When assessing the security maturity of any organization, one of the most important stages of information security management is the identification of threats and risks. To make this identification precise, several approaches are used, depending on the level of the assessment and the focus and rigor required. In practice, unfortunately, only a few types of engagement are commonly carried out, which prevents the organization from perceiving its real risk and from preparing an appropriate mitigation strategy. The result is a growing number of data breaches and successful exploitations by cyber criminals and other parties.
The PreCog Security team focuses on performing a guided audit or test against an organization or a test object. For example, this can include auditing and developing processes for an organization according to ISO 27001, or verifying the security level of an application against the OWASP ASVS (Open Web Application Security Project – Application Security Verification Standard). When a company wants to simulate a realistic threat against a system and find its vulnerabilities, penetration testing of an application, network or organization is recommended. In that case the company chooses the skill level of the attacker it wants to simulate, and the hired testers are aligned to that same skill level in order to discover vulnerabilities and risks.
Our approach to strategic risk assessment and analytical red teaming blends three critical areas, carried out as three phases:
Phase 1 – Baseline Assessment and Identification (where is the organization now)
Phase 2 – Customized Risk Framework Development (where the organization wants to be)
Phase 3 – Implementation of Risk Framework (how the organization is doing)