We work on a wide variety of complex security projects. The following engagements illustrate our solution approaches:
Data Loss Prevention / Enterprise Search: Increasingly, organizations are adding proactive identification of unprotected personal and corporate information (e.g., PII, privileged passwords, intellectual property) to their enterprise risk management programs. Through experience in designing and performing complex searches, KoreLogic has found that a successful search requires far more than simply purchasing a data loss prevention product.
Forensic Capability Maturity Assessment: To counter the risks of today's "open" and inter-connected environments, organizations must have a program established to identify, assess, and respond to computer-based attacks and employee misconduct. A properly defined, implemented, and managed Incident Response Program is a mandatory, extremely cost-effective risk mitigation technique. A key component of an incident response program is an effective and efficient forensic capability. Forensics is essentially the processing of electronic evidence to determine the who, what, where, when, and how. Computer and network forensics must therefore mature to the level at which the discovery, determination, analysis, protection, and presentation of electronic crime evidence meet our legal system's requirements.
Application Security Management Program: Clients have continually had web application security assessments completed by various vendors. They recognize, as many do, that an ongoing program to identify and correct critical vulnerabilities identified by such testing is an integral part of a web application security management program. However, the security robustness of applications varies significantly between different application development groups (both internal and externally sourced). This is exacerbated by the inevitable addition of new developers, project managers, teams, and outsourcing arrangements as a result of acquisitions, new hires, or the price sensitivity of outsourcing contracts. Inevitably, security vulnerabilities discovered during multiple testing efforts become a management and mitigation issue. The basic question becomes: How can we maximize the Return On Investment (ROI) from our application testing program?
Password Audit: As part of a larger yearly security audit for a Fortune 500 company, KoreLogic performed a password complexity audit against 30,000+ hashes taken from an Active Directory domain and a Single Sign On (SSO) environment. Using its proprietary cracking grid, KoreLogic was able to recover 92% of the passwords over an extended period of time. Consequently, the company established password complexity requirements based on KoreLogic's findings and recommendations. This included not allowing users to use recent years, seasons, office locations, or months. Additionally, a list of common "root words" was provided to the client with instructions that they were never to be allowed inside a password regardless of whether the password meets complexity requirements or not. Now, the IT Help Desk explains why the rules were adopted and the importance of strong passwords to all users requesting a password reset. KoreLogic has created the Password Recovery Service as an outgrowth of this work.
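One way to encode the rules that came out of that audit (no recent years, seasons, office locations or months, plus a root-word denylist that applies even when complexity is met), as an added Python example that is not KoreLogic's code. The root-word and office-location lists are constructed placeholders; a real deployment would load the client's own lists.

```python
import re

# Constructed sample rule data, modelled on the audit findings above.
ROOT_WORDS = {"password", "welcome", "summer", "company"}      # placeholder list
OFFICE_LOCATIONS = {"chicago", "dallas", "london"}             # placeholder list
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Undo common digit/symbol substitutions so "Summ3r" still matches "summer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
RECENT_YEAR = re.compile(r"(19|20)\d{2}")


def meets_complexity(pw: str) -> bool:
    """Classic complexity rule: at least 8 characters and 3 of 4 character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3


def banned_terms(pw: str) -> list[str]:
    """Return every banned term found anywhere inside the password, after case
    folding and reversing leet substitutions; years are checked on the raw string
    because the substitution table would mangle the digits."""
    norm = pw.lower().translate(LEET)
    denylist = ROOT_WORDS | OFFICE_LOCATIONS | MONTHS | SEASONS
    found = [w for w in sorted(denylist) if w in norm]
    if RECENT_YEAR.search(pw):
        found.append("year")
    return found


def check_password(pw: str) -> tuple[bool, list[str]]:
    """Accept only if complexity holds AND no banned term is present. The
    denylist is applied regardless of complexity, as the audit recommended."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("complexity")
    reasons.extend(banned_terms(pw))
    return (not reasons, reasons)
```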
Merger and Acquisition Due Diligence: While the security posture of an acquisition target is unlikely to influence management's decision to acquire the firm, an acquisition creates both opportunities and risks for the acquiring company. Several common issues that must be considered include:
Risk: How to securely and quickly interconnect/integrate the two firms while still protecting the combined information assets and business processes? By connecting the two firms, the acquirer potentially expands its network perimeter to include that of its acquisition.
Risk: Employees or affiliates of the acquired firm become internal users, increasing their ability to harm company assets, particularly if they are disgruntled about the acquisition and are privileged IT users.
Opportunity: Identify and help retain talented security staff and best practices within the acquired firm.
Enterprise Resource Planning (ERP) Security Assessment: SAP, PeopleSoft, and Oracle security testing services continue to be in demand from various Fortune 500 and other large firms. This case study is representative of our ERP testing services.
Application Development (KRAD): We develop custom software that solves difficult information security problems not met by existing solutions. In the security R&D space, we have advanced the state of the art in:
- source code repository integrity monitoring (DARPA - Defense Advanced Research Projects Agency)
- malware analytic framework (DARPA)
- forensic digital file carving (Digital Forensics Research Conference)
For our Fortune 500 clients we have developed:
- an enterprise search architecture as part of a data breach response
- a password cracking grid to support incident response and regulatory compliance
- a firewall services inventory tool to support energy sector regulatory compliance
- many custom solutions to support unique information security needs
The following are representative samples of our record of continued results:
Web Application Disassembly: A prominent financial institution requested a review of their online banking web application. Ironically, just weeks before the review, another Internet security firm had performed an assessment and had given the client high marks for security. The client had even been given a plaque to display in their lobby and a seal of approval for their website. The team reviewed the web application and subsequently identified several high-risk vulnerabilities, including the ability to access customer accounts, view financial histories, and transfer funds.
Fortune 500 Financial Services Firm - Incident Response: While on-site performing other security services, the client asked KoreLogic staff to provide ad hoc incident response to a customer-impacting malware attack. KoreLogic's team immediately collaborated with offsite KoreLogic team members who, within 4 hours, had reverse engineered the trojan malware and provided the client clean-up instructions. The client's anti-virus vendor was not able to respond until 12 hours later and still did not provide a clean-up approach. "The teamwork between us and KoreLogic was amazing" - Security Manager and Incident Response Leader.
Fortune 500 Telecommunications Firm - Mobile Service Security Assessment: Following extensive security assessment work, including threat modeling, source code analysis, and infrastructure penetration testing performed by the client's other security vendors, KoreLogic was asked to perform a final pre-production security assessment of a new mobile service. Drawing on its extensive mobile security testing experience, KoreLogic tested the mobile devices, application servers, mobile web applications, mobile device-to-server communications, and the hosting vendor's infrastructure. KoreLogic's testing revealed numerous high- and medium-risk vulnerabilities that had previously been missed by other vendors. KoreLogic provided mitigation steps for each vulnerability found and supported the client in briefing affected vendors and service providers.
Fortune 500 Mobile Services Provider - Malware Response and Forensics: A laptop was compromised while the client's employee was browsing a company-sponsored health website. The employee clicked on a link to a malicious site, which downloaded malware that created a reverse tunnel to a Russian website and installed a malicious program. As part of its retainer-based support of the client, KoreLogic provided on-site incident response and forensics support, including blocking the malicious site, malware reverse engineering, forensic examination and documentation of the laptop, verification that the malware was contained and removed, and mitigation of the vulnerabilities that allowed the attack.
Department of Defense Agency - Compliance Verification: The Agency asked for KoreLogic's support in meeting an urgent compliance request to verify that no Agency systems contained files with certain suspect MD5 hashes. KoreLogic designed a rapid response plan that leveraged the use of a KoreLogic-sponsored forensic tool (FTimes), which allowed the Agency to verify compliance in one day. Other agencies that faced the same requirement spent weeks before achieving required compliance.
Financial Services Firm - Intrusion Analysis: KoreLogic was asked to assess the impact of a successful compromise of the client's systems that hosted personally identifiable financial data. The client, a California business, was concerned about addressing the breach and its responsibilities under the SB1386 law, which requires protection and notification. KoreLogic performed a forensic analysis to determine the scope of the intrusion and provided recommendations to help prevent a recurrence of the incident. KoreLogic also provided suggestions to the client on how to communicate the incident to its customers.
Enterprise Systems Audit: A large ISP retained the team to assess the security of their heterogeneous server environment. The objective of the assessment was to identify vulnerabilities, configuration errors, and their root causes. Network-based assessments had always yielded an incomplete picture because, in most cases, they are unable to examine the internal configurations of the systems being scanned. For this reason, the team elected to use custom harvesting tools and a WebJob framework to systematically inspect and harvest security information, giving an in-depth view of the systems' security posture. The end result was a wealth of information that was used to identify, prioritize, and mitigate the vulnerabilities and configuration errors found.