Cyber Risk Management Solutions
Top Cyber Security Testing Tools in 2019

Top Cyber Security Testing Tools in 2019

Which cyber security testing tools should you use in 2019? Check out the list of the top tools our security experts are using. 

security testing tools

Cyber attack is one of the nightmares of big companies.  Keeping their confidential records from being hacked is their biggest concern.  Banks, multi-national corporations and defense departments of every countries, they are all at risk.  This is the reason why, most of them invested a lot for securing their computer system and resulted in employing cyber specialists and buying modern technology.

Security Testing Tools

Cyber security is the reason of the birth of these many cyber security penetration testing tools.  These tools are use by security experts to test every computer systems for vulnerability of being hacked.  This testing tools are designed for different area of the system, checking its designed and pinpointing the possible area of attacked.

Here is a list of several security testing tools:

  • Metasploit. A collection of penetration tools which is used by cyber security experts to manage security evaluations and discover vulnerabilities. It used to evaluate the security condition of your infrastructure.
  • NMAP. Otherwise known as network mapper, this tool is used to monitor the host server and perform mapping of server vulnerability.
  • Wireshark. It is a very handy tool that is helpful in keeping up the real time details, of every activity that transpire in your system. It is an analyzer and an sniffer, which helps assess the vulnerability of your network.
  • Aircrack-ng. Set of utilities used to analyzing the weakness of a WIFI network. It captures data packet and export it to text files for analysis as a way of securing your WIFI network.
  • John the Ripper. Traditional password is the most popular security risk, as cyber criminals tend to take advantage of this weakness. Hackers used these passwords to compromise the system, by putting on damage on it or stealing important information. Expert used this tool, to simulate attack, to pen point its vulnerability.
  • Nessus. It is a paid-for tool, used to scan for vulnerabilities in your system. Easy to use, it also provides fast and accurate scanning for your system. In just a click of a button, it can also provide you with a complete and accurate result of the weaknesses of your network.
  • Burpsuite. Widely used, this is a utility to check the security of a web-based application. Consisting of various tools, it carries out different security tests. The tests includes mapping of attack surface, analyzing request and responses between servers and many more.

These are just some of the widely known cyber security penetration tools, which are being used by cyber security experts, to secure important credentials of big companies and other important government agencies worldwide.  It is up for the security experts, to determine, what types of tools your system requires.

Cyber security is a worldwide problem and unless this is addressed properly, every human and every businesses in this world, are at risk, of losing their vital information.  This information can be used by these criminals or sell it to syndicates, to be used in their illegal activities.  

Security Testing Tools: Penetration Testing

Penetration testing is commonly user service to check the viability of your cyber security stems.

When a penetration test is launched, the aim is to carry out a risk assessment on your organization’s security system and controls. This is done by evaluating and picking out the parts of your security firewall that may be targeted by attackers. These parts are then subjected to an attack through a penetration test. When vulnerabilities in the security system are detected, the individual or company may then find out ways to eliminate the potential risk that may arise from these loopholes. This may be done by either getting rid of the defective systems or strengthening them to ensure that they are not exploited.

Read more about the 7 Reasons you need a Penetration Test in 2019.

The evolution of the information technology is so fast, that everything is already dependent to computerization of everything.  From business industries, to governments in every country, they are all dependent on computers and the internet.  With this development, cyber security experts are trying their best, to be able to find ways to protect computer systems of big corporations, government agencies and private individuals.  The goal here is to keep their important information’s secured from being hacked.

What are these Security Penetration Testing tools?

Security Penetration Testing Tools are instruments that are used by cyber security experts, to check your computer system’s vulnerability to such cyber attacks.  It’s is because of the fast evolution of the computer technology, that system updates are inevitable.  Computer system should be tested, to able to determine, which part of their system is vulnerable. These is the reason employing these security testing tools.

Here is a list of some of popular Security Penetration Tools in addition to the tools listed above: 

  • Wifiphisher. This tool is an access point tool.  Using wifiphisher in assessment will lead to actual infection of the system.
  • Burp suite. This tool is best used with a web browser.  This tool is essential to check applications of their functionality and security risks.
  • OWASP ZAP. Another application tool, this one is better used for starters in application security.
  • CME. This exploitation tool helps to automate assessing the security of large active directory network.
  • PowerSploit. It’s a set of modules to be used for assessments.
  • Immunity Inc.-Debugger. This tool is use by security experts to write exploits, analyze malware and a lot more features.
  • THC-Hydra. A network log-in cracker, the tool holds several details to allow users to get started.

When is it necessary to do the testing?

The frequency of testing varies from each team.  It is up to the teams own life cycle and the availability of its application and resources.  Key exercises can performed with in a life cycle, such as in the design mode, while others can take place in the implementation mode.

A wider network and application analysis requires the acceptance of the customer and also done in the deployment phase of the project.

The methods used in penetration testing are:

  • Internal Testing.  Here, a tester which has the capability to access beyond the firewall will do a simulation attack on the system.
  • External Testing. This method targets company data that are visible to the web, such as the company’s website, emails and servers.
  • Blind Testing. Given only the name of the target, the tester gives security personnel real time scenario of an application assault.
  • Double Blind Testing.  Here in this method, security personnel have zero knowledge of the simulation, which make them unprepared of such eventuality.
  • Targeted testing.  This method shows teamwork between the tester and the security personnel, giving them a chance to hear from a hacker’s mindset.

Of course, if these tools aren’t familiar to you, penetration testing is a steep learning curve. It’s best to stick with a professional to do the work for you.

Conclusion: Security Testing Tools

There are many security testing tools on the market today. But none can match the experience of an educated and tested security team or individual.  Contact us for more questions about penetration testing. 


Assessment and Testing Services

7 Reasons You Need a Penetration Test in 2019

7 Reasons You Need a Penetration Test in 2019

Penetration tests are an important piece of the cybersecurity puzzle. We like to begin with the end in mind and understand your goals before we recommend any assessments, gap analyses, or pen tests. Read more to find out why you should consider a penetration test. 


What is a Penetration Test?

A penetration test, also called a pen test, is a common test that is done to find out if there are issues with an organizations’ network or cybersecurity system.

The test is performed to identify both weaknesses or vulnerabilities, including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed. [Source]

It may also be referred to as a form of cyber attack due to the procedure that is followed when making the test. However, it is not an illegal attack as it requires authorization from the owner of the systems the test is being carried. This test helps to evaluate if there are any potential loopholes in your security system which may be exploited by cybercriminals.

How a Penetration Test Works

When a penetration test is launched, the aim is to carry out a risk assessment on your organizations’ security system and controls. This is done by evaluating and picking out the parts of your security firewall that may be targeted by attackers. These parts are then subjected to an attack through a penetration test. When vulnerabilities in the security system are detected, the individual or company may then find out ways to eliminate the potential risk that may arise from these loopholes. This may be done by either getting rid of the defective systems or strengthening them to ensure that they are not exploited.

7 Reasons to Carry Out a Penetration Test

1. Discover the Vulnerabilities Hidden in Your System Early 

It is imperative to identify and uncover the vulnerabilities in your system before the people who pose a threat to you actually do. In this regard, you have to dig deep into the threat and establish exactly what the kind of information could be brought out in the event that it is discovered.  By revealing whether or not an organization is susceptible to cyber attacks and making recommendations on ways to secure your system, you protect yourself. It is important to understand the extent to which your organization is vulnerable to hackers.

2. Avoid Remediation Expenses and Reduces Overall Network Downtime

It is very costly to recover from a system attack following a security breach. These costs could be regulatory penalties, loss of business operability and even protecting your employees. By identifying the areas of weakness in your system, you not only shield your organization from massive financial losses but also spare it from reputational prejudices. Through your qualified security analysts, you can get clues on ways through which you can take steps towards, and even make investments that will establish a more secure atmosphere for your organization. 

3. Establish Thorough and Reliable Security Measures

From what you discover after the penetration test, you will be able to develop necessary measures to ensure the security of your information technology systems. The results can serve as pointers to security loopholes, how real they and the degree to which they can affect the performance and functioning of your systems. The test will also make the proper recommendations for their timely precautionary measures while at the same time enable you to set up a security system that you can rely upon with the aim of making the safety of your IT systems a priority.

4. Enable Compliance with Security Regulations

Practicing the habit of conducting occasional penetration tests can help you stay in accordance with the security regulations as laid out by the security standards in authority. Some of these standards include the HIPAA, PCI and the ISO 27001. This will be instrumental in helping you stay safe from the heavy fines which are normally common when compliance guidelines are not adhered to. To remain compliant to such standards, system managers ought to carry out frequent penetration tests alongside security audits as guided by the qualified security analysts. The outcome or the results of the penetration tests prompt can even e presented to the assessors of the organization as a symbol of due diligence.

5. Protect Company Image and Customer Trust

When your systems fall victim of cyber attacks, the company image becomes tarnished in that the way the public used to view the company takes a negative hit. Consequently, customers begin to develop a concern about the security of their information in the hands of the company. The outcome of this may be a consideration on their part to seek the services of an alternative company for the same services you were offering them. Penetration testing will, therefore, help you avoid putting your company in such a position and by so doing, protect the company image as well as maintain the loyalty and the trust of your employees.

6. Prioritize and Tackle Risks Based on their Exploitability and Impact

Penetration testing will identify the areas that are vulnerable for cyber attacks and using such results, you may be able to prioritize the potential risks and come up with a counter plan on how you are going to shield the company from the named risks. Your list of priorities could base itself on the degree to which individual risks are susceptible to exploitation by the prospective hackers. You may also choose to attack the risk with priority put upon the risk that would make for a graver impact on the company. By so doing, you will be cushioning the company against heftier hits in the event of a cyber attack crisis and by so doing deal with the risks that can easily be contained or whose impact is less harmful.

7. Keep Executive Management Informed about Your Organization’s Risk Level

Any properly working executive management of a company would always want to be kept in the loop whenever the company is at risk. More importantly, they also want to know of the level of protection the company operates in at any given time from potential cyber attackers.

Penetration Tests

Penetration tests are evidently of utmost relevance to the successful running of a company and should, therefore, be integrated into the maintenance procedures of a company. They can put you in a better position to identify the areas in your system that is vulnerable to cyber attacks, help you design a list of priority in terms of your precautions, enhance compliance measures and make everything legitimate for the good of all stakeholders of the company in their various capacities, including the customers.

A Penetration Test is a Piece of the Cybersecurity Puzzle

Penetration Tests and Vulnerability Assessments are two key tools utilized to improve and harden an organization’s security program.  Penetration Tests are used to identify key weaknesses in specific systems or applications and provide feedback on the most at-risk routes into the target.  These tests are designed to achieve a specific, attacker-simulated goal.

Alternatively, Vulnerability Assessments are designed to identify and affirm where key gaps are in your overall security program and yield a prioritized list of vulnerabilities which can be addressed to strengthen the environment.

We like to begin with the end in mind and understand your goals before we recommend any assessments, gap analyses, or pen tests.

Cybriant’s security professionals can assist in selecting the right approach to achieve your objective. We won’t just tell you that you have a problem; we will show you how to fix it, or we can perform the services on your behalf.

Here are 6 important considerations for your next security assessment vendor.  

Penetration Test vs. Vulnerability Scan

No matter your size, all organizations should regularly check their network and systems for vulnerabilities that can allow outsiders to have access to your critical data.

There are two methodologies to do this – Vulnerability Scanning and Penetration Testing. A common error in the cybersecurity world is to confuse these services or to use them interchangeably. Most cybersecurity experts will agree that both services are important and they should be used together to have a comprehensive security program.

Read more




Find Out More About Assessments and Testing Services

6 Considerations for Your Next Security Assessment Vendor

6 Considerations for Your Next Security Assessment Vendor

Information security assessments are a necessity in today’s cyber insecure world. Be sure to consider these 6 things when you select a security assessment vendor. 

security assessment vendorRisk assessments (often referred to as security assessments) are a critical part of any compliance program.  More often than not, these risk assessments are required to be performed by an external party.

Hiring a firm to perform a risk/security assessment can be a daunting task.  With little to go on we often we fall back on the old standbys of contracting a vendor: reputation, size, certifications, etc, etc.  And often that results in poor performance or obvious cookie-cutter results.  How then should we approach the task of ensuring we get value from our security assessment vendor?

After years of performing risk/security assessments and gap analyses for various companies in different vendors I’ve noticed some themes and want to share six items to look for when selecting a vendor.

Fortunately, these are items that can be teased out in negotiation long before signing the contract.

6 Factors to Look for in a Security Assessment Vendor:

1. They consider People, Processes, and Technology

This one seems like it should be obvious.  Isn’t that what a security assessment vendor should be doing?  In theory, yes. However, as you have probably experienced that is not the case most of the time.


Human nature. Believe it or not, auditors are human too and with that comes comfort zones, preferences, dislikes, and biases.  If you have an auditor who came up through the ranks as an accountant or another non-technical analytical personnel, you’ll have someone who is very comfortable with the processes of security but may not understand the nuances of people or the technology supporting the business.

The same can be said for a highly technical individual with no people skills or the adamant extrovert who crammed well enough on the technical side to pass the PCI QSA test by whiskers.

A good security assessment vendor will have the processes and procedures in place to ensure that; one, only well balanced individuals are selected to be auditors and two, even treatment is given to all aspects of security.  Just because an auditor is more comfortable in one area than another doesn’t give them leeway to abandon other areas.

2. Spreadsheet mania

This one is a bit counter-intuitive. Spreadsheets and auditors are like mac and cheese, they just go together.

However, let me ask you one thing.  Have you ever had an auditor that you felt truly understood what you did and how you did it?  I haven’t. Most of the time they sit across a table with a laptop open entering in your responses into a spreadsheet like an automaton.

Sure they’ll ask some questions to get a better understanding, but only enough to answer what the spreadsheet wants to know.  Spreadsheets are great for identifying risks in technology or gaps in processes, but what about people?

Whatever happened to the art of conversation, I ask? 

Here at Cybriant, and any other good security assessment vendor, all the technicalities of the spreadsheets can be asked beforehand, or after.  What we’re there to do is understand your risks and that includes what and how your people perform their daily duties.  I have story after story of finding major risks to an organization through conversation that a spreadsheet approach would have never caught.

Let me give you a great ‘for instance’. 

I was performing a security assessment for a college and knew of the locked, secured, shred bins as well as the policies dictating its use.

However, after conversing with a funding representative I had to ask,

“So do you actually use the shred bin upstairs?”

“Of course I do!” was the response.

Based on other answers I probed some more; “well, I put the credit card information in this cardboard box beside my desk when I’m done with them and once a week I dump the paper in the shred bin”.

Need I say more?  When considering a vendor try to have a conversation with the auditor who will be assigned to your account.  Do they ask good questions?  Are they personable?

3. They talk to more than just the nerds.

I wonder if you caught something odd about the story above, other than the blaring PCI violation.  As part of a security assessment, we were speaking to a funding representative, not a technical resource.

While technical resources are an absolute must when interviews are concerned, so are the rank and file.  Processes, policies, guidelines, standards, security controls, technology, those are all good and well, but users have an uncanny ability to destroy all our good work without even trying sometimes.

As such it is imperative your assessor speaks with others in your organization. Often external assessors are brought in to verify what the technical staff, or leadership already suspects.  However, because of our insistence on interviewing non-technical personnel, we have found countless security risks that were unknown.

When assessing your potential vendor be sure to ask who all is considered for interview candidates.  If it’s just technical staff and minimal leadership, back away slowly.

4. They see the big picture

Very similar to the spreadsheet item, there is one item that seems to elude a vast majority of assessment firms, big-picture thinking.

After performing dozens of security assessments I have come to the realization that most findings can be distilled into what we call Cybriant: Risk Themes. These are overarching risks that are not part of any framework but contribute to the overall security profile.

Examples of Cybriant: Risk Themes are a company culture that ignores security or lack of proper network design which exposes several risks.  While our assessments do include specific risks we also include any Cybriant: Risk Themes to help guide the organization towards the most efficient method of addressing the outlined risks.

Ask to see a sanitized assessment, do they address risk themes?

5. They give a roadmap to success

A good security assessor understands technology to the point that they can provide a roadmap that addresses the most critical findings first and how to fix them. This is absolutely critical to a successful implementation of remediating security risks.

Tell me if this sounds familiar.  A security assessment vendor performs a security assessment and you receive a PDF containing page after page of faults with your environment, and that’s it.  No recommendations on how to remediate, no path towards completion, no way of knowing which ones really do pose the highest risk to your organization.

When choosing a security assessment vendor it is critical that they consider what technology you have in place and the most efficient path towards remediating the identified risks.

However, they can only do that if . . . . .

6. They understand technology

In previous points, it may have seemed as if I were discounting technical knowledge.  Let me squash that rumor now.

A disturbing trend in the security assessment world is the tacking on of technology auditing to other fields such as accounting.

I like my CPA and trust them with my taxes, but I wouldn’t want them to pass judgement on my BGP network.  Just because you can sit in a CISSP boot camp and memorize enough to pass the test doesn’t mean you understand the nuances of a system or network design.

This trend is resulting in strict adherence to spreadsheets above any extenuating circumstances and discounting of any client explanation.  That in turn results in frustrated and dissatisfied clients.

Above all, an assessor needs to understand technology well enough to understand how your organization uses said technology and any potential downfalls therein.  When determining which security assessment vendor to select be sure to have your technical talent probe the assessor for technical knowledge.

Some of the brightest most capable employees and coworkers I have ever had the privilege to work with do not have college degrees or certifications; however, by what metric do we normally measure a potential employee?  The reason we do this is because it is very difficult to assess whether a potential candidate has the “right stuff” so we fall back on the defacto standard.

The same can be said for how most security professionals choose a security assessment vendor.

Hopefully, I have given you the tools to look past the standard fodder of evaluating a security vendors and equipped you to ask intelligent questions and look for signs that you have found the diamond in the rough.

Jason Hill

Jason Hill

Director of Strategic Services

Jason is an accomplished Infosec Speaker, AlienVault certified instructor and engineer, Risk Assessor, Security Consultant, and Security Trainer.


Learn More About Our Assessments

5 Key Reasons You Need a Cyber Security Assessment

5 Key Reasons You Need a Cyber Security Assessment

You probably need a cyber security assessment, especially if you are wondering whether you need one. Here are the top 5 reasons, you should start today. 

Keep reading and we’ll help you understand different types of cyber security assessments, why you may need one, and the main benefits of a cyber security assessment.

What is a Cyber Security Assessment

When you hear the term “Cyber Security Assessment” you can assume that a “Risk Assessment” is what is being implied.

The goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals” – NIST Cybersecurity Framework

The NIST Cybersecurity Framework has five main categories: Identify, Protect, Detect, Respond, and Recover. These categories provide a set of activities to achieve specific cybersecurity outcomes and reference examples of guidance to achieve those outcomes.

The Frameworks provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations or it can be focused on the delivery of critical services within an organization. Different types of entities – including sector coordinating structures, associations, and organizations – can use the Framework for different purposes, including the creation of common Profiles.

Framework for Improving Critical Infrastructure Cybersecurity

At Cybriant, we highly recommend the NIST Cybersecurity Framework. The very first category of NIST, Identify, explains the need for a Risk Assessment. If you need more advice or recommendations on deciding which framework is right for your company, read the article we recently posted “Is My Company Secure.”

Purpose of Cyber Security Assessment

The purpose of a cyber security assessment includes identifying:

  • Threats to your organization (operations, assets, individuals) or threats directed through organizations or nation-states
  • Identify internal and external vulnerabilities
  • The adverse impacts (harm) that may occur
  • The likelihood that harm will occur
  • Determination of risk

Cyber Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event and is typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.

5 Key Reasons You Need a Cyber Security Assessment:

A Cyber Security Assessment or Risk Assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact on the organization and the likelihood that such circumstances or events will occur.

Why do you need a cyber security assessment? Here are 5 key reasons:

  1. Compliance Requirements

Almost every regulatory compliance requirement includes a comprehensive Risk Assessment. In your cyber security assessment for compliance, you’ll be able to evaluate your compliance controls and understand your full range of risk exposure. An effective cyber risk assessment will help you prioritize risks, maps risks to the applicable risk owners, and effectively allocate resources to risk mitigation.

  1. Gap Analysis/Cyber Exposure

A gap analysis is a critical service when you need identifying any deficiencies between your security program and a specific regulation or framework. As noted in the ANSI/ASIS/RIMS risk assessment standard, “Gap analysis is intended to highlight the amount by which the need exceeds the resources that exist and what gaps may need to be filled to be successful.”

  1. Identify Vulnerabilities

A cyber risk assessment will help you identify and locate vulnerabilities in your infrastructure and applications. This cyber risk assessment will help you determine your security flaws and overall risk. You’ll be directed to have a better understanding of your assets and help you reduce the likelihood that of being breached.

  1.  Asset Discovery

An asset is no longer just a laptop or server. It’s now a complex mix of digital computing platforms and assets which represent your modern attack surface, including cloud, containers, web applications, and mobile devices. Proactively discover true asset identities (rather than IP addresses) across any digital computing environment and keep a live view of your assets with a cyber risk assessment.

  1. Baseline

By going through a cyber security assessment, you will create a baseline. You’ll understand your security controls, what is working and what isn’t. This baseline will help you create a standard by which your company will assess your organization based on that standard.

Speaking of creating a baseline when it comes to a cyber security assessment, consider ComplyCORE.

compliance management systemComplyCORE is a Compliance Management System that will help reduce the hassle of compliance into a concise program. Learn how to make compliance simple.

Compliance Management System

Today’s compliance environment is an overwhelming assortment of never-ending checklists and to-do items. Not only are organizations required to adhere to a standard, there are often many standards that a company must adhere to adding additional complexity to an already frustrating situation. Pulled in many directions, today’s IT professionals often feel as they are descending into a fog of compliance.

There is also a constant stream of acronyms that businesses now must learn and adhere to be compliant. Each new entrant into the pantheon of compliance complicates and weaves an even more complex web of checklists, procedures, and policies. Each time new letters are added to our alphabet soup of regulations we must scramble to meet that specific list of requirements.

We have created a better way. Introducing ComplyCORE.

ComplyCORE reduces the fog of compliance into a clear and concise vision.  With ComplyCORE as your compliance management system each new compliance matrix that springs to life is easily and quickly integrated.  There is no scrambling each time an auditor for a specific regulation appears, it’s all part of the plan.

Take a look at ComplyCORE, our compliance management system:

Compliance Management System

Learn More about ComplyCORE

People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, and Technology is the cornerstone of ITIL, but can it also be used to ensure a proper cybersecurity foundation? The answer may surprise you!

Let’s just get this out of the way. You are not secure. There I said it.

Let me qualify that statement: when I say you are not secure what I mean is that regardless of the money, talent, resources, or luck your organization possesses, your organization (or any other) cannot consider itself completely impervious to outside aggressors. Just like a Major in boot camp, let me tear your assumptions down for a moment so I can build them back up.

According to Gemalto, 82 records were compromised every second in 2017. It is widely accepted that the nation-state failure rate is as near to nothing to make no difference. There are spear phishing kits available to allow anyone, even your mom, to launch a targeted attack against you. You have to be right every time; a hacker only has to be right once. A bird in the hand . . . . . I could go on, but I think you get the point.

“But,” you say “I just bought something with ‘NEXT-GEN’ in the product description. That’s got to make me secure!” No, it won’t. Nothing short of throwing all copies of your secure data into a volcano will make your data completely secure.


people process technology


What we must strive for, what we must get up every morning and make it our mission to accomplish, is the process. A far too common mistake is that once we place security controls around our data we believe the job is done. Once we buy and install that tool, outsource that task, or hire that consultant firm we are not done. Let’s look at the tried and true foundation of People, Process, Technology and see how that fits into your cybersecurity plan – we are going to switch it up and discuss process last.

According to ITIL News, using People, Process, and Technology for a successful implementation is not only good old-fashioned common sense but also like a 3-legged stool. The stool analogy is used because any leg that is too short or too long will cause an imbalance.

People, Process, Technology


Here’s one thing everyone in security knows: People like clicking on all the links! Hackers know this, even that rich Prince from Nigeria knows this! In Jim Collins book, Good to Great, he discusses how the leader of your organization is a like a bus driver and the employees are the bus riders.

You are a bus driver. The bus, your company, is at a standstill, and it’s your job to get it going. You have to decide where you’re going, how you’re going to get there, and who’s going with you.

Most people assume that great bus drivers (read: business leaders) immediately start the journey by announcing to the people on the bus where they’re going—by setting a new direction or by articulating a fresh corporate vision.

In fact, leaders of companies that go from good to great start not with “where” but with “who.” They start by getting the right people on the bus, the wrong people off the bus, and the right people in the right seats. And they stick with that discipline—first the people, then the direction—no matter how dire the circumstances.

While this may seem like a stretch in the cybersecurity world, the analogy holds true in the sense that everyone on board the bus must be on the same mission. We don’t want to let anyone (cybercriminals) on the bus or let any corporate secret fly out the bus windows.

Train your people and make sure policies are understood from the top down.


If that “next-gen” tool were able to keep you secure without your ability to understand and effectively use it, why isn’t everyone buying it and not the others? Because no tool by itself can effectively secure your data. You must be knowledgeable of what the tool is telling you, how to effectively deploy it, and how to customize it to your environment. If you don’t take the time to do these things you might as well have dug a hole and thrown the money in, it’s the same thing. Too many times I have seen a very expensive product simply create heat. The security product was implemented, but time was not dedicated to truly use the product. Now it’s ignored.

On the other hand, you could outsource the task of doing all that.….

Great! You’ve contracted an MSSP to watch your security for you. Job’s a good’n. Nope. I’ve trained many, many MSSPs, probably near fifty plus. I’ve been instrumental in starting two successful MSSPs. This experience has taught me several things of which one is critically important to this conversation.

It can be summed up by a question: How do you know they provide value?

Nifty charts? Awesome. Wizbang product suite? Sweet! Suites that cost more than your first car? Shiny. However, all of that is for naught if you have not educated yourself in the mechanics of what they provide. Most people outsource what they are not good at, wouldn’t a better idea be to outsource what you are good at? The more you know about the topic the less you must worry about whether that vendor is doing a good job. If you don’t stay current, educate yourself on cybersecurity and constantly engage your vendor, what value do they really bring?


people process technologyIt is said wisdom is the appropriate application of knowledge. You may have learned many things about cybersecurity, but if you can’t effectively use that knowledge in everyday life what use is it? This is where everything we’ve discussed above fits into “the framework”. I’ve described what a framework is and how to pick one in other blogs.

With a framework, we can take each new product; align it with our goals, test the product, and verify our management of the product is appropriate. With each outsourced task, we can quickly and easily see if the value exists by the iterative processes inherent in frameworks. With each consultant, we can direct and manage the work and relationship using the process of satisfying the framework.

Cybersecurity is a process. It is not a rush to prepare for a single point in time audit and relaxing until the next time. By embracing that iterative steps, incremental progress is the proper way to secure your environment, you inherently become secure.

Well, at least until George clicks on that link again.

Why You Must Perform A Security Assessment

Why You Must Perform A Security Assessment

Recently, we discussed why it is important to have a SIEM (Security Information and Event Management) system, and why it is crucial for skilled Administrators to actively use and monitor it. For a quick refresher, here is the article in Wired that sums up the presentation by Rob Joyce, Chief of NSA’s Tailored Access Operations, that inspired this series.This week’s post will cover why it’s important for your organization to perform a Security Assessment to analyze your organization’s operational risks.

One of the biggest issues facing organizations today is that security is an invisible attribute.  IT administrators will setup devices or services, configure the security parameters and rarely if ever, consider security settings again.  Organizations routinely write policies for user access and infrastructure and never update them.  Systems are tested and vulnerabilities discovered but left unresolved. This is the “Set it and Forget it” Syndrome and almost every organization suffers from it.  As Rob Joyce points out, Nation State Hackers and Advanced Persistent Threats (APT’s) are relying on these issues, and unfortunately, we are making their jobs easy by not assessing our systems and processes regularly.

Everyone has blind spots which cause them to overlook important issues.  Infrastructures constantly change which introduces new vulnerabilities while new methods of attack are discovered or invented daily.  And, often what was secure yesterday is likely not secure today. Periodic assessments can help your organization identify these blind spots so your teams can design an effective security program.  Assessments can help determine the best methods to prevent a breach, as well as protect assets and corporate reputations.

>>>>Why You Must Have a SIEM<<<<<

Why perform a periodic Security Assessment?

Organizations are increasingly bound by governmental regulations which dictate what security measures must be in place and how they are to be audited.  PCI, FISMA, Sarbanes-Oxley, HIPAA, NERC and GSA among others all dictate how to secure different types of data and the systems that manage them.  These regulations also require regular security posture assessments.

Read more: Is a SIEM required for PCI Compliance? 

While regulations are often the driving factor, they aren’t the only reason why an organization should perform (or better yet, have a third party perform) periodic assessments of their infrastructure.  A Security Assessment is the equivalent of an organization’s State of the Union.  It is a report that looks at every aspect of security and details the severity and potential impact of risks to the company.  Furthermore, it produces the fundamental information required to create a roadmap to a successfully secure business.  To navigate to any destination you must first know where you are.

What should be assessed?

To begin, most organizations only focus on IT data systems or penetration tests during Security Assessments, and this is where things go wrong very quickly.  Yes, it is important that the firewall blocks bad guys and workstations are kept secure, but what about phone systems or printers?  Will your users recognize and report a phishing email attempt?  What is the process for when an employee exits your organization? Did anyone remember to disable their key card to the building?  A thorough Security Assessment will go beyond the typical IT systems assessment.  Here is a list of security domains that should be considered during a Security Assessment:

  • Access control
  • Information Governance and Risk Management
  • Infrastructure Architecture and Design
  • Cryptography
  • Operations Security
  • Network and Telecommunications Security
  • Disaster Recovery and Business Continuity plans
  • Governmental Regulations
  • Incident Management Policies and Procedures
  • Physical Security
  • IT Security Training Programs
  • Network Boundaries

What about after the Security Assessment?

It is shocking to think that most companies will pay for a third party to audit their systems, processes, facilities, and personnel; then, do nothing to resolve the discovered issues.  This is exactly what Rob Joyce points out in his video.  A high percentage of companies will fail to close gaps discovered during security audits.  A vulnerability of any size is important no matter where it exists.  All an APT really needs is a toehold.  Once one is presented no matter how small, attackers will use it to gain access to your company’s data.

Once you have received your assessment results, it is imperative to either fix discovered issues or create compensating controls to avoid these issues from being leveraged.  As Rob Joyce points out in his video, most companies and organizations fail to act even after issues have been discovered, documented, and reported.  Joyce also says not to assume any crack in your defenses is too small or insignificant to be exploited.  These toe-holds are exactly what Advanced Persistent Threats are looking for in your environment.

Companies put a lot of effort into securing revenue streams, banking information, and payroll information by default. These areas, they feel, are important to protect.  Most companies have a provision in the employee handbooks that instruct employees not to discuss salary information with fellow employees.  We don’t often find this level of care and communication when it comes to IT security.  Accountants frequently audit the bank and company for fraudulent activities.  It’s time that companies added IT security to this list of very important, very well understood activities.  Yearly assessments should be the norm and the findings should be well communicated within the company.  IT security cannot be the sole responsibility of a few guys in the back of the building.  Every employee has to be involved because every employee is a target.

The journey to a secure organization begins with the first step.  Your first step should be a Security Assessment to know where to place your foot, and how to find the path ahead. Start here >>>>

by Byron DeLoach

Learn More