Our services include Assessment and Management of Risk and Vulnerabilities (RMF), Policy and Security Control Implementation, Compliance Assessment and Implementation, Data Protection, Enterprise Security Implementation, Cloud Transition, Cybersecurity Awareness Training, and more. Contact us with any questions, comments or for quotes.
Below are some samples of work we have done.
Compliance and Risk Management Policy Documentation
Creation of cybersecurity policy documentation sets based on: NIST SP 800-53, 800-171 and CMMC for corporations in the aerospace, machinery, and manufacturing firms. These sets were part of a compliance and risk management program for each of the three corporations.
Small Business Security Management
Security implementation and monitoring plan creation for small businesses to safeguard and backup data, including current situation assessments and recommendations on cost-effective measures. Currently, we monitor for changes, issues that may arise, and growth.
Development of Cyber Threat Intelligence Programs
Threat intelligence programs are created for companies to understand threats that had targeted, would target, or were currently targeting the organizations and could defend itself against them. The information collected helped in the preparation of the program itself and provided essential context data to prioritize critical attacks and continuously update the businesses’ protection measures.
Creation of Detailed Incident Analysis Guides
To supplement incident response plans, incident analysis guides have been created outlining structured processes for identifying what, how and why an incident happened, what can be done to reduce the risk of recurrence.
Assessment of Network Defense Policies
Assessment of current algorithms, message integrity techniques, symmetric and asymmetric encryption uses, key exchange techniques, Kerberos server, key and certificate generation, and management activities are typically conducted.
Transitioning Data to the Cloud
At client’s request recommended several commercial file hosting services for backup, accessibility and safe storage. After reviewing the client’s needs, functionality, ease of use, synchronicity, storage size, long/short term use plans, and price were considered in the selection. The client selected a commercial cloud service and after signing for an account the duplication of documents into the cloud was made. A backup schedule was created and implemented, and a staff person was designated at the client’s firm to oversee the backups, assist staff with questions and technical difficulties and manage any issues that could arise.
Planning and Development of an Online Research Platform
A worldwide network of 200+ business centers needed an online international business research platform where their members could interact and exchange business information. The platform needed to be secure and have secure user login and authentication features. The platform also required an area where members could showcase their products and services, post jobs, and interact with other members. The platform was successfully created and implemented.
Recommendation of Cryptographic Security Measures
Perform analysis and security recommendations on how to use cryptographic techniques to improve the security of companies’ networks. Tasks performed include identifying the components within the company’s network where hash functions and message authentication codes (MACs) could be used to enforce integrity and other security policies.
Creation of Forensics Readiness Policies
These policies have been created for businesses for the appropriate collection and retention of evidence after being affected by security incidents. The policies address the need for the organizations to have planned procedures in place to preserve digital evidence and to conduct forensic investigations.
Selection of Security Controls
Performed a report for a law firm with recommendations on how to manage their risk considering effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, etc. The report also included a recommendation on what security controls to implement and a list of all the applicable laws, regulations and standards that the law firm had to observe, follow and comply with for accessing, handling and safeguarding data. The project included the identification of vulnerable areas in the firm’s physical, administrative and technical areas and processes and types of damages the law firm could suffer in case of an attack (when confidentiality, integrity and availability are compromised).
Implementation of a User Authentication Protocol
Prepared a plan to implement a user authentication protocol on a health insurance company’s network. The plan described the need for such server and its uses, particularly, to authenticate users/machines in a network so that the company administrators could have control over who can access it, when and where, and the type of access the user or the machine would have. The plan concluded with a recommendation to the executive team to adopt such protocol to manage user access to their networks.
Creation of a Cloud Based Database
Created and online searchable member database platform for a non-profit organization. The database was custom programmed with the use of an enterprise cloud database and embedded into the organization’s webpage. The development and implementation were successful, and the database achieved a range of 50-150 visitors per day.
Scanning of Network Traffic
The scans performed had the objective of giving the client a visualization of what type of information is transmitted every time there is communication between the client’s devices and an outside network (WAN). The activity also illustrated the process the information goes through to reach the other end securely.
Adversarial Threat Assessment
Performed a business adversarial threat assessment for a corporation in the international trade field. The objective was to identify any individuals, groups, organizations, or states that could seek to exploit the resources of the business in question. The assessment provided the company with a clear illustration of the threats that they face and enabled them to implement a proactive incident management program (Cyber Threat Intelligence Plan) that focused on the threat component of risk. Meetings, surveys, reports and confidential reports were created to address the possible threats and the modes of attack. The report created awareness at the managerial and executive levels and provided them a better perspective of who and what could be out to affect them.
Creation of an Incident Response Plan
Drafted an incident response plan for a client. The plan included steps on how to handle potential incidents in case they happen, how to identify a security incident, how to isolate an affected system to prevent further damage, finding and eliminating the root cause, how to get the affected systems back into the production environment, how to document an incident, and the recovery process.
Whitepaper of Threat Intelligence Capability
The creation of a whitepaper to describe post-mortem effects of two cyber-attacks in recent years was created for the client company to gain an understanding of what it would take to build, staff, resource, and operate a cyber threat intelligence capability to support their cyber operations. Case studies of two well-known international corporations were used for research. The objective was to illustrate how enterprises of any size can be greatly affected by a cyber-attack and create the understanding at the executive levels that cybersecurity is not an expense but a needed investment. Additionally, it was intended to help the leadership team better understand, discuss, and assess the company’s needs for a cyber threat intelligence capability.
Assessment of Risks, Security Controls and Policies
Performed a report for a law firm with recommendations on how to create a framework for managing their risk considering effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, etc. The framework also included a list of all the applicable laws, regulations and standards that the law firm had to observe, follow and comply with for accessing, handling and safeguarding data. The project included the identification of vulnerable areas in the firm’s physical, administrative and technical areas and processes and types of damages the law firm could suffer in case of an attack (when confidentiality, integrity and/or availability were compromised).
Vulnerability Assessment Scan
Performed vulnerability scanning on systems to identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of the systems. Reported on potential risks posed by known vulnerabilities, ranked in accordance with NVD/CVSS base scores associated with each vulnerability, and cross checked with CVE numbers associated with identified vulnerabilities to suggest remediation or security controls. In addition, associated risks were identified and to mitigate them security controls were selected according to the risks’ levels of impact.