| Active Reality, Inc. Category Descriptions |
| DIR Managed IT Security Services - |
| i. Scanning |
| During a typical scanning effort a discovery scan is performed to determine what systems are visible within the defined address space and what services are visible on those systems - this type of activity is often called a discovery scan or port scan. Network services, such as mail and web, listen for incoming connections on specific ports. The scanners help determine which ports are open and accepting network connections by sending information to the remote systems and examining the responses (or lack of responses). ICMP, TCP, and UDP scans are all performed during this step. As a continuation of the discovery scanning activity, we use data gathered up to this point as well as other specific tests to determine what operating system and specific version of a service is running on the systems being examined. Deliverables for scanning efforts typically include a formal report listing the tests performed, systems and services discovered, and recommendations for addressing any findings. |
| ii. Penetration testing |
| Unique applications have unique security issues. A professional security audit of your site can locate issues that are difficult to automatically detect. The advantage of a combined manual and automated human audit lies in providing relevant information to your business about the real risks to your company and your consumers. A black box human assessment is an efficient method to locating network and web application security flaws in custom applications that hackers target and that automated security tools often miss. Penetration testing also brings to bear a number of custom and commercial off the shelf tools to identify common security flaws and externally identifiable configuration and patch management issues. |
| iii. WAR Dialing |
| War dialing combines extensive experience with modern techniques to locate vulnerable modems, and FAXs that might be accessible outside the organization, creating undue risk from outside recon or attack. These modems and FAX machines are tied together and reported upon, to insure knowledge of their relative footprint within the organization. |
| iv. WAR Driving |
| Using advanced tactics to both locate and assess wireless network strength war driving consists of onsite assessments of wireless networks through wireless canvassing. Tied in with known vulnerabilities in common wireless platforms, default configurations and poor use or lack of encryption, the output maps out the known issues and builds out geo-located positions on maps. |
| v. Social Engineering |
| Social engineering uses a combined approach of pretexting, trojan horses, phishing, quid pro quo and other confidence schemes to reveal secret information from persons with access to sensitive information, or access to critical functions. This information is most effectively used when combined with penetration testing. |
| vi. Applications Assessment |
| Application assessment uses a detailed and bespoke approach to testing the security viability of applications. Some questions that are identified and answered include issues like 1) Is the application opening sockets for listening 2) is it transferring data 3) does it store data encrypted 4) does it interact with other programs in an insecure way (unhashed or unencrypted data) 5) does it require privileges for it to run that are unnecessary for it's function 6) is it configured correctly and is that configuration secure, etc... |
| 1.a Cyber Attack Alerts |
| Cyber attack alerts are provided by a security operations center to deliver real time alerts based on both network intrusion and protection devices. On an ongoing basis, critical alerts are delivered on an operational real time basis, for all network events. These alerts are sorted and can be issued based on relative severity. |
| 1.b Cyber Attack Countermeasures |
| Countermeasures begin with an architectural overview, adjustments are made to enable proper placement of NIDS/NIPS devices. Each network segment that a detection engine resides can be profiled until the organization is comfortable enabling active protection measures. These can include automatic firewall blocking, packet injection, packet normalization as well as audits to ensure the attacked systems are not vulnerable to the exploits being used against them. |
| 2.a Configuration Management of Monitored Devices: Security Hardware |
| Configuration Management is achieved via automated tools that enforce version control, change authorization, detect unauthorized changes and periodically audit configurations against best practice and custom needs. |
| 2.b Configuration Management of Monitored Devices: Security Software |
| Configuration Management is achieved via automated tools that enforce version control, change authorization, detect unauthorized changes and periodically audit configurations against best practice and custom needs. |
| 1.a Cyber Attack Alerts |
| Host based intrusion detection systems (HIDS) and host based intrusion protection (HIPS) systems are deployed on the target computers that are most likely to be exploited. Central management and alerting of HIPS and HIDS devices help reduce the overall cost of deployment and increase the likelihood of recovering from a security event. |
| 1.b Cyber Attack Countermeasures |
| Countermeasures begin with an overview of each type of host present in the environment, adjustments are made to prevent potential conflicts between host software and HIDS/HIPS. Each host that a detection engine resides on can is profiled until the organization is comfortable enabling active protection measures. These can include automatic host firewall blocking, execution prevention, process termination as well as audits to ensure the attacked systems are not vulnerable to the exploits being used against them. |
| 2.a Configuration Management of Monitored Devices: Security Hardware |
| Configuration Management is achieved via automated tools that enforce version control, change authorization, detect unauthorized changes and periodically audit configurations against best practice and custom needs. |
| 2.b Configuration Management of Monitored Devices: Security Software |
| Configuration Management is achieved via automated tools that enforce version control, change authorization, detect unauthorized changes and periodically audit configurations against best practice and custom needs. |
| 1. Correlation and reporting of specific server logged events |
| Hosts and applications are configured to log all relevant events. Host based agents can be tuned to report on events relative to the application's use. Central log servers are configured for reporting relevant to the overall environment and correlate between all available information using an advanced correlation engine. |
| 2. Capture, store and reporting logged events |
| System level events are centrally logged to enable correlation across the infrastructure. The correlation engine tracks trends and alerts as appropriate in real time to security personnel, as well as a periodic security report. Application logs are treated based on their profile, some logs, such as web logs, can be too large to move off host, in which case an agent approach is used to alert on specific matches. Other applications may be too sensitive to keep the logs on host, or desire central logging for enhanced correlation. |
| iv. Network attack activity |
| The SOC (Security Operations Center) monitors reports from all internal security controls and external sources to model and interpret network activity and threats. Specific alerts are compared to the threat model of the target and the threat is classified. Appropriate action is taken based on threat classification. |
| vi. Advanced analysis and correlation of security events |
| Correlating security events operationalizes otherwise inefficient and noisy security devices, especially when used in a layered defense model. Additionally, attacks that may otherwise roll off of a buffer of any given security device can be held much longer within a correlation engine, providing long term insight into "low and slow" attacks that may go otherwise undetected. Correlation also allows two disparate devices that otherwise cannot see inside of certain packets, protocols, etc... to work in concert to identify potentially malicious behavior, and eventually recover quickly in forensics situations. |
| vii. Expert human interpretation |
| With decades of operational and forensics experience, the right staff can augment security tools to build better knowledge of any given attack situation. Events themselves can be misleading or incorrect, and with skilled professionals to isolate and dissect the event, it can provide valuable insight into a detected security event. |
| x. Security management and event responses practices |
| Incident response is tailored to each specialized environment. General procedures providing all personnel with knowledge to properly report and react to events. Specialized procedures for escalation, and response to events. Data handling policies for compromised hosts and devices, law enforcement reporting and data handling procedures. |
| xi. Intrusion detection and response |
| Intrusion detection systems (IDS) are only as good as the people manning them. While IDSs do provide value in knowledge of an attack, ultimately it still requires the correct decision and response to ultimately thwart a security event. Tuning IDSs to be more efficient and relevant to the specific environment also greatly increases the likelihood of detection. |
| xiii. Firewall/VPN monitoring services |
| 24/7 monitoring of events, customer notification based on event classification (pre-canned or set by the organization). |
| xiv. Firewall/VPN management services |
| i. Connection and configuration |
| Through a series of investigations (self assessment, reviewing configurations, and ultimately testing the configuration), a detailed assessment of the current settings and configurations can be performed. Also, this can be tied back with current best practices and baselines, to build gap analysis for future remediation. |
| ii. Scanning |
| Scanning for the purpose of inventory management and discovery is critical to understanding the threats faced against any IT environment. Using both home-grown assessment tools, as well as commercial and open sourced tools, scanning can even detect environments that are completely non contiguous (commonly found after the merging of two organizations). |
| iii. Topology mapping |
| Beyond scanning, mapping topology is an important step towards identifying configuration issues, and logic flaws in complex environments. Using both custom home-grown assessment tools, as well as commercial and open sourced tools, even complex topologies can be mapped both externally and internally. Combined with manual assessments, layouts and diagrams can be built to help document and remediate networking issues. |
| iv. Network utilization and change detection |
| Network devices are configured to report on performance metrics, those metrics are graphed overtime so that anomalies in traffic patterns and utilization can be detected and alerted on. Thresholds are set and adjusted as new services and equipment are added or removed from the network. |
| v. Network forensics and hot fix detection |
| After a security event, network forensics can help identify the critical events and isolate the damage. Additionally, detection of out of date patches and missing hot fixes can identify the problems that lead to compromise. Proper forensics can also identify areas of future improvement, and ultimately lead to a reduction in the long term risks. |
| i. Firewall and VPN policy and architecture review |
| Architecture review of firewalls and virtual private networks (VPNs) can help identify issues that can ultimately lead to network compromises. Policy reviews of the associated equipment can help identify critical holes in processes. Additional gap analysis of best practices or regulatory compliance reduces the likelihood of severe vulnerabilities. |
| ii. ISB/IPS policy and architecture review |
| Intrusion detection and prevention systems are situated in a way that captures real security threats and ignores traffic that will cause no harm, but would trip alarms and waste valuable human resources. Polices are built around the infrastructure they are protecting and tuned through traffic analysis to reduce false positives and alert on truly suspicious activity. |
| iii. Access control/identity management review/integration services |
Active Reality and IdentiPHI can provide a full scope of services beginning with a Readiness Assessment and continuing throughout the full deployment of an appropriate identity management solution. By establishing a project plan that consists of both short-term and long-term goals, we can help to accomplish overall success by establishing and achieving individual success milestones identified and organized based on priority.
IdentiPHI has established one of the strongest alliances of technology providers in the areas of smartcards, biometrics, token devices, and can fully integrate one or more of those technologies to deliver a combined secure identity management solution that addresses the needs of every user in your organization. With the most powerful middleware, backend authentication services, and management tools available, IdentiPHI is able to tailor an identity management deliverable that is highly specific to your organization’s needs. This is due to the realization that there is no single technology solution available on the market today that can provide a complete identity management solution.
SAFsolution and SAFmodule provide government organizations of all sizes and capacities to easily deploy smart card and biometric authentication methods to Windows and Novell networks. SAFsolution provides biometric and smart card authentication methods to MS Active Directory environments. SAFmodule is designed as either/both smart card and biometric NMAS method for authentication to Novell Networks common in state and local government agencies. SAFsolution and SAFmodule provide full centralized management and redundancy through MMC, eDirectory and iManager.
|
| iv. Network architecture review |
| Performing architectural assessments of a network produces a customized report of the most critical areas to remediate. Using custom tools and in-depth know-how, the aim is to produce actionable items that are easy to follow, cost effective, scalable and secure. |
| v. Host hardening and secure build development |
| Hardening the hosts used for production environments allows an environment to survive cyber threats, and in many cases can actually protect from previously unknown or "0 day" attacks that would otherwise compromise default environments. By using secure standard builds, it is possible to both thwart attacks, increase system longevity and reduce the cost to deploy. |
| vi. Disaster Recovery plan review, development and telecommunications redundancy |
| Building a disaster recovery plan increases the likelihood of survivability after an electronic incident, whether malicious or accidental. Developing telecommunications redundancy and implementing quality of service routing increases the chances of lower latency and high availability during network outages or congestion. |
| vii. High availability architecture review and development |
| Developing backup strategies, redundant connections and reducing single points of failure everywhere possible greatly increases system viability during and after an event. Reviewing existing high availability (HA) plans and performing a gap analysis against best practices can help mitigate future HA issues, and dramatically increase survivability. |
| i. Perimeter vulnerability scans |
| Performing regular vulnerability scans helps both proactively assess the overall security of the perimeter, as well as helps gauge the overall health metric of the network over time. Perimeter vulnerabilities scans use a combination of custom home grown tools, as well as both commercial and open sourced tools, to perform an accurate assessment of the relative vulnerabilities in the overall network infrastructure and underlying applications. Perimeter scans have the advantage of more accurately simulating what an external determined attacker would find. |
| ii. Perimeter penetration scans |
| Performing a penetration scan identifies the real risk in a network and the associated applications. This reduces the chances for false positives significantly by actually compromising the systems as a proof of vulnerability. Using home grown tools, as well as many commercial and open sourced tools, vulnerability reports, and custom exploitation, the perimeter can be assessed. |
| iii. Internal network vulnerability assessments |
| Performing internal assessments against a network allows an organization to simulate either an internal threat (rogue employee/contractor, etc…) as well as the threat of an external attack that may have already successfully compromised the internal network and seeks to spread. Attacks of this nature typically lead to far greater damage to an organization. Using custom applications, commercial and open sourced vulnerability assessment applications against an internal network creates a far better view of the threat landscape. |
| iv. Network risk assessments |
| Defining risks that a large network may face is a valuable exercise to compliment a vulnerability test or penetration test, allowing an assessor to predict the major risks. Rank ordering the risks by severity turns threats into actionable lists. |
| v. Host vulnerability assessments |
| Addressing host based security is often an economic and scalable solution to reducing risks for a large organization. By assessing the vulnerabilities in the hosts, as well as defining the path for proper defense, an organization can greatly reduce the overall risk it faces from known and unknown exploits. |
| vi. Host risk assessments |
| Performing a proper risk assessment against the hosts within an organization can help define the lowest cost path to improving overall security. By knowing the risks that a host faces, it is far easier to define the easiest remediation path that supports the organization and also reduces the rate and damage potential of incidents. |
| vii. Applications architecture assessment |
| Application architecture is one of the easiest things for an organization to get wrong. By assessing the architecture, a skilled practitioner will define faults in any part of the chain. For example, how the application collects, stores and displays information are all subject to serious risk. By using the theory of least privilege an organization can dramatically reduce the overall risk. |
| viii. Applications penetration testing |
| Performing application penetration testing is the easiest way to emulate what a determined attacker might find. It accurately simulates a low to zero-knowledge attack from the outside, where an attacker knows only that the target exists and perhaps that it stores or collects information that may be of interest to an attacker. |
| xi. Commercial product assessment |
| Performing assessments on potential vendors is an easy way to reduce the risk of adoption. This is done by performing a gap analysis between the vendors and the issue that needs to be mitigated. Commercial product assessments are performed by finding flaws in architecture, problems with reporting or installation and long term maintenance issues. |
| xii. Data security assessment |
| Data security is of top importance as attackers are far more interested in data than they are in the compromise itself. By categorizing data security and applying the policies and procedures in place, a company can ultimately narrow down the chances of successful data theft even after a successful compromise. |
| i. Security product deployment & configuration services |
| Hands on support for security product deployment and configuration reduces the internal burden of training and ultimately ongoing support for products. This is especially true given the complex nature of modern security devices that require expert eyes to configure, as they often require "training" against live traffic. |
| ii. Firewall/VPN deployment and configuration services |
| For firewall and/or virtual private networks (VPNs) having professional installation and configuration can make all the difference. These areas are often overlooked in even some of the largest organizations on earth, leading to easy and senseless compromise. The proper configuration can heavily reduce the risks from many types of attacks, including attacks that are currently unknown. |
| iii. NIDS/NIPS deployment and configuration services |
| NIDS and NIPS deployments are both complex and potentially dangerous if not properly configured and placed within the network. Often times, at incredible expense these tools are improperly deployed giving little to no benefit to the organization who purchased them. Knowledge both of the network and of best practices are critical to a proper deployment. |
| iv. HIDS/HIPS deployment and configuration services |
| With a proper deployment of HIDS and HIPS products a host can defend itself and alert upon critical incidents. With modern day applications and complex network environments, a self defending machine can strategically reduce the overall cost of maintenance and improve the visibility within the overall environment. |
| i. Virus outbreak assistance |
| Virus outbreaks can wreak havoc on an internal network, get systems blacklisted from real-time black hole lists and leak sensitive information out to attackers. Recovering from a virus outbreak can be time consuming and difficult for individuals who aren't well equipped to deal with the incident. External assistance in this area can reduce the time required to recover from an outbreak. |
| ii. Cyber attack response assistance |
| A cyber attack can be one of the most complex issues to deal with, often requiring real time forensics, quick modifications to production environments to isolate and protect critical devices, and ultimately the correct reactionary defense to reduce the risks posed by the assailant. Proper response can reduce the risks of retribution and proper documentation can ultimately lead to arrests if so desired. |
| iv. Remediation services |
| Responding to known vulnerabilities and issues goes beyond simply understanding the threat. With knowledge of the infrastructure, the purpose of the related devices, the budget and the timeline can all heavily impact the correct decisions made during a remediation contract. This could entail anything from racking and stacking, to configuration changes, and long term modifications to whole environments. |
| iii. End user security awareness training |
Essentials of Community Cyber Security - CIAS Site - max 20 students.
This ½-day lecture training course places the issues of cyber security in a community context and
demonstrates how cyber attacks by terrorist organizations can impact, prevent, and/or stop business
operations and emergency responses. The lecture covers cyber threats, vulnerabilities and
countermeasures, explains how computers systems and networks are vulnerable, and how this
vulnerability affects the organizations. CIAS Classes |
Essentials of Community Cyber Security - Customer Site in Texas - max 20 students.
This ½-day lecture training course places the issues of cyber security in a community context and
demonstrates how cyber attacks by terrorist organizations can impact, prevent, and/or stop business
operations and emergency responses. The lecture covers cyber threats, vulnerabilities and
countermeasures, explains how computers systems and networks are vulnerable, and how this
vulnerability affects the organizations. CIAS Classes |
| iv. Infrastructure security principles training |
Voice and data: An Introduction to Information Assurance - CIAS Site
This 4-day lecture and hands-on training course provides an introduction to information assurance and
general security practices. The lectures and hands-on lab exercises cover a broad range of topics related
to information assurance and information security issues. Introduction to Cyber Security Assessment & Risk Management
This 5-day lecture and hands-on training course provides an introduction to the basic concepts and
methodologies of cyber security assessment and risk management. Lectures cover methodologies,
techniques and tools for identifying system and network vulnerabilities, while labs reinforce the
concepts and provide experience in the use of security assessment tools. CIAS Classes |
Voice and data: An Introduction to Information Assurance - Customer Site in Texas - max 20 students.
This 4-day lecture and hands-on training course provides an introduction to information assurance and
general security practices. The lectures and hands-on lab exercises cover a broad range of topics related
to information assurance and information security issues. Introduction to Cyber Security Assessment & Risk Management
This 5-day lecture and hands-on training course provides an introduction to the basic concepts and
methodologies of cyber security assessment and risk management. Lectures cover methodologies,
techniques and tools for identifying system and network vulnerabilities, while labs reinforce the
concepts and provide experience in the use of security assessment tools. CIAS Classes |
| vi. Forensic/Incident response training |
Introduction to Incident Response - CIAS Site
This 5-day lecture and hands-on training course provides an introduction to the basic concepts and
procedures of incident response. The lectures cover all facets of incident response, while the labs
reinforce the lectures and demonstrate common procedures, best practices, tools and related issues
in the incident response discipline. Introduction to Digital Forensics
This 5-day lecture and hands-on training course provides an introduction to digital forensics. The
lectures cover a full range of forensics practices, techniques, and issues, while the labs reinforce
concepts and provide experience in the use of forensics tools. CIAS Classes |
Introduction to Incident Response - Customer Site in Texas - max 20 students.
This 5-day lecture and hands-on training course provides an introduction to the basic concepts and
procedures of incident response. The lectures cover all facets of incident response, while the labs
reinforce the lectures and demonstrate common procedures, best practices, tools and related issues
in the incident response discipline. Introduction to Digital Forensics - Customer Site in Texas - max 20 students.
This 5-day lecture and hands-on training course provides an introduction to digital forensics. The
lectures cover a full range of forensics practices, techniques, and issues, while the labs reinforce
concepts and provide experience in the use of forensics tools. CIAS Classes |
| ix. IT security certification training |
Certified Information Systems Security Professional (CISSP) - CIAS Site
This 5-day lecture course prepares information security professionals for the CISSP examination.
Lectures cover in detail, the ten security domains required for the CISSP examination. Exam
registration and credential verification are not included in this course.
CompTIA Security + - CIAS Site
This 5-day lecture training course prepares IT/Security professionals for the CompTIA Security+
certification exam. Lectures cover all five examination domains required for the CompTIA Security+
exam in detail. Exam registration is not included in this course. CIAS Classes |
Certified Information Systems Security Professional (CISSP) - Customer Site in Texas - max 20 students.
This 5-day lecture course prepares information security professionals for the CISSP examination.
Lectures cover in detail, the ten security domains required for the CISSP examination. Exam
registration and credential verification are not included in this course.
CompTIA Security + - Customer Site in Texas - max 20 students.
This 5-day lecture training course prepares IT/Security professionals for the CompTIA Security+
certification exam. Lectures cover all five examination domains required for the CompTIA Security+
exam in detail. Exam registration is not included in this course. CIAS Classes |
| xi. Security Policy and Guideline Development |
| Security policies are incorporated with the customer's current policies and honed to fit their unique needs while maintaining any compliance with any regulations and laws that are applicable. ITIL and ISO 20000 standards are used in development of all polices and guidelines. |
