Technical Security Assessment
Most organisations suffer a security breach because of vulnerabilities existing in their IT infrastructure or because of the use of insecure services.
Secure Core performs Technical Security Assessments to help your organisation understand the technical security vulnerabilities and provide solutions to remediate the identified vulnerabilities.
Dark Web Harvesting
Digital credentials, such as usernames and passwords, connect you and your employees to critical business applications and online services. Criminals know this, which is why digital credentials are among the most valuable assets traded on the Dark Web. Usernames and passwords, the most common digital credentials in use today, are often all that stands between your employees and vital online services, including corporate networks, social media sites and e-commerce sites. Secure Core offers Dark Web Harvesting to identify exposed credentials and alert our customers before hackers can do harm.
Project Cost – $500
Pre-requisite information – official email domain
Open Source Security Review (OSSR)
Throughout their lifecycle, organisations leave a footprint of services on the internet. Many of these services remain published after they are no longer required and pose a security risk to the organisation. Secure Core will conduct a review of such publicly available information and present the findings to the organisation. The following vulnerabilities are normally identified:
- Compromised staff credentials available on the Dark Web;
- Listing of the organisation's external websites and associated vulnerabilities;
- Organisational information disclosed from services;
- Common attack vectors;
- Use of insecure services.
As an outcome of this review, Secure Core will provide a report of identified security vulnerabilities and remediation measures.
Project Cost – $2,500
Pre-requisite information – official email domain
Vulnerability Assessment
Vulnerability Assessment (VA) is a process that defines, identifies and classifies the security vulnerabilities in a computer, network or communications infrastructure. A VA can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.
The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses.
The VA exercise can identify vulnerabilities associated with all types of IT assets like:
- Operating systems e.g. Windows, *nix, Mac;
- Network devices e.g. Router, Load Balancers, Firewalls;
- Databases e.g. Oracle, MSSQL;
- Applications e.g. IIS, Apache.
Secure Core will perform the following tasks as part of the VA exercise:
- Conduct VA of your scoped network;
- Create and deliver a VA report; and
- Walk through the identified security vulnerabilities with the project sponsor.
Internal Vulnerability Assessment
Up to 100 Active IPs – $2,500
Up to 500 Active IPs – $4,000
Up to 1000 Active IPs – $6,000
Up to 2000 Active IPs – $8,000
Above 2000 Active IPs – Request a quote
External Vulnerability Assessment
Up to 10 Active IPs – $1,000
Up to 20 Active IPs – $1,500
Up to 30 Active IPs – $2,000
Up to 50 Active IPs – $3,000
Above 50 Active IPs – Request a quote
User Access Review and Password Audit
Unnecessary access rights and obsolete accounts are among the most common causes of compromise. The issue and its risks are amplified when combined with weak and poor password practices.
To address this, Secure Core will perform a user and privileged access review combined with a password audit to:
- Identify accounts using weak passwords;
- Identify accounts using non-unique passwords;
- Conduct account verification of the Active Directory (AD) Domains;
- Conduct privileged access verification of the Active Directory Domains;
- Audit and report on accounts with:
  - ‘Password Never Expires’;
  - ‘Password Not Required’;
  - ‘Cannot Change Password’;
- Audit and report on accounts that:
  - Have been inactive for more than 90 days;
  - Have not had their password changed for more than 90 days;
- Audit and report on access granted to ex-staff (will require an ex-employee / current employee and contractor list from your HR dept).
As an outcome of this audit, your organisation will be able to:
- Perform an Active Directory (AD) clean-up if required;
- Gain complete visibility into the access and password related weaknesses;
- Avoid unauthorised remote access;
- Reduce the likelihood of credential theft;
- Minimise access related security weaknesses.
Project Cost – $2,500
Pre-requisite information – Secure Core will need access to your organisational Active Directory.
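As an added example (not part of Secure Core's service material), the Python below runs the account checks listed above over a constructed Active Directory export: ‘Password Never Expires’, ‘Password Not Required’, ‘Cannot Change Password’, 90-day inactivity, stale passwords and access still held by ex-staff. The export's field names, the sample accounts, the leaver list and the audit date are assumptions; the userAccountControl bit values are Microsoft's documented ones, and ‘Cannot Change Password’ is pre-resolved into a boolean because AD enforces it through an ACE on the user object rather than a userAccountControl bit.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
STALE_DAYS = 90  # threshold used by the audit items above

# Constructed sample export, not real directory data; field names are an assumption.
# Timestamps are ISO-8601 UTC, None means never. "Cannot Change Password" is an ACE on
# the user object rather than a userAccountControl bit, so the export pre-resolves it.
SAMPLE_ACCOUNTS = [
    {"sam": "jsmith", "uac": 0, "cannot_change_password": False,
     "last_logon": "2024-05-01T08:00:00Z", "pwd_last_set": "2024-04-01T08:00:00Z"},
    {"sam": "svc_backup", "uac": UF_DONT_EXPIRE_PASSWD, "cannot_change_password": True,
     "last_logon": "2024-05-20T08:00:00Z", "pwd_last_set": "2021-01-01T08:00:00Z"},
    {"sam": "old_contractor", "uac": 0, "cannot_change_password": False,
     "last_logon": "2023-11-01T08:00:00Z", "pwd_last_set": "2023-10-01T08:00:00Z"},
    {"sam": "kiosk", "uac": UF_PASSWD_NOTREQD, "cannot_change_password": False,
     "last_logon": None, "pwd_last_set": None},
    {"sam": "disabled_user", "uac": UF_ACCOUNTDISABLE, "cannot_change_password": False,
     "last_logon": "2022-01-01T08:00:00Z", "pwd_last_set": "2022-01-01T08:00:00Z"},
]
FORMER_STAFF = {"old_contractor"}  # constructed stand-in for the HR leaver list
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "as of" date
CATEGORIES = ("password_never_expires", "password_not_required", "cannot_change_password",
              "inactive", "password_stale", "ex_staff_access")

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def audit_accounts(accounts, former_staff, now, stale_days=STALE_DAYS):
    # Map each audit category from the service description to the enabled accounts in it.
    findings = {c: [] for c in CATEGORIES}
    cutoff = now - timedelta(days=stale_days)
    for acct in accounts:
        if acct["uac"] & UF_ACCOUNTDISABLE:
            continue  # disabled accounts are not live exposure; leave them out
        name = acct["sam"]
        if acct["uac"] & UF_DONT_EXPIRE_PASSWD:
            findings["password_never_expires"].append(name)
        if acct["uac"] & UF_PASSWD_NOTREQD:
            findings["password_not_required"].append(name)
        if acct["cannot_change_password"]:
            findings["cannot_change_password"].append(name)
        last_logon = _parse(acct["last_logon"])
        if last_logon is None or last_logon < cutoff:  # never logged on counts as inactive
            findings["inactive"].append(name)
        pwd_set = _parse(acct["pwd_last_set"])
        if pwd_set is None or pwd_set < cutoff:
            findings["password_stale"].append(name)
        if name in former_staff:
            findings["ex_staff_access"].append(name)
    return findings

if __name__ == "__main__":
    report = audit_accounts(SAMPLE_ACCOUNTS, FORMER_STAFF, AUDIT_DATE)
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Disabled accounts are skipped deliberately: the audit targets live exposure, and a separate AD clean-up pass handles disabled-but-unremoved objects.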
Penetration Testing
Stakeholders expect you to undertake periodic security testing of your environment to check its strength and effectiveness in handling attacks. A penetration test simulates a real-world attack with the goal of identifying how far an attacker can penetrate your IT environment.
A penetration test gives you the following benefits:
- Test cyber security defence;
- Identify real risks;
- Third party expert opinion; and
- Comply with regulations and certifications.
Secure Core will determine the success criteria of the penetration test as follows:
- Direct observation of classified services or Client data;
- Compromise of IT devices;
- Compromise of the domain services; or
- No compromise of the target systems.
As an outcome of this penetration test, you will be able to:
- Understand the security risks existing in the IT infrastructure;
- Direct your efforts and investment to address the identified key security risks immediately;
- Produce a program of work to address the remaining security risks;
- Minimise likelihood of security incidents;
- Provide an assurance to the executive board and stakeholders that effective controls are in place to determine and address security risks;
- Satisfy security expectations from stakeholders, like Cyber Insurance Providers.
Pre-requisite information to provide a quote –
- Internal – number of active IPs
- External – number of active IPs
- Web Application – URLs of the websites
Governance, Risk and Compliance
In recent years, there has been a surge in the security expectations from your organisation when performing business operations.
These expectations include the security of:
- Personal information – Australian Privacy Act and the European Union GDPR;
- Card holder data – Payment Card Industry Data Security Standard (PCI DSS);
- Financial information – Australian Prudential Regulation Authority (APRA) CPS 234;
- Australian Government security requirements –
  - Australian Government Information Security Manual;
  - NSW Digital Information Security Policy;
  - VIC Protective Data Security Standards;
  - SA Information Security Management Framework;
  - WA Digital Security Policy;
  - QLD Information Security Policy;
  - TAS Information Security Policy.
- Customer information – ISO 27001 security standard;
- Expectations from your senior executives to –
  - prevent loss or misuse of classified information;
  - reduce penalties and fines from regulations;
  - reduce cyber security insurance costs;
  - minimise damage to brand image because of security incidents;
  - enhance the organisation's security posture;
  - meet customer contractual obligations and enable business growth; and
  - minimise security incidents.
Our services help organisations align with security standards, compliance and regulatory requirements. These services are designed to identify security gaps in implementation and provision remediation services to address those gaps. In this process, organisations enhance their security posture, expertise and minimise likelihood of security incidents, which further enhances business prospects.
Security Audit
A Security Audit is the process of assessing the security policies, processes and practices followed within the organisation's business operations.
Secure Core conducts this audit against the ISO 27001 security standard. As part of the Security Audit, we evaluate the effective implementation of security in the following areas:
- Security Governance
- Risk Management
- Information Security Policies
- Organisation of information security
- Human Resource Security
- Asset Management
- Access Control
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
APRA CPS 234 Compliance
Financial institutions in Australia are regulated by the Australian Prudential Regulation Authority (APRA). An APRA-regulated entity is expected to implement the security requirements of APRA CPS 234, which relates to the Management of Security Risk in Information and Information Technology.
APRA CPS 234 mandates that an APRA-regulated entity implement the following –
- clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
- maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
- implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
- have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
- notify APRA of material information security incidents.
Secure Core helps APRA-regulated organisations comply with these requirements by providing the following services:
- Risk Management
- Security Audit
- Formulating a Security Implementation Roadmap (SIR)
- Documenting security policies and procedures, including:
  - Data Classification
  - Risk Management
  - Security Incident Management
  - Vulnerability Management
- Conducting Security Awareness Training
- Penetration Test
- Vulnerability Assessment
- Conducting Supplier Security Reviews
Risk Assessment
Risk Assessment is the process of identifying the risks prevalent in the organisation. This risk assessment is focused on identifying and managing cyber security risks.
To complete the Risk Assessment, Secure Core will perform the following activities:
- We review your existing Risk Management Policy. If such a policy exists, we align our risk assessment methodology and the Risk Register with your policy, or else we create a Risk Register which aligns with ISO 27005, ISO 31000 & NIST SP 800-30 risk management standards;
- Schedule risk assessment workshops with key stakeholders;
- Prepare and present scenarios of security risks and understand the current risk mitigation controls;
- Finalise the security risks and discuss the acceptable risk remediation controls;
- Identify risk ownership and timelines for risk remediation.
As an outcome of the risk workshops, Secure Core will provide a Risk Register, which details the following:
- Vulnerability description;
- Risk description;
- Risk appetite;
- Root cause & worst-case assessment;
- Impact of the risk on Confidentiality, Integrity and Availability;
- Inherent and residual likelihood, consequence and risk rating;
- Current security controls;
- ISO 27001 reference;
- Risk treatment actions;
- Remediation action type;
- Risk resolution date;
- Risk ownership.
This risk assessment activity will enable you to:
- Identify security risks within the organisation;
- Determine the risk remediation strategy;
- Track progress of the risk remediation actions;
- Assign accountability for the remediation actions;
- Improve the organisational risk posture with remediation controls.
Project Cost – $7,000
ISO 27001 Certification Assistance
Many organisations and service providers choose to go down the ISO 27001 certification path. This helps in fulfilling the security expectations of the majority of stakeholders and customers.
Attaining this certification will provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS) within your organisation.
Secure Core can take you through the entire ISO 27001:2013 Certification process by implementing an effective ISMS.
Security Policy Documentation
Organisations are expected to have documented security policies and procedures. Security policies identify the security controls an organisation would expect to see implemented within its business operations and can benchmark its security implementation against.
As part of this service, Secure Core will formulate the following security documentation:
- Information Security Policy – Document identifying the security controls, objectives and a central linkage for the individual security policies and procedures. This policy will cover the following domains –
  - Security Objectives;
  - Human Resource Security;
  - Access Management;
  - Asset Management;
  - Information Classification, Labelling and Handling;
  - Network Security;
  - Malware Protection;
  - Mobile Devices and Teleworking;
  - Media Disposal;
  - Cryptography and Key Management;
  - Security in Information Transfer;
  - Supplier Security Management;
  - System Acquisition, Development and Maintenance;
  - Acceptable Use;
  - Physical Security.
- Risk Management Procedure – Document identifying the risk management process followed, based on which a risk assessment will be performed.
- Security Incidents and Actions Procedure – Document identifying procedures followed for identifying and addressing security incidents, corrective and improvement actions.
- Vulnerability Management Procedure – Document identifying the procedures followed for prioritising and deploying fixes for security vulnerabilities.
- Supplier Security Procedure – Document identifying the supplier related security requirements expected in supplier engagements.
- Password Standard – Document identifying composition, complexity and security of passwords.
Cyber Security Maturity Assessment
Secure Core has formulated a Cyber Security Maturity Assessment (CSMA) program to help organisations better understand their current security threats and associated risks. Secure Core will conduct a CSMA workshop with the key leaders in your organisation and review 26 security objectives spread across the following 5 security domains:
- Security Management;
- Network Security;
- End Point Security;
- Data Protection;
- Security Monitoring.
The CSMA is designed to provide a consistent risk-based approach to evaluating the organisation's security maturity and is aligned to the ACSC Essential 8 strategies to mitigate cyber security incidents. The CSMA report will provide a road map for future security improvements to increase the organisation's security maturity level. As an output of the CSMA program, we will:
- Determine the current security posture of your organisation;
- Provide recommendations on remediating the identified security risk areas.
Project Cost – $2,500
PCI DSS Gap Assessment
If your organisation stores, processes or transmits Cardholder Data (CHD), it is an expectation from the Payment Card Industry (PCI) council that your organisation complies with the PCI Data Security Standard (DSS).
If you manage payments using your own on-premise or in cloud solutions, then your organisation needs to comply with PCI DSS.
PCI DSS has security expectations around the following areas:
- Install and maintain a firewall configuration to protect cardholder data;
- Do not use vendor-supplied defaults for system passwords and other security parameters;
- Protect stored cardholder data;
- Encrypt transmission of cardholder data across open, public networks;
- Protect all systems against malware and regularly update anti-virus software or programs;
- Develop and maintain secure systems and applications;
- Restrict access to cardholder data by business need to know;
- Identify and authenticate access to system components;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes;
- Maintain a policy that addresses information security for all personnel.
Not complying with these security requirements may result in:
- Suspension of credit card acceptance (no longer being able to accept credit cards as a payment mechanism);
- Increased exposure to cyber-attacks;
- Loss of reputation with customers, suppliers, and partners;
- Loss of customer trust impacting future sales;
- Penalties up to $500,000 by the merchant processor or card brand.
Secure Core provides end-to-end support to organisations with PCI DSS compliance requirements. Our services include:
- PCI DSS Gap Assessment;
- Self-Assessment Questionnaire (SAQs);
- Documentation of Security Policies and Procedures;
- Impart security awareness training on staff;
- Perform Risk Assessment;
- Vulnerability Assessment;
- Penetration Testing;
- Implementation of a Web Application Firewall (WAF);
- Network Security Architecture Review;
- User Access Review and Password Audit;
- Firewall and Router Rule Set Reviews.
A CISO provides oversight and drive to implement and enhance the information security management system in an organisation.
To facilitate this process, Secure Core will work with you to:
- Establish a Security Governance structure –
  - Identify membership and formulate a security committee;
  - Hold a monthly Security Steering Committee meeting;
  - Document and circulate minutes and actions.
- Impart security awareness amongst the key stakeholders
- Create security monitoring documentation –
  - Security Metrics and Measurements – Document capturing security objectives, metrics, and associated measurements.
  - Management Review – Conduct a review, and document and track the effectiveness of the ISMS.
  - Security Calendar – Document identifying the periodic list of security tasks and actions required to be performed.
Training and Awareness
Lack of security awareness amongst staff and contractors has been behind the most serious breaches faced by most organisations.
Whether a staff member clicked on a malicious link received in a legitimate-looking email, or a system administrator used a weak password that was then compromised, the single underlying reason is that staff are not made aware of current security threats and trends.
Secure Core engages with organisations to impart security awareness trainings and phishing campaigns.
Security Awareness Campaign
Staff are considered the weakest link in the security implementation chain. This training program is a means to communicate the organisational security expectations and safeguards against incidents.
Secure Core will formulate a security training program using the KnowBe4 training platform.
Supporting this training program, Secure Core will:
- Create a Phishing campaign to understand the effectiveness of the training and adoption of security principles in daily business operations;
- Provide a training completion and Phishing compliance report.
Project Cost – $5,000 + Licensing cost for KnowBe4
Classroom based training
Secure Core can help you engage your staff in training that has been specifically tailored to your organisation and designed to deliver excellent results. A typical workshop can run for two hours and will be expertly presented by one of our highly experienced security specialists.
Elderslie, NSW - 2570, Australia
Speak to our team of security experts to get started on your security enhancement journey.