Find out where your organization stands in relation to best practices or your industry peers. This is a great service to consider when you're unsure of your security posture or when you are looking for a general starting point. A general security assessment can be on-site or off-site depending on what specifics are needed. At the very least, a general security assessment includes an analysis of firewall configurations, an analysis of standard desktop and server implementations, and other basic security-related items in an environment. Additional security needs can be added a la carte to a general security assessment in order to focus on areas of concern or to meet certain compliance requirements. For example, a wireless security assessment, analysis of VLAN segmentation (such as voice or credit card network segments), or vulnerability scanning are popular add-on services to a general security assessment.
A network penetration test is the perfect "next step" when you believe all of your network defenses are in place. A network penetration test has us target your environment to see if we can gain access. In most cases, a penetration test is not recommended unless you are a fairly mature security environment. Even in well-known security standards such as the Critical Security Controls (from the Center for Internet Security), penetration testing is often the last requirement (#20). Penetration tests are often mistaken for vulnerability assessments/scans by end users and many security firms alike. We offer vulnerability scans, but we don't call them penetration tests because they are not. We can also work with IT personnel to ensure a proper mitigation plan is in place after the testing phase is completed.
Does your industry have technical guidelines or requirements? Whether you are bound to HIPAA, PCI, NERC/FERC, GLBA, or any other standard, we can help get you compliant and ready for what's next. We appreciate compliance and the need for it because it is helping to move many industries forward, but at the end of the day what we really appreciate is protecting data. So whether your sensitive data is PII, PHI, or even sensitive equipment, we will often protect it similarly. In addition, because we work in multiple industries, we will frequently take the best pieces from other standards and implement them in your environment. This fundamental understanding of security and the direction of compliance standards will help keep you ahead of the game.
Social engineering assessments test what is often the most overlooked component in your environment -- your people. Here we try to slide past your technical controls and gain access to information we simply shouldn't have. During a social engineering assessment, we can send highly targeted phishing emails to test the effectiveness of your security awareness training. Or we can call your office to gather data and see if a telephone conversation changes the level of trust. We can even perform a passive analysis and reconnaissance to find publicly accessible data that is readily available and then highlight areas that may be problematic in a directed attack.
Web applications are notoriously difficult to code securely. Whether you are bringing a new web application to market or you simply want to improve your web application security, we can help. Application security involves checking the actual application for potential flaws, not just the host operating system. Our testing can also include code auditing in cases where we have a thorough familiarity with the programming language in use. Typical findings include XSS (cross-site scripting) vulnerabilities, SQL injection, unsanitized form inputs, unintended data exposures, flaws in session cookies, etc. Through a rigorous combination of manual and automated processes, we can help make your web application much more secure!
A vulnerability assessment is used to proactively identify potential security flaws in your environment, whether internal or external to your firewall. This in turn allows you (or us) to resolve the issues before they are exploited by bad actors. A vulnerability assessment goes one step further than a vulnerability scan in that many of the high or critical flaws are then manually tested to eliminate potential false positives. Many compliance standards now require periodic vulnerability assessments/scans in an effort to discover (and mitigate) new vulnerabilities before they are exploited by bad actors. We can also provide ongoing vulnerability scanning for customers who need assistance maintaining a vulnerability scanning engine, interpreting the results, or remediating the threats.
Has an auditor identified that your organization needs a CISO due to data sensitivity, but you don't feel you are big enough to warrant such an investment? That is where a virtual CISO (vCISO) comes in. A vCISO works with your IT staff to get security programs off the ground and ingrained in the environment. A vCISO also sits in on most IT meetings to determine how security might be impacted *before* a new product or software is implemented. The importance of a watchful security eye on projects prior to implementation simply cannot be overstated. Imagine having a resource who can look at your latest wireless implementation, new server install, new network install, etc. and educate your existing staff along the way.
Need help getting some sort of security program going, but not quite sure where to start? This option gives your organization the direction to succeed, but it relies on your staff to implement the ongoing changes. Providing your organization with direction on its security program is a small subset of the role a virtual CISO might fill for your organization. Want to start a security awareness program? Need to start performing regular vulnerability scans, but want to identify the gotchas upfront? Want to simply get an idea of where your security dollars should be spent, i.e. the best bang for the buck? That is where this service can provide a huge benefit to any organization.
Did you purchase security software or hardware that is still in the box? Maybe you thought you could do it yourself, or maybe the seller/VAR is giving you the runaround? We have implemented thousands of security products in thousands of environments; however, there is always the possibility that we don't have experience with product XYZ. Here's a little tip, and it goes back to our policy about honesty: we will tell you upfront. That being said, even with no experience on certain products, we have found time and time again that our fundamental security knowledge often provides more benefit in ensuring a successful implementation than anyone the VAR could have provided anyway. And we won't simply install the software/hardware and run out the door. It is our policy to provide your IT staff with a level of knowledge that ensures they can handle day-to-day care, maintenance, and troubleshooting.