InQwest has had the opportunity to provide excellent IT Security consulting services to federal and commercial clients. In order to provide a technical glimpse into the InQwest methodology and experience, a few examples have been provided to present our No Compromise on Quality approach.
Use Case #1
Identification and Exploitation of Vulnerabilities for Federal and Commercial Clients
To maintain a strong cybersecurity posture and healthy cyber hygiene for Federal agency and Commercial company systems and networks.
Identification and exploitation of vulnerabilities within client systems, including servers, workstations, databases, web applications, web services, network devices, and security appliances. Automated and manual processes were utilized to assess all client system components through a detailed penetration testing methodology.
Reconnaissance and discovery activities outline assets within a system and network to provide a baseline of attack vectors and serve as initial sources for information gathering activities in order to provide a real-world representation of client systems or networks. All hardware, software, operating system, web application, appliance, and network devices are enumerated with corresponding ports, protocols, services, applications, databases, web servers, middleware, browsers, and other pertinent information. Vulnerability and configuration scans were conducted to identify known vulnerabilities and hardening misconfigurations using the enumerated asset information. In addition, static and dynamic manual vulnerability testing was performed on all network, web, and infrastructure related components to identify vulnerabilities. Following the identification of valid vulnerabilities from automated raw data and manual assessments, exploitation was attempted through the use of exploitation tool sets and manual methods. All successful exploitations and valid findings with associated mitigation recommendations were fully documented and provided to the client.
InQwest has an extensive breadth of experience in cybersecurity, vulnerability assessments, network, database, and web testing, as well as risk determination. We were chosen due to the technical expertise and cyber qualifications of our team.
The client received a holistic assessment and report of the security posture of their respective networks and systems. We successfully identified and provided mitigation recommendations to further strengthen the system under test, reduced the risk of vulnerability exploitation, and minimized the system attack surface.
Use Case #2
Authorization and Accreditation of Federal Information Systems
To maintain accreditation and an authority to operate with multiple Federal agency systems while ensuring a strong cybersecurity posture.
Review of agency networks and systems to determine compliance with technical, operational, and management security controls required by the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and the National Industrial Security Program (NISP).
A two-fold approach was implemented, beginning with a review of the system design, functionality, data flow, security, and other management and operational processes. This review identified gaps in compliance and other requirements while providing recommendations on process and procedure improvements. In conjunction with documentation review, interviews with management and technical personnel were conducted to gather insider, on-the-ground information regarding the system's implementation, day-to-day operations, and maintenance. A physical security assessment on system assets was performed to ensure proper access, environmental, and security controls were implemented. The second path includes technical automated and manual assessments on all system and network components including but not limited to web applications, servers, workstations, databases, web services, network infrastructure, and security appliances. The technical assessment was performed to identify system vulnerabilities and risk exposure, providing the real-world security posture.
Recommendations for mitigation of all technical, operational, and management vulnerabilities were provided to reduce the risk of exposure. All agency required Authority to Operate (ATO) documentation was generated to include system descriptions, system security plans, risk assessments, security control assessments, identified vulnerability and security control documentation, plans of action and milestones, and authority to operate documentation.
InQwest has over 10 years' experience and expertise in Authorization and Accreditation activities, documentation review, security control assessment analysis, risk determination, and technical vulnerability assessments. InQwest is seasoned in all things related to maintaining an agency's continued use of new and existing systems and networks. We were chosen due to our experience in many different areas of the government domain as well as technical expertise and ability to articulate security posture through documentation.
The client received a 360-degree assessment and documentation outlining the security posture of agency networks and systems. We successfully obtained system ATO on agency networks through detailed documentation and remediation recommendations for vulnerabilities identified during the effort.