External Vulnerability Assessment
During the External Vulnerability Assessment, our consultants will scan any internet-facing devices managed by your institution for security vulnerabilities that might be used to penetrate your information systems. We will also scan the institution's website for security vulnerabilities that attackers could use to deface the site or inject malicious code. In addition, we will look for publicly accessible information about the institution that could help an attacker gathering information in preparation for a targeted attack.
Internal Network Vulnerability Assessment
During the Internal Network Vulnerability Assessment, our consultants will scan all devices on the institution's internal network for security vulnerabilities that might be used to penetrate your information systems. In addition to the vulnerability scan, we will also test network devices for default credentials. The results of our assessment will include details about the identified vulnerabilities and recommendations for remediation.
During this assessment, we can perform either an uncredentialed scan or a credentialed scan. An uncredentialed scan assesses the vulnerabilities that can be detected without network credentials; it identifies what an attacker could find after connecting a rogue wireless device or laptop to your internal network without any known network credentials. A credentialed scan assesses the vulnerabilities that can be detected by a user who can log on to the network. The credentialed scan is more comprehensive than an uncredentialed scan and requires that the institution provide an administrator-level network account to our consultant.
Young & Associates, Inc. offers several options for evaluating and improving the effectiveness of your institution's employee training program with regard to social engineering. Our consultants can perform a one-time phishing test as part of a Vulnerability Assessment or IT Audit, or we can perform quarterly Phishing Training.
For a one-time test, our consultants will send phishing emails in an attempt to manipulate employees into providing information about the institution's customers and information systems. Using the information employees provide, we will attempt to obtain sensitive information and/or unauthorized access to the institution's information systems. Unauthorized access commonly includes access to employee email accounts, remote access to the network, or access to web-based applications.
For ongoing information security training, we offer a quarterly Phishing Training Service. Unlike do-it-yourself services that require someone at your institution to develop phishing scenarios, send the emails, and monitor the results, our consultants do all of the work. We have already developed highly effective training scenarios specifically for financial institutions. Our consultants send the phishing emails, monitor the results, and report the results to your institution's management team. As a result, your institution receives a customized phishing training program for your employees.