The Security Assessments Practice at Set Solutions is dedicated to assisting organizations in improving their security posture and their alignment to industry-leading standards through a range of different types of security assessment services. The team is comprised of information security experts who are ready to custom-tailor assessments to address any organization’s unique information security requirements. Our most commonly delivered services fall into the following categories:
Threat & Vulnerability Management (TVM)
TVM services help clients understand their risk exposure to cyber threat actors and security incidents. These services include:
- TVM Program Enhancement – Assisting with building up the maturity of an internal TVM program through program reviews and by creating custom-tailored integrations that enhance reporting and provide improved contextual risk analysis.
- Application Security Services – Services to assist in implementation and/or enhancement of secure development operations and integration into existing development workflows. These services include regression testing automation, secure coding training, application threat modeling, dynamic application security testing (DAST), static application security testing (SAST), application infrastructure reviews, and integration of application security solutions.
- Penetration Tests – Controlled adversarial threat emulations, which simulate the actions of real-world cyber threat actors to identify potential exposures. Penetration testing can be targeted towards different types of environments to include the external network (Internet-facing perimeter assets), internal network, facilities (physical access), wireless networks, personnel (phishing / social engineering), applications, or other unique information systems.
- Red Team Assessments – An evasive approach to penetration testing which provides organizations with an authentic evaluation of detection and response capabilities.
- Purple Team Assessments – A collaborative assessment (between the adversarial “red team” and the defensive “blue team”) wherein the penetration testing team maintains open communication with security operations personnel to develop and enhance security controls in real-time.
Governance, Risk, and Compliance (GRC)
Set Solutions GRC professionals have significant experience with both industry-specific compliance standards (HIPAA, PCI DSS, etc.) and leading cyber security frameworks and attestation standards (NIST, ISO 27001, SOC 2, etc.). Services include:
- Gap Analysis Review – Review of your organization’s processes and/or controls against a standard (industry compliance or CSF) to identify gaps and opportunities for improvement.
- Remediation Services – Our team can assist you in achieving compliance through remediation services related to identified gaps.
- Program Governance Review – An assessment to evaluate the comprehensiveness and maturity of an organization’s security governance.
- Risk Assessments – Assessments which evaluate cyber risks facing an organization and the degree to which existing controls address those risks. Risk assessments can be performed at a macro-level (focused on the entire enterprise) or performed against specific systems or environments.
Incident Response (IR)
The Set Solutions Security Assessments team can assist in preparation, identification, triage, and response to security incidents. IR services include:
- Table-Top Exercises (TTX) – Discussion-based sessions where participants (from across different verticals within the organization) evaluate operational responses within the context of a simulated cyber security incident.
- Threat Hunting / Breach Assessments – Technical review of an organization’s network and/or endpoints to identify signs of malicious activity, to include Indicators of Compromise (IOCs) or Indicators of Attack (IOAs).
- Response and Forensics Services – For organizations that have experienced a cyber incident or breach, our technical experts and forensic analysts are available to support triage, containment, eradication, recovery, and after-action reviews.
Leading Industry Certifications
Justin Hutchens (“Hutch”)
Security Assessments Practice Lead
LinkedIn Bio: https://www.linkedin.com/in/justinhutchens/
Jimmy Mejia
Principal Security Consultant
Jimmy Mejia began his information technology career with the U.S. Army’s 82nd Airborne Division. Since separating from the military, Jimmy has accumulated years of experience in multiple security roles within the healthcare, retail, technology, and oil and gas industries. Jimmy has an extensive background in system and network administration and holds multiple industry certifications, including OSCP, CISSP, and GPEN.
LinkedIn Bio: https://www.linkedin.com/in/jimmy-mejia-88010110/
- Inside the Mind of a Hacker – Intro
- Inside the Mind of a Hacker – Exploiting Public Facing Infrastructure (Part 1)
- Inside the Mind of a Hacker – Exploiting Public Facing Infrastructure (Part 2)
- Inside the Mind of a Hacker – Emerging Phishing Tactics (Part 1)
- Inside the Mind of a Hacker – Emerging Phishing Tactics (Part 2)
- Inside the Mind of a Hacker – Credential Harvesting and Limitations of MFA
- Inside the Mind of a Hacker – Third Party Exploitation
- Inside the Mind of a Hacker – Wrap Up
- One Does Not Simply Hack APIs… Actually, One Probably Does
- SolarWinds Sunburst: Back to the Basics
- Implementing a Risk-Based Vulnerability Management Strategy
- Defining a Solid Vulnerability Management Strategy
- What Is Vulnerability Management?
- Hiding in Plain Sight – The Emerging Risk of “Serverless” Malware
- Has CAPTCHA Outlived its Usefulness?
- How to MFA the Right Way – Part 3
- How to MFA the Right Way – Part 2
- How to MFA the Right Way – Part 1
- Pulling at the Loose Thread of Open Source Code
- Governance, Risk, and Compliance | Ready, Set, Secure – Episode 21
- Capture the Flag | Ready, Set, Secure – Episode 13
- Inside the Mind of a Hacker | Ready, Set, Secure – Episode 5
- How to MFA the Right Way | Ready, Set, Secure – Episode 2
- “Bypassing MFA with Real-time Replay Attacks” | Hutch (Sec Assmts Practice Lead) at DEFCON 28 (2020)
- “Warfare on the Social Web” | Hutch (Sec Assmts Practice Lead) at HOU.SEC.CON v9 (2019)