Understanding where you are and where you want to be as an organization is critical to success. Without a clear plan and target state, project budgets are hard to align, and inconsistent application of security across the enterprise and out-of-control costs are the natural consequence. Executives need to be able to answer these three questions quickly:
- Where are we currently as an organization against regulatory obligations, industry-recognized standards and guidance, and our own organization-defined values (ODV)?
- What strategy do we implement to ensure a consistent rollout of security at the most efficient cost?
- Does our organization have the right people, process, and technology to adequately prevent, detect, and respond to rapidly evolving cyber threats?
Cyber Vulnerability Assessments (CVA) – Scanning infrastructure components for vulnerabilities, both known and unknown. Different types of scanners are available, and which one is best is determined during initial discussions between the customer and the people doing the assessment. There are multiple types of vulnerability assessments that may be performed, using both passive and active techniques to ensure a solid balance between generating vulnerability information and limiting risk to production systems:
- System Scanning – where network gear is scanned (firewalls, servers, endpoints, IoT devices, OT devices, etc.).
- Application Scanning – where applications running on the network are tested for specific types of well-known vulnerabilities. Typically, these would involve ports 80 and 443, but may involve other ports that the applications are known to use.
- SAST – Static Application Security Testing is performed while an application or system is not running. This means the source code or firmware itself is thoroughly analyzed.
- DAST – Dynamic Application Security Testing is performed while an application or system is running. The system is exercised, and weaknesses are noted.
- IAST – Interactive Application Security Testing consists of some combination of SAST and DAST strategies.
- ICS Protocol Assessment – Are OT devices susceptible to harmful manipulation through native ICS protocols issued from unauthorized locations?
Penetration Testing – As an extension of a CVA, a classic penetration test may simply build on a vulnerability assessment: each entry in the list of results is tested to see how far into the network that vulnerability would permit an attacker to go. Additionally, penetration tests may be performed against applications, firmware, chipsets, network cards, or other devices. RTI penetration tests extend this basic concept to understand how and why OT environments may be compromised, through three attacker profiles:
- External Attacker – Attackers from the Internet with no prior system knowledge. How do they gain insight, what can they learn, and what can they accomplish based on your attack surface?
- Client-Side Attack – How most attacks today begin. How susceptible are you to threats including social engineering, malware, rootkits, botnets, browser hijacking, and ransomware?
- Insider Threat – Insider threats stretch even the best defenses. How are your internal systems prepared to prevent, detect, and respond to insider threats?
Social Engineering – Social engineering assessments come in several types:
- Vishing – Where an assessor makes phone calls to a pre-determined list of targets and attempts to extract key information or gain access to the victims' devices.
- Phishing – Where an assessor emails a pre-determined list of targets and attempts to extract key information or get the victim to run an application.
- Physical – Where a team of assessors physically attempts to enter a facility and gain access to a list of pre-determined targets or flags.