FAQ

Looking for an instant answer to a question?

Risk Evaluations

  • What is a cybersecurity risk evaluation, and why should we do one?

    A cybersecurity risk evaluation or an assessment is the process of identifying, analyzing, and evaluating cybersecurity risks that your company faces. 

    You should have periodic cybersecurity evaluations completed to ensure you meet the requirements of business leaders,  are satisfying customer expectations, ensuring investor confidence, and complying with regulator demands.

    Conducting regular evaluations will help you avoid potential breaches and security incidents, reduce costs associated with potential breaches or potentially bad spend on solutions that do not provide a return on investment, and keep you informed of your current cybersecurity maturity and posture levels.

  • What should I expect during a cybersecurity risk evaluation?

    A comprehensive cybersecurity evaluation will include an analysis of your policies, people, processes and technology. The objective is to take the business goals, ensure the policies set the framework, couple those with the people and processes that you rely on to achieve the goals, and ensure the technology is providing the confidentiality, integrity, and availability needed to run a secure environment. 

    There are varying cybersecurity assessments but at the core, they all rely on a framework similar to this.

  • I had a risk assessment performed by another firm and the list of things to fix were overwhelming. We did not know where to start. What makes you different?

    At Elteni, we provide a list too, however, the items are risk-analyzed to highlight the issues that we find pose the biggest risk to your business. The benefit to working with us is we sat in your seat once and we also do not like to see long lists of useless information.

    We evaluate all issues, consolidate where necessary, and provide a meaningful list of things to work on. The best part of the evaluation is not what we identify for you, but what we do to help  remediate them. We provide you with the white glove service you expected from the other firm. We develop a project plan, establish milestone checks, and test any remediation efforts made.

  • Can you build a comprehensive cybersecurity program for us?

    Of course we can! We can put together various services from evaluations, to training, to penetration testing and table-top exercises. We want to build a comprehensive program for you, all while keeping it cost-effective and you guessed it, comprehensive.

    With us cost-effective does not mean you have to sacrifice quality.

  • We already have a comprehensive cybersecurity program, what value can you provide?

    We have no reason to doubt that you do, but we ask you to ask yourself these questions:

    1. What standards are you basing the comprehensiveness of your program on?
    2. Is it an effective program?
    3. How are you measuring the effectiveness of the program?

    If you have answers to these, great, you are on the right track. But in our experience, irrespective of your level of maturity, there is always something to improve on or test. No person or business is 100% secure, however, we sure want to see you get as close as possible to that number. We provide a critical set of eyes with varying degrees of experience in technology, security and compliance, so we may be able to find things that may have been overlooked. 

    We are totally independent from you and your business so we provide unbiased analysis and guidance.

  •  

    Vulnerability Assessments

  • Do I need an external vulnerability assessment?

    Think of it this way. Should you occasionally visit the doctor for a preemptive check-up to make sure nothing is wrong? Of course you should. The same applies to your external network facing devices and servers. The more resources you have exposed to the internet the more frequently you should run preemptive checks to detect potential vulnerabilities. Even if your external network is smaller, occasional vulnerability assessments should be conducted to ensure you are not exposed to known vulnerabilities.

  • Do I need an internal vulnerability assessment?

    Similar to our response for an external vulnerability assessments, internal vulnerability assessments are necessary too. Internal vulnerability assessments  will identify known vulnerabilities across a range of devices including printers, phones, video cameras, etc. These items are usually not found during external vulnerability assessments because they are not internet facing. An internal vulnerability assessment will also provide verification of your patch management program.

  • Are there other types of vulnerability assessments?

    Yes, there are several other types of vulnerability assessments such as wireless, application, configuration, database, etc. These types of assessments are more focused in one specific area. Oftentimes an internal or external assessment will include some higher level analysis of the above-mentioned assessments.

    If you are in need of a specific type of assessment, contact us to discuss the options we have available for you.

  •  

    Penetration Tests

  • Do I need an external penetration test?

    Yes you do! If you want a certain level of assurance that your external network can withstand certain attacks by external threat actors, an external penetration test will provide you with insights of how penetrable or impenetrable your defenses are.

    If you are a regulated entity, you almost certainly have to do these to comply.

  • Do I need an internal penetration test?

    Yes you do! If you want to ensure your internal controls can detect or prevent physical threats such as the plugging in of an unauthorized device into the network, or from malicious acts or unintentional threats from employees, or from external attacks that may have successfully made it past the perimeter security, these tests are a valuable tool in your cybersecurity arsenal.

    If you are a regulated entity, you most likely have to do these to comply.

  • Can you provide red team services?

    We most certainly can. For those looking for an even more comprehensive test that comprises of external penetration testing, social-engineering, and physical analysis, reach out to discuss your options.

  • Most people request penetration testing or red team services, but can you offer blue team support?

    Lucky for you we can. We spent many years building all sorts of technology solutions including standing up data centers from ground-up with various layers of hardware, software, and security solutions. We were tasked with hardening systems, to setting up monitoring of them. That means we have also seen varing types of logs and have had to analyze them in different capacities.

    We can provide additional support to your IT and information security teams to help improve the defensive capabilities.

  • Do you offer purple team services as well?

    We excel at this. We are happy to play both sides. We have defended networks from attacks, and also attacked networks to test security controls.  We can provide you with valuable information to help you make truly informed decisions about detecting, preventing, and responding to cyber attacks.

  •  

    Other Services

  • Can you help us test our incident response plan?

    Absolutely, need a seminar to get your folks trained in incident response? Or maybe you want an operations-based exercise targeting only certain groups in your business? Or you are ready for a full table-top exercise that incorporates key stake holders?

    We’ll work with you design the scenarios and facilitate the entire exercise process.

    Read about testing your incident-response plan here: https://www.elteni.com/incident-response-plan-how-do-you-move-from-developing-one-to-testing-it

  • We have more unique cybersecurity needs, what else can you do?

    Take a list of the cybersecurity services we offer here: https://www.elteni.com/cybersecurity-services.

    We understand that certain business need specific help with various projects. If you are looking for help with research, analysis, or implementation we can help. Give us a call so we can talk through your needs.

  • We are in need of awareness training, do you offer that?

    Of course we do, and if that is all you need we are happy to do it. We understand that awareness is a key element to a successful cybersecurity program. If you need us to develop custom training, or even provide interactive examples, we are happy to develop a unique solution just for you.

    We can provide phishing, social-engineering, individual, group-based or company-wide training.

  • Can you assist with incident response?

    Yes! Many of our clients want us to be their first call. This is not a problem for us because we maintain relationships with complementing providers that can help support your incident response needs. From outside counsel to authorities and other forensic firms, we have you covered.

  •  

    General

  • We do not have a huge budget, can we afford your services?

    We understand that addressing cybersecurity risks sounds expensive but the reality is there are solutions to fit every budget. We do not force you into a bundled service that is expensive or potentially overlaps with things you are already doing.

    We want to ensure you get the most value out of a relationship with us, so we provide you with all of the transparency you need to make an informed decision. We never try to sell you something we know you do not need.

    We want to complement your program, so we fit in where you need us the most.

  • Do you offer forensic services?

    We do not currently advertise forensic services, however, there are certain situations where we will provide this to clients. We have a great deal of experience in how applications, systems and networks work and and we also know the common threats that affect your environment. We have a pretty comprehensive analysis program and package but only offer it on a limited basis.

    Reach out and speak to us about your situation to determine if it meets our minimum requirements.