Frequently Asked Questions
Is it true you have clients all over the country?
Yes, we are based in Denver, but we have clients all over the country that we protect.
My business has been hacked, can you help?
Yes, we offer incident response services that will help get your company operational as soon as possible, collect evidence, and help determine the cause of the breach or attack.
Is it better for me to hire you once a year to fix things, or is it better to hire you for ongoing services?
While we are available to help after a breach or attack, we can also assess the current IT environment and make security recommendations to address critical risks to your business. These recommendations will keep your business from being vulnerable to attacks before they happen.
Based on our experience, the downtime a business suffers after an attack makes the overall cost of reacting to an attack 10 times more expensive than it would have cost to prevent it.
How do I choose the right cybersecurity company for my business?
We understand that we aren’t the only cybersecurity company in Denver, but when you are shopping around, please ask the competition what their testing procedures include. They should be a mix of automated vulnerability scanning and manual testing using exploits to confirm the findings. You don’t want someone who will point a scanner at your publicly facing systems and hand you the results of that tool directly as a report. We can do better than that.
Additionally, after describing your company’s systems and IT environment, ask them what attack vectors they would use during their fieldwork. These should be attacks on the applications specific to your company. You do not want a company that performs the same attacks on each of its clients regardless of whether they have Office365 with application development hosted in Azure or a large, traditional on-site domain-based Active Directory.
CP Cyber provides all the services, customer care, and attention needed to protect our clients and let them focus on their business.
How can you help our company stay secure even though our employees are all working from their homes?
We can assess the security of the remote work solutions you may or may not have in place. We can recommend inexpensive but effective security solutions that will greatly increase the security of your employees and the data on their laptops. We can also review the configuration of the solution used for online meetings to make sure it is secure; we have expertise with Zoom, Skype, GoToMeeting, WebEx, and Hangouts.
What is a penetration test?
A penetration test is performed by cybersecurity experts who are hired to find areas of weakness in the cybersecurity of a company’s IT environment. A report is provided to the company so that it can focus its money and time on addressing the most critical findings and reduce the company’s overall risk. A penetration tester is trained to emulate a real attacker who will use the latest exploits to gain unauthorized access and escalate privileges.
Why should we have a penetration test performed?
When it comes to cybersecurity, the cost of reacting to an attack is much greater than being prepared and avoiding an attack in the first place. In 2019 the average cost of a cyber attack was $4.6 million. Penetration tests help avoid this by showing your IT team where the security holes are so that they can fix them before an attack happens. Without a thorough penetration test, your environment may have vulnerabilities your IT team is unaware of.
Also, certain industries that deal with sensitive data such as financial data are required by law to have an annual penetration test.
How does a penetration test differ from an automated vulnerability scan?
The first step in performing a penetration test is “information collection”. We gather information in a variety of ways, including automated vulnerability scanning. After scanning, we review the results and adjust our strategy for manual testing. Based on the results, we may change the exploit we use on publicly facing systems or attempt a different attack vector altogether. We find that our competitors use the results of the vulnerability scan to provide their clients with reports and call it a penetration test. Naturally, these competitors can charge less for their “penetration test”, so be careful when shopping for cybersecurity companies.
What penetration test documentation should I expect to receive when the test is complete? How are the findings documented?
Please contact us for a redacted sample of a penetration test report we have given to a client.
Our reports are written based on findings from the manual testing performed by our penetration testers. The penetration tester who performed the work will include a description of the attacks performed, the vulnerability related to each attack, the risk, and the impact to your business. In addition, the report will include the vulnerability scan results. Our team will be available to present the findings to the client’s IT team as well as to give a presentation to upper management.
Does my company need both a Vulnerability Assessment and a Penetration Test?
Many companies mistakenly use the terms “vulnerability assessment” and “penetration test” interchangeably. When deciding what your company needs, keep in mind that a vulnerability assessment acts as a supplement to a penetration test, not a replacement. Ideally a company will enroll in a full penetration test, which includes a vulnerability scan; however, if that is not within the company’s means, a standalone vulnerability scan will still give the IT team information to better secure the environment.
Our company has an incredibly unique setup; can you still perform a vulnerability scan?
Yes. Prior to starting any engagement, our team will schedule a scoping meeting where we will discuss the systems that make your company unique and how we can make sure these systems are included in our testing. Our tools are designed to work cross-platform, including but not limited to Windows, Mac, and Linux operating systems. Our team is also comfortable scanning large IP subnets or segmented networks.
I heard Apple computers were entirely secure; does my company still need a vulnerability scan?
Although Apple computers are typically more secure than their counterparts, they are by no means risk free. Traditionally, Apple computers were not used as frequently in the business world as their competitors, so Apple gained a reputation for being more secure. However, as Apple computers become more and more prevalent in the business world, attackers are targeting them and finding holes in their security. It would be unwise to exclude Apple computers from a vulnerability scan under the false assumption that they are entirely secure.
Cyber Risk Assessment
What is the NIST Cyber Security Framework?
The NIST Cybersecurity Framework is a standard that is widely recognized worldwide as best practice for computer security. It provides a framework for IT and cybersecurity personnel to efficiently implement security controls for IT assets in a way that addresses the most risk. Many companies use this framework to develop their cybersecurity strategy and to determine which cybersecurity projects to prioritize.
Additionally, some sectors that deal with sensitive data, such as the financial industry, are required by law to follow the standards. We can perform a gap analysis by comparing your current cybersecurity environment to the framework to ensure your IT personnel are prioritizing the cybersecurity projects that matter most.
My IT team assures me our company is secure; do I still need a Cyber Risk Assessment?
No matter how good your IT team is, there is always the possibility of them missing something. Even a system that is 99% secure can still be vulnerable to attacks. Everyone is confident in their security until a breach happens. An external Cyber Risk Assessment minimizes the chances of this happening. In addition, it verifies the work of the IT team so you, as an owner, can rest assured that your data is properly secured.
I own a small startup company; do we need a Cyber Risk Assessment?
Ideally, your company would have an annual Cyber Risk Assessment; however, the reality is that not every company is ready for one. As a brand-new company, your IT team may not have had the time to properly secure your systems. At this maturity level a Cyber Risk Assessment would be an expensive way of telling you what you already know: that your systems are not yet secure. In this case it would be wise to wait until your IT team is confident in the security. On the other hand, if your company is rapidly growing and security is now a priority, a Cyber Risk Assessment can help your IT team prioritize what needs to be fixed first.
Why should I bother having my company’s passwords checked?
According to the 2019 Verizon Data Breach Investigations Report, 81% of hacking-related breaches were tied to stolen or weak passwords. This means weak passwords are one of the biggest risks to your company’s security. By ensuring strong passwords, you can stop many attackers in their tracks.
You are asking me to share passwords with you? Does that not break the number one rule of keeping passwords secret?
In our testing, we are only able to see the passwords that we can crack, which are the weak passwords. These are the same passwords that an attacker would discover. It is much better to allow us, the good guys, to identify weak passwords before the attackers do.
How often should I have my passwords checked?
Since weak passwords serve as one of the biggest threats to a company’s security, we recommend quarterly checks. The process is secure, automated, and simple.
What results will I get from having my company’s passwords checked?
We will give you a list of accounts with weak or easily guessed passwords, accounts that share the same password, and areas where the password policy could be strengthened to meet industry best practices. Once you receive the report, we can work with your IT team to educate the users with weak passwords and then set their passwords to be changed at the next logon.
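The three result categories described above (weak or guessable passwords, shared passwords, and policy gaps) can be illustrated with a small defender-side audit. The following Python is an added example and is not CP Cyber's tooling or report format; the account store, the list of known-weak passwords, the password policy values, and the best-practice baseline are all constructed for the example. It also assumes unsalted SHA-256 hashes purely so the sample is self-contained; real directory stores use other hash formats.

```python
import hashlib
from collections import defaultdict

# Constructed list of known-weak passwords an auditor would compare against
# (a real audit would use a much larger list of common and breached passwords).
CONSTRUCTED_WEAK_LIST = ["password", "Welcome1", "Summer2019", "letmein"]


def sha256_hex(password: str) -> str:
    """Hash a password the way the constructed sample store does (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample store: account name -> stored password hash.
# bob/carol share a weak password; dave/erin share a strong one (still a reuse finding).
CONSTRUCTED_ACCOUNTS = {
    "alice": sha256_hex("Welcome1"),
    "bob": sha256_hex("Summer2019"),
    "carol": sha256_hex("Summer2019"),
    "dave": sha256_hex("c0rrect-h0rse-battery-staple-42"),
    "erin": sha256_hex("c0rrect-h0rse-battery-staple-42"),
    "frank": sha256_hex("Tr0ub4dor&3!xQ9"),
}

# Constructed policy as exported from a hypothetical directory, and an assumed
# best-practice baseline (lockout_threshold 0 means "never lock out").
CONSTRUCTED_POLICY = {"min_length": 8, "lockout_threshold": 0, "history_count": 3}
ASSUMED_BASELINE = {"min_length": 12, "lockout_threshold": 10, "history_count": 24}


def audit_passwords(accounts: dict, weak_list: list) -> dict:
    """Return accounts whose hash matches a known-weak password, and groups of
    accounts that share the same hash (i.e. the same password)."""
    # Hash the weak list once so every account check is a dictionary lookup.
    weak_hashes = {sha256_hex(w): w for w in weak_list}
    weak = {acct: weak_hashes[h] for acct, h in accounts.items() if h in weak_hashes}

    # Group accounts by hash; any group larger than one is password reuse.
    by_hash = defaultdict(list)
    for acct, h in accounts.items():
        by_hash[h].append(acct)
    reused = sorted(sorted(group) for group in by_hash.values() if len(group) > 1)

    return {"weak": weak, "reused": reused}


def policy_gaps(policy: dict, baseline: dict = ASSUMED_BASELINE) -> list:
    """Return the policy settings that fall short of the assumed baseline."""
    gaps = []
    if policy["min_length"] < baseline["min_length"]:
        gaps.append("min_length")
    if policy["lockout_threshold"] == 0 or policy["lockout_threshold"] > baseline["lockout_threshold"]:
        gaps.append("lockout_threshold")
    if policy["history_count"] < baseline["history_count"]:
        gaps.append("history_count")
    return gaps


if __name__ == "__main__":
    results = audit_passwords(CONSTRUCTED_ACCOUNTS, CONSTRUCTED_WEAK_LIST)
    for acct, pw in results["weak"].items():
        print(f"weak password: {acct} uses '{pw}'")
    for group in results["reused"]:
        print(f"shared password: {', '.join(group)}")
    for setting in policy_gaps(CONSTRUCTED_POLICY):
        print(f"policy gap: {setting} is below baseline")
```

The reuse check reports dave and erin even though their shared password is not on the weak list; one compromised account would still expose the other, which is why the report lists shared passwords separately from weak ones.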
Open Source Intelligence Gathering
I can Google my own company; why would I pay for Open Source Intelligence Gathering?
Using Google is only the first step in our Open Source Intelligence Gathering service. We employ numerous techniques that allow us to dig deeper, just as an attacker would. For example, one of our tools finds sites your company is hosting that Google doesn’t even know about.
Is Open Source Intelligence Gathering intrusive?
No. A big difference between Open Source Intelligence Gathering and a penetration test is that a penetration test executes attacks to try to gain additional access. Open Source Intelligence Gathering, on the other hand, only uses information already available to the public.
PhishDefy - Technology Protection
What operating systems is PhishDefy compatible with?
PhishDefy is compatible with Windows and Microsoft Exchange. Unfortunately, the way Apple mail and Gmail are configured makes them incompatible.
I have a small company; do I still need to worry about phishing?
Yes. All companies, big or small, can become the target of a phishing attack. Especially if you are growing fast, the last thing you want to halt your growth is becoming the victim of a phishing attack.
Education and Training
How in-depth is the training? Is it multiple sessions?
We pride ourselves on our ability to customize training sessions to meet your company’s needs. If you have an hour-long time slot in an annual employee meeting, we can give a good training overview. If you were just breached and want serious training, we can give multiple in-depth sessions to fully train your employees. In addition to group-based training, we offer training to individual employees via our online phishing and training platform, which focuses the training on specific phishing scenarios.
I already tell my employees to watch out for bad emails; how will this be different?
It is great news that you are already promoting email awareness; however, if your employees are not heeding your advice, it might be time for us to step in. We can conduct training sessions where we simulate an attack and then display the passwords we gathered at the next training session. We have found that an employee seeing their password up on screen makes much more of an impact than just telling them to be careful. Other real-world attack scenarios are available based on the needs of our clients and the risks their employees may face.
How quickly can you respond?
For any incidents that cause outages or business downtime, we are usually able to re-task several of our employees who specialize in breach response to your needs. If you are located in Denver or the surrounding area, our team can usually be at your offices within an hour.
If my data has been locked by ransomware can it be recovered?
Usually, the only way to recover data without paying is to restore from a backup. We can assist you in that process. If you choose to pay the ransom, we can assist you through that process and the resulting data decryption process afterward.
How long does it take until my company can be fully recovered?
We have performed a full recovery of a small office in 3 hours. Every environment is different, such as cloud-hosted data versus on-site servers, but we can scale our team of specialists to meet the needs of our clients and the size of the incident.
Don't risk your business and your clients' private information any longer.
Our team knows the ins and outs of cybersecurity, and more. We stay ahead of the curve and provide our clients peace of mind. We’d love to hear from you!