External Vulnerability Assessment / Penetration Testing (EVA/PT)
The purpose of this type of assessment is to identify potential network- and host-oriented vulnerabilities that can be exploited externally. Vulnerabilities of this nature typically involve operating systems, services, and applications. Following the CastleGarde assessment methodology, an External Vulnerability Assessment and Penetration Testing (EVA/PT) engagement is performed in four phases:
1. Passive Information Gathering
2. Active Testing
3. Evaluation, Exploitation, and Validation
4. Reporting
External Vulnerability Assessment Phases
1. Passive Information Gathering
In this portion of the assessment, engineers gather publicly available information about the credit union and use tools that identify every device within the scope of the IP ranges provided by the client.
2. Active Testing
Engineers perform technical testing with a range of industry-proven penetration testing tools, scanning every in-scope device on the client's network for known or possible vulnerabilities.
3. Evaluation, Exploitation, and Validation
During this part of the assessment, and subject to the client's management approval, engineers actively validate every result discovered in the previous phases. Engineers also attempt penetration activities against all in-scope network devices, with the goal of obtaining unauthorized application, device, and/or network access and the unauthorized discovery of Sensitive Member Information.
4. Reporting
In this part of the assessment, engineers gather and organize the testing results, which include assessment findings and recommendations based on regulations, policies, standards, procedures, and industry best-practice guidelines. In this final phase, the assessment team determines the organization's security risk profile. The resulting report gives management the information it needs to make informed decisions on the acceptance, avoidance, or assignment of the identified risks.