Information Security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information (WikiPedia). An integral part of this prevention is a clear understanding of a) what information an organization has, b) where access to that information is weak (vulnerabilities) and c) how and why an attacker can leverage these vulnerabilities to gain access to the information (threat). Understanding the vulnerability and the threat makes it easy to identify and quantify risk. We work with our clients to help them identify and understand their risk so they they are able to manage it.
- What services does Piratica provide? Information security consulting, information security training and information security assessments including internal and external vulnerability scans, vulnerability assessments and manual penetration testing.
- Does Piratica mitigate or re-mediate problems that it identifies for clients? No. We are happy to work with the clients existing or on-site IT support personnel. If the client doesn’t have an on-site IT staff or relationship with a third-party IT support company, we are happy to recommend one. We believe that it’s important to separate the tasks of securing the information and then testing that security.
- Why would my company need your services? Understanding where and how you are vulnerable is a crucial part of any viable information security strategy. Piratica leverages tools, techniques and methodologies used by malicious attackers to assess the information security posture of our clients to identify potential risks. We then document those risks in an after action report that can be used by the client as a roadmap to mitigate any vulnerabilities before a malicious attacker is able to target them.
- When / how frequently should my company have these services done? Best practice is to asses the environment either annually or whenever changes to the environment are made (new servers, new firewalls, new software, etc.).
- Who are your clients? There are generally two reasons to engage an information security company to asses the information security posture of your organization; either your organization has something worth protecting or you suspect that your organization has already been breached. In the case of the former, the client can become a target for attackers (if they’re spending money to protect something, they must have something valuable and worth protecting) who previously didn’t consider them a viable target. In the case of the latter, exposing the fact that an organization may believe that they’ve been breached can result in anything from a PR nightmare to loss of business or stock crash. Because of this, our engagement agreement includes non-disclosure language to prevent us from disclosing our client list and encouraging discretion on the part of the client in disclosing that they have engaged an information security / offensive security company.
- What industry verticals does Piratica service? We do not limit ourselves to any specific industry verticals but have extensive experience in the legal, healthcare, manufacturing, hospitality, retail and energy verticals.
- What does a ‘typical’ engagement ‘look like’? There really are no ‘typical’ clients, every business has it’s own set of processes, procedures, standards, policy and culture that make it unique and contribute to it’s overall value. That said, our typical process for a new client would include the following:
- Initial meeting – Meet with the decision maker(s) and possibly the business unit managers to determine the organizations needs and establish contacts for the remainder of the engagement including primary and secondary contacts and a technical contact. Depending on the organization, this is generally a one to two hour meeting.
- Scope Meeting – Meet with the / a decision maker(s), the primary and secondary contact and the technical contact to establish the Scope and rules of engagement (RoE) for the engagement to draft the Engagement Agreement. Depending on the organization, this is generally a one to four hour meeting.
- Kickoff – Meet with the primary contact to execute the Engagement Agreement. This meeting is generally less than one hour.
- Engagement – Piratica will conduct the engagement per the signed Engagement Agreement. The engagement portion is generally split into an operational phase and a reporting phase. The operational phase is generally between one week and one month and the reporting phase is generally the following week.
- Report Delivery – Meet with the decision maker(s), primary and secondary contact, technical contact, technical support and the business unit managers to deliver the After Action Report. This is generally a multi-part meeting with the decision maker(s) leaving after the Executive Summary and the business unit managers leaving soon thereafter. The technical contact and technical support team generally attend longer to review the findings and start building a roadmap. The duration of the report delivery can vary wildly from two hours to two days, depending on the organization, the engagement and the findings.
- Retest [optional] – In some cases, the client may opt for a follow-up vulnerability scan 30 days after the report delivery to test / validate their mitigation efforts for externally facing vulnerabilities.
- Schedule next assessment – Most clients prefer require or prefer regular (quarterly, semi-annual or annual) testing. Some have planned changes to the environment and want it re-tested after those changes to identify any new vulnerabilities or attack surfaces.
- How much does it cost? Information Security Consulting and training is billed hourly at our standard hourly rate with the duration documented and agreed upon in advance. Offensive security projects (vulnerability scanning, vulnerability assessments, penetration testing, etc.) are priced per engagement with the scope and investment documented in the engagement agreement.