IT Security Testing
Help protect your information assets through complete penetration testing and a vulnerability assessment.
With today's advanced threats, rapidly changing malware and a constantly shifting legal and regulatory landscape, it's essential to clearly understand the risks associated with your information technology assets. While a third party may already be conducting your security testing, maybe it's time for a new perspective—because not all testing is the same.
The McGladrey difference - complete testing and personal attention
Contrary to what many believe, security testing isn't a commodity service. Real differences exist in capabilities and depth of testing, but the most drastic differences don't stem from purely technical factors. Rather than addressing a catalogue of technical findings as the final goal, security testing that delivers real value uses technical methods and results to support business-level risk management.
McGladrey's testing teams differentiate themselves by focusing on:
- Systemic issues—Using testing results to identify the root causes of various types of risks. Does your organization struggle to maintain web applications? Secure databases? Harden UNIX servers? If weaknesses in the underlying processes aren't identified, the same vulnerabilities will continually reappear.
- Multi-factor risks—While many security testing providers focus exclusively on a vulnerability's technical risks, true value comes from translating those technical risks into regulatory compliance, legal and operational risks. Two vulnerabilities may be completely identical but still present vastly different risks, depending on the system, applications, data, or business processes they affect.
- Consistent frameworks—How do you know if testing was done completely and correctly? How do testers validate they performed the appropriate levels and types of testing? At McGladrey, we base testing methodologies on widely accepted frameworks, such as OSSTMM, OWASP, PTES and SANS SCORES.
- Controls assessments—Assessment data is extremely valuable to validate the effectiveness or existence of controls and processes. While general "checklist" style audits work well to assess policies governing controls, or to perform spot checks of specific systems, full security testing is often needed to validate the effectiveness of technical controls across an enterprise. Processes tested can include patching and vulnerability management, configuration management, SDLC, security monitoring and incident response, security awareness training, data loss prevention and data protection.
The graphic below illustrates our penetration testing process:
McGladrey delivers a wide variety of security assessments:
- External network-level testing is the traditional form of testing and can include "black-box testing" and "white-box testing."
  - "Black-box testing"—testers have no prior knowledge of your organization's systems. Testing is more realistic and represents what a real attacker would do.
  - "White-box testing"—testers have complete knowledge of your systems. Testing is more complete and focused than black-box testing, but the results are not as realistic.
- Internal network-level testing is similar to external network testing but is performed on your internal network and systems. This style of testing is useful for validating internal controls and mimicking the activities an attacker would take if they gained access to the internal environment via compromising external systems or delivering malware to employees.
- Application-level testing involves analyzing your applications to try to identify vulnerabilities created through maintenance, configuration, or architectural issues, often by testing from unauthenticated and authenticated perspectives. Testing can be performed against an application's production version, while it's in development status, and against the actual source code.
- Social engineering testing focuses on assessing the security awareness of an organization's employees. Testing styles include fake phone calls, emails, websites and pseudo-malware.
- Extrusion testing—This form of penetration testing determines how easily sensitive information can be pushed from the inside out, testing the effectiveness of the data leakage prevention (DLP) systems, proxies and security monitoring.
Your own client service coordinator
Security testing at McGladrey is a managed process, where a real, live person—your own client service coordinator (CSC)—is assigned to your organization. Your CSC is responsible for:
- Working with you to create a project plan and define the scope and goals of the testing.
- Tracking major milestones and performance expectations.
- Delivering meaningful reports that eliminate meaningless results and false positives. Our reports are concise and accurate, based on manual tools and cross-validation checks, and take into account far more than sets of individual technical findings.
McGladrey digs deep
Unlike most providers, we give you experienced, dedicated testers who spend the time to deliver value-added, meaningful tests focused on business risk.
Because at McGladrey, we dig deep.