With today's advanced threats, rapidly changing malware and a constantly-shifting legal and regulatory landscape, it's essential to clearly understand the risks associated with your information technology assets.
While a third party may already be conducting your security testing, it might be time for a new perspective - because not all IT security testing is the same.
The RSM difference - complete testing and personal attention
Contrary to what many believe, IT security testing isn't a commodity service. Real differences exist in both capabilities and depth of testing, but the most significant differences don't stem from purely technical factors. Rather than treating a catalogue of technical findings as the final goal, IT security testing that delivers real value uses technical methods and results to support business-level risk management.
KEY CONTACT
Darren Booth, National Head of Security and Privacy Risk Services
T: +61 3 9286 8186
E: [email protected]
How can we help you?
Systemic issues—using testing results to identify the root causes of various types of risks. Does your organisation struggle to maintain Web applications? Secure databases? Harden UNIX servers? If weaknesses in the underlying processes aren't identified, the same vulnerabilities will continually reappear.
Multifactor risks—while many network security testing providers focus exclusively on a vulnerability's technical risk, true value comes from translating those technical risks into regulatory compliance, legal and operational risks. Two vulnerabilities may be technically identical yet present vastly different risks, depending on the system, applications, data or business processes they affect.
Consistent frameworks—how do you know if testing was done completely and correctly? How do testers validate that they performed the appropriate levels and types of testing? At RSM, we base testing methodologies on widely accepted frameworks, such as OSSTMM, OWASP, PTES and SANS SCORE.
Controls assessments—assessment data is valuable for validating the effectiveness, or the very existence, of controls and processes. While checklist-style audits work well for assessing the policies that govern controls, or for spot checks of specific systems, full security testing is often needed to validate the effectiveness of technical controls across an enterprise. Processes tested can include patching and vulnerability management, configuration management, the SDLC, security monitoring and incident response, security awareness training, data loss prevention and data protection.
- External network-level testing is the traditional form of testing and can include "black-box testing" and "white-box testing."
- Black-box testing—testers have no prior knowledge of your organisation's systems. Testing is more realistic and represents what a real attacker would do.
- White-box testing—testers have complete knowledge of your systems. Testing is more complete and focused than black-box testing, but the results are less representative of what an outside attacker would actually find.
- Internal network-level testing is similar to external network testing but is performed on your internal network and systems. This style of testing is useful for validating internal controls and mimicking the activities an attacker would take after gaining a foothold, whether by compromising an external system or by delivering malware to an employee. A poorly secured internal network is a recurring factor in today's high-profile data breaches: once the perimeter is crossed, it determines how far and how fast an attacker can move.
- In response to the needs of our clients, RSM developed Nomad Security Testing Appliances (Nomads), which are available in two forms: small form factor devices or downloadable virtual machines. These devices sit inside your firewall and connect back to RSM's security testing labs over encrypted tunnels, with all testing data encrypted at rest on the device.
- Application-level testing involves analysing your applications to identify vulnerabilities introduced through maintenance, configuration or architectural issues, typically from both unauthenticated and authenticated perspectives. Testing can be performed against an application's production version, against a build still in development, and against the source code itself.
- Social engineering testing focuses on assessing the security awareness of an organisation's employees. Testing styles include pretext phone calls, phishing emails, cloned websites and harmless pseudo-malware.
- Extrusion testing is a form of penetration testing that determines how easily sensitive information can be pushed from the inside out, testing the effectiveness of data leakage prevention (DLP) systems, proxies and security monitoring.
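An extrusion test needs canary data that a DLP rule is supposed to catch, and a way to show which encodings slip past it. The script below is an added example for this page, not RSM's tooling or part of the original text: it generates synthetic but checksum-valid card numbers (in the 4111 Visa test range, an assumption; no cardholder is behind them) and Australian TFNs, then runs a toy regex-plus-checksum DLP rule over a plaintext payload, a separator-spaced variant and a base64-encoded variant. All payloads are constructed inline; the two detector functions stand in for whatever DLP product is actually in the path.

```python
"""Extrusion-test canaries: synthetic sensitive data a DLP rule *should* catch,
pushed through a toy detector as plaintext and in two common evasion encodings.
Added example, not RSM's tooling; every value below is constructed."""
import base64
import random
import re

PAN_PREFIX = "4111"                      # assumed Visa test range, never issued to a real card
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)  # public ATO check-digit weights


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                   # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(number) >= 13 and total % 10 == 0


def tfn_valid(tfn: str) -> bool:
    return len(tfn) == 9 and sum(w * int(d) for w, d in zip(TFN_WEIGHTS, tfn)) % 11 == 0


def make_test_pan(rng, prefix=PAN_PREFIX, length=16) -> str:
    body = prefix + "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def make_test_tfn(rng) -> str:
    while True:                          # some 8-digit bodies have no valid 9th digit; retry
        body = "".join(rng.choice("0123456789") for _ in range(8))
        for d in "0123456789":
            if tfn_valid(body + d):
                return body + d


def generate_canary_ids(seed=7):
    rng = random.Random(seed)
    return make_test_pan(rng), make_test_tfn(rng)


PAN_RE = re.compile(r"\b\d{13,19}\b")
TFN_RE = re.compile(r"\b\d{9}\b")


def dlp_scan(payload: str):
    """Naive DLP rule: regex plus checksum, applied to the payload exactly as sent."""
    hits = [f"PAN:{m}" for m in PAN_RE.findall(payload) if luhn_valid(m)]
    hits += [f"TFN:{m}" for m in TFN_RE.findall(payload) if tfn_valid(m)]
    return hits


def dlp_scan_normalized(payload: str):
    """Same rule after stripping the spaces/dashes people type between digit groups."""
    return dlp_scan(re.sub(r"(?<=\d)[ -](?=\d)", "", payload))


def _group(digits: str, n: int) -> str:
    return " ".join(digits[i:i + n] for i in range(0, len(digits), n))


def build_canaries(seed=7):
    pan, tfn = generate_canary_ids(seed)
    plain = f"customer export: card={pan} tfn={tfn}"
    return {
        "plain": plain,
        "spaced": f"customer export: card={_group(pan, 4)} tfn={_group(tfn, 3)}",
        "base64": base64.b64encode(plain.encode()).decode(),
    }


def run_extrusion_test(seed=7):
    """For each canary variant, did the naive rule and the normalising rule fire?"""
    return {
        name: {"naive": bool(dlp_scan(p)), "normalized": bool(dlp_scan_normalized(p))}
        for name, p in build_canaries(seed).items()
    }


if __name__ == "__main__":
    for variant, verdict in run_extrusion_test().items():
        print(f"{variant:<8} naive={verdict['naive']!s:<5} normalized={verdict['normalized']}")
```

Run against a real control, the payloads would go out through the monitored channels (mail, web proxy, file share) and the verdicts would come from the DLP console instead of `dlp_scan`. The shape of the result is the lesson: a rule that only matches contiguous digit runs misses the spaced variant, separator normalisation recovers it, and neither sees inside base64, which is why extrusion testing pairs DLP checks with proxy and monitoring checks rather than trusting any one of them.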
IT security testing at RSM is a managed process, where a real, live person—your own dedicated client service coordinator (CSC)—is assigned to your organisation. Your CSC is responsible for:
- Working with you to create a project plan, define the scope and goals of the testing.
- Tracking major milestones and performance expectations.
- Delivering meaningful reports that eliminate noise and false positives. Our reports are concise and accurate, based on manual validation and cross-checks of tool output, and take into account far more than sets of individual technical findings.