Vulnerability Assessment


External Vulnerability Assessment

External Vulnerability Assessments are intended to evaluate the overall security posture of the enterprise from the perspective of an anonymous source on the Internet, as it relates to the services the enterprise exposes through its perimeter. Our methodology starts with a process called “Fingerprinting,” during which we perform reconnaissance on the target organization by reviewing public sources of information (such as network registrars, DNS servers, email servers, routing tables, public special interest groups, etc.). The goal is to evaluate what information an anonymous attacker could gather as a starting point for an attack, or feed into a parallel route that exploits non-technical weaknesses (Social Engineering).

Once fingerprinting is complete we perform technical testing with the QualysGuard Vulnerability Manager platform using a scanning profile that is mutually selected for the assets in scope of the review. The vulnerability assessment process gathers data on open ports and vulnerabilities for each asset exposed to the Internet (and within scope). The output from the vulnerability assessment is a summary report of findings and recommendations. The report of findings includes root cause analysis of the data collected during the engagement and offers the management team a project-based, prioritized view of remediation steps.

Internal Vulnerability Assessment

Internal Vulnerability Assessments differ from external assessments in that their goal is to evaluate the overall security posture of the enterprise against potential attacks from “insiders,” other trusted parties or an attacker who has already successfully penetrated the perimeter of the organization. In conjunction with the Enterprise Architecture Assessment as a first step, we perform technical testing with the QualysGuard Vulnerability Manager platform using a scanning profile that is mutually selected for the assets in scope of the review. With the data we collect during the technical testing phase and in conjunction with information gathered during the Architecture Assessment, we then perform extensive root cause analysis prior to compiling a summary report of findings.

The summary report of findings and recommendations is presented along with the detailed raw reporting from the vulnerability assessment. The raw reports provide comprehensive recommendations for addressing every issue discovered, while the summary report identifies gaps in program components that, when treated as remediation projects, address whole groups of vulnerabilities at a time through process improvements rather than one-off remediation activities.


Bundled Vulnerability Assessment Services

Baseline Security Assessment

The process starts with pre-assessment data collection, on-site data collection, analysis and reporting and ends with a report of findings presented in an interactive and educational workshop.

Our BSA includes the following components:

Technical Security Assessment

The Technical Security Assessment (TSA) takes a holistic view of your technical environment by looking at vulnerabilities together with the processes and procedures that are the root causes of risk in your enterprise.

After data collection, we compile a summary report that details findings, observations, recommendations and detailed remediation steps; for repeat customers it also includes trending data to help gauge overall technical program maturity.

Optional services can be added as desired to round out any areas that are not included as a base component of the TSA.

Our TSA includes the following components:

Quarterly PCI Compliance Testing

To address the PCI-DSS compliance requirement for quarterly external technical testing, CynergisTek has partnered with Qualys and offers the QualysGuard PCI application for all of our clients’ quarterly PCI compliance testing needs. QualysGuard PCI provides organizations with an easy and cost-effective way not only to demonstrate compliance with PCI-DSS through quarterly scanning, but also to select and complete the requisite annual self-assessment questionnaire. As an added benefit, with QualysGuard PCI the entire compliance package can be submitted electronically to the acquiring bank, making the whole process paperless and as easy as pushing a button.

CynergisTek bundles several technical services to offer a Baseline Security Assessment over a 90-day period. This assessment identifies security gaps without conducting the HIPAA risk requirement. Many organizations find this type of security assessment helpful during the merger and acquisition process, when a third party conducts a security assessment on behalf of the organization being acquired.


What Our Clients Say

Having a partner that is actively monitoring our systems, trends, local and global threats not only saves the Virtua IT Security team time, but provides us with the ability to proactively look at potential threats to plan accordingly. The partnership with CynergisTek has allowed us to focus on compliance, developing risk programs, policy and procedures leading to a culture focused on making us more secure.

Tom Gordon, CIO, Virtua

Security has become a necessary and critical strategic pillar for our organization, and it is too broad and complex for a provider organization to keep up with on their own. Having a partner like CynergisTek with depth and breadth of knowledge and expertise is a crucial asset for our organization. I can’t imagine navigating these issues without them.

John Mangona, Vice President, Chief Information & Compliance Officer, Saratoga Hospital
