Security Risk Assessments

Mangold Security's Security Risk Assessment uses guidance from the National Institute of Standards and Technology (NIST), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and other industry security organizations to provide a deep analysis and understanding of the state of our clients' information systems security. These guidelines are correlated with each client's specific needs, the sensitivity of the client's data, and the client's particular risk tolerance, to develop a comprehensive view of the organization's cyber risk.

The information security assessment consists of five (5) primary activities: Interviews & Document Review, Risk Modeling, Vulnerability Assessment, Remediation Roadmap Development, and Reporting.

Interviews and Document Review

The assessment begins with the collection of all security documentation, including network diagrams, policies, procedures, inventories, and other security-relevant material. This documentation is used throughout the engagement to guide the assessment and to better understand the environment. If documentation is not available, Mangold Security will work to discover the missing information and develop the documentation, as time permits.

Next, Mangold Security interviews key personnel to understand the organization's operational security and characteristics. These interviews often steer the assessment towards key vulnerabilities, technology gaps, or resource constraints. The interview questions are based on security controls from a range of sources, including commercial standards (e.g. the PCI Security Standards Council), government guidance (e.g. DISA Security Technical Implementation Guides, STIGs), and vendor-specific documentation (e.g. Fortinet best practices).

Vulnerability Assessment

A vulnerability assessment involves automated and manual scanning of the computers and servers on the network, searching for known security vulnerabilities. Vulnerabilities are known security weaknesses, such as missing patches or insecure configurations, that generally should be patched or otherwise mitigated. This process uses a number of proprietary tools and techniques, similar to those attackers use, to inspect your network from the inside.

It is not uncommon for a vulnerability scan to return thousands of results. Most of these results are genuine, but there are many common false positives, which our engineers filter out before reporting. We also understand that the prospect of fixing thousands of vulnerabilities is daunting. To help with that, we roll our vulnerability findings into your overall risk analysis, so that the vulnerabilities you fix first are the ones that matter most.

Sample Vulnerability Scan

We use similar methods to perform an external assessment of all internet-facing assets, such as firewalls, servers, and other externally reachable systems. Mangold Security employs multiple security tools and techniques for this analysis, including Open Source Intelligence (OSINT) gathering. OSINT uses publicly available data to passively "footprint" the organization, discover vulnerabilities, and plan attacks, just as an attacker would. This data is added to the risk model and to all resulting reports.

Attacker-Centric Risk Modeling

Mangold Security uses the results of the interviews, documentation review, and vulnerability assessments to develop a realistic cybersecurity threat model for your organization using the NIST SP 800-30 methodology. Using cyber threat intelligence resources, our engineers assess your organization's "attack surface" against real-world attack patterns. In doing so, we are able to rank all the areas of risk in your organization by the likelihood of occurrence and the potential damage that could result.

800-30 Risk Chart

A proper risk assessment should always result in an understanding of the top threats your organization faces. Be warned: It’s very common to see vulnerability assessments marketed as risk assessments – they are NOT the same.

Remediation Roadmap

We understand that a report is very different from a secure network. To keep this risk analysis from becoming just another report on your desk, Mangold Security develops a prioritized remediation roadmap that addresses every concern found in the report. The roadmap is broken into 30/90/120-day tasks, along with product and solution recommendations.
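The likelihood-and-impact ranking described under Attacker-Centric Risk Modeling and the 30/90/120-day roadmap above, as an added example that is not Mangold Security's own tooling: a small Python script that takes vulnerability findings already annotated with a likelihood (from the attacker-centric model) and an impact (from data sensitivity), combines them with a semi-quantitative likelihood-by-impact table in the style of NIST SP 800-30 Rev. 1 Appendix I, ranks them, and assigns each to a roadmap window. The asset names and finding titles are constructed, and the exact matrix cell values and the window mapping are assumptions; check the matrix against the standard before relying on it.

```python
"""Semi-quantitative risk ranking in the style of NIST SP 800-30 Rev. 1.

Added example; this is not Mangold Security's tooling.  The five-level
scale and the likelihood-by-impact lookup follow the shape of the
semi-quantitative tables in SP 800-30 Appendix I, but the exact cell
values below are an assumption to verify against the standard.  The
mapping of risk level to a 30/90/120-day roadmap window is also assumed.
"""
from dataclasses import dataclass

LEVELS = ["very low", "low", "moderate", "high", "very high"]

# RISK_MATRIX[likelihood][impact] -> risk level.  Rows are likelihood from
# very low to very high, columns are impact in the same order (assumed values).
RISK_MATRIX = [
    ["very low", "very low", "very low", "low",      "low"],        # likelihood: very low
    ["very low", "low",      "low",      "low",      "moderate"],   # likelihood: low
    ["very low", "low",      "moderate", "moderate", "high"],       # likelihood: moderate
    ["very low", "low",      "moderate", "high",     "very high"],  # likelihood: high
    ["very low", "low",      "moderate", "high",     "very high"],  # likelihood: very high
]

# Roadmap window (days) per risk level: an assumed policy, not from the page.
ROADMAP_WINDOW = {"very high": 30, "high": 30, "moderate": 90, "low": 120, "very low": 120}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    scanner_severity: str  # what the vulnerability scanner reported
    likelihood: str        # from attacker-centric modeling: exposure, exploit availability
    impact: str            # from data sensitivity and business criticality


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a single risk level via the matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


def rank_findings(findings):
    """Return (finding, risk_level, window_days) tuples, highest risk first."""
    scored = [(f, risk_level(f.likelihood, f.impact)) for f in findings]
    scored = [(f, lvl, ROADMAP_WINDOW[lvl]) for f, lvl in scored]
    # Highest risk first; tie-break on asset and title so the order is stable.
    scored.sort(key=lambda t: (-LEVELS.index(t[1]), t[0].asset, t[0].title))
    return scored


def roadmap(findings):
    """Group "asset: title" strings by roadmap window, e.g. {30: [...], 90: [...]}."""
    buckets = {}
    for f, _lvl, days in rank_findings(findings):
        buckets.setdefault(days, []).append(f"{f.asset}: {f.title}")
    return buckets


# Constructed sample findings (hypothetical assets and titles).  Scanner
# severity alone does not decide the order: the isolated lab PC with a
# "Critical" finding ranks below a "Medium" finding on the VPN gateway.
SAMPLE_FINDINGS = [
    Finding("lab-pc-07", "Unpatched SMB service", "Critical", "low", "low"),
    Finding("vpn-gw-01", "Weak TLS configuration", "Medium", "high", "very high"),
    Finding("fs-01", "Outdated file-sharing software", "High", "moderate", "high"),
    Finding("www-marketing", "Verbose server banner", "Medium", "high", "low"),
]

if __name__ == "__main__":
    for f, lvl, days in rank_findings(SAMPLE_FINDINGS):
        print(f"{lvl:9} {days:>3}d  {f.asset:14} {f.title} (scanner: {f.scanner_severity})")
```

Running it shows why a scanner's severity is not a risk ranking: the "Critical" finding on the segmented lab PC lands in the 120-day bucket, while a "Medium" TLS finding on the internet-facing VPN gateway that fronts sensitive data is the top 30-day item.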

Contact us for more information
