Advanced Security Centers. Enabling threat and vulnerability services in a borderless world


Contents
- Borderless security overview
- EY Advanced Security Centers
- Threat and vulnerability assessment services
- Why EY?
- What makes our ASCs different?

Borderless security
Giving you confidence in a virtual world

The trend toward anywhere, anytime access to information is changing the business environment, blurring the lines between home and office, and moving traditional enterprise boundaries. To be competitive, companies must have a web presence, and many conduct a large amount of their trading and logistics via the Internet. Recently, there has been a significant increase in the business adoption of new technologies such as cloud computing, social networking and mobile computing devices that increase both collaboration and the flow of important information in and out of the organization. These new technologies represent an opportunity for IT to deliver significant benefits to an organization, but they also mean new risk.

Cyber attacks, data loss, application vulnerabilities, external and internal access to sensitive and confidential information, and the increased use of external service providers: it's a real challenge to keep on top of the ever-changing risks. Additionally, in today's business world where fast response is vital, continuous availability of critical IT resources is one of the most important success factors.

Our research* shows that only 30% of companies have an IT risk management program that is capable of addressing the increasing risks related to the use of new technologies.

The EY Global Advanced Security Centers (ASCs) offer a wide range of threat and vulnerability services that help companies understand the risks they face and enable them to take the appropriate actions to enhance their overall security. We know that every company will have different technology demands, so our services are tailored to your specific business.

We would welcome the opportunity to discuss what we could do to improve your information security situation and potentially reduce your risk exposure, and we invite you to contact us and/or visit one of our ASCs.

*Global Information Security Survey

EY Advanced Security Centers

EY is a leader in information security services. Our Advanced Security Centers (ASCs) are a key enabler of our leadership.

The EY Advanced Security Centers proactively search for existing problem areas and potential security issues in your information technology systems, helping organizations recognize, rectify and manage the risks associated with doing business in an increasingly borderless environment.

First established by EY in 2002, our global network of ASCs provides controlled and physically secure environments in which our dedicated team of leading security professionals can conduct assessments focused on your infrastructure, applications and people. The centers also provide an environment that facilitates interaction amongst EY and client teams for rapid problem-solving, knowledge transfer and project collaboration.

The highly experienced security professionals in our ASCs have performed thousands of assessments on a wide variety of systems, and our assessments are totally independent: we are not linked to any hardware or software solutions. We have the practical knowledge, current proven technical equipment and global capabilities to be able to identify the risks your company faces through its use of technology and to work with your IT team to potentially reduce your vulnerabilities.

[Figure: Advanced Security Centers: Technology + Global Reach + People + Experience. Surrounding labels: Security incidents due to exploitation of existing technical exposures; Sound operational management practices to proactively identify and manage risk; Protect brand and reputation; Regulatory requirements to perform testing to identify and mitigate vulnerabilities; Legal and regulatory recourse resulting from failure to implement due care in protecting vital corporate, partner and client data.]

We are committed to improving our clients' IT environments with a focus on actionable recommendations, training, and knowledge sharing.

Threat and vulnerability assessment services

Ongoing threats and attacks challenge a company's business assets and the availability of their critical systems and data. EY's attack and penetration services aim to discover the extent to which an organization is currently vulnerable to exploits that are realistic and probable. Derived from extensive hands-on experience, our attack and penetration methodology provides a real-life test of an organization's exposure to known security threats and vulnerabilities by focusing on exploiting network, application and systems vulnerabilities. Our testing methodology emphasizes manual testing techniques and vulnerability linkage, making EY different from other security vendors and providing more value to you.

[Figure: assessment cycle. Labels: Identify risk; Assess risk; Findings and recommendations; Remediation and change; Infrastructure; People; Applications.]

EY offers a broad range of threat and vulnerability services, from attack and penetration testing to security program management, enabled through our ASCs. Our services are designed to bring you the best answer to solving your threat concerns. Following an initial discussion, we will suggest one or more of the following assessments to evaluate your current environment and allow you to be in a better position to win in the perennial fight against IT risks.

Infrastructure assessments

Our ASCs perform attack and penetration assessments of your network infrastructure to attempt to identify vulnerabilities from various risk perspectives, including the true outsider, malicious insider and third parties with limited access. Each of these assessments follows a similar approach that includes discovery, vulnerability identification and exploitation phases. With your permission and coordination, we attempt to penetrate the identified systems using an agreed controlled testing approach and then exploit the identified vulnerabilities.

Our infrastructure assessment services include:
- External network attack and penetration
- Internal network attack and penetration
- Wireless network attack and penetration
- Dial-up assessment
- Cloud infrastructure attack and penetration
- Supervisory control and data acquisition (SCADA) network assessments
- Mobile device and infrastructure assessments

The results of these assessments will enable you to proactively take steps to eliminate the identified risks.

Our focus is on assisting clients with efficient remediation (60% of issues have a low remediation level), leveraging EY leading practice ideas.

Social engineering assessments

Social engineering assessments are designed to trick or manipulate your company personnel into providing sensitive information, inappropriate access to your network, or to identify physical security control issues. EY performs these assessments from four primary vectors: phone, phishing, physical and portable media. The assessment includes an information-gathering stage to structure the attack scenarios and assess publicly available information. We then provide physical evidence as to the success, extent and potential business impact of the intrusion.

Application assessments

The most common and impactful attacks against companies often involve application vulnerabilities, leveraging well-known issues to steal data and compromise users. To protect against these threats, companies need to identify the issues within their applications, fix the coding flaws that create the vulnerabilities, train their developers to avoid future issues and build security into their software development life cycle process.

EY performs security assessments on a variety of application types, including web applications, web services, thick clients and mobile applications. We approach the task from a variety of perspectives, including those of the anonymous user, normal authenticated user and the privileged user. During these assessments, we use automated tools and manual techniques to identify and exploit the vulnerabilities, potentially reduce the false positives, and demonstrate business impact.

Our application assessment services include:
- Black box
- Source code assisted black box
- Gray box
- Secure software development life cycle (SDLC) assessment

Application security training

EY offers a variety of instructor-led and web-based training programs focused on application security, and the training sessions are often tailored to the technologies and programming languages used in our clients' development environments. The training is designed to be interactive, with examples and case studies based on actual assessment results, including demonstrations of the concepts in a test environment.

Our training programs include:
- Secure coding
- Web application testing
- Application security for quality assurance
- Application security for project managers and architects

Data loss prevention assessments

EY's data protection services are not the standardized data collection and out-of-the-box reports that many vendors perform. We analyze and understand your business and get to know your data. Couple that knowledge with our deep regulatory and compliance experience and you receive an assessment that is distinct for your organization. Specifically, you will understand:
- Where critical/sensitive information resides in your network
- How that information is moving through your enterprise, over which communication channels, and who is sending/receiving that information
- Compliance risks in your environment previously not recognized
- Next steps, quick wins and long-term recommendations to reduce data and business risks

Vulnerability management program assessment

Attacks that target security vulnerabilities can threaten a company's business assets and the availability of its critical systems and data. EY can help you to improve your ongoing vulnerability management programs by charting your policies and procedures against a set of leading practices. The resulting diagnostic provides an independent perspective to measure the maturity of the program, identify gaps, focus your risk mitigation efforts, and help to prioritize your spend.

Ongoing enablement services

Even if you have already started to assess and make plans to eradicate information security risks, you can't afford to let your guard down. EY can help your company build, transform, enable and sustain your threat and vulnerability management programs through recurring testing and assessments, incident response support, threat intelligence, and continuous knowledge sharing with your in-house IT team.

Why EY?

EY is the most globally integrated professional services organization in the world, with more than 231,000 professionals working in 152 countries. World-renowned for our assurance, tax, transaction and business advisory services, EY is also a global leader in the field of information technology risk and information security. For more than 20 years, our clients have benefited from an extensive portfolio of professional services in assessment, remediation, and assisting with the design and implementation of effective enterprise security services.

EY brings together an unparalleled team of highly experienced industry, security, privacy and risk management professionals, to meet the complex needs of some of the most data-intensive organizations in the world. We have developed proven industry-leading methods, tools and resources to address our clients' information risk management challenges and to support the ongoing security, integrity and availability of our clients' information assets and processes.

As a large and established professional services organization, EY's name and experience lend weight to each project we undertake: we provide a broad business risk perspective that will help enhance its value with your senior management and your audit committee.

Our IT risk and assurance professionals assist clients in using technology to achieve a competitive advantage. They advise on how to make IT more efficient and how to manage the risks associated with running IT operations. They focus on helping clients optimize and secure their technology so that it serves the business effectively and enhances results; this includes several focused competency groups including application controls and security, third-party reporting and IT risk advisory.

Our privacy advisors assist clients with enabling the governance, risk and compliance efforts related to the use of personal information, assessing enterprise privacy risk, leading privacy internal audits and inventorying the use of personal information in business processes, technologies and third parties.

Our Information Security practice offers a wide range of management, assessment and improvement services. Our targeted security services help our clients maintain the appropriate alignment between their security, IT and business strategies, enabling them to maintain their focus on their business needs while addressing their security and risk issues.

Companies choose to work with us because of our intense client focus, and our deep technical and sector-based business knowledge. We have earned a reputation as a leading innovator because we invest heavily in our people, our processes and in our technology capabilities.

The ASCs help our clients understand the risks posed by their technologies and applications. By understanding these risks in both technical and business contexts, our clients can make more informed business decisions.

The EY Advanced Security Centers offer sophisticated technical facilities and a staff of dedicated security professionals who are ready to assist our clients 24x7x365. Our globally integrated laboratory centers are based in Argentina, Australia, Ireland, Israel, Netherlands, Singapore, Spain and US.

The ASCs mean we can offer our clients cost-effective and scalable IT vulnerability assessment services that produce extensive, consistent, repeatable and auditable results. We perform hundreds of assessments each year for our audit and non-audit clients.

Our services allow you to:
- Proactively identify and manage risk
- Protect the availability and confidentiality of corporate, customer and personally identifiable information
- Validate security designs and configurations
- Protect your brand, reputation and customer confidence
- Be consistent in assessments across your global portfolio
- Meet industry and regulatory standards and the expectations of your customers
- Comply with internal policies and external guidelines

The ASCs have centralized management and operations, using standardized methodologies and tools, which provide consistent quality control procedures wherever you use our services. The EY approach is dynamic and flexible, allowing us to customize our activities and test phases for each individual client's environment, priority and assessment needs. Our deep pool of highly qualified resources provides us with the ability to select the right people to meet the scheduling requirements of your company.

The ASCs are results oriented: more than 90% of assessments generate high-risk findings, most with low or medium effort to exploit.

What makes our ASCs different?

Business and industry focus

We combine business process and industry sector operational experience with technical security experience, providing a risk-focused solution for our clients. This differs from our competitors who merely provide a technical tool-based approach.

Security

Our ASCs are highly secure with 24-hour building security and CCTV cameras, as well as restricted biometric access for approved staff only. The ASCs are independently audited, as well as regularly audited by clients as part of their vendor security programs. ASC services are fully permitted under the applicable rules of the SEC, PCAOB and other regulators and professional bodies. Our services are completely confidential, so you do not have any fear of compromise.

Our security features include:
- Encryption of all client data at rest and data in transit
- Data retention policy to securely destroy client data within 30 days of project completion
- Separate networks (from EY organization)
- Regular security testing on network infrastructure
- Firewall and IDS

Continuous improvement

We use commercial, open source and proprietary tools to equip our testing teams, but tools alone are not capable of mimicking the thought processes and behavior of attackers who are becoming ever more ingenious at finding ways to access secure data. Our professionals are regularly inventing new methods of attack; discovering, linking and combining vulnerabilities, and finding application and business logic flaws that can lead to exploitation. Our team is encouraged to continuously perform research and to make advancements in tool development. Our security research has led to the identification of several previously unknown vulnerabilities in leading software and infrastructure technologies.

Information security is complex, fast-moving and ever-evolving. The EY team keep current by participating in and providing internal training, performing vulnerability research, attending security conferences, being involved with a number of industry groups, and pursuing relevant certifications.

[Table: Information security assessment services: the EY difference. Compares EY Advanced Security Centers, large professional service firms, security firms, boutique firms and tool vendors on the service benefits listed below; the per-column marks did not survive transcription.]
- Focus on business risk
- Brand confidence
- Diverse industry knowledge combined with technical experience
- Strategic national and global locations, resources and knowledge
- Full range of security and risk advisory services available within the firm
- Approach and recommendations independent from specific tools
- Proprietary tools
- Dedicated testing team
- Attack and penetration team critical mass, ability to scale, and 24x7 availability
- Established security training offerings
- Collaborative environment for knowledge sharing
- Secure physical center, meeting DoD standards and dedicated to testing
- Professionalism

EY is recognized in the industry as an information security thought leader. Our team routinely presents at national and international conferences and authors thought leadership. Our professionals demonstrate deep industry knowledge and experience that will be leveraged to increase the value of our services with our clients, which means we always hit the ground running. This also positions us to quickly respond to the ever-changing landscape of security and privacy, helping your company to flourish in a borderless world.

Contact

For further information about our information security services, or to discuss your requirements, please contact:

Ad Buckens
Executive Director
ad.buckens@nl.ey.com
+31 88 407 8799
+31 6 2125 2803

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 231,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

EY refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

2016 EYGM Limited. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.