STANDARDS ALIGNMENT CYBER ASSESSMENTS
Cyber Risk Assessments
A cyber risk assessment is the base service upon which all other services are built. A cyber risk assessment covers a wide range of topics, including both internal and external vulnerability scans. We will rate your defensive posture against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). The NIST CSF version 1.1 can be found here.
NIST Cybersecurity Framework Assessment
The National Institute of Standards and Technology (NIST) has produced a five-part Cybersecurity Framework: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover:
a) In the Identify phase, we will help you to catalog your network assets and existing policies.
b) The Protect phase covers the protective network hardware and software, such as firewalls, intrusion detection/prevention systems (IDS/IPS), and security information and event management (SIEM) systems.
c) The Detect phase centers on detecting events on your network that may have malicious origins.
d) The Respond phase constitutes a review of your incident response policies and procedures.
e) In the Recover phase, we focus on how your company will return to normal business operations after a cyber attack. Incidents can range from one hacked email account to a full ransomware infestation.
Personally Identifiable Information Cyber Risk Assessment
Businesses have an obligation to protect the Personally Identifiable Information (PII) of both employees and customers/clients. Those that do not protect this information are vulnerable to lawsuits. Do you have a PII handling policy? Do you have a PII encryption policy? Do you send unencrypted emails containing PII over the internet? Are the hard drives of old computers wiped, degaussed, and destroyed? Cosecure’s PII Cyber Risk Assessment will help you answer these questions and more.
Information Governance Cyber Risk Assessment
Information Governance is an overarching term referring to the policies and procedures used to manage the information that an organization creates, collects, and handles. This includes both digital and paper records; structured and unstructured data, whether stored in databases or on file systems; and the aspects of cybersecurity needed to keep all of that data as safe as possible, to avoid fines and the loss of your competitive edge. Regular updates are a hallmark of a good Information Governance program. Our Information Governance cyber risk assessment will review your cybersecurity posture.
Payment Card Industry - Data Security Standards (PCI-DSS) Cyber Risk Assessment
Does your company accept credit card payments? If so, you may be on the hook for special cybersecurity measures required by the Payment Card Industry (PCI). Version 3.2.1 of the PCI Data Security Standard (PCI DSS) increased the security requirements applicable to covered servers, even if the payment is passed to a third party for final processing. Are you aware that you are not allowed to store the three- or four-digit Card Verification Value (CVV) after the transaction is complete? If you do and there is a breach of your network, you could be held liable by the bank that issued that card (https://www.merchantmaverick.com/what-is-credit-card-security-code-cvv2-cvv-cvc/). Did you know that to remain compliant with the PCI-DSS standard, you have to install all critical security patches within one month of their release? This is true for all systems on the network. Allow us to help you find out if you are in compliance.
Ransomware Readiness Assessment
If the thought of ransomware does not strike fear into your heart, you may not know the full extent of your vulnerability to it. Do you back up your data? If so, how often? Are those backups stored online or offline? If they are on a device connected to the server, even if it doesn’t have a drive letter, it can be encrypted by ransomware (https://social.technet.microsoft.com/Forums/windowsserver/en-US/ce9371d7-5e91-401c-be58-a63fcf38bbf0/unhide-windows-server-2016-backup-drive-following-ransomware-attack?forum=ws2016).
There are many ways to breach a network, and with persistence, any network can be compromised. What matters at the end of the day is the ability to recover from the attack. Is your sensitive data encrypted when it is not in use? As more and more companies mitigate ransomware with actionable backup strategies, cybercriminals are increasing their chances of being paid by exfiltrating your data and threatening to release it unless you pay the ransom. Are you protected?
Remote Workforce Environment Cyber Risk Assessment
Today’s workforce environment is like nothing we have ever seen. There are more people working remotely today than ever before, which completely changes the cybersecurity landscape in which your company is working. If your company’s computers are sitting on the same networks as your employees’ children on their Small Office Home Office (SOHO) routers — which may have never been updated — how protected are you? Most VPN configurations allow a split connection (split tunnelling) between the remote office LAN and the home LAN. This is how you are able to print on your home printer while connected to your office network. It also means that infected devices on the home network can be a threat to your company information. This is a tough situation to be in, as you do not own your employees’ home networks. However, there are ways around this that we can help you establish. Contact us today for a free consultation.
Supply Chain and Vendor Cyber Risk Assessment
No person or company can do it all. We all need assistance from outside experts, and that means using outside vendors. No matter how careful we are with our own networks, what can you say about the cybersecurity posture of your third-party associates? Does your cloud provider have a SOC 2 Type I report? How about a SOC 2 Type II report? Do you know the difference between the two? Do you handle HIPAA data? Do you have HIPAA Business Associate Agreements (BAAs) in place with all of your vendors who also handle PHI? Let us help you navigate this complex landscape. Contact us today for a free consultation.
CYBER VULNERABILITY TESTING AND RISK ASSESSMENTS
Cloud Provider Cyber Risk Assessments
Secure Cloud Engagement
Cosecure will assess your current account with your cloud service provider. This assessment will include validation of adherence to best practices of cloud engagements. Remember, you are generally responsible for the security of any servers in the cloud to the same extent you would be if they were on premises (“on-prem”) servers. Cosecure will assess your cloud engagement process from start to finish. The assessment will include proper configuration and security rule review. Cosecure will run full external vulnerability assessments against any internet-facing servers and full internal vulnerability assessments against internal-facing servers. Our approach leverages our team’s years of experience to ensure a thorough review of current practices.
Cosecure can help you with the most popular cloud service providers, including:
1. Microsoft
Amazon Elastic Compute Cloud (EC2)
Amazon Simple Storage Service (S3)
Internet of Things (IoT) Cyber Risk Assessments
1. CCTV Risk Assessments
IP cameras are the most prevalent IoT devices on today’s corporate networks. Our team has years of experience configuring and testing IP cameras with the goal of ensuring the best possible cyber protection.
2. Printers and Copiers
Printers and copiers have both become multifunctional network assets. Both devices may have access to Windows shares, especially if they can scan documents to the network. Misconfigured settings on these devices can be the vector for the initial compromise of your network.
Business Unit Realignment Cyber Assessments
1. Reorganizations
Reorganization of your business can lead to incomplete organizational charts, which can lead to incorrect alignment of access rights on the network. A complete personnel audit can ensure that only properly authorized employees have access to sensitive files.
Merging two companies can lead to a complex situation. In Active Directory, you will be working with multiple forests and trying to establish trust relationships between them. If this is not something you do every day, let us help you create an environment where the right people have access to the proper assets, and only the proper assets.
Social Engineering Education and Testing
1. Phishing Test
Sending fraudulent emails to your employees is one of the primary methods hackers use to infiltrate your network. Phishing, spear phishing, and whaling all fall under this umbrella. Attackers need only one employee to click on the links in their email, so your defense must be 100 percent effective. This is why frequently testing your employees is critical to the safety of your systems.
2. Vishing Test
Vishing is phishing done over the phone. In the most common type of vishing, the attacker poses as a member of your IT department and tries to get the employee to provide usernames and passwords. The attacker can then use this information to perpetrate a full cyber breach. Our expert social engineering staff can test your employees for this type of vulnerability.
Passive and Active Password Risk Assessments
1. Passive Password Risk Assessment
One popular method to compromise a network is to use password spraying. This is where commonly used passwords are tried in combination with known usernames to find a valid authentication pair. We can take your password hashes and compare them against passwords from known password breaches to determine if your organization is susceptible to this type of attack.
2. Active Password Risk Assessment
After conducting a passive password risk assessment, we move to an active password risk assessment, in which we iterate through common passwords to generate passwords that are related to those breached. For example, if “mypassword01” was released in a previous password dump and one of your employees uses “mypassword02”, this would be considered a very insecure password.
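The two assessments above amount to one defensive audit run against your own exported hashes: first an exact match against a breach corpus (passive), then a match against close variants of each breached password (active). The following script is an added illustration written for this page, not Cosecure’s tooling. It assumes the organisation’s export and the breach list are unsalted SHA-1 hashes (as in the public Pwned Passwords dataset); a real Active Directory export would be NTLM, and only the hash function would change. The usernames, passwords and breach corpus are constructed sample data.

```python
"""Added example (not Cosecure's tooling): a small passive + active password-risk audit.

Assumptions (all constructed for this example):
  - ORG_HASHES maps a username to the unsalted SHA-1 of that user's password,
    the way a Pwned-Passwords-style export would present it.
  - BREACHED_PASSWORDS is a tiny stand-in for a public breach corpus.
"""
import hashlib
import re


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, upper-case hex, matching the Pwned Passwords convention."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample breach corpus (plaintexts, as leaked lists usually are).
BREACHED_PASSWORDS = ["mypassword01", "Summer2021!", "Welcome1", "P@ssw0rd"]

# Constructed sample of an organisation's exported hashes (username -> SHA-1).
ORG_HASHES = {
    "alice": sha1_hex("mypassword01"),   # exact breached password
    "bob":   sha1_hex("mypassword02"),   # one digit off a breached password
    "carol": sha1_hex("Summer2022!"),    # year bumped on a breached password
    "dave":  sha1_hex("correct horse battery staple"),  # not derived from the corpus
}


def passive_assessment(org_hashes, breached):
    """Passive check: accounts whose hash equals a breached password verbatim."""
    breached_index = {sha1_hex(p): p for p in breached}
    return {user: breached_index[h] for user, h in org_hashes.items() if h in breached_index}


def variants(password, span=5):
    """Close neighbours of a breached password: bump the trailing number up or down.

    Deliberately tiny; it shows the idea ("mypassword01" -> "mypassword02"),
    not a full mangling ruleset.
    """
    out = set()
    m = re.search(r"(\d+)(\D*)$", password)  # last run of digits plus any trailing symbols
    if m:
        head, digits, tail = password[: m.start(1)], m.group(1), m.group(2)
        width, base = len(digits), int(digits)
        for delta in range(-span, span + 1):
            if delta == 0 or base + delta < 0:
                continue
            out.add(f"{head}{base + delta:0{width}d}{tail}")
    return out


def active_assessment(org_hashes, breached, span=5):
    """Active check: hash close variants of each breached password and look for matches.

    Returns username -> (matching variant, breached password it was derived from).
    """
    candidate_index = {}
    for p in breached:
        for v in variants(p, span):
            candidate_index[sha1_hex(v)] = (v, p)
    return {user: candidate_index[h] for user, h in org_hashes.items() if h in candidate_index}


if __name__ == "__main__":
    for user, pw in passive_assessment(ORG_HASHES, BREACHED_PASSWORDS).items():
        print(f"[passive] {user}: password appears verbatim in breach data ({pw!r})")
    for user, (variant, origin) in active_assessment(ORG_HASHES, BREACHED_PASSWORDS).items():
        print(f"[active]  {user}: {variant!r} is a close variant of breached {origin!r}")
```

Accounts flagged by either pass should be forced to change password, and the findings are a good argument for screening new passwords against the same corpus at set-time rather than only auditing after the fact.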
Network Asset Inventory Assessment
1. Network Asset Inventory
The first step to securing your network is to understand what is on your network. Our analysts can take a full inventory of all computers and devices on your network. You may be surprised at what is on your network if you have never looked. Many of our clients find computers that they thought were out of service and that have out-of-date operating systems on them. They sometimes also find computers or laptops missing. You never know unless you look. Allow us to help you audit your inventory and create a physical asset list if one does not yet exist.
CYBERSECURITY PROGRAM DEVELOPMENT
Cybersecurity Policy Design and Review
A good cybersecurity program will have many different policies and procedures. However, you don’t need everything at once. If you have no policies or procedures, we can help you establish a core set on which to base your cybersecurity program. Then we can grow your program over time until you have a full complement of policies. Since a policy is only as good as the people who follow it, let us help you gain the buy-in required to have not only good policies but effective ones too.
Incident Response Policy
Incidents are things that happen. Not every incident is a breach of your network which leads to ransomware and the end of your business. Some incidents, once investigated, are just small anomalies which are easily corrected. However, each incident has the possibility to lead to the discovery of a full breach. Let us help you establish and/or review your company’s incident response policy. You will be glad you did, because it is not IF you will need this policy, but WHEN you will need this policy.
Identity and Access Management Cybersecurity Assessment
In how many places do you have each employee’s name listed? Does Human Resources maintain a database? How about Accounting, for expense reimbursement? Is there a separate database for access control ID cards? How about Active Directory for Windows accounts? Are there other non-Windows servers? How are those account identities maintained? The bottom line is that there should be an easier way to manage this data, and until there is, audits are critical to make sure that old accounts are disabled and Accounting does not have the ability to reimburse an employee who resigned two years ago.
Virtual CISO Advisors
The smaller the company, the higher the probability that a given person is wearing multiple hats. Whether you are a lawyer, a teacher, or a manufacturer, your job is not cybersecurity; it is to be a lawyer, a teacher, or a manufacturer. However, every company has the added responsibility to protect the data entrusted to it by its clients and employees. Allow us to be your Chief Information Security Officer (CISO) on an as-needed basis. We can assess your cyber infrastructure and advise you on the cybersecurity impact of new computer purchases, cloud versus on-prem decisions, networking firewalls, routers, and switches, and all things cybersecurity. Contact us for a free initial consultation to see what suits your needs.
Departing Employee Risk Assessment
- Cosecure understands that not all employees will stay with an organization until they retire. Some will leave gracefully for better opportunities, and some will leave for personal reasons. However, some employees will leave disgruntled and will perhaps feel entitled to take intellectual property with them.
- Some employees will feel that intellectual property (IP) they worked on during their tenure is theirs for the taking. If your employment agreements specify that the company retains all IP rights, then the employee is not entitled to take it with them when they leave.
- A targeted digital forensic assessment of the departing employee’s computer, other electronic devices, and email can help to determine if any of the company’s IP left with the employee. Contact us today for a free quote.
Breach Tabletop Exercise
One of the most common tabletop exercises is one in which your network has been breached. We will work with you to personalize the scenario to your company’s needs. As this is the scenario most likely to play out in real life, this is our most popular exercise. However, that breach can lead to hundreds of different scenarios (with ransomware being just one example). Public release of internal email can be another example. Public release of sensitive client information is another. Stolen financial credentials for both business and personal banking accounts is yet another. The list goes on. Contact us to schedule a complimentary scoping call with one of our expert facilitators.
Incident Response Tabletop Exercise
Tabletop exercises are often thought of as C-suite events where broad business decisions about how to react to different scenarios are tested. However, we can get technical too. Our experts can take your IT staff through tabletop exercises which test the detailed procedures intended to guide staff through such emergencies. By testing these procedures, we can help you determine whether the procedures are practical and appropriately sequenced when applied in an actual event. By having the participation and input of the IT staff actually doing the work, we can help you refine those procedures to serve you better in a real-life incident.
Specialized Tabletop Exercises Tailored to Your Needs
Sometimes a company has specialized processes and functions that are critical to its core business. We can help you stress test your incident and disaster recovery policies and procedures in a safe atmosphere before a real disaster happens. Contact us for a free consultation with one of our experts.
Annual Employee Cybersecurity Training
Having a dedicated cybersecurity team is a great first step to securing your company’s information and intellectual property. However, anyone who has access to your network can be a conduit for a cyber breach. The only way to help strengthen your security posture is to continually educate your employees. Cyber criminals get smarter by the day, evolving and inventing new ways to breach your network. Some even offer inside employees money to help breach the networks. Employees need to know that forensic analysis can identify the source of any breach, and that employees who assist in a breach can face criminal and civil penalties. We offer a training program tailored to your needs. Contact us for more information.
Weekly Cybersecurity Video Snippets
Sometimes the best way to learn is in small bites. Hours upon hours of staring at a computer screen can return diminishing results. Our weekly cybersecurity video snippets can continuously support and build upon the foundation laid by our annual training. These weekly training videos will address new and existing topics of concern to companies trying to navigate the diverse landscape of cybersecurity threats.
Active Directory Audit
Employees come and go on a regular basis. Summer interns turn over more frequently than full-time employees, and temporary employees are gone in a few weeks. Are you 100 percent certain that all former employees are disabled in Active Directory? Allow us to run an audit of authorized users versus your latest Human Resources list of current employees. You may be surprised at what we find.
Also, are there any computers still joined to your Active Directory Domain which are no longer actively being used? How about in a Bring Your Own Device scenario? Were any BYOD devices joined to the domain that the employee has since sold on eBay without telling you? If you can think of the scenario, it has probably happened. Let a full audit put your mind at ease.
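The two questions the audit above asks (which enabled accounts belong to nobody on the HR roster, and which accounts and computers have not authenticated in months) reduce to a reconciliation of three lists. The script below is an added example written for this page, not Cosecure’s own audit tooling, and it works offline on constructed data. It assumes you have already exported user and computer objects with their enabled flag and last-logon date (for instance via Get-ADUser and Get-ADComputer) and have the current-employee list from Human Resources; the account names, dates, and the 90-day staleness threshold are all made up for the illustration.

```python
"""Added example (not Cosecure's tooling): reconcile an Active Directory export
against the HR roster and flag stale objects.

Assumptions (all constructed for this example):
  - AD_USERS / AD_COMPUTERS stand in for rows exported from the directory
    (sAMAccountName or hostname, enabled flag, date of last logon).
  - HR_ROSTER is the list of current employees supplied by Human Resources.
  - SERVICE_ACCOUNTS lists known non-person accounts, reviewed separately.
  - AUDIT_DATE fixes "today" so the result is reproducible.
"""
from datetime import date, timedelta

AUDIT_DATE = date(2024, 5, 22)
MAX_AGE_DAYS = 90  # objects silent longer than this are treated as stale

AD_USERS = [
    {"sam": "jdoe",       "enabled": True,  "last_logon": date(2024, 5, 20)},
    {"sam": "asmith",     "enabled": True,  "last_logon": date(2024, 5, 21)},
    {"sam": "intern7",    "enabled": True,  "last_logon": date(2023, 8, 30)},  # summer intern, never disabled
    {"sam": "bjones",     "enabled": False, "last_logon": date(2022, 1, 4)},   # left, correctly disabled
    {"sam": "svc-backup", "enabled": True,  "last_logon": date(2024, 5, 21)},  # service account, not a person
]
HR_ROSTER = {"jdoe", "asmith"}
SERVICE_ACCOUNTS = {"svc-backup"}

AD_COMPUTERS = [
    {"name": "WS-ACCT-01", "enabled": True, "last_logon": date(2024, 5, 21)},
    {"name": "LT-OLD-XP",  "enabled": True, "last_logon": date(2023, 11, 2)},  # thought to be retired
    {"name": "BYOD-PHONE", "enabled": True, "last_logon": date(2024, 1, 15)},  # personal device, whereabouts unknown
]


def orphaned_users(ad_users, hr_roster, service_accounts=frozenset()):
    """Enabled accounts that map to nobody on the HR roster (service accounts excluded)."""
    return sorted(
        u["sam"] for u in ad_users
        if u["enabled"] and u["sam"] not in hr_roster and u["sam"] not in service_accounts
    )


def stale_objects(objects, key, as_of, max_age_days=MAX_AGE_DAYS):
    """Enabled objects whose last logon is older than the staleness window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(o[key] for o in objects if o["enabled"] and o["last_logon"] < cutoff)


def audit(as_of=AUDIT_DATE, ad_users=AD_USERS, ad_computers=AD_COMPUTERS,
          hr_roster=HR_ROSTER, service_accounts=SERVICE_ACCOUNTS):
    """Run the three reconciliations and return the findings by category."""
    return {
        "orphaned_users": orphaned_users(ad_users, hr_roster, service_accounts),
        "stale_users": stale_objects(ad_users, "sam", as_of),
        "stale_computers": stale_objects(ad_computers, "name", as_of),
    }


if __name__ == "__main__":
    for category, names in audit().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Each finding is a question for a human, not an automatic action: an orphaned account may be a contractor HR does not track, and a silent computer may be a seasonal kiosk. The value of the audit is that every enabled object now has an owner who has to answer for it.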
Cloud Configuration Audit
The most important thing to understand about using cloud services is that you are still responsible for securing your servers. People often think that if they move their servers to the Cloud, then someone else will manage them. While boutique, white-glove cloud providers do exist, most cloud providers only guarantee some level of uptime (e.g., the facility not losing power) and protection against hackers getting in through the provider’s own infrastructure. This means they protect against hackers compromising their backend systems and reaching your system through the hypervisor on which your virtual machine runs. If you are running any internet-facing service, you alone are responsible for making sure your operating system is up to date, that all unneeded ports are locked down, and that no known vulnerabilities exist. Allow us to do a Cloud Configuration Audit to help protect your online data.
Network Architecture Audit
Most cybersecurity professionals are aware of the CIS top 18 controls (https://www.cisecurity.org/controls/cis-controls-list/). The number one control on this industry standard list is to have a complete inventory of all devices on your network. Vulnerabilities could exist if an old device which is no longer patched is allowed to linger on the network. A more malicious scenario can also occur when rogue devices have been planted on your network. It could even be the case that a rogue wireless access point has been put on your corporate network, allowing files to be downloaded from the parking lot. This actually happens more often than you would think (see https://www.juniper.net/documentation/en_US/junos-space-apps/network-director3.1/topics/concept/wireless-rogue-ap.html and https://it-explained.com/words/rogue-access-points-explained-explained). Engage us to perform a Network Architecture Audit to help identify and remove any unwanted devices on your network.
Remote Device Audit
What devices do you allow on your network? Do you have a Bring Your Own Device (BYOD) policy? In today’s remote workforce environment, companies are faced with the choice of buying every employee a new laptop for home use or allowing employees to use their personal computers for work. If you have chosen the BYOD route, what have you done to ensure those devices feature all of the proper protections? By authorizing the use of personal devices to process company information, you assume liability for client data loss due to a lax cybersecurity posture. What size of a lawsuit would you have to lose in order for it to have been cheaper to buy everyone laptops for remote work? We can help you make the correct decision on remote device policies and bring to light cyber vulnerabilities caused by having a myriad of unprotected devices accessing your network.