CYBER SECURITY CASE STUDIES
Cybersecurity Compliance and Computer Forensics is our key focus, we are an organization of IT security professionals. We work with organizations in all industry, you will find a few of our Case Studies on this page.
ISO 27001 Implementation for Manufacturing Organization Case Study
Executive Summary
CyberSecOp was engaged by a manufacturing organization to implement ISO 27001 and achieve compliance with Good Pharmaceutical Practice (GxP) regulations in an on-premises environment. CyberSecOp's VCISO led the compliance implementation and testing, working closely with the client team. The project included a security assessment, development of an ISO 27001 security program, build out of a secure environment on-premises, and implementation of a variety of security controls to protect the client's data and systems.
Challenges
The project faced a number of challenges, including:
The client had a complex environment with a variety of legacy systems.
The client had a limited understanding of ISO 27001 and GxP compliance requirements.
The client had a tight deadline for achieving compliance.
The project needed to be implemented in an on-premises environment.
Solution
CyberSecOp's team of experts worked closely with the client to overcome these challenges and deliver a successful project.
Security Assessment
CyberSecOp conducted a comprehensive security assessment of the client's on-premises environment. The assessment identified a number of vulnerabilities that needed to be addressed in order to achieve compliance.
ISO 27001 Security Program
CyberSecOp developed an ISO 27001 security program for the client. The program included a risk assessment, risk treatment plan, and implementation plan.
On-premises Environment Build Out
CyberSecOp helped the client to build out a secure on-premises environment. This included implementing the necessary security controls to protect the client's data and systems, including:
Access controls: CyberSecOp helped the client to implement strict access controls to ensure that only authorized users had access to the environment.
Data protection: CyberSecOp helped the client to implement a variety of data protection measures, including encryption, access controls, and backup and recovery procedures.
Security monitoring: CyberSecOp helped the client to implement a security monitoring solution to detect and respond to security threats in real time.
GxP Compliance
CyberSecOp worked with the client to ensure that its ISO 27001 implementation met all of the relevant GxP requirements. This included implementing controls for data integrity, data security, and system validation.
Other Security Controls
In addition to the controls listed above, CyberSecOp also helped the client to implement a variety of other security controls, including:
Vulnerability management: CyberSecOp helped the client to implement a vulnerability management program to identify and patch vulnerabilities in the on-premises environment.
Security awareness training: CyberSecOp provided security awareness training to the client's employees.
Incident response: CyberSecOp developed an incident response plan to help the client respond to security incidents in a timely and effective manner.
Benefits
The project delivered a number of benefits to the client, including:
Improved security posture
Increased compliance with ISO 27001 and GxP requirements
Reduced risk of data breaches and other security incidents
Improved visibility into security threats
Increased confidence in the security of the on-premises environment
Conclusion
CyberSecOp successfully implemented ISO 27001 and achieved GxP compliance for a manufacturing organization in an on-premises environment. The project overcame a number of challenges and delivered a number of benefits to the client.
Recommendations
CyberSecOp recommends that other manufacturing organizations consider implementing ISO 27001 to improve their security posture and achieve compliance with GxP regulations, even if they are operating in an on-premises environment. CyberSecOp also recommends that manufacturing organizations work with a qualified security partner to ensure the success of their ISO 27001 implementation.Executive Summary
CyberSecOp was engaged by a manufacturing organization to implement ISO 27001 and achieve compliance with Good Pharmaceutical Practice (GxP) regulations in an on-premises environment. CyberSecOp's VCISO led the compliance implementation and testing, working closely with the client team. The project included a security assessment, development of an ISO 27001 security program, build out of a secure environment on-premises, and implementation of a variety of security controls to protect the client's data and systems.
Challenges
The project faced a number of challenges, including:
The client had a complex environment with a variety of legacy systems.
The client had a limited understanding of ISO 27001 and GxP compliance requirements.
The client had a tight deadline for achieving compliance.
The project needed to be implemented in an on-premises environment.
Solution
CyberSecOp's team of experts worked closely with the client to overcome these challenges and deliver a successful project.
Security Assessment
CyberSecOp conducted a comprehensive security assessment of the client's on-premises environment. The assessment identified a number of vulnerabilities that needed to be addressed in order to achieve compliance.
ISO 27001 Security Program
CyberSecOp developed an ISO 27001 security program for the client. The program included a risk assessment, risk treatment plan, and implementation plan.
On-premises Environment Build Out
CyberSecOp helped the client to build out a secure on-premises environment. This included implementing the necessary security controls to protect the client's data and systems, including:
Access controls: CyberSecOp helped the client to implement strict access controls to ensure that only authorized users had access to the environment.
Data protection: CyberSecOp helped the client to implement a variety of data protection measures, including encryption, access controls, and backup and recovery procedures.
Security monitoring: CyberSecOp helped the client to implement a security monitoring solution to detect and respond to security threats in real time.
GxP Compliance
CyberSecOp worked with the client to ensure that its ISO 27001 implementation met all of the relevant GxP requirements. This included implementing controls for data integrity, data security, and system validation.
Other Security Controls
In addition to the controls listed above, CyberSecOp also helped the client to implement a variety of other security controls, including:
Vulnerability management: CyberSecOp helped the client to implement a vulnerability management program to identify and patch vulnerabilities in the on-premises environment.
Security awareness training: CyberSecOp provided security awareness training to the client's employees.
Incident response: CyberSecOp developed an incident response plan to help the client respond to security incidents in a timely and effective manner.
Benefits
The project delivered a number of benefits to the client, including:
Improved security posture
Increased compliance with ISO 27001 and GxP requirements
Reduced risk of data breaches and other security incidents
Improved visibility into security threats
Increased confidence in the security of the on-premises environment
Conclusion
CyberSecOp successfully implemented ISO 27001 and achieved GxP compliance for a manufacturing organization in an on-premises environment. The project overcame a number of challenges and delivered a number of benefits to the client.
Recommendations for Other manufacturing organizations
CyberSecOp recommends that other manufacturing organizations consider implementing ISO 27001 to improve their security posture and achieve compliance with GxP regulations, even if they are operating in an on-premises environment. CyberSecOp also recommends that manufacturing organizations work with a qualified security partner to ensure the success of their ISO 27001 implementation.
Cyber Security Threat Hunting Case Study - gain visibility on hackers
Cyber Security Threat Hunting Case Study
The Client was a Financial Services Institution (FSI) with 2031 networked windows. 216 were in a central office, with another 1815 in-satellite offices.
EXECUTIVE SUMMARY
1) The Engagement with the Client: Threat Hunting at an FSI that suspected a breach
2) The Tools and Services: How we assisted the Client with our toolset and services
3) The Client Outcome: The benefits the Client reaped, including continued services
This report does not discuss the essentials of cybersecurity awareness training, though we do cover the value of using training to mitigate vishing threats in a separate whitepaper.
THE CLIENT
The Client was a Financial Services Institution (FSI) with 2031 networked windows. 216 were in a central office, with another 1815 in-satellite offices. The Client’s IT/IS Team informed CyberSecOp of the system requirements and the shape of the network so that our threat hunting solution could be installed into the client’s environment without issue.
THE ENGAGEMENT
The Client employed CyberSecOp to deliver managed security services in the form of a Compromise Assessment on the critical infrastructure of the bank following suspicion that there may be threat actors on the network.
THE PARTNER (CyberSecOp)
CyberSecOp is a fast-growing MSSP that has hunted threats for some of the biggest financial institutions in the region.
THE PROCESS
CyberSecOp was able to configure the evidence collection system and scan the network without causing any downtime to the customer’s servers or services. The full assessment took approximately 10 days, with multiple scanning rounds completed within that time to optimize the client’s opportunity for remediation of the first layer of findings. We performed the Compromise Assessment, identifying the breach of the client’s network and discovering that it happened 3-4 months ago based on the evidence we identified. Upon discovering a breach, CyberSecOp initiated a containment phase, effectively isolating the malicious content, and then coordinated with the FSI’s IT team to investigate and discover any other remedial actions that needed to be taken. Following the breach CyberSecOp advised on how to communicate the results of the discovery to the Client’s users and conducted a Breach Postmortem during which CyberSecOp reviewed the report and findings with management at the FSI.
Steps in CyberSecOp’s Compromise Assessment included
REMEDIATION
CyberSecOp performed the following services as a part of the breach remediation:
- Forensics and Threat Hunting, detailed reporting, and data gathering/tagging
- Deploying CyberSecOp Managed Detection Response system to ensure any future breach was discovered much sooner than this one.
- Perform vulnerability and penetration scan to identify and remove vulnerabilities.
- A complete analysis of the malicious software the threat actor left on the Client server, including insights into what would have happened if the software had been activated.
- Worked with the client’s technical team to purge the system and ensure that there were no remaining backdoors for the threat actor to sneak back in through.
OUTCOME
- Threat actor’s access and malicious software were removed from the multiple devices, and vulnerability where remediation
- The Client now has an active contract with CyberSecOp for Managed Detection and Response and quarter compromised assessments
- The Client servers and all endpoints continue to be scanned periodically to validate that the remediation is complete and that no further threat actors have breached the network
IN CONCLUSION
Threat hunting and backups are critical, keeping a copy of your data in reserve is one of the best ways of reducing financial risk. It is highly recommended to use a security team that can analyze any provided decryption tool, to ensure there is no further threat present.
It’s also critical to ensure your organization takes step to ensure security of all systems, through implementation of Managed SOC, MDR services, and Employee Security Awareness Training.
Security Architecture for Financial Services – A CyberSecOp Case Study
Security Architecture for Financial Services Case Study
The Financial Services Sector encompasses a wide variety of commercial concerns, from traditional depository banking operations, to exotic investment funds and cryptocurrency exchanges. Yet, for all of their diversity of purpose each of these concerns will pursue a common goal of maximizing returns on their information security architecture - an increasingly important institutional discipline in today’s environment of proliferating threat actor assaults.
The purpose of this analysis is to provide a step-by-step roadmap exploring some of our sample engagements, client requirements, and solutions provided.
Engagement
Client requested that CyberSecOp assist with an information security breach response, and provide a subsequent analysis of its information security architecture along with present risks and vulnerabilities together with a comprehensive remediation roadmap.
Procedures
CyberSecOp was engaged to perform the following procedures as an outgrowth of the incident response:
· Breach response risk mitigation – Diagnose source and method of breach, immediately cure the vulnerability and ascertain the status of data loss (if any)
· Post-Mortem – Provide the client with a formal report addressing our findings
· Information Security Architecture Risk Assessment – Perform a comprehensive risk assessment of the client’s information security architecture in accordance with industry best practices and standards, providing a formal written report for the client’s review
· Information Security Program – Formulate a security program complete with monthly reporting to ensure the ongoing integrity of the client’s information security environment
· Implement 24 hour, 7 day per week Managed Detection and Response, covering all client networked resources through CyberSecOp’s Security Operations Center; integrate client’s information security reporting tools to CyberSecOp’s SIEM service via the Security Operations Center; recommend and implement a centrally monitored Advanced Endpoint Protection solution.
· Design and implement a cybersecurity dashboard solution, using the client’s preferred cloud-based information security reporting software.
Solutions
Breach Response and Risk Mitigation
CyberSecOp maintains a dedicated team of information security breach response professionals (‘Blue Team’) that stand ready and able to assist clients at a moment’s notice. CyberSecOp’s Blue Team professionals are some of the most skilled and best informed in the industry. Our Blue Team professionals will also provide formal documentation detailing the particulars of breach causality, as well as make recommendations to mitigate future information security risks.
Risk Assessment and Security Program Services
CyberSecOp risk management professional will provide the client with formal, written documentation discussing the state of the client’s information security architecture and detailing any vulnerabilities revealed in the data gathering, testing and discovery process. Our risk management professionals will then devise a comprehensive information security program designed to ensure that the client’s information security environment maintains integrity and that all covered systems and endpoints are updated with the most recent industry leading security features.
The CSO Security Operations Center (‘SOC’)
CSO’s Security Operations Centre service can be integrated with a customer’s own Security Operations Centers, should a shared, collaborative architecture be preferred. Partner Security Operations Centers may focus on areas within the customer’s own security domain or, if its business boundaries are extended by extensive collaboration with third party organizations which operate to different technology standards, monitor devices in such domains through the ‘Internet of Things’.
CSO’s Cyber Security Dashboard Service
CyberSecOp’s Security Portal and Dashboard service will provides reports and visibility on the implemented security services, including pre-defined views covering:
Security news, campaigns and threat information from external Threat Intelligence sources
Security incidents in the form of generated ‘trouble ticket’ information from analyzed security incidents
Security warnings, incident and alert information automatically generated by Security Incident and Event Management systems
CSO’s Security Incident and Event Management (‘SIEM’) and Managed Detection and Response (‘MDR’) Service
CSO’s SIEM Services comprise ‘always-on’ basic security analytics based on static, predefined correlation rules and are included with CyberSecOp’s Security Operation Center service. Clients can leverage CyberSecOp’s SIEM data collectors to provide a more robust picture of threat actor behavioral analytics, as described below.
Behavioral Analytics
CSO’s SIEM Behavioral Analytics monitors use threat actor behavior to identify anomalies. During that time the service learns what the normal activities of a customer’s end user are, so that the system is then able to identify anomalies whether a compromised account, infected host, account misuse or lateral movement.
Advanced Endpoint Protection (‘AEP’)
CyberSecOp provides a comprehensive suite of AEP solutions through our Security Operations Center. Advanced Endpoint Protection involves deploying sophisticated data protection software on all firm endpoints, including desktops, laptops, mobile devices and ‘Internet of Things’ devices. AEP software ensures threat actors are not able to access the client environment through one or more exploitable connected devices.
The CyberSecOp Advantage
Today’s information security environment is becoming ever more complex by the day. Concerned commercial businesses are increasingly finding themselves subject to seemingly random attacks from threat actors, who in reality select their targets carefully after extended observation and deploy tools to hold the target completely inoperable pending response to their demands. While following the steps set forth above can help inoculate the firm against such attacks and ensure that the client’s operating environment remains undisturbed, providing a competitive advantage in today’s marketplace is vital. Here at CyberSecOp, our professionals can assist in implementing the recommended framework, providing our clients white-glove service with all of their information security needs.
Education Case Studies & Forensics Analysis - Security Program Development
Education Case Studies & Forensics Analysis - Security Program Development
CyberSecOp engaged with multiple educational institutions to implement a security program, our team proceed by conducting a comprehensive assessment of the schools to review existing physical security technologies, security personnel, emergency plans, and the associated policies, procedures, and processes.
A thorough walk of the campus then lead to interviews of administration, faculty, staff, and parents. These interviews helped us understand security concerns on the campus as well as garner an understanding of the overall perception of security. Emergency management and large event planning and processes were reviewed. Interviews with local first responders gave us an inside look into their capabilities with assisting the school in case of an emergency situation.
RECOMMENDATIONS INCLUDED:
Implement comprehensive security program covering physical security technologies, security personnel, emergency plans, and the associated policies, procedures, and processes.
Reducing the number of entry points, and to us camaras to improve visibility of the parameter.
Implementing a visitor management program that would require all non-affiliates of the school to register at a central point.
Upgrading the technology associated with the school’s public-address system to improve the likelihood that emergency announcements would be heard at all points on campus.
Reviewing and modifying the emergency management manual to allow for a Run-Hide-Fight plan in association with an active shooter event.
Developing a Security Technology Master Plan and standardizing technology across the campus.
CYBER SECURITY SERVICES PROVIDED
Healthcare Case Studies & Forensics Analysis
Healthcare Security Case Studies & Forensics Analysis
The IT organization of healthcare (original name withheld) was facing a great deal of challenges with day-to-day IT service delivery. While critical activities, such as end-of-day, backup and restore functions, and scheduled server reboot for certain critical servers were documented on paper for regulatory compliance reasons, most processes were at best documented in individual employees’ heads.
There was poor change control; something broke every other day and it was perfectly acceptable to have unplanned downtime of Healthcare services for a few hours every month. Often, the unplanned downtime was due to, for example, failed system upgrades or security configuration modifications by the security administrators without proper impact assessments. Fortunately, the enterprise’s internal control department had some oversight over the critical banking infrastructure; otherwise, medical operations could have suffered a total systemic failure.
Healthcare Medical Center, has agreed to pay a $218,400 settlement to federal authorities for what the government is calling “potential violations” of data privacy and security breach notifications rules under HIPAA, including in a relatively rare enforcement area, Internet-based file-sharing services.
The Office for Civil Rights at HHS, which has federal HIPAA privacy and security rule enforcement authority, first received a complaint in November 2012 that members of organization’s workforce used an Internet-based document-sharing application “to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice.”
In a separate incident, in August 2014, the hospital reported to HHS that a former workforce member had stored patient-identifiable health records of 595 individuals on a stolen personal laptop and USB flash drive.
According to a recent report on employee Internet usage by the Campbell, Calif.-based security firm Skyhigh Networks, employees at an average healthcare organization use a total of 928 cloud services, many without the knowledge of their IT departments. File-sharing services were among the top five uses of cloud services by healthcare workers in the report.
“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document-sharing applications,” said Office for Civil Rights Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
In addition to the payment, the settlement includes a corrective action plan “to cure gaps in the organization’s HIPAA compliance program raised by both the complaint and the breach.” organization has also reported to the civil rights office a breach of 6,831 lost patients’ identifiable records on paper or film, according to the “wall of shame” list kept by the office for breaches involving 500 or more individuals.
In April, 2012, a five-physician medical practice, Phoenix Cardiac Surgery, agreed to a $100,000 settlement for failing to have HIPAA-required business associate agreements with providers of their Internet-based calendar and e-mail service.
“Between these two cases,”, “what it stands for is OCR’s expectation you’re going to have to have a business associate agreement with any cloud-based (service) providers. And you need a risk analysis.”
“So, there appears to be a whistle-blower,” “It shows the importance of having a process for hearing concerns from your employees about addressing HIPAA, or they might go to the government instead.”
Since September 2009, when the civil rights office started keeping a public list of breaches involving 500 or more individuals, 1,265 breaches have been reported exposing the records of nearly 135 million people, equal to the populations of California, Florida, Illinois, New Jersey, New York, Pennsylvania and Texas combined.
CYBER SECURITY CISO SERVICES
Cyber Security CISO Internal and external penetration testing
Cyber Security CISO Configuration management, design, and remediation
Cyber Security Consulting Enterprise security architecture design and re-design
Cyber Security CISO Malicious code review
Cyber Security CISO Computer Security incident response
Cyber Security Consulting Engineering and architecture design
Cyber Security Consulting Application and software security assurance
Cyber Security Consulting Social engineering (targeted phishing)
Ransomware Case Studies & Forensics Analysis
Ransomware Case Studies & Forensics Analysis
A particularly insidious type of malware is ransomware, which is secretly installed on your windows systems and locks the system down. That lockdown is inevitably accompanied by a message demanding payment if the systems owner ever wants to access the files again. Unless you are very lucky (or the hacker spectacularly incompetent), everything important on your hard drive will be effectively lost to you, unless you pay up.
Although earlier versions of ransomware sometimes had flawed encryption, recent iterations are better designed. Although you could pay the ransom, that’s not a guarantee that things will work out, as Hospital in Massachusetts discovered when hackers demanded a second ransom after locking down files.
THE CASE
The victim: Hospital with 680 networked windows 380 in a central office, with another 300 in a satellite offices. Upon arrival of the incident response team, we identify that the client had no protection in place. The network administrators had no idea has to what is going on in the network, no security tool, no forensic tool, and the perimeter had no IPS/IDS system in place.
WE THEN
All the orgainization’s endpoint systems are Windows 7, and Windows 10. Employees operate using Windows email systems which operates on Office 365 and MS Outlook. CyberSecOp team identified that the infection started with a phishing email.
THE MALWARE
The ransomware was identified has RYUK, specifically a newer variant that resisted efforts by utility programs such as SpyHunter to remove it. the client also checked the registry settings as described by Malwarebytes, hoping to isolate the exact nature of the threat, but had no luck. RYUK has a nasty habit of deleting key files in its wake in order to confound attempts to stop it.
The company decided to restart the software and see how things went. While the server was down, though, the firm had to write down new orders on little slips of paper. It was chaos.
Each infected folder contained a three files: # Decrypt Read Me file, .txt. The ransomware encrypted any file on the target extension list, giving it a random filename with the .RYUK extension.
The malware infected all PCs at the central office and all the systems at satellite offices; The damage to these infected PCs was okay since they could be reimaged. The 26 servers hosting health information and databases was a big problem, since the client found out the backups has been failing: the log files (.log) were all encrypted, config files, as well as group polices files.
THE DEMAND
The# Decrypt Read Me file contained a message asking for 150 Bitcoins (about $1,734,000) to recover the organization systems, including details on how to pay. The firm Managing Director decided that they have no other avenue but to pay the ransom.
CyberSecOp first tried to recover files from the physical servers but had no luck, due most of the flies where corrupted. The team proceed with forensic and ransomware negotiation, and was able to get the threat actor down to 3.9793 bitcoin.
RANSOMWARE PAYMENT
All communication with the client is covered by with attorney-client privilege
Before the ransomware negotiating, we request proof of life
We understand that ransomware negotiation is big deal to your business
We negotiation and collaborate you he client like any other business deal
We quick try to understand the ransomware attacker, then start the ransom negotiation
Our ransomware negotiation experts understand classic rules of hostage negotiation
REMEDIATION
Forensics data gathering
Deploy CyberSecOp MDR
Pay the threat actor 3.9793 bitcoin
Received decryption tool from the threat actor
Complete malware analyst on the decryption tool
Work with the client technical team to decrypt the systems
PROTECTING YOURSELF
Large companies often have disaster plans in place that include ransomware infections. But what should individuals or small businesses do when confronted with this issue? Crossing your fingers is probably not the best option.
Frequent offsite backups are the obvious first step, although the automation comes with a downside: if your files are maliciously encrypted, the encrypted files might accidentally get backed up, as well. If you take this route, make sure that the backup vendor offers a 30-day recovery period or versioning, so you can get your backed-up files intact.
For individuals, even something as simple as copying files to an external memory stick or drive is better than nothing. If you take this route, keep your USB storage unplugged from your machines when not copying to it.
As email attachments are a prime source of infections, having an email scanner is probably the best way to eliminate that particular vector of attack.
Security training awareness to help them stop phishing email
CONCLUSION
Backup are critical, if the client had maintain there backups, the client would be able to recover, won’t pay the demand our expert can reduce the financial risk. Let the professional handle the case, the client should have loss all there data while trying to remove the ransomware before the don’t know how it works. It is highly recommended to uses a security team that that can analyze the decryption tool to ensure there is no logic boom being dropped.
It is also critical to ensure your organization takes step to ensure security of all system, implementation of Managed SOC, MDR services, and Employee Security Training awareness
CYBER SECURITY AND DIGITAL FORENSIC SERVICES
Retail Compliance Services Case Studies & Incident Response
Retail Security Compliance & Incident Response
CyberSecOp works with some of the top retailers around the world. Our aim is to help our customers reduce risk, save time, and save money. One of our most recent success stories comes from our work with the big box US department store chain faced with compliance requirements for CCPA, PCI DSS, also in scope is Shield Act with is pending approval for New York.
Their footprint consisted of hundreds of retail stores and several corporate. Their IT organization was significantly understaffed given the large geographic presence, thereby creating inefficient processes and establishing a greater risk profile for potential threats. Added to the current situation, they had purchased Security hardware and software that wasn’t being utilized which reduced the credibility of the IT team and their ability to push for additional network and security enhancements that would better position the business for future growth.
When during out discovery phase CyberSecOp team uncover multiple suspicious events, missing system logs, infected system, system without antivirus, external remote access without multifactor authentication, and evidence 19 compromised systems communicating with malicious IP addresses and domains.
The project quickly turned into a incident response, CyberSecOp risk management team put a quick playbook together for the operation.
Detailing the intricacies of the incident response, CyberSecOp risk management team involved individuals form accounting, forensics, risk management, CISO level resource to provide guidance, fraud detection, human behavior analysis, and interview/interrogation skills.
RECCOMENDATIONS INCLUDED:
Implement CyberSecOp SIEM and Managed Detection and Response Toolset
CyberSecOp provide 24/7 monitoring, threat hunting and incident response services
Create and implement a incident plan and playbook
Assess and Implement a comprehensive security program covering physical security, security personnel, emergency plans, and the associated policies, procedures, and processes in compliance with PCI/CCPA.