3. Vulnerability Assessment (also known as “security posture assessment”) – An in-depth examination of the assets from the inventory to gauge their weaknesses or vulnerabilities. [Our] vulnerability assessments uncover gaps in your security and drive our overall risk management. While threats can come from both inside and outside your organization, vulnerabilities are internal factors. We look for your organization’s structural flaws and weaknesses, how effective your current safeguards are (vulnerability appraisal), and the weaknesses that remain in spite of them. We captures a picture of your network’s and data’s security. Every possible contingency will be gauged for multiple vulnerabilities. Our team’s diverse backgrounds and experience enables us to consider all the weaknesses specific to your organization. Testing cyber infrastructure is an indispensable part of what we do. We use industry-standard tools like Nessus, Nmap, and Metasploit to test for vulnerabilities, examining every available host, services, OS, ports, firewalls, software and firmware vulnerabilities, unencrypted and sensitive data, and permissions. We may also conduct penetration testing and red team-blue team exercises, and examine your data that is online right now that may aid in a threat actor’s social engineering tactics.
4. Risk Assessment (also known as “risk posture assessment”) – Risk management looks at the dangers that an asset faces, from outside or inside, due to your vulnerabilities. We use the well-known equation Risk = Threat x Vulnerability. A risk is the combination of threat and vulnerability. Both must be present in order for them to be a risk to your organization. We combine them to get you your overall risk rating. What damages could result from threats that actively exploit or passively affect your organization’s weaknesses? We consider the effect that data exfiltration or breach, compromise of networks and apps, or environmental, structural, or accidental threats would have on your organization. What is the likelihood that the vulnerability would be a risk? Is your C.I.A. intact in spite of your vulnerabilities? We assign likelihood and impact ratings for the risk (low, medium, or high), identifying the magnitude of the impact on your C.I.A. We will repeat our assessment every quarter and after every change to your networks and systems, and can supplement any in-house assessments. As an objective 3rd party, we often find risks our clients overlooked and can perform official security compliance audits as well. Don’t worry. We have years of this.
5. Risk Mitigation – So, what to do about the risks? Realize that not every risk can be entirely eliminated. Time and money are involved, and some risks must simply be accepted. The question is, how much risk can you tolerate? Our cybersecurity professionals can reduce the likelihood and impact of the risks identified and can develop a custom set of technical (systems, devices, software and settings) and operational (practices and procedures that bolster security, e.g. conducting vulnerability assessments, penetration testing, or red-blue team exercises) security controls that mitigate those risks to acceptable levels.