For large firms (typically 50 people and over) we strongly recommend a comprehensive solution that can handle the unexpected as well as maintain a consistent operational baseline. An exemplary firm to work with is eSentire. They use their outstanding knowledge and technical skill to actively monitor your network as part of a constant process of limiting your risk.
To augment providers like eSentire, and in an effort to provide our smaller clients a reasonably priced alternative as part of the overall Cyber Security audit process, Humble Monkey is now offering internal and external penetration testing using Rapid7. The goal is not only to minimize your firm’s exposure but also to document the effort and its progression over time. We believe it is important to demonstrate an ongoing operational effort in the face of an ever-changing threat environment.
From an SEC or FINRA point of view, this is where smaller firms need to be: actively involved in evaluating and managing their Cyber Security risk!
Why is HM Offering This Now?
The audit provides an objective look at your environment and demonstrates where improvements can be made and remediation accomplished. Most significantly, it presents the results and improvements in an easy-to-use format. The software we use is specifically designed to automate the process using the most current definition of “risk” in the cyber security world.
Audit and Exploitation
We also attempt access from outside your network to examine the details of what may or may not be exposed externally. This validates firewall configurations as well as “visible” software such as Outlook Web Access, Terminal Services or Citrix.
Combined, these tools provide a comprehensive picture and the ability to remediate any issues found, reducing the threat exposure from even the most arcane attacks.
Example Report Card
An initial internal scan may typically present a “C” grade, although we have seen some “F”s!
There are various reasons for what appears to be a mediocre grade. It could be something unique to your environment, or it could be something as mundane as the need for Java to be updated on a workstation. Even small things add up, and together they create the baseline metric. Having a lower grade is actually an advantage: when we test again after having performed the appropriate work to close any exploitable issues, the validation will show very clearly. Forward progression over the course of a year readily demonstrates to external auditors or investors your active participation in maintaining your IT environment and reducing potential threats.
We provide graphic representations of the process of active threat reduction over time. Reports can be customized; for example, the charts originally shown here covered Assets & Vulnerabilities, Severity, Vulnerabilities, and Vulnerability Age.
This approach moves the metrics of threat reduction and assessment to a different level. The historical documentation alone adds a new dimension to Cyber Security reporting. If the goal is to get ahead of the SEC, auditors or investors, this documentation is a show-stopper.
The software also provides insight into each issue as well as an expected time to fix it. With these reports in hand, Humble Monkey can formulate a plan of attack for increasing security throughout your organization. We also have the option to exclude certain items from the scoring if it can be determined that they do not present a threat to your environment.
The initial full vulnerability evaluation and remediation takes place over 2 weeks, starting with an initial scan of the internal network to establish a baseline for your firm and an initial Risk Score Card. The key result underpinning the Risk Score Card is an often lengthy remediation document listing specific issues, recommended actions, and an estimate of the time to remedy each issue. We can work with you or your IT staff to resolve these issues.
We review the document with you and present the specific collective actions we will take. It is important to recognize that some items defined as deficiencies may be deliberate. We document these items, evaluating the risk against the rationale, and then eliminate them from the Score Card if appropriate.
Remediation is accomplished as quickly and efficiently as possible, of course!
Once remediation actions are completed, we run an additional scan which fortifies the firm’s historical record and clearly defines key metrics of a defined Cyber Security process.
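The baseline scan, the documented exceptions, and the follow-up scan described above can be turned into the Score Card metrics with a small script. The code below is an added illustration, not Humble Monkey's or Rapid7's own tooling: the two scan snapshots, the check identifiers, the severity weights and the letter-grade bands are all constructed for the example, and Rapid7's actual risk model is not reproduced. What it shows is the mechanics the text relies on: items reviewed and accepted as not a threat are excluded from the score but kept on the card with their rationale, vulnerability age is measured from the scan in which a finding first appeared, and the rescan is diffed against the baseline to separate remediated, persisting and newly introduced findings.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # scanner check identifier (constructed labels, not real plugin ids)
    severity: str      # "critical" | "high" | "medium" | "low"
    first_seen: date   # date of the first scan in which this host/check pair appeared


# Points deducted per open finding by severity. Constructed weighting for the
# example only; it is not Rapid7's scoring model.
WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def key(f: Finding) -> tuple:
    return (f.host, f.check_id)


def grade(score: int) -> str:
    """Map a 0-100 score to a letter. Constructed bands, for illustration only."""
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"


def score_card(findings, exceptions, as_of: date) -> dict:
    """Summarise one scan into the metrics the report card tracks.

    `exceptions` maps (host, check_id) -> documented rationale for items that
    were reviewed and accepted as not presenting a threat.  They are excluded
    from the score but listed on the card so the decision stays on record.
    """
    scored = [f for f in findings if key(f) not in exceptions]
    excluded = [f for f in findings if key(f) in exceptions]
    by_severity = {s: 0 for s in WEIGHTS}
    for f in scored:
        by_severity[f.severity] += 1
    ages = [(as_of - f.first_seen).days for f in scored]   # vulnerability age in days
    score = max(0, 100 - sum(WEIGHTS[f.severity] for f in scored))
    return {
        "as_of": as_of.isoformat(),
        "open": len(scored),
        "by_severity": by_severity,
        "oldest_days": max(ages, default=0),
        "score": score,
        "grade": grade(score),
        "excluded": [(f.host, f.check_id, exceptions[key(f)]) for f in excluded],
    }


def progress(baseline, rescan) -> dict:
    """Diff two scans: what was remediated, what persists, what is new.
    Exceptions are not applied here; an accepted item still 'persists'."""
    b = {key(f) for f in baseline}
    r = {key(f) for f in rescan}
    return {"remediated": sorted(b - r), "persisting": sorted(b & r), "new": sorted(r - b)}


# Constructed sample data: a baseline scan and a rescan two weeks later.
BASELINE_DATE = date(2023, 3, 1)
RESCAN_DATE = date(2023, 3, 15)
BASELINE = [
    Finding("ws01", "JAVA-OUTDATED", "high", BASELINE_DATE),
    Finding("ws02", "JAVA-OUTDATED", "high", BASELINE_DATE),
    Finding("srv01", "SMB-SIGNING-OFF", "medium", BASELINE_DATE),
    Finding("srv02", "SSL-SELF-SIGNED", "low", BASELINE_DATE),
    Finding("fw01", "RDP-EXPOSED", "critical", BASELINE_DATE),
]
RESCAN = [
    Finding("srv01", "SMB-SIGNING-OFF", "medium", BASELINE_DATE),   # still open, now 14 days old
    Finding("srv02", "SSL-SELF-SIGNED", "low", BASELINE_DATE),      # reviewed, accepted (see below)
    Finding("ws03", "BROWSER-OUTDATED", "medium", RESCAN_DATE),     # new since baseline
]
# Documented risk acceptance; the rationale travels with the card.
EXCEPTIONS = {
    ("srv02", "SSL-SELF-SIGNED"): "internal lab host, not reachable from user VLAN; reviewed 2023-03-10",
}

if __name__ == "__main__":
    print("baseline:", score_card(BASELINE, {}, BASELINE_DATE))
    print("rescan:  ", score_card(RESCAN, EXCEPTIONS, RESCAN_DATE))
    print("progress:", progress(BASELINE, RESCAN))
```

With this data the baseline scores 77 (a “C”), and the rescan scores 96 (an “A”) with one accepted item listed under `excluded` and the oldest open finding at 14 days, which is the kind of before/after pair the historical record is built from.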
At the same time as we are running the internal network evaluation, we deploy our external tool, which identifies any issues from an external perspective. Any potential exploits and issues are documented and remediated, and a final analysis is performed and documented concurrently with the final scan.
The last component of the initial engagement is to run a social engineering test with your staff, usually in the form of a phishing e-mail. The results are collated and presented as a report. This is usually the most effective time to have a brief and informal Cyber Security dialogue with your team. It’s a dialogue that is informative but also grounded in very practical matters relevant to your business. The popular phrase in security circles is “There is no patch for human stupidity (or naiveté)!” The reality is that it’s a complex world out there and the best of us make mistakes.