Orange County NC Website
Orange County North Carolina
TrustedSec Confidential
9

were focused on without resolving the Strategic Recommendations, the deficiencies would likely reappear gradually over time.

As an attacker, TrustedSec can determine systemic weaknesses within the overall security program. For example, if, as part of the penetration test, third-party solutions are fully compromised, it would indicate an issue with the client's third-party risk management program and the depth of review conducted when using a third party. A second example could be that TrustedSec identifies instances of SQL Injection and other critical application flaws. This would indicate that security may not be fully integrated into the software development lifecycle and that in-depth reviews are not fully functioning within the organization.

Specific remediation steps for each strategic finding will be developed to help accelerate a program where it is deficient or non-existent. Technical Findings are important to fix because they provide direct, immediate exposure. Without remediating the strategic findings, however, new exposures will surface down the road, and there will be a continuous cycle of identifying and remediating critical threats to the organization.

The report consists of several sections. First, the Executive Summary contains a high-level analysis of what was performed and a general review of the discovered findings. From there, a Penetration Testing walkthrough uses diagrams and step-by-step details to describe how the penetration test occurred. Moving further into the report are the Strategic Recommendations and Technical Findings, which are broken down by severity. Lastly, any supporting information, such as screenshots, reproduction-of-exposure information, and appendices, is included.

1.3.2 Report Timing
Unless otherwise defined under this Statement of Work (SOW), within two (2) weeks of the conclusion of the work described above, TrustedSec will issue a formal draft report to the primary PoC. TrustedSec shall make every reasonable effort to promptly correct any inconsistencies identified by Orange County North Carolina and shall resubmit the deliverable for Orange County North Carolina's review. If there are no comments within the two-week comment period, TrustedSec will consider the report final.

1.3.3 Vulnerability Scanners
After the Post-Exploitation phase of the engagement, TrustedSec will explore other avenues for attack in the time remaining. At the very end of the assessment, TrustedSec will conduct a vulnerability scan during the timeframe of the assessment and explore any other alternatives that were not investigated. Vulnerability scanners are good for basic detection of "low-hanging fruit"; however, TrustedSec has found that they only catch a small percentage of actual vulnerabilities. TrustedSec uses industry scanning technology tools to ensure maximum detection of exposures during assessments.

DocuSign Envelope ID: AFDC1276-5BF5-4129-B1DC-BCD00B65C8BC