Phase 4 always takes place in the fourth quarter of our collaboration and includes the following:
Fourth penetration test
A fourth penetration test is carried out in the fourth quarter that we work together.
The options for this pentest include: Wi-Fi test, external pentest, internal pentest, physical pentest, …
Usually, an internal pentest is chosen here. In this scenario we assume that an attacker already has a foothold inside the business network, for example after a successful phishing mail or a malware infection.
We then look at what an attacker can do with a low-privileged account (a standard user account without administrative rights). Our expert tries various ways to escalate this account to administrator in order to reach sensitive information.
With administrator rights an attacker can create an additional account and so keep permanent access to the system. They can also, for example, install a hidden connection back to their own machine (a backdoor) that is re-established every time a computer boots, so that they regain access to the network each time.
In this way an attacker can remain unseen for years. Because this persistence is also captured in the backups, those backups can no longer be trusted for a clean restore.
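One check a defender can run for the two persistence mechanisms just described (a freshly created account that is made administrator, and a new service set to start at boot from an unusual location). This is an added example, not the original page's or the provider's own tooling: it works over constructed Windows event records (dicts modelled loosely on a Security/System log export, not real data), and the field names, the one-hour pairing window and the trusted-directory list are assumptions. The event IDs themselves are the standard Windows ones: Security 4720 (user account created), 4732 (member added to a security-enabled local group) and System 7045 (a new service was installed).

```python
"""Flag two persistence patterns in Windows event records:
 - an account created (Security 4720) and added to the local
   Administrators group (Security 4732) shortly afterwards;
 - a new service (System 7045) set to auto-start from a path
   outside the usual Windows/Program Files directories.

Added example; the records and field names below are constructed
for illustration and are not real log data.
"""
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified assumptions,
# not the exact names of the Windows event XML.
EVENTS = [
    {"log": "Security", "id": 4720, "time": "2024-03-01T02:14:05",
     "target": "svc_backup2", "actor": "CORP\\jdoe"},
    {"log": "Security", "id": 4732, "time": "2024-03-01T02:14:09",
     "member": "svc_backup2", "group": "Administrators", "actor": "CORP\\jdoe"},
    {"log": "System", "id": 7045, "time": "2024-03-01T02:20:33",
     "service": "WinUpdateHelper", "image": "C:\\Users\\Public\\upd.exe",
     "start": "auto"},
    # Benign noise: a normal account creation, and a service from System32.
    {"log": "Security", "id": 4720, "time": "2024-03-02T09:00:00",
     "target": "intern01", "actor": "CORP\\hr_admin"},
    {"log": "System", "id": 7045, "time": "2024-03-02T10:00:00",
     "service": "Print Spooler Fix", "image": "C:\\Windows\\System32\\spoolsv.exe",
     "start": "demand"},
]

# Assumed allow-list of directories a legitimate boot-time service lives in.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _t(event):
    """Parse the ISO-8601 timestamp of a record."""
    return datetime.fromisoformat(event["time"])


def find_new_admin_accounts(events, window=timedelta(hours=1)):
    """Pair each 4732 (added to Administrators) with a 4720 (account created)
    for the same account name within `window`. Pairing on the name is a
    heuristic; real logs would also let you join on the logon ID."""
    created = {e["target"]: e for e in events
               if e["log"] == "Security" and e["id"] == 4720}
    hits = []
    for e in events:
        if e["log"] == "Security" and e["id"] == 4732 and e["group"] == "Administrators":
            c = created.get(e["member"])
            if c is not None and timedelta(0) <= _t(e) - _t(c) <= window:
                hits.append({"account": e["member"], "created_by": c["actor"],
                             "elevated_by": e["actor"], "created_at": c["time"]})
    return hits


def find_suspicious_boot_services(events, trusted_dirs=TRUSTED_DIRS):
    """Return auto-start services (7045) whose binary sits outside trusted_dirs."""
    hits = []
    for e in events:
        if e["log"] == "System" and e["id"] == 7045 and e["start"] == "auto":
            if not e["image"].lower().startswith(trusted_dirs):
                hits.append({"service": e["service"], "image": e["image"]})
    return hits


def audit(events):
    """Run both checks and return the findings grouped by type."""
    return {"new_admin_accounts": find_new_admin_accounts(events),
            "suspicious_boot_services": find_suspicious_boot_services(events)}


if __name__ == "__main__":
    for kind, hits in audit(EVENTS).items():
        print(kind)
        for h in hits:
            print("  ", h)
```

On the constructed data the audit flags `svc_backup2` (created and made administrator four seconds later by the same account) and the `WinUpdateHelper` service starting from a user-writable folder, while the intern account and the System32 service pass. The same two questions, asked of an actual event export, are a quick way to see whether a backdoor of the kind described above would have shown up.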
These follow-ups to our awareness training remain part of our standard service and are sent out quarterly. We make them as interactive as possible, for example with questions, videos and pictures about the training given.
In this way we keep the training alive for all participants and help improve cyber hygiene within the organization as much as possible. We want to educate people about all the dangers online and offline, and repetition remains the main driver of success here.
Following on from the previous phase, we continue to optimize our phishing campaigns and website scanning so that the basics keep being addressed and improved. Both services are reported to you monthly, because findings in these areas can and should be acted on quickly.
Our phishing campaigns are in high demand because they are tailored to each individual employee: the mails are adapted to the employee's level. The better an employee recognizes them, the harder the mails become, and vice versa. The mails therefore differ per employee and are also sent at different times.
Employees can always report a mail as phishing with a button in Outlook. This shows us whether they actually recognized the mail as phishing, rather than deleting or ignoring it by accident, which is valuable to us because we usually use these results in our awareness trainings.
Our website scanning consists of an automated scan that tests, among other things, the OWASP Top 10 categories. Further checks are added on top so that the website is analyzed as thoroughly as possible.
The scan is repeated monthly, so newly published vulnerabilities are always included. We consider this extremely important because the website is your company's public point of contact and the easiest place for an attacker to find vulnerabilities or information.
In this quarter we review the full year: what happened, what was fixed, what improvements were made, and what all the results of that year show.
Equally important, we look together at how to tackle things in the coming year and what definitely needs to be improved. This way we review our goals again and set new ones to achieve together.
In this way we can see what still needs to be tackled and adjust the annual planning accordingly.
All of this happens in the fourth phase of our journey. It is accompanied by a virtual quarterly meeting so that we can go over all the reports if needed and answer any questions.
“A company is only as strong – or weak – as its weakest link.
The human factor is usually the weakest link, but it can just as easily be the strongest protection.”