Our Information Security Risk Assessments are always tailored to your needs, but we follow the same basic methodology.
Assessing the Threats
We begin by looking at threats to your specific industry and organization. For example, according to the Verizon Data Breach Investigations Report (DBIR), organizations in the manufacturing industry are the most frequent targets of espionage threat actors.
Espionage threat actors are highly skilled and motivated – persistent, to say the least. They are focused on breaching your security and stealing your intellectual property. They use advanced techniques such as spear phishing: highly targeted, malicious email attacks aimed at specific individuals.
We formulate specific attack scenarios designed to accurately emulate the various threat actors and actions.
Assessing the Vulnerabilities
We execute our attack scenarios and identify potential vulnerabilities. Each potential vulnerability is fully fleshed out and explored to eliminate “false positives”. Exploiting a vulnerability validates it. The difficulty of exploitation feeds into the likelihood of attack.
Assessing the Impact
After we successfully exploit a particular vulnerability, we “follow the chain” just as a real attacker would. We leverage the initial foothold to gain further access. We stop when we can go no further, or when we have the “keys to the kingdom”. Then we step back and ask ourselves, “so what?” What does this actually mean to the organization?
Assessing the Likelihood
With the knowledge of threats, vulnerabilities, and impact, we determine the likelihood of a successful attack. For example, the likelihood of a nation-state threat actor exploiting a high-difficulty vulnerability on an Internet-facing host is very high: if we were able to do it, they most certainly can.
Determining the Risk
We take the above factors and determine your risk level. We then strategize with you to find ways to reduce, eliminate, or mitigate that risk.
What you get out of a Risk Assessment
Assurance – you’ve done your due diligence. You hired a professional penetration testing team to emulate the bad guys, find vulnerabilities, and determine how they impact your organization.