
YOU ARE VULNERABLE

Date post: 07-Feb-2022
The differences between vulnerability scanning & penetration testing, and why your company needs both.

www.stealth-iss.com

YOU WILL GET HACKED. ARE YOU SECURE?

“It will never happen to me.”

“I am a small business, hackers don’t care about me.”

“Cyber security? I can’t afford that.”

You have probably said all of these things. Unfortunately, a cyberattack will happen to you, no matter how big or small a business you are. However, cybersecurity is affordable and if aligned with your business strategy, can be an enabler for growth, or at least a differentiator.

Vulnerability Scanning and Penetration Testing services help you identify the weaknesses in your company’s infrastructure, so that you know where to focus your resources.

The two terms are often grouped together, causing confusion. The goal of this presentation is to briefly showcase the differences between the two services and how you benefit from both.


YOU MAY HAVE PROBLEMS. What if you…

…knew where the security weaknesses are located that could compromise your company?

…could confidently identify and quantify your cyber risks?

…were sure that you are meeting compliance standards?

…were prioritizing and tackling risks based on their exploitability and impact?

…were aware of the probability of a cyber-attack on your company?

…knew if your efforts are being appropriately directed to ensure continuity of business operations?

…DIDN’T HAVE A GRASP OF ANY OF THESE THINGS?


A BRIEF DEFINITION

Vulnerability scanning is an essential component of your effective information security program and can provide you with a wealth of valuable information about your level of exposure to threats.

This is the process of recognizing, identifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. These assessments provide your organization with the necessary awareness and knowledge to understand and act proactively to the threats within your business environment.

Penetration testing is a proactive type of security testing technique that is used to assess and exploit the weaknesses in your company’s environment. This is a time-constrained and authorized attempt to breach the architecture of your system using attacker techniques.

This form of testing provides the most accurate and comprehensive view of an organization's information security stance, as it evaluates an entire system, exploiting vulnerabilities to determine precisely how an unauthorized user can get control of valuable information assets.


WHAT IS THE DIFFERENCE?

| | Vulnerability Scanning | Penetration Testing |
| --- | --- | --- |
| Frequency | Periodic, scheduled; after significant network or other changes; new equipment | Once or twice per year; significant system changes; frequency can be driven by governance requirements |
| Reports | A vulnerability baseline of your infrastructure. A list of vulnerabilities, categorized by risk level. | A goal-oriented approach in charting where and how an attacker could take over your system. |
| Focus | To list the known vulnerabilities that could be exploited within your enterprise system. | To find the vulnerabilities and exploit them to take advantage of your system. |
| Value | The ability to tackle the highest risk projects first. | Being able to see and know how a hacker could exploit your systems and data. |


DON’T HAVE A SWISS CHEESE INFRASTRUCTURE.

High risk (uninformed) User Behavior

Misconfiguration

Third-Party Vulnerability

Poor patching policy

‘any any’ firewall rules

Unsupported O/S


TYPES OF PENETRATION TESTS

• External Penetration Testing
  o Focused on web server infrastructure and the underlying software comprising the target
• Internal Security Assessment
  o Provides a more complete view of the site security, typically performed from a number of network access points.
• Application Security Assessment
  o Designed to identify and assess threats to the organization through bespoke, proprietary applications or systems
• Wireless/Remote Access Assessment (RAS) Security Assessment
  o Addresses the security risks associated with an increasingly mobile workforce, BYoD and IoT in scope
• Telephony Security Assessment
  o Addresses security concerns relating to corporate voice technologies
• Social Engineering
  o Addresses a non-technical kind of intrusion; relies heavily on human interaction and often involves tricking other people into breaking normal security procedures

Black Box: No prior knowledge of the environment.

Grey Box: Some prior knowledge of the environment.

White Box: Complete prior knowledge of the environment.


THE BENEFITS TO YOU

• Identify the threats facing your organization’s information systems
• Identify your security gaps to provide remediation guidance
• Prioritize your security initiatives to provide a better return on IT Security Investment (ROI)
• Satisfy your regulatory compliance requirements
• Adopt best practices by conforming to industry standards and best practices
• Protect customer loyalty and company image
• See the potential business operational impacts of successful attacks


STEALTH GROUP TO THE RESCUE

• Assess
  o Your goals, objectives, timelines, budget and special needs/requests
• Plan
  o Develop a tailored plan based on your needs, networking complexity, business priorities
  o Identify strategy, timeline, and budget that is right for your security needs
• Scanning & Penetration
  o We find all the vulnerabilities that could bring down your business and expose sensitive data
  o Use state of the art tools and proven test methods
  o Report major vulnerabilities immediately, and advise on remediation
• Deliver
  o A final report that details information about the work done
  o Summary of all testing performed
  o Full test results of every defect
  o Recommendations for remediation


WHY STEALTH GROUP, YOU ASK?

• Confidentiality
  o We preserve and protect the information we develop and gain during testing from disclosure to any other parties
• Qualifications
  o Our security personnel have strong technical credentials, with the latest training in their field. They hold the highest levels of accreditations such as CISA, CISSP, CCSP, CEH and others.
• Methodology
  o We follow a Stealth Group methodology, developed over years, that draws from standards such as OSSTMM, CHECK and OWASP.
  o We perform all security audits and penetration tests according to national and international security and IT standards
• Security Policy
  o We ask to review your security policy to help us understand where you measure up against prevailing security standards, practices, procedures and potential weaknesses
• Technology
  o We use the latest commercial technology for penetration tests with daily updates, and open source software and the years of know-how of our consultants
  o We perform manual checks on the latest vulnerabilities


OH, BUT THERE IS MORE!

• Reporting Results
  o A written report is provided, containing manager-level overview, summary of the issues identified sorted by severity, technical details of each issue complete with outline-associated recommendations
  o A full listing of the actual test results, and notes on the scope and limitations of tests
  o Copies of all logs, reports and other raw data collected during the testing process
• Projects
  o Our security staff have years of experience penetration testing for mid-size and large corporations in the US as well as governmental institutions throughout Europe, international organizations and NATO member states and institutions
• Customer Cooperation
  o Our activities are always tailored to the requirements of the client. Full and open collaboration.
• Flexibility
  o We provide our services in-house and/or externally, and have adopted a flexible and personable strategy in a client-valued environment
• Guaranteed Results
  o We don't just test
  o We negotiate test priorities and goals with our clients and we guarantee to meet those goals
  o You get the testing and test results that we claim


ABOUT US

Stealth – ISS Group® Inc. (est. 2002) acts as your extended IT, cyber security, risk and compliance team and provides strategic guidance, engineering and audit services, along with technical remediation and security operations. We pride ourselves on the quality and professionalism of our workforce, collaborative relationships with our clients, and our ability to bring you innovative, customized but affordable vendor agnostic solutions based on your immediate needs while aligning with your business strategy and operations. We add massive value and save you money on staffing a permanent security organization.

We are passionate about protecting companies and agencies from all facets of cyber-crime, protecting your people and company data, reducing your information and financial losses, and protecting your reputation.

Stealth Group consistently delivers trusted, world-class cybersecurity and IT solutions. By delivering tailored solutions, and highly qualified cyber experts, Stealth Group has earned its spot on the Inc. 500 list, a list of America’s top entrepreneurs. We speak the trust in security and go to great lengths to build trust with our customers by professional and high-quality service delivery, and by offering effective, uncomplicated, and economical solutions.


PAST PERFORMANCE BY SECTOR

Information Technology - USA, EU, Asia, Central/South America:
IT security consulting. ISO Audit review. NOC/SOC implementation. SIEM management. Data Center Hosting services. IT and Security team Target Operating Model design and implementation.

Financial Sector and Banks - US, EU, Middle East:
ISO 9000 and ISO 27001/2 projects (implementation, review and audits). PCI-DSS credit card security including tokenization and QSA certification. SOX relevant application security assessments. Data encryption, Data Loss Prevention implementation and review. Data classification. Information Life Cycle Consulting. Data center security reviews.

Special Events - Global:
SOC design, build and staffing, threat intel, nation state hack remediation, Security Incident Response and Forensics. Penetration Testing. Dark Web monitoring. Social Engineering.

Healthcare / Insurance sector - US, EU, Middle East:
Data protection and classification. HIPAA audit. Risk assessments. Secure Infrastructure design.

Education - US, EU, Asia:
PCI-DSS compliancy review. Data Privacy. Data Breach Incident Response and Remediation.

Government, Utilities, Critical Infrastructure - US, Germany, Central America, Middle East:
Data privacy projects including personal data protection laws. Firewall and IDS implementation. PCI-DSS credit card security. Risk Assessments. ISO 17799/2700x Audits, country wide surveillance system. Penetration Testing.

Intelligence - US, Germany, Middle East:
Secure encrypted/secure video conferencing system implementation. IT security consulting. Business Impact Analysis, Disaster Recovery implementation and Testing.

Defense/Military and Public Service - US, Germany, Central America, Middle East:
IT security consulting. Big Data Security Architecture Design. Big Data RMF Assessments. FISMA. C&A accreditation. Business Intelligence. Review of existing systems for NIST compliancy. Policy and Procedure review. Security gap analysis. Risk Assessments, NIST 800-171 and 53.

Hotel, Gaming and Gastronomy - US and EU:
Data Privacy. PCI DSS Audit. Security assessments. Design and build of casino resort IT and security architecture, ISF audit, NIST audit, penetration testing, phishing campaign. Cyber Security and Security Operations Center for Olympic Games 2016 and 2018.


STEALTH GROUP DIMENSIONS OF CYBER


THANK YOU

OFFICE LOCATIONS

Huntsville, Alabama

Las Vegas, Nevada

London, England

Dubai, United Arab Emirates

Bratislava, Slovakia

HQ – ARLINGTON, VIRGINIA

4601 North Fairfax Drive, Suite 1200 Arlington, VA 22203

Stealth-ISS Group® Inc. | www.stealth-iss.com | [email protected]

