Types of assessments we offer
- Network Vulnerability – This is the most common assessment performed by consulting firms. Simply put, it consists of assessing all devices accessible from your network. The state of these devices' operating systems and installed applications is analyzed. If credentials are supplied, the assessment's accuracy increases and configuration analysis becomes possible. The complexity of this assessment grows with the number of IP addresses and network segments in use.
- Web Vulnerability – A web vulnerability assessment analyzes web servers and the applications running on them. Because of the immense popularity of the web, attacks have now shifted to abusing web architecture. Since these issues are not detectable with a traditional network vulnerability scan, a web vulnerability scan is required. The scoping process focuses on the complexity of the application's design and on the ability to run long-term tests.
- Private Data – In order to know how potential threats will affect your organization, we must understand how data flows within your environment. This involves assessing not only the areas in which we know data is stored, but also ad-hoc areas of data storage such as personal data shares. By identifying and reducing the number of data locations, your organization can reduce both storage costs and security risks.
- Public Data – There is much more involved in security than defense. A public data assessment focuses on identifying which data is available on the Internet so the organization can identify what information is available to attackers. By containing what is containable and protecting against what is not, organizations can improve their defenses accordingly.
- Database Vulnerability – This analysis focuses on specific database technologies like Oracle, Microsoft SQL Server, MySQL or PostgreSQL databases. Common configuration problems are detected at several layers – from network to operating system to database-specific controls.
- Strategy – A strategy assessment feeds directly from other assessments. Once we understand your current IT infrastructure and planned security projects, we identify gaps and build a multi-year plan to effectively improve your security posture. While this assessment is often combined with network and web vulnerability assessments, it can draw from others as well.
- Compliance – A compliance assessment considers the regulations with which an organization must comply. It not only focuses on preparation for a full-fledged audit and on how compliance may be demonstrated to auditors; it also provides a long-term plan for both achieving and maintaining compliance. Often, to reduce costs, partial assessments may be done over time, resulting in a full assessment at the end of the process. Common compliance assessments include PCI, HIPAA and FDIC audit preparation.
Types of assessments we offer in partnership
- SSAE 16 and ISAE 3402 – SSAE 16 SOC 1 (formerly SAS 70) and related assessments such as SOC 2 and SOC 3 come in numerous flavors. They can focus on Financial, Security, Availability, Processing Integrity, Confidentiality, Privacy and issues specific to the Web. These assessments must be approved by a competent CPA firm, not just based on the opinion of a single security company. Eyra partners with a few carefully vetted CPA firms so our clients get the best mix of technical, operational and financial assessment to prepare for a full-fledged audit.
- Social Engineering – Social engineering attacks involve your technology, but their true targets are your employees. Assessing susceptibility to social engineering is very different from other assessments and requires people highly skilled in practical psychology. For this reason, we have partnered with the experts at Social-Engineer.com to provide the best social engineering assessment available, but within the Lean Security model.