Enterprise security and risk management services include developing or enhancing information security and risk management programs; achieving compliance objectives such as Sarbanes-Oxley (SOX), PCI DSS, GLBA, BSA, etc.; conducting and responding to audits; business continuity and disaster recovery planning; vulnerability, risk, and threat assessment and analysis; incident response, prevention, recovery, and investigation.
Case Studies
Here is a short list of some our major cyber security cases.
Industrial Espionage – We were called in to assist the lead investigative team who were performing the forensics responsibilities. We provided collaboration in the overall investigation while concentrating on incident prevention and recovery. Having successfully defended against repeated attacks in other instances including a major entertainment company, we were able to successfully prevent the attacker from regaining entry and stealing information. We hardened the network, systems, and endpoints with both technological and procedural solutions, and developed an information security and risk management program in furtherance of their business objectives.
________________________________________________________________
Fraud – We have performed several types of fraud responses. In one instance, a former disgruntled employee planted a logic bomb at a financial company with the intent of ruining the company’s reputation and short selling stock for profit. Responses include the initial actions while the attack was in progress, assisting in the rebuilding of the infrastructure, providing leadership to the incident prevention team, and creating custom programs to detect the affecting malware. The perpetrator was later apprehended and convicted.
________________________________________________________________
Extortion – An unknown entity had obtained unauthorized access to the desktop computer of a member of Executive Management. The attacker then committed extortion against the individual. A clandestine investigation was successfully conducted to identify the individual who was also employed at the firm.
________________________________________________________________
CYBER SECURITY SERVICES
We can help you with both tactical and strategic initiatives to achieve your business objectives and manage your risk. We’ve been in charge of IT Security, Risk Management, and Compliance at major international firms. We have proven accomplishments in resolving the same issues you are confronted with. We work with you to design and implement cost effective and efficient solutions whatever your objective may be.
Our client list remains confidential. Here is a list of some of the industries that we’ve helped to achieve success:
• Financial Services
• Sports
• Entertainment
• Media
• Publishing
• Pharmaceutical
• Aerospace
• Defense Contractors
• Government
• Oil & Gas
• Education
• Retail
• Private Individuals
We have aided our clients in both large and small technology projects encompassing many different types of technology, including:
• Access Control
• Change Management
• Endpoint Encryption
• Endpoint Protection such as anti-virus, firewalls, proxies
• Network Access Control and 802.1x at both the endpoints and switch ports
• Policy and process creation or enhancement
• Implementing logging and monitoring solutions, IDS, IPS, etc.
• Implementing Vulnerability and Threat Management programs
• Logging and Monitoring
• Incident response, Business Continuity, and Disaster Recovery Planning
Developing or Enhancing Information Security & Risk Management Programs
This set of services is the core, or hub, from which many of our other services either lead to or from. We have many proven accomplishments in successfully developing new, or enhancing existing, security and risk management programs to achieve a variety of business and compliance objectives. An example of this was successfully architecting an FFIEC compliant risk management program that included a new set of policies, vulnerability assessments with a plan for resolving the findings, and enhancement to the Business Continuity and Disaster Recovery plan in a 90 day period. We also have experience in architecting and implementing multi-year, multi-million dollar enterprise-wide security projects.
Vulnerability & Risk Assessment, Audits, Penetration Testing
We perform many vulnerability and risk assessments, as do other security firms. The main difference in our approach is that we think that knowing about the vulnerabilities is only the first step. Once the assessment is complete the next step is to resolve the findings. In addition to identifying vulnerabilities, we can help to identify the root causes of the issues to better address your risk reduction, compliance initiatives, and reduce current and future audit findings.
How many times have you received an assessment or report and then struggled with what to do next? Or had Executive Management ask you what your plans are to resolve the findings? Perhaps you have been given a directive to reduce the number of audit findings. We have a proven methodology to help you resolve the findings and identify the root causes. We’ll help you work up an action plan and continue to assist you to resolve the issues in a cost effective and efficient manner. we can also help you to implement new processes and technology as needed.
Achieving Cost Effective, Efficient, High Performing IT
We believe that you must have a stable environment upon which to build to a secure infrastructure. Many times the root causes of extensive or recurring vulnerabilities and audit findings are the result of poor stability and a lack of control over the IT infrastructure and applications development areas. Our background in achieving high performing and high security IT helps to provide you with the insight to avoid future findings and security incidents. We have experience in identifying and eliminating the root causes of audit findings. We follow proven practices and standards to help you build a stable and secure infrastructure. Using methodologies such as Visible Ops, and established frameworks such as OWASP, we will assist you in achieving the stability and security you need. We’ll help you find what works for you to achieve your objectives.
Compliance
We have real world experience in having to be compliant with many different types of regulations in many jurisdictions. Many consulting companies are comprised of staff that haven’t “been there and done that”. We have. We draw on this experience to help you achieve your compliance objectives. Whether they are internal or external, legal obligations or other liability matters, or just guidelines, we have experience in achieving success and reducing your exposure. In one instance an FFIEC compliant program was delivered in 90 days in preparation for an OCC examination.
Our accomplishments include:
• External Regulations including: Sarbanes-Oxley (SOX), PCI DSS, Graham-Leach-Bliley (GLBA), Bank Secrecy Act (BSA), (FFIEC);
• SWIFT;
• Corporate Employee Financial Reporting Systems;
• Global Markets;
• Transaction Banking;
• Adherence to Internal Policy, Process, Standards;
• Litigation Matters;
• Liability Issues;
• Audit: Conducting Audits (including pre-external assessments), Responding to audits and reducing the number of repeat findings.
Investigations; Incident Response, Prevention, and Recovery
Below is a list of some of the types of Incident Response and Investigations we have performed. Our focus includes prevention and recovery as well as initial response. Most other companies conclude their services after their investigation is over. Similarly, their staff’s expertise also concludes at that same point. Our services can begin where the others start, but ours continues where their service ceases. We have performed forensics ourselves and collaborated with industry leaders in forensics and e-discovery. We have worked with the FBI, NYPD, and other law enforcement agencies in performing investigations and forensics. Our experience and proven accomplishments at building and maintaining cyber security infrastructure gives our clients a complete service offering. Below is a short list of the types of investigations we have performed.
• Industrial Espionage
• Fraud
• Extortion
• Physical Threats
• Illegal Activity
• Internal Investigations
• Computer Malware