Assessment consulting for successful security strategies
How do you get an objective overview of existing cyber attacks and vulnerabilities in the IT infrastructure?
Different companies – different starting scenarios: no two infrastructures or corporate risks are the same. The most dangerous cyber threats are individually designed for the vulnerabilities of the company in question. Our expertise and regular security assessments provide you with an overview of your security status and adherence to existing, sector-specific security standards.
We help you with or perform risk assessments, vulnerability assessments, penetration tests and audits for you. To do so, we use the latest standards of ISO 3100:2018 or B3S, as well as market-leading tools.
Identify, assess, control, review
Vulnerability and penetration testing
Revealing vulnerabilities in companies
Pre-audit, planning, certification
The foundation for a successful IT security strategy is laid in the risk assessment. In accordance with the applicable risk management standards of ISO 31000:2018, ISO 14971:2013, or B3S, plus others, we perform a four-stage risk assessment:
- Vulnerability identification
- Risk analysis
- Risk evaluation
- Risk monitoring
Here, our experts look at the relevant assessment methods for the sector, corporate organization and structure, and thus make completely sure that the risk assessment is precisely suited to your needs.
Efficient vulnerability management ensures that companies are not buried in the resulting vulnerability reports, but that these are prioritized according to their relevance to security in computer systems, applications and network infrastructures. It forms part of a sustainable IT security strategy. We formulate our recommendations for improvement simply, understandably, and independently of any specific products.
During the presentation of the test results, of course, you will have the opportunity to discuss the recommendations, possible alternatives, and any questions you might have. And your final report will also be simple and understandable enough to be of the greatest possible benefit to your management. You benefit from the IT management and communication skills of our team. That means you get a suitable, absolutely independent IT security consultation with directly implementable improvement approaches.
Penetration testing workflow
When the pen test is performed, it produces valuable strategic information for your IT and, at the same time, legal verifications for statutory requirements.
To be able to carry out the penetration test appropriately to your system and requirements, we will work with you in advance to build the overall test from individual test scenarios. The test scenarios originate from the following narrowly delineated test modules. We also discuss whether to perform active or passive information gathering in the penetration test.
- I. Social engineering attacks
- Phishing e-mails
- Web presence with and without login
- Phone calls to ask for passwords
- Compromised USB sticks
- Physical access (spying)
- II. Internal security
- Internal network without user account (black box approach)
- Wireless LAN
- Mobile workstation
- Client security (notebooks and desktops)
- III. External security
- Information gathering
- Port scanning
The external view of an attacker:
Cyber scoring uses Framework and publicly available data from intelligent open source tools and technologies (OSINT) to capture information the way attackers also use it.
Cyber scoring provides you with a management report at your disposal that simultaneously serves as documentation and an effectiveness check (GDPR compliant).
The fully automated scoring provides information on the following categories:
- cyber security score
- specific vulnerabilities
- reputation in cyberspace
- employee behavior in cyberspace
- organizational and process risks
- country risks
- trusted encryption
- configuration of the web servers
- attack surface on the Internet
Under "organizational and process risks" you can find out, for example, how well your service providers are prepared with regard to legal requirements (ISO 27001, ISO 9001, GDPR).
Standards create trust.
ISO 27001 has been around since 2005, and is an internationally recognized standard with which companies are not only able to substantiate strict IT security requirements, but also the implementation of specific IT Grundschutz measures.
ISO 27001 is the leading international standard for evaluating the security of information and IT environments. A central requirement for ISO 27001 and a main prerequisite for certification is the introduction of an Information Security Management System, or ISMS for short. The ISO 27001 standard prescribes requirements for implementing and documenting an ISMS. Accordingly, the ISMS defines rules and methods to not only guarantee information security, but also to be able to optimize it.
Consist - Information Security Management System - ISMS
Companies profit from an Information Security Management System in several ways:
- Statutory requirements like compliance regulations are met
- Stakeholders’ trust is strengthened
- Audits are made easier
- Greater security and performance of IT systems is achieved
Our consultants receive regular training and hold personal certification for:
- ISACA ISMS Auditor / Lead Auditor in accordance with ISO/IEC 27001:2013
- Additional auditing procedure competence for Section 8a of the Act on the Federal Office for Information Security (BSIG)
- Data security officer (TÜV)
- compTIA Security+
- IPMA Level D (GPM)
We consult, implement and assist you with the introduction and certification of an ISMS.
If we take a look at the operators of critical infrastructure (KRITIS companies), there are still no specific specifications for introducing an ISMS, however, KRITIS companies must provide verification of IT security every two years in the form of security audits or certification. Introducing an ISMS in accordance with ISO 27001 is currently the best solution for this and it is now mandatory for electricity and gas network operators according to IT security laws.
We provide assistance with or conduct the following for you:
- Training courses and awareness training
- Security audits
- Creation and maintenance of a rule base
- Risk management
- Supervision with external audits
- Support with the introduction of an ISMS
- External ISMS officer