth (maximum) of any auditee organizations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 01 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 500

No. of Servers : 20

No. of Switches : 50

No. of Routers : 6

No. of Firewalls : 6

No. of IDS' : 4


12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s ProMinds Consulting Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : ProMinds Consulting Pvt Ltd, Hyderabad

2. Carrying out Information Security Audits since : 2006

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO17799 / ISO27001 LAs : 10

CISAs / CISMs: 2

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 15

4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed) :

Freeware : 40

Commercial : 5

Proprietary: 0

Total Nos. of Information Security Audit Tools : 45

Details of the Information Security Audit Tools

Freeware Tools None

Commercial Tools None

Proprietary Tools None

6. Information Security Audit Methodology : Own, COBIT, OCTAVE

7. Information Security Audits carried out so far :

Govt. : 20

PSU : 5

Private : 50

Total Nos. of Security Audits : 75

8. Business domains of auditee organisations : Govt, PSU, Defense, IT, ITES, BPO, Healthcare, Insurance, Financial Services, Banking, KPO

9. Typical applications in use by auditee organisations : Client-Server, Web Applications, ERP, Database, Office Applications, Software Development Tools, Testing Tools

10. Bandwidth available with an auditee organisation having most complex network :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 10 Mbps


11. LAN infrastructure details of an auditee organisation having most complex network :

No. of Computers : 500+

No. of Servers : 30

No. of Switches : 15

No. of Routers : 5

No. of Firewalls : 3

No. of IDS' : 5

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Qadit Systems & Solutions Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Qadit Systems & Solutions Pvt. Ltd., Chennai

2. Carrying out Information Security Audits since : April 2002

3. Technical manpower deployed for Information security audits :

CISSPs : 0

BS7799 / ISO27001 LAs : 2

CISAs : 10

DISAs / ISAs : 7

Total Nos. of Technical Personnel : 17

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 31

Commercial : 0

Proprietary: 5

Total Nos. of Information Security Audit Tools : 36

Details of the IT Security Audit Tools

Freeware Tools

1. Nessus - Vulnerability Assessment Tool

2. Metasploit – Vulnerability Assessment and Penetration Testing Tool

3. Paros Proxy - Vulnerability Assessment Tool

4. Samurai Framework – Vulnerability Assessment Tool

5. Grendel - Vulnerability Assessment Tool

6. Retina Network Security Scanner – Vulnerability Assessment Tool

7. Webinspect – Vulnerability Assessment Tool

8. Burpsuite – Vulnerability Assessment and Penetration Testing Tool

9. Netcat – Vulnerability Assessment and Penetration Testing Tool

10. SAINT – Vulnerability Assessment and Penetration Tool

11. Firecat – Vulnerability Assessment Framework

12. SQLmap – SQL Injection Tool

13. Nmap - Network Auditing Tool

14. Wireshark - Network Auditing Tool

15. Dsniff – Network Auditing Tool

16. Sam Spade – Network Auditing Tool

17. Nipper – Network Auditing Tool


18. Look@Lan – Network Auditing Tool

19. Traceroute – Network Auditing Tool

20. Airsnort – Wireless network penetration testing tools

21. Kismet – Wireless network penetration testing tools

22. Netstumbler – Wireless network penetration testing tools

23. RAT – Risk Assessment Tool

24. MBSA – Security Analysis

25. WebScarab - Web application audit framework

26. W3af - Web application audit framework

27. Nikto - Web server scanner

28. Scuba – Database audit tool

29. DB Audit – Database audit tool

30. L0phtcrack – Password recovery tool

31. Pwdump – Password recovery tool

Commercial Tools

1. SAP User Profile Reviewer : Review user profiles in SAP environment

2. Oracle database Audit Scripts

3. SQL database Audit Scripts

4. ISO 27001 Risk Assessor

5. SAP SOD Analyser

Proprietary Tools

None

6. Information Security Audit Methodology : OSSTM, OWASP, ISACA/ITAF, ISO 27001/27002, COBIT, ISO 25999, SANS, ITIL, OCTAVE, COSO

7. Information Security Audits carried out since empanelment till now :

Govt. : 5

PSU : 36

Private : 203

Total Nos. of Security Audits : 244

8. Business domain of auditee organisations : Banking, Manufacturing, Telecom, Pharma, Financial Service, Software Development, e-Governance, Microfinance

9. Typical applications in use by auditee organisations : ATM Switch, SAP, Web, CBS, NMS, ERP, e-Governance, Web Applications, Payroll, Telecom billing application, Telecom network Monitoring Software, CRM Applications, Payment Portals

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps


11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 4500

No. of servers : 60

No. of switches : 75

No. of routers : 1000

No. of firewalls : 30

No. of IDS' : 10

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Secure Matrix India Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing organisation

1. Name, Location of the empanelled IT Security Auditing organisation : Secure Matrix India Pvt Ltd, Mumbai

2. Carrying out Information Security Audits since : November 2004

3. Technical manpower deployed for IT security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 4

CISAs : 3

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 15

4. Outsourcing of External IT Security Auditors / Experts : No

5. IT Security Audit Tools used (owned, in possession) :

Freeware : 6

Commercial : 1

Proprietary: 0

Total Nos. of Audit Tools : 7

Details of the IT Security Audit Tools

Freeware :

1. Nessus : Vulnerability Scanning and Reporting

2. Nmap : Port Scanning and finger printing

3. Sara : Vulnerability Assessment

4. MBSA : Security Analysis

5. Dsniff : Network Auditing

6. Sam Spade : Network Query

Commercial :

1. Core Impact

Proprietary :

6. IT Security Audit Methodology : NA

7. IT Security Audits carried out since empanelment till now :

Govt. : NA

PSU : NA


Private : NA

Total Nos. of Security Audits : NA

8. Business domain of auditee organisations : Stock Broking, BFSI, BPO, Technology, Retail, Manufacturing

9. Typical applications in use by auditee organisations : ERP, Accounting, On-line stock trading, databases, Proprietary applications

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : NA bps

External Bandwidth (WAN / Internet) : 64 K bps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 60

No. of servers : 4

No. of switches : 6

No. of routers : 0

No. of firewalls : 2

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s SecureSynergy Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : SecureSynergy Pvt. Ltd., Mumbai

2. Carrying out Information Security Audits since : 2002

3. Technical manpower deployed for Information security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 14

CISAs : 3

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 29

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 35

Commercial : 3

Proprietary: 2

Total Nos. of Audit Tools : 40

Details of the Audit Tools

Freeware :

Information yet to be provided to CERT-In

Proprietary :

Information yet to be provided to CERT-In

6. Information Security Audit Methodology : COBIT, ISO 27001, NIST

7. Information Security Audits carried out since empanelment till now :

Govt. : 11

PSU : 9

Private : 115

Total Nos. of Security Audits : 135

8. Business domain of auditee organisations : IT, ITES, Government, Telecom, Defence, Oil & Gas, Manufacturing, Pharma

9. Typical applications in use by auditee organisations : ERP, CRM, Web/Middleware/Database, Client-Server


10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 54 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 3640

No. of servers : 198

No. of switches : 204

No. of routers : 15

No. of firewalls : 4

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s SecurEyes Techno Services Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : SecurEyes Techno Services Pvt. Ltd., Bangalore

2. Carrying out Information Security Audits since : January 2005

3. Technical manpower deployed for Information security audits :

CISSPs : 0

BS7799 / ISO27001 LAs : 2

CISAs : 0

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 10

4. Outsourcing of External Information Security Auditors / Experts : Yes

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 84

Commercial : 0

Proprietary: 14

Total Nos. of Audit Tools : 98

Details of the Audit Tools

Freeware :

1. Nessus : Vulnerability scanner used for penetration testing


2. Nmap : Port Scanner

3. Metasploit framework : Vulnerability scanner

4. Hping2 : OS finger printing tool, also used for fire walking

5. Ring : Passive OS finger printing tool

6. Nmap-cronos : Passive OS finger printing tool

7. P0f : Passive OS finger printing tool

8. Smtpscan : Mail server profiling tool

9. Sprint : OS detection tool

10. Xprobe : OS detection tool

11. Fire and Water : Web Server discovery tool

12. Ethereal : Sniffer used for capturing and analysing traffic in a penetration test

13. AirSnort : Wireless network penetration testing tools.

14. Kismet : Wireless network penetration testing tools.

15. NetStumbler : Wireless network penetration testing tools.

16. WEPCrack : Wireless network penetration testing tools.

17. Achilles : Web application penetration testing tool

18. Spike Proxy : Automatic Vulnerability scanner for web applications.

19. Odysseus : Web application audit tool

20. Paros : Web application proxy, web application security vulnerability scanner.

21. WinHex : Physical Memory editor used for penetration testing of applications

22. Netcat : Network penetration testing tool.

Proprietary :

1. Windows-VA script : In house developed script used for vulnerability assessment of Windows operating system

2. Linux-VA script : In house developed script used for vulnerability assessment of Linux operating system.

3. Solaris-VA script : In house developed script used for vulnerability assessment of Solaris operating system.

4. AIX-VA script : In house developed script used for vulnerability assessment of AIX operating system.

5. Router-VA script : In house developed script used for vulnerability assessment of Routers

6. Switch-VA script : In house developed script used for vulnerability assessment of Switch.

7. WSDigger : Web Services profiling and attack tool.

8. Cookie Digger : Web application audit tool which helps in calculating the strength of cookies and session ID's

9. Code Scoping tool : Code security audit tool

10. Validator.NET : Web application audit tool for applications built using .NET technology

11. HACME Bank : Web Application audit trainer application

6. Information Security Audit Methodology : OSSTM, SANS, OWASP, Own


7. Information Security Audits carried out since empanelment till now :

Govt. : 150

PSU : 5

Private : 15

Total Nos. of Security Audits : 170

8. Business domain of auditee organisations : Banking & Finance, Government, Telecom, IT, SW Dev, Property Trading, Finance

9. Typical applications in use by auditee organisations : Internet Banking, HR Management, Payroll, Business Workflow, Finance, Insurance

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 2 Gbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of an organizations audited with most complex network :

No. of Computer Systems : 1000

No. of servers : 100

No. of switches : 300

No. of routers : 100

No. of firewalls : 10

No. of IDS' : 8

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).

M/s Security Brigade

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : Security Brigade; Head Office: Ranchi - India; Branch Offices: Mumbai - India, Pisa - Italy; Partner/Sales Offices: Bengaluru - India, Chennai - India, Hyderabad - India, Pune - India, New Delhi - India, Kolkata - India, Houston - US, Toronto - Canada, Lagos - Nigeria, Doha - Qatar, London - UK.

2. Carrying out Information Security Audits since : June 2006

3. Technical manpower deployed for Information security audits :

BS7799 / ISO27001 LAs : 1

ECSAs : 1

LPTs : 1

CEHs : 2

CCNAs : 4

Total Nos. of Technical Personnel : 7

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 1000+

Commercial : 2

Proprietary: 15

Total Nos. of Audit Tools : 1017+

Details of the Audit Tools

Proprietary Tools

1. sdFinder - Identifies internal hosts on non-contiguous IP ranges. It allows us to detect sensitive information about our clients commercial, intranet and extranet networks.

2. webDiscovery - Identifies as many applications as possible on Client web-servers. The applications discovered through webDiscovery allow us to provide a superior web application security testing service than competitive services and products. It allows us to increase the scope of the audit and cover more areas that could be attacked by malicious users; that would not be covered by a traditional audit.

3. networkMapper - Network Mapper uses proprietary technology to be able to identify alternative network routes to bypass security mechanisms such as IDS/IPS/Firewall etc. It allows our experts to bypass existing security implementations and gain direct access to the systems behind them.

4. webTester - Security Brigade's in-house developed application utilizes our Benchmark Development System to ensure that we can identify maximum vulnerabilities in applications through automated mechanisms. Along with flaws that are known, it uses in-house research to test for vulnerabilities that are not in the public domain. It allows us to automate the process of identifying and testing known and unknown vulnerabilities in web-applications and strike a cost-effective time to effort ratio.

5. VA Framework - Security Brigade's in-house developed framework is an integrated solution developed by our security experts that have an expertise in the vulnerability assessment domain. It allows us to integrate the manual and automated testing processes with commercial and open-source software. Our Integrated Reporting Engine allows us to cross-reference information from all the different components and generate a report based on our Client's requirements.

6. PT Framework - Security Brigade's in-house developed framework is an integrated solution developed by our security experts that have an expertise in the penetration testing domain. It allows us to integrate the manual and automated testing processes with commercial and open-source software. Our Integrated Reporting Engine allows us to cross-reference information from all the different components and generate a report based on our Client's requirements.

7. webSpider - Security Brigade's in-house developed application uses advanced HTML, Java Script, Ajax, Flash and XML parsing engines to identify and map as much of the client applications as possible. This not only assists our automated webTester engine, but also assists in carrying out the manual testing process in an efficient manner. It allows us to attain a cost-effective balance between thorough testing and time required.

8. sapScan - Security and Configuration Assistant for SAP Security Audits.

9. riskReview - General Risk Assessment Tool.

10. erpInterrogate - ERP Security and Configuration Assessment and Control Tool.

11. Windows Batch Scripts - Windows batch scripts to automate routine server hardening functions and processes.

12. Linux Bash Scripts - Linux Bash scripts to automate routine server hardening functions and processes.

13. Oracle Security Assessment Scripts - Oracle Security Assessment Scripts to automate routine hardening functions and processes.

14. MSSQL Security Assessment Scripts - MSSQL Security Assessment Scripts to automate routine hardening functions and processes.

15. Internal Vulnerability Database - Automated vulnerability database that is updated every 15 minutes from over 100 public and 20 private feeds.

Commercial Tools

1. Nessus - Premier vulnerability assessment tool with more than 20,000 plugins.

2. GFI LANguard - commercial network security scanner for Windows.

Freeware Tools

1. Wireshark - is an open-source network protocol analyzer for Unix and Windows.

2. Netcat - is a simple utility that reads and writes data across TCP or UDP network connections.

3. Metasploit Framework - is an extensible model through which payloads, encoders, no-op generators, and exploits can be integrated.


4. Hping 2 - is a utility that sends custom ICMP, UDP, or TCP packets and then displays any replies.

5. Kismet - is a console based 802.11 layer2 wireless network detector, sniffer and intrusion detection system.

6. Tcpdump - is an IP sniffer.

7. Cain and Abel - is a windows-only password recovery tool that can recover passwords by sniffing, cracking, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, etc.

8. John the Ripper - is a fast password cracker.

9. Ettercap - is a terminal-based network/sniffer/interceptor/logger for ethernet LANs.

10. Nikto - is an open-source web-server scanner which performs comprehensive tests against web servers for several thousand vulnerabilities.

11. THC Hydra - is a fast network authentication cracker.

12. Paros Proxy - java based web proxy for assessing web-application vulnerability.

13. Dsniff - is a powerful network auditing and penetration-testing tool.

14. NetStumbler - is a windows based 802.11 sniffer.

15. THC Amap - is an application fingerprint scanner.

16. Aircrack - is a suite of tools for 802.11a/b/g WEP and WPA cracking.

17. Superscan - is a windows-only port scanner, pinger and resolver.

18. Scapy - is an interactive packet manipulation tool.

19. BackTrack - is a penetration testing live linux distribution.

20. p0f - is a versatile passive OS fingerprinting tool.

21. WebScarab - a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

22. Thousands of other open-source tools - We have an internal categorized archive of over 10,000 tools. We utilize these on an on-need basis for specific specialized purposes during engagements. List can be provided in directory-listing format if required.

6. Information Security Audit Methodology : In-house Developed Hybrid Methodology based on BS7799, ISO17799, ISO27001, OWASP Testing Guide and OSSTM.

7. Information Security Audits carried out so far:

Govt: 50+

PSU: 10+

Private: 100+

8. Business domain of auditee organisations : Banking & Finance, IT/ITES, Telecom, Manufacturing, Logistics, Insurance, Retail, Government etc.

9. Typical applications in use by auditee organisations : Corporate Websites, Core Banking, Insurance Portal, Loan & Treasury Management, Online Trading, Backoffice, CTCL, Accounting, Operations Management, Billing

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 10 Mbps


11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 8,000

No. of servers : 300

No. of switches : 40

No. of routers : 5

No. of firewalls : 3

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Sify Technologies Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation: Sify, New Delhi

2. Carrying out Information Security Audits since : NA

3. Technical manpower deployed for security audits :

CISSPs : 7

BS7799 / ISO27001 LAs : 14

CISAs : 26

DISAs / ISAs : 16

Total Nos. of Technical Personnel : 63

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 30

Commercial : 0

Proprietary: 0

Total Nos. of Audit Tools : 30

Details of the Audit Tools

Freeware : Information yet to be provided to CERT-In

Proprietary : Information yet to be provided to CERT-In

6. Security Audit Methodology : COBIT, SAS70, BS7799

7. Security Audits carried out since empanelment till now :

Govt. : NA

PSU : NA

Private : NA

Total Nos. of Security Audits : NA

8. Business domain of auditee organisations : Software Dev., BPO, Manuf, Govt.

9. Typical applications in use by auditee organisations : MS Exchange,Web server, SQL Server, Oracle, IIS

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 512 Kbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 27

No. of Computer Systems : 165

No. of routers : 0

No. of switches : 2

No. of firewalls : 1

No. of IDS' : 1


12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Simos Computer Systems Pvt Ltd

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation: SIMOS COMPUTER SYSTEMS PRIVATE LIMITED, Chennai

2. Carrying out Information Security Audits since : 2007

3. Technical manpower deployed for security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 1

CISAs : 2

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 10

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 20+

Commercial : 1

Proprietary: 0

Total Nos. of Audit Tools : 21+

Details of the Audit Tools

Freeware : Nmap, OpenVAS, Metasploit, Wikto, Cain & Abel, Netstumbler, Backtrack etc.

Commercial : Burpsuite Professional

6. Security Audit Methodology : ISO27001, COBIT, OWASP, SOGP, OSSTMM

7. Security Audits carried out since empanelment till now :

Govt. : 1

PSU : NA

Private : 15

Total Nos. of Security Audits : 16

8. Business domain of auditee organisations : Banking, Software Dev., BPO, Manuf, Govt.

9. Typical applications in use by auditee organisations : Windows Server, MS Exchange, Linux, Apache, IIS, PHP, ASP, ASP.NET, MSSQL, MySQL, Oracle

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 1 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 30

No. of Computer Systems : 500+

No. of routers : 10

No. of switches : 20


No. of firewalls : 5

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s SISA Information Security Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation : SISA Information Security (P) Ltd., Bangalore

2. Carrying out Information Security Audits since : September 2002

3. Technical manpower deployed for information security audits :

CISSPs : 4

BS7799 / ISO27001 LAs : 3

CISAs : 9

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 25

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 25

Commercial : 3

Proprietary: 1

Total Nos. of Audit Tools : 29

Details of the Audit Tools

Freeware :

1. Nessus : Network Scanner

2. Nmap : Network Scanner

3. MB Password Cracker : Password Cracker

4. Ethereal : Sniffer

5. WS_Ping Propack : Ping sweeps (Network Scanning)

6. Snort : Ping sweeps (Network Scanning)

7. user2sid and sid2user : Enumeration tools

8. Ping of Death/SMURF : DOS

9. SQLSmack : Hacking Tools

Commercial :

1. ISS Network Scanner : Network Scanner

2. GFI Languard : Network Scanner

3. Legion : Password Guessing Tool


6. Information Security Audit Methodology : SISA Proprietary

7. Information Security Audits carried out since empanelment till now :

Govt. : 1

PSU : 5

Private : 99

Total Nos. of Security Audits : 105

8. Business domain of auditee organisations : Information Technology, Banking, IT services, Manufacturing, Business Process Outsourcing, Telecom

9. Typical applications in use by auditee organisations : Banking Applications, Financial Applications, Mobile Applications, Web Applications

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 10 Mbps

External Bandwidth (WAN / Internet) : 100 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 10000

No. of servers : 25

No. of switches : 50

No. of routers : 30

No. of firewalls : 16

No. of IDS' : 16

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Spectrum IT Solution

Snapshot of skills and competence of the CERT-In Empanelled IT Security Auditing Organisation

1. Name, Location of the Empanelled IT Security Auditing Organisation : Spectrum Networks Solutions Pvt Ltd, Noida

2. Carrying out IT Security Audits since : May 2004

3. Technical manpower deployed for IT security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 5

CISAs / CISMs: 3

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 24

4. Outsourcing of IT Security Auditing Work to External IT Security Auditors / Experts : Yes

5. IT Security Audit Tools used (owned, in possession) :

Freeware : 36

Commercial : 4

Proprietary: 2

Total Nos. of Audit Tools : 42

Details of the Information Security Audit Tools

Freeware Tools

1. Achilles - A tool designed for testing the security of web applications

2. ADMFtp, ADMSnmp - Tools for remote brute-forcing

3. Brutus - A Windows GUI brute-force tool for FTP, telnet, POP3, SMB, HTTP, etc

4. Crack - A password cracker

5. CrypTool - A cryptanalysis utility

6. Curl - Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP

7. Different network mapping tools - ping, traceroute, whois, snmp tools, dig, nslookup, DNS tools etc

8. Elza - A family of tools for arbitrary HTTP communication with picky web sites for the purpose of penetration testing and information gathering

9. Exploits - publicly available and home made exploit code for the different vulnerabilities around

10. FScan - A command-line port scanner. Supports TCP and UDP

11. Fragrouter - Utility that allows fragmenting packets in funny ways

12. HPing - HPing is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

13. ISNprober - Check an IP address for load-balancing.

14. ICMPush - ICMPush is a tool that sends ICMP packets fully customized from command line

15. John The Ripper - A password cracker

16. L0phtcrack - NTLM/Lanman password auditing and recovery application (read: cracker)


17. Nessus - A free, powerful, up-to-date and easy to use remote security scanner. This tool could be used when scanning a large range of IP addresses, or to verify the results of manual work.

18. Netcat - The swiss army knife of network tools. A simple utility which reads and writes data across network connections, using TCP or UDP protocol

19. NMAP - The best known port scanner around.

20. p0f - Passive OS Fingerprinting: A tool that listens on the network and tries to identify the OS versions from the information in the packets.

21. Pwdump - Tools that grab the hashes out of the SAM database, to use with a brute-forcer like L0phtcrack or John

22. SamSpade - Graphical tool that allows to perform different network queries: ping, nslookup, whois, IP block whois, dig, traceroute, finger, SMTP VRFY, web browser keep-alive, DNS zone transfer, SMTP relay check, etc.

23. ScanDNS - Script that scans a range of IP addresses to find DNS names

24. Scripts - A number of custom developed scripts to test different security issues.

25. Sing - Send ICMP Nasty Garbage. A little tool that sends ICMP packets fully customized from

command line

26. SSLProxy, STunnel - Tools that allow running non-SSL-aware tools/programs over SSL.

27. Strobe - A command-line port scanner that also performs banner grabbing

28. Telesweep Secure - A commercial wardialer that also does fingerprinting and brute-forcing.

29. THC - A freeware wardialer

30. TCPdump - A packet sniffer

31. TCPtraceroute - Traceroute over TCP

32. UCD-Snmp - (aka NET-Snmp): Various tools relating to the Simple Network Management Protocol

including snmpget, snmpwalk and snmpset.

33. Web Session Editor - Custom made utility that allows intercepting and editing HTTP sessions.

34. Webinspect - CGI scanning, web crawling, etc.

35. Webreaper, wget - Software that mirrors websites to your hard disk

36. Whisker - The most famous CGI scanner. It has updated scanning databases with checks for the latest vulnerabilities.

Commercial Tools

Proprietary Tools

6. Information Security Audit Methodology : OWASP, ISO27001, COBIT, ITIL

7. Information Security Audits carried out since empanelment till now :

Govt. : 80

PSU : 25

Private : 95

Total Nos. of Security Audits : 200


8. Business domain of auditee organisations : Banking, Financial, Manufacturing, Government, IT/ITES, Software Development

9. Typical applications in use by auditee organisations : Banking and Financial Applications

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 16 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. LAN Infrastructure details of the organisation audited with the most complex network :

No. of Servers : 45

No. of Computers : 1500

No. of Routers : 10

No. of Switches : 300

No. of Firewalls : 4

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


STQC Directorate

Snapshot of skills and competence of CERT-In Empanelled Security Auditor

1. Name, Location of the Empanelled Security Auditing organisation : STQC IT Services, New Delhi

2. Carrying out Information Security Audits since : NA

3. Technical manpower deployed for security audits :

CISSPs : 0

BS7799 / ISO27001 LAs : 12

CISAs : 0

DISAs / ISAs : 9

Total Nos. of Technical Personnel : 12

4. Outsourcing of External IT Security Auditors / Experts : No

5. Security Audit Tools used (owned, in possession) :

Freeware : 23

Commercial : 0

Proprietary: 0

Total Nos. of Audit Tools : 23

Details of the IT Security Audit Tools

Freeware Tools :

Information yet to be provided to CERT-In

Commercial Tools :

Information yet to be provided to CERT-In

Proprietary Tools :

Information yet to be provided to CERT-In

6. Security Audit Methodology : OSSTMM

7. Security Audits carried out since empanelment till now :

Govt. : NA

PSU : NA

Private : NA

Total Nos. of Security Audits : NA

8. Business domain of auditee organisations : Mfg, software Services, BPO, Telecom, Govt.

9. Typical applications in use by auditee organisations : SAP, Oracle


10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : NA

External Bandwidth (WAN / Internet) : NA

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 36

No. of Computer Systems : 500

No. of routers : 0

No. of switches : 68

No. of firewalls : 6

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Suma Soft Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Suma Soft Pvt Ltd

2. Carrying out Information Security Audits since : 2008

3. Technical manpower deployed for information security audits :

CISSPs :

BS7799 / ISO27001 LAs : 3

CISAs : 5

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 10

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 35

Commercial : 2

Proprietary: 0

Total Nos. of Audit Tools : 37

Details of the Audit Tools

Freeware:

1. Nessus

2. Whisker

3. HUNT - TCP/IP protocol vulnerability exploiter, packet injector

4. DOMTOOLS - DNS-interrogation tools

5. SARA - Vulnerability scanner

6. RAT

7. Nikto - This tool scans for web-application vulnerabilities

8. Snort - IDS

9. Firewalk - Traceroute-like ACL & network inspection/mapping

10. Hping - TCP ping utility

Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files, etc.); facilitates the interception of network traffic normally unavailable to an attacker

11. HTTrack - Website Copier

12. Chkrootkit - Rootkit discovery tool

13. Tools from FoundStone - Variety of free security-tools

14. SQL Tools - MS SQL related tools

15. John the Ripper - Password-cracking utility

16. ITS4 - Scan C/C++ source-code for vulnerabilities

17. Paros

18. NMAP - The famous port-scanner

19. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs


20. Nemesis - Packet injection suite

21. NetCat - Swiss Army-knife, very useful

22. RAT – CISecurity’s Router Auditing Tool

23. DSniff - A collection of different purpose sniffers

24. Achilles - An SSL-proxy allowing to change data

25. Whitehats - Snort IDS-signatures & other resources

26. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection

27. Brutus – password cracking for web applications, telnet, etc.

28. WebSleuth - web-app auditing tool

29. Mieliekoek - SQL Injection tool, use with HTTrack

30. NT Toolbox - Resources & tools for NT

@Stake Tools - Tools provided by @Stake

31. TSCrack - Wordlist-based Terminal Server login-cracker

L0phtcrack - NT-password cracking utility

32. HTTPrint - detect web server and version

33. Web proxy - web application testing

34. Web server vulnerability assessment tool

Commercial Tools

1. Nexpose - Vulnerability Scanners

2. Burp Suite, Acunetix - Web application auditing

6. Information Security Audit Methodology : ISACA, ISO 27001 / BS 7799, COBIT, OSSTM, OWASP

7. Information Security Audits carried out so far :

Govt. : 1

PSU : 1

Private : 25

Total Nos. of Information Security Audits done : 26

8. Business domain of auditee organisations : Telecom, BPO, Banking & Finance, Software Development

9. Typical applications in use by auditee organisations : Client-Server, Web based MIS, Oracle, Web Applications

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 12 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 350

No. of Servers : 50

No. of Switches : 25


No. of Routers : 2

No. of Firewalls : 2

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Sumeru Software Solutions Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Sumeru Software Solutions Pvt Ltd, Bangalore

2. Carrying out Information Security Audits since : 2002

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO27001 LAs : 2

CISAs / CISMs : 2

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 10

4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed) :

Freeware : 61

Commercial : 4

Proprietary: 0

Total Nos. of Information Security Audit Tools : 65

Details of the Information Security Audit Tools

Freeware Tools

1. Nmap / Superscan

2. WireShark

3. Paros Proxy

4. Metasploit Framework

5. Kismet / NetStumbler / Aircrack

6. Nikto / Wikto

7. BackTrack

8. WebScarab

Commercial Tools

1. Nessus

2. WebInspect

3. MegaPing

4. Retina

Proprietary Tools

None


6. Information Security Audit Methodology : OWASP, OSSTMM, ISO27001, BS 25999

7. Information Security Audits carried out so far :

Govt. : 7

PSU : 0

Private : 101

Total Nos. of Security Audits : 108

8. Business domains of auditee organisations: Manufacturing, Hospitality, Media, Defence, BSFI, IT/ITES, Publishers, Human resources, Insurance, Government.

9. Typical applications in use by auditee organisations : e-Commerce Portals, Job Portals, News Portals, Public Forum, Pay Roll Applications, Intranet Applications, Webmail, Insurance web portal.

10. Bandwidth available with an auditee organisation having the most complex network :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 10 Mbps

11. LAN infrastructure details of an auditee organisation having the most complex network :

No. of Computers : 4500

No. of Servers : 70

No. of Switches : 300

No. of Routers : 2

No. of Firewalls : 135

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Sysman Computers Pvt Ltd

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name and location of the empanelled Information Security Auditing Organisation : Sysman Computers Pvt. Ltd., Mumbai

2. Carrying out Information Security Audits since : 1991

3. Technical manpower deployed for security audits :

CISSPs : 5

BS7799 / ISO27001 LAs : 7

CISAs : 12

DISAs / ISAs : 6

Total Nos. of Technical Personnel : 30

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 28

Commercial : 5

Proprietary: 0

Total Nos. of Audit Tools : 33

Details of the Audit Tools

Freeware : Information yet to be provided to CERT-In

Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : COBIT, ISO 27001

7. Information Security Audits carried out since empanelment till now :

Govt. : 5

PSU : 55

Private : 100

Total Nos. of Security Audits : 160

8. Business domain of auditee organisations : Banking, BPO, Manufacturing, Healthcare, Government

9. Typical applications in use by auditee organisations : Banking, Accounting, Data Processing, Call Centre, Healthcare, Travel, Education

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 1500

No. of servers : 25

No. of switches : 55

No. of routers : 8


No. of firewalls : 2

No. of IDS' : 2

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Tata Consultancy Services Ltd

Snapshot of skills and competence of the CERT-In empanelled Information Security Auditing Organisation

1. Name, Location of the empanelled Information Security Auditing Organisation: Tata Consultancy Services Ltd, Mumbai

2. Carrying out Information Security Audits since : 2001

3. Technical manpower deployed for information security audits :

CISSPs : 25

BS7799 / ISO27001 LAs : 60

CISAs : 15

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 232

4. Outsourcing of Information Security Auditing Work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 5

Commercial : 2

Proprietary: 2

Total Nos. of Audit Tools : 9

Details of the Information Security Audit Tools

Freeware Tools None

Commercial Tools None

Proprietary Tools None

6. Information Security Audit Methodology : Own

7. Information Security Audits carried out since empanelment till now :

Govt. : 6

PSU : 4

Private : 12

Total Nos. of Security Audits : 22

8. Business domain of auditee organisations : Banking, Stock Exchange, Power, Manufacturing, Government.

9. Typical applications in use by auditee organisations : Core Banking, stock broking, power management, Telecom, Governance.

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 2 Mbps

External Bandwidth (WAN / Internet) : 5 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 200


No. of servers : 100

No. of switches : 50

No. of routers : 50

No. of firewalls : 50

No. of IDS' : 20

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Tech Mahindra Ltd

Snapshot of skills and competence of CERT-In empanelled IT Security Auditing Organisation

1. Name, Location of the empanelled IT Security auditing organisation : Tech Mahindra Ltd, Noida

2. Carrying out Information Security Audits since : 2004

3. Technical manpower deployed for security audits :

CISSPs : 14

BS7799 / ISO27001 LAs : 56

CISAs : 10

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 97

4. Outsourcing of External IT Security Auditors / Experts : No

5. IT Security Audit Tools used (owned, in possession) :

Freeware : 2

Commercial : 1

Proprietary: 1

Total Nos. of Audit Tools : 4

Details of the Information Security Audit Tools

Freeware Tools None

Commercial Tools None

Proprietary Tools None

6. IT Security Audit Methodology : ISO 27001/BS7799

7. IT Security Audits carried out since empanelment till now :

Govt. : 1

PSU : 0

Private : 34

Total Nos. of Security Audits : 35

8. Business domain of auditee organisations : Automobiles, Retailing, Pharma, Telecom, BPO, Finance

9. Typical applications in use by auditee organisations : SAP, Web Applications, CRM, Service Assurance, Service Fulfilment, COTS Products

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 2 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 2000

No. of servers : 60

No. of switches : 100

No. of routers : 25


No. of firewalls : 20

No. of IDS' : 10

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Technologics & Control

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Technologics and Controls, New Delhi, India

2. Carrying out Information Security Audits since : December 2002

3. Technical manpower deployed for information security audits :

CISSPs : 1

BS7799 / ISO17799 / ISO27001 LAs : 1

CISAs / CISMs: 4

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 6

4. Outsourcing of information security auditing work to external Information Security Auditors / Experts : No

5. Information Security Audit Tools being used (available, installed and licensed):

Freeware : 10

Commercial : 3

Proprietary: 0

Total Nos. of Information Security Audit Tools : 13

Details of the Information Security Audit Tools

Freeware Tools

• Brutus, Superscan

• Nessus Vulnerability Scanner

• Belarc Advisor

• Metasploit Framework 3

• Mozilla Firefox Extension AnEC Cookie Editor v0.2.1.3

• Wireshark

• HTTP Editor

• Tenable Nessus

• Mozilla Firefox Extension Hack Bar

• WebScarab

Commercial Tools

• Meycor Cobit suite

• IBM Rational AppScan v7.7

• Acunetix Web Vulnerability Scanner v6.5


Proprietary Tools None

6. Information Security Audit Methodology : OSSTM, OWASP, ISO27001, COBIT, Audit ICQ

7. Information Security Audits carried out so far :

Govt. : 2

PSU : 0

Private : 45

Total Nos. of Security Audits : 47

8. Business domains of auditee organisations : Banking, Insurance, Services, ITES, Finance, Stock traders, UN, Manufacturing, Defence, NGO, Government

9. Typical applications in use by auditee organisations : ERP (SAP, MFGPro, Ingenium, others), HR and Payroll, Document Imaging, Banking (CBS / TBA), Web and E-commerce Applications

10. Bandwidth available with an auditee organisation having the most complex network:

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : up to 16 Mbps

11. LAN infrastructure details of an auditee organisation having the most complex network :

No. of Computers : 4000

No. of Servers : 190

No. of Switches : 400

No. of Routers : 150

No. of Firewalls : 4

No. of IDS' : 1

12. Ability to carry out vulnerability assessment and penetration test : Y

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


M/s Torrid Networks Pvt. Ltd.

Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : M/s Torrid Networks Pvt. Ltd.

2. Carrying out Information Security Audits since : 2006

3. Technical manpower deployed for information security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 2

CISAs : 1

DISAs / ISAs :

Total Nos. of Technical Personnel : 35

4. Outsourcing of External Information Security Auditors / Experts : None

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 20

Commercial : 7

Proprietary: 12

Total Nos. of Audit Tools : 39

Details of the Audit Tools

Freeware:

nmap

Nessus

Metasploit

Nikto

Burp

Paros

WebScarab

SQL injector

Ollydbg

WireShark

Cain & Abel

BackTrack Distro

Commercial: AppScan

Acunetix


CoreImpact

Nexpose

CodeSecure

Fortify

Qualys

6. Information Security Audit Methodology : OWASP, OSSTMM, ISO 27001

7. Information Security Audits carried out so far :

Govt. : 3

PSU : 3

Private : 54

Total Nos. of Information Security Audits done : 60

8. Business domain of auditee organisations : BFSI, Telecom, BPO, IT/ITES, Manufacturing, Engineering

9. Typical applications in use by auditee organisations : HRMS, CRM, Exchange, Billing, ERP, Intranet, Payroll

10. Typical bandwidth (maximum) of any auditee organisation :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 5 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 10000

No. of Servers : 500

No. of Switches : 250

No. of Routers : 25

No. of Firewalls : 18

No. of IDS' : 10

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation), Y = Yes, N = No, Std = Standard.


M/s TVSNet Technologies Ltd

Snapshot of skills and competence of CERT-In Empanelled Information Security Auditor

1. Name, Location of the empanelled Information Security Auditing organisation : TVSNet Technologies Ltd, Chennai

2. Carrying out Information Security Audits since : January 2000

3. Technical manpower deployed for information security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 3

CISAs/CISMs : 1

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 25

4. Outsourcing of External Information Security Auditors / Experts : Yes

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 20

Commercial : 1

Proprietary: 0

Total Nos. of Audit Tools : 21

Details of the Information Security Audit Tools

Freeware :

1. Smartwhois: To perform initial information gathering of the network

2. SPIKE Proxy: A full-featured HTTP and HTTPS proxy built with Python

3. WebGoat: This is used to investigate common server-side application flaws

4. Nikto : Web Systems & Application Security

5. Paros proxy : A web application vulnerability assessment proxy

6. Burp suite: An integrated platform for attacking web applications

7. Nessus : Network Security

8. Nmap: Network Security

9. Whois: To perform initial information gathering of the network

10. SolarWinds : Used for Penetration Testing

11. Ethereal: Network Sniffing

12. Shadow security scanner: Web server Vulnerability Scanning

13. TamperIE: Proxy tool

14. Brutus: Password Cracker

15. Visual Trace Route : To perform initial information gathering of the network

16. Neo Trace Route : To perform initial information gathering of the network


Commercial :

1. Acunetix Web Vulnerability Scanner: Acunetix WVS automatically checks web applications for vulnerabilities such as SQL injection, cross-site scripting, and weak password strength on authentication pages.

6. Information Security Audit Methodology : OSSTMM, OWASP, ISO 27001

7. Information Security Audits carried out since empanelment till now :

Govt. : 9

PSU : 7

Private : 25

Total Nos. of Security Audits : 41

8. Business domain of auditee organisations : Government, Banking, Telecom, Manufacturing, ITES

9. Typical applications in use by auditee organisations : Web Applications, ERP, Email

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 100 Mbps

External Bandwidth (WAN / Internet) : 4 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 180

No. of Computer Systems : 3000

No. of routers : 25

No. of switches : 20

No. of firewalls : 5

No. of IDS' : 7

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Verizon Business Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : Verizon Business, Radisson Commercial Plaza, A-Wing, 1st Floor, National Highway-8, New Delhi - 110037

2. Carrying out Information Security Audits since : 2004

3. Technical manpower deployed for information security audits :

CISSPs : 74

BS7799 / ISO27001 LAs : 15

CISAs : 35

DISAs / ISAs : 2

Total Nos. of Technical Personnel : 500+

4. Outsourcing of External Information Security Auditors / Experts : Not Applicable

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 43

Commercial : 6

Proprietary: 8

Total Nos. of Audit Tools : 57

Details of the Audit Tools

Freeware:

1. Netcat

2. Ethereal

3. TCPdump

4. SSLdump

5. Brutus

6. Dig

7. Nmap

8. VisualRoute

9. Fscan

10. Cain & Abel

11. Firewalk

12. DumpACL

13. DumpEvt

14. DumpReg

15. DumpSec

16. Enum

17. Paros

18. WebSleuth

19. WebProxy

20. Nikto

21. Achilles

22. Cerberus

23. DDosPing

24. Brutus

25. John the Ripper

26. Absinthe

27. Metasploit

28. SNMP Walker

29. SQL Squirrel

30. Black Widow

31. Ettercap

32. Rainbowcrack

33. IISCat

34. IISHack

35. PipeUpAdmin

36. Pwdump2

37. GFI LanGuard

38. HFNetChk

39. ConfigDefence

40. UnixRecon

41. Titan

42. AppSecInc

43. VoIP Hopper

Commercial:

1. nCircle

2. Nessus Professional Feed

3. Ounce / IBM AppScan

4. WebInspect

5. Core Impact

6. Canvas

6. Information Security Audit Methodology : Verizon Business’ Proprietary

7. Information Security Audits carried out so far :

Govt. : 10


PSU : 4

Private : 150+

Total Nos. of Information Security Audits done : 164+

8. Business domain of auditee organisations : Banking & Finance, Information Technology, Government Establishments, Service Providers / BPOs, Manufacturing, Public Sector Undertakings, Life Sciences & Healthcare.

9. Typical applications in use by auditee organisations : Enterprise Resource Planning (ERPs), Online Banking Solutions, Online Payment Solutions, CRM, Billing Systems, Corporate Websites, Web Services & Web Applications.

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1 Gbps

External Bandwidth (WAN / Internet) : 100 Mbps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : >50000

No. of Servers : >350

No. of Switches : 200

No. of Routers : 80

No. of Firewalls : 40

No. of IDS' : 8

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s VISTA InfoSec Pvt. Ltd. Snapshot of skills and competence of CERT-In empanelled Information Security Auditing Organisation

1. Name & location of the empanelled Information Security Auditing Organisation : VISTA InfoSec Pvt. Ltd., Mumbai – 400058.

2. Carrying out Information Security Audits since : 2004

3. Technical manpower deployed for information security audits :

CISSPs : 4

BS7799 / ISO27001 LAs : 5

CISAs : 5

DISAs / ISAs : 1

Total Nos. of Technical Personnel : 16

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 47

Commercial : 4

Proprietary : 3

Total Nos. of Audit Tools : 54

Details of the Audit Tools

Freeware:

1. Port Scanners – AngryIPScanner, SuperScan, NetScanTools, Unicornscan, Nmap, THC-Amap, ike-scan.

2. Web Browser Addons – NoScript, Tamper Data, Firebug, etc.

3. Password Crackers – Aircrack, Cain & Abel, John the Ripper, THC Hydra, ophcrack, Medusa, fgdump, L0phtCrack, SolarWinds, RainbowCrack, Wfuzz, Brutus.

4. Encryption Tools – Stunnel, OpenVPN, Tor, OpenSSL, GnuPG/PGP, OpenSSH/PuTTY/SSH.

5. Debuggers – IDA Pro, OllyDbg, WinDbg.

6. Forensics – Maltego, Helix, The Sleuth Kit, EnCase.

7. Fuzzers – w3af, skipfish, Wapiti.

8. General Purpose – Netcat, cURL, Socat, Firefox, Google, Perl/Python/Ruby.

9. Packet Crafters – Netcat, Hping, Scapy, Yersinia, Nemesis, Socat.

10. Rootkit Detectors – Sysinternals, Tripwire, DumpSec, AIDE.

11. Security Distros – BackTrack, Helix, Samurai Web Testing Framework, Knoppix, SELinux.

12. Sniffers – Wireshark, Cain & Abel, tcpdump, Kismet, Ettercap, NetStumbler, dsniff, Ntop, Ngrep, p0f, inSSIDer, KisMAC.


13. Exploitation Tools – Metasploit Framework, w3af, Core Impact, sqlmap, SET, sqlninja, BeEF, dradis, WebGoat, Burp Suite, ExploitPack.

14. Vulnerability Scanners – Nessus, OpenVAS, GFI LanGuard, MBSA, Nipper, SAINT, NeXpose.

15. Web Proxy – Paros Proxy, Fiddler, sslstrip, ratproxy.

16. Web Scanners – Burp Suite, Nikto, w3af, Acunetix, Netsparker, Wikto, DirBuster, Arachni.

17. Wireless Tools – Aircrack, Kismet, NetStumbler, inSSIDer, KisMAC.

18. Anti-Malware – MalwareBytes, ClamAV Signatures Toolkit, VirusTotal.

Commercial:

1. Rapid7 – NeXpose

2. Rapid7 – Metasploit

3. Tenable Nessus

4. IBM AppScan

6. Information Security Audit Methodology : ISO27001/ISO20000/BS25999/ISO18028/SANS/OWASP/OSSTMM/CIS/CHECK/NIST/RBI

7. Information Security Audits carried out so far :

Govt. : 10

PSU : 17

Private : 161

Total Nos. of Information Security Audits done : 188

8. Business domain of auditee organisations : Banks, Insurance, Financial services, BPO, Software development, Pharma, Manufacturing, Entertainment, Realty, Retail, Governance, Power and Petrochem.

9. Typical applications in use by auditee organisations : Core Banking, SAP, ERP, CRM, Internet Banking, Time Management, PeopleSoft, Payment Gateway applications, Oracle, Financial Applications, Mobile applications, SCADA Applications, etc.

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : 1000

External Bandwidth (WAN / Internet) : 2mb + 2mb

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of Computer Systems : 8000

No. of Servers : 250

No. of Switches : 400

No. of Routers : 35


No. of Firewalls : 35

No. of IDS' : 4

12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).


M/s Wipro Ltd Snapshot of skills and competence of CERT-In Empanelled Security Auditing Organisation

1. Name, Location of the Empanelled Information Security Auditing organisation : Wipro Ltd., Gurgaon

2. Carrying out Information Security Audits since : October 2000

3. Technical manpower deployed for information security audits :

CISSPs : 2

BS7799 / ISO27001 LAs : 1

CISAs : 1

DISAs / ISAs : 0

Total Nos. of Technical Personnel : 55

4. Outsourcing of External Information Security Auditors / Experts : No

5. Information Security Audit Tools used (owned, in possession) :

Freeware : 42

Commercial : 12

Proprietary: 1

Total Nos. of Audit Tools : 55

Details of the Audit Tools

Freeware : Information yet to be provided to CERT-In

Proprietary : Information yet to be provided to CERT-In

6. Information Security Audit Methodology : NA

7. Information Security Audits carried out since empanelment till now :

Govt. : NA

PSU : NA

Private : NA

Total Nos. of Security Audits : NA

8. Business domain of auditee organisations : Oil, Pharma, Manufacturing

9. Typical applications in use by auditee organisations : NA

10. Typical bandwidth (maximum) of any auditee organisations :

Internal Bandwidth (LAN / Intranet) : NA bps

External Bandwidth (WAN / Internet) : NA bps

11. Networked Infrastructure details of the organisation audited with the most complex network :

No. of servers : 5

No. of Computer Systems : 8

No. of routers : 0

No. of switches : 1

No. of firewalls : 1

No. of IDS' : 1


12. Ability to carry out vulnerability assessment and penetration test : Yes

Key : NA = Not Available (data not provided by the CERT-In empanelled Information Security Auditing Organisation).
