Protection assessments are used to measure a client's protection systems and provide advice in making changes where appropriate. Here are some recent examples:
ISO-27001, ISO-17799, and ISO-15489-1 Compliance: Increasingly, enterprises are contractually pushed to meet security standards. Internal forces and the business environment move them increasingly toward the ISO standards identified here. By using standards, they avoid incompatibilities, have a basis for claiming due diligence, and avoid unnecessary costs and complexity in their security programs. We provide assessments and gap analyses that include the current status and urgent, tactical, and strategic changes to be made over appropriate time frames to meet these standards within the context of the business, and with minimal changes and inconvenience. We also do policy and control standard development and other related work within the context of these standards. (Typical assessment and gap analysis costs: ISO-27001 $45K; ISO-17799 $75K; ISO-15489-1 $35K)
HIPAA Compliance: In one of these reviews, we assessed compliance of a system under development for patient health care. We found that, to meet their business requirements under HIPAA, separation of identifying information from patient health records was going to be necessary. Ultimately we helped them redesign their system before it was fully implemented, saving them enormous long-term security problems. (Typical full compliance audit cost $65K - typical rapid assessment costs $25K)
Dumpster Diving: In one of these assessments, we examined waste from a multi-billion-dollar corporation. We found information including but not limited to employee pay details, proprietary technology, guard patrol patterns, user IDs and passwords, and purchasing details. This could have allowed us to commit employee identity theft, take up to $100,000 from the company, break into the company and its information systems, and create serious adverse publicity. Our recommendations included inexpensive and easily implemented methods to solve this problem in the context of their normal work environment. (Typical cost $30K)
Web-based Intelligence: In one such study, we gathered detailed information on groups for a government agency. This included group history, identification and pictures of many group members, histories of key individuals, details of their information systems and technologies in use, psychological profiles of group members, information on funding sources for various efforts, connections with other groups, and purchasing patterns. These types of studies almost uniformly reveal significant changes that should be made in a corporate web presence. (Typical cost $55K)
Deception Susceptibility Study: One such study involved a sampling of susceptibility across a large corporation. In this case, telephones yielded very helpful people, while email requests tended to get referred to people with special expertise. Tailgating for entry was unsuccessful, and talking our way in failed miserably, but multi-mode efforts such as combinations of FAXes with emails and phone calls were very successful. The net effect was a change in corporate awareness focus and the introduction of new procedures for specific situations. (Typical cost $45K)
Telecommunications Sweep: The typical telecommunications sweep includes telephone, cellular, fax, modem, and Internet sweeps of corporate information assets. A typical case revealed numerous technical weaknesses, unauthorized modems and computer connections, weak voicemail passwords, some exploitable configuration errors, telephone extensions not listed in the company phone list, and voicemails that should not have been present. As a result, many changes were made to reduce risk and investigation of misuse was performed for specific abuses. (Typical cost $40K)
Project Data Aggregation: In one case we were tasked by a company to see whether a competitor could determine when a company confidential project would be completed. After some effort, we ended up using a combination of techniques and sources to determine who the key project individuals were, how they were making plans for the coming months, and when they would become available for other activities. This allowed us to predict planned project completion to within one month. The net effect was a change in operational planning for future sensitive projects. (Typical cost $50K)
A Bugging Exercise: In a typical example, we were asked to see whether we could listen in on conversations in an executive suite. The plan was very simple and it worked very well. We covertly inserted a listening device into the appropriate meeting room, recorded activities over a period of weeks, and played back the results. The net effect was a change in the way countermeasures were implemented. (Typical cost $20K)
Our protection assessments provide realistic appraisals of how effective your protection is against the things real attacks do today. They also help you plan for your future by giving you insight into how to balance your protection across all domains and against all threats.