ASK YOURSELF THESE

  • Do you see exponential growth in your business by going digital, but are unsure how secure this transition would be?
  • How will you cope with the increasing volume of legislative, corporate and regulatory requirements, and convince your stakeholders that you are confidently managing and protecting critical information?
  • Can you demonstrate to yourself and your stakeholders that your organisation is protected from cyber criminals and hacktivists, who are growing in scale and sophistication?
  • Do you model tactical and cyber security strategies while projecting your 5-year plan?
  • Are you continually evolving your cyber security architecture to respond to the changing digital environment?

NOW ASK US

  • Do I need help assessing whether the mechanisms to manage our risks are mature?
  • Should I consider creating a stronger security culture within my organisation?
  • Do I need a better understanding of whether I comply with the varied regulatory requirements?
  • Am I looking to take greater control, ensuring that my organisation is prepared for the evolving cyber security landscape?
  • What should I be considering as part of a cyber security strategy?

By conducting a combination of interviews, workshops, policy and process reviews and technical testing, our team takes a positive view of managing cyber security, and the assessment:

  • Identifies current gaps in compliance and risk management of information assets;
  • Assesses the scale of cyber vulnerabilities;
  • Sets out prioritised areas for a management action plan.

This allows you to navigate the cyber security landscape with confidence and achieve your business aspirations.

What is a cyber maturity assessment?

A comprehensive plan that covers every dimension of cyber security. It provides an in-depth review of an organisation’s ability to protect its information assets and of its preparedness against cyber threats, across the following dimensions:

  • Governance
  • Human Factor
  • Leadership
  • Operations
  • Privileges
  • Information Management
  • Hardware and Software
  • Business Continuity
  • Crisis Management
  • Legal and Compliance

CORE DOMAINS

  • Security Management
  • Risk Management
  • Asset Management
  • Third-Party Risk Management
  • Human Resources
  • Policy Framework
  • Governance

Infrastructure Management

  • Database and Data Center Security
  • Web, Network, Mobile and Application
  • Hardware and Software Components
  • Red Team based Assessment

Cyber Security Engineering

  • Security Configuration and Review
  • Malware Defense and Data Protection
  • Updated Security Architecture and Policy

Legal and Compliance

  • Integrity, Confidentiality and Accessibility

ASSESSMENT BASED ON THE NIST CYBERSECURITY FRAMEWORK

Identify

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover

Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Categories within this Function include: Recovery Planning; Improvements; and Communications.

ASSESSMENT INCLUSIONS

Security is concerned with ensuring legitimate use, maintaining confidentiality and data integrity, and auditing activity in the network. A Cyber Maturity Assessment involves security management: the process of identifying assets, threats and vulnerabilities and taking protective measures, without which computing systems may be put to unintended use.

The following three aspects of information security are addressed from the security-service point of view:

  • Security Attack – any action that compromises the security of information owned by your organization.
  • Security Mechanism – a mechanism designed to detect, prevent, or recover from a security attack.
  • Security Service – a service that enhances the security of the data processing systems and the information transfers in the network.

RISK MANAGEMENT

We recommend that the risk management process follow the Capability Maturity Model approach, with the following five levels:

  1. Initial (chaotic, ad hoc, individual heroics) – the starting point for use of a new or undocumented repeat process
  2. Repeatable – the process is at least documented sufficiently such that repeating the same steps may be attempted
  3. Defined – the process is defined and confirmed as a standard business process
  4. Managed – the process is quantitatively managed in accordance with agreed-upon metrics
  5. Optimizing – process management includes deliberate process optimization/improvement

SECURITY MANAGEMENT

ASSET MANAGEMENT

DATA – It’s important to know all the data moving in and out of your organization, where it is stored, and how important it is.

HARDWARE AND SOFTWARE—We identify all the hardware devices and software applications that process the data. We strongly encourage application white-listing (only allowing approved applications) to help you maintain control over your environment.

PHYSICAL PROPERTY AND FACILITIES—Making sure you have the appropriate security processes in place to protect the physical assets that house those systems is vital. This is also critical to having up-to-date and effective disaster recovery plans.

PEOPLE—When it comes to asset management, we often think about hardware and software but forget people. Without making sure you’re adequately managing and equipping people to run those systems, you’re putting your assets at risk for a potential cyber-attack. We make sure employees have an understanding of their role in cybersecurity. It also means creating accountability for the people who are running the systems and processes and establishing contingency plans that consider the loss or lack of availability of critical team members.

THIRD PARTY RISK MANAGEMENT

  • Build a framework for third-party categorization that identifies which partners need a deeper assessment, based on their role in the organization’s business activities and the size and criticality of the relationship.
  • Develop a workflow to address the intersection of risk and criticality.
  • Ensure appropriate risk transfer.

POLICY FRAMEWORK AND GOVERNANCE

  • A cyber security policy framework sets out the strategy, including an appropriate approach to combating cyber threats given the complexity of the business and its acceptable levels of risk, duly approved by the Board.
  • Cyber security governance comprises the responsibilities and engagement of the Board of Directors and senior management, the organizational structures, and the processes that protect information and mitigate growing cyber security threats. It ensures alignment of cyber security with business strategy to support organizational objectives.

THREAT ANALYSIS

The severity assigned to each vulnerability is calculated using the NIST SP 800-30 standard. This standard determines the risk posed by a vulnerability from its exploitability metrics and the impact it would have on the business.

EXPLOITABILITY METRICS

The difficulty of exploiting the described security vulnerability takes into account the required skill level and the amount of access needed to reach the element susceptible to the vulnerability. The difficulty is rated with the following values:

CRITICAL: An attacker is almost certain to initiate the threat event.

HIGH: Anybody can exploit the vulnerability, or the vulnerability is very obvious and easily accessible.

MEDIUM: The vulnerability requires some hacking knowledge, or access is restricted in some way.

LOW: Exploiting the vulnerability requires application access, significant time, extensive social engineering, or a specialized skill set.

MINIMAL: Exploiting the vulnerability would require high privileges, or the vulnerability is not practically exploitable.

IMPACT

The impact the vulnerability would have on the organization if it were successfully exploited is rated with the following values:

CRITICAL: The issue causes multiple severe or catastrophic effects on organizational operations, organizational assets or other organizations.

HIGH: Exploitation produces severe degradation in mission capability, to the point that the organization is not able to perform primary functions, or results in damage to organizational assets.

MEDIUM: The application is able to perform its primary functions, but their effectiveness is reduced and there may be damage to organizational assets.

LOW: Successful exploitation causes limited degradation in mission capability; the organization is able to perform its primary functions, but their effectiveness is noticeably reduced.

MINIMAL: The threat could have a negligible adverse effect on organizational operations or organizational assets.

BUG CLASSIFICATION

Each finding is assigned a priority; the vulnerability types that typically fall under each priority are listed with it.

CRITICAL: Vulnerabilities that cause a privilege escalation from unprivileged to admin, or allow remote execution, financial theft, etc.

  • Remote Code Execution
  • Vertical Authentication Bypass
  • XML External Entities Injection with significant impact
  • SQL Injection with significant impact

HIGH: Vulnerabilities that affect the security of the platform, including the processes it supports.

  • Stored XSS with significant impact
  • CSRF with significant impact
  • Direct object reference with significant impact
  • Internal SSRF

MEDIUM: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.

  • Reflective XSS with impact
  • Direct object reference
  • CSRF with impact

LOW: Vulnerabilities that affect a single user and require interaction or significant prerequisites (e.g. MITM) to trigger.

  • SSL misconfigurations with little impact
  • URL Redirection
  • XSS with limited impact
  • CSRF with limited impact

ACCEPTABLE: Non-exploitable vulnerabilities in functionality; vulnerabilities that are by design or are deemed an acceptable business risk to the customer.

  • Debug information
  • Use of CAPTCHAs
  • Code obfuscation
  • Rate limiting, etc.

Top security issues tested

VULNERABILITY TESTED                                EXPLOITABILITY   IMPACT
Configuration and Deployment Misconfiguration       Easy             Moderate
Application or Framework Specific Vulnerabilities   Difficult        Severe
Business Logic Flaws                                Average          High
Shopping Cart & Payment Gateway Manipulation        Difficult        Severe
Known Security Issues (CVEs)                        Average          Moderate
Weak Identity Management                            Average          High
Broken Authentication                               Average          Severe
Improper Authorization                              Average          Severe
Broken Session Management                           Average          High
Weak Input Validation                               Easy             Moderate
Error Handling                                      Difficult        Moderate
SQL Injection                                       Easy             Severe
Weak or Broken Cryptography                         Difficult        High
Client Side Script Security                         Easy             Moderate
Cross-Site Request Forgery (CSRF)                   Average          Moderate
Cross-Site Scripting (XSS)                          Average          Moderate
Clickjacking                                        Easy             Moderate
Unrestricted File Upload                            Difficult        Severe
Sensitive Data Exposure                             Difficult        Severe
Insufficient Attack Protection                      Easy             Moderate
Under-protected APIs                                Average          Moderate
HTTP Security Header Information                    Average          Moderate

Our security experts use a combination of commercial and proprietary tools to run a Vulnerability Assessment that discovers the potential flaws in your application’s code that could be exploited, and then run manual Penetration Tests to help you understand the severity of those flaws and how their exploitation by attackers could impact your organization in real life.

Our web application testing covers all OWASP Top 10 and WASC 26 classes, as well as CVE / NVDB / SANS Top 20 vulnerabilities.

Beyond these, we also test for newer attack classes such as subdomain takeover, XXE, XSPA, 2FA and CAPTCHA bypass, race condition bugs, CSV injection, reflected file download, pixel flood attacks, and OAuth and API bugs.

INFRASTRUCTURE MANAGEMENT

Stop hackers before they have a chance to attack your system

The most volatile threat to your IT infrastructure is a security breach. The very nature of cybercrime is stealth: attackers find every exposed opening in your network and strike with great speed and without warning, putting sensitive customer data and corporate intellectual property in jeopardy. This can include trade secrets, customer payment information and other personal information such as social security numbers. The expense to an organization is multiplied many times over by the intangible cost of lost public trust.

No “cyber” insurance exists that a company could buy to protect itself completely from cybercrime. However, we can customize a state-of-the-art cyber security plan for you using best security practices, expert advice and the latest security resources available.

RED TEAM BASED ASSESSMENT

A Red Team assessment (Red Teaming) is an advanced security test that imitates a full-scale, tailored attack on an organization. The aim is to compromise the critical data resources in the organization’s network that a real attacker would target.

Red team assessments are one level above usual penetration testing schemes. They fully test the organization’s ability to detect, protect against and respond to an attack, and show the organization’s state of preparedness for a real attack.

Through our RED TEAM ASSESSMENT SERVICE we aim to provide our clients with:

  • A real-world perspective of threat actors
  • A holistic view of security controls
  • An evaluation of security incident response capabilities

RED TEAM BASED ASSESSMENT

RedTeam Security’s network penetration test combines the results from industry-leading scanning tools with manual testing to enumerate and validate vulnerabilities, configuration errors, and business logic flaws. In-depth manual application testing enables us to find what scanners often miss. This comprehensive approach covers the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2013 and beyond:

  • Injection (e.g. SQL injection)
  • Broken Authentication and Session Management
  • Cross-site Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

We make use of tools from the following categories (not a complete list):

  • Commercial tools (e.g. Burp Suite Pro, AppScan, WebInspect)
  • Open source / hacker tools (e.g. Metasploit, BeEF, Kali Linux, OWASP ZAP)
  • RedTeam-developed tools (e.g. nmapcli, Metasploit modules, PlugBot, various scripts)

RED TEAM BASED ASSESSMENT – RISK RATING

RISK RATING FACTORS

OVERVIEW

Our Red Team Assessment has adopted an industry-standard approach to assigning risk ratings to vulnerabilities. This approach is used in all our assessments and provides our clients with risk ratings that take into account a number of factors, ranging from Skill Level, Motive and Ease of Exploit to Loss of Integrity and Privacy/Reputational Damage.

Our comprehensive approach ensures that our clients’ vulnerabilities are represented by their true real-world likelihood and potential impact to their business.

RED TEAM BASED ASSESSMENT – RISK RATING

RISK CALCULATION

OVERVIEW

Risk Calculation is carried out through a quantitative method. The calculation is an industry standard approach and is widely adopted by many organizations across the globe. Please see the detail below for a walkthrough of the risk calculation process.

Calculation of Likelihood is achieved by the equation:

AVERAGE(Threat Agent + Vulnerability Factors) = Likelihood

Calculation of Impact is achieved by the equation:

AVERAGE(Technical Impact + Business Impact) = Impact

Calculation of the finding’s overall Risk Rating is achieved by the following equation:

AVERAGE(Likelihood + Impact) = Risk Rating
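A worked implementation of these three AVERAGE equations, added here as an example; it is not the firm's own calculator. Because the page does not spell them out, it assumes a 0-9 score per factor, the factor groups of the OWASP Risk Rating Methodology (the page names only some of those factors), and LOW/MEDIUM/HIGH bands at <3, <6 and >=6; the sample findings and their scores are constructed.

```python
"""Risk-rating arithmetic from the three AVERAGE equations above (added example).

Assumed, because the page does not state it: each factor is scored 0-9 and the
factors are grouped as in the OWASP Risk Rating Methodology (the page names only
some of them); the LOW/MEDIUM/HIGH bands (<3, <6, >=6) follow the same convention.
"""

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

def _scores(group, expected):
    """Validate one factor group (every factor present, each an int from 0 to 9)."""
    missing = [f for f in expected if f not in group]
    if missing:
        raise ValueError(f"missing factor(s): {missing}")
    bad = [f for f in expected
           if not (isinstance(group[f], int) and 0 <= group[f] <= 9)]
    if bad:
        raise ValueError(f"factor(s) outside 0-9: {bad}")
    return [group[f] for f in expected]

def _average(*groups):
    """The page's AVERAGE(): mean over every score in the supplied groups."""
    scores = [s for g in groups for s in g]
    return sum(scores) / len(scores)

def likelihood(threat_agent, vulnerability):
    """AVERAGE(Threat Agent + Vulnerability Factors) = Likelihood"""
    return _average(_scores(threat_agent, THREAT_AGENT), _scores(vulnerability, VULNERABILITY))

def impact(technical, business):
    """AVERAGE(Technical Impact + Business Impact) = Impact"""
    return _average(_scores(technical, TECHNICAL_IMPACT), _scores(business, BUSINESS_IMPACT))

def risk_rating(likelihood_score, impact_score):
    """AVERAGE(Likelihood + Impact) = Risk Rating"""
    return (likelihood_score + impact_score) / 2

def band(score):
    """Map a 0-9 score to LOW / MEDIUM / HIGH (assumed thresholds)."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate_finding(finding):
    """Run the three equations for one finding dict (shape as built by finding())."""
    lik = likelihood(finding["threat_agent"], finding["vulnerability"])
    imp = impact(finding["technical_impact"], finding["business_impact"])
    risk = risk_rating(lik, imp)
    return {"likelihood": lik, "impact": imp, "risk": risk, "band": band(risk)}

def rank_findings(findings):
    """Summary-table view: (name, risk, band) tuples, highest risk first."""
    rated = [(name, rate_finding(f)) for name, f in findings.items()]
    rated.sort(key=lambda item: item[1]["risk"], reverse=True)
    return [(name, r["risk"], r["band"]) for name, r in rated]

def finding(threat, vuln, tech, biz):
    """Build a finding dict from four score tuples ordered like the factor tuples."""
    return {"threat_agent": dict(zip(THREAT_AGENT, threat)),
            "vulnerability": dict(zip(VULNERABILITY, vuln)),
            "technical_impact": dict(zip(TECHNICAL_IMPACT, tech)),
            "business_impact": dict(zip(BUSINESS_IMPACT, biz))}

# Constructed sample findings with illustrative scores, not data from a real assessment.
SAMPLE_FINDINGS = {
    "sqli_in_login_form": finding((6, 9, 9, 9), (7, 9, 9, 8), (7, 7, 5, 7), (7, 9, 7, 7)),
    "verbose_error_page": finding((3, 1, 4, 2), (3, 3, 4, 3), (2, 1, 1, 1), (1, 1, 2, 3)),
}

if __name__ == "__main__":
    for name, risk, label in rank_findings(SAMPLE_FINDINGS):
        print(f"{name:20s} risk rating {risk:.3f} -> {label}")
```

Because every step is a plain average, a single 9 in one factor cannot on its own push a finding into HIGH; the output of rank_findings is the ordering a summary table would show.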


RED TEAM BASED ASSESSMENT – REPORT

The charts below are designed to provide a quick snapshot of the assessment.

RED TEAM BASED ASSESSMENT – SUMMARY

The table below is designed to provide a quick view of all the identified findings and their respective risk ratings.

CYBER SECURITY ENGINEERING

Our review methodology produces actionable results. You receive observations, perceived deficiencies and remediation recommendations that address the following in your environment:

SECURITY CONFIGURATION

  • Configuration Review
      • User Account Management
      • Group Policy Management
      • Patch Management
      • Network Management
      • Auditing and Logging
      • Site Security Management

MALWARE PROTECTION

  • Ransomware Analysis
      • Data Backup/Recovery
      • Security Patches
      • Training
  • Malware Analysis
      • Baseline process list & approved programs
      • Suspicious accounts
      • File Permissions
      • Port Service Identification
      • Log Analysis
          • System Logs
          • Network Logs
          • Technical Logs

SECURITY ARCHITECTURE

  • LAN Architecture
  • WAN and Remote-Access Architecture
  • Wireless Architecture
  • Security Operations
  • Tools and Solutions

OUR EXPERTISE

  • Web / Mobile Application Penetration Testing
  • Network Penetration Testing
  • API Penetration Testing
  • Ethical Hackers
  • The Red Team
  • Information Security Assessment and Implementation
  • Remote Secure Access Solution
  • Cloud Web Security
  • Multi-Factor Authentication
  • OSINT (Open Source Intelligence) Service
  • Dark Web Monitoring Service

Experienced and Qualified Security Researchers

Our strength is our security researchers who are heavily certified, and we believe that if we have consultants who are motivated, trained, and qualified, we will automatically be able to fulfill our commitments to our clients. All the technical as well as management team members have at least 5-6 years of experience in their own domain.

WHAT WILL YOU GET

The final output will consist of the following:

  • A one page summary with an executive analysis and scorecard
  • A roadmap for your organization
  • Key tactical and strategic recommendations
  • Observations by the consultant(s)
  • Identified gaps and focus areas
  • A detailed report to help management

The report is intended to address the highest impact and risk areas, and give your subject matter experts detailed information for implementation within your organization.

Why us?

INDEPENDENT SOLUTION

Our technical strategies and recommendations are solely based on what is fit and appropriate for your business.

COLLABORATIVE

We and our partner association are always devising solutions for the ever-emerging cyber threats.

LOW-COST

We deliver quality at a cost that is highly competitive and fair.

PEACE OF MIND

Our working pattern is highly customisable and adapts itself to the client’s comfort.

TRUSTED

We have a long list of certifications and experience enabling us to work comfortably in a critical scenario.

24X7 SUPPORT

We are, and always will be, available for any genuine client concern.

TESTIMONIALS

What people are saying

Jaspal Singh

Outstanding and inexplicable services were received by us at Stellar from the GIS Consulting team for the ISO 27001 implementation and cybersecurity. It would, indeed, have become a major hurdle for us to obtain this most desired certification if we hadn’t been accompanied by this incredible consultancy team of professionals. To be honest, the team members present in the GIS Consulting team are extremely knowledgeable, professional and skilled. A special and big thanks to Mr. Naveen Dham, for being with us every time we struggled while implementing anything related to infosec. Hats off.

Jaspal Singh, Sr. Quality & Compliance, Stellar Data Recovery

Ashish Agarwal

The strength of Global IS Consulting lies in their team of seasoned professionals led by their CEO, who has helped Interglobe in strengthening its security posture by conducting regular vulnerability assessment and penetration testing to help us secure our environment.

Ashish Agarwal, Assistant Manager, Interglobe Enterprise Ltd.

Aditya Khullar

Thanks to the Cybersecurity Team of Global IS Consulting, who have been instrumental in protecting us from the latest cyber threats through their extensive penetration testing done on our networks and financial web portals. We appreciate the remediation actions implemented by the team to make us compliant with the PCI DSS Standard.

Aditya Khullar, Manager Information Security, Interglobe Enterprise Ltd.

Sandeep Chauhan

Global IS Consulting is one of the most professional and committed consulting organizations that we have come across. Helmed by Mr Naveen Dham, the company efficiently and effectively built a Management System based on the ISO 27001:2013 standard for our organization. The best part was the level of involvement and keen participation in all the activities pertaining to the certification process of the organization.

Sandeep Chauhan, DGM Quality, PL Engineering (Punj Lloyd Group)

Amandeep Bawa

Thanks to the CEO of Global IS Consulting for helping us achieve ISO 27001 certification through in-depth implementation and maintaining it for the last 5 years in a row. We appreciate the professional approach, dedication and massive knowledge carried by the team.

Amandeep Bawa, IT Head, Panasonic India Pvt Ltd, Corporate Office Gurgaon

Durgesh Upadhyaya

We appreciate the support provided by the CEO of Global IS Consulting, Mr. Naveen Dham, for helping us achieve ISO 27001 and for the ISMS maintenance provided every year for real-time compliance with the ISO 27001 standard.

Durgesh Upadhyaya, Admin Head, Panasonic India Pvt Ltd, Corporate Office Gurgaon

Navjeevan Kumar

Global IS Consulting is a group of experienced, talented and committed professionals. The CEO of the organization, with his team, has always shown his best in every project handled by them in the past. He has been instrumental in certifying our client Aircel for ISO 27001:2013 and maintaining it for the last 3 years.

Navjeevan Kumar, Head Infra, Wipro Infotech Ltd.

Sandhya Khamesra

Naveen Dham, CEO of Global IS Consulting, is very professional in his work. He has in-depth knowledge of ISO 27001, PCI DSS, ISO 20000 and various other IT standards and is able to quickly adapt the requirements of the standards to what the client wants to accomplish, resulting in a lot of value addition for the clients. He has a wide variety of implementation scenarios in his background that he can draw on. We highly recommend Naveen for any ISMS, ITSMS, PCI DSS and cybersecurity consultation projects.

Sandhya Khamesra, North Business Head, BSI Group

Rumila

Hats off to the CEO of Global IS Consulting, who has been maintaining our ISO 27001 & ISO 20000 standards since our inception. Their cybersecurity experts have been instrumental in protecting us from the latest cyber threats through their extensive penetration testing of our network and timely patching.

Rumila, Senior Vice President, Silaris Informations Pvt. Ltd.
GET IN TOUCH

We are accepting new projects.

GIS Consulting was incorporated with a mission to empower customers to effectively manage their "Digital Assets" and to protect, comply and grow the business profitably, in the Data, Network and Application (the DNA of every business) protection and management space.

Get in touch with our experts for all your information security needs.
