Assessing Your Cyber Security Controls

Lao Tzu - A journey of a thousand miles begins with a single step

The first step to a secure network is to understand where you are now. Our job is to help you make that assessment and advise you about which direction you should travel, and if you like, carry you some of the way or at least provide you with a map to get there yourself. 

Cyber Risk Review

Bridging the gap between where you are now and where you need to be to reach the level of security which you are looking for.

This is the starting point for a number of our services, including the vCISO service, though it can equally stand alone in its own right.

The Cyber Risk Review is a CND-led one-day workshop attended by the client's stakeholders and technical staff, designed to discuss a multitude of cyber security controls from a number of popular frameworks. The day is spent delving into numerous topics, including security architecture, system hardening and insider threat, with our experts offering advice and clarification.

The output is a report where the various risks are prioritised along with the recommended actions to remediate them or investigate them further.

The client is then free to tackle the issues themselves and is under no obligation to use CND.

Virtual Chief Information Security Officer (vCISO)

Customer Friend - Cyber Technical Translator - Cyber Expert ‘on-demand’ - InfoSec Assistant

An increasingly popular choice is for an organisation to have a cyber security subject matter expert not only on tap, but proactively engaging with you when situations arise which might impact you.
The level of engagement is in your hands and according to your budget, with a number of service models to choose from, starting from Pay As You Go and extending up to a CISO being embedded within your organisation as a contracted CISO (not virtual).

Your vCISO can undertake a variety of activities determined by the scoping of the role, from responding to your questions and security issues to conducting onsite visits, attending meetings and delivering briefings.
You will additionally have access to CND threat intelligence updates, the latest security updates and notifications of relevant vulnerabilities to your declared assets.

Once your vCISO has been selected, they will work with you to scope the requirement and build a roadmap for delivery.
The number of days required each week or month may vary according to what is being delivered and will be reviewed every 3 months, providing you with flexibility and budgetary control.

Cyber Profile Assessment

Our one-day Cyber Profile Assessment examines your organisation's online presence for data leakage and risk. Our GCHQ-trained Open Source Intelligence consultants will externally scan your website and boundary for vulnerabilities and look for hidden metadata, known as "seeds".

Up to 10 of these discovered seeds, coupled with your domain name, will be used to trawl the deep and dark web for compromising information.

From their findings we produce a Cyber Profile Assessment report highlighting the risks to your organisation and enabling you to manage your online risk profile.

A Vulnerability Scan or Assessment is a (mostly) automated test of computer systems which looks for vulnerabilities. Unlike a Penetration Test it does not try to exploit any vulnerabilities found; instead it just reports on them, which makes Vulnerability Assessments extremely cost effective.

We would recommend running a Vulnerability Assessment ahead of a Pen Test to enable you to remediate the easier vulnerabilities and increase the effectiveness of the Pen Test. We would also recommend running a Vulnerability Assessment after a Pen Test, once vulnerabilities have been remediated, to ensure the remediation has been successful.

A Vulnerability Assessment should never replace a Pen Test.

We offer comprehensive vulnerability assessments of your chosen environment to cover a multitude of common threats. Choose from singular or continuous assessments, internal and external infrastructure scans and web application scanning.

Choose from our 'Raw', 'Lite Touch' and 'Fully Analysed' service packages to find a competitively priced service level to meet your specific needs.

Raw. You receive the results direct from the scanning tool and have to interpret them yourselves; a level of cyber security expertise is required on your part.

Lite Touch. Our experts will go through the report and provide an overview of the findings; a level of IT knowledge is required on your part.

Fully Analysed. Our analysts will review the output and work with you to prioritise the results and any remediation which might be required.

Related Services

Cyber Profile Assessment. Take a look at our Cyber Profile Assessment. A one day service which examines your organisation's online risk profile. It includes a vulnerability scan, web application scan and open source intelligence research.

Continuous Scanning. A vulnerability scan provides a snapshot of your system vulnerabilities when the scan is run. We also offer a continuous service where the vulnerability assessment is scheduled to run on a regular basis, usually weekly or monthly.

Web Application Scanning

Insecure web applications provide an attacker with an entry point into your network, potentially exposing large quantities of confidential information. Our qualified testers will undertake dynamic deep scanning covering all apps on your perimeter or internal network.

We can also cover public cloud instances and provide you with visibility of vulnerabilities like SQLi and XSS. Authenticated, complex and progressive scans can also be undertaken.

"If you're on the Internet, you're already being Pen Tested, however, someone else is keeping the report"

A Penetration Test or "Pen Test" will try to attack and penetrate your systems using the same tools and techniques that a hacker would; these are mostly manual. If vulnerabilities are found, an attempt will be made to exploit them and enter the exposed system. Unlike a hacker, our testers have very strict rules of engagement and a scope defined by you within which to work; they will liaise with you before going beyond the scope to ensure your systems are not harmed and that you are comfortable with their actions.

The output from the Pen Test is a report on findings and recommendations on what you can do to remediate any problems which were identified. Our consultants will also be on hand to explain the report and assist in remediation if required.

Industry best practice suggests that you use a different Penetration Testing company for each test, and tests are usually undertaken at least annually. In order to retain your business we have partnered with other Pen Test suppliers so that we can rotate in a different team for every test if this is your desire.

Web & Infrastructure
Application Security
Database Security
Social Engineering
VPN / Remote Access Security
VOIP Security
Wireless Security
Mobile Application Security
Source Code Review

Red Teaming

By adopting an adversarial approach towards the client we leave no stone unturned in our attempts to compromise them as though we were a highly motivated attacker.

We not only use the full spectrum of digital security techniques available to us, from penetration testing to open source intelligence, but also deploy our intelligence experts and move into the physical realm.

We will use social engineering techniques to convince staff into helping us, as well as trying to physically access the premises to test the security.

The moral courage of staff is also tested as we tailgate through doors and act increasingly suspiciously until we are challenged.

Phishing Assessment

Phishing, or Business Email Compromise (BEC), is currently the preferred (and easiest) method for an attacker to breach a network.

When we conduct a phishing assessment we send a very realistic phishing email to groups of employees to see how many fall for the ruse and in doing so, assess the need for further user awareness training.

We can either run the Phishing Assessment as a managed service, or work with you to identify which assessment product best suits your needs, resell it, configure it and get you started on a phishing assessment campaign.

Compliance

We will assess your organisation against a number of security frameworks, such as NIST, ISO 27001, Cyber Essentials, PCI DSS, etc., to see whether you meet them. The output will be a gap analysis showing where you don't comply with the certification. We can then work with you to implement any changes that are required and, if the certification permits it, audit you again and certify you.

We can also provide tooling, such as monitoring and scanning, configured towards maintaining compliance with frameworks such as PCI DSS.

Policies. We have a wealth of cyber security policies to hand which we can adapt for use within your organisation.

Firewall Audit

Firewalls are your primary line of defence against an attacker and yet they are often neglected. When we audit a firewall we not only look at whether it is up to date, but also review all of the rules to ensure each rule is adequately granular and that the sources and destinations are still appropriate, finishing off by checking for an explicit deny.

We also check the architecture for correct placement and to ensure there aren't any potential bypasses. The configuration for each firewall is checked to ensure that licensed functionality is turned on and configured correctly.
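As an added illustration of the rule checks described above (example code, not CND's own tooling), this Python script audits a constructed ruleset for overly broad allow rules, rules shadowed by an earlier rule, and a final explicit deny; the rule format and the sample values are assumptions.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard marker used in this constructed rule format


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR, address object or ANY
    dst: str
    service: str  # e.g. "tcp/443" or ANY

    def fields(self):
        return (self.src, self.dst, self.service)


def broad_rules(rules):
    """Allow rules that wildcard two or more of source, destination, service."""
    return [r.name for r in rules
            if r.action == "allow" and sum(f == ANY for f in r.fields()) >= 2]


def has_explicit_deny(rules):
    """True when the ruleset ends with a deny of any source, destination and service."""
    return bool(rules) and rules[-1].action == "deny" and rules[-1].fields() == (ANY, ANY, ANY)


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers every field."""
    hits = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if all(e == ANY or e == f for e, f in zip(earlier.fields(), r.fields())):
                hits.append(r.name)
                break
    return hits


def audit(rules):
    """Collect the three findings an auditor would want to walk through with the client."""
    return {"broad": broad_rules(rules),
            "shadowed": shadowed_rules(rules),
            "explicit_deny": has_explicit_deny(rules)}


# Constructed sample ruleset, evaluated top to bottom like a typical firewall policy
SAMPLE_RULES = [
    Rule("web-in", "allow", ANY, "10.0.1.10/32", "tcp/443"),
    Rule("old-web", "allow", ANY, "10.0.1.10/32", "tcp/443"),  # duplicate: shadowed by web-in
    Rule("mgmt", "allow", "10.0.9.0/24", ANY, ANY),             # too broad: any destination, any service
    Rule("legacy", "allow", ANY, ANY, "tcp/23"),                # too broad: any source, any destination
    Rule("cleanup", "deny", ANY, ANY, ANY),                     # the explicit deny the audit looks for
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```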

Forensic Readiness Review

This service ensures that an organisation is collecting sufficient logs and storing them in a forensically sound manner, in order to facilitate a thorough investigation of an incident and, if necessary, prosecute the attackers in a court of law.

By default most organisations do collect some logs from their network devices and various operating systems; however, most don't manage them or consider the "audit policy" which defines which events are recorded.

We start by conducting a Forensic Readiness Review workshop where we exercise some breach use cases to test the effectiveness of the available logs. A gap analysis is performed and, where necessary, changes are suggested to increase the forensic readiness.

© Computer Network Defence Limited 2019