Services
Our risk mitigation and limitation services consist of many of the same components, including Communications, Human/Physical and Management. These are offered in several common packages; however, depending on the purpose and nature of your requested test, we can add and remove components as necessary. See the bottom of this page for a longer list of components that go into these projects.
Vulnerability Assessment
A vulnerability assessment tests all network services, including web sites, email, databases, file servers and wireless, for known vulnerabilities such as misconfiguration errors, weaknesses in authentication, coding errors, missing patches and other exploitable conditions. Once the state of the network has been discovered, the vulnerabilities are validated through communication with in-house IT staff and management. At this point the validated gaps in controls are compared to industry best practices, regulations and standards in order to identify high-value "quick fix" controls.
Penetration Testing
Penetration tests are very similar to a vulnerability assessment, but instead of focusing simply on known vulnerabilities, we discover unknown vulnerabilities and dive much deeper by exploiting software configuration errors, poor access controls and outdated software, as well as human elements through social engineering if requested. The end goal of a penetration test is to identify systemic vulnerabilities and those things that would be missed during a vulnerability assessment, with the objective of accessing important and sensitive electronically stored information by using methods similar to those of a real attacker.
Social Engineering
Social engineering exercises involve manipulating personnel instead of computers to provide access to sensitive information that should not be disclosed. Attack methods include distributing USB drives and CD-ROM discs that contain custom malicious code, on-site impersonation of maintenance workers, or pretext phone calls designed to solicit information that can be used to better leverage attacks. These methods are the same ones that are used by confidence men ("con men"), industrial intelligence gathering groups and everyday attackers.
Compliance
Compliance testing focuses closely on specific guidelines, regulations or standards such as:
- PCI-DSS (Payment Card Industry - Data Security Standard)
- ISO 27001/27002 (Information Security Management System)
- DPA (Data Protection Act of 1998)
- Sarbanes-Oxley (SOX)
- Gramm-Leach-Bliley Act (GLBA)
- SANS CSC (20 Critical Security Controls)
- Massachusetts Data Protection Law
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Financial Institutions Examination Council (FFIEC)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
Each compliance framework includes specific controls such as firewalls, anti-virus, encryption of data, disaster recovery, security policies and procedures, as well as vendor assessments.