Evaluate Your Environment
Organizations who understand that everyone is a target–regardless of industry or size–also want to know what areas of their environment may be vulnerable at any given time. Some different ways you can evaluate risk include Security Assessments, Vulnerability Scans, and Penetration Testing.
Your reasons for wanting to identify weaknesses may include everything from wanting to move your organization to a more secure place in order to avoid costly hacks, to an upcoming compliance audit, to a mandate from your board.
Whatever the purpose, we can help you identify the right kind of evaluation for your unique organization.
What kind of security evaluation is right for me?
The purpose of a Risk Assessment is to give you a realistic picture of where you are today, customized recommendations for addressing your highest areas of risk, and a baseline against which you can measure ongoing improvements to your security posture.
Assessments are evaluations performed by our Risk Advisory Team. They will engage with you to understand your environment, policies, and security controls currently in-place, as well as how those measures hold up against industry standards and your unique threats and requirements. The end product is a prioritized roadmap for next steps in strengthening your security posture.
When is an Information Security Risk Assessment the best fit?
- If you are concerned you can’t see the forest for the trees, this is your test. It is often helpful for companies to have a risk assessment performed to see a macro view of their security program before moving to more specific evaluations like penetration testing.
- Compliance frameworks, such as PCI or HIPAA, require annual Risk Assessments. If you are working to meet compliance, be sure to ask your auditor to design their assessments to meet these requirements.
These tests consist of Red Hat teams who actively work to identify and exploit hidden vulnerabilities in your environment. This is not the same as a Vulnerability Scan, though there is often confusion between the two. A Pen Test might begin with some scans, but goes further to mimic the steps a cyber-criminal would likely take to show you just how far into your systems that person could get. For example, a hospital would want to know if hackers could penetrate their firewalls, navigate the network, and reach a patient’s actual room to take control of IoT health devices, so they would want to go well beyond just a scan.
A Pen Test can include any combination of:
- Testing authenticated and unauthenticated paths into your network
- Identifying vulnerabilities in a web application your company has
- Attempting to breach the physical security around your company’s technological assets
- Attempting to access and exploit proprietary hardware or IoT devices.
- Evaluating employee preparedness through phishing, vishing, and other types of social engineering
When is a Penetration Test the best fit?
- If you have already had a Risk Assessment, remediated known vulnerabilities, and want to offer a boardroom ready validation of your security, a pen test is for you.
- Annual pen tests are required under numerous compliance frameworks (e.g. PCI, HIPAA, FFIEC, ERC CIP, DFARS, FISMA, SOC2, etc.). Be sure your provider understands your unique compliance and reporting needs.
Vulnerability assessments combine automated scanning with expert analysis to provide a good entry-level evaluation of network vulnerabilities. TRUE’s vulnerability assessment evaluates the significance of your security weaknesses and vulnerabilities from an adversarial point of view with lower cost and risk than a full penetration test, enabling you confidently identify vulnerabilities and prioritize immediate security initiatives based on associated risks.
TRUE will assess each system’s security posture accordingly:
- System Hardening– Is the system protected from the next generation of threats?
- Secure Configuration– Is the system configured for secure operations?
- Vulnerability Analysis– Is the system free from known vulnerabilities and weaknesses?
When is a Vulnerability Assessment the best fit?
- You know you are not patching regularly and haven’t created hardening or configuration standards for your high-value systems, but you want prioritized recommendations for beginning to address system-level weaknesses.
- You are expecting to go through a full penetration test in the future and you want to prepare your environment for better results.
Let us know your business needs and we will make sure to get back with you promptly!* denotes required fields