Top of mind for senior management and boards are two questions: How secure do we need to be? How do we measure up against that goal?
How secure is secure?
Other critical questions they should be asking are: What level of risk are we comfortable with? What threats are unique to our industry and to our organization? What are the regulatory requirements? Armed with the answers to these questions, a company can evaluate its current posture and determine the ultimate size and shape of its cyber security program.
Lodestone Security works with small to mid-size companies to answer these critical questions, assess their information security posture and identify how they can best defend against the threats that impact the confidentiality, integrity, and availability of their information technology infrastructure. We partner to:
- Identify a company’s greatest information security risks and the steps to mitigate them
- Detect systemic weaknesses that underlie individual technical and tactical security vulnerabilities
- Understand the issues that affect an organization’s security regulatory compliance posture
- Determine security awareness issues and their significance to the organization
Evaluation and guidance to measure up
Understanding the business and vulnerabilities of the SMB market, Lodestone conducts thorough reviews to evaluate a company's current security posture and guide security program enhancements:
External Network Vulnerability Assessment: We combine automated scanning with manual assessment techniques to evaluate the security of network devices and servers that are exposed to the Internet, a common point of entry for attackers. Activities include host discovery, host enumeration, scanning for network and basic web application vulnerabilities, and manual verification of results.
Insider Threat Assessment: Working from inside your network, we use standard user account privileges to determine how a knowledgeable insider may be able to use his or her valid authorization credentials to access restricted or sensitive information.
Application Assessment: Vulnerabilities within web and mobile applications can provide attackers with an entry point into the network, even if firewall rules are appropriate and passwords are strong. While some vulnerabilities require sophisticated knowledge and techniques, others can be discovered and leveraged with less expertise and simpler tools. We perform assessments to identify issues such as server hardening deficiencies, forceful browsing, HTML-sifting, lack of server-side validation, and authentication weaknesses so they can be resolved before attackers exploit them.
Policy, Procedure and Standards Review: We evaluate the completeness and effectiveness of existing material to determine whether actual practices are consistent with established security guidelines. We apply best practices consistent with standards such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Network Architecture Review: Independent of individual device configuration, an organization's overall network architecture can affect its security posture. Firewalls, remote access devices, network segmentation, and logging and monitoring can all impact how well an organization balances its business and security objectives. We review these factors and determine whether changes are necessary.
Firewall Review: Firewall rules evolve over time and, if not managed properly, can contain logic and rules that provide attackers with a path into the system and a way to remove data from the environment. We conduct detailed reviews to identify inappropriate defaults, obsolete rules, contradictory entries, inadequate logging, unstructured maintenance protocols and appliance vulnerabilities.
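As an added illustration of what a rule-set review looks for (example code written for this page, not a Lodestone tool), the linter below walks a constructed first-match rule list and flags three of the defect classes named above: a rule shadowed by an earlier one (contradictory when the actions differ, obsolete when they agree), deny rules that do not log, and an allow-anything default. The rule format and sample rules are assumptions for the example.

```python
from ipaddress import ip_network
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    """Simplified first-match firewall rule (assumed format for this example)."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: str     # single destination port or "any"
    log: bool     # whether matches are logged


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`,
    i.e. `inner` can never be reached if `outer` precedes it."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.port in ("any", inner.port))


def lint(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        # Shadowing: an earlier, broader rule already decides this traffic.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "contradictory" if earlier.action != rule.action else "obsolete"
                findings.append((rule.name, f"{kind}: shadowed by {earlier.name}"))
                break
        # Inadequate logging: blocked traffic that leaves no trace for monitoring.
        if rule.action == "deny" and not rule.log:
            findings.append((rule.name, "inadequate logging: deny without log"))
        # Inappropriate default: a catch-all permit negates every rule below it.
        if (rule.action == "allow" and rule.port == "any"
                and rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0"):
            findings.append((rule.name, "inappropriate default: allow any/any"))
    return findings


# Constructed sample rule set; only r1 and r3 are clean.
SAMPLE_RULES = [
    Rule("r1", "allow", "0.0.0.0/0", "10.0.5.10/32", "443", True),
    Rule("r2", "deny", "192.168.1.0/24", "10.0.5.10/32", "443", False),
    Rule("r3", "allow", "10.1.0.0/16", "10.0.0.0/8", "any", True),
    Rule("r4", "allow", "10.1.2.0/24", "10.0.5.0/24", "22", True),
    Rule("r5", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", False),
]

if __name__ == "__main__":
    for name, finding in lint(SAMPLE_RULES):
        print(f"{name}: {finding}")
```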
Security Awareness Evaluation (Social Engineering): Human error is at the root of all security issues. Programmers make software development mistakes. System and network administrators misconfigure systems. Users do things that expose their computers and networks to risk, such as conveying sensitive information by telephone, complying with phishing email instructions, and plugging in USB devices of unknown origin. We conduct social engineering exercises to evaluate end-user understanding of the threats posed by common activities they perform.
Security Awareness Training: We offer end-user security training that gives users an understanding of how the technology works and how their actions might compromise the security of the network.