Security Assessment Services

Where are you vulnerable?

Our Penetration Testing services identify those areas of risk that could impact the confidentiality, integrity and availability of your sensitive information prior to a real attack.

Standards Based

Our Penetration Testing is standards based and tied closely to the fundamentals found in the Open-Source SecurityTesting Methodology (OSSTM) and the Penetration Testing Execution Standard (PTES).

Identify and Prioritize

A primary goal of our Penetration Testing is to identify the vulnerabilities and exposures within your network and provide you with an actionable blueprint so that you may effectively prioritize top threats that pose the highest risk to your organization.

Key Performance Indicators (KPI's) and Metrics

We put a great deal of focus on providing our clients with a multitude of KPI's to help track their security posture quarter over quarter and year over year. Also, as a cybersecurity company that has been focused on metrics since we were founded in 2012, we can help answer questions like "How do we compare to other organizations of our same size and/or within our industry". Context matters, its in our DNA.

Compliance Requirements - Yes

Whether its for PCI-DSS, HIPAA, NIST, or CMMC (to name a few), or its a requirement from a business partner, we have you covered. Each Penetration Test includes a member from our compliance team to ensure the engagement addresses the key components needed to satisfy the requirement.

How confident are you in your Incident Response Plan?

A common pitfall that many organizations make is that they will create an Incident Response Plan, but fail to update it as the environment evolves. Whether it’s changes in key technologies in use, employee responsibilities, or the organization’s business processes, if the Incident Response Plan isn’t current, incident response activities may be slow, ineffective or incomplete.

To address these issues, Contextual Security Solutions will review the organization’s Incident Response Plan to verify that it is actionable. Key areas that will be analyzed include the incident response roles and responsibilities, business recovery procedures, data backup procedures, analysis of legal requirements for reporting compromises, coverage of all critical systems and applications, and the reference of response procedures from any regulatory requirements the organization must adhere to.

Have you tested your Incident Response Processes?

If the answer is no, you're not alone. Our tabletop exercises will assess whether your people and processes are in sync when responding to security incidents common within your specific industry. Special attention will be applied to evaluating the efficiency and effectiveness of the processes that the organization employs in detecting, containing, eradicating and ultimately recovering from an incident.

How secure are your Web Apps?

Contextual Security Solutions' web application assessment service can provide your organization with critical visibility into the security posture of those key applications that store, process and or transmit your sensitive data (e.g. ePHI, PII, CHD, etc.).

OWASP Top 10

Our Web Application Assessments are conducted following the fundamentals found in the Open Web Application Security Project (OWASP) Top 10 framework. This approach includes both passive and active testing modes, with the latter compromised of Configuration Management, Business Logic, Authentication, Authorization Session Management, Data Validation, Denial of Service (if requested), Web Services, and Ajax testing.

Manual Testing paired with Automated Dynamic Scanning

Our cybersecurity professionals conduct both Manual Testing / Verification with Automated Dynamic Scanning (using industry recognized tools) to give an accurate view of your web application's attack surface.

Executive Out-Brief

For every service we offer, a detailed Executive Out-Brief is given to go over the report, highlight and provide context regarding those vulnerabilities and exposures that present the most risk to the organization, and answer any related questions.

What are your Security Overlays not seeing?

Can your organization afford to see only one out of every ten security events? Since 2019, we've found that the percentage of security events seen by organizations during a security engagement (penetration test) has been around 10%.

Improve your Visibility

The Attack Visibility Assessment is an engagement designed by Contextual Security Solutions to test the effectiveness of the organization's security overlays. Through the execution of live exercises, the Attack Visibility Assessment focuses on improving the ability and likelihood of the organization's security overlays to detect common attacks (e.g. LLMNR poisoning) and activities that are typically indicators of a breach (e.g. Privileged Account Creation).

_{* Source: Cost of a Data Breach 2023 (ibm.com)}

Contextual Security Solutions has created an annual program for those organizations that must adhere to the New York State Department of Financial Services 23 NYCRR Part 500 Cybersecurity Regulations. Our Base Assessment of Security Elements (B.A.S.E.) NYCRR 500 Program addresses the following key components found in the most recent amendment to the regulation (November 2023):

1) Penetration Testing (500.5): Each covered entity shall conduct, at a minimum, penetration testing of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external party at least annually; and automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;

2) Vulnerability Scans (500.5): Each covered entity shall conduct automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes.

3) Risk Assessment (500.9): Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity; criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

‍4) Incident Response Plan Testing (500.16): Each covered entity shall periodically, but at a minimum annually, test its: incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and ability to restore its critical data and information systems from backups.

Additional Resources

Timeframes for Covered Entities

Timeframes for Class A Businesses

Timeframes for Small Businesses

If you'd like to learn more about our B.A.S.E. NYCRR 500 Program, please click the "Schedule a Discovery Call" button at the top of this page to schedule a 15-minute call with one of our experienced consultants.

‍