Your IT is only as strong as its weakest asset
Which one is right for my organization?
If you are proactive about your health, you get a health check done regularly. Similarly, it is recommended that every company get an overall security assessment done every 6-12 months, because systems, staff and policies change constantly.
Security is complicated, so we have broken it down into the following pieces of the puzzle.
Unaddressed risk compounds over time. Now is the right time to take action.
Cyber Security Awareness Training
Security touches everything in life today. This course is designed for everyone, from sales, marketing, HR, doctors, lawyers, to IT.
We make this fun!
It is full of practical, real-life scenarios with demonstrations, screenshots, interaction and donuts! This course is meant to open your eyes to how easy it is to fall prey to cyber criminals. We demonstrate attacker techniques and teach the basics of how to protect yourself, without jumping into any advanced topics.
- 2 hours on-site presentation
- Focus group of up to 15 individuals per session
- Training follow-up: Short monthly emails to refresh important topics for 12 months
Everyone is vulnerable. Let us help you secure your greatest asset.
This assessment checks whether an organization is following the security policies and procedures defined in a recognised security framework or a compliance standard.
a. Security Frameworks
There are a number of major industry-standard security frameworks: the CIS Controls (the CIS 20), the NIST Cybersecurity Framework (NIST CSF) and ISO/IEC 27001.
To develop a strong foundation and roadmap for a secure infrastructure, we help organizations select the security controls that apply to them, and assist in planning and implementing security best practices.
The quickest way to get started is by adopting the CIS Controls (the Center for Internet Security's Critical Security Controls for Effective Cyber Defense).
b. Compliance Checks
HIPAA Compliance Check
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of electronic Protected Health Information (e-PHI) that is created, held or transmitted in electronic form, including within Electronic Health Record (EHR) applications.
The Privacy Rule governs how PHI may be used and disclosed, and the Security Rule specifies the administrative, physical and technical safeguards that covered entities and their business associates must put in place to secure e-PHI.
We will assist organizations in going through the requirements that help to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
We will help identify the gaps if any and advise on remediation steps as needed.
PCI DSS Compliance Check
The Payment Card Industry Data Security Standard (PCI DSS) sets the requirements that merchants and service providers must meet to safely and securely accept, store, process and transmit cardholder data during payment card transactions, in order to prevent fraud and data breaches.
We will go through the compliance checklist and report on how the organization scores, where they fall short and what the remediation actions look like.
A Vulnerability Assessment takes a broader approach than a penetration test: rather than exploiting a few weaknesses in depth, it identifies the full range of risks and vulnerabilities across the environment and how to mitigate them. Primary tasks include:
- Device Discovery
- Scanning for known vulnerabilities in systems, services, protocols and operating systems
- Open Source Intelligence (OSINT) gathering
- Catalog resources & categorize the threats and risk
- Verify findings and eliminate false positives
- Identifying security holes and vulnerabilities
- Analyse information security posture
- Security Assessment Report
- Identify sensitive data that may be at risk of being compromised
- Investigate potential business impact
- Evaluation of Risk
- Investigate and develop remediation strategies
- Prioritization of vulnerabilities
- Explanation of weaknesses
- Security Roadmap
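The steps above (scan, remove duplicates and false positives, evaluate risk, prioritize) are usually carried out with a scanner and a spreadsheet. As an added illustration, not the assessor's own tooling, the following script shows one way the "Evaluation of Risk" and "Prioritization of vulnerabilities" steps can be made repeatable: it takes scanner findings, drops the ones that manual verification marked as false positives, collapses duplicates, and ranks what is left by a risk score that combines the CVSS base score with how reachable the host is and how sensitive the data on it is. The hosts, findings, CVSS values, exposure weights, sensitivity scale and severity thresholds are all constructed or assumed for the example.

```python
"""Rank vulnerability-assessment findings by business risk.

Added example, not the assessor's own tooling. The findings below are
constructed sample data; the exposure weights, sensitivity scale and
severity thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    service: str            # e.g. "tcp/443 https"
    title: str
    cvss: float             # CVSS base score (0.0-10.0) as reported by the scanner
    exposure: str           # "internet" or "internal"
    sensitivity: int        # 1 = public data, 2 = internal, 3 = regulated (PHI, cardholder data)
    false_positive: bool = False   # set after manual verification of the finding


# Assumed multipliers: an internet-facing host is easier for an attacker to reach.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}


def risk_score(f: Finding) -> float:
    """Business risk = technical severity (CVSS) x reachability x data sensitivity.

    The product is capped at 100 so the scale stays readable in a report.
    """
    return min(100.0, f.cvss * EXPOSURE_WEIGHT[f.exposure] * f.sensitivity)


def severity(score: float) -> str:
    """Map a risk score to a report band (thresholds are an assumption)."""
    if score >= 40:
        return "Critical"
    if score >= 20:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def dedupe(findings):
    """Scanners often report one issue twice (e.g. once per plugin and once per port check)."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.host, f.service, f.title)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def prioritize(findings):
    """Drop verified false positives, remove duplicates, rank by risk (highest first)."""
    real = [f for f in dedupe(findings) if not f.false_positive]
    return sorted(real, key=lambda f: (-risk_score(f), f.host, f.title))


def report(findings):
    """Rows for the Security Assessment Report, ready for a table or CSV export."""
    rows = []
    for f in prioritize(findings):
        score = risk_score(f)
        rows.append({"severity": severity(score), "score": round(score, 2),
                     "host": f.host, "service": f.service, "title": f.title})
    return rows


# Constructed sample scan output (not real hosts or real findings).
SAMPLE = [
    Finding("dmz-web-01", "tcp/443 https", "Remote code execution in web framework", 9.8, "internet", 3),
    Finding("dmz-web-01", "tcp/443 https", "TLS 1.0 enabled", 5.3, "internet", 3),
    Finding("dmz-web-01", "tcp/443 https", "TLS 1.0 enabled", 5.3, "internet", 3),  # duplicate report
    Finding("hr-db-02", "tcp/1433 mssql", "Missing database server patch", 9.8, "internal", 3),
    Finding("print-srv-03", "udp/161 snmp", "Default SNMP community string", 7.5, "internal", 1),
    # Scanner matched on a version banner; a manual check showed the fix was backported.
    Finding("dev-box-07", "tcp/8080 http", "End-of-life web server version", 9.8, "internal", 2,
            false_positive=True),
]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(f"{row['severity']:<8} {row['score']:>6}  {row['host']:<13} "
              f"{row['service']:<15} {row['title']}")
```

Note that the internal database patch (CVSS 9.8) ranks below the internet-facing web server issue with the same CVSS score, and an internal printer with a high CVSS score lands at the bottom because it holds no sensitive data. That is the point of the exercise: CVSS alone measures technical severity, while the remediation plan has to reflect exposure and business impact.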
The resulting report highlights the gaps and weaknesses and sets out a remediation plan for mitigating those threats or bringing them down to an acceptable level of risk.
Ethical Hacking/Penetration Testing
The best way to find out whether your security works is to attack it.
No car manufacturer will sell a vehicle without a crash test. A penetration test is the security equivalent. It shows how effective your defences are against a real attacker. Without it, you are guessing and hoping for the best.
Penetration Testing (pentesting, or Ethical Hacking) is the authorized, controlled attempt to gain access to a network or application the way a real attacker would, by exploiting security vulnerabilities. The attack can be performed from an internal or an external vantage point. The goal is to reach sensitive information, as in a real data breach, and so determine how effective your security investments are against a controlled, simulated attack. It involves many of the techniques and toolsets an attacker would use and generally includes:
- Intelligence gathering: Collect publicly available open source data (OSINT)
- Search for Personally Identifiable Information (PII)
- Identify infrastructure
- Determine attack surface
- Fingerprinting running services, versions, port numbers and network architecture
- Social Engineering (Phishing, Vishing, Impersonations)
- Simulating Attacks
- Exploiting vulnerabilities in the firewall, routers, switches, APs, servers, workstations or Operating Systems
- Using techniques such as brute forcing, social engineering, traffic manipulation, malware and trojans, noting wherever a technique could disrupt service
- Data Exfiltration and collection
- Summary of findings, Methodology, Recommendations
- Other types of focused penetration testing
- Application penetration testing (cloud or mobile)
- Cloud distributed denial of service (DDoS) testing
- Device penetration testing, (including workstations, servers, laptops, mobile devices, tablets and smartphones)
- Wireless penetration testing
- Telephony or VoIP penetration testing
- Social Engineering testing
- Validation of 3rd party assessment results
The results let you reassess your security plans and develop strategies to mitigate such attacks.