The dependence on cutting-edge information systems and increasingly complex operating environments means that organizations are more vulnerable than ever to security risks. Protecting the confidentiality, integrity, and availability of information assets in such complicated environments has never been a more difficult task. Improving the security of information systems requires knowledge of where key systems are vulnerable to unauthorized access, tampering and other forms of compromise by hackers, disgruntled employees, business rivals and other potential attackers. Our Security Assessment Services are designed to identify and offer comprehensive explanations of known security vulnerabilities, giving organizations an effective and accurate measure of how to improve their information security posture.
Vulnerability Assessments: An independent technical security review of your environment using “Ethical Hacking” techniques to identify potential gaps in security controls, weaknesses in your applications, and common security shortcomings. Vulnerability assessments help organizations address key concerns including:
- Are the current security controls adequately protecting our organization?
- How can we effectively address our shortcomings?
- What strategic/tactical remediation steps are required to better protect our organization?
- Are we compliant with the standards and regulations that govern us?
Penetration Testing: In addition to vulnerability assessment, RGS Specialists has a broad penetration testing capability. During a penetration test we further explore the vulnerabilities identified during a vulnerability assessment to determine what level of access to systems, networks, and/or data can be obtained by exploiting identified weaknesses.
Our approach to vulnerability and penetration testing services is to look at all internal and external components of your infrastructure and applications to include:
- Networking components – Routers, Switches, Wireless Networks
- Systems – Servers, Databases, Storage, End User workstations, Mobile Devices
- Applications – Web Facing Applications, Mobile Applications, Thick Client Applications, Source Code Analysis
- Social Engineering – Phishing, Malware Deployment, User Manipulation
While every engagement is geared towards our client's specific needs and requirements, Vulnerability and Penetration Testing typically follow this methodology:
- Recon - Identifying and gathering details on the in-scope systems, applications, services, ports, people, sites, etc.
- Analysis - Determining the weaknesses associated with systems identified during the Recon phase.
- Exploitation - If penetration testing services are included, the weaknesses identified will be exploited and the resulting exposures measured.
- Reporting - A business-aligned view into the organization's vulnerabilities and the strategic/tactical remediation plans to resolve issues. Each risk/finding identified is ranked in order of importance to assist the organization in planning its remediation efforts.
Choosing the right partner
Choosing the right partner is the most critical aspect of getting the most value out of vulnerability assessments.
There exists an anomaly with security assessments that does not exist in other traditional security services - instead of gaining knowledge through years of experience and training, anyone can stand up an assessment service using the plethora of freely available security tools, security distros, and testing methodologies, with little or no experience. It is these companies, offering low-end services packaged with the latest buzzwords and catchphrases, that make it hard for an organization to effectively choose the right partner for assessments. Instead of choosing a partner that has the skills and experience coupled with an understanding of the business, a company’s choice often boils down to Fear, Uncertainty and Doubt (FUD) sales tactics and worse yet - price.
So how does a company search through the noise and find the right partner for them? The following questions will help:
- Trust – Vulnerability assessments uncover a vast amount of detail on the operating environment within an organization. Do you trust the partner with that sensitive information?
- Experience – Many companies use experienced individuals to build the practice, then turn around and use junior staff on the engagements. Does the person performing the assessment have real-life “hands-on” experience? If so, how much?
- Business Context – In order to analyze and report on the business impact, the business processes must be understood. Does the potential partner understand your business model?
- Working Relationship – Assessments are only a small part of an ongoing security program. Does the potential partner offer other tactical and strategic security services – can they be more than your “auditor” and become your “trusted advisor”?
- Protection – The raw data will reside on the partner’s machines until the final report is delivered. How will they protect that data and, more importantly, can they demonstrate that?
- Competition – Many organizations face strict competition in their marketplace. Can you afford to be wrong? Relying on incomplete or, worse yet, inaccurate data can leave an organization susceptible to attack from competitors or other malicious users. Having a true understanding of the weaknesses and strengths as they relate to business context will allow an organization to better mitigate findings and thus improve its security posture.
A full overview of our services can be found here.