Security assessment

Security assessments (otherwise known as audits) form an important part of Contec’s service portfolio. Below you’ll find an overview of frequently asked questions regarding this topic. Is your question missing? Please feel free to contact us.


What is a security assessment?

A security assessment is a thorough technical inspection that provides insight into the current state of an organization's IT security. At the end of an assessment the organization receives an advisory report that describes the following elements:

  • Which network parts have been examined
  • An overview of identified vulnerabilities and risks
  • A list of recommended improvements and solutions to increase the current security level


Who carries out the assessment?

Security assessments are performed by CEH-certified security consultants.


Are there standard packages I can choose from?

No. The contents of a security assessment vary by organization. However, each assessment begins with the same two steps:


Step 1: Choose a testing technique (white box, black box, gray box)

A security assessment starts by determining which technique will be used to analyze the network. Depending on the amount of information an organization wishes or is allowed to share prior to an audit, one can choose from three techniques:

  1. White Box:
    The white box technique is characterized by the tester having complete visibility and access to all infrastructure components.
  2. Black Box:
    This technique is the opposite of the white box technique: the tester is given minimal information about the system architecture. Note that this technique requires a large time investment and, as a result, is very costly.
  3. Gray Box:
    As the name suggests, this technique falls somewhere between the two previously mentioned testing methods. For instance, a gray box test can include making IP data available to the tester, but not giving the tester access to the infrastructure.


Step 2: Determine scope

The next step is determining the scope of a security assessment in cooperation with the customer. This includes selecting the tests that will be used during the assessment. Contributing factors to this choice are the size / complexity of the network environment.


How much does a security assessment cost?

Since all security assessments are case-specific, the consultant will estimate the required hours per case.