Are you considering new IT projects but don’t have a security sounding board? Have to meet new security requirements but don’t know where to start? Are you planning for growth and want to make sure that security and privacy are factored into your corporate plan? No problem, we can provide the necessary guidance on all of these and more. Our Virtual CSO service was designed to help companies of all sizes get the needed guidance when and where they need it. We aim to be your one-stop for guidance on any project where security and privacy are important but that you don’t have adequate resources to provide the necessary support.
Connect with us to find out how we can help build a program to suit your specific business needs and budget.
1. Reconnaissance: we gather actionable intelligence that may be used to breach the organization’s perimeter. Using a comprehensive suite of known and proprietary open source intelligence techniques (e.g. scouring message boards, search engines, DNS interrogation, etc.), we collect information ranging from user credentials leaked inadvertently via document metadata or online backups to network service banners. In addition, we actively probe the organization’s perimeter to determine its public footprint on the Internet and what kind of entry points may exist. This phase usually consumes around 50% of the time allotted for the assessment.
2. Scanning: using automated and manual processes, we scan for vulnerabilities that may exist at the network, application, or operating system layers. TwelveDot prides itself on being a highly technical firm that is capable of truly understanding the underlying technologies that power today’s environments. We understand that automated processes can only uncover the “low hanging fruit”, which in most cases accounts for only 20-40% of the vulnerabilities that may exist. More sophisticated vulnerabilities can only be discovered by manually reverse engineering or testing components at all layers (i.e. presentation to transport layers). This is where our in-depth knowledge of technology comes into play. We use low-level debugging techniques to identify the most sophisticated, hard-to-find vulnerabilities, just like a professional adversary would.
3. Exploitation: using the information gained in the first two steps, we prioritize which systems and vulnerabilities may lead us closer to the exercise’s target. Great care is taken to ensure that the methods of exploitation we use are not destructive in nature and protect our client’s sensitive information. The objective of exploitation is not to deny or degrade service but to gain unauthorized access to a system, application or data repository. Means by which we exploit systems may include, but are not limited to:
In the case of social engineering attacks, an executable may be sent to a client within the organization to establish backdoor access.
4. Post-exploitation: once an initial foothold is established, we repeat the steps above to identify internal vulnerabilities or weaknesses to penetrate further into the environment. This phase may involve escalating privileges and pivoting to other systems within the network.
Vulnerabilities discovered within each of these phases are recorded and given a rating based on the rating methodology.
Back in 2015 we started a defense research project on how best to assess IoT products and solutions. Over a two-year period, we assessed and pen tested about 90 products in multiple sectors. We then developed the GCAM methodology in order to assess products. We have since used this model for the evaluation of products and solutions, and have added CAN CSA-T200 Express and UL2900 as standards that can be applied using our methodology. We have tested many medical and smart technology products using this approach.
IoT is the future of technology and takes many aspects of mobile and cloud to a whole new level. While many companies are still considering their options in this developing market, the time is right to identify the risk posture of the potential solution and ensure that security and privacy have been designed into your solution.
While some organizations might already have solutions on the market, it’s not too late to consider how to secure the next revision. The key is conducting a security threat model and then updating it accordingly. This includes ensuring that the design and test plans validate the threats. If issues are found in the field, they can easily be dealt with using the updated design and development process.
We also perform end-to-end solutions testing for organizations that are looking for a higher level of assurance. This can include code assessments and vulnerability assessments against both hardware and software components. Global requirements are being expanded to consider company governance and risk management as key factors in producing a secure product. Make sure you’re aware of these pending developments in the global market so as to prevent surprises in the future.
Businesses have long struggled with how to handle the unfortunate moment when a network intrusion becomes a data breach. The security team at TwelveDot has developed a pre- and post-breach methodology to help organizations prepare for the day when a compromise of privileged data occurs.
Based on international standards, our methodology considers the full breach picture from understanding the risk of data exposure, to breach prevention and incident response. Our holistic approach guides companies through the full breach lifecycle to mitigate risk and reduce company exposure to threats and breaches.
Understanding the risk of any project that handles critical data is fundamental to a pre-breach program. Ensuring that adequate technical controls are in place and that policies and procedures governing security practices are well communicated is paramount in a sound security program. TwelveDot will build a customized playbook to protect and secure your assets.
The ability to detect a breach and perform the incident response that follows it aids greatly in tightening security practices, by identifying methods that will prevent further compromise in the future. Our team can help you implement procedures to handle this independently and can also be called on to assist in emergency situations.
Preparing for a cloud deployment is tough enough – let us take on the security and privacy aspects. We can work with both administrative and technical teams to conduct a Technical Risk Assessment (TRA) and outline the risks that need to be addressed. This includes creating an Action Plan (AP) with your project team to implement these new system and process controls.
We use ISO standards as the yardstick for controls that should be considered and deployed. This also allows us to ensure your specific cloud security needs are considered and addressed.
We consider all aspects of a cloud deployment regardless of architecture or deployment model used. This includes:
While mobile usage has surpassed web for development projects, many programs lack even a basic System Development Lifecycle (SDLC) discipline. As a result, apps are created that lack security threat modelling and security gates that evaluate any new programming risk that might have been introduced to the source code.
We have developed a methodology that allows software to be validated against vulnerabilities. The focus is on testing to flush these out, using the source code where possible to conduct these tests. This includes network layer testing to see the data that traverses connections and the user-identifiable details in these transactions. Our approach is based on years of R&D on the attack surface of these solutions.
Our services include the following aspects:
Building and maintaining an ISMS (Information Security Management System) is not always easy – especially for larger organizations that have already developed processes and procedures for managing risk. However, more governments, financial institutions and even software vendors now require partners to be compliant with ISO/IEC 27001. Many countries in Europe and Asia are now requiring companies in certain sectors to become 27000 certified to operate. Our approach to implementing an ISMS is divided into phases that help organizations big or small easily prepare for deploying an ISMS. The process is initiated with a gap analysis to better understand the organization and the current set of security controls that have been deployed. We then work with customers to understand the mandatory controls that will be required and provide technical consulting to implement these controls. Once completed, we work with customers to develop the Statement of Applicability (SoA) that will be used towards obtaining certification. While certification is not always the goal of an organization that wants an ISMS, it typically is the long-term strategy for many companies.
Applying our intimate knowledge of the ISO 27000 standards family and technical deployment know-how, we can provide all the services necessary to support your implementation of an ISMS. If you think an ISMS is only for big companies, think again. Small and medium businesses also benefit from the controls that an ISMS requires to ensure a strong security foundation for the future. It will also significantly reduce the cost of deploying these aspects for a large company that now needs to comply with this standard to win large contracts or new customers. This investment in an ISMS will help prepare a company for its future.
1. Pre-assessment and Breach Playbook: Working with your organization at multiple levels, we attempt to prepare your organization to better deal with an incident when it occurs. We draft a Breach Playbook that looks at multiple aspects specific to your organization and aligns with current systems and methodologies used for business processes. For this, we help to implement controls that will aid in the triage of an incident and its subsequent mitigation.
2. Incident Management: When deployed, our team of analysts works with business and technical staff to enact the Breach Playbook. This ensures all parties know their role during an incident and can perform their tasks accordingly. This will include everything from providing both remote and on-site support to handling the investigative aspects of the incident to determine scope and impact. At the onset, we will deploy secure communications with the assumption that current communications channels have potentially been impacted. This ensures that discussions and data exchanges remain secure during the incident.
3. Impact Assessment: We use system and network resources to quickly and efficiently identify the impacts. This may include aspects such as:
4. Remediation: Our team of analysts will provide the necessary road map to incident containment and remediation based on the activities of the intrusion. We will provide guidance on how to minimize these attacks in the future and deploy the necessary controls to ensure that weaknesses that could be exploited in the future are addressed.
5. Lessons Learned: After the incident has been contained, we provide guidance on how to ensure similar threats can be mitigated in the future with better security controls.
ISO-based approach
TwelveDot is dedicated to the development of ISO standards as both experts and conveners of several committees. As such, we rely on ISO/IEC 27035 – Information Security Incident Management to drive our solution. As a multi-part standard, it guides us through the principles of breach prevention, identification, mitigation and eradication. Having a structured approach allows us to provide a higher level of assurance that the compromise is properly dealt with, and ensures the impacted organization will be functional again in the quickest time possible with minimal impact.
While we attempt to ensure that companies are prepared prior to a breach, in many instances we are engaged without the necessary controls in place. In these situations, we will use additional forensic methods to determine the possible timeline and target assets of the breach. This may include analysis of system and device memory, data captures taken once engaged, and interviews with impacted staff.