We don't do it all - just the Important Things in CyberSecurity..!

Browse our Security Services and rest assured that you are in compliance while protecting your company, data, and systems.

Our Services...

(Global) IT Security RoadMap Strategy

The Security RoadMap provides the enterprise / global level security strategy for the company

In today’s world-wide economy, every Company, in every Industry, in every Country, must take steps to protect itself. A common maxim states: “It’s not IF you will get Hacked, but WHEN.”


Several catastrophic data-breaches have happened lately that have shaken even U.S. Citizens and the American economy, most notably the EQUIFAX Data-Breach, where both the CIO and the CEO were fired for negligence, and which is expected to cost them almost $1 Billion to settle (currently at $750MM).


Global IT-Security Plan (aka the Security ‘Plan’ or ‘RoadMap’): this is the Enterprise-level set of Programs and Projects that collectively address the highest-risk (and, where appropriate, medium-risk) technology gaps within the company and create a defense-in-depth environment. Using a combination of Tools, Procedures, Training, Standards, Methodologies and adequately experienced staff as inputs, the security team reinforces the technological environment, monitors traffic, ensures data-integrity, prevents unauthorized access, and protects the company and its data from malicious activity.

CLOUD-Computing Security (AWS / Azure / GCP / IBM)

Cloud Computing can save money but expose your data to a Breach. Do you have Tools & a Strategy?

Many companies are transitioning to ‘Cloud-Computing’, but most don’t realize that almost All Security standards are the Responsibility of the Customer. We can provide BOTH the Technical (Hardening) Standards and the Procedural (document) Standards that Cloud-Vendors like Amazon and Microsoft require in order to ensure the security of your Data and systems. We can also help to design and implement Role-Based Access-Control (RBAC) and Identity-and-Access-Management (IDM) to greatly reduce the effort and man-hours required to administer and manage the End-Users in your Cloud environment.


Whether it's Amazon's AWS Cloud, Microsoft Azure, IBM's Cloud, or Google Cloud - we have the technical professionals with the hands-on experience to help guide you in creating a Secure Infrastructure (Public, Private or Hybrid).

(Enterprise) Risk-Management and (Controls) GAP Analysis


Risk-Assessment / Management is the defined, repeatable process, performed bi-yearly, of proactively Identifying, Analyzing, and Evaluating Risk at the company-level, Developing Risk-Treatment and/or Mitigation plans, and Executing those plans to eliminate, avoid or transfer that Risk out of the organization, with the intent of reducing the Residual Risk to an acceptable level.

An effective Risk-Management Plan will identify the critical infrastructure in the company, evaluate the key controls relevant to those systems / processes, and verify that the Control exists, whether the Control is Functioning (well), etc. The result of the evaluation will be a Gap Analysis and an Action or Remediation Plan to address the Gap(s) based on their Risk and Cost (time, dollars, redesign, etc.). The security-related portions of the Remediation Plan become Mission-Critical Projects / Programs on the Security-RoadMap.

When Management determines what the company’s Risk-Tolerance is for Financial Loss, Reputational Loss, Loss of Business, etc., then the analysis of the results becomes a simpler process that can be initiated by Line-Management if needed. Because the results are based on the risk to the company, even Audit and Compliance will support the efforts and decisions.


Penetration (Pen) Testing and Network Security

Hackers around the World, using Free Web Tools.  Pen-Test your Network before they find the holes.

Commonly called ‘Ethical Hacking’, ‘White-Hat’ testing or ‘Pen-Test’, this is an authorized, Simulated attack on the company’s computer system (and Network), performed to evaluate the security of the system as a whole. The test is performed to identify weaknesses (referred to as Vulnerabilities) and the potential for unauthorized parties to gain access to the system’s features and data, and is usually part of an Audit or Annual Risk Assessment. Common Tools include nMap, Nessus, Burp-suite, Metasploit, THC-Hydra, etc. The value of this activity is the highest among comparable methods. The test will identify the weakest points in the network as well as many common compound-vulnerabilities in your technology stack.

Network Security is the process of segregating your Data into common types or uses and also physically "Segmenting" your network into relevant 'subnets'. Many Compliance Standards like PCI and HIPAA require companies to separate their Networks into logical segments, in order to provide for Defense-in-Depth and minimize the access or damage a Hacker can do if they manage to break into your Network. This also allows companies to Limit the Audit-Scope or Compliance-Scope of Review. This "Best-Practice" will surely pay for itself in the event of a Data-Breach. Plan ahead now.

Vendor / 3rd Party Security Assessment

Vendor / 3rd-Party Security Management lets you ID the weakest link in your chain, before problems.

This process involves researching and sourcing vendors, obtaining price quotes, capabilities, and quality of work, negotiating contracts, assigning jobs, processing payments, and preventing Fraud, and nowadays can include IT-as-a-Service, Data-Protection, and CLOUD-Security. Target and BOEING suffered multi-million dollar breaches via a Vendor. Common packages are Claritum, GateKeeper and SAP FieldGlass.

Key activities in this area include evaluating a Vendor's Security Program, reviewing their latest Pen-Test Results, a Vendor-Scoring Program, Clauses in Legal / Vendor Contracts, Right-to-Audit stipulations, etc. Be sure to Hold your Vendors / Partners Accountable for Security; they could be Your Weakest Link.

This will help companies avoid Data-Breaches as well as highly-publicized, potentially embarrassing events like The Panama Papers Data-Breach Incident.

CSIRT Procedures / SIEM / Incident Response

Data-Breach Emergencies require planning and training, so the team knows what to do before a Crisis.

Computer Security Incident Response Team (CSIRT), Security-Incident Event-Management (SIEM), and Incident-Response procedures and documentation are critical in today's internet-based world.

Do you have a Security Team (SOC / CSIRT / SIEM / Red-Team) to handle a security incident?

Are there Documented Procedures, or a CSIRT Handbook / Playbook, for a Crisis?

Has your Team received Training on how to handle a Data-Breach?

Do you know the most common (Top 15) Security Scenarios?

Does your Security Team have an Escalation-Plan to get CxO Members and other departments involved at 2am? (Legal, Facilities, ISP/Telco Provider, Police, FBI, the Press/Media, company-contacts in Other Countries)

Do you know what a "Forensics Kit" is and what it should contain?

Have you and your Security Team run 'Red-Team' table-top exercises on the weekend to make sure employees respond to events?



Threat and Vulnerability Mgmt (TVM / Patching) and Technical (Hardening) Standards


Application-Security Testing (DAST / SAST / False-Positives) and Secure-SDLC Methodology


Regulatory Compliance (PCI / HIPAA / GLBA / SOX / GDPR) and GRC Implementation


In today's Global-based economy, companies must comply with various Regulatory Standards. Which of the following Payment, Privacy and Health-data Standards apply to your organization?

PCI / DSS - The Payment (Credit) Card Industry has its own unique set of Data-Security Standards (DSS). Depending on your volume of Transactions and type of business, all 154 Controls may apply to your Business.

Data-Privacy - GLBA (Gramm-Leach-Bliley Act) provided specific guidelines on the protection of personal data. Similar regulations include the European Privacy Act (GDPR), California's PIPEDA and others.

HIPAA - The Health Industry has developed its own set of Medical Data-Privacy Standards, as summarized in the HIPAA Standard (Health Insurance Portability and Accountability Act). The technical standards for health-data protection are outlined in the HITECH control standards.

SOX - The financial accountability act Sarbanes-Oxley specifies that a company's financial statements must flow directly and accurately from the company's ongoing business transactions.

GRC - A software package commonly used to assist in Compliance efforts is a Governance, Risk and Compliance (GRC) system. Common GRC Packages include ARCHER, MetricStream, R-SAM and Avatier.

Contact Us


CyberSecurity A-Team Consultants

Dallas, TX 75206 USA

(214) 517-3086

Hours

Monday - Friday: 9am - 5pm CST

Saturday - Sunday: Closed