Identify the vulnerabilities that open your business up to cyber threats.

Prioritise your cyber security response and budget according to the weaknesses you have and how easily they could be exploited by attackers.

What is an Enhanced Vulnerability Assessment (EVA)?

Vulnerabilities are security defects that require remedial action. Once a vulnerability is discovered it is only a matter of time before attackers take advantage of it. The Enhanced Vulnerability Assessment (EVA) examines both your technical controls and your people to hunt for vulnerabilities that could be exploited. Each vulnerability found is ranked according to a matrix of factors, including whether any known exploits exist.

The EVA is more thorough than an automated vulnerability scan but not as extensive as a full penetration test. It therefore suits organisations that want to identify and remedy security vulnerabilities but are not yet ready for a penetration test, or that want a deeper assessment between penetration tests.

Why have an Enhanced Vulnerability Assessment?

The ICO recently issued a large fine to Carphone Warehouse, citing “inadequate vulnerability testing & penetration testing” as one justification for the penalty.

Social engineering is one of the biggest threats to company security at the moment, and the EVA includes two social engineering assessments: phishing and vishing.

GDPR requires you to be able to demonstrate that your security measures are appropriate; an independent assessment report such as our final report is one piece of that evidence.

Your clients are becoming increasingly aware of cyber security and look favourably on companies that commission external testing.

It shows you where to spend your security budget so you don’t waste money on the wrong controls.

The Process

Pre-engagement meeting

The scope of the test is discussed & agreed, and the terms of testing are drawn up & signed. You also help design the social engineering parts of the test, for example which staff and pretexts are in scope.

Threat Modelling

We gather intelligence on your organisation & staff and use it to develop the attack vectors for the assessment.

Assessment

We test your infrastructure, website, staff and online presence, recording each finding for the report.

Report and debrief

We write up the report & present it to you as part of a full debrief, with recommendations to improve your security.

Testing elements

Phishing

Email attacks range from easy to spot to sophisticated & targeted. Email remains one of the most common initial attack vectors. Can your staff spot them?

We test employees against two levels of phishing attack: an easy one with lots of clues & mistakes, and a harder-to-spot spear phishing attack built from what we learn about your organisation. This tells us what level of security awareness your staff have.

You decide whether the test uses links, attachments or a page that asks for login credentials.

We work with your IT team to measure both the click rate and the reporting rate (the proportion of staff who reported the email rather than ignoring it). Both are used to calculate the final score for this part of the test.
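As an added illustration (not the assessor's own tooling or scoring method), the script below takes a per-recipient event export from a phishing platform and derives the click rate, reporting rate and a combined score for each of the two campaign levels. The event format, the campaign names, the sample data and the 60/40 weighting are all assumptions made for the example; the page says only that both rates feed into the score.

```python
"""Score a simulated phishing campaign from per-recipient event records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed sample export (assumed format): "campaign,recipient,event,timestamp".
# Events: sent, opened, clicked, submitted (typed credentials) and reported (to IT).
SAMPLE_EVENTS = """\
easy,alice@example.test,sent,2024-03-04T09:00:00
easy,alice@example.test,opened,2024-03-04T09:05:10
easy,alice@example.test,reported,2024-03-04T09:06:02
easy,bob@example.test,sent,2024-03-04T09:00:00
easy,bob@example.test,clicked,2024-03-04T09:20:41
easy,bob@example.test,clicked,2024-03-04T09:21:03
easy,carol@example.test,sent,2024-03-04T09:00:00
easy,dave@example.test,sent,2024-03-04T09:00:00
easy,dave@example.test,clicked,2024-03-04T10:02:00
easy,dave@example.test,reported,2024-03-04T10:03:30
spear,alice@example.test,sent,2024-03-11T14:00:00
spear,alice@example.test,clicked,2024-03-11T14:07:12
spear,alice@example.test,submitted,2024-03-11T14:07:50
spear,bob@example.test,sent,2024-03-11T14:00:00
spear,bob@example.test,clicked,2024-03-11T14:15:00
spear,carol@example.test,sent,2024-03-11T14:00:00
spear,carol@example.test,reported,2024-03-11T14:40:00
spear,dave@example.test,sent,2024-03-11T14:00:00
"""


@dataclass
class CampaignResult:
    campaign: str
    recipients: int = 0              # people who were actually sent the lure
    clicked: int = 0                 # distinct people who clicked (or submitted)
    submitted: int = 0               # distinct people who entered credentials
    reported: int = 0                # distinct people who reported the mail
    clicked_then_reported: int = 0   # clicked but still raised the alarm
    fastest_report_minutes: Optional[float] = None

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients if self.recipients else 0.0

    @property
    def score(self) -> float:
        # Assumed weighting for illustration only: not clicking is worth 60 points,
        # reporting is worth 40, so staff who click nothing but report nothing score 60.
        return 100.0 * (0.6 * (1.0 - self.click_rate) + 0.4 * self.report_rate)


def parse_events(text: str) -> Dict[tuple, Dict[str, list]]:
    """Group event timestamps by (campaign, recipient) and event type."""
    grouped: Dict[tuple, Dict[str, list]] = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        campaign, recipient, event, stamp = (f.strip() for f in line.split(",", 3))
        grouped[(campaign, recipient.lower())][event].append(datetime.fromisoformat(stamp))
    return grouped


def score_campaigns(text: str) -> Dict[str, CampaignResult]:
    results: Dict[str, CampaignResult] = {}
    for (campaign, _who), events in parse_events(text).items():
        if "sent" not in events:
            continue  # stray events for someone never targeted must not inflate the denominator
        r = results.setdefault(campaign, CampaignResult(campaign))
        r.recipients += 1
        # A credential submission implies a click even if the click event was lost,
        # and repeated clicks by one person count once.
        clicked = "clicked" in events or "submitted" in events
        reported = "reported" in events
        r.clicked += int(clicked)
        r.submitted += int("submitted" in events)
        r.reported += int(reported)
        r.clicked_then_reported += int(clicked and reported)
        if reported:
            minutes = (min(events["reported"]) - min(events["sent"])).total_seconds() / 60
            if r.fastest_report_minutes is None or minutes < r.fastest_report_minutes:
                r.fastest_report_minutes = minutes
    return results


if __name__ == "__main__":
    for r in score_campaigns(SAMPLE_EVENTS).values():
        print(f"{r.campaign:6s} click {r.click_rate:.0%}  report {r.report_rate:.0%}  "
              f"submitted {r.submitted}  fastest report {r.fastest_report_minutes}  score {r.score:.0f}")
```

The "clicked then reported" count and the time to first report are worth keeping in the write-up: a user who clicks and then reports within minutes gives the security team a chance to respond, whereas a low click rate with nobody reporting means the first real attack will go unnoticed.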

Vishing

A phone call attack used to gather intelligence for a further attack. Would your staff hand over valuable information over the phone?

Attackers usually use vishing as a reconnaissance tool to gather sensitive information about your organisation before an attack is launched.

A log of the call is made and included in the final report.

Vishing is also a good test of how well your staff follow policies & procedures, such as verifying a caller’s identity before releasing information.

The reconnaissance done during a vishing call often helps us set up the impersonation attacks later in the test.

Website

The security of your website is vital to your business reputation and operations. We perform a thorough vulnerability assessment of your website, including checking it against the OWASP Top 10 security risks.
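One concrete check from such an assessment, added here as an example rather than taken from the assessor's methodology: the script below parses captured HTTP response headers and reports the security-header and cookie-flag weaknesses that fall under the OWASP Top 10 category Security Misconfiguration. The hostname, the captured headers and the one-year HSTS threshold are assumptions for the example.

```python
"""Check a captured HTTP response for the security headers and cookie flags a
web vulnerability assessment looks at under OWASP's Security Misconfiguration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed response headers for a hypothetical host, as captured with
# `curl -sI https://www.example.test/`.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.49 (Unix)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: session=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=300
"""

MIN_HSTS_AGE = 31536000  # one year: assumed threshold, also the HSTS preload minimum


@dataclass
class HeaderFinding:
    header: str
    issue: str


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Header names lower-cased; repeated headers (Set-Cookie) keep every value."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_response(raw: str, over_https: bool = True) -> List[HeaderFinding]:
    h = parse_response(raw)
    findings: List[HeaderFinding] = []

    def first(name: str) -> Optional[str]:
        return h.get(name, [None])[0]

    # Transport: HSTS only means something on an HTTPS origin.
    hsts = first("strict-transport-security")
    if over_https:
        if hsts is None:
            findings.append(HeaderFinding("Strict-Transport-Security", "missing"))
        else:
            m = re.search(r"max-age=(\d+)", hsts)
            if not m or int(m.group(1)) < MIN_HSTS_AGE:
                findings.append(HeaderFinding("Strict-Transport-Security", "max-age below one year"))

    # Content handling: CSP, framing, MIME sniffing.
    csp = first("content-security-policy")
    if csp is None:
        findings.append(HeaderFinding("Content-Security-Policy", "missing"))
    if first("x-frame-options") is None and not (csp and "frame-ancestors" in csp):
        findings.append(HeaderFinding("X-Frame-Options", "missing and no CSP frame-ancestors: clickjacking possible"))
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append(HeaderFinding("X-Content-Type-Options", "missing or not 'nosniff'"))

    # Session cookies: each Set-Cookie is checked on its own.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if over_https and "secure" not in attrs:
            findings.append(HeaderFinding("Set-Cookie", f"{name}: missing Secure"))
        if "httponly" not in attrs:
            findings.append(HeaderFinding("Set-Cookie", f"{name}: missing HttpOnly"))
        if "samesite" not in attrs:
            findings.append(HeaderFinding("Set-Cookie", f"{name}: missing SameSite"))

    # Information disclosure: product versions in banner headers.
    for name in ("server", "x-powered-by"):
        value = first(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(HeaderFinding(name.title(), f"version disclosure: {value}"))
    return findings


if __name__ == "__main__":
    for f in check_response(SAMPLE_RESPONSE):
        print(f"{f.header}: {f.issue}")
```

On the constructed response the `session` cookie is flagged three times while `prefs` passes, which is the kind of per-cookie detail a report needs: the fix is specific to the cookie that carries the session, not a blanket statement that "cookies are insecure".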

Infrastructure

We scan your network for known vulnerabilities in your operating systems, exposed ports and running services. This can be done both from inside your network and from the internet, so that you see your exposure from a potential attacker’s perspective.
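The following is an added example, not the assessor's scanner: it reads an nmap -sV XML report (a constructed one for two hypothetical hosts is embedded) and turns open ports into findings, treating the scan position (external or internal) differently as the paragraph above describes. The baseline of minimum acceptable versions is a hypothetical placeholder for the vulnerability-database lookups a real assessment performs.

```python
"""Turn an nmap -sV XML report into infrastructure findings: open cleartext
protocols, management services reachable from the scan position, and service
versions below a baseline."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed nmap output for two hypothetical hosts (not a real scan).
SAMPLE_NMAP_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/28">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.49"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline of minimum acceptable versions.  A real assessment takes
# this from vendor support lifecycles and vulnerability-database lookups against
# the detected version, not from a hard-coded table.
MIN_VERSIONS = {"OpenSSH": "8.0", "Apache httpd": "2.4.50", "vsftpd": "3.0.3"}
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap"}
MANAGEMENT = {"ssh", "telnet", "ms-wbt-server", "microsoft-ds", "vnc"}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    issue: str


def version_key(version: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); '7.4p1' -> (7, 4, 1).  Fine for dotted numeric
    schemes; distribution backports need a per-vendor lookup instead."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess_scan(xml_text: str, external: bool) -> List[Finding]:
    """external=True means the scan ran from the internet, so any management
    service that answered is internet-exposed; an internal scan only flags
    cleartext and outdated services."""
    findings: List[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are noted in the scan but are not findings
            portid = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            if name in CLEARTEXT:
                findings.append(Finding(addr, portid, name, "cleartext protocol"))
            if external and name in MANAGEMENT:
                findings.append(Finding(addr, portid, name, "management service exposed to the internet"))
            baseline = MIN_VERSIONS.get(product)
            if baseline and version and version_key(version) < version_key(baseline):
                findings.append(Finding(addr, portid, name, f"{product} {version} below baseline {baseline}"))
    return findings


if __name__ == "__main__":
    for f in assess_scan(SAMPLE_NMAP_XML, external=True):
        print(f"{f.host}:{f.port} {f.service}: {f.issue}")
```

Running the same report with `external=False` drops the two "exposed to the internet" findings but keeps the cleartext and outdated-version ones, which is why the two scan positions are reported separately rather than merged.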

Policy

We review your current policies and procedures to check they meet national & international best practice.

OSINT

What can we find out about you and your staff online? How would an attacker use this? Is your online footprint too large?

We collect & analyse Open Source Intelligence (OSINT) in the same way an attacker would, and use it to mount a convincing attack.

Some of the sources we look at include:

• Corporate website & job adverts

• Document & photo metadata

• Reverse image searches

• Email addresses & enumeration

• Social media

• DNS records

• Geolocation data
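DNS records are the OSINT source most directly tied to the phishing test above: if a domain publishes no enforced SPF/DMARC policy, an attacker can send mail that appears to come from the organisation itself. The script below is an added example (not the assessor's tooling) that evaluates constructed TXT records for hypothetical domains; the domains, the records and the three-level risk scale are assumptions. In a live assessment the records come from `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.

```python
"""Assess from published DNS TXT records whether mail spoofing the
organisation's own domain is likely to be delivered."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed TXT records for hypothetical domains, in the form returned by
# `dig +short TXT <name>`.  In a live assessment these are fetched from DNS.
SAMPLE_TXT: Dict[str, List[str]] = {
    "strict.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "lax.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.lax.example": ["v=DMARC1; p=none; rua=mailto:dmarc@lax.example"],
    "broken.example": ["v=spf1 ip4:198.51.100.10 -all", "v=spf1 include:spf.other.example -all"],
    "_dmarc.broken.example": ["v=DMARC1; p=quarantine; pct=10"],
    "bare.example": ["site-verification=abc123"],
}


@dataclass
class SpoofReport:
    domain: str
    spf_qualifier: Optional[str]   # '-', '~', '?', '+' or None when SPF is absent/invalid
    dmarc_policy: Optional[str]    # 'reject', 'quarantine', 'none' or None
    risk: str                      # assumed scale: low / medium / high
    notes: List[str] = field(default_factory=list)


def parse_spf(records: List[str], notes: List[str]) -> Optional[str]:
    """Return the qualifier on the 'all' term, or None if SPF is unusable."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        notes.append("no SPF record")
        return None
    if len(spf) > 1:
        notes.append("multiple SPF records: receivers treat this as permerror, i.e. no SPF")
        return None
    for term in spf[0].split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    notes.append("SPF record has no 'all' term (implicit neutral)")
    return "?"


def parse_dmarc(records: List[str], notes: List[str]) -> Dict[str, str]:
    """Return the DMARC tags as a dict (empty when no record is published)."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        notes.append("no DMARC record")
        return {}
    tags: Dict[str, str] = {}
    for tag in dmarc[0].split(";"):
        if "=" in tag:
            k, v = tag.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("p") == "none":
        notes.append("DMARC p=none only monitors; it does not block spoofed mail")
    if tags.get("pct", "100") != "100":
        notes.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    return tags


def assess_domain(domain: str, txt: Dict[str, List[str]]) -> SpoofReport:
    notes: List[str] = []
    spf = parse_spf(txt.get(domain, []), notes)
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []), notes)
    policy = dmarc.get("p")
    enforced = int(dmarc.get("pct", "100")) == 100
    # A spoofed mail fails both SPF and DKIM alignment, so an enforced DMARC
    # policy decides its fate.  Without one, delivery depends on how each
    # receiver treats the SPF result, and softfail/neutral rarely blocks anything.
    if policy == "reject" and enforced:
        risk = "low"
    elif policy == "quarantine" and enforced:
        risk = "medium"
    elif spf == "-":
        risk = "medium"
        notes.append("relying on SPF hardfail alone; many receivers only downgrade, not reject")
    else:
        risk = "high"
    return SpoofReport(domain, spf, policy, risk, notes)


if __name__ == "__main__":
    for d in ("strict.example", "lax.example", "broken.example", "bare.example"):
        r = assess_domain(d, SAMPLE_TXT)
        print(f"{d}: SPF {r.spf_qualifier} DMARC {r.dmarc_policy} -> {r.risk}; " + "; ".join(r.notes))
```

The `broken.example` case is the one worth showing a client: two SPF records look like diligence but are a permanent error to every receiver, and a DMARC `pct=10` means nine out of ten spoofed messages are never quarantined.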


Why choose us?

Our consultants are subject matter experts who speak at events around the world on cyber security & social engineering.

We specialise in producing high quality reports that translate complicated technical concepts so that a non-technical audience can understand them.

We handle the entire process and are vendor neutral. Our priority is your security & nothing else.