According to the Wiki page for Information Security, it's definition is "the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, or destruction."
OK cool, but what exactly does that mean? How do we know if we are defending our information? And if not, what can we do to fix our defenses or improve them? I will answer that, but first know that cyber criminals are continually inventing new ways to gain access to your vital business information. And if you think you are safe because you aren't a "Home Depot" or a "Sony", think again. The average hack lasts 8-10 months and is performed against small businesses for the purpose of gaining sustained access to data, such as SSN#'s, credit cards, or medical records, that can be sold on what's known as the Dark Web. Our job is to make sure you are doing everything you can reasonably due to protect against these threats.
We will subject your computing environment to a multi-phase targeted penetration test and security audit. We will use industry standard tools to employ attacks against your systems to see if they hold up. And yes, these are the same tools the bad guys use! You will sleep better at night knowing your system withstood the barrage of assaults we can throw at your I.T. infrastructure.
Phase one is knowing where and what to defend. We call this your attack surface and it usually starts with simply your company name and website. Your attack surface is anything that a possible attacker can find on you by either directly targeting you, or just happening across your systems presence, such as a firewall, wireless access point, website, etc. From the attack surface a specific attack can be planned and implemented. We will take on the role of an attacker, find this information, then attempt to exploit it.
Phase two is analyzing in detail your public facing and internal systems from the perspective of an attacker that has gained a certain level of access to your network via phase one. This phase involves a series of "discovery" scans to map out a network, expose vulnerabilities, and attempt to exploit them.
Phase three - the report. This is arguably the most important part and the one we take the most pride in. We will give you a detailed document outlining what was found, if and how it makes you vulnerable, and what you can do to fix it. They say information is power, well that's especially true regarding the protection of your data.
Phase four will follow up the report with assistance in remediation of the issues found, whether it be working side by side with your I.T. staff to resolve problems found or fully taking on that role ourselves and securing your network the way it should be, or recommending hardware and services you can implement to better protect your infrastructure. In addition, we can provide employee awareness training, which is especially useful after a successful social engineering campaign.
Each phase will involve one or more of the techniques listed below, but are not limited to those and every audit can be customized to only include certain facets of a penetration test. For example, performing only a social engineering campaign or only a recon of your public facing systems and what's exposed to the world via the Internet.