Oxens has served the cyber security industry since its inception in 2015.
We are headquartered in Singapore and have remote offices in Asia-Pacific.
With over 500 security projects delivered successfully, we are a leader in next-generation information security services.
We partner with companies and offer them an integrated portfolio of information security services, such as vulnerability assessment and penetration testing.
Our management team comprises visionaries in the information security industry, who with their diverse backgrounds help provide full-spectrum visibility of enterprises’ security posture.
Our consultants are best known for their exceptional skills in solving complex information security problems in large organizations; they possess in-depth understanding of technology, have a clean background, follow a strong sense of ethics, and have credentials from industry-leading certifications:
CREST CRT, CISSP, CISA, CISM, OSCP, OSCE
CYBER SECURITY SERVICES
Vulnerability Assessment & Pen-Test (VAPT)
Web / Mobile Application Pentest
Application Security
Source Code Review
Cybersecurity Awareness Training
Digital Forensics and Incident Response (DFIR)
Governance, Risk and Compliance (GRC)
Systems Security Acceptance Testing (SSAT)
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Vulnerability Assessment is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities. A combination of automated and manual scans may be performed on the organisation’s IT systems or network to identify flaws that could be exploited during an attack. The systematic approach of identifying, quantifying, and ranking security vulnerabilities enables organisations to select the critical vulnerabilities to resolve based on their available resources. Without such assessments, there is a risk that the IT infrastructure is not sufficiently secured. It is recommended that organisations perform a vulnerability assessment of their IT infrastructure on a quarterly basis, and assess their applications on a yearly basis.
The difference between vulnerability assessment and penetration testing is that the former helps to discover the security loopholes present in an organisation’s systems but does not exploit the vulnerabilities. The latter is employed to demonstrate how damaging security vulnerabilities could be in a real cyber-attack. As these two approaches serve different purposes, they are often used in tandem to provide a comprehensive picture of the security deficiencies that exist within the IT infrastructure and applications, and of their potential impact.
Vulnerability Assessment involves a cyclical three-phase process: conducting the assessment, identifying exposures, and addressing exposures, followed by a re-assessment to ensure that the identified vulnerabilities have been rectified.
Assessment
The two main objectives of this phase are the planning and execution of the vulnerability assessment. Planning includes information gathering; defining activity scope, roles and responsibilities; and informing the relevant personnel of the process. Execution includes interviewing system administrators, reviewing IT security policies, and scanning of security vulnerabilities.
Identify Exposures
This phase includes a variety of tasks performed to the specifications and needs of your organisation. Generally, it includes the review of results from the previous phase and the identification of remedial actions for the vulnerabilities.
Address Exposures
An investigation needs to be carried out to determine whether the vulnerable services are required. If the affected services are not essential, they should be disabled. Required services with security weaknesses must be patched or rectified, and management needs to be informed of unpatched vulnerabilities and residual risks.
Penetration testing, or pen-testing, is one of our most in-demand services and we take pride in having delivered over 1000 successful projects. Pen-testing is a critical method of evaluating the security of information systems or networks by simulating an attack on them by a malicious hacker. The process involves an active analysis of the system for any weaknesses, security flaws, or vulnerabilities, and is carried out from the perspective of a potential attacker. Pen-testing involves active exploitation of security vulnerabilities. The goals of a penetration test vary depending on the type of approved activity for any given engagement. The primary goal focuses on finding vulnerabilities that could be exploited by a nefarious actor and advising the client of those vulnerabilities along with recommended mitigation strategies. A well-planned penetration test on a system may include all of the following steps: finding an exploitable vulnerability, designing an attack around it, entering the system, and exploiting the entry for information recovery.
One of the key challenges for organisations today is how to safeguard their information systems and digital infrastructure from attacks by malicious hackers and cybercriminals. Further difficulties are how to prevent the increasing number of ransomware attacks that plant malware on their systems, and how to make use of robots and artificial intelligence to help fight malware with worm capabilities.
No matter how certain organisations are about their defences, there are always risks to their security because of the frequent changes and updates made to their digital infrastructure. Cybercriminals adopt ever savvier methods to target them, which leaves organisations wondering how to stay on top of their security.
Our Methods
The CREST-approved method of penetration testing used at Oxens combines black box (no knowledge of the target system) and white box (partial understanding of the system) approaches.
We focus on knowledge exchange with our clients during all penetration test projects and consulting services.
In addition to a project’s final report, we deliver several presentations to the executive management and technical teams of the client organisations. These presentations are accompanied by comprehensive training that guarantees a thorough understanding of methods used during the penetration testing and full comprehension of the prepared recommendations.
Our method ensures a rapid implementation of recommended changes and provides immediate security improvements.
Penetration tests also boost security interest among clients’ personnel, which in the long term has an exceptionally beneficial effect on the overall security of their information systems. During penetration tests, we use a combination of industry-standard security tools as well as self-developed proprietary tools and techniques.
We present all identified security vulnerabilities to the clients with a risk assessment and recommendations for risk mitigation. For each finding, we also explain and rate the risks involved, the complexity of our recommendations, and the effort estimation for implementation of the proposals to help the clients in decision making.
Our Pen-testers
Our pen-testers have a solid and extensive background in information security consulting services, including architecture and design, development, integration, deployment, quality control, and comprehensive program management.
They are best known for their strong skills in solving complex problems in large heterogeneous enterprises, vulnerability assessment, and red team assessment. They are particularly adept at penetration testing and hold industry-leading credentials, including professional certifications in penetration testing.
Malicious hackers often attack web applications. Hence, web application security testing is of paramount importance.
Our method for web application penetration testing involves end-to-end testing of web applications, including dynamic (or external) security testing and static (or internal) security testing, and seeks to address the following principal sources of security issues:
SQL Injection (SQLi)
Injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.
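To make the "untrusted data sent to an interpreter" point concrete, here is an added example (not Oxens' code) that places a string-built login query beside its parameterised form. The table, rows and the hostile input are constructed for the demonstration; the query structure and column names are assumptions.

```python
import sqlite3

# Constructed sample data: a hypothetical users table for a login lookup.
CONSTRUCTED_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def connect():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Builds the SQL text by concatenation. The untrusted input becomes part
    of the command, so the interpreter cannot tell data from query structure."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn, username, password):
    """Keeps the SQL text fixed and binds the input as parameters. The driver
    passes the values as data, so no input can alter the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both lookups with a constructed hostile password value.

    Returns (vulnerable_result, parameterised_result): the concatenated query
    matches every row, while the parameterised one matches nothing because the
    whole string is compared literally against the password column."""
    conn = connect()
    hostile_password = "' OR '1'='1"
    return (lookup_vulnerable(conn, "alice", hostile_password),
            lookup_parameterised(conn, "alice", hostile_password))


if __name__ == "__main__":
    vulnerable, parameterised = demo()
    print("concatenated query returned:", vulnerable)
    print("parameterised query returned:", parameterised)
```

A legitimate credential pair still matches under the parameterised form, which is the check a code reviewer would want to see alongside the hardened query.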
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens. Other implementation flaws can also get exploited to assume other users' identities temporarily or permanently.
Sensitive Data Exposure
Many web applications and APIs do not adequately protect sensitive data, such as financial, healthcare, and Personally Identifiable Information (PII). Attackers may steal or modify such weakly defended data to conduct credit card fraud, identity theft or other crimes. Sensitive data can be compromised without extra protection, such as encryption at rest or in transit, and special precautions are required when data is exchanged with the browser.
XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file Uniform Resource Identifier (URI) handler, to reach internal file shares, to perform internal port scanning and remote code execution, and to mount denial of service attacks.
Broken Access Control
Restrictions on what authenticated users can do are often not adequately enforced. Attackers can exploit these flaws to access unauthorised functionality and data. They can access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
Security Misconfiguration
Security misconfiguration is the most commonly seen issue and is usually a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but patched and upgraded in a timely fashion.
Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialisation
Insecure deserialisation often leads to remote code execution. Even if deserialisation flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, the attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.
Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows adversaries to attack systems further, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach is on average over 200 days, and breaches are typically identified by external parties rather than by internal processes or monitoring.
Our method involves end-to-end testing of mobile applications on the iOS, Android, and Windows Mobile platforms and seeks to address the following critical causes of vulnerabilities:
Improper Platform Usage
Inappropriate usage of mobile software platforms covers misuse of specific platform features or failure to use platform security controls. It might include Android intents, platform permissions, abuse of TouchID, the Keychain, or some other security controls that are part of the mobile operating system. There are several ways that mobile apps can experience this risk.
Insecure Data Storage
Insecure data storage covers aspects of storage of sensitive data without encryption and unintended data leakage.
Insecure Communication
Insecure communication often involves poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.
Insecure Authentication
Insecure authentication covers weaknesses in authenticating the end user and in session management. It includes failing to identify the user at all when identification is required, failing to maintain the user's identity when that is necessary, and weaknesses in session management.
Insufficient Cryptography
Many vulnerabilities in mobile applications arise from insufficient cryptography: the software applies cryptography to a sensitive information asset, but the cryptography can be inadequate in many ways. Note that anything related to TLS or SSL falls under insecure communication (mentioned above), and a failure of the application to use cryptography at all when it should falls under insecure data storage (discussed above).
Insecure Authorisation
Authorisation is the process of allowing authenticated users to access the resources by checking whether they have access rights to a system. Authorisation helps to control access rights by granting or denying specific permissions to authenticated users. An insecure authorisation can lead to failures in authorisation (e.g., authorisation decisions on the client’s side, forced browsing, etc.).
Client Code Quality
Client code quality is synonymous with "Security Decisions Via Untrusted Inputs". This category is one of the less commonly used ones and serves as a catch-all for code-level implementation problems in the mobile client. This class captures problems such as buffer overflows, format string vulnerabilities, and various other code-level issues for which the solution is to rewrite some of the code running on the mobile device.
Code Tampering
Code tampering covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.
Once the application gets delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker with a direct method of subverting the intended use of the software for personal or monetary gain.
Reverse Engineering
Reverse engineering involves the analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. Such an approach may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back-end servers, cryptographic constants and ciphers (or cyphers), and intellectual property.
Extraneous Functionality
Developers often include hidden backdoor functionality or other internal development security controls that are not intended to get released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid application. Another example comprises the disabling of a two-stage authentication during testing.
The more our world revolves around the internet and technology, the more essential becomes cybersecurity. Modern business systems in large organisations can comprise several thousand software applications hosted on servers residing in many different data centres across various countries.
Software applications are complex and can have various types of security issues. The issues can stem from poor or inadequate coding practices to misconfigured servers and everything in between. Addressing challenges like these requires introducing a culture of security to all the key personnel involved in strategy development, system design, transition, and operations in order to deliver a complete perspective on security. Our DevSecOps practice aims to address just that.
To this end, we provide the following application services:
Source Code Review
Code review is perhaps the most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost-effectiveness of an application security verification effort.
Code review is the process of auditing the source code of an application to validate that appropriate security controls are in place, that the controls work as planned, and that they are invoked in all the right situations. Code review is imperative to assure that software developers are following secure development practices.
A penetration test should not discover any additional application vulnerabilities relating to the developed code after the application has undergone a proper security code review.
A skilled reviewer can understand the context of specific coding practices and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach.
Our consultants combine advanced tools and technology to assess large amounts of code and point out possible issues. They then manually examine each item to establish whether it is a real problem, and exploit confirmed issues to realise their potential impact and probability of occurrence. They also analyse whether there are any significant blind spots and give appropriate advice.
Secure SDLC and Application Security (DevSecOps)
The DevSecOps program is based on the idea that everyone is responsible for security. Retrofitting current solutions is no longer sufficient as hackers have changed the rules and enjoy the advantage of being on the offensive. It is imperative that organisations adopt equally offensive and proactive countermeasures akin to those chosen by the hackers.
Oxens helps organisations assess the maturity of their processes and suggests improvements. It assists in adopting best practices with respect to security and helps integrate them with existing development and operations practices. We make sure that this is done without compromising on cost, timeline, and quality, with a particular focus on building security testing into the development and automation processes. Where required, DevSecOps helps layer in overarching policies and procedures that assist with the integration between traditional information security and development teams.
To this end, we encourage a culture that emphasises partnership and communication between software developers, security professionals, and other IT professionals while streamlining the procedure of software and infrastructure delivery.
We also help our clients assess and put in place processes to handle the shift from waterfall to continuous iteration, and to write customised security user stories for each application or software service under development.
Our profound insight into the most current and active technology enables our clients to implement the correct tools effectively without having to learn, understand and assess the broad technology landscape in this area. We focus on tools for process enablement, training, testing, and orchestration.
Application Performance Testing
Performance testing is a testing practice performed to determine how a system comprising computers, servers, network, software programs or devices performs regarding responsiveness and stability under a particular workload.
It may also include investigation, measurement, validation or verification of other quality attributes of the system, such as scalability, reliability and resource usage. The entire process can involve multiple quantitative tests in a lab to measure the response time or the number of instructions processed per unit of time.
Performance testing strives to build performance standards into the implementation, design, and architecture of a system.
We provide bespoke performance testing services covering Load testing, Stress testing, Soak testing, Spike testing, Breakpoint testing, Configuration testing, Isolation testing, and Internet testing.
Our performance testing efforts are goal oriented and seek to measure the performance criteria or to compare two systems to determine which performs better. They can help to identify which parts of the system cause it to perform poorly.
Oxens can assist organisations in comprehensive test management of web and mobile applications.
Application Troubleshooting
We provide platform-agnostic troubleshooting services to organisations across industry verticals for web and mobile applications.
The level of support we provide to organisations generally pertains to issues that remained unresolved by their technology operations or support teams.
The troubleshooting can include analysing the applications, databases, configurations, server logs, processes, services, the audit trail, the code, etc.
Our method of problem-solving focuses on an advanced and systematic analysis of the sequence of events in order to understand the relationship between causal factors and the defined problems. This allows us to recommend appropriate and effective remedial actions.
Our experts are adept at employing industry best practices to overcome barriers to problem-solving. They aim to methodically identify and address the causes of events and not just tinker with symptoms.
Cybercrime has gone pro. More than ever, your users are the weak link in your network security. They need to be trained and then stay on their toes, keeping security top of mind.
We deploy the world’s largest integrated Security Awareness Training and Simulated Phishing platform with tens of thousands of active enterprise accounts. You finally have a platform to better manage the urgent IT security problems of social engineering, spear-phishing, and ransomware attacks and at the same time stay compliant with industry regulations like PCI, HIPAA, SOX, FFIEC and GLBA.
Find out where your users are in both security knowledge and security culture as you start your security awareness program with our Assessments. You now have the ability to send a skills-based assessment and a security culture survey to your users from your console. Both assessments are strongly based in assessment science and allow you to measure the security knowledge and proficiency of your users and your organization’s overall security culture posture over time.
With world-class, user-friendly, new-school Security Awareness Training, Our platform gives you self-service enrollment, and both pre-and post-training phishing security tests that show you the percentage of end-users that are Phish-prone. Our highly effective, frequent, Phishing Security Tests provide several remedial options in case an employee falls for a simulated phishing attack.
Your users get a fresh new learner experience with the revamped end-user interface - making learning fun and engaging. Our localized training interface is available in multiple languages, giving your users the option to choose the language they're most comfortable with for an immersive training experience. With the optional customization features to enable gamification, your users can compete against their peers on leaderboards and earn badges while learning how to keep your organization safe from cyber attacks.
To simplify how you roll out and manage different training programs for your users, you can now use your platform for your in-house training content or other licensed corporate training. You now have the option to upload your own SCORM-compliant training and video content - at no extra cost.
With the Virtual Risk Officer and Advanced Reporting features, you get the most accurate view of the effectiveness of your security awareness training program. With an integrated deep learning neural network, you get detailed reports that help evaluate how your organization’s risk changes over time and truly measure the performance of your training program and understand where improvements need to be made to strengthen your human firewall.
Effective security awareness training is hard. Today’s security awareness teams often don’t have the support, time, or resources they need to be successful and/or are missing the skills and experience to effectively create a fully mature security awareness program. To help you get started we’ve taken away all the guesswork with our Automated Security Awareness Platform. It helps you to implement all the steps needed to create a fully mature training program in just a few minutes.
Find out how tens of thousands of organizations have mobilized their end-users as the last line of defense.
Oxens can help organisations investigate cybersecurity incidents and develop an adequate response.
The primary goal of an incident response is to examine which vulnerabilities were exploited by the adversary, to understand how the adversary attacked the systems, which systems and credentials were compromised, and what information has been exposed. In addition, digital forensics is used to perform a systematic investigation while documenting the chain of evidence. It is important to discover exactly what transpired on the digital systems and who was responsible for it.
Our Digital Forensic and Incident Response (DFIR) service includes the technical investigation of and response to cyber attack incidents. It identifies the initial attack vector to determine the extent of the incident. The service also aims to recover lost information, which involves the retrieval and examination of evidence found in digital devices.
Our method usually replicates the step-by-step actions of an attacker. We conduct an in-depth forensic investigation of suspected malicious network security incidents, and we carry out an investigative analysis of computers, mobile devices, networks, memory drives, databases, logs, files, etc. This is important to gather information and evidence and detect intrusion. As a consequence, we can discover and analyse patterns of fraudulent activities resulting from criminal activities.
The service includes analysing the incident, assisting enterprises in responding to it, and removing the attacker from their network.
Our DFIR service offers a portfolio of incident response processes to investigate and respond to cybersecurity incidents that hit organisations.
Enterprise Incident Response Service
The Enterprise Incident Response Service helps organisations respond to cybersecurity incidents.
Our method includes identifying the initial attack vector, determining the extent of the compromise, understanding the attacker’s methods, and developing an action plan to remediate. The investigation will follow the evidence of cyber attacks.
Rapid Response Service
The Rapid Response Service helps organisations to triage security incidents. It includes scoping and identifying systems of interest, artefact collection, incident analysis, developing an action plan, and reporting.
The scoping defines the set of hosts to be investigated. Starting from this scope, we follow the evidence in order to understand the attacker’s techniques.
Digital Forensic Investigation
Our Digital Forensic Investigation service is deployed when forensic imaging is required, including full drive imaging.
This service is delivered either as part of our Enterprise Incident Response and Rapid Response services or on a standalone basis, for example as e-discovery in a credit card leakage scenario.
Our method involves scoping and identifying systems of interest, forensic imaging, forensic analysis, preparing an action plan, and reporting.
Tabletop Exercise
Oxens Tabletop Exercise enables organisations to prepare for potential future security incidents. The exercise includes a brief assessment of the incident response capability and simulation of the incident response process.
This service tests whether an organisation is operationally ready to face an incident. The testing is based on a simulated scenario in a workshop and examines how an organisation’s primary stakeholders respond to the scenario.
Our method involves scenario discussion and planning, workshop exercise with targeted audiences, gap analysis, and preparing an action plan.
Cyber Incident Response Plan (CIRP) Assessment
A cybersecurity incident is a disturbing event that threatens confidentiality, integrity, or availability of organisational information assets.
Cybersecurity incidents can include the unintentional or intentional disclosure of sensitive or protected information, data breaches, data theft, intrusions such as cyber attacks on networks, and full-blown system compromises by external attackers, as well as faulty operational processes being exposed or exploited by members of an organisation’s own staff.
Information security incident management involves the monitoring and detection of security events on information assets and the execution of appropriate responses to those events.
A Cyber Incident Response Plan (CIRP) is a specific form of incident management plan. Its primary objective is to define a well-understood and predictable response to cybersecurity incidents. By implementing CIRPs, businesses can be proactive about cybersecurity and prevent potential damage.
The members of staff most likely to deal with cybersecurity incidents are the organisation’s IT security teams.
Our CIRP Assessment service enables organisations to get their CIRP reviewed to deal with potential future cyber incidents effectively. We analyse organisations’ current CIRP and recommend changes based on industry best practices. The assessment is based on a document evaluation in order to examine specific policies, standards, processes etc. that are in place to respond to an incident.
Our method includes document collection, workshops with the stakeholders, gap analysis, and reporting.
The service includes strategic consultancy after the assessment of the incident response capability of an organisation.
Information Security Audits
An information technology (IT) audit is the examination and evaluation of an organisation’s IT infrastructure, and their policies. The audit determines whether the existing IT controls protect corporate assets adequately. It ensures that data integrity aligns with the overall business goals and provides opportunities to improve.
On the other hand, an information security (IS) audit examines the maturity of information security in an organisation. IS auditing can have a broad scope. There are several types of IS audits: technical, physical, or even administrative. They all have different objectives and can require, among others, the examination of facilities and infrastructure.
With our expertise and proven record, organisations will successfully overcome the challenges of IS audits.
Some of the key benefits:
- Help organisations to assess the objectives of the information security audits and their scope.
- Help to frame a strategy, including defining the procedures to deal with audits.
- Assistance in the identification of cybersecurity risks, including monitoring and control of organisational information assets.
- Setting up a benchmark for delivering continuous improvements of audits.
Information Security Risk Assurance
Our Information Security Risk Assurance service and associated workshops help enterprises identify risks and allow them to make the most of their security investments.
We determine flaws or gaps in organisations’ existing security policies, procedures, and controls in order to assist them with information security risk management. These international standards-based services for security, privacy, and continuity provide a proven basis for minimising business risks and maximising return on investments.
Transforming security and digital protection requires a measured and skilled approach. We help to protect organisations’ digital information infrastructure by mitigating risks and analysing evolving security compliance landscapes. To put the right security and privacy controls in place is crucial.
We can help enterprises define their strategy, to mature or to remediate gaps in their security systems.
Our risk assurance services can assist with:
- Risk identification, management, and mitigation.
- Risk assessment as to whether the level of organisations’ cybersecurity investment links to their business objectives.
- Gap analysis as to the current state of organisations’ IS program for improvement.
- Framing a business case for security managers in order to help them get their key stakeholders’ buy-in for enforcement of IS policies.
- An assessment whether organisations have the right controls in place.
- Prioritisation of changes to technology and systems, review of operations, and implementation of evolving regulatory requirements.
Information Security Compliance
Our information security compliance portfolio is a collection of services designed to create and adopt a security strategy that addresses the organisation's key security risks. Consequently, we ensure that the enterprise's security function becomes adaptable to business performance drivers without increasing the risk of failing compliance mandates.
We offer advisory and consulting services to help organisations assess their current state and implement the required changes.
We help organisations to adhere to the following compliance and regulatory frameworks:
ISO 27001 Implementation
The ISO/IEC 27000 family of standards helps organisations to keep information assets secure.
Using this family of standards will provide security of assets, such as financial information, intellectual property, employee details, or information entrusted to companies by third parties.
ISO/IEC 27001 is the best-known standard in its family, providing requirements for an information security management system (ISMS).
Oxens has expertise in helping organisations to build robust and effective ISMS.
Payment Card Industry Data Security Standard (PCI DSS) Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations of any size that accept credit card payments from the major card schemes.
The PCI Standard is managed by the Payment Card Industry Security Standards Council. In order to protect credit card data, it enforces security controls by mandating organisations to comply with their rules.
Some of the PCI DSS rules require organisations to provide the PCI SSC with evidence that the standards have been met throughout the year.
Oxens can help organisations to perform a gap analysis. We also provide consulting on, and implementation of the ever-evolving PCI DSS compliance requirements.
The key benefits of the service are:
- Assessment of enterprises’ current state in relation to the PCI DSS requirements.
- Gap analysis and consulting about how to continue to meet the compliance requirements.
- Establishment of PCI DSS requirements and solution baselines for future references.
- Secured networks, protected cardholder data, well-managed security program including IS policies.
- Ability to remain on top of the ever-changing regulatory and compliance frameworks.
Threat and Vulnerability Risk Assessment (TVRA) Compliance
Threat and Vulnerability Risk Assessment (TVRA) is a method to identify cybersecurity threats to data centres. It explores operational weaknesses in data centres in order to determine the level and type of security that should be established to protect the facility.
In the financial services industry, the security requirements are amongst the most stringent. Various government bodies require financial services providers to comply with local regulatory requirements. In many instances this also affects foreign firms that are engaging in local business activities, which adds complexity for businesses operating both locally and transnationally.
Financial institutions are often required to undergo TVRA assessment, such as auditing of data centres for security, evaluation of the safety controls, including hosted data centres, in order to demonstrate that their data centre assets meet the legal requirements.
The analysis of threats and vulnerabilities relating to data centres varies, depending on several factors: the criticality of a data centre, the geographic location, the tenant type, the potential impact from disasters, the political environment, etc.
Oxens can help organisations to comply with the requirements of protecting and safeguarding their technology assets with a risk-based TVRA approach. We apply the method to every asset individually, depending on the elements that have to be assessed.
Our approach comprises different phases, such as the identification of perceived critical threats, a risk rating in terms of impact and probability, a detailed analysis of how such threats may impact an asset directly or indirectly, and assistance in drafting a remediation plan within the given constraints.
We deliver the following key services:
- Vulnerability assessment.
- Cataloguing of organisational IT resources, including assets and capabilities.
- Identification of sources of greatest threats by assigning a risk-based quantifiable value and importance to the resources in order to highlight which configurable items are prone to the highest levels of threat.
- Identification of the vulnerabilities or potential threats to each endpoint.
- Mitigation or eradication of the severest vulnerabilities for the most valuable resources.
General Data Protection Regulation (GDPR) Compliance
The General Data Protection Regulation (GDPR) is binding on organisations processing personally identifiable information (PII) of individuals inside the European Union (EU).
The regulation applies to all enterprises that are conducting business in the European Economic Area. The GDPR provides rules in connection with transferring personal data outside of the EU.
Business processes in which personal data is handled require data protection by design and by default. Personal data must be stored using encryption and the highest-possible privacy settings must be used by default. Data must not be available publicly without explicit consent.
Oxens has the expertise to help organisations to comply with the requirements of GDPR.
Monday - Friday: 9am - 5pm
Saturday - Sunday: Closed
Copyright © 2021 Oxens Cyber Security - All Rights Reserved.