One of the first steps on the journey to a more secure business is to assess the effectiveness of your existing security controls. Our job is to work with you on that assessment by checking the security controls you have in place, advising you on which direction you could take and, if you wish, carrying you some of the way, or at the very least providing you with a map so that you can get there yourself.
The services outlined below are those which enable us to assess your security:
The Cyber Risk Review is where our experts work with you to understand which information security threats you may be facing, which cyber security measures you already have in place to mitigate those threats, and what more could be done to reduce the remaining risk. The difference between what is in place and what is needed is known as the capability gap. During the workshop we discuss ways to explore any issues found in greater detail, and propose and prioritise the further actions required to close the gap.
The Cyber Risk Review is designed to help you bridge the gap between your current cyber security position and where you need to get to in order to mitigate or manage your cyber security risks.
The Cyber Risk Review is often our starting point for a number of our other services, such as the vCISO service, as it enables us to rapidly immerse ourselves in how you operate and identify the risks you face. It can equally stand alone in its own right.
The Cyber Risk Review is a one-day workshop, led by a CND cyber security Principal Consultant and attended by your stakeholders and technical staff. Within the workshop we discuss a multitude of cyber security controls drawn from a number of popular frameworks. The day is spent delving into numerous topics, including security architecture, system hardening and insider threat, with our experts offering advice and clarification.
The output is a report in which the various risks are prioritised, along with the recommended actions to remediate them or investigate them further.
An increasingly popular choice is for an organisation to have a cyber security subject matter expert not only on tap, but proactively engaging with you when situations arise which might affect you.
The level of engagement is in your hands and according to your budget, with a number of service models to choose from, starting from Pay As You Go and extending up to a CISO being embedded within your organisation as a contracted CISO (not virtual).
Your vCISO can undertake a variety of activities determined by the scoping of the role, from responding to your questions and security issues to conducting onsite visits, attending meetings and delivering briefings.
You will additionally have access to CND threat intelligence updates, the latest security updates and notifications of vulnerabilities relevant to your declared assets.
Once your vCISO has been selected, they will work with you to scope the requirement and build a roadmap for delivery.
The number of days required each week or month may vary according to what is being delivered and will be reviewed every three months, giving you flexibility and budgetary control.
The Cyber Profile Assessment combines several cyber security checks into a one-day examination of how your business and your staff look to an attacker. The output is a report detailing any findings and recommending what could be done to rectify any problems found.
The Cyber Profile Assessment is constrained to what can be found and reported upon within one day.
Our GCHQ-trained Open Source Intelligence consultants will conduct external, non-credentialed (unauthenticated) vulnerability and web application scans of your website and boundary IP addresses, and will search for hidden metadata (for example author names, internal usernames and software versions embedded in published documents) which might have been inadvertently disclosed.
Our analysts will also examine your organisation's online presence for data leakage and risk. This is performed not only on the "normal" Internet but also on the Deep and Dark Web, which is less accessible.
Finally, a domain-level search is undertaken for any of your email addresses which have been exposed in public breaches.
From their findings we produce a Cyber Profile Assessment report highlighting the risks to your organisation and enabling you to manage your online risk profile.
Continuous Scanning. A vulnerability scan provides a snapshot of your system vulnerabilities at the time the scan is run. We also offer a continuous service in which the vulnerability assessment is scheduled to run on a regular basis, usually weekly or monthly, so that newly disclosed vulnerabilities and configuration changes are picked up between assessments.
Many websites now include interactive content which enables the visitor and the website host to derive maximum benefit from the visit through dynamic content. This is achieved through a web application: code running in the visitor's browser sends requests to server-side code, which in turn has access to the site's backend systems such as databases. If those requests and the data they carry are not validated and handled correctly, an attacker can craft their own requests to exploit the backend. The web application scan checks for such problems.
Our Web Application Scanning (WAS) service provides a snapshot of how vulnerable your web application is to attack. We launch an industry-leading automated tool that actively scans your web applications for vulnerabilities attackers could leverage against you. The output is a report detailing any findings along with recommendations on how to remediate the issues that were found.
We use the Common Vulnerability Scoring System (CVSS) to rate each finding, so the report contains a prioritised list of the vulnerabilities that require review and remediation. As with any automated scanner, findings should be reviewed for false positives before remediation effort is committed. The WAS can be run just once, or you can request a follow-up scan. A follow-up scan enables you to gauge the effectiveness of your remediation activity and to discover any new vulnerabilities that have inadvertently been opened as a result.
"If you're on the Internet, you're already being Pen Tested, however, someone else is keeping the report"
Red Teaming takes a Penetration Test to another level. Whilst we will still attempt to break into your network digitally, we will also bring a whole host of other techniques out of the arsenal, such as social engineering and gaining physical access. It is as though we have a grudge and will do anything to gain entry to your systems, just as some attackers might.
We work with you to understand your requirements, the potential threat vectors (methods of entry) and the threat actors (who is likely to attack you). We also define a scope around what is permitted and what isn't. As you can imagine, Red Teaming brings some risks for us, so we will require a signed authorisation letter (a "Get Out Of Jail Free" card) that our operators carry, and a point of contact who is senior enough to calm a situation if they are challenged or detained.
By adopting an adversarial approach towards the client we leave no stone unturned in our attempts to compromise them as though we were a highly motivated attacker.
We not only use the full spectrum of digital security techniques available to us, from penetration testing to open source intelligence, but also deploy our intelligence experts and move into the physical realm.
We will use social engineering techniques to convince staff to help us, as well as trying to physically access the premises to test their security.
The moral courage of staff is also tested as we tailgate through doors and behave increasingly suspiciously until we are challenged.
Phishing, and the Business Email Compromise (BEC) attacks that often begin with it, is currently the preferred (and easiest) method for an attacker to breach a network. With a Phishing Assessment we send a realistic phishing email and, instead of it being malicious, anyone who falls for it is shown what they could have done to identify it as phishing.
Our consultants will discuss your concerns around phishing and suggest objectives for educating staff about this topic and associated areas. The output is a campaign which not only assesses the likelihood of staff falling victim to phishing but, more importantly, educates them about phishing techniques and how to identify and thwart an attack.
When we conduct a phishing assessment we send a very realistic phishing email to groups of employees to see how many fall for the ruse and, in doing so, assess the need for further user awareness training.
We can either run the Phishing Assessment as a managed service, or work with you to identify which assessment product best suits your needs, resell it, configure it and get you started on a phishing assessment campaign.
Cyber security compliance frameworks and standards are designed to demonstrate that an organisation has achieved the level of security defined within that standard and has been independently audited and certified as having met that standard.
Our consultants will work with you to understand which cyber security frameworks and standards you need to comply with.
A large part of being compliant is having policies which define how you satisfy the various controls. We have a wealth of cyber security policies to hand which we can adapt for use within your organisation.
We will assess your organisation to see whether you satisfy the controls within the selected framework, such as NIST, ISO 27001, Cyber Essentials or PCI DSS. The output is a gap analysis showing where you do not yet meet the standard. We can then work with you to implement the required changes and, where the scheme permits it, audit you again and certify you.
Note: some standards do not permit the same consultancy to implement a framework and then audit it, as this would constitute a conflict of interest. Our consultants will advise on this, and we also have partners who can provide independent implementation or audit.
We can also provide some great tooling such as monitoring and scanning which are configured towards maintaining compliance such as with PCI DSS.
Firewalls are your primary line of defence against an attacker and yet they are often neglected. Rules are often adjusted or added to resolve a crisis and then left in place. Rule complexity, coupled with the potential impact on service, deters many from performing housekeeping on their firewalls.
Our firewall experts will closely inspect the configuration of your firewalls to ensure you are taking maximum benefit from the licensed features, and will suggest updates if required.
We will also inspect the rules, either manually or using our automated tools, and report on redundant rules (including rules shadowed by an earlier rule, which can never match) and rules which could be more granular.
When we audit a firewall we not only look at whether its software is up to date, but also review all of the rules to ensure each is adequately granular and that its sources and destinations are still appropriate, finishing off by checking that the rulebase ends with an explicit deny-all rule (ideally one that logs what it drops).
We also check the architecture for correct placement and to ensure there aren't any potential bypasses. The configuration for each firewall is checked to ensure that licensed functionality is turned on and configured correctly.
Rest assured that we will not make any changes to the firewalls during the audit; instead a report will be produced with the observations made and recommendations to remediate the issues found.
If the remediation is beyond the capacity of your staff, we can be engaged to work with you to implement any agreed changes.
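To illustrate the rule checks described above, here is an added example (written for this page; it is not CND's audit tooling or any vendor's format). It models a first-match-wins IPv4 rulebase and reports three classes of finding: overly broad allow rules, rules that are redundant or shadowed because an earlier rule already decides every packet they could match, and a rulebase that does not end in an explicit deny-all. The rule names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # IPv4 CIDR or "any"
    dst: str         # IPv4 CIDR or "any"
    proto: str       # "tcp", "udp", "icmp" or "any"
    ports: tuple     # inclusive (low, high) destination port range; ALL_PORTS if not port based


def net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet matched by `inner` would already be matched by `outer`.
    Assumes IPv4 rules only (subnet_of raises on mixed address families)."""
    if not net(inner.src).subnet_of(net(outer.src)):
        return False
    if not net(inner.dst).subnet_of(net(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


DENY_ALL = Rule("deny-all", "deny", "any", "any", "any", ALL_PORTS)


def audit(rules):
    """Return a list of (rule name, finding type, detail) for a first-match-wins rulebase."""
    findings = []
    for index, rule in enumerate(rules):
        # Granularity: permissive rules that match far more than one service needs.
        if rule.action == "allow":
            if net(rule.src) == ANY_NET and net(rule.dst) == ANY_NET:
                findings.append((rule.name, "overly broad", "allows any source to any destination"))
            elif rule.ports == ALL_PORTS and rule.proto in ("tcp", "udp", "any"):
                findings.append((rule.name, "overly broad", "allows every port; restrict to the required service"))
        # Ordering: an earlier rule already decides every packet this rule could match.
        for earlier in rules[:index]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind,
                                 f"never reached: fully covered by earlier rule {earlier.name} ({earlier.action})"))
                break
    # Explicit deny: the last rule must drop everything no earlier rule allowed.
    if not rules or rules[-1].action != "deny" or not covers(rules[-1], DENY_ALL):
        findings.append(("<end of rulebase>", "missing explicit deny", "add a final deny-all rule and log what it drops"))
    return findings


# Constructed sample rulebase showing the problems above; not a real customer configuration.
SAMPLE_RULES = [
    Rule("R1", "allow", "any", "10.1.0.10/32", "tcp", (443, 443)),                # public HTTPS to a DMZ web server
    Rule("R2", "allow", "192.168.1.0/24", "10.1.0.0/24", "any", ALL_PORTS),       # "temporary" fix never tightened
    Rule("R3", "allow", "192.168.1.50/32", "10.1.0.20/32", "tcp", (3389, 3389)),  # admin RDP, already permitted by R2
    Rule("R4", "deny", "10.9.0.0/16", "10.1.0.10/32", "tcp", (443, 443)),         # meant to block one network; R1 matches first
    Rule("R5", "allow", "any", "any", "any", ALL_PORTS),                          # added during an outage, left in place
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_RULES):
        print(f"{name:18} {kind:22} {detail}")
```

The coverage test is pairwise, so a rule that is only made redundant by the union of several earlier rules is not reported; a full audit also has to reconcile each rule against the documented business need, which no tool can infer from the configuration alone.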
After a security breach, logs are gathered to understand what has happened and also as evidence with which to prosecute the attackers. All too often the logs gathered by default are inadequate, lacking in detail or missing altogether. Our service ensures that you are prepared for the worst.
Our Forensic Readiness Review ensures that an organisation is collecting sufficient logs and storing them in a forensically sound manner (so that their integrity and chain of custody can be demonstrated) in order to facilitate a thorough investigation of an incident and, if necessary, prosecute the attackers in a court of law.
By default most organisations do collect some logs from their network devices and operating systems; however, most neither manage them nor consider the "audit policy" which defines which events are recorded.
We start by conducting a Forensic Readiness Review workshop in which we exercise some breach use cases to test whether the available logs would answer the questions an investigation would ask. A gap analysis is then performed and, where necessary, changes are suggested to increase your forensic readiness.
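As an added example of what "forensically sound" storage can mean concretely (this is illustrative code written for this page, not CND's service or any particular product), the following chains stored log records together with an HMAC so that editing, deleting or reordering any record after the fact is detectable. The log lines, host names and key are constructed for the example; the key is assumed to be held by the log collector, not by the hosts producing the logs.

```python
import copy
import hashlib
import hmac

GENESIS = "0" * 64   # value the first record chains from


def chain_records(lines, key, prev_mac=GENESIS):
    """Wrap each raw log line in a record whose MAC covers the previous record's MAC.
    Tampering with, removing or reordering a record then breaks every MAC after it."""
    records = []
    for line in lines:
        mac = hmac.new(key, (prev_mac + "\n" + line).encode("utf-8"), hashlib.sha256).hexdigest()
        records.append({"prev": prev_mac, "line": line, "mac": mac})
        prev_mac = mac
    return records


def verify_chain(records, key, genesis=GENESIS):
    """Return (True, None) if the chain is intact, else (False, index of the first bad record)."""
    prev_mac = genesis
    for index, record in enumerate(records):
        expected = hmac.new(key, (prev_mac + "\n" + record["line"]).encode("utf-8"),
                            hashlib.sha256).hexdigest()
        if record["prev"] != prev_mac or not hmac.compare_digest(record["mac"], expected):
            return False, index
        prev_mac = record["mac"]
    return True, None


# Constructed sample: syslog-style lines an investigation would rely on (not real events).
SAMPLE_LINES = [
    "2024-03-01T09:14:02Z fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=3389",
    "2024-03-01T09:14:05Z vpn01 sshd[2311]: Accepted publickey for jsmith from 203.0.113.7 port 51022",
    "2024-03-01T09:15:40Z dc01 audit: 4688 New process: C:\\Windows\\System32\\cmd.exe parent=winword.exe",
    "2024-03-01T09:16:01Z dc01 audit: 1102 The audit log was cleared by jsmith",
]

# Assumed key: in practice generated on and held only by the log collector.
SAMPLE_KEY = b"log-collector-secret-for-the-example-only"


def demo():
    """Intact chain, then two kinds of tampering an attacker might attempt on stored logs."""
    records = chain_records(SAMPLE_LINES, SAMPLE_KEY)
    intact = verify_chain(records, SAMPLE_KEY)
    # Editing the record that shows the audit log being cleared.
    tampered = copy.deepcopy(records)
    tampered[3]["line"] = tampered[3]["line"].replace("was cleared", "was rotated")
    edited = verify_chain(tampered, SAMPLE_KEY)
    # Deleting the process-creation record: the next record's "prev" link no longer matches.
    deleted = records[:2] + records[3:]
    gap = verify_chain(deleted, SAMPLE_KEY)
    return intact, edited, gap


if __name__ == "__main__":
    print(demo())
```

The protection only holds if the key is unavailable to whoever could alter the logs; an attacker who compromises the collector itself can simply re-chain the records. Keeping the collector separate from the monitored hosts, and periodically recording the latest MAC somewhere the collector cannot rewrite, is what makes the stored evidence defensible.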