© 2018 RSM US LLP. All rights reserved.
IT Security Testing
IT security testing uses technical methods to identify findings supporting the broader enterprise risk management program.
Security testing addresses a range of organizational needs: regulatory-required testing, testing of new solutions before deployment, and validation of operational processes (e.g., patching, configuration management or change management). In each case the technical findings feed the broader enterprise risk management program rather than standing alone as a list of vulnerabilities.
A thorough IT security testing approach looks at security vulnerabilities from several perspectives:
- Systemic issues: Testing results are used to identify the root causes behind recurring classes of findings (for example, a gap in the patching process rather than an individual missing patch), so that remediation addresses the cause rather than the symptom.
- Multifactor risks: Security testing should translate technical risks into regulatory compliance, legal and operational risks. Two vulnerabilities may be technically identical but still present vastly different risks, depending on the system, applications, data or business processes they affect.
- Consistent frameworks: How do you know if testing was done completely and correctly? How do testers validate that they performed the appropriate levels and types of penetration testing? At RSM, we base testing methodologies on widely accepted frameworks, such as the Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP) testing guides, the Penetration Testing Execution Standard (PTES) and the SANS Institute's Security Consensus Operational Readiness Evaluation (SCORE).
- Controls assessments: Assessment data is valuable for validating the effectiveness, or even the existence, of controls and processes. Checklist-style audits work well for assessing the policies that govern controls, or for spot checks of specific systems, but full security testing is often needed to validate the effectiveness of technical controls across an enterprise. Processes tested can include patching and vulnerability management, configuration management, the systems development life cycle, security monitoring and incident response, security awareness training, data loss prevention and data protection.
A robust IT security program will test the system with several specific approaches:
- Vulnerability assessment: Vulnerability assessments use a largely automated approach to identify known vulnerabilities in network assets, including network devices, operating systems and applications. RSM recommends that these assessments be performed at least quarterly.
- Network penetration testing: Penetration tests demonstrate how a malicious actor might breach your organization so that the weaknesses can be fixed before a real attacker finds them. During a penetration test, RSM consultants act as an unauthorized user and attempt to breach the organization, with the ultimate goal of compromising your networks and data. The tests seek to exploit weaknesses in externally facing systems, the internal network, mobile devices, logical devices and wireless systems.
- Adversarial simulation: An adversarial simulation uses the same basic approach as penetration testing, but is performed over a longer period and with the primary goal of remaining undetected, emulating the tactics used by real-world adversaries. This type of testing measures the effectiveness of an organization's detective controls and incident response processes.
- Application testing (web, mobile, thick client): Application testing identifies critical application vulnerabilities that may be leveraged to breach systems and applications or to gain access to sensitive data. During this testing, RSM consultants focus on identifying the vulnerability classes in the OWASP Top 10. The testing can be performed on web, mobile and thick-client applications and includes both dynamic analysis of the running application and static analysis of its source code.
- Social engineering testing: Social engineering testing assesses the security awareness of your employees through tactics that include email, phone and USB drops.
- Wireless testing: This testing determines if wireless technologies present an unacceptable level of risk, including their configuration, hardening, usage and security of endpoints (e.g., laptops and mobile devices).
- Database testing: Database testing provides penetration testing and security audits of databases, including Microsoft SQL Server, Oracle and MySQL, along with a review of the database environment and associated documentation.