Threat and Risk Assessment
An effective cyber-security system depends on an accurate assessment of the cyber security threats that face your organization. By understanding your threat context (who would want to hack you, what they are after, and their capacity to attack) you can develop appropriate and cost-effective security controls.
Of course threats are not only hackers, so our approach can encompass a full range of threats, from internal staff to natural disasters. Threat & Risk Assessments (TRAs) can be performed at an enterprise, network or systems level.
DELIVERABLES
After establishing the scope and objectives of the TRA we work closely with your team to develop the TRA. We use an ISO 31000 based risk management framework, consisting of 6 steps:
- Understand the context: We start by understanding your industry profile. This allows us to leverage our extensive industry threat profiling research, one of Tobruk's key points of difference. This tells us the likely types of threat agents we need to consider.
- Profile the Threats: Identify all the threats to your security, threat actors, motivation, prevalence and capability.
- Identify potential vulnerabilities that can be exploited.
- Assess current controls selection.
- Assess likelihood and consequence to produce an overall risk score.
- Identify priorities for further controls (if required).
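As an added illustration (not Tobruk's own tooling or method), the following Python sketch walks those six steps for a small constructed risk register: threat agents rated for capability and prevalence, a vulnerability and its exposure per scenario, the effectiveness of current controls, and likelihood multiplied by consequence to produce the score that drives prioritisation. All agents, scenarios and ratings are constructed placeholders, not real threat-intelligence data.

```python
# Added example: a minimal ISO 31000-style risk register covering the six
# TRA steps. Every rating below is constructed for illustration.
from dataclasses import dataclass

# Steps 1-2: threat agents suggested by the context profile, rated 1-5 for
# capability and prevalence (constructed values).
THREAT_AGENTS = {
    "organised crime": {"capability": 4, "prevalence": 5},
    "malicious insider": {"capability": 3, "prevalence": 2},
    "natural disaster": {"capability": 5, "prevalence": 1},
}

@dataclass
class Scenario:
    threat_agent: str
    vulnerability: str            # step 3: weakness the agent could exploit
    exposure: int                 # how exposed that weakness is, 1-5
    control_effectiveness: float  # step 4: 0.0 (no control) .. 1.0 (fully effective)
    consequence: int              # step 5: business impact if realised, 1-5

def likelihood(s: Scenario) -> float:
    """Residual likelihood (1-5): agent capability, prevalence and exposure
    averaged, then reduced by how effective the current controls are."""
    agent = THREAT_AGENTS[s.threat_agent]
    inherent = (agent["capability"] + agent["prevalence"] + s.exposure) / 3
    return round(inherent * (1 - s.control_effectiveness), 2)

def risk_score(s: Scenario) -> float:
    """Step 5: overall risk = residual likelihood x consequence (max 25)."""
    return round(likelihood(s) * s.consequence, 2)

def rating(score: float) -> str:
    """Band the numeric score for management reporting (thresholds are assumed)."""
    if score >= 15: return "Extreme"
    if score >= 8: return "High"
    if score >= 3: return "Medium"
    return "Low"

def prioritise(scenarios):
    """Step 6: highest residual risk first; these are candidates for further controls."""
    ranked = sorted(scenarios, key=risk_score, reverse=True)
    return [(s.threat_agent, s.vulnerability, risk_score(s), rating(risk_score(s)))
            for s in ranked]

# Constructed sample register (not derived from any real engagement).
REGISTER = [
    Scenario("organised crime", "unpatched internet-facing server", 5, 0.2, 5),
    Scenario("malicious insider", "shared admin credentials", 3, 0.5, 4),
    Scenario("natural disaster", "single data centre, no DR site", 2, 0.9, 5),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(row)
```

Note how the disaster scenario, despite a maximum consequence, falls to the bottom once the existing DR control is credited; the register makes that trade-off explicit instead of leaving it to a raw vulnerability score.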
Penetration Testing:
The challenge for your security team is that they only need to leave one server unpatched, one firewall misconfigured or one desktop without malware protection, and your entire network can be compromised. Normal engineering and application testing take "happy day" scenarios and verify the correct operation of the system or network.
In Penetration Testing our security experts take on the role of a hacker to see what access or information can be gained by not following the normal script. We look for any vulnerability that can be exploited to gain access. Depending on the scope of the testing (see our unique tiered model) we will even test the responses to attempted hacking via social engineering.
Of course we always do this to strict protocols, maintain continuous contact with your security team and do our best not to disrupt or damage your computer networks.
DELIVERABLES
A Pen Test always starts with a detailed definition of the Rules of Engagement.
This defines in detail the scope of the testing, including targets, type of testing and hours of testing. Tobruk follow a rigorous process of profiling your network, conducting reconnaissance and planning our attack strategy. Depending on the scope we may report vulnerabilities, or we may attempt to exploit them to gain access.
A Pen Test is much more than network or application vulnerability scanning. Most vulnerability scans use automated tools to locate vulnerabilities. A pen tester thinks outside the box and considers your specific situation to devise plausible ways a hacker could gain system access using those vulnerabilities. The biggest system vulnerabilities are people and process centric. If it is within the ROEs we will certainly get your help desk to give us account access (as an example). If required we can extend this into actual exploitation of networks, providing evidence of risks.
A key difference of the Tobruk approach is that we work cooperatively with your security team to identify vulnerabilities, quantify the real risk and suggest approaches for mitigation. Our Assessment reports provide you with real actionable prioritized plans, not a list of unfiltered vulnerability scores.
A pen test is not an enduring assurance of security. It is one measure that in combination with best practice security design assurance provides confidence that your security management system is effective. Our experts, who have decades of experience, bring this holistic approach to your Cyber Defense solutions.
Contact Us to request further information on how Tobruk Security can help you with your Penetration Testing needs.
ISMS Assessment:
An Information Security Management System is an integrated management approach to all aspects of information security. An effective ISMS ensures that both technical and human controls are in place and operating. The ISO/IEC 27001:2013 standard provides a recognized framework for an ISMS, and Tobruk's consultants are qualified as Lead Auditors in its application.
DELIVERABLES
Tobruk consultants first review the Statement of Applicability and ensure that it maps to real business requirements accepted by the organization before proceeding with a more conventional audit of controls.
A common mistake of internal and external auditors is to conduct the audit in isolation from an understanding of the business's requirements. After an initial assessment we work with your ISMS project team to develop a road map to meet the defined end point. This may or may not mean getting to ISO 27001 certification.
Contact Us to request further information on how Tobruk Security can help you with your ISMS Assessment needs.
Security Controls Design:
While standards such as ISO 27002 give you high-level conceptual approaches to control design, they do not tell you how to design controls in detail.
System integrators offer expertise in configuring the technology and services they sell, but how do you know they are following compliance requirements and best practice? Tobruk consultants, with decades of security architecture experience, are available to design your security controls for you or to review the designs of your existing integrator.
DELIVERABLES
A Tobruk consultant will meet with your team to understand your deliverable requirements and then develop a scope of work. Traditionally these engagements are fixed price; however, we are happy to work to a Time & Materials approach if your project requires an Agile methodology. In larger security and systems projects you can retain Tobruk Security to be available to your project teams on demand.
Contact Us to request further information on how Tobruk Security can help you with your Security Controls Design needs.
Crisis Management:
Tobruk are experts in assessing your Crisis Management / Business Continuity / Disaster Recovery plans. We have extensive experience in managing full CM/BCP/DR tests. We also have experience in theoretical reliability and availability studies for mission-critical systems.
DELIVERABLES
Tobruk will work with your internal team to scope one or more simulation exercises to test your preparedness. The approach we recommend is to start with smaller scale desktop exercises, progress to larger exercises involving key elements of the plan, and finish with full Red Team / Blue Team exercises where your team is given a realistic scenario to work through. Our CM team has extensive experience in private, public and national security organisations.
Contact Us to request further information on how Tobruk Security can help you with your Crisis Management needs.
Control Audit and Assurance:
A systematic audit of systems controls is essential for organisations who want confidence that their data, systems and people are protected. Our information systems auditors are highly experienced and follow international audit standards such as SSAE 16.
DELIVERABLES
We follow accepted audit procedures based on the requirements of the Certified Information Systems Auditor program. The baseline controls, if not specified already, can be based on industry standards such as PCI-DSS or IRAP. Unlike most chartered accounting firms, our auditors have real-world, hands-on experience running security systems, meaning that our findings relate to the practical and pragmatic application of controls. We aim not just to find faults but also to identify opportunities to reduce the burden of controls on the organisation. Our Approach:
- An initial engagement to scope the Audit
- A meeting to agree the audit agenda
- Pre-audit data collection
- Onsite audit interviews
- Preliminary findings
- Draft report
- Incorporate feedback from draft report
- Final report
- Briefing to management
Contact Us to request further information on how Tobruk Security can help you with your Control Audit and Assurance needs.