Cybersecurity Maturity Assessment
ASK YOURSELF THESE
- Do you expect strong growth from going digital but are unsure how secure that transition will be?
- How will you keep up with the growing body of legislative, corporate and regulatory requirements and show your stakeholders that critical information is being managed and protected?
- Can you demonstrate to yourself and your stakeholders that the organisation is protected against cyber criminals and hacktivists who are growing in scale and sophistication?
- Do you build tactical and strategic cyber security planning into your five-year plan?
- Are you continually evolving your cyber security architecture to keep pace with a changing digital environment?
NOW ASK US
- Do I need help assessing whether the mechanisms that manage our risks are mature?
- Should I be building a stronger security culture within my organisation?
- Do I need a better understanding of whether I comply with the varied regulatory requirements?
- Am I looking to take greater control and ensure that my organisation is prepared for the evolving cyber security landscape?
- What should I be considering as part of a cyber security strategy?
Through a combination of interviews, workshops, policy and process reviews and technical testing, our team takes a positive view of managing cyber security, and the assessment –
- Identifies current gaps in compliance and risk management of information assets;
- Assesses the scale of cyber vulnerabilities;
- Sets out prioritised areas for a management action plan.
This lets you navigate the cyber security landscape with confidence and pursue your business aspirations.
What is a cyber maturity assessment
A comprehensive programme covering every dimension of cyber security. It provides an in-depth review of an organisation's ability to protect its information assets and of its preparedness against cyber threats, across the following areas:
- Human Factor
- Information Management
- Hardware and Software Components
- Business Continuity
- Crisis Management
- Legal and Compliance
- Security Management
- Risk Management
- Asset Management
- Third-party Risk Management
- Human Resources
- Policy Framework
- Database and Data Center Security
- Web, Network, Mobile and Application Security
- Red Team based Assessment
- Security Configuration and Review
- Malware Defense and Data Protection
- Updated Security Architecture and Policy
Across all of these areas the assessment measures the core security objectives: confidentiality, integrity and availability.
ASSESSMENT BASED ON THE NIST CYBERSECURITY FRAMEWORK
The assessment is structured around the five Functions of the NIST Cybersecurity Framework:
IDENTIFY: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
PROTECT: Develop and implement appropriate safeguards to ensure delivery of critical services. Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
DETECT: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
RESPOND: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
RECOVER: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Categories within this Function include: Recovery Planning; Improvements; and Communications.
Security is concerned with ensuring legitimate use, maintaining confidentiality and data integrity, and auditing activity on the network. A cyber maturity assessment covers security management: the process of identifying assets, threats and vulnerabilities and taking protective measures, without which computing systems are open to unintended use.
The following three aspects of information security are addressed from the security service point of view:
- Security attack: any action that compromises the security of information owned by your organisation.
- Security mechanism: a mechanism designed to detect, prevent or recover from a security attack.
- Security service: a service that enhances the security of data processing systems and of information transfers in the network.
We recommend that the risk management process follow the Capability Maturity Model approach, with the following five levels:
- Initial (chaotic, ad hoc, individual heroics): the starting point for a new or undocumented process
- Repeatable: the process is at least documented sufficiently that repeating the same steps may be attempted
- Defined: the process is defined and confirmed as a standard business process
- Managed: the process is quantitatively managed in accordance with agreed-upon metrics
- Optimizing: process management includes deliberate process optimisation and improvement
DATA: It is important to know all the data moving in and out of your organisation, where it is stored and how important it is.
HARDWARE AND SOFTWARE: We identify all the hardware devices and software applications that process that data. We strongly encourage application allow-listing (only permitting approved applications to run) to help you keep control of your environment.
PHYSICAL PROPERTY AND FACILITIES: Making sure you have appropriate security processes in place to protect the physical assets that house those systems is vital. It is also critical to keeping disaster recovery plans up to date and effective.
PEOPLE: When it comes to asset management we often think about hardware and software and forget people. Without adequately managing and equipping the people who run those systems, you put your assets at risk of a cyber attack. We make sure employees understand their role in cybersecurity. This also means creating accountability for the people who run the systems and processes, and establishing contingency plans that consider the loss or unavailability of critical team members.
THIRD PARTY RISK MANAGEMENT
- Build a framework for third-party categorisation that identifies which partners need a deeper assessment, based on their role in the organisation's business activities and the size and criticality of the relationship.
- Develop a workflow that addresses the intersection of risk and criticality.
- Ensure appropriate risk transfer.
POLICY FRAMEWORK AND GOVERNANCE
- The cyber security policy framework sets out the strategy, including an approach to combating cyber threats that is appropriate to the complexity of the business and its acceptable levels of risk, duly approved by the Board.
- Cyber security governance comprises the responsibilities and engagement of the Board of Directors and senior management, and the organisational structures and processes that protect information and mitigate growing cyber security threats. It ensures that cyber security is aligned with business strategy in support of organisational objectives.
The severity assigned to each vulnerability is calculated using the NIST SP 800-30 risk assessment method, which rates the risk posed by an application from the likelihood that a vulnerability is exploited and the impact a successful exploit would have on the business.
The likelihood of exploitation takes into account the skill level required and the amount of access needed to reach the vulnerable component. It is rated with the following values:
CRITICAL: An attacker is almost certain to initiate the threat event.
HIGH: Anyone can exploit the vulnerability, or the vulnerability is obvious and easily reachable.
MEDIUM: The vulnerability requires some hacking knowledge, or access is restricted in some way.
LOW: Exploiting the vulnerability requires application access, significant time, extensive social engineering or a specialised skill set.
MINIMAL: Exploitation requires high privileges, or the vulnerability is not practically exploitable.
The impact the vulnerability would have on the organisation if it were successfully exploited is rated with the following values:
CRITICAL: The issue causes multiple severe or catastrophic effects on organisational operations, organisational assets or other organisations.
HIGH: Exploitation produces severe degradation in mission capability, to the point that the organisation cannot perform its primary functions, or results in damage to organisational assets.
MEDIUM: The application can still perform its primary functions, but their effectiveness is reduced and there may be damage to organisational assets.
LOW: Successful exploitation causes limited degradation in mission capability; the organisation can perform its primary functions, but their effectiveness is noticeably reduced.
MINIMAL: The threat would have a negligible adverse effect on organisational operations or organisational assets.
The resulting severity bands, with typical examples of each:
CRITICAL: Vulnerabilities that allow privilege escalation from unprivileged to admin, remote code execution, financial theft, etc.
- Remote Code Execution
- Vertical Authentication Bypass
- XML External Entity (XXE) Injection with significant impact
- SQL Injection with significant impact
HIGH: Vulnerabilities that affect the security of the platform, including the processes it supports.
- Stored XSS with significant impact
- CSRF with significant impact
- Direct object reference with significant impact
- Internal SSRF
MEDIUM: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
- Reflected XSS with impact
- Direct object reference
- CSRF with impact
LOW: Vulnerabilities that affect a single user and require interaction or significant prerequisites (such as a man-in-the-middle position) to trigger.
- SSL/TLS misconfigurations with little impact
- URL redirection
- XSS with limited impact
- CSRF with limited impact
ACCEPTABLE: Non-exploitable issues in functionality, and issues that are by design or are an accepted business risk to the customer.
- Debug information
- Use of CAPTCHAs
- Code obfuscation
- Rate limiting, etc.
Top security issues tested
Issue | Ease of exploitation | Impact
Configuration and Deployment Misconfiguration | Easy | Moderate
Application or Framework Specific Vulnerabilities | Difficult | Severe
Business Logic Flaws | Average | High
Shopping Cart & Payment Gateway Manipulation | Difficult | Severe
Known Security Issues (CVEs) | Average | Moderate
Weak Identity Management | Average | High
Broken Session Management | Average | High
Weak Input Validation | Easy | Moderate
Weak or Broken Cryptography | Difficult | High
Client Side Script Security | Easy | Moderate
Cross-Site Request Forgery (CSRF) | Average | Moderate
Cross-Site Scripting (XSS) | Average | Moderate
Unrestricted File Upload | Difficult | Severe
Sensitive Data Exposure | Difficult | Severe
Insufficient Attack Protection | Easy | Moderate
HTTP Security Header Information | Average | Moderate
Our security experts use a combination of commercial and proprietary tools to run a vulnerability assessment that discovers potential flaws in your application, then perform manual penetration testing to establish the real severity of each flaw and how its exploitation by an attacker would affect your organisation.
Web application testing covers the OWASP Top 10, WASC 26 and the CVE / NVD and SANS Top 20 vulnerability lists.
Beyond these we test for newer attack classes such as subdomain takeover, XXE, XSPA, 2FA and CAPTCHA bypass, race conditions, CSV injection, reflected file download, pixel flood attacks, and OAuth and API bugs.
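As an added illustration of what the "HTTP Security Header Information" and "Broken Session Management" checks in the table above look like in practice, the following script (written for this page, not code from the page or from any vendor it names) parses a raw HTTP response and reports the missing or weak protections a tester would flag: HSTS lifetime, CSP inline-script allowance, clickjacking defences, MIME sniffing, server version disclosure and cookie flags. The sample response is constructed; the one-year HSTS floor and the cookie-name heuristic used to decide which cookies carry a session are assumptions made for the example.

```python
import re

# Constructed sample response (not captured from any real system).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "Set-Cookie: PHPSESSID=3f0a9c1e2b7d4e5f; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

ONE_YEAR = 31536000  # assumption: one-year HSTS floor (the hstspreload.org requirement)
SESSION_NAME = re.compile(r"sess|sid|token|auth", re.I)  # assumption: session-cookie name heuristic
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into status line, header map and body.
    Header names are lower-cased; repeated headers (Set-Cookie) keep every value."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def first(headers, name):
    values = headers.get(name.lower())
    return values[0] if values else None


def parse_csp(csp: str) -> dict:
    """Map each CSP directive name to its full directive text."""
    out = {}
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive:
            out[directive.split()[0].lower()] = directive
    return out


def audit_headers(headers) -> list:
    """Return (severity, message) findings for weak or missing protections."""
    findings = []
    hsts = first(headers, "strict-transport-security")
    if hsts is None:
        findings.append(("MEDIUM", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("LOW", f"HSTS max-age below one year: {hsts}"))

    csp = first(headers, "content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if not directives:
        findings.append(("MEDIUM", "Content-Security-Policy missing"))
    elif "'unsafe-inline'" in directives.get("script-src", directives.get("default-src", "")):
        findings.append(("MEDIUM", "CSP permits inline script ('unsafe-inline')"))
    # Clickjacking: either a CSP frame-ancestors directive or X-Frame-Options is needed.
    if "frame-ancestors" not in directives and first(headers, "x-frame-options") is None:
        findings.append(("LOW", "No clickjacking protection (frame-ancestors / X-Frame-Options)"))

    if (first(headers, "x-content-type-options") or "").lower() != "nosniff":
        findings.append(("LOW", "X-Content-Type-Options: nosniff missing"))

    for name in ("server", "x-powered-by"):
        value = first(headers, name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("LOW", f"Version disclosure in {name}: {value}"))

    for cookie in headers.get("set-cookie", []):
        pair, *attrs = [p.strip() for p in cookie.split(";")]
        cname = pair.split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        missing = [f for f in COOKIE_FLAGS if f not in flags]
        if missing:
            sev = "MEDIUM" if SESSION_NAME.search(cname) else "LOW"
            findings.append((sev, f"Cookie {cname} lacks {', '.join(missing)}"))
    return findings


def audit_response(raw: str) -> list:
    """Parse a raw response and audit its headers."""
    _, headers, _ = parse_response(raw)
    return audit_headers(headers)


if __name__ == "__main__":
    for severity, message in audit_response(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

Run against the sample response the script reports seven findings: a short HSTS lifetime, inline script permitted by the CSP, no clickjacking protection, no nosniff, two version-disclosing headers, and a session cookie with none of the Secure, HttpOnly or SameSite flags, while the properly flagged lang cookie produces nothing. Feeding it a response captured with curl -i or from a proxy gives the same triage for a real target.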
Stop hackers before they have a chance to attack your systems
The most damaging threat to your IT infrastructure is a security breach. Cybercrime relies on stealth: attackers find every exposed opening in your network and strike quickly and without warning, putting sensitive customer data and corporate intellectual property at risk, including trade secrets, customer payment information and personal data such as social security numbers. The direct cost to an organisation is multiplied by the intangible cost of lost public trust.
No cyber insurance can protect a company completely from cybercrime. What we can do is tailor a state-of-the-art cyber security plan for you using best practice, expert advice and the latest security resources available.
RED TEAM BASED ASSESSMENT
A Red Team assessment (Red Teaming) is an advanced security test that simulates a full-scale, targeted attack on an organisation. The aim is to reach and compromise the critical data and systems in the organisation's network that a real attacker would go after.
Red Team assessments go one level beyond conventional penetration testing: they test the organisation's ability to detect, protect against and respond to an attack, and show how prepared it is for a real one.
Through our Red Team assessment service we aim to provide our clients with:
- A real-world perspective of threat actors
- A holistic view of security controls
- An evaluation of security incident response capabilities
RedTeam Security's network penetration test combines the results of industry-leading scanning tools with manual testing to enumerate and validate vulnerabilities, configuration errors and business logic flaws. In-depth manual application testing finds what scanners often miss. Using this approach, Red Team's methodology covers the vulnerability classes in the Open Web Application Security Project (OWASP) Top 10 2013 and beyond:
- Injection (e.g. SQL injection)
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
We make use of tools from the following categories (not a complete list):
- Commercial tools (e.g. Burp Suite Pro, AppScan, WebInspect)
- Open source / hacker tools (e.g. Metasploit, BeEF, Kali Linux, OWASP ZAP)
- RedTeam developed tools (e.g. nmapcli, Metasploit modules, PlugBot, various scripts)
RED TEAM BASED ASSESSMENT – RISK RATING
RISK RATING FACTORS
Our Red Team assessment uses an industry-standard approach to assigning risk ratings to vulnerabilities. The same approach is used in all our assessments and gives our clients risk ratings that take a number of factors into account, ranging from:
- Ease of exploit
- Loss of integrity
- Privacy and reputational damage
This ensures that our clients' vulnerabilities are represented by their true real-world likelihood and potential impact to the business.
Risk is calculated with a quantitative method that is widely adopted by organisations across the globe. The calculation proceeds in three steps.
Likelihood is the average of the Threat Agent factors and the Vulnerability factors:
Likelihood = AVERAGE(Threat Agent factors, Vulnerability factors)
Impact is the average of the Technical Impact factors and the Business Impact factors:
Impact = AVERAGE(Technical Impact factors, Business Impact factors)
The finding's overall risk rating is the average of the two:
Risk Rating = AVERAGE(Likelihood, Impact)
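The following is an added worked example, not code from this page or from any vendor it names, that implements both rating schemes described on this page side by side: the per-vulnerability severity obtained by combining a likelihood level with an impact level in the NIST SP 800-30 section, and the Red Team calculation that averages factor scores. It assumes that factors are scored 0 to 9 as in the OWASP Risk Rating Methodology (whose factor groups match the names used here), that the numeric score is banded with OWASP's 0-3 / 3-6 / 6-9 thresholds because the page states none of its own, and that the 5x5 matrix is modelled on NIST SP 800-30 Rev. 1 Table I-2 with this page's level names substituted; the matrix values should be verified against the published table, and the two findings are constructed.

```python
LEVELS = ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # this page's scale, lowest first

# Assumption: a 5x5 matrix modelled on NIST SP 800-30 Rev. 1 Table I-2, with
# MINIMAL..CRITICAL standing in for Very Low..Very High. Rows are likelihood,
# columns are impact in LEVELS order. Verify against the published table.
RISK_MATRIX = {
    "CRITICAL": ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
    "HIGH":     ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
    "MEDIUM":   ["MINIMAL", "LOW", "MEDIUM", "MEDIUM", "HIGH"],
    "LOW":      ["MINIMAL", "LOW", "LOW", "LOW", "MEDIUM"],
    "MINIMAL":  ["MINIMAL", "MINIMAL", "MINIMAL", "LOW", "LOW"],
}


def matrix_severity(likelihood: str, impact: str) -> str:
    """Severity of one vulnerability from its likelihood and impact levels."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def average_factors(*groups: dict) -> float:
    """Average every factor score across the given groups.

    Assumption: factors are scored 0-9 as in the OWASP Risk Rating Methodology,
    whose groups (threat agent, vulnerability, technical impact, business
    impact) match the names used on this page."""
    scores = [s for g in groups for s in g.values()]
    if not scores or any(not 0 <= s <= 9 for s in scores):
        raise ValueError("factor scores must be between 0 and 9")
    return sum(scores) / len(scores)


def numeric_risk(threat_agent, vulnerability, technical, business):
    """Likelihood, impact and overall risk exactly as the page defines them:
    each value is the average of its two inputs."""
    likelihood = average_factors(threat_agent, vulnerability)
    impact = average_factors(technical, business)
    risk = (likelihood + impact) / 2
    return likelihood, impact, risk


def band(score: float) -> str:
    """Assumption: OWASP's 0-9 bands; the page does not state its own thresholds."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Constructed sample findings. 'likelihood' and 'impact' feed the matrix
# method; the four factor dicts feed the numeric method.
SAMPLE_FINDINGS = [
    {"title": "SQL injection in login form",
     "likelihood": "HIGH", "impact": "CRITICAL",
     "threat_agent": {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9},
     "vulnerability": {"ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8},
     "technical": {"confidentiality": 9, "integrity": 7, "availability": 5, "accountability": 7},
     "business": {"financial": 7, "reputation": 9, "non_compliance": 7, "privacy": 9}},
    {"title": "Reflected XSS in search parameter",
     "likelihood": "MEDIUM", "impact": "LOW",
     "threat_agent": {"skill_level": 3, "motive": 4, "opportunity": 7, "size": 6},
     "vulnerability": {"ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 3},
     "technical": {"confidentiality": 2, "integrity": 1, "availability": 1, "accountability": 1},
     "business": {"financial": 1, "reputation": 4, "non_compliance": 2, "privacy": 3}},
]


def rate_findings(findings):
    """Rate each finding both ways; return them ordered by numeric risk, highest first."""
    rated = []
    for f in findings:
        likelihood, impact, risk = numeric_risk(
            f["threat_agent"], f["vulnerability"], f["technical"], f["business"])
        rated.append({"title": f["title"],
                      "matrix_severity": matrix_severity(f["likelihood"], f["impact"]),
                      "likelihood": likelihood, "impact": impact,
                      "risk": risk, "risk_band": band(risk)})
    return sorted(rated, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for r in rate_findings(SAMPLE_FINDINGS):
        print(f"{r['title']:<36} matrix={r['matrix_severity']:<8} "
              f"L={r['likelihood']:.2f} I={r['impact']:.2f} risk={r['risk']:.2f} ({r['risk_band']})")
```

The two methods agree on the ordering of the sample findings but not on their labels: the SQL injection rates CRITICAL on the matrix yet only HIGH on the averaged score, because averaging lets a few low factor scores (here availability) pull a severe finding down. That is the practical reason to keep the matrix view beside the numeric one in a report rather than relying on the average alone.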
RED TEAM BASED ASSESSMENT – REPORT AND SUMMARY
The report opens with charts that give a quick snapshot of the assessment, followed by a summary table listing every identified finding with its risk rating.
CYBER SECURITY ENGINEERING
Our review methodology produces actionable results. You receive observations, perceived deficiencies and remediation recommendations that address the following in your environment
- User Account Management
- Group Policy Management
- Patch Management
- Network Management
- Auditing and Logging
- Site Security Management
- Data Backup/Recovery
- Security Patches
- Baseline process list & approved programs
- Suspicious accounts
- File Permissions
- Port Service Identification
- System Logs
- Network Logs
- Technical Logs
- LAN Architecture
- WAN and Remote-Access Architecture
- Wireless Architecture
- Security Operations
- Tools and Solutions
- Web / Mobile Application Penetration testing
- Network Penetration Testing
- API Penetration Testing
- Ethical Hackers
- The Red Team
- Information Security Assessment and Implementation
- Remote Secure Access Solution
- Cloud Web security
- Multi Factor Authentication
- OSINT ( Open Source Intelligence) Service
- Dark Web Monitoring Service
Experienced and Qualified Security Researchers
Our strength is our security researchers, who hold a wide range of certifications; we believe that motivated, trained and qualified consultants are what let us meet our commitments to clients. All technical and management team members have at least five to six years of experience in their own domain.
WHAT WILL YOU GET
The final output will consist of the following:
- A one page summary with an executive analysis and scorecard
- A roadmap for your organization
- Key tactical and strategic recommendations
- Observations by the consultant(s)
- Identified gaps and focus areas
- A detailed report to help management
The report addresses the highest-impact and highest-risk areas and gives your subject matter experts the detail they need for implementation within your organisation.
Our technical strategies and recommendations are based solely on what is fit and appropriate for your business.
We and our partners are continually devising solutions for emerging cyber threats.
We commit to quality at a cost that is competitive and fair.
PEACE OF MIND
Our way of working is highly customisable and adapts to the client's needs.
Our long list of certifications and our experience enable us to work comfortably in critical scenarios.
We are, and will always be, available for any genuine client concern.