Assessing security defenses and testing for weakness is an essential feedback component of the continuous improvement cycle – canonized by several risk management frameworks. At RiPPUL, we look at Vulnerability Testing as an important component of a well managed risk management program. Traditionally, penetration testing was used to measure effectiveness of a matured and refined program. It now can also be an opener, or a way to present an argument for attention to a particular defined deficit of risk.
The technical details and scope for automated or manual scans depends largely on the assessment’s goals. Typical questions we answer and ask are:
- What is the true security posture of an environment?
- How many vulnerabilities exist?
- What is the honest evaluation in context of a business priorities
- Is there a need for testing reactions under certain circumstances?
- What are the ramifications, both technical and ethical, of performing our tests.
- Can this best serve our client?
When it’s time.
RiPPUL offers personnel testing, physical testing, and system/network testing.
Our tools enable us to act like the attacker. We gather all the information needed to conduct an efficient penetration test from sources you’ve never heard of! Once we analyse the weaknesses, we prioritize and and attack the biggest security risks, just like any real bad guy would do. Would they also perform remediation? Well, yes, *sometimes*. Most attackers like to close doors behind them, so long as they have left an opening for themselves. They are selfish when it comes to sharing the spoils of their labour, but this is where the good guys differ! Our reports tell you exactly what you need to know and what you need to do in order to close out attackers.
The Pain Points
Our approach is more than just gutting your systems – we view an engagement holistically. Usually the discovery of our clients is that Governance, Risk, and Compliance strategies are non-existent. Most SMB’s leave these choices to their technology implementer, which works well at first.
In time our clients come to understand that their legal liabilities and investors demands require more attention and due care. Structured reporting is important as it can identify gaps in knowledge, and even force an implementer to tend to items you would believe that were normally covered in a common-sense way, but instead were procrastinated upon.
While we’re at it, let’s look at Contingency Planning, Redundancy, and Business Continuity. What are the facts about ransomware, data loss, data leaks?
Three Disaster Recovery Plans
The Meat of an Assessment
- Application Security
- Configuration Management
- Data Security
- Endpoint Protection
- Identity and Access Management
- Infrastructure Security
- IOT Security
- Messaging Security
- System and Asset Management