I n f o r m a t i o n S e c u r i t y

Transcription

1 We help organizations protect INFORMATION The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs especially in Critical Infrastructure environments. Our experience with State and Local Government, Financial, Healthcare, and Energy sector clients gives us a significant edge in helping our customers conserve resources on cyber security and related regulatory compliance initiatives. I n f o r m a t i o n S e c u r i t y Consulting*Training*Management At any point in the Security Lifecycle, BorderHawk can be there as needed strategic planning, policy analysis or development, controls design, solutions implementation, or even as technical project managers. ISO HIPAA NERC CIP NISPOM NIST PCI IRS Form 1075 FPLS CYBERSECURITY ANALYTICS & ALERTING * INFORMATION SECURITY TRAINING * CONSULTING ON INFORMATION ASSURANCE ISSUES * CYBER INCIDENT RESPONSE * STANDARDS BASED INFORMATION RISK ASSESSMENTS * CYBER SECURITY TESTING * INFORMATION SYSTEMS FORENSICS Need More Information? Call: info@borderhawk.com Our Security Teams are comprised of only the most senior Information Security professionals in the United States; these are hands on professionals that have been there. Accordingly, our teams have decades of experience conducting complex security engagements in a variety of public and private sector environments.

2 BORDERHAWK CORPORATE OVERVIEW Georgia Corporation as of 2008 (Sole Proprietor, ) Steve Akridge, Owner Phone: Former: Chief Information Security Officer (CISO), State of Georgia; Technical Director, Defense Security Service, U.S. Dept of Defense; Chief Cryptologic Tech, Naval Security Group Command JD, MS, CISSP, CISM, CGEIT Mailing Address: 3330 Cobb Pkwy NW STE 17 PMB363 Acworth, GA Operational Office in Cartersville, GA BorderHawk Values: We believe your organization s information, workforce, and supporting infrastructure are critical components to your success. Consequently, we believe that truly tested professionals with demonstrated integrity, courage, and commitment are the key to achieving your organization s goals. We are tested experts offering best-in-class solutions to resolve security and safety issues. BorderHawk Mission Statement: To provide our clients with experienced advice and professional services involving information protection, workplace safety, employee awareness, and infrastructure management. We deliver innovative solutions that empower our clients in meeting regulatory requirements, while maintaining a competitive business infrastructure.

3 BORDERHAWK SERVICES C Y B E R S E C U R I T Y A N A L Y T I C S & A L E R T I N G BorderHawk Cybersecurity Analytics & Alerting provides an ongoing awareness of information security, information technology vulnerabilities, and potential threats to support organizational risk management decisions. By monitoring certain critical computer systems within your environment and analyzing information collected via the Internet regarding your organization, the BorderHawk Team is often able to isolate potential threat indicators and extrapolate such knowledge into a proactive indication and warning processes. We use a variety of cutting edge tools to collect information, and then we employ a team of experts to analyze that data in order to reach solid conclusions about threats to your organization. Detect/Prevent Unauthorized Access and Insider Abuse Meet Regulatory Requirements Forensic Analysis and Correlation Ensure Regulatory Compliance Track Suspicious Behavior IT Troubleshooting And Network Operation Our Cyber Threat Reports deliver both strategic and tactical perspectives regarding your organization s information security. Client Driven Reported As Needed Focus of analysis can be changed in near real-time Issue can be refined for macro or micro analysis Breaking News Daily Situation Report Weekly Status Report Quarterly Trends Analysis Knowledge delivered by such products: provides historical, current, and predictive views of business related events in order to guide leadership decisions and actions involves computer-based techniques to gather business related information from within your environment and publicly available sources for analysis in order produce actionable security responses

4 I N F O R M A T I O N S E C U R I T Y T R A I N I N G Virtually all Information Security Standards and Regulations require both information security awareness and information security training targeted at all users (including managers, senior executives, and contractors) on an on-going basis. Learning is a continuum it starts with awareness, builds to training, and evolves into education. (NIST Special Publication Revision 1) BorderHawk has developed a Web based Information Security tutoring solution. Our approach delivers two options for our clients: 1) Generic (ISO1799/27001) Information Security Awareness and Training modules or 2) Customized (branded if desired) Information Security Awareness and Training modules based on specific corporate or regulatory requirements unique to the client or line of business, such as HIPAA, FISMA, NERC CIP, CJIS, IRS Pub 1075, Red Flags, etc. In either case, our training is designed to provide a convenient and cost-effective approach to Information Security Awareness and Training. Most organizations have either adopted or are moving toward a remote or off-site business model. Consequently, the opportunity to conduct collective information security awareness or training sessions has become a challenge. Our solution provides a web based series of awareness and training modules that can be accessed via the Internet anywhere, anytime. The student simply logs in using a credit card, selects a module and follows on-screen prompts through the module. When the module has been completed with a passing score, an is generated by our system informing your Human Resources organization that successful Information Security Awareness or Training has been accomplished by the student.

5 C O N S U L T I N G O N I N F O R M A T I O N A S S U R A N C E I S S U E S Security Policy Access Control Organization of Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Info Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance C Y B E R I N C I D E N T R E S P O N S E BorderHawk is available to help you manage all aspects of a breach including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed. In response to risks identified by a breach, we work with you to: Limit immediate incident impact to customers and partners Determine who initiated the incident and your options going forward Recover from the incident and return to operations Review existing policies and protocols for adequacy Determine how the incident occurred Avoid escalation and further incidents Help assess impact and damage Review adequacy of other systems security Develop long-term mitigation plans Provide necessary training

6 S T A N D A R D S B A S E D I N F O R M A T I O N R I S K A S S E S S M E N T S Information Risk Assessments set the stage for establishing the Information Technology Big Picture. Our Information Risk Assessment process is built around an ISO 17799/27001 based framework, and controls are customized according to business needs (Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Financial Services - Federal Financial Institutions Examination Council (FFIEC) & Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation s (NERC) Critical Infrastructure Protection (CIP), or the Payment Card Industry Data Security Standard (PCI DSS). Our inquiry will include every aspect of your organization: People, Process, and Technology. Preparation Doc Request Overview Scoping People Processes Technology Discovery Analysis Results Ratings Trends Draft Report Final Report Recommendations Reporting The cost of a BorderHawk Information Risk Assessment is directly related to the client s needs and information security program. PURPOSE/TYPE PROCESS DESCRIPTION Information Risk Assessment consisting of 11 Information Security Management Controls and 132 sub-components Activity Hours Total OPTION 1 INFORMATION RISK PROGRAM DEVELOPMENT Discovery (offsite & onsite) 60 Analysis Reporting 40 Planning 40

7 Security Policy Option 1 Inquiries Information Security Policy Evaluation Review of Information Security Policy Implementation Organization of Security Management commitment to Information Security Information Security Co-ordination Allocation of Information Security Responsibilities Authorization Process for Information Processing Facilities Confidentiality Agreements Contact with Authorities Contact with Special Interest Groups Independent Review of Information Security Identification of Risks Related to External Parties Addressing Security When Dealing with Customers Addressing Security in Third Party Agreements Asset Management Inventory of Assets Ownership of Assets Acceptable Use of Assets Classification Guidelines Information Labeling & Handling Human Resources Security Roles & Responsibilities Screening Terms & Conditions of Employment Management Responsibilities Information Security Awareness, Education, & Training Disciplinary Process Termination Responsibilities Return of Assets Removal of Access Rights Physical & Environmental Security Physical Security Perimeter Physical Entry Controls Securing Offices, Rooms, & Facilities Protecting Against External & Environmental Threats Working in Secure Areas Public Access, Delivery, & Loading Areas Equipment Protection Supporting Utilities Cabling Security Equipment Maintenance Security of Equipment Off-Premise Secure Disposal or Re-use of Equipment Removal of Property Communications & Operations Management Documented Operating Procedures Change Management Segregation of Duties Separation of Development, Test, & Operational Facilities Third Party Service Delivery Management Monitoring & Review of Third Party Services Managing Changes to Third Party Services Capacity Management System Acceptance Controls against Malicious Code Controls against Mobile Code Information Back-up Network Controls Security of Network Services Management of Removable Media Disposal of Media Information Handling Procedures Security of System Documentation Information Exchange Policies & Procedures Exchange Agreements Physical Media in Transit Electronic Messaging Business Information Systems Electronic commerce On-line Transactions Publicly Available Information Audit logging Monitoring System Use Protection of Log Information Administrator & Operator Logs Fault Logging Clock Synchronization Access Control Access Control Policy User Registration Privilege Management User Password Management Review of User Access Rights Password Use Unattended User Equipment Clear Desk & Clear Screen Policy Policy on Use of Network Services User Authentication for External Connections Equipment Identification in Networks Remote Diagnostic & Configuration Port Protection Segregation in Networks Network Connection Control Network Routing Controls Secure Log-on Procedures User Identification & Authentication Password Management System Use of System Utilities Session Time Out Limitation of Time Connection Information Access Restrictions- Sensitive System Isolation Mobile Computing & communications Teleworking Info Systems Acquisition, Development & Maintenance Security Requirements Analysis & Specification Input Data Validation Control of Internal Processing Message Integrity Output Data Validation Policy on the Use of Cryptographic Controls Key Management Control of Operational Software Protection of System Test Data Access Control to Program Source Code Change Control Procedures Technical Review of Applications after Operating System Changes Restrictions on Changes to Software Packages Information Leakage Outsourced Software Development Control of Technical Vulnerabilities Information Security Incident Management Reporting Information Security Events Reporting Security Weaknesses Information Security Incident Management Responsibilities & Procedures Learning From Information Security Incidents Collection of Evidence

8 Business Continuity Management Including Information Security in the Business Continuity Management Process Business Continuity & Risk Assessment Developing & Implementing Continuity Plans Including Information Security Business Continuity Planning Framework Testing, Maintaining & Re-assessing Business Continuity Plans Compliance Identification of Applicable Legislation Intellectual Property Rights Protection of Organizational Records Data Protection & Privacy of Personal Information Prevention of Misuse of Information Processing Facilities Regulation of Cryptographic Controls Compliance with Security Policies & Standards Technical Compliance Checking Information Systems Audit Controls Protection of Information Systems Audit Tools Information Risk Gap Analysis consisting of 11 Information Security Management Controls and 42 sub-components Activity Hours Total OPTION 2 INFORMATION RISK GAP ANALYSIS Discovery (offsite & onsite) Analysis 24 Reporting 16 Option 2 Inquiries Information Security Policy Evaluation Allocation of Information Security Responsibilities Confidentiality Agreements Independent Review of Information Security Identification of Risks Related to External Parties Addressing Security in Third Party Agreements Inventory of Assets Acceptable Use of Assets Terms & Conditions of Employment Information Security Awareness, Education, & Training Physical Security Perimeter Physical Entry Controls Securing Offices, Rooms, & Facilities Secure Disposal or Re-use of Equipment Change Management System Acceptance Access Control Policy Password Use Clear Desk & Clear Screen Policy Segregation in Networks Network Routing Controls User Identification & Authentication Mobile Computing & communications Teleworking Outsourced Software Development Reporting Information Security Events Information Security Incident Management Responsibilities & Procedures Collection of Evidence Business Continuity & Risk Assessment Intellectual Property Rights Protection of Organizational Records Data Protection & Privacy of Personal Information Prevention of Misuse of Information Processing

9 Controls against Malicious Code Information Back-up Security of Network Services Disposal of Media Physical Media in Transit Electronic commerce Facilities Compliance with Security Policies & Standards Technical Compliance Checking Information Systems Audit Controls Protection of Information Systems Audit Tools OPTION 3 INFORMATION RISK DOCUMENT REVIEW Analysis of client completed BorderHawk Information Risk Questionnaire and requested supplemental documents provided by client Not to exceed 24 hour expended time Option 3 Inquiries The BorderHawk Information Risk Questionnaire develops a high-level overview of an organization s information security posture. Specifically, this document requests an overview of the client s business function, a preliminary list of documents describing information technology and security operations, and a brief questionnaire about security within the organization. The review process requires documentation be provided in a digital or paper format, including: Information Security Policy: This document states your organization s policy and management direction as it relates to information security Information Security Procedures, Guidelines, & Standards: Information protection related procedures, guidelines, and standards supporting the information security policy Security Incident Reporting and Procedures: Procedures and forms associated with the organization s incident response plan o System Configuration Diagrams: Technical policies, procedures and other baseline documents used by your information technology group for installation and configuration of information systems Change Management: Change control policy, procedures, and other documents used to initiate and/or validate changes to information systems and/or their environment Most Recent Information Technology Audit or Review of Controls (SAS70 or Equivalent): Assessments by external consulting organizations and associated documentation Software Coding Standards (if applicable): Software development and testing

10 procedures Network Architecture: Network architecture diagram detailing all inbound and outbound network connections (Internet, VPN, remote access, third-party vendors, etc.). C Y B E R S E C U R I T Y T E S T I N G BorderHawk Cyber Security Testing is a hands on effort in which Test Operators attempt to circumvent security features of a system or network based on their understanding of the technical design and implementation. The purpose of a penetration test is to identify methods for gaining access to a system or network by using common attacker tools and techniques. Accordingly, in order to conduct a penetration test, the operator must first conduct a vulnerability assessment in order to determine exploitable targets. External Network Assessment Targets: Internet facing systems and devices Attack Parameters: May include both automated and manual attacks; Will usually NOT include exploitation of any identified vulnerabilities; Password cracking usually in the scope Restrictions: Attack(s) usually limited to non-business hours Time to Complete: Dependent on target size according to Internet Protocol (IP) addresses Internal Network Assessment Targets: Internal network devices, not limited to domain controllers, infrastructure services (WINS/DHCP/DNS), servers, workstations, printers and network devices Optional: Configuration review of the firewall and internal Attack Parameters: Unobtrusive system vulnerability scans may occur during business hours; Caution: potential for interruption of critical business systems Restrictions: Internal network assessment will be conducted on-site Will not include mainframe systems

11 May include both automated and manual attacks; but will not usually include exploitation of any identified vulnerabilities; password cracking is usually in the scope Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses Wireless Assessment Targets: Organization -Campus -Specific Building -or Facility Attack Parameters: May occur during business hours for unobtrusive scans Rogue wireless device detection; penetration testing, password cracking usually in the scope Restrictions: Wireless security risk assessment usually limited to technologies Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses Social Engineering Attempt to bypass security controls in order to gain access to sensitive areas or information Targets: Individual - Organization Campus - Specific Building - or Facility Attack Parameters: May include physical access, telephone, and /phishing Restrictions: Attack may be performed any time Time to Complete: Dependent on target size and client needs Application Pen Test Targets: Web-based production application, Internet facing IP address Attack Parameters: May include both automated and manual attacks May include attempts to gain access through social engineering Restrictions: Will usually not include exploitation of any identified vulnerabilities Password cracking is usually in the scope Will not include a code review Time to Complete: Dependent on target size and client needs I N F O R M A T I O N S Y S T E M S F O R E N S I C S

12 In association with our forensic partners, BorderHawk can be available to assist with all facets of computer evidence extraction, preservation, analysis, and presentation. Depending on the situation, we are prepared to assist with: Digital evidence acquisition, search, filter, and consolidation from virtually any type of media from mobile hand held devices through fixed plant servers and cloud repositories. Depositions, expert witness testimony, helping achieve optimal balance in legal and technical strategies Special Master Duties (E-Discovery & Information System Forensics) Analyzing and exposing flaws with interpretation of electronic evidence and results gleaned from other digital forensic analysis efforts BORDERHAWK SAMPLE ENGAGEMENTS Large Financial Institution Information Risk Assessments of over sixty-five third party/vendor companies located throughout the US and Canada (business verticals include financial, insurance, health, technology, printing, courier, software, receivables, non-profits, legal, and data brokers); ISO/IEC 17799; FFIEC Oil Pipeline Company (Northwest) State Dept of Revenue, Tax Division (Northwest) State Legislative Services Division (Midwest) State Dept of Blind Services (Southeast) Information Security Program Development; Custom Training; ISO/IEC 17799/27001/27002 Code of Practice for Information Security Management, NIST SP Guide for Developing Security Plans for Federal Information Systems and IRS Publication 1075; API-1164 State Department of Corrections (Southeast) City (Electric Utility) (Southeast) City, Employees Retirement System (Northeast) Non Profit (Law Enforcement Related) (Southeast) Cyber Security Testing; penetration testing, technical vulnerability assessment, and controls analysis; ISO/IEC 17799; NERC CIP 5 & 7

13 Medical Device Company (Southeast) Insurance Company (Southeast) Hospital Company (Southeast) State Dept of Labor (Northwest) Pharmaceutical Company (Southwest) State Dept of Health and Social Services (Northwest) State Dept of Human Resources (Southeast) Information Security Program Assessment; Federal Parent Locator Service, HIPAA; ISO/IEC Retail Company (Northeast) Non Profit (Technology Provider) (Southeast) Financial Service Company (Global) Information Security Incident Analysis; Incident response to potential cyber crime or other malicious activity specifically targeting client networks or sensitive data