Assessments

During this phase, Abacode performs a comprehensive assessment of the organization. This assessment might include: a penetration test, web vulnerability assessment, policy and procedures review, information security controls check, and security technology configuration review. Once the assessment is complete, our client will receive a detailed report of findings and recommendations that help drive the next stage, Remediation of Findings.

The findings and recommendations identified in the Assessment Report are prioritized so the organization may implement those of highest impact first. Budget considerations along with internal resource constraints often play a role on how quickly findings are corrected. In some cases, the organization has to accept the risk posed by a finding due to a lack of resources. Often, the organization is required to engage a third party company to help with remediation, and Abacode can assist with this process as well.

Penetration Tests

A Penetration Test helps our clients determine how effectively the implemented security technology, policies, and controls can prevent the intrusion of determined, ethical hackers. Organizations with the highest level of cybersecurity readiness perform penetration testing exercises regularly, typically once a year, in order to assess security in the ever changing infrastructure and threat landscape. As new devices, systems, applications, and solutions are adopted by the organization, new vulnerabilities and risks are introduced which must then be handled.

During the Penetration Test, the Cybersecurity Team utilizes the “red team” approach in which Abacode operates as an outsider trying to breach the organization. In other instances, the Cybersecurity Team applies a “blue team” approach to assess the vulnerabilities in collaboration with the organization’s staff. The outcome of the Penetration Testing effort is a formal report of findings and recommendations generated from the exercise that will help our clients raise their readiness level.

Internal Network Vulnerability Scans

Abacode’s Security Operations Center (SOC) team performs monthly vulnerability scans to detect issues such as missing patches, malware, enabled services that should be disabled, open ports, and unauthorized software, among others. The outcome of these vulnerability scans is presented to our client in an actionable report that summarizes and prioritizes the findings and provides corrective recommendations.

Abacode’s SOC also generates weekly reports summarizing the level of activity, events, and alarms addressed during the week. Included are listings of malicious IP addresses targeting the organization so those IP addresses can be blocked by the firewall. A summary of these weekly activity reports is then included in the monthly vulnerability report.

Information Security and Governance

The implementation of an Information Security Management (ISM) program shows a high-level of commitment of the organization to keeping the top most cybersecurity readiness. Organizations in highly regulated markets are required to comply with standards such as HIPAA and PCI DSS that involve information security governance efforts.

Abacode believes that ISM programs such as the NIST Framework and ISO 27001, when properly implemented and executed, are critical to keeping an organization safe. Such programs define a set of controls that incrementally reduce the risk of breach.

Abacode can help your organization select the ISM standard that best suits your needs and work with your staff to implement the ISM controls at a pace your organization can digest.

Leadership and Staff Training

The efficacy of social engineering means that in the midst of robust cybersecurity tools, humans remain the weakest link. The most effective way to mitigate the cyber risk exposure introduced by employees, partners, and vendors is through training. Abacode provides training tailored both to the leadership of the organization and the general staff.

Human factor controls must be tracked and audited to ensure that policies and procedures are followed by the staff and validate that implemented technological controls are functioning properly.

Every member of the organization is critical to the success of the implementation of cybersecurity policies and procedures. Staff members should be empowered to fulfill their cybersecurity roles and responsibilities and be vigilant and careful in the utilization of the organization’s assets. Furthermore, as today’s cybersecurity paradigm is assumption of breach, it is imperative that the organization’s team members at all levels understand their responsibilities in reporting incidents if and when they occur, and which reporting mechanisms to use.

Lastly, cybersecurity training must be reinforced regularly to keep the staff up-to-date on recent threats, keep their level of awareness high, and cybersecurity responsibilities fresh in their minds.

ISO 27000 Information Security Management

International standards such as ISO 27000 are strategic tools and guidelines to help organizations tackle some of the most demanding challenges of modern business. These standards ensure that organizational operations are as efficient as possible, increase productivity and customer satisfaction, and help organizations access new markets. ISO standards aid in cutting costs through improved systems and processes, improving safety and quality, ensuring compatibility of products and services, and reducing their impact on the environment.

The implementation of an Information Security Management (ISM) program shows a high level of commitment by the organization to cybersecurity readiness. Furthermore, organizations in highly regulated markets are required to comply with standards such as HIPAA and PCI DSS that involve information security governance efforts.

Abacode believes that ISM programs such as the NIST Framework and ISO 27001, when properly implemented and executed, are critical in keeping an organization safe. These standards define a set of controls that each incrementally reduce the risk of breach. Abacode can help each organization select the ISM standard that best suits organizational needs and work with the staff to implement the ISM controls at a pace the organization can digest.

Web Application Vulnerability Scans

Similar to Penetration Testing, during the Website/ Web Application Vulnerability Assessment, a team of ethical hackers will attempt to compromise the target website or web application. Typically, the first step is to run a series of scans and tools that identify open ports, active services, and vulnerabilities that malicious hackers could exploit. Abacode’s ethical hackers then utilize the gathered intelligence to try to compromise the website or web app. Misconfigurations, third party plugins/ tools, and poorly written code introduce vulnerabilities imperceptible to the non-cybersecurity expert but exploitable by hackers.

Abacode highly recommends that websites and web apps are assessed for cybersecurity readiness prior to going into production plus with every major release, particularly when these assets handle transactional and/or sensitive data. Even informational corporate websites should be scanned and tested as any compromise of such websites pose a threat to the organization’s online brand and reputation.

Forensic Investigations

Cyber incidents, or data breaches must be investigated in a timely fashion for the highest probability of finding the root cause of the event.

Abacode is prepared to help you execute your incidence response by performing a full forensic investigation, following the silver platter approach required by the Department of Justice for prosecution. Our forensic investigations are performed under the directive and supervision of a licensed private investigator, as is required by most states. If necessary, all evidence, findings, reports, and documentation may be handed over to authorities for prosecution and may be admissible in a court of law.

Abacode can work with your legal advisors, insurance company, and executive team to assess the extent of an incident, the timing of the event, and to discover if there are notification requirements. Abacode performs these investigations under the strictest level of confidentiality in direct and exclusive communication with the organization contracting the services.

24/7 IT Infrastructure and Device Monitoring

Cybercriminal organizations have an unfair advantage over their victims, particularly those not actively monitoring their IT infrastructure and network. Without monitoring, a cybercriminal can operate undetected while progressing towards compromising and breaching the network of the unsuspecting victim.

Technology alone cannot stop hackers, and it is important to differentiate between software that enables the detection of unauthorized activity, and a full monitoring solution which includes hardware, software, and professional staff to constantly combat cyber-crime. Abacode’s Cyber Lorica is that solution.

With our configuration, operation, and diligent maintenance, our monitoring platform will enable the organization to detect and deter attacks. Monitoring requires human intelligence and human decision making to analyze the attacks and determine the proper course of action or response to protect the organization.

Abacode’s Security Operations Center (SOC) team monitors the events and alarms generated by the Cyber Lorica console, 24 hours a day, 7 days a week. Our TIER 1 cybersecurity professionals are constantly observing our alarms and events console to analyze alarms as soon as they arise. The Abacode team can internally escalate the alarm to the TIER 2 and/or TIER 3 support team members to decide if a client escalation is required, and to determine the recommended corrective action. If an alarm requires escalation to the client, specific preset protocol is followed.

ISO/IEC 27001:2013

ISO/IEC 27001:2013 is an auditable international standard that formally outlines requirements for an Information Security Management System (ISMS) to help protect and secure an organization’s data.

EU-U.S. Privacy Shield Framework

Certified under the EU-U.S. Privacy Shield Framework.

SOC 3 Type 2

This Trust Services Report is designed to meet the needs of Abacode customers that want assurance about Abacode controls related to security and availability but do not need the level of detail provided in a SOC 2 Report.