A vulnerability assessment conducts a thorough review of the internal components of your network. Think of it like someone inspecting the interior of your house and not simply looking at it from the outside. A vulnerability assessment looks at the internal components of your network such as routers, switches, printers/multi-purpose devices, desktop/laptop computers, and servers. This allows you, the asset owner, to see the areas where you have thorough security in place and those areas that may need a little extra attention.
The vulnerability assessment includes:
- Looking at the configuration of these devices to ensure a secure configuration is in use.
- Checking the software, firmware, and operating systems to ensure that all applicable security patches are applied.
- Reviewing the administrative policies and procedures used to protect the overall Information Technology (IT) infrastructure.
These activities allow the IT system owner(s) to understand potential areas of weakness that could cause a larger risk to the confidentiality, availability, and integrity of internal data or customer information.
As part of the vulnerability assessment, Cyber Strike Solutions, LLC will provide a detailed report explaining the vulnerabilities and the types of risk they may pose to the network. It will also provide recommendations for remediation of the vulnerabilities and quantify the decreased risk through execution of the remediation. Finally, if the organization would benefit from the addition of another security service or feature, Cyber Strike Solutions, LLC will provide the recommendation along with the potential costs of incorporating the service or feature.
There are two different penetration test scenarios that Cyber Strike Solutions, LLC uses. The first is a penetration test where the only knowledge of the system we have is of the external IP addresses. This type of test involves looking at the target system as a hacker would look at the system. Black-box testing involves a great deal of reconnaissance to determine what information can be collected that would allow us to gain unauthorized access into the network. Other techniques used during the test are:
- social engineering
- exploit development
- exploit execution
Social engineering uses tactics such as phishing emails, spoofed webpages, and even observation of employees in an attempt to gain access to the organization, either physically or through a set of captured credentials.
Exploit development and execution are the final phases of testing. These phases take the information gained from the reconnaissance and attempt to create a script or program that can gain unauthorized access to the network. If network access is achieved, privilege escalation is the next goal, to demonstrate the ability of a malicious outsider to gain access to sensitive organizational data and exfiltrate the data.
The second type of penetration test is an insider threat scenario. This test emulates the effects of an employee who is attempting to gain unauthorized access to organizational information assets. During this test, Cyber Strike Solutions, LLC will use social engineering techniques and other tools to escalate privileges and gain unauthorized access.
After the penetration test is complete, Cyber Strike Solutions, LLC provides a detailed report. This report includes an explanation of how unauthorized access was achieved along with the data that was accessed or exfiltrated. Further, it will share techniques to remediate the exploitable vulnerabilities, including technical and administrative remediation.
Cyber Strike Solutions, LLC provides secure system configuration. There are many different organizations providing technical guidance for securing the systems within the network boundary. Cyber Strike Solutions, LLC will:
- Analyze the organization’s regulatory requirements.
- Determine how the technical security guidance applies to the organization’s systems.
- Implement the technical protective mechanisms incrementally, following the analysis.
- Test the system after each iteration to ensure proper function is still achieved.
In the event that a technical control causes malfunction, an appropriate non-technical control will be recommended and the organization can decide if the control will meet their needs. The goal of secure system configuration is achieving maximum security with minimal impact on functionality.
Cyber Strike Solutions, LLC possesses a significant amount of experience in security engineering. Our security engineering services include embedded systems, enterprise systems, and standalone systems. As part of the security engineering, we review the design of the solution to determine what security implementations would apply to the product or system being designed. This would include conducting a comparative analysis of any available options in the security implementation to ensure that the additional security meets the customer’s needs and is complementary to the system or product design. The ultimate goal of security engineering is to mitigate any potential disruptions to the product or system regardless of their origins. This means that as part of the engineering process we will take a meticulous look at any sources of disruption, ranging from malicious attacks to natural disasters, and help determine how best to mitigate the risk.
The secure architecture design possesses similarities to the security engineering. Unlike security engineering, secure architecture design takes a broader look at the system instead of looking at components or subsystems. The secure architecture design helps provide a defense in depth approach to security. It allows for implementation of security at multiple layers within the overarching system to prevent unauthorized activities or access. Cyber Strike Solutions, LLC will take a look at the larger system and determine what security controls should be implemented to properly protect the system. The secure architecture design may include recommendations for additional policies or procedures as part of the overall risk mitigation approach. The combination of the technical and non-technical controls is designed to provide complementary overlap of protection through the management of human factors along with the technical aspects of securing the system architecture.
Cyber Strike Solutions, LLC realizes the importance of properly training the individuals using the information systems. Security Awareness Training focuses on the human factor of cybersecurity. We continually review current training methods and approaches to determine the most effective method of training individuals. Additionally, there is continuous updating of the training materials to address current threats, along with specific risks or threats facing a specific geographical location or industry. The intention of the security awareness training service is to mitigate as much of the risk to the information system as possible at the user level. Methods of determining training needs include social engineering activities such as sending test phishing emails to see how many employees click the link or divulge sensitive information. These activities may also include observation of employee behaviors to see if there are any risks that may be exploited using human factors instead of technical exploitation techniques.
Cyber Strike Solutions, LLC supports the entire Department of Defense (DoD) Risk Management Framework (RMF) process including technical control design and implementation and assistance with developing the necessary policy documents. We understand the importance of achieving system authorization as soon as possible and support our customers in achieving authorization. Our understanding of the National Institute of Standards and Technology (NIST) 800 series Special Publications (SP) enables us to provide accurate and efficient support to our customers navigating the RMF Assessment and Authorization (A&A) process.