Testing

Identifying and managing vulnerabilities in systems, networks, and applications is vital to keeping an organization secure. However, actively seeking out vulnerabilities and testing your vulnerabilities' susceptibility to exploitation takes your risk management program to the next level.  cyberTAP has a conservative methodology that balances the risk of active testing and system interruption by providing pragmatic advice and customized reports to assist with any remediation efforts.

External Vulnerability Assessment (generally performed semi-annually)

The cyberTAP security team will perform security testing of Internet-exposed environments to identify potential weaknesses that a remote adversary could exploit.

• External scan of hosts in 30 IP address increments
  • A scan seeking to identify vulnerabilities in Internet-facing hosts.  Both operating system-specific and application-specific scans will be conducted.
• Meta-data analysis of primary web domain
  • A review of documents and data publicly accessible from Healthcare Providers web presence.
• DNS / Whois record review
  • A review of externally facing domain name service and domain name registration records.

The following items are not in this project scope:

• Social engineering of staff.
• Physical penetration of facilities.
• Testing of identified vulnerabilities.

 Deliverables:

• A detailed report summarizing all identified critical, high, and medium level vulnerabilities and recommended action required to resolve or reduce the risk associated with vulnerabilities.
• The output of all technical tests performed.

External Vulnerability Assessment & Penetration Test

The cyberTAP security team will perform security testing of Internet-exposed environments to identify potential weaknesses that a remote adversary could exploit.  Once testing is completed, cyberTAP will attempt to exploit identified vulnerabilities to validate the finding and assist with developing a remediation plan.

• External scan of up to 30 IP addresses (additional systems can be added for larger organizations).
  • A scan seeking to identify vulnerabilities in Internet-facing hosts. Both operating system-specific and application-specific scans will be conducted.
• Meta-data analysis of clients web domain
  • A review of documents and data publicly accessible from Healthcare Providers web presence.
• DNS / Whois record review
  • A review of externally facing domain name service and domain name registration records.
• Manual and automated testing of identified vulnerabilities to gauge the likelihood of successful exploitation.
  • All efforts will be made to exploit networks, systems, and applications without impacting the availability of services or jeopardizing the confidentiality and integrity of data.
  • Interruption in service or availability is not guaranteed during the active testing phase.

The following items are not in this project scope:

• Social engineering of staff.
• Physical penetration of facilities.

Deliverables:

• A detailed report summarizing all identified critical, high, and medium level vulnerabilities and recommended action required to resolve or reduce the risk associated with vulnerabilities;
• Results of the penetration test and recommended steps to take to harden systems from remote exploitation;
• A follow-up scan 4-6 weeks after initial test to assist the client with remediation efforts;
• The output of all technical tests performed.

Password Audits 

 Passw0rd! will meet most basic password requirements but can be cracked in seconds. However, passwords are our first line of defense in protecting data and IT assets, and password audits provide evidence that employees are adhering to password-creation best practices.  cyberTAP can provide organizations great insight into their employee’s password creation habits.  Our password audit will also inform you if any of your employee’s password has been publicly disclosed in a known password dump on the Internet.