Vulnerability Assessment - consists of multiple test cycles that are customized in order to ascertain the vulnerabilities and never to activate or exploit them.
Penetration testing - analyzes the outputs of Vulnerability Assessments and then utilizes various attack vectors and customized in-house exploits to penetrate the targeted environment.
Organizations nowadays have business requirements that demand connectivity with the public, business partners, vendors, different geographical locations, and so on. This interconnectivity is a foundation of our modern society. It has brought about many changes in the way organizations and individuals conduct business. Our reliance on it exposes organizations to various security risks. These may include loss of confidentiality of classified information, financial loss, loss of reputation, loss of system availability, and many more.
Securing today’s complex computational environment is challenging and demanding for any organization regardless of its size. Enterprise technology infrastructure nowadays encompasses the following:
Wired Network
Wireless Network
Routing and Switching Devices
Firewall and Security Safeguard Devices
Network Access Points
Servers (Web, eMail, News, File, Application)
Databases
PBX Phone and/or VoIP
Dozens of new vulnerabilities are published every month, along with acknowledgements from software vendors, who issue security patches and fixes on a weekly basis. Best practices require that all computational resources be patched and up to date; this is a difficult goal for any company to accomplish on its own.
Adding to the problem is the proliferation of ‘script-kiddie’-ready tools, freely available online and accompanied by step-by-step how-to manuals. With these, an attacker no longer needs to be knowledgeable, sophisticated, or innovative in order to attack a company.
Furthermore, by not being aware of the vulnerabilities within its environment, a company faces the risk of being breached and not knowing it. This places at risk not only the company itself, but also the information entrusted to it by business partners or clients. The public relations fallout could be devastating for the company's business. For this reason, Infrastructure Vulnerability Assessments are part of security compliance and are usually exercised on a bi-annual basis. Organizations may not have the internal resources to conduct testing activities whose sole purpose is to enforce and assure compliance with corporate security governance.
With extensive experience in technology audits, RSS Inc. offers an Infrastructure Vulnerability Assessment (IVA) Service that caters to the needs of clients of all industries and sizes. Our service encompasses both security and privacy risks. Our seasoned professionals have performed vulnerability assessments and penetration testing engagements in various public and private sector organizations.
Prior to commencement of the IVA engagement, RSS Inc., jointly with the client, will establish the following:
Attacker Classification - Serves to identify the category of attacker our team will mimic
Information Disclosure - What level of initial information disclosure between our team and the client's technical team will be exercised
Engagement Controls - Are different test-cycle scenarios
IVA outcomes will be summarized in a final written report along with the findings, recommendations and supporting evidence. The RSS Inc. team will recommend improvements in a pragmatic manner, taking into consideration the current technology investments. This will ensure that our clients are familiar with the recommendations and improvements we are suggesting. Our team will ensure that a pragmatic plan of mitigation activities augments the client's engagement goals and overall corporate security governance journey.
The RSS Inc. team will work in tandem with the client-assigned team throughout the entire engagement, thus ensuring completeness of the knowledge sharing.
Solution Benefits
By engaging RSS Inc. as a neutral third-party auditor, clients will be provided with unbiased information on computational resources identified as non-compliant with their corporate governance. Furthermore, it will enable companies to utilize seasoned professionals who have played a technology audit role in various public and private sector organizations. By bringing external experience to the table, our clients will be in a position to shorten the information security governance maturing phase.
The immediate benefit of an infrastructure assessment for an organization is to identify known vulnerabilities within the environment before an adversary can find them. It allows for the chance to identify weaknesses in security controls set in place to prevent and/or detect vulnerabilities.
This provides a proactive approach towards identifying vulnerabilities, misconfigured settings, out-of-date software versions, applicable patches or system upgrades.
The results of the exercise will provide information for improvements in the configuration management process to ensure that systems are upgraded routinely and to validate compliance with, or deviations from, the organization's security governance.
By having access to industry-leading security specialists, the client can rest assured that the assessment will be non-intrusive to their operations.
The pragmatic recommendations, stemming from IVA findings, will enable companies to utilize their computational resources securely and to prioritize budgetary funds in the quest to enforce corporate compliance. IVA supports clients’ security risk management process for all major enterprise technology products.
Overall, IVA activities will help in corporate risk mitigation by minimizing the potential disruptions of business activities and deliver value by ensuring that the promised benefits match up against the strategy. The RSS Inc. team will provide mid- and long-term plans containing milestones for improving technical security controls.