YOU ARE VULNERABLE
The differences between vulnerability scanning & penetration testing, and why your company needs both.
www.stealth-iss.com
YOU WILL GET HACKED. ARE YOU SECURE?
“It will never happen to me.”
“I am a small business, hackers don’t care about me.”
“Cyber security? I can’t afford that.”
You have probably said all of these things. Unfortunately, a cyberattack will happen to you, no matter how big or small a business you are. However, cybersecurity is affordable and, if aligned with your business strategy, can be an enabler for growth, or at least a differentiator.
Vulnerability scanning and penetration testing services help you identify the weaknesses in your company’s infrastructure, so that you know where to focus your resources.
The two terms are often grouped together, causing confusion. The goal of this presentation is to briefly showcase the differences between the two services and how you benefit from both.
YOU MAY HAVE PROBLEMS. What if you…
…knew where the security weaknesses are located that could compromise your company?
…could confidently identify and quantify your cyber risks?
…were sure that you are meeting compliance standards?
…were prioritizing and tackling risks based on their exploitability and impact?
…were aware of the probability of a cyber-attack on your company?
…knew if your efforts are being appropriately directed to ensure continuity of business operations?
…DIDN’T HAVE A GRASP OF ANY OF THESE THINGS?
A BRIEF DEFINITION
Vulnerability scanning is an essential component of your effective information security program and can provide you with a wealth of valuable information about your level of exposure to threats.
This is the process of recognizing, identifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. These assessments provide your organization with the necessary awareness and knowledge to understand and act proactively on the threats within your business environment.
Penetration testing is a proactive type of security testing technique that is used to assess and exploit the weaknesses in your company’s environment. This is a time-constrained and authorized attempt to breach the architecture of your system using attacker techniques.
This form of testing provides the most accurate and comprehensive view of an organization’s information security stance, as it evaluates an entire system, exploiting vulnerabilities to determine precisely how an unauthorized user could gain control of valuable information assets.
WHAT IS THE DIFFERENCE?
Vulnerability Scanning vs. Penetration Testing
• Frequency
  o Vulnerability Scanning: periodic, scheduled; after significant network or other changes; new equipment
  o Penetration Testing: once or twice per year; after significant system changes; frequency can be driven by governance requirements
• Reports
  o Vulnerability Scanning: a vulnerability baseline of your infrastructure; a list of vulnerabilities, categorized by risk level
  o Penetration Testing: a goal-oriented approach in charting where and how an attacker could take over your system
• Focus
  o Vulnerability Scanning: to list the known vulnerabilities that could be exploited within your enterprise system
  o Penetration Testing: to find the vulnerabilities and exploit them to take advantage of your system
• Value
  o Vulnerability Scanning: the ability to tackle the highest risk projects first
  o Penetration Testing: being able to see and know how a hacker could exploit your systems and data
DON’T HAVE A SWISS CHEESE INFRASTRUCTURE.
• High risk (uninformed) user behavior
• Misconfiguration
• Third-party vulnerability
• Poor patching policy
• ‘any any’ firewall rules
• Unsupported O/S
TYPES OF PENETRATION TESTS
• External Penetration Testing
  o Focused on web server infrastructure and the underlying software comprising the target
• Internal Security Assessment
  o Provides a more complete view of the site security, typically performed from a number of network access points
• Application Security Assessment
  o Designed to identify and assess threats to the organization through bespoke, proprietary applications or systems
• Wireless/Remote Access (RAS) Security Assessment
  o Addresses the security risks associated with an increasingly mobile workforce, BYOD and IoT in scope
• Telephony Security Assessment
  o Addresses security concerns relating to corporate voice technologies
• Social Engineering
  o Addresses a non-technical kind of intrusion; relies heavily on human interaction and often involves tricking other people into breaking normal security procedures

Black Box: no prior knowledge of the environment.
Grey Box: some prior knowledge of the environment.
White Box: complete prior knowledge of the environment.
THE BENEFITS TO YOU
• Identify the threats facing your organization’s information systems
• Identify your security gaps and provide remediation guidance
• Prioritize your security initiatives to provide a better return on IT security investment (ROI)
• Satisfy your regulatory compliance requirements
• Adopt best practices by conforming to industry standards
• Protect customer loyalty and company image
• See the potential business operational impacts of successful attacks
STEALTH GROUP TO THE RESCUE
• Assess
  o Your goals, objectives, timelines, budget and special needs/requests
• Plan
  o Develop a tailored plan based on your needs, networking complexity and business priorities
  o Identify the strategy, timeline and budget that is right for your security needs
• Scanning & Penetration
  o We find all the vulnerabilities that could bring down your business and expose sensitive data
  o Use state-of-the-art tools and proven test methods
  o Report major vulnerabilities immediately, and advise on remediation
• Deliver
  o A final report that details information about the work done
  o Summary of all testing performed
  o Full test results of every defect
  o Recommendations for remediation
WHY STEALTH GROUP, YOU ASK?
• Confidentiality
  o We preserve and protect the information we develop and gain during testing from disclosure to any other parties
• Qualifications
  o Our security personnel have strong technical credentials, with the latest training in their field. They hold the highest levels of accreditations such as CISA, CISSP, CCSP, CEH and others.
• Methodology
  o We follow a Stealth Group methodology, developed over years, that draws from standards such as OSSTMM, CHECK and OWASP.
  o We perform all security audits and penetration tests according to national and international security and IT standards
• Security Policy
  o We ask to review your security policy to help us understand where you measure up against prevailing security standards, practices and procedures, and where potential weaknesses lie
• Technology
  o We use the latest commercial technology for penetration tests, with daily updates, and open-source software, together with the years of know-how of our consultants
  o We perform manual checks for the latest vulnerabilities
OH, BUT THERE IS MORE!
• Reporting Results
  o A written report is provided, containing a manager-level overview, a summary of the issues identified sorted by severity, and technical details of each issue complete with associated recommendations
  o A full listing of the actual test results, and notes on the scope and limitations of the tests
  o Copies of all logs, reports and other raw data collected during the testing process
• Projects
  o Our security staff have years of experience penetration testing for mid-size and large corporations in the US as well as governmental institutions throughout Europe, international organizations, and NATO member states and institutions
• Customer Cooperation
  o Our activities are always tailored to the requirements of the client. Full and open collaboration.
• Flexibility
  o We provide our services in-house and/or externally, and have adopted a flexible and personable strategy in a client-valued environment
• Guaranteed Results
  o We don’t just test
  o We negotiate test priorities and goals with our clients, and we guarantee to meet those goals
  o You get the testing and test results that we claim
ABOUT US
Stealth – ISS Group® Inc. (est. 2002) acts as your extended IT, cyber security, risk and compliance team and provides strategic guidance, engineering and audit services, along with technical remediation and security operations. We pride ourselves on the quality and professionalism of our workforce, collaborative relationships with our clients, and our ability to bring you innovative, customized but affordable vendor-agnostic solutions based on your immediate needs while aligning with your business strategy and operations. We add massive value and save you money on staffing a permanent security organization.
We are passionate about protecting companies and agencies from all facets of cyber-crime, protecting your people and company data, reducing your information and financial losses, and protecting your reputation.
Stealth Group consistently delivers trusted, world-class cybersecurity and IT solutions. By delivering tailored solutions and highly qualified cyber experts, Stealth Group has earned its spot on the Inc. 500 list, a list of America’s top entrepreneurs. We speak the trust in security and go to great lengths to build trust with our customers through professional and high-quality service delivery, and by offering effective, uncomplicated and economical solutions.
PAST PERFORMANCE BY SECTOR
Information Technology - USA, EU, Asia, Central/South America: IT security consulting. ISO audit review. NOC/SOC implementation. SIEM management. Data center hosting services. IT and security team Target Operating Model design and implementation.
Financial Sector and Banks - US, EU, Middle East: ISO 9000 and ISO 27001/2 projects (implementation, review and audits). PCI-DSS credit card security including tokenization and QSA certification. SOX-relevant application security assessments. Data encryption, Data Loss Prevention implementation and review. Data classification. Information life cycle consulting. Data center security reviews.
Special Events - Global: SOC design, build and staffing, threat intel, nation-state hack remediation, security incident response and forensics. Penetration testing. Dark web monitoring. Social engineering.
Healthcare / Insurance Sector - US, EU, Middle East: Data protection and classification. HIPAA audit. Risk assessments. Secure infrastructure design.
Education - US, EU, Asia: PCI-DSS compliance review. Data privacy. Data breach incident response and remediation.
Government, Utilities, Critical Infrastructure - US, Germany, Central America, Middle East: Data privacy projects including personal data protection laws. Firewall and IDS implementation. PCI-DSS credit card security. Risk assessments. ISO 17799/2700x audits, country-wide surveillance system. Penetration testing.
Intelligence - US, Germany, Middle East: Secure, encrypted video conferencing system implementation. IT security consulting. Business impact analysis, disaster recovery implementation and testing.
Defense/Military and Public Service - US, Germany, Central America, Middle East: IT security consulting. Big data security architecture design. Big data RMF assessments. FISMA. C&A accreditation. Business intelligence. Review of existing systems for NIST compliance. Policy and procedure review. Security gap analysis. Risk assessments, NIST 800-171 and 800-53.
Hotel, Gaming and Gastronomy - US and EU: Data privacy. PCI DSS audit. Security assessments. Design and build of casino resort IT and security architecture, ISF audit, NIST audit, penetration testing, phishing campaign. Cyber security and security operations center for the Olympic Games 2016 and 2018.
THANK YOU
OFFICE LOCATIONS
Huntsville, Alabama
Las Vegas, Nevada
London, England
Dubai, United Arab Emirates
Bratislava, Slovakia
HQ – ARLINGTON, VIRGINIA
4601 North Fairfax Drive, Suite 1200 Arlington, VA 22203
Stealth-ISS Group® Inc. | www.stealth-iss.com | [email protected]