Cyber Security Assessments

Cyber Security Review
Our questionnaire and interview-based cyber security review is designed to provide a high-level assessment of a client’s information security capabilities. The assessment covers business, operations and technical requirements associated with information security and will specifically cover cyber controls and objectives for your people, processes and technology.
Vulnerability Assessment
With threats originating from all parts of the globe, as well as from within ones own network, it is now becoming more important for organisations to secure their resources. The benefits that can result from conducting frequent, pro-active vulnerability assessments can be numerous. The most obvious advantage would be the ability to identify known security exposures before potential attackers do.

By completing continual assessments it is easy to identify possible security concerns that may be present on the network, both from an internal and an external perspective. Early detection introduces the opportunity to address the issues before the attackers can exploit the weakness which may cause serious damage to the companies assets and possibly their reputation. No one wants to hear about their security deficiencies on BBC.

Another benefit of conducting routine vulnerability assessments is that it can assist in updating or creating a detailed network map of the enterprise. An organization should have an accurate idea of what systems are present in their environment. However, it is not impossible for someone to connect a new system to the network without informing the right people or going through the correct change management process. If these machines were unofficially connected to the network, chances of them being hardened or secured is probably low. These rogue machines can introduce unwanted and unnecessary risks into the enterprise and need to be dealt with in a timely manner.

Our vulnerability assessment starts from the outside of your organisation and works inwards. Through the use of both open source and commercial tools and techniques we will conduct an electronic technical scan and assessment of an organisations IT infrastructure to identify and report on any potential vulnerabilities that may exist.

Our vulnerability assessment can cover the following (but will be agreed with you):
- Firewalls
- Routers
- Managed / Un-Managed Switches
- Hubs
- User Access Devices (UAD)
- Servers (Windows / *nix)
- Wireless Access Points
- Web Applications
- Public Website
Penetration Testing
There are a variety of reasons for performing a penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Sometimes, the IT department is aware of reported vulnerabilities but they need an outside expert to officially report them so that management will approve the resources necessary to fix them. Having a second set of eyes check out a critical computer system is a good security practice.

Testing a new system before it goes on-line is also a good idea. Another reason for a penetration test is to give the IT department at the target company a chance to respond to an attack. The Payment Card Industry (PCI) Data Security Standard, and other recent security recommendations and regulations, require external security testing.

Find Holes Now Before Somebody Else Does

At any given time, attackers are employing any number of automated tools and network attacks looking for ways to penetrate systems. Only a handful of those people will have access to 0-day exploits, most will be using well known (and hence preventable) attacks and exploits. Penetration testing provides IT management with a view of their network from a malicious point of view.
The goal is that the penetration tester will find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes. In a sense, think of a Penetration Test as an annual medical physical.
Report Problems to Management
If a Security Team has already pointed out to upper management the lack of security in the environment, penetration testing results help to justify the resources to address those needs. Often an internal network team will be aware of weaknesses in the security of their systems but will have trouble getting management to support the changes that would be necessary to secure the system.

By having an outside group with a reputation for security expertise analyse a system, management will often respect that opinion more. Furthermore, an outside tester has no vested interest in their results. Inside a corporation of any size, there will be political struggles and resource constraints. Administrators and techies are always asking for budget increases for new technology. By using an independent third party to verify the need, management will have an additional justification for approving or denying the expenditure of money on security technologies. Similarly, system administrators who know the intricacies of their environment are often aware of how to compromise their network. As such, it is not uncommon for management to assume that without such knowledge, an attacker would be unable to gain unauthorised entry. By using a third party who operates with no inside knowledge, the penetration testing team may be able to identify the same vulnerability and help convince management that it needs to be resolved.

A penetration testing team may also be able to prove that an exploit exists while the internal network staff “knew”it was there but wasn’t quite able to pull all the pieces together to demonstrate the exploit effectively. Remember that ultimate responsibility for the security of IT assets rests with Management. This responsibility rests with management because it is they, not the administrators, who decide what the acceptable level of risk is for the organisation.
Verify Secure Configurations
If the Security Team are confident in their actions and final results, the penetration test report verifies that they are doing a good job. Having an outside entity verify the security of the system provides a view that is devoid of internal preferences. An outside entity can also measure the team’s efficiency as security operators. The penetration test doesn’t make the network more secure, but it does identify gaps between knowledge and implementation.
Our penetration test uses open source information and specialist capabilities to act and behave as an aggressive and disruptive force to assess the identified systems and vulnerabilities.
Security Training for Network Teams
Penetration testing gives security people a chance to recognise and respond to a network attack. For example, if the penetration tester successfully compromises a system without anyone knowing, this could be indicative of a failure to adequately train staff on proper security monitoring. Testing the monitoring and incident handling teams can show if they are able to figure out what is going on and how effective their response is. When the security staff doesn’t identify hostile activity, the post-testing reporting can be used to help them hone their incident response skills.
Discover Gaps in Compliance
Using penetration testing as a means to identify gaps in compliance is a bit closer to auditing than true security engineering, but experienced penetration testers often breach a perimeter because someone did not get all the machines patched, or possibly because a non-compliant machine was put up “temporarily” and ended up becoming a critical resource. In today’s heavily regulated environment, many organisations are looking for better ways to continually assess their compliance posture. Most regulations have multiple components specifically related to system auditing and security.
Testing New Technology
The ideal time to test new technology is before it goes into production. Performing a penetration test on new technologies, applications and environments before they go into production can often save time and money because it is easier to test and modify new technology while nobody is relying on it. Some examples might include a new externally facing web server with SOAP enabled, a new wireless infrastructure, or the introduction of mobile messaging gateways.

Cyber Secuirty Associates will cover the following cyber attack techniques (but is not limited to):
- SQL Injection
- Cross Site Scripting
- Covert Data Harvesting
- Password and Credential Harvesting
- Denial of Service
- Application and Operating System Exploitation
- Server and Network Shutdown

This highly technical assessment phase will be undertaken by our cyber technical experts and managed both safely and securely to ensure the availability, confidentiality and integrity of all client information assets.

For more information about our Security Assessment services please Contact Us
Download our Full Service Catalogue