FAQ
Q: How do you pronounce "Syrinx"?
A: "sir-inks" or perhaps "sear-inks"

Q: What's the difference between a vulnerability assessment and a penetration test?
A: From "www.darknet.org":
Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Q: What are the normal billing terms for services?
A: All services performed by Syrinx Technologies are billed as fixed price projects. The normal terms are Net 15. Unless the project is large enough to be broken into sections with milestones the invoice is submitted once the final report is presented to the client.

Q: Does it still make sense to test for dial-in vulnerabilities?
A: Yes. Any method of accessing corporate resources from external sources should be tested. This could include just the known dial-in phone numbers or perhaps the entire DID block of phone numbers allotted to the client.

Q: Are wireless networks safe?
A: The answer has to be a qualified "maybe". Without any protection, or with only WEP (whose encryption is broken and offers little real protection), most wireless networks are extremely insecure. With WPA/WPA2 encryption, 802.1x authentication against a central authentication server and two-factor authentication for users, wireless networks can be made much more secure.
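As an added illustration (not part of the original FAQ and not a Syrinx Technologies configuration), the contrast between the weak and the recommended setup can be seen in two hostapd access-point configurations. The interface name, SSID and RADIUS server address below are assumed values; 192.0.2.10 is a documentation address and the shared secret is a placeholder that must be replaced with a long random value.

```ini
# --- Weak: open network, no encryption and no authentication ---
# Anyone in radio range can join and read traffic; this is the
# "without any protection" case. (WEP would be little better:
# its keys can be recovered from captured traffic.)
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
# no wpa= line, so the network is open

# --- Recommended: WPA2 (RSN) with 802.1x/EAP authentication ---
# Each client authenticates to a RADIUS server before it gets a
# per-session key; traffic is encrypted with AES-CCMP.
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2                      # WPA2 only, no WPA1/TKIP fallback
wpa_key_mgmt=WPA-EAP       # 802.1x/EAP rather than a shared passphrase
rsn_pairwise=CCMP          # AES-CCMP; never TKIP
ieee8021x=1                # enable the 802.1x authenticator
auth_server_addr=192.0.2.10          # assumed RADIUS server address
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-to-a-long-random-secret
```

The second configuration only raises the bar as far as the RADIUS server's EAP method does: EAP-TLS with client certificates, or an EAP method that combines a certificate with user credentials, is what provides the two-factor element the answer above refers to, and clients must be configured to validate the server certificate so that a rogue access point cannot harvest credentials.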

Q: What's the difference between external and internal penetration testing?
A: An "external" penetration test will examine the various resources available from anyone outside the security perimeter (i.e., the firewall). This testing could include the web/email servers, dial-in, wireless and VPN access. The "internal" penetration test will examine resources available to anyone inside the security perimeter. This could include employees, contractors, temporary employees, partners and attackers who manage to break through the external security perimeter.

Q: What is "social engineering"?
A: From Wikipedia:
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Q: Are IT security policies that important?
A: YES. Syrinx Technologies strongly recommends that accurate and comprehensive policies and procedures be developed before any money is spent on security hardware, software or services. After all, how do you configure a firewall without knowing specifically which network traffic is to be allowed and which denied? A well written set of policies and procedures will guide all future security implementations.

Q: What's the average length of an external and internal penetration test?
A: The average external test is about 24-40 man-hours, while the average internal test is about 40 man-hours. Factors that influence the external testing include the number of Internet-facing devices, the number of IP address ranges and domains owned by the client, and whether wireless or dial-in testing is to be performed. Factors that influence the internal testing include the number of servers, network users and remote locations.

Q: Does it make sense to routinely test my networks?
A: Absolutely! Like any regular health checkup, network security audits should be performed at least annually. Some clients choose to alternate internal and external testing each year. Others perform quarterly testing to ensure that any problems can be quickly discovered and fixed. On a related note, some clients choose to rotate the vendors who perform their security audits. This gives the client a fresh set of eyes, toolsets and methodologies every 2-3 years.

Q: What is PCI? Does it apply to my organization?
A: PCI stands for "Payment Card Industry". The standard is maintained by the PCI Security Standards Council, a collaboration between American Express, Discover, JCB, MasterCard and Visa. The PCI Data Security Standard (DSS) is a set of 12 requirements for protecting cardholder data. It applies to any organization that stores, processes or transmits payment card data, regardless of size or transaction volume; the validation requirements (self-assessment questionnaire versus on-site assessment, and the need for quarterly external vulnerability scans) depend on the merchant or service-provider level assigned by the card brands.