Organizations have got used to buying in security services, but how far should they push the idea? For services such as penetration testing, the answer is straightforward. Penetration testers are like auditors – the whole point of asking a third party to assess security is that the report they deliver will be independent and unvarnished. Without that unbiased perspective, pen testing would have died out long ago. But the market for technical consultancy now encompasses a wide range of other specialized technical and advisory services that either build on the pen testing principle or supplement it with additional capabilities.
Red teaming
One level up from a basic pen test, red teaming is an advanced attack simulation designed to test every aspect of an organization’s defenses, including not only network security but also weaknesses in employee behavior, business processes and even physical security. Conducted over an agreed timeframe, red team testing gives an organization a realistic assessment of how well it might perform under real-world conditions and measures how well its incident response copes. Often, the weaknesses turned up by this kind of simulation are less obvious types of bypass – impersonating an employee to gain access to data, for instance.
Vulnerability assessment
A vulnerability assessment is a scan using automated tools for known software flaws in networks, applications, databases, servers and sometimes endpoint devices such as PCs. While a scan of this kind is always a component of a penetration test, a full vulnerability assessment is more extensive and also looks for common misconfigurations, such as missing access controls or a security setting that has not been applied. The point of this type of test is to find as many vulnerabilities as possible rather than to exploit them. Because networks change constantly, vulnerability assessments are best carried out regularly, which also makes them a measure of how effective patch management is.
Application security assessment
An application security assessment evaluates the security of a specific application (web, mobile or firmware) using dedicated tools, possibly down to source-code level. It is like a pen test in miniature, except that the objective is to look for weaknesses hidden in the application’s code or logic, such as a flaw that lets an insecure condition arise and be used to gain unauthorized access to data. For web applications, the assessment typically works through the common vulnerability classes set out in the OWASP Top 10.
Digital forensics
Sometimes digital crimes require evidence to be gathered to legally admissible standards, which is where digital evidence management (DEM) forensics is useful. This is a complex procedure that requires meeting evidence-handling standards such as ISO/IEC 27037 and NIST SP 800-86, as well as demonstrating chain of custody. More generally, forensics is a way to reconstruct digital events in order to understand an incident in detail. The methodology involves identifying relevant data, collecting and preserving evidence without compromising its integrity, examining the data, analyzing it, and reporting the findings. You’ll need to determine whether you need full-scale digital forensics or regular data recovery services.
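As an added illustration of the preservation and chain-of-custody steps described above (example code written for this page, not part of the original article or of either standard it cites): a SHA-256 manifest taken at acquisition plus a hash-linked custody log, so a later examiner can prove both that the evidence bytes are unchanged and that no handling record has been edited or dropped. The evidence contents, examiner names and timestamps are constructed.

```python
import hashlib
import json

# Constructed sample evidence: item name -> raw bytes as acquired (not real data).
EVIDENCE = {
    "laptop-01.dd": b"\x00" * 512 + b"MBR-data",
    "mail-export.pst": b"From: alice@example.test\r\nSubject: invoice\r\n",
}

GENESIS = "0" * 64  # "previous hash" for the first custody entry


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_transfer(manifest: dict, handler: str, action: str, when: str) -> str:
    """Append a custody event whose hash covers the previous event's hash,
    so an entry cannot be altered, removed or reordered without breaking the chain."""
    log = manifest["custody"]
    prev = log[-1]["hash"] if log else GENESIS
    body = {"prev": prev, "handler": handler, "action": action, "when": when}
    entry_hash = fingerprint(json.dumps(body, sort_keys=True).encode())
    log.append({**body, "hash": entry_hash})
    return entry_hash


def acquire(evidence: dict, collector: str, when: str) -> dict:
    """Collection step: hash every item at acquisition and open the custody log."""
    manifest = {"items": {name: fingerprint(data) for name, data in evidence.items()},
                "custody": []}
    record_transfer(manifest, collector, "acquired from seized device", when)
    return manifest


def verify_evidence(manifest: dict, evidence: dict) -> list:
    """Examination step: names of items that are missing or whose bytes changed."""
    return [name for name, digest in manifest["items"].items()
            if name not in evidence or fingerprint(evidence[name]) != digest]


def verify_custody(manifest: dict) -> bool:
    """Re-derive every custody hash; any edited or dropped entry yields False."""
    prev = GENESIS
    for entry in manifest["custody"]:
        body = {k: entry[k] for k in ("prev", "handler", "action", "when")}
        if entry["prev"] != prev or fingerprint(json.dumps(body, sort_keys=True).encode()) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```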
SOC capability and maturity assessment
One of the stories of the last decade has been the rise of the security operations center (SOC) as a model for meeting the challenge of sophisticated cyberattacks. Large organizations often build their own SOCs, although an increasing number acquire the capability as a managed security service (MSS). However, SOCs don’t build themselves, which has created a market for specialists who can guide customers through that process or assess the maturity of a SOC they already operate or subscribe to, in the form of a Capability and Maturity Assessment (CMA). Such an assessment also covers how the organization measures its SOC’s performance and how it carries out those measurements itself.
Cybersecurity compliance assessment
At the heart of all business risk lies the feared ‘c word’ – compliance. Organizations know they must comply with a complex patchwork of regulations but don’t always have a methodology to ensure that happens. In effect, a compliance assessment is a way to identify the gaps between how security controls are actually being implemented and how they should be implemented to achieve legal compliance or best practice. At the end of this type of process, organizations receive a report that outlines any missing controls and oversights, with a recommendation of what should be done to address each issue. This can be demanding – regulations vary from country to country, and simply addressing an issue is not always enough. Organizations must also examine how the lack of compliance arose in the first place.