Services
TCG offers a myriad of services globally to a variety of clients. TCG has operated in Southeast Asia, Europe, Africa and the Americas. TCG takes advantage of strategic partnerships and dynamic personnel to achieve clients' goals effectively and in a timely manner.
Managed Cyber Security Services
The Clavis Group delivers agile managed security services that work the way our clients want, enhancing their existing security program, infrastructure and personnel while relieving the information security and compliance burden.
By gaining a detailed understanding of each client’s needs, The Clavis Group combines deep security expertise and proven operational processes with industry-leading monitoring and threat prevention platforms to improve security and address compliance with regulations such as PCI DSS, HIPAA, GLBA, Sarbanes-Oxley, and others.
IT Audit & Advisory Services
The Clavis Group provides a wide range of audit and advisory capabilities that can assist with an organization’s business and regulatory requirements and provide a starting point for building a successful compliance program. Enterprise risk assessments and focused IT risk assessments are fundamental to understanding the current risk and compliance posture of any organization and are typically done prior to any other assessments or audits. In addition, TCG can help an organization design or improve existing documented policies, procedures, and controls, review processes, and support an organization through regulatory compliance efforts.
TCG’s assessment methodology may follow standard frameworks including NIST, ISO, COBIT, ITIL, and COSO or be custom-tailored to meet the organization’s needs. TCG can provide expertise to cover a wide range of audit, risk, and compliance objectives.
Vulnerability Assessments
Our testing may strictly conform to standard public methodologies or be custom-tailored to meet an organization’s needs. TCG can provide testing on a large range of device types and applications covering network, server/workstations, mainframe/mid-range systems, virtual machines, SCADA, wireless, VoIP, mobile, web, databases, software, etc.
Below are the different types of vulnerability assessments TCG conducts:
Network Vulnerability Assessment – Identifying, analyzing, and reporting on network-based vulnerabilities of systems.
Configuration Assessment – Identifying, analyzing, and reporting on host-based vulnerabilities and insecure configurations covering both networked and non-networked applications and services.
Application Assessment – Focused, in-depth vulnerability analysis or source code review of applications covering web apps and services, database, software, and mobile applications.
Penetration Testing
A penetration test is a detailed review of an organization’s overall defense effectiveness by simulating a hacker targeting an organization’s network and data assets. Testing is performed manually, includes active exploitation, is multi-vectored, and often reveals many findings that a standard vulnerability assessment misses. In addition, a penetration test has a goal or “trophy” in mind such as gaining access to confidential client information, intellectual property, administrator access, etc. Penetration testing is best used to test the effectiveness and resiliency of a mature security defense where a vulnerability management process already exists.
A penetration test typically involves performing information reconnaissance about a target organization, network mapping and system fingerprinting and enumeration, identifying vulnerabilities, exploitation, gaining and maintaining privileged access, evidence gathering, cleaning up, and reporting. The penetration test can be conducted externally from the Internet acting as an outsider and/or internally from inside the corporate LAN acting as a malicious insider. Different types of penetration tests can be performed with different goals in mind: a “white box” test, which can leverage data from provided information or a vulnerability assessment, and a “black box” test, which is performed with limited knowledge of the organization’s assets and defenses.
Below are the different types of penetration tests TCG typically conducts:
Network Penetration Testing – Involves hacking an organization’s network using network-based attack vectors. Client-side attack vectors, which include a few social engineering techniques, can also be performed.
Application Penetration Testing – Involves in-depth testing of applications (web, database, software, mobile), reverse engineering, and identifying/exploiting vulnerabilities in order to gain unauthorized access to data.
Social Engineering – Involves testing an organization’s information security awareness and employee training by hacking “people” in order to gain sensitive information. Examples: phone and email phishing, social networking, impersonation, etc.
Physical Security Testing – Involves testing an organization’s physical security controls and defenses by breaching facilities and gaining physical access.
Red Teaming – A penetration testing method that truly takes on the real-world “hacker” perspective and tests an organization’s complete security defenses and incident response. A red team exercise involves “black box” testing, having limited knowledge of the target’s defenses, and utilizes multiple physical, social, and network attack vectors to obtain a goal. More evasive hacker techniques are used in order to test the preventative, monitoring, and incident response effectiveness of an organization.