Kobalt.io Logo
Contact Us

Assess Your Security Program

Identify vulnerabilities. Build a roadmap. Execute with purpose.

Conduct Assessment
Down arrow

Detect risks. Secure systems and people.

CIS Gap Assessment

Is your organization’s cyber security a guessing game for you? We get it. Many small business leaders also struggle to find out where to start improving security, what to prioritize and how to measure and report. To find out the answers of these questions, conducting a CIS Gap Assessment is an effective starting point.

What is a CIS Gap Assessment?

A CIS gap assessment is a step-by-step assessment of your existing security program. Our experts review your cybersecurity program against a IT security framework called the Center for Internet Security (CIS) 18 Critical IT Security Controls, also known as CIS Controls.

Assessing your cybersecurity program against this framework helps you build a solid security foundation to meet industry standards, from cloud to compliance.

CIS Gap Assessment

How to use assessment findings for better security?

Kobalt.io can support you using the 90 Days to Better Security Approach:

  1. Days 1 – 30: Receive a detailed assessment report that identifies areas to improve and recommendations broken down by cost, effort, threat model and urgency.
  2. Days 31 – 60: Kobalt.io discusses assessment findings, recommendations, a strategic roadmap with your team and helps execute remediation activities to address security gaps.
  3. Days 61 – 90: Continue to perform remediation activities and get continuous support from the Kobalt.io team to improve security.

Can I find out which types of attacks is my organization most vulnerable to?

Ransomware, email fraud and data breaches are the common attacks that most businesses fear. However, gap assessments do not provide answers to the specific incidents that your organization is most susceptible to – risk registers do. That’s why gap assessments and risk registers are often conducted simultaneously. 

Having findings of both gap assessment and risk register can help you map out the vulnerabilities and contributing factors to incidents. They can also help generate insights to build an effective cybersecurity roadmap as well as a list of best practices. Based on the needs of your organization, you can also conduct gap assessments against other standards like Canada CyberSecure, SOC 2, NIST and ISO27001.

CIS Gap Assessments starting from $5000.

Discuss with Kobalt.io

Privacy Gap Assessment

What’s the difference between CIS gap assessment and privacy gap assessment?

Privacy gap assessments review the privacy portion of your overall cybersecurity program thoroughly. In the field of privacy, it typically has its own set of regulatory and compliance standards based on the industry you are in or selling to. Examples include GDPR, Bill 64, and CCPA/CPRA. Privacy gap assessments will assess your existing privacy policies, data processing procedures, privacy breach containment and more.

Privacy

Why do I need a privacy gap assessment?

The answer is simple and straightforward – it is to ensure that you maintain compliance and safeguard sensitive data.

Clients expect you to help them solve problems, not to create problems. It is your responsibility to protect your clients’ data. If you solely rely on your CRM provider or financial institution to protect the sensitive data you collect, you are putting both your clients and your business at risk.

Deliverables from Kobalt.io

  • An in-depth report on findings and recommendations for your existing privacy policies, data processing procedures, risk analysis, compliance, etc.
  • An executive review session to go through the highlights of the assessment findings and address any questions or concerns. This review session can help your teams get a clear understanding of the next steps that are best for your organization.

Learn more about how you can better protect your clients, employees and organization’s privacy, here.

Privacy Gap Assessments starting from $7500.

Book A Call to Discuss

Cloud Security Audit

Your production cloud environment is critical to your business. It stores data that contributes to the day-to-day business operations. That’s why it is incredibly important to keep your valuable data and information safe and secure in the cloud.

Securing your cloud infrastructure

A cloud security audit helps assess the security controls, vulnerabilities and compliance gaps in your cloud environments like AWS, GCP and Azure. With a better understanding and visibility of your overall cloud security posture, the Kobalt.io team can help identify and prioritize the areas that need improvements. This helps your team to have a strategic plan to follow while tightening up security.

Features of a cloud security audit

  • Find IAM vulnerabilities - root account use, lax password requirements, lack of multi-factor authentication (MFA)
  • Check for logging best practices and ensure event logging is enabled across regions
  • Verify that log files are validated and encrypted
  • Assess critical account activity like unauthorized API calls and unauthorized access to the management console and root account access
  • Drive secure network configurations and limit access to vulnerable ports, enforce “least access” privileges, checking for use of flow logging
  • Quickly assess your data bucket settings for data buckets at risk
  • Find and fix potentially exposed data buckets configured for external access and identify out of compliance buckets with CIS Benchmark
  • Identify vulnerabilities in ephemeral and immutable infrastructure with telemetry to distill and focus on what's critical/important
  • Provide host image scanning for known vulnerabilities before deploying to a live environment
  • Connect known CVE's with active packages on hosts for live visibility to active packages with associated vulnerabilities
  • Reporting that allows security to "shift right" with tailored reports on new active CVE's and known definitively when a patch has been applied

Deliverables from Kobalt.io

  • An in-depth report on audit findings and recommendations, optionally aligned to a compliance standard such as SOC2, ISO27001, PCI-DSS, HIPAA.
  • A 60-minute executive briefing to review the findings and answer your team's questions.

Cloud Security Audit starting from $5000.

Protect Assets Today
Privacy Program

Penetration Test

Do you know how susceptible your teams are to cyber attacks? Do a penetration test to find out before they fall victim to an attack.

Pentests (short for penetration tests) – sometimes also called ethical hacking – offer a practical way of testing your cyber security measures using trained professionals. Regular pentests form an essential part of any cyber security program and indeed are mandatory to maintain compliance with various standards such as SOC2 and PCI.

Learn more

Pentest Approaches

  • Vulnerability Scans

    Scan your environment for known vulnerabilities in hardware and software.

  • OWASP Application Security Verification Standard (ASVS) assessments

    Assess your application security based on the rigorous and standardized framework.

  • Black Box Pentest

    Identify vulnerabilities in a system that are exploitable by ethical testers without previous knowledge of the network.

  • Gray Box Pentest

    Provide a more in-depth assessment of the system and identify the greatest risks and countermeasures.

  • White Box Pentest

    A sophisticated type of testing that provides a comprehensive assessment of both internal and external vulnerabilities.

  • Social Engineering Pentest

    A type of testing that manipulates staff to disclose sensitive information that is valuable for a future attack. This test provides an understanding of staff awareness of security threats.

  • Physical Pentest

    This testing method exposes the weaknesses of physical controls including locks, cameras or sensors.

How to choose the right pentest for my business?

Kobalt.io works with you to recommend the most effective approach based on:

  1. The data you’re trying to protect
  2. How critical the application or system is
  3. Industry and business objectives

Penetration tests starting from $5000.

Ready to Discuss?

Phish Testing

End users are the largest and most vulnerable target in most organizations. Phishing attacks grow every year, making an end-user security awareness training program and regular phishing tests essential for any security programs. We pair our phish testing with security awareness training. Learn more about our user education. 

What is phish testing?

A phishing test is a mock phishing attack simulated by professional security experts. It is created to test how effectively an organization’s employees can resist phishing attacks. Depending on the test results, organizations can work with Kobalt.io to carry out various remediation measures to tighten up security and train employees.

Tailor phish testing to your organization

For example:

  1. Include all your employees or a subset, according to your objectives for the test.
  2. Run tests for a month with approximately two emails targeted at each user per week, with a mix of standard and custom messages.
  3. Design remediation activities based on actionable reporting and metrics Kobalt.io provides.
  4. Run tests periodically to keep your team’s skills sharp, measure improvements and reduce your risks.
Let's Discuss

Frequently Asked Questions

Penetration testing is an intrusive practice, as the name suggests. With the intrusive nature of penetration tests, testers get an intimate understanding of the organizations they engage with. Penetration testers can use their experience and identify gaps beyond what insiders may be able to identify alone. Penetration tests allow organizations to make informed security decisions.

Penetration testing is also a requirement for organizations striving to achieve compliance to several industry-recognized certifications.

 

Small and medium organizations often struggle with the preparation process to get ready for their penetration tests. Penetration tests follow a common approach. The reason there is a common approach is to help define repeatable processes while minimizing the impact of testing to the organization being tested. The steps are as follows:

1. Information Gathering

2. Analysis and Planning

3. Vulnerability Identification

4. Exploitation

5. Risk Analysis and Remediation

6. Reporting and Lessons Learned.

Organizations can modify and adjust the procedures to be catered toward their business processes, but they will typically follow the methodology.

Book a call
Kobalt-Logo

Ready to take your next step?

SPEAK WITH A SECURITY EXPERT
SUBSCRIBE TO OUR NEWSLETTER

COPYRIGHT © 2023 | Privacy Policy | Terms of Use | Press Kit | 

Linkedin Twitter Facebook