Attackers are clever, opportunistic and relentless. As soon as you lock a door, they crawl through a window. They are constantly analyzing security controls of all types and generating insightful and effective ways to compromise the controls and then steal your assets, or launch a malicious attack. It is this simple truth that requires good security stewards to never stop protecting. Network security and compliance is not a snapshot in time, it is not something you can cross off your “To Do List”, it is never 100% complete. Why? The world is too dynamic. Organizations are constantly creating new data, adding new assets, upgrading existing ones and changing in general. In parallel, attackers are always refining their skills and searching for new ways to exploit your controls. The threat and vulnerability landscape never stops evolving. If you choose to install a new firewall and then wipe your hands clean of responsibility, it will be a matter of time until you find yourself and your organization on the front page of the newspaper classified as the latest victim of cyber-crime. TAG Solutions provides a security and compliance program that is based on industry standards and offers a cyclic approach to protecting the crown jewels of your company.
Before we determine what improvements need to be made to your company’s overall security posture, we must first establish a baseline to understand what threats and vulnerabilities exist and what controls are currently in place to combat them today. Our Security Assessment is designed to compare your security posture with industry standards such as ISO27000, NIST guidelines and SANS 20 Critical Controls. The annual security assessment is a process designed to evaluate the security risks facing a business and the controls or countermeasures adopted by the business to mitigate those risks. It is largely a human process, managed by a team of “assessors” with technical and business knowledge of the company’s information technology assets and business processes. As part of the assessment, TAG Solutions will interview key personnel, catalog existing security policies, procedures and controls, and examine Information Technology assets covered by the scope of the assessment. Ultimately we will produce a formal findings document that clearly defines the results of the assessment, complete with recommendations. Typically there are a number of “gaps” that exist between your company’s current security practice and the industry standards. We will categorize these gaps and use them as input data for the next exercise, Risk Management.
Most organizations find that they have more “Gaps” than they can afford to address. Do not panic, that is OK. Although industry standards offer a great framework for comparison, they do not determine your risk appetite. During Risk Management, our Security Professionals will guide you through an exercise where each “Gap”, “Finding” or “Risk” is critiqued. We will determine the likelihood of exploit and also the impact of exploit. By doing so, we will very quickly be able to determine which risks need to be prioritized and addressed, how quickly we should address them and lastly, which risks we accept and choose not to react to. Essentially we will determine what needs to get fixed and when it needs to get fixed by. And then, we start fixing.
Once we understand our baseline, have identified gaps that exist when compared to industry standards and prioritized our risks – we can roll up our sleeves and start to implement or modify security controls. There are hundreds, if not thousands, of controls that can be used to protect your sensitive data and assets: the lock on a physical door, the awareness of your employees, your policy and procedure library, and many cyber controls such as firewalls, intrusion detection, log correlation, etc. We are ready to help implement any of them. During our remediation efforts we follow a strict project management approach that keeps communication channels active, enforces deadlines and addresses risk. Think of this step as building the defenses that are necessary to combat the threats and vulnerabilities you are exposed to.
Typically, there can be a significant number of changes during the remediation phase of our security program. New security policies can be created, new technologies can be installed, and workflows can be modified. Many times we find that a new control is only effective if used correctly. The deadbolt lock on the front door of your home can be very effective at keeping burglars out of your house, if you use it correctly. Otherwise you simply have an unlocked door. The same is true for security controls in your organization. Encryption technologies are fantastic… if end users use them. Perimeter controls such as firewalls can prevent access to your private network… if they are configured correctly. The person who sits at the front desk can fight social engineering attacks… if they know how to. Get it? There is a definite educational component involved in protecting your company. New and enhanced controls are a really good idea, but we have to make sure that the people who are responsible for using them know when to and how to. Otherwise the effectiveness of these controls can be severely compromised. TAG offers many different forms of security awareness training; more importantly, we insist on measuring the effectiveness of this training over a period of time to make sure that it is working!
We have accomplished a tremendous amount of work so far, but we cannot forget the last step! Many organizations will celebrate completion of their new security program before ever testing it to see if it actually works! Security controls should always work, in theory. We beg you to verify that your security controls work. Test them. If you do not take the time to complete this critical step, then someone else will. You really do not want to turn your testing responsibilities over to the hackers and cyber criminals, do you? It is a silly question, but it is the absolute truth if you elect not to test your controls. During our last step we will provide a comprehensive penetration test where we will attempt to exploit cyber, physical and social controls. The test is meant to simulate a real-world, in-the-wild attack. The results of testing activities will be documented and serve as valuable input criteria for the next security assessment. That’s correct, the next security assessment. You see, once we make it through the gauntlet of assessing, prioritizing, fixing, educating and testing – we start the process all over again. Why? The criminals do not sleep. They keep getting better, and they keep attacking. We need to reciprocate their efforts, otherwise they win and we lose.
Hopefully you understand our approach to becoming your genuine network security partner. Please do not hesitate to contact us with additional questions and inquiries. If you are ready to start protecting yourself, we recommend taking advantage of our FREE Vulnerability Scan. The consequences of not recognizing unknown security vulnerabilities are frightening to even think about. The loss of reputation, the impact of costly fines and the potential loss of precious assets can be overwhelming and devastating. Vulnerabilities need to be identified quickly!
Put that credit card away! As a prospective customer, we’d like to give you a FREE Vulnerability Scan (a $2,000 Value) to:
There is ZERO cost or obligation to buy anything when you request this service. This is simply our way of giving you a risk-free method to ‘sample’ our services before having to make a commitment or payment. We don’t expect everyone to become a client, but we’re sure that a good percentage will end up being long-term cherished customers like the CIO of this Regional Bank:
“Ed has finished the scan and kept us in the loop. He found one case of open SSL and patched it. VPN was OK. This went exactly as I wanted it to. Thank you!” – CIO, Regional Bank
To claim your FREE Vulnerability Scan, simply fill out the request form on this page – or – use the FREE Network Assessment Fax Mail back form, which can be mailed or faxed back to us – or – call us at (518) 292-6500 – or – email your request to email@example.com.