Digital Cyber Support

Overview

  • DataVise provides customized customer support for Data Security
  • DataVise helps customers protect vital internal information
  • DataVise helps customers determine the risk of information compromise
  • DataVise helps customers evaluate possible security controls
  • DataVise helps customers monitor effectiveness of system defenses

Background

The maturity of digital systems has brought massive amounts of sensitive information onto corporate servers and network devices, information which must not be divulged outside the organization.

Stuxnet (an infiltration of an Iranian nuclear plant) demonstrated the ability to wreak havoc within computer-controlled systems. We have since experienced attacks on utility control systems, manufacturing systems, home security systems, and ransom attacks on information systems.

Lack of Standards and Processes

The National Institute of Standards and Technology studied the issue and published findings and recommendations that were adopted and implemented at the Federal Government level, dictating the design, implementation and operational requirements for systems connected to Federal networks. Federal guidance can be found in the NIST 800-xx publications and is encapsulated in the Risk Management Framework (RMF).

As DataVise considered a viable approach to assisting our customers in meeting the challenges presented by cyber security, we found a labyrinth of State, Local and Corporate guidance that was confusing, incomplete and fraught with errors. We chose to operate under the Federal NIST guidance.

Standard Services Provided

Penetration Testing:

Using the standard software readily available to a “State or Industrial Hacker”, we attempt to gain access to the customer network or LAN devices. No information will be altered or destroyed.

Vulnerability Analysis (RMF Report):

Risk Management Framework (RMF) Steps (NIST 800-37)

Step 1: Categorize Information System 

The Information System Owner assigns a security role (critical, non-critical, etc.) to the IT system based on mission and business objectives.

Step 2: Select Security Controls

Security controls are the hardware, software, and technical processes required to fulfill the minimum assurance requirements stated in the risk assessment. Economic and operational considerations limit the implementation of some controls, so no implementation can totally eliminate risk.

Step 3: Implement Security Controls 

The agency should have documented and proven that they have achieved the minimum assurance requirements.

Step 4: Assess Security Controls 

An independent assessor reviews and approves the security controls as implemented to determine the resulting risk mitigation.

Step 5: Authorize Information System (Approval to Operate)

The authorizing authority reviews the authorization package for the risk assessment and risk determination, then submits the authorization decision to all necessary parties.

Step 6: Monitor Security Controls

The agency continues to monitor the current security controls and updates them based on changes to the system or its environment.

Supervisory Control and Data Acquisition System (SCADA) Security:

SCADA provides the proper operation of systems ranging from electric power generation and distribution, and control of a large manufacturing lathe, to traffic signals on local streets. A “State or Industrial Hacker” can gain access at multiple points, including the control computer, the Local Area Network, or a card reader for the parking lot at the remote control location connected to the remote LAN.

Medical systems are a subsystem of general SCADA.

Specialized Systems

Handled on a case-by-case basis.

DataVise is preparing to provide Cybersecurity Maturity Model Certification (CMMC) support.