Industry: Financial
Location:UK
Profile: This client is a leading UK-based pension investment company
LRQA Nettitude services deployed:
• Managed Vulnerability Scanning
Vulnerability scanning identifies vulnerabilities within an environment and is much wider in scope than penetration testing. It is used to estimate how susceptible the environment is to different vulnerabilities. Vulnerability scanning uses automated tools that scan an environment on a regular and repeatable basis to generate a report based on risk exposure. Vulnerability scanning does not try to exploit the vulnerabilities and is normally non-intrusive.
• Penetration Testing
Penetration testing goes beyond vulnerability scanning. It attempts to identify and then actively exploit previously unknown weaknesses or vulnerabilities within an environment and is much more rigorous than vulnerability scanning. Penetration testing is not normally an automated process and involves human interaction to a targeted scope. Penetration testing is normally performed infrequently, a few times a year, to a set schedule.
On-boarding the client
Setting up the client for managed vulnerability scanning was smooth and simple, done via
a scoping document and kick-off call. This process is then repeated ahead of six-monthly
penetration tests:
- Steps - Ensuring LRQA has the correct authorisation to perform the test.
- Dates - Confirm the dates of engagement.
- Point of contact - Verified who the point of contact is, and how we want to communicate during the test and all subsequent reports.
- Environment – Determine which environments are included e.g. servers or workstations.
- Firewalls - Assess whether anything is blocking connections or could prevent testing.
- Credentials - Request low-privilege user accounts for testing purposes.
Time period
Three year Managed Vulnerability Scanning
Six-monthly Penetration Testing
Results
Key results:
- Improved security and control
- Rapid identification of vulnerability
- Elimination of blindspots
- Improvement of operation efficiencies
LRQA’s Managed Vulnerability Scanning provided our client with highly accredited expertise, combined with Gartner magic quadrant leading security technology to deliver industry-leading protection.
The services implemented provided the client with a proactive and threat-led approach; informed by our offensive and threat intelligence teams to protect against the latest industry threats.
Regular penetration testing also provides the client with a real-world view of where and how attackers can exploit weaknesses in their infrastructure, networks, people, and processes.
What our client said
“From scoping through to conclusion, our experience with LRQA has been excellent. The scoping documentation is clear and detailed enough to minimize the time required to agree scope/cost and to focus on the testing we need.
The remote testing procedure is straightforward and allows us to execute a test without having to bring a tester physically to site, reducing the work required from our side. The tester was approachable and communicative throughout and did not require us to be constantly available in order for them to execute the test.
Post-test documentation is comprehensive, well laid out, and provides excellent detail and evidence of findings and further reading. Follow-up questions on remediation are also dealt with quickly and concisely.”
