We offer full operating system and physical build reviews for any device. We cover all the major operating systems from Microsoft and Unix/Linux, such as Microsoft Windows (desktop and server versions), Red Hat, Ubuntu, Debian, SUSE and Scientific Linux.
A build review assesses the configuration of the operating system, device configuration and its settings against industry benchmarks.
Typical build reviews include:
- Operating system version and patch checking
- Third-party software reviews
- User permission and privileges
- Security policy configuration
- Password and lockout policies
- Event auditing and logging
- Service permissions
- Anti-Virus reviews
- Network configuration/connectivity review
- Share permissions
Authenticated build reviews are typically the best way to ensure your hardware or operating systems are securely configured. This is more beneficial than an unauthenticated vulnerability assessment alone.
The best approach is to select a sample of key roles, devices and operating systems for authenticated build reviews and combine these with a vulnerability assessment.
Build reviews can help identify build issues at the configuration stage within documentation or templates and prevent future deployments suffering from repeat issues.
Build reviews are conducted by logging into the operating system or device with credentials and reviewing settings against industry security benchmarks.
We can provide the following build reviews:
- Physical review – boot options, encryption, BIOS protection and media ports
- Operating system review – build review against industry standard settings, covering all aspects such as patching, password policies, Anti-Virus, Firewall, auditing, event logging, third-party software versions, services and overall security configuration
- Physical, virtual and Docker images can be reviewed
- Laptops, desktops, kiosks, servers, networking and mobile devices
- Build review audit against company policies – ensure that the build meets any company defined build documentation
Armadillo Sec are a CREST approved member company and our security consultants are fully certified by CREST to the highest level in application and infrastructure testing. This allows our consultants to give complete assurance when testing any elements of your environment. We have many years of experience leading large complex government and commercial cyber security tests. Our lead consultants will work with you from start to finish on the project to ensure all requirements are met.
Frequently Asked Questions
A typical penetration test normally targets a group of systems or applications and does not always include a detailed configuration build review of the operating system itself.
Penetration testing tends to look for vulnerabilities across multiple systems, whereas a build review is a detailed review of a specific system in which its settings are manually compared to industry best practice recommendation benchmarks.
Our testers are fully certified by CREST to the highest CCT level in both application and infrastructure testing.
Our CREST member status can be viewed, along with the certified tester types we have on the below link:
It is recommended that build reviews or testing should be conducted annually as cyber threats are constantly evolving.
If major changes are made to the operating systems or configurations, then it is recommended that additional testing is conducted. This ensures that any recent changes are not introducing new vulnerabilities into the environment.
Some certifications, such as ISO 27001 or PCI DSS, require a certain frequency of testing to remain compliant.
Build review prices are based on the number and type of systems that are required to be reviewed; therefore, there is not an off-the-shelf price for a build review.
For each project we will technically scope your requirements and establish the time needed to complete the work. We will then provide a detailed proposal and breakdown of costs and options.
We supply a full build review report, which covers the following:
- Executive management summary - Non-technical overview of issues for management board level
- Detailed technical findings - A complete list of all issues identified
- Affected hosts - A list of all hosts affected, including the associated network port
- Policy compliance - A list of all non-compliant settings compared against industry recommendations
- Risk level - Impact, likelihood and overall risk ratings are listed for each issue
- Examples - Output or screenshots to demonstrate the issue
- Recommendations - Recommendations of how to remediate the issues, including any reference to documents that can assist
A sample report can be supplied upon request.
We have a full methodology for all testing services we provide, which is supplied with each project proposal. This outlines the testing steps and all the requirements in order to deliver the test.