Information that could compromise your cyber security posture

The open government data movement began fully maturing in early 2009, at a time when governments and society began to truly realize the value of government data, and open standards were taking root as drivers of innovation. The thrust of this movement was to identify all valuable government data sets and to require agencies to make them available to the public, at no cost, in open-standard formats that ordinary citizens and enterprises could easily access and leverage.

These key principles were enshrined in the Data.gov initiative, established in May 2009 by the then-Federal Chief Information Officer (CIO) of the United States. Ten years later, Data.gov still serves to provide public access to high-value, machine-readable datasets generated by the Executive Branch of the Federal Government, creating the first publicly available repository for federal, state, local, and tribal government information.

In our attempt to be transparent and share information with all stakeholders, we sometimes inadvertently share sensitive information that could compromise the cyber security posture of the organization.


Why is CMMI Level 3 Relevant for Cybersecurity?

Maturity models have been around for more than three decades, dating back to the 1980s. The original intent of the Capability Maturity Model (CMM) was to assess the processes of United States Department of Defense (DoD) contractors. The success of the software projects was measured using the CMM measurements. Higher maturity scores were equivalent to better processes. Higher scores also meant that the contractors used established and reputable processes and best practices for software design, development and quality assurance.

The context in which the term ‘maturity’ was used had special significance. It was used in reference to specific aspects of the assessment, where the level of organization and optimization of each operation could range from ad hoc to formal. Because CMM’s initial focus was particularly aimed at improving the software development process, its scope and application were very limited. For this reason, the Software Engineering Institute (SEI) at Carnegie Mellon University revised it. It then became known as the Capability Maturity Model Integration (CMMI). This new framework superseded the original CMM in scope.

The extended scope of CMMI now allows it to have a footprint in multiple disciplines. These include Information and Communication Technology (ICT), business process management, service management, civil engineering, manufacturing and cybersecurity.


Anatomy of the SolarWinds Breach

There are many entities throughout the world that use third-party software as part of their business. When they do this, the service they receive forms part of the supply chain of the company. SolarWinds is a key vendor: 33,000+ of the world’s companies and government entities use its software. The 22-year-old US-based company supplies system management tools that are used by the IT professionals within these organizations. The tools are responsible for a number of important services including software management, application monitoring, network configuration, etc. The Orion suite in particular is SolarWinds’ most widely deployed network management system. It is used to manage and monitor the network infrastructure of the host company. To do its job effectively, the Orion suite needs absolute visibility of the company’s diverse set of network technologies. For this reason, it is common practice for network administrators to configure SolarWinds Orion with extensive privileges, consequently making it the perfect target for threat actors. On December 13th, 2020, it was discovered that the Orion software suite was infected with the malicious software called Sunburst.


Mobile Security

The Magnus team has managed the Mobile Security posture of federal agencies from both a policy management / device management (Mobile Device Management) perspective and a mobile application vetting perspective. Magnus engineers have worked extensively with The Lookout and IBM MaaS 360 tool suites to deliver this service.

In a recent case study, our Mobile Security engineering team is responsible for mobile secure communications and monitoring of security technologies of 10,000+ devices and has tested and vetted hundreds of applications on both the iPhone and Android platforms. This includes configuration management, application IT security, identity and access management, device management, log analysis, storage management, and remote access for all devices managed.

In addition, Magnus Digital Forensic Engineers have the knowledge and subject matter expertise to provide detailed reports to management to reveal what occurred to bring a device under the umbrella of a forensic investigation. In cases where an Executive Summary is needed for VIP or senior level management, MAGNUS Forensic Engineers have the ability to present the details in a manner that is easily digestible for senior management. In the instance where a deep technical description is needed, MAGNUS Forensic Engineers have the knowledge and experience to present the findings in a detailed manner. As forensic investigations and e-discovery become more important in the government, corporate, and private sectors, MAGNUS Engineers continue to stay up to date with processes, challenges, new tools, and changes as they come about.

Operations Management

MAGNUS Operations Management offers our clients the full range of consulting services. These services include:

  1. Development of Operations Strategy concepts,
  2. Product and Service Management,
  3. Service Delivery & Support,
  4. Integration Management,
  5. IT Management.

Additionally, by combining our functional Operations Management competencies with specific industry knowledge, we are able to serve our clients with customized approaches that respond best to their specific requirements and needs. A great deal of our focus is on the efficiency and effectiveness of processes. Therefore, MAGNUS Operations Management consulting often includes substantial measurement and analysis of internal processes.

Program Management

Magnus has a proven record of successful support for CIOs and PM staff through: task area performance monitoring; program analysis and management; implementation of process improvement initiatives; and making information management efficient, uniform, accessible, and secure.

We perform the types of work called for in Performance Work Statements throughout our IT portfolios and provide service management to our clients as they request it – benchmarking our projects from inception to closeout through detailed Project/Task Order Management Plans (PMPs). Our core specialties are project management and technical support for IT application and business systems, software development (including Agile), documentation, reviews, assessments, system architecture analysis, and recommendations on enterprise architectures. Portfolio Management, IT Governance, and objective IT alignment (budgets, objectives, mission, etc.) are conducted in our PMO.

We support our clients in the Investment Review Board and IT Executive Council decision-making process and provide cost and financial analysis to their portfolios, including benefits realization techniques. We provide IT Milestone Reviews and IT Portfolio Management training as well as OMB Budget Submission support, including budget data, earned value and monthly submission data, pass-back, and ad-hoc data requests. All of these services are provided in the federal IT environment.

Our approach to comprehensive and effective project management is described below:

  1. Strong Program Management based on PMBOK best practices, which provides an effective way to develop and coordinate requirements, manage the project risks, and manage the resources that ultimately make the project successful.
  2. A Risk Management Plan (RMP) to identify risks throughout task execution, monitor activities for potential risks, mitigate risks, and develop contingency plans should those risks come to fruition.
  3. A highly skilled, stable, security-conscious, and multi-functional workforce with a strong team ethic to partner with our clients and work towards a shared goal.
  4. A Change Management process that helps the organizations, both Federal and Contractor staff, to embrace change in a positive manner.
  5. Customer Surveys as a tool to assess stakeholders’ views on the parameters of service delivery, including quality, timeliness, and efficiency. The survey results are used in Continual Service Improvement (CSI), which is one of the ITIL processes.
  6. A training program to improve the education and the professionalism of the workforce.
  7. Clear dispute resolution processes and procedures regarding the recording, reporting, scoring, and reviewing of performance.

Cyber Management Services

MAGNUS emphasizes quality, service, and intellect while employing cutting-edge technologies to keep clients ahead of the curve. Its strong business values and tested best practices, coupled with a creative technological edge, ensure that it delivers expert consulting services in the areas of Information Security Management, Project Management, and Operation Management.

Cyber Project Management

MAGNUS Project Management provides expert consulting services in principles described by the Project Management Body of Knowledge (PMBOK).

Hence, we apply the five processes (Initiation, Planning, Execution, Controlling, Closing) and the nine knowledge areas (Project Integration Management, Project Scope Management, Project Time Management, Project Cost Management, Project Quality Management, Project Human Resource Management, Project Communications Management, Project Risk Management, Project Procurement Management) to all aspects of each client’s needs.

Cyber Operations Management

MAGNUS Operations Management offers our clients the full range of consulting services. These services include the development of Operations Strategy concepts, Product and Service Management, Service Delivery & Support, Integration and IT Management.

Additionally, by combining our functional Operations Management competencies with specific industry knowledge, we are able to serve our clients with customized approaches that respond best to their specific requirements and needs. A great deal of our focus is on the efficiency and effectiveness of processes. Therefore, MAGNUS Operations Management consulting often includes substantial measurement and analysis of internal processes.

Security Management

MAGNUS Security Management offers our clients a full range of security consulting services tailored specifically to their requirements.

MAGNUS Consultants are considered subject matter experts in the aforementioned functional areas and are actively involved with the design, development, procurement and implementation of Information Security solutions.

These services include:

  • Certification & Accreditation
  • Security Architecture
  • Risk Analysis and Assessments
  • Security Policy and Processes
  • System Auditing
  • Security Testing and Evaluation
  • Disaster Recovery Planning
  • Contingency Planning
  • Vulnerability Assessments
  • Penetration Testing
  • Physical Security Survey
  • Security Program Management

Proactive Cyber Security

Hard problems stay solved with MAGNUS. We work diligently and collaboratively with our customers to provide a variety of proactive security assessments and safeguards.

This is a landscape, like many, that is constantly changing. That’s why it’s absolutely critical to choose a security partner constantly on the leading edge, always a step ahead of our customers and potential threats to their operations. That’s exactly what we do at MAGNUS.

Our team performs the full range of proactive assessments and simulations to keep our customers’ informational assets secure – across cloud, mobile or on-premise. Our team of experts works on behalf of customers in the federal government and in the commercial arena alike. These projects involve, for example, preemptively securing thousands of devices, successfully defending against millions of attacks, and performing hundreds of vulnerability assessments.

Additionally, we have developed a compliance assurance model that ensures our customers are safe from not only malicious threats, but threats to their ability to operate due to an unknown or unforeseen compliance issue.

Customers Turn to Us For:

  • Technical Security Assessment
  • Investigations
  • Digital Forensics
  • Application Security
  • Penetration Testing
  • Exploitation Analysis
  • Social Engineering
  • Mobile Device Security

Security Operations Center (SOC)

You’re securely up and running. We keep it that way. The MAGNUS team provides the full suite of security operations center services, drawing on years of experience in high-profile, high-stakes environments.

We offer our customers the full range of security operations center services. Whether we’ve built the system or have been engaged to manage it, we successfully and effectively meet our customers’ needs – and then some.

We ensure their applications, databases, servers, networks and other endpoints are secure. We perform continuous monitoring and assessment. But that’s table stakes. We go beyond the traditional SOC engagement to develop strategies and program management protocols that enhance our customers’ SOC objectives.

We measure and analyze – all the time – to ensure continuous improvement. We combine leading-edge industry knowledge and emerging techniques to keep our customers not only secure but aware and on offense. We customize our approach in line with specific requirements and needs. We’re agile, nimble and flexible; we’re also smart, fast and good.

Customers Turn to Us For:

  • Security Program Management
  • Security Awareness & Education
  • System Authorization
  • Agile Security Awareness
  • Cyber Threat Intelligence & Analysis
  • Defense Posture Assessment
  • Incident Detection & Response
  • Insider Threat Prevention & Detection

Digital Forensics

Magnus has had a Digital Forensics Practice since 2017, when we started supporting a premier Federal Law Enforcement Agency with its investigations into mobile devices. Initially this was done under the umbrella of our Cyber Security practice; however, it was soon determined that this was a unique area with a need for focused skillsets and knowledge of specific tools.

Our Digital Forensics practice today supports Law Enforcement Agencies with their Collection, Examination, Analysis and Reporting of data for Mobile, Tablet, Vehicle GPS, IoT and Drone Investigations. Our digital forensics practitioners have a wide variety of tools in their kit, which gives you a sense of the sorts of tasks they can complete:

  • Disk and data capture tools
  • File viewers
  • File analysis tools
  • Registry analysis tools
  • Internet analysis tools
  • Email analysis tools
  • Mobile devices analysis tools

The process models our digital forensics practitioners use can vary; however, the four basic steps are below:

  1. Collection, in which digital evidence is acquired. This often involves seizing physical assets, like computers, phones or hard drives; care must be taken to ensure that no data is damaged or lost. Storage media may be copied or imaged at this stage in order to keep the original in a pristine state for reference.
  2. Examination, in which various methods are used to identify and extract data. This step can be divided into preparation, extraction and identification. An important decision to make at this stage is whether to deal with a system that’s live or dead.
  3. Analysis, in which the data that’s been gathered is used to prove or disprove the case being built by investigators. For each relevant data item, investigators will answer the basic questions about it — who created it? who edited it? how was it created? when did this all happen? — and attempt to determine how it relates to the case.
  4. Reporting, in which the data and analysis are synthesized into a format that can be understood by stakeholders. Being able to create such reports is an absolutely crucial skill in digital forensics.