Pathway to Security
Updated: Oct 18, 2019
CYSIAM's Security Pathway provides a tailored approach to assessing your organisation and systems. Combining vulnerability scanning and bespoke penetration testing with assessments of business processes, employee awareness and policy documentation gives a thorough understanding of an organisation’s security posture and resilience.
Our comprehensive methodology provides you with clear and unambiguous direction and can be customised to suit any business, large or small, using some or all of the elements available to create a bespoke testing package. This approach is ideal for organisations looking to achieve Cyber Essentials Plus and/or ISO27001, or those striving to build a sustainable cyber security programme that recognises all aspects of cyber-risk.
It’s important to us that customers don’t spend thousands getting something they don’t need! We find that after a few probing questions, we are able to get a good understanding of the customer and ensure that our offer is tailored to their actual need:
What’s the problem you’re trying to solve? (e.g. I haven’t got any security accreditations. I don’t understand my risk.)
Why do you need to solve it? (e.g. I am under pressure from my clients / investors. I am concerned about a specific component of my business.)
What are your constraints? (e.g. Time. Money. Skills. Staff availability.)
Our expert and accredited team carry out security testing in accordance with the following steps:
Information Gathering - Passive reconnaissance. This is an important step for our security researchers, especially if an element of social engineering is required as part of the engagement.
Enumeration and vulnerability scanning - Scanning networks, devices, servers and applications. This stage gives our researchers and the customer a near-complete picture of vulnerabilities and misconfigurations that could potentially be exploited.
Analysis - After the scan our team will manually check and verify the vulnerabilities and misconfigurations found. This is an interim reporting point at which an exploitation plan is developed; that plan forms part of the overall report. For a vulnerability analysis engagement, the activity stops here.
Exploitation - We attempt to exploit everything that can be exploited and escalate privileges to administrator level. Our researchers will throw what they can at a target in the time window they have. It is important to note that a real attacker wouldn’t have the same constraints.
Reporting - Risk assessment and remediation advice. This can be entirely customised to the client; normally we will issue an executive report and a technical report. We will include screenshots of our activity so the customer can see exactly what steps we took to exploit a system.
For CYSIAM, understanding the customer is the most important part of any engagement, and therefore time spent understanding the requirement is critical. As a values-based organisation, building a good relationship and treating each engagement like a partnership is an essential part of our offer. Therefore, for us at least, a happy customer and a strong rapport are the most important part of any engagement.
As our Sean says: “it’s nice to be nice”.