Cyber Security

CGNET has been providing security services for decades. We offer services for potential vulnerabilities in your defense as well as finding malware implanted in your system (Advanced Persistent Threats).

Our services focus on five areas:

Vulnerability Assessment

You’ve taken appropriate steps to make sure your network is protected from viruses, malware, and “bad actors” that want to compromise it. So you feel safe, right? But are you really sure?

Organizations regularly test their networks to confirm that there are no weak spots—vulnerabilities—that could be used to enter the network, take over computers and steal information. In fact, it’s considered a “best practice” to conduct such vulnerability testing twice a year. CGNET can do this for you.

What’s Involved

CGNET uses a tool that scans a list of all external IP addresses, provided by the customer. The tool looks for common weaknesses associated with the devices at those IP addresses and saves its results in a log. Examples of weaknesses include executable files that have not been updated and passwords that have not been changed from their default settings. It also scans web applications for vulnerabilities to exploits such as SQL injections and cross-site scripting.

CGNET can go beyond traditional scanning, and attempt to exploit the weaknesses that are uncovered. This step takes vulnerability scanning beyond identification of potential threats, to include confirmation of which threats are real and require immediate remediation.

What Do I Get?

Once the scan is completed, CGNET produces a report for the customer that includes:

• Details of devices scanned and vulnerabilities found
• A list of vulnerabilities, sorted by priority, along with an explanation of the potential security risk of each vulnerability
• A management summary of the scan results with recommended remedial actions

What’s the Benefit?

The first benefit of vulnerability testing is knowledge: now you know the state of your network. You can’t fix what you don’t know is broken!

The second benefit is sometimes equally important: now you can demonstrate that your network is secure. Organizations frequently undergo audits or compliance reviews, and it’s common for an auditor to ask for evidence that your network is secure. Now you have it!

What Does It Cost?

The cost for vulnerability testing depends on the number of IP addresses to be scanned. For most organizations, the cost is typically in the $5K-$10K range.

Network Security Assessment

Vulnerability testing can tell you if your network is secure from future threats. It’s a great tool for your cyber security toolbox. But it can’t tell you about threats already present in your network. Also, advanced persistent threats tend to take up residence in your network and lie dormant for a period before they act.

What this means is that you can’t assume that a well-behaved network is free of threats. You have to go looking for them and proactively confirm that they’re not there. Fortunately, CGNET’s Network Security Assessment tool can do this for you.

What’s Involved

CGNET works with you to install a monitoring device on the edge of your network. The device examines outbound network traffic, looking for instances of communication with known bad sites. These sites are compiled from monitoring roughly one third of all internet traffic, and the list is continually updated. Monitoring collects information such as what file or program is attempting to communicate, whether it was successful, what endpoint was reached, and whether the communicating file or program was associated with a threat signature.

What Do I Get?

Once the assessment is completed, CGNET produces a report for the customer that includes:

Details of files analyzed, threats found, assets with downloadable files, and command-and-control sites that files attempted to access
Endpoints monitored, including those that appear to have been compromised
Detailed information on active and potential threats uncovered
Comparison of threats found compared with threats identified by antivirus programs
A command-and-control blocking score
A management summary of the assessment results with recommended actions

What’s the Benefit?

The first benefit of a network security assessment is knowledge: now you know if there are threats present.

The second benefit is that you have a prioritized list of actions to take to clean up any threats. Many security products will give you reams of output to analyze—and that’s the problem. With so much information on possible issues, including false positives, it’s overwhelming to sift through the data to find the information that’s truly actionable. With CGNET’s network security assessment, you get right to the heart of the matter: what’s wrong, where is it broken, what should I fix first?

What Does It Cost?

The cost for a network security assessment depends on the number of IP addresses to be scanned. For most organizations, the cost is typically in the $5K-$10K range. You can run the assessment periodically, or you can subscribe to continuous threat monitoring, making sure your network gets clean and stays that way.

Information Security Training

According to a 2016 Ponemon Institute survey, “the number one security risk is employee carelessness.” 66 percent of respondents said that “employees are the weakest link in their efforts to create a strong security posture.” The best way to mitigate this risk is through effective, comprehensive training of users about information security.

What’s Involved

CGNET first works with your organization to customize end-user security training to your needs. We then provide a program of training that includes live classes, online training materials, phishing tests, and periodic user security updates.

What Do I Get?

The subjects covered in on-site training often include:

How important security is to the organization
How important users are to security
Caution installing programs
Cooperating with patching efforts
Physical security: theft, clean screen, proper paper
Caution opening attachments
Caution clicking on links in email
Caution clicking pop-ups
Special caution with company data or financial assets
Creating strong passwords, keeping them private and changing them
Password managers
Caution with wi-fi connections on the road
Protecting your credentials, e.g. multi-factor authentication
Not using strange flash drives
Reporting any phishing, lost devices, or any other security issues

In addition, we run phishing tests on all users you select and give you the names of people who clicked and the percentage of users who clicked. We also provide follow-up materials and quizzes to keep users’ knowledge fresh.

What’s the Benefit?

The main benefit is that user awareness can be expected to reduce the risk of information breaches. One study reported that “changing employee behavioral responses to cyber threats such as social media, phishing and other popular attack vectors can reduce an organization’s risk by as much as 70%.” In addition, organizations with effective security training have more confidence in their organization’s security efforts. Finally, many regulations require end-user information security training in order to achieve compliance.

What Does It Cost?

The cost for an effective information security training program depends on the size of the organization and the training modules selected. An average cost among our clients is between $3,000 and $5,000.

Strategic Information Security Planning

Despite your best efforts, there’s a real chance that some of the organization’s information is going to be compromised. There are plenty of news stories about leaked emails, lost laptops and stolen smart phones, all of which caused previously private information to be made public.

Is your organization prepared to deal with this possibility? Do you have plans to minimize the chances of such information exposure? Most organizations don’t know the extent of sensitive information spread throughout the organization, haven’t implemented comprehensive controls to secure the information, and don’t know what they would do if information was made public. Preparation now can mean peace of mind later.

What Does It Accomplish?

Strategic Security Planning helps an organization understand the potential impacts of compromised information security, whether it affects confidentiality, data integrity, or availability. It also prioritizes actions to address weaknesses in an organization’s information security.

What’s Involved

CGNET first works with your organization to document what information, devices and applications exist that could be considered sensitive, where they exist, and how they are currently secured. Once this inventory of sensitive information assets has been developed, CGNET works with your organization to understand the severity of each class of security breach. For instance, disclosure of some kinds of information could have a financial impact, while others could have a reputational impact. Temporarily shutting down the organization’s operations, as with a denial-of-service attack, will affect some organizations more than other.

CGNET then calculates the likelihood of each kind of breach occurring and combines this with the severity ratings to develop an information security risk matrix. By plotting each information asset on the matrix, controls to mitigate each risk can be prioritized.

CGNET then compares the security practices that are in place with industry standard controls, determining what improvements have to be made, in terms of the priorities of the risk matrix. The improvements are put onto a temporal roadmap, to provide a comprehensive plan.

What Do I Get?

CGNET produces a report that includes the following topics:

What information assets exist, where are they located, and how are they currently protected?
What is the kind (financial, reputational) and amount of risk for each asset?
How does the organization’s current security posture compare, risk by risk, with industry standards and best practices?
What should be done to close the gap between current and best performance, given the organization’s particular needs and resources, including technology, policies and procedures?
How should new and improved security controls be implemented over time?

What’s the Benefit?

The organization gets a comprehensive view of its complete information security posture, rather than being influenced by events or the clamor of different security vendors. It prioritizes remediation measures and justifies their cost.

The plan also is a demonstration of how the organization has adopted best practices for information security. This can have economic impacts for the organization, for instance if donor confidence is affected by such a demonstration. The plan can also be used to demonstrate aspects of regulatory compliance.

Finally, the planning process helps sustain a dialogue with executive management about how information is shared and stored, so that information security concerns can be raised, addressed and given the priority they deserve.

What Does It Cost?

The cost for developing a Strategic Information Security Plan depends on the scope of the effort and the resulting time required. Usually, the cost in the $10,000 to $20,000 range

Information Security Policy Development

If you want to encourage positive information security habits by end users and IT staff, and if you want to get top management involved, it’s critical to document expectations in the form of information security policies. Creating them codifies expectations for everyone –end users, system administrators, help desk staff and so on—with respect to security.

Information security policies typically include these topics:

A general management commitment to information security
Clear responsibility for implementing, maintaining and updating security
Appropriate device use, from password strength to using wireless networks on the road
Access policies (who has access to what systems or applications, with what level of permissions, for how long)
Physical access (how are wiring closets and server rooms secured, who has access, how is access documented)
Administrative access (how is access granted, for how long, with what level of permissions)
Business continuity and disaster recovery
Use of mobile devices

Additionally, change management is sometimes included under information security, or at least referenced. Change management, in this context, considers who will make and approve changes, how changes will be made to systems and applications, with what controls, considering the risks, encompassing rollback plans and the like.

It’s a lot of ground to cover, and it’s often helpful to engage consultants who are familiar with “best practices” in the industry to assist with policy development.

What’s Involved

CGNET first reviews what policies and procedures are already in place. Often these will be incomplete or not well observed, but they represent a starting point for new policy development. Next, CGNET interviews IT management and other relevant staff to understand the particular needs of the organization. Some questions might include:

What practices are followed now and what incentives are provided to follow the policy?
Are there any audit findings that indicate improvement is required in development and application of different policies and procedures?
What is the desired scope of the plan—what is to be included? Excluded?
What systems and applications are within scope?
How do users learn about the policies and the techniques needed to follow them?

Once CGNET has collected this information, it then goes forward with policy development, taking industry best practices into account. Once a draft of the plan is ready, CGNET reviews it with the customer and revises the plan as required. CGNET can optionally provide training on the plan for the organization’s staff.

What Do I Get?

CGNET delivers an information security policy, as a single document or divided into multiple subject documents. CGNET also delivers an explanation of the policies intended for review with executive management as part of obtaining their support for plan adoption. CGNET can also provide training of staff on the policy’s procedures.

What’s the Benefit?

A general information security policy “ratifies” information security for the organization; good information security is everyone’s responsibility, not just IT’s responsibility.

Information security policies set expectations for the organization: here is what we need to do and why. They also set performance expectations. Information security policies also represent a focal point for documentation of the organization’s practices around information security. This is crucial in audit and compliance situations, where there is a need to demonstrate that the organization has a documented approach to information security.

What Does It Cost?

The cost for development of an Information Security plan is dependent on the scope of the effort and the resulting time required. We find that Information Security plans typically cost in the $10K-$20Krange.

CGNET Blog: Cyber Security

Setting an Email Forward Alert

I got a great response from my recent post detailing a phishing attack; thanks for that! Some of you asked about how to set an email forward alert. Remember that one component of the recent attack was that the hacker created a rule to auto-forward all messages to an...

The Treacherous World of Social Engineering: Top Tricks of the Trade

Hacking is a thriving business. We hear about it in the news all the time these days. When we think of a hacker, we imagine a computer whiz who has the technical expertise to “break in” to computer systems. The high school nerd who works his way into the...

How a Successful Phishing Attack Happens

It’s instructive to see how a successful phishing attack can happen. Let me share a story with you. I got a text message, then a call last week. Both were from the same customer. “Dan, I think my account has been hacked,” was the message. “What do I do now?”...

Use Azure Migrate to Streamline Application Cloud Migration

Does this situation sound familiar? You’ve moved email to the cloud (yeah!). You’d like to move your servers and applications to the cloud as well, but the task seems daunting. Before you could use Azure Migrate it was challenging to answer these questions: Will...

Get Your Security Systems under Controls

The latest version (7.1) of the CIS Controls can make planning your overall IT security effort much easier. The purpose of the Center for Internet Security’s controls has always been to focus on the most fundamental and valuable security actions that an...

How Secure Is Your Attack Surface?

It is now necessary to go beyond your servers to other endpoints covered by an attack surface assessment.

Reconsidering Website Email Addresses

Deciding whether and how to post email addresses on websites is an old problem. In internet time, that means several years. We do know a little more now than we used to. To review, the primary risk is that email addresses that are simply posted as text or html can be...

Foster Security Training Engagement with Quizzes

Challenge: How to Foster Security Training Engagement If you’ve been following along (and we know you have!), you’ve heard us stress the importance of security training for staff as a component of your cybersecurity posture. (If you want to know more, click here.)...