This is the topic "An article about network security!" in the "Software Usage" forum of the 20CN Network Security Group first-generation forum.


To view this topic, use this URL:
http://www.20cn.net/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic;f=7;t=000301

罗马剑客 (ID: 1207) posted on:
 
Security


Congratulations on embarking on an I-Net project. Like any other business goal you are addressing, the complete solution to your current needs will cut across many areas. These may include business processes, corporate policies, network architecture, and others. As part of HomeCom’s complete offering, we assist you in addressing the information security aspects of all these areas.

Whether a company is allowing a sales force remote access to internal databases, enhancing its customer service with online options, or even making simple online commercial transactions, the time to assess security needs and manage risk is now. With increasing connectivity to new and existing business applications and information resources, responsible information risk management has become critical to business success.

Executive managers have come to expect a rapid return on Internet investment. The challenge is to meet that expectation within an acceptable level of risk. The speed of the Internet revolution has created a resource gap in the ability of organizations to effectively understand the full range of risks involved, and to successfully use that information to manage their information security activities. As such, integrated information security controls and management are often beyond the reach of many organizations.

Information security is a complex blend of technology, people, and process. HomeCom Internet Security Services’ flexible assessment methodology is tuned to your specific requirements to provide results that you can directly use. By including people and culture as critical parts of your information infrastructure, we effectively analyze the entire range of risks in your environment to provide appropriate recommendations and knowledge transfer.

HomeCom understands today's cutting-edge security technology, and we take the time and effort to understand your business model, vision, and corporate culture when recommending future directions. By using a proven approach to addressing business problems with information security solutions, we perform the enterprise architecture and engineering, audit and assessment, policy and procedure development, and technology integration you need to field successful business solutions.

The HomeCom Approach
Environment Survey
Description: A security survey of your information infrastructure, supporting policies, and reporting hierarchy, based on current and future business goals.

Needed: When significant new capability is being added (e.g., Internet connection or remote access), the security architecture must be significantly altered, existing environments must be integrated (e.g., corporate merger), internal audit resources are in short supply, or an outside opinion is desirable or required.

Benefits: Provides vital decision making information, including security requirements and high-level risks, applicable threats, existing policy and procedure security controls, and high-level vulnerabilities, and pinpoints areas requiring detailed assessment.
Information Asset Analysis

Description: Documentation of the information assets in the targeted environment and analysis of their specific protection needs.

Needed: When business growth or internal application development has outpaced the resources of internal groups responsible for asset auditing and protection.

Benefits: Allows effective risk analysis and efficient use of protection resources through identification of specific data security requirements for information assets, qualitative evaluation of asset value, and identification of existing technical security controls.
Technical Risk Assessment
Description: A technical analysis of the exposure of your information infrastructure to internal and external threats.

Needed: Periodically to ensure that the overall security programs are resulting in an appropriately secure infrastructure. Often out-sourced when an unbiased third-party opinion is required or the technology involved is beyond the current assessment capabilities of internal groups (e.g., resources, technical depth, response time, etc.).

Benefits: Produces the information that executive managers need to make good business decisions on protecting the information infrastructure, including information on technical vulnerabilities, possible root causes, and recommendations which allow immediate progress on the integration of additional controls to mitigate risks and meet due diligence and other requirements.
Internet Vulnerability Assessment
Description: A technical vulnerability analysis on a specific set of IP devices to provide a hacker's-eye view of your Internet connectivity.

Needed: Periodically to ensure that controls on externally-visible devices have kept pace with the penetration tools and methods available to the hacker community. A similar assessment should also be conducted on high-value internal devices to help mitigate risks from internal threats (e.g., disgruntled employees).

Benefits: Confidence that Internet and Intranet connectivity is being accomplished with acceptable and appropriate risk.
Policy and Procedure Development
Description: Detailed security policies, guidelines, standards, and procedures as part of the overall system of security controls.

Needed: To have a successful security program. Requires updating when an organization has experienced significant growth in information technology functionality and capability (e.g., Internet connection), existing organizations must merge, an environment requires these additional controls to mitigate risk (e.g., liability from lack of policy, mishandling sensitive data, etc.), and periodically due to a change in threats and risks.

Benefits: Meets due diligence requirements, establishes responsibility for security enforcement, increases awareness of security issues, provides guidance on future development, deters internal hacking, and simplifies decisions about system changes.
Security Architecture Development
Description: A developed security architecture, security policy, and security procedure infrastructure.

Needed: When one or more significant new functionalities are being introduced (e.g., additional internal or external connectivity, new network applications, consolidation of resources, etc.) and detailed technical planning is required in advance to satisfy management criteria (e.g., for funding), IS department criteria (e.g., single integrated upgrade plan), and internal audit criteria (e.g., gain an understanding of the controls in the new environment).

Benefits: Provides a road map for safe infrastructure deployment by focusing on future plans and needs, effective and efficient planning and execution, and integration of new security functionality without unacceptable impact on overall security posture.
Security Effectiveness Programs
Monthly Retainer Service
Provides you and your staff with up-to-date information on security issues directly affecting your specific business and security architecture.

Periodic Vulnerability Assessment Scan of Environment
Ensures that security controls on network devices are keeping pace with the penetration tools and methods available to the hacker community (both outside and inside your organization).

Information Security Awareness
Gives users an understanding of basic security practices and risks and gives IS staff an understanding of a robust security engineering process, enabling them to effectively protect corporate information assets.

HomeCom Internet Security Services Brief Case Studies
Information security is a perpetual cycle of assessment and implementation increasing in complexity as organizational connectivity and data sharing grows. HomeCom Internet Security Services provides information security consultation and implementation support to organizations requiring safe and productive use of the Internet and corporate intranets. The following case studies provide examples of the support HomeCom has provided to its customers.
On-line Stock Trader
A firm with an existing automated stock-trading system, implemented using both a telephone Interactive Voice Response (IVR) system and a private dial-in, wished to integrate a web-based interface to their stock trading system without unacceptably increasing their level of risk. The existing system was completely isolated from the Internet and had limited connectivity to several organizations. It had been audited several times and security was considered good. Using a requirements analysis provided by the customer, HomeCom developed a Security Architecture, implemented a customer-friendly web front-end to the existing transaction server, and installed a firewall. HomeCom also developed a complete information security policy document and provided guidance in the creation of specific security-relevant procedures. The firm is now offering a state-of-the-art Internet-based system while maintaining their high level of security.
Top 5 Bank
One of the world’s largest banks developed a new web-based architecture for employees, partners, and customers. Basing their architecture on existing requirements and security analyses, the bank’s executive staff needed an outside review by a firm with expertise in sophisticated Internet-based authentication and security systems. Because of our experience with encryption and authentication infrastructures, HomeCom was retained to perform a Technical Risk Assessment of the bank’s security architecture, and provide recommendations and an executive-level summary.
Regional Credit Union
A credit union required Internet connectivity for e-mail, a simple Internet web server, and web access for their employees. Based upon their requirements, HomeCom recommended the installation of a firewall, and placement of a hardened web server outside of the firewall. HomeCom installed the firewall, provided details on hardening the web server, and configured DNS, routing, and SMTP mail, providing the organization safe and reliable Internet connectivity.
Software Product and Services Company
A large provider of hospital automation products and services was facing competitive pressure to increase customer care and reduce costs. HomeCom was engaged to provide a thorough requirements analysis and to develop an overall security architecture to use a private IP network to securely connect to its many hospital clients and to the Internet. The private IP network costs were significantly less than the former long distance modem calls, provided faster throughput, enabled the company’s east and west coast offices to consolidate network infrastructure and increase customer coverage, and enabled them to deploy a customer care web site which increased customer satisfaction.
Web Farm
A web hosting service had grown rapidly and organically without comprehensively or methodically addressing security. The high degree of network connectivity required by this firm’s clients and employees left it vulnerable to network attacks. HomeCom interviewed corporate staff and performed automated vulnerability scans, and also provided an Environment Survey, an Asset Analysis, and a Risk Assessment. The recommended Security Architecture supported the twin goals of safely maintaining a high level of customer service and web host security, while still allowing employees full access to the Internet.
$20 Billion Retailer
A major retail chain wished to expand its Internet connectivity. Concern about the security implications of this new service led to a desire to examine their total security posture, including the store environment, the central data processing site, their partner connectivity, and remote access. Although the firm rarely uses outside consultants, and does all of their own application development, they wanted an objective evaluation of their security posture and they lacked the in-house expertise to design an Internet-ready security architecture. HomeCom met with company executives, IS staff, and system users, and made site visits to the central data processing facility and representative stores, conducting both interviews and automated security scans. Correlating data from each of these activities, HomeCom provided an Environment Survey and Technical Risk Assessment, developed a Security Architecture allowing access by employees traveling throughout the world, and suggested the implementation of new policies and procedures. After briefing the results to the executive staff, the IS budget was immediately increased to support upgraded security functionality.
Global Decision Support System
A global organization is implementing a worldwide private network used to provide decision support. Pressure to complete the project as quickly as possible encouraged developers to postpone decisions about security. HomeCom staff reviewed thousands of pages of system documentation and provided hands-on testing of Unix hosts and the intranet, discovering significant security weaknesses. HomeCom security consultants developed a business case allowing the customer to justify the development of new security policies and the improvement of host and network configuration. Implementation of these security improvements allowed the organization to continue to field and use its decision support system without a significant security breach.
Major Airline
A large global airline is deploying intranet kiosks to serve its nomadic employee population of nearly 100,000 with point and click web access to HR, scheduling, and other sensitive airline information at 80 airports around the world. HomeCom is developing web-based single sign-on to allow authentication of employees across multiple web servers. HomeCom is also creating an LDAP-based directory server in conjunction with this effort, to facilitate future deployment of certificates and strong authentication.
Corporate Intranet
A consumer goods manufacturer had virtually no tangible assets; it leased equipment and buildings and subcontracted product manufacturing, warehousing, and distribution. The company’s most valuable assets were the designs constructed using various software packages and stored on a file server. The building housing the server was located behind a large security fence, was monitored 24x7 by cameras and guards, required physical tokens for entry, and had a restricted access list. The file servers and design platforms, however, were visible from any part of the company’s global intranet. A Technical Risk Assessment revealed that these machines contained numerous vulnerabilities and configuration errors, easily allowing access to the company’s most valuable asset by any internal user anywhere in the world. HomeCom provided network reengineering and system configuration guidance which allowed these systems to remain useful in a global information sharing environment, but secure against internal hacking.

A large industrial manufacturer was deploying intranet applications and desired to publish best practices guidelines for their developers for use in product selection and implementation. HomeCom was engaged to develop a series of handbooks on how to securely deploy intranet applications. These guidelines cover topics such as identification and authentication, confidentiality, non-repudiation, access control, integrity, and how specific products implement each of these security features.
Internet Connectivity
Many firms have looked to HomeCom to provide assistance with secure implementation of new Internet-related capability, including:

An industrial manufacturer had several people in its network security department, underwent periodic information security audits, had adequate policies and procedures, and had the backing of executive management for expenditures for network security. Even with these excellent resources, they engaged HomeCom for a periodic unbiased sanity check of their current posture and near-term plans for expanded Internet connectivity. Later, after an acquisition of a new company, we were asked to assess the new acquisition’s Internet visible vulnerabilities and provided information on system vulnerabilities that allowed for progress in merging the company’s networks.
A regional bank out-sourced hosting of many of its Internet banking applications. The terms of the contracts were unclear on responsibility for host security, but allowed the bank to conduct security assessments of the web servers. HomeCom discovered a web server vulnerability that allowed unauthorized web page modifications, and was engaged to periodically ensure that the third-party hosting arrangements are operating in a secure fashion.
A high-end hosting service was seeking a market discriminator. HomeCom was engaged to provide an NCSA Web Site Certification, and to also apply a rigorous assessment process to the entire hosting environment. In this way, HomeCom was able to certify that the processes that resulted in the current secure environment were both sufficient and repeatable, allowing for growth and system upgrade without compromising security.
A large engineering services firm in the nuclear power industry was concerned about inappropriate use of the Internet by its employees. HomeCom recommended and installed web and e-mail content management and monitoring tools to enable the organization to effectively measure the amount and appropriateness of Internet use.
A leading software company with international sales offices desired to securely use the Internet for inter-office communications of sensitive information. HomeCom recommended and integrated firewalls with virtual private networking. Later this company desired to begin selling their software over the Internet and HomeCom was engaged to design and build a successful E-Commerce site for them.
A global oil company was concerned that its internal assets were overly exposed to the Internet and hired HomeCom to scan their network for vulnerabilities from the Internet.
A large international Internet Service Provider (ISP) offers a managed firewall service. To assure its customers that the Internet boundary protection managed service has been properly installed and is currently being properly managed, HomeCom has been retained to provide periodic vulnerability scanning and to provide the unedited results to the end customer.
A Federal Credit Union was deploying web-based access for its members to access their accounts on-line. HomeCom was engaged to perform a pre-audit and then an NCSA Web Site Certification to satisfy the FCU Board’s due diligence requirements.
A regional banking data center was deploying Internet banking for many of its 40 bank customers. HomeCom was engaged to perform an NCSA Web Site Certification and an on-going surveillance program of periodic scanning over the Internet.
 


落寞 (ID: 3143) posted on:
 
Buddy, your English is pretty good. How did you learn it?

In this life of mine, what can I accomplish?
 
老刀把子 (ID: 2797) posted on:
 
He must have copied it from somewhere!

 
青扬 (ID: 3788) posted on:
 
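Brother, I really admire you. Your English is really impressive, so impressive that I can't even understand it. Next time, could you use Chinese, or translate it before showing it to me? But be sure to translate it accurately, and don't mislead me.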
 
 



