Accurate, safe, and timely information is essential to business. However, when security breaches occur, your operational landscape and competitive advantages can be turned upside down. Recovery is time consuming, painful, and costly! So how can you get a feel for the strength of your security program without first experiencing a costly breach?
By assessing your current security posture. Telkite’s Global Security Practice can help you assess your organization’s current security posture, which is the first step in implementing or improving a security program.
Comprehensive Security Analysis Uncovers Root Causes
Many security solution providers diagnose security issues by running automated tools against the target system. The results then become the body of the assessment. While the tools do identify vulnerabilities, commodity-type assessments like this can fall very short of the mark.
For example, with only a tool-generated report as a deliverable, you may wonder what it means. “I have FTP on a server – is this good or bad?” Unless vulnerabilities rated high are manually validated, there is a good chance that some identified vulnerabilities are “false positives” (i.e., the tool is wrong). If the technical “fix” is applied to a vulnerability without finding the root cause, the fix will most likely be a “band aid” for symptoms that will no doubt surface again.
Seasoned practitioners understand the false sense of security that tool-only assessments provide. Telkite considers more than just technology when assessing your security position. We examine the people, processes, and technologies to uncover the root causes of problems and their impacts across all facets of business operations. We understand and solve the true underlying issue, rather than offering a technological “band aid” to the symptoms. The result is permanent reduction of risk.
Assessments Establish Your Security Baseline
Telkite offers a portfolio of tailored assessment services to identify your organization’s current security state. Each assessment targets the security controls in a specific area of your infrastructure. Assessments can be combined to provide an enterprise-level assessment, or they can be performed à la carte to check the effectiveness of remediation or to target a specific area—such as an audit or industry threat warning.
Perimeter Assessment
Objective: Identify the presence and effectiveness of security controls that mediate the data flow into and out of the enterprise.
Description: The Perimeter Assessment examines the presence and effectiveness of security controls on the perimeter of the enterprise from the outside looking in and from the inside looking out. We study the enterprise through the eyes of your clients, suppliers, and/or partners, examining devices which mediate access to and from your organization: firewalls, gateway routers and switches, remote access servers, and other network devices. Information gathered from automated tools, manual device reviews, interviews, and documentation reviews provides the input for our analysis and the foundation of our recommendations.
Deliverable: The Perimeter Assessment Report is an in-depth analysis of the presence and performance of security controls. It describes your current security state and identifies vulnerabilities, associated risks, and root causes, while offering prioritized, actionable recommendations for improvement.
Penetration Test
Objective: Follow a path of least resistance to access corporate resources without having the authority to do so.
Description: The Penetration Test, similar to “ethical hacking,” identifies and exploits vulnerabilities inside and outside the organization. It intentionally circumvents security controls to gain access to information without authorization. The Penetration Test follows a path of least resistance through an exploitable vulnerability in search of unauthorized information or elevated privileges. During the test, our certified professionals maintain direct contact with a “trusted agent” (a member of your staff), who can halt or modify the test if necessary or ensure that incident response activities are appropriately controlled. (Many clients like to run an incident response exercise with a Penetration Test.)
Deliverable: The Penetration Test Report documents the exploited vulnerabilities, the exploitation methods used, and the information or privileges that were “captured.”
Network Assessment
Objective: Identify vulnerabilities within the internal corporate infrastructure.
Description: The Network Assessment inspects security controls in the networks and network devices that support your infrastructure. We conduct interviews and examine documents to understand your business needs and control requirements. We also employ automated tools and manual data gathering techniques to identify exploitable vulnerabilities.
Deliverable: The Network Assessment Report is an in-depth analysis of the current state and actual performance of security controls within your internal network. It identifies vulnerabilities, associated risks, and root causes that may pose unacceptable risks to the confidentiality, integrity, and availability of network resources. Actionable recommendations for improving and attaining your desired future state are included.
Security Architecture Review
Objective: Analyze the IT architecture and its tactical and strategic ability to provide an adequate level of security.
Description: Our certified security professionals interview key IT personnel and examine network diagrams and documentation to gain a high-level understanding of your technical infrastructure and security controls. We examine security policies that govern networking, system connections, and trust relationships. We look for best practices, such as isolation of public access systems from mission-critical systems or the use of boundary mechanisms to separate computing systems and network infrastructures. We analyze the data collected and our observations to identify security vulnerabilities and potential areas of weakness in the current architecture.
Deliverable: The Security Architecture Report identifies current architectural vulnerabilities that may pose unacceptable risk to the confidentiality, integrity, and availability of your information. It also illustrates root causes for the identified vulnerabilities, and offers prioritized, actionable recommendations for improvement and migration to a desired future state.
Wireless Security Assessment
Objective: Identify authorized and/or unauthorized wireless networks, uncover vulnerabilities in their configuration, and evaluate their ability to provide proper information security.
Description: Our Wireless Security Assessment finds and examines authorized and “rogue” wireless networks within your enterprise, reviews wireless access point (WAP) deployments, and uses manual and automated tools to attempt to gain unauthorized access to the network and its services. We review the configuration of wireless devices, access controls, and encryption controls to evaluate the placement of network devices for consistency with industry standards. We interview personnel responsible for the administration of the wireless devices to determine the use and functionality of the WAPs and any governing policies and procedures.
Deliverable: The Wireless Security Report summarizes the presence, effectiveness, and vulnerabilities of observed security controls on the wireless network(s). It contains actionable recommendations for improving and migrating to a more strategically secure future state.
Host Configuration Assessment
Objective: Identify exploitable vulnerabilities in host (server and workstation) platforms that cannot be discovered from a network assessment and that can introduce unacceptable security risks to the corporate computing environment.
Description: We use automated and manual inspection techniques to identify services, applications, patch levels, logging capabilities, etc. on targeted hosts. To provide an economy of scale, targeted hosts typically include samples of platforms built from different images.
Deliverable: The Host Configuration Report identifies vulnerabilities observed on the target hosts and offers actionable recommendations for improvement.
Application Security Assessment
Objective: Identify the vulnerabilities present within an application and its operational environment that may pose unacceptable risks to the confidentiality, integrity, and availability of information processed, stored, or communicated.
Description: The Application Security Assessment is more granular than the Network or Host Assessments. We use automated tools to scan the application and identify evidence of exploitable coding errors, such as cross-site scripting, lack of access controls, and susceptibility to buffer overflows. We use manual techniques to validate our findings, and conduct interviews and examine documentation to ensure that the application’s operational environment is also considered in the assessment. Using a holistic evaluation of people, processes, and technologies, we identify weaknesses in the controls that grant access to the application. We also evaluate processes in the application’s development lifecycle and the sufficiency of controls to implement the application’s legislated or contracted security requirements—essentially any items a “technology-only” process may miss.
Deliverable: The Application Security Report documents vulnerabilities in the application’s security controls and operational environment. It offers prioritized recommendations to remediate identified vulnerabilities and strategically improve the application’s security capabilities.
Program and Practices Assessment
Objective: Identify the presence and effectiveness of non-technical security controls provided by people and processes within the organization, and assess the risks if weaknesses in the current security program and practices are exploited.
Description: The Program and Practices Assessment examines the first and second elements of the people-process-technology triad of information security controls. It focuses on policies, standards, procedures, training, incident response, physical access, logical access management, configuration management, patch/vulnerability management, and legislative compliance. If desired, compliance with legislative requirements (HIPAA, SOX, FERPA, FISMA, GLB, etc.) can be added to the assessment areas.
Our experienced and certified professionals interview key members of your organization, examine documents, and make observations to understand the degree to which various people and process controls are integrated into the overall information security program. We then assess multiple programmatic control areas and provide executives with the current state of the security program and practices, and provide prioritized, actionable recommendations for improvement if needed.
Deliverable: The Program and Practices Report provides a comprehensive assessment of the presence and effectiveness of your people and process controls. It contains actionable recommendations for improving and migrating to a more secure future state.