Assessing Your Cyber Security Controls

One of the first steps in the journey to a more secure business is to assess the effectiveness of your existing security controls. Our job is to work with you to make that assessment by checking the security controls you have in place, advising you about which direction you could travel and, if you like, carrying you some of the way or at the very least providing you with a map to get there yourself.

The services outlined below are some of those which enable us to assess your security:

Cyber Risk Review

A one day workshop led by CND experts to identify the cyber security risks within your organisation.

Service Overview

The Cyber Risk Review is where our experts work with you to understand what information security threats you may be facing, what cyber security measures you may already have in place to mitigate those threats (risks) and what more could be done to reduce the risk. This remaining shortfall is what is known as the capability gap. During the workshop we will discuss ways to explore any issues found in greater detail, or propose and prioritise any further actions required to close the gap.

Service Detail

The Cyber Risk Review is designed to help you bridge the gap between your current cyber security position and where you need to get to in order to mitigate or manage your cyber security risks.

The Cyber Risk Review is often our starting point for a number of our services, such as the vCISO service, as it enables us to rapidly immerse ourselves in how you operate and identify any risks that you may have, although the Cyber Risk Review can equally stand alone in its own right.

The Cyber Risk Review is a one day workshop, led by a CND cyber security Principal Consultant and attended by your stakeholders and technical staff. Within the workshop we discuss a multitude of cyber security controls from a number of popular frameworks. The day is spent delving into numerous topics including security architecture, system hardening and insider threat, with our experts offering advice and clarification.

The output is a report where the various risks are prioritised along with the recommended actions to remediate them or investigate them further.

Virtual Chief Information Security Officer (vCISO)

Customer Friend - Cyber Technical Translator - Cyber Expert ‘on-demand’ - InfoSec Assistant

Your vCISO is on hand to help you on your cyber security journey as a trusted expert to answer questions and warn you about emerging threats.

Service Overview

An increasingly popular choice is for an organisation to have a cyber security subject matter expert, not only on tap, but proactively engaging with you when situations arise which might impact you.
The level of engagement is in your hands and according to your budget, with a number of service models to choose from, starting from Pay As You Go and extending up to a CISO being embedded within your organisation as a contracted CISO (not virtual).

Service Detail

Your vCISO can undertake a variety of activities determined by the scoping of the role, from responding to your questions and security issues to conducting onsite visits, attending meetings and delivering briefings.
You will additionally have access to CND threat intelligence updates, the latest security updates and notifications of vulnerabilities relevant to your declared assets.

Once your vCISO has been selected, they will work with you to scope the requirement and build a roadmap for delivery.
The number of days required each week or month may vary according to what is being delivered and will be reviewed every 3 months, providing you with flexibility and budgetary control.

Cyber Profile Assessment

Have you ever considered what information you are inadvertently exposing online that could be exploited by an attacker? This service is a health check of your online presence which combines a number of techniques to identify any weak spots.

Service Overview

The Cyber Profile Assessment combines several cyber security checks into a one day check of how your business and your staff may look to an attacker. The output is a report detailing any findings and recommending what could be done to rectify any problems found.

Service Detail

The Cyber Profile Assessment is constrained to what can be found and reported upon within one day.

Our GCHQ trained Open Source Intelligence consultants will conduct external non-credentialed vulnerability and web application scans of your website and boundary IP address, and will search for hidden metadata which might have been inadvertently disclosed.

Our analysts will also examine your organisation's online presence for data leakage and risk. This is performed not only on the "normal" Internet but also on the Deep and Dark Web, which is not as accessible.

Finally, a domain level search for any email addresses which have been exposed in public breaches will be undertaken.

From their findings we produce a Cyber Profile Assessment report highlighting the risks to your organisation and enabling you to manage your online risk profile.

Vulnerability Assessment

The Vulnerability Assessment is probably one of the most common cyber security checks to be undertaken. It enables your network and systems to be checked to identify weaknesses which an attacker might use against you.

Service Overview

A Vulnerability Assessment, or Scan, is a (mostly) automated test of computer systems which looks for vulnerabilities. Unlike a Penetration Test it does not try to exploit any vulnerabilities found; instead it just reports on them. As they are mostly automated, many systems can be checked at a time, which makes Vulnerability Assessments extremely cost effective.

Service Detail

We offer comprehensive vulnerability assessments of your chosen environment to cover a multitude of common threats. Our scans are usually credentialed, which means that they not only look at what your systems are presenting to the outside world, but they also log onto each system and run thorough checks to identify any known issues and to check that the systems comply with a number of cyber security standards. To do this manually would take hours per host, however, our automated scans undertake the checks in a fraction of the time and without the risk of human error.

The Vulnerability Assessment could be run just once, or you could schedule it to run regularly; the advantage of this is that any changes or new vulnerabilities will be quickly identified.

The Vulnerability Assessment really demonstrates value when you are

Choose from our 'Raw', 'Lite Touch' and 'Fully Analysed' service packages to find a competitively priced service level to meet your specific needs.

Raw. You receive the results direct from the scanning tool and have to interpret them yourselves; a level of cyber security expertise is required on your part.
Lite Touch. Our experts will go through the report and provide an overview of the findings; a level of IT knowledge is required on your part.
Full. Our analysts will review the output and work with you to prioritise the results and any remediation which might be required.

Other Services Related to Vulnerability Assessment

Cyber Profile Assessment. Take a look at our Cyber Profile Assessment. A one day service which examines your organisation's online risk profile. It includes a vulnerability scan, web application scan and open source intelligence research.

Continuous Scanning. A vulnerability scan provides a snapshot of your system vulnerabilities when the scan is run. We also offer a continuous service where the vulnerability assessment is scheduled to run on a regular basis, usually weekly or monthly.

Web Application Scanning

Many websites now include interactive content which enables the visitor and the website host to derive maximum benefit from the visit through dynamic content. This is often achieved through a Web Application which runs in the visitor's browser. In order to achieve the desired benefit the Web Application is given access to the backend of the website, and if this isn't handled correctly it could be exploited by an attacker. The Web Application scan checks for such problems.

Service Overview

Our Web Application Scanning (WAS) service utilises industry leading tools to scan your web apps for vulnerabilities that hackers could leverage against you. The output is a report detailing any findings along with recommendations on how to remediate any issues that were found.

Service Detail

Our Web Application Scanning (WAS) service provides a snapshot of how vulnerable your web application is to attack. This is undertaken by launching an industry leading automated tool that will actively scan your web applications for vulnerabilities.

We use the Common Vulnerability Scoring System (CVSS) framework to provide output in the form of a report containing a prioritised list of any vulnerabilities that require review and remediation. The WAS could be run just once, or you could request a follow up scan. This enables you to gauge the effectiveness of your remediation activity as well as discover any new vulnerabilities that have inadvertently been opened as a result.

Penetration Testing

"If you're on the Internet, you're already being Pen Tested, however, someone else is keeping the report"

A Penetration Test is a thorough test of the security of your network, conducted using the same tools and techniques as those used by various attackers who might wish to access your network.

Service Overview

Our consultants will work with you to identify the scope of the test and discuss the various options available to you. We will also look at your timescales and match your needs to one of our testers or, if more appropriate, a tester from one of our partners.

Service Detail

A Penetration Test or "Pen Test" will try to attack and penetrate your systems using the same tools and techniques that a hacker would, most of which are manual. If vulnerabilities are found, an attempt will be made to exploit them, enter the exposed system and, where permitted, move laterally through your network. Unlike a hacker, our testers have very strict rules of engagement and a scope defined by you within which to work; they will liaise with you before going beyond the scope to ensure your systems are not harmed and that you are comfortable with their actions.

The output from the Pen Test is a report on findings and recommendations on what you can do to remediate any problems which were identified. Our consultants will also be on hand to explain the report and assist in remediation if required.

Industry best practice suggests that you use a different Penetration Testing company for each test, which are usually undertaken at least annually. In order to retain your business we have partnered with some other Pen Test suppliers so that we can rotate in a different team for every test if this is your desire.

Some examples of the different types of Penetration Testing which we will undertake are as follows:

Web & Infrastructure
Application Security
Database Security
Social Engineering
VPN / Remote Access Security
VOIP Security
Wireless Security
Mobile Application Security
Source Code Review

Other Services Related to Penetration Testing

Red Teaming

Red Teaming is taking a Penetration Test to another level and whilst we will still attempt to break into your network digitally, we will also bring a whole host of other techniques out of the arsenal, such as social engineering and gaining physical access. It's as though we have a grudge and will do anything to gain entry to your systems, just as some attackers might.

Service Overview

We work with you to understand your requirements and the potential threat vectors (methods of entry) and threat actors (who is likely to attack you). We also define a scope around what is permitted and what isn't. As you can imagine, Red Teaming brings with it some risks for us and we will require a "Get Out Of Jail Free" card and a point of contact who is senior enough to calm a situation.

Service Detail

By adopting an adversarial approach towards the client we leave no stone unturned in our attempts to compromise them as though we were a highly motivated attacker.

We not only use the full spectrum of digital security techniques from penetration testing to open source intelligence which are available to us, but also deploy our intelligence experts and move into the physical realm.

We will use social engineering techniques to convince staff into helping us, as well as trying to physically access the premises to test the security.

The moral courage of staff is also tested as we tailgate through doors and behave increasingly suspiciously until we are challenged. 

Phishing Assessment

Phishing, or Business Email Compromise (BEC) is currently the preferred (and easiest) method for an attacker to breach a network. With a Phishing Assessment we send a realistic phishing email and instead of it being malicious, any victims will be educated on what they could have done to identify the phishing email.

Service Overview

Our consultants will discuss your concerns around phishing and suggest some objectives to educate staff about this topic and other associated areas. The output is a campaign not only to assess the likelihood of staff falling victim to phishing but, more importantly, to educate them about phishing techniques and how they can identify and thwart an attack.

Service Detail

When we conduct a phishing assessment we send a very realistic phishing email to groups of employees to see how many fall for the ruse and in doing so, assess the need for further user awareness training.

We can either run the Phishing Assessment as a managed service, or work with you to identify which assessment product best suits your needs, resell it, configure it and get you started on a phishing assessment campaign.

Compliance

Cyber security compliance frameworks and standards are designed to demonstrate that an organisation has achieved the level of security defined within that standard and has been independently audited and certified as having met that standard.

Service Overview

Our consultants will work with you to understand which cyber security frameworks and standards you need to comply with.

A large part of being compliant is the presence of policies defining how you satisfy various controls. We have a wealth of cyber security policies to hand which we can adapt for use within your organisation.

Service Detail

We will assess your organisation to see if you satisfy the controls within the selected security framework, such as NIST, ISO27001, Cyber Essentials, PCI DSS, etc. The output will be a gap analysis on where you don't comply with the certification.  We can then work with you to implement any changes that are required and if the certification permits it, audit you again and certify you.

Note: Some standards do not permit the same consultancy to implement a framework and audit it, as it might constitute a conflict of interest. Our consultants will advise on this, and we also have partners who can provide independent implementation or audit.

We can also provide some great tooling such as monitoring and scanning which are configured towards maintaining compliance such as with PCI DSS.

Firewall Audit

Firewalls are your primary line of defence against an attacker and yet they are often neglected. Rules are often adjusted or added to resolve a crisis and then left in place. The rule complexity, coupled with the potential impact on service, deters many from performing housekeeping on their firewalls.

Service Overview

Our firewall experts will closely inspect the configuration of your firewalls to ensure you are taking maximum benefit from the licensed features, and will suggest updates if required.

We will also inspect the rules either manually or using our automated tools and report on redundant rules or rules which could be more granular.

Service Detail

When we audit a firewall we not only look at whether it is up to date, but also review all of the rules to ensure each rule is adequately granular and that the sources and destinations are still appropriate, finishing off by checking for an explicit deny.

We also check the architecture for correct placement and to ensure there aren't any potential bypasses. The configuration for each firewall is checked to ensure that licensed functionality is turned on and configured correctly.
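The rule checks described above (granularity, whether a rule is still needed, and the closing explicit deny) can be applied mechanically to an exported rule base. The following is an added example, not CND's audit tooling: a small analyser for a first-match rule base that flags any-to-any permits, rules fully shadowed by an earlier rule (redundant if the action matches, dead if it does not) and a missing deny-all at the end. The Rule layout and the sample rule base are constructed for illustration; real firewalls export in their own formats and would need a parser in front of this.

```python
"""Static checks on a first-match firewall rule base. Added example, not CND's
audit tooling; the rule format and the sample rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "443", "1-1024" or "any"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _port_range(ports: str):
    if ports == "any":
        return (0, 65535)
    lo, _, hi = ports.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    o_lo, o_hi = _port_range(outer.ports)
    i_lo, i_hi = _port_range(inner.ports)
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and outer.proto in ("any", inner.proto)
        and o_lo <= i_lo and i_hi <= o_hi
    )


def _is_any_to_any(rule: Rule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.proto == "any" and rule.ports == "any"


def audit(rules):
    """Return (rule name, finding) pairs for a rule base evaluated top to bottom."""
    findings = []
    for idx, rule in enumerate(rules):
        # Granularity: a permit from anywhere to anywhere on any port.
        if rule.action == "allow" and _is_any_to_any(rule):
            findings.append((rule.name, "permits any-to-any traffic; needs to be more granular"))
        # Shadowing: an earlier rule already decides all of this rule's traffic.
        for earlier in rules[:idx]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "never matched"
                findings.append((rule.name, f"{kind}: fully shadowed by '{earlier.name}'"))
                break
    # Explicit deny: the last rule should drop everything not permitted above it.
    if not rules or not (rules[-1].action == "deny" and _is_any_to_any(rules[-1])):
        findings.append(("<end>", "no explicit deny-all at the end of the rule base"))
    return findings


# Constructed rule base; 'crisis-fix' is the kind of rule added during an outage and forgotten.
SAMPLE_RULES = [
    Rule("web-in", "allow", "any", "203.0.113.10/32", "tcp", "443"),
    Rule("mgmt-ssh", "allow", "10.0.0.0/8", "10.1.1.0/24", "tcp", "22"),
    Rule("crisis-fix", "allow", "any", "any", "any", "any"),
    Rule("dup-web", "allow", "198.51.100.0/24", "203.0.113.10/32", "tcp", "443"),
    Rule("block-legacy", "deny", "192.0.2.0/24", "10.1.1.0/24", "tcp", "22"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name:14} {finding}")
```

Note that the shadow check is order-sensitive on purpose: "block-legacy" is reported as never matched because the earlier any-to-any permit swallows its traffic, which is exactly the kind of silent bypass a rule-by-rule read misses. Appending a deny-all rule clears the end-of-rule-base finding but is itself reported as shadowed until "crisis-fix" is removed.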

Rest assured that we won't make any changes to the firewalls during the audit, instead a report will be produced with observations made and recommendations to remediate the issues found.

If the remediation is beyond the capability of your staff, we can be engaged to work with you to implement any agreed changes.

Forensic Readiness Review

After a security breach, logs are gathered to understand what has happened and also as evidence to prosecute the attackers. All too often the logs gathered by default are inadequate, lacking in detail, or missing altogether. Our service ensures that you are prepared for the worst.


Service Overview

Our Forensic Readiness Review ensures that an organisation is collecting sufficient logs and storing them in a forensically sound manner in order to facilitate a thorough investigation of an incident and if necessary prosecute the attackers in a court of law.

By default most organisations do collect some logs from their network devices and various operating systems; however, most don't manage them or consider the "audit policy" which defines which events are recorded.

Service Detail

We start by conducting a Forensic Readiness Review workshop where we exercise some breach use cases to test the effectiveness of the available logs. A gap analysis is performed and where necessary changes suggested to increase the forensic readiness.

© Computer Network Defence Limited 2019