CyberSecurity within the government and commercial spaces has become a necessity in today’s ever-changing cyber landscape. Hackers, state-sponsored criminals, and script kiddies are constantly generating and implementing new and innovative ways to launch malicious attacks on networks, systems, and big data. With Cyber Hygiene as a constant worry for CISOs, CEOs, and CIOs, a broad and detailed approach to CyberSecurity is a must. InQwest has spent years establishing this approach to CyberSecurity through the implementation and execution of Information Assurance, Independent Verification and Validation (IV&V), Security Engineering, and Penetration Testing.

PENETRATION TESTING

Penetration Testing facilitates the identification and discovery of exploitable vulnerabilities within IT networks and applications. Reconnaissance and discovery activities outline assets within a system and network to provide a baseline of attack vectors and serve as initial sources for information gathering activities in order to provide a real-world representation of a system or network. InQwest implements a Blue/Red Team Hybrid methodology that allows for testing from an insider threat perspective with system knowledge while leveraging any identified findings for use in external exploitation.

This methodology not only includes all typical Red Team testing but also adds a layer of internal exploitation. This internal component will identify additional exploits that would not be found when performing external Red Team testing. The Hybrid approach provides a more in-depth vulnerability assessment of implemented technical controls.

SECURITY ENGINEERING

Security engineering includes all of the necessary technical testing associated with the Accreditation and Authorization (A&A) process. Testing is driven by network and system boundaries with associated asset inventory. InQwest is fluent in providing automated and manual assessments on web applications, web services, databases, infrastructure devices, servers, workstations, and security appliances.

This includes automated and manual dynamic testing as well as static code analysis and manual configuration assessments. Raw data analysis is performed to identify false positives, and a findings report is generated to support the overall A&A technical testing assessment.

INFORMATION ASSURANCE/FISMA COMPLIANCE

Information assurance and Federal Information Security Management Act (FISMA) services focus on compliance with FISMA and National Institute of Standards and Technology (NIST) guidelines. The support includes facilitation of communication with key stakeholders, scheduling of A&A activities, generating necessary plan and accreditation documentation, reviewing A&A testing results, creation of Plans of Action & Milestones, and the final accreditation package.

InQwest A&A services are tailored to accommodate each specific agency in order to satisfy compliance requirements and streamline the A&A process.

IV&V

The IV&V service provides a third-party external assessment of system and application processes, procedures, and internal implementation. This outside perspective facilitates a fresh take on long-established and familiar approaches to internal and external security practices. This approach is essential in identifying gaps in management, operational, and technical implementations that are commonplace with regard to system administration, security configuration, defense in depth capabilities, and documentation.

InQwest has been providing IV&V services for government clients to identify critical areas with elevated risk within the agency.

VULNERABILITY ASSESSMENTS

Vulnerability Assessments facilitate the identification and discovery of vulnerabilities within IT networks and applications. Discovery activities outline assets within a network and provide an attack surface to facilitate additional testing. InQwest implements a standard Blue Team approach that allows for internal white box testing from an insider threat perspective with system knowledge.

This methodology includes testing with and without credentials on all workstations, servers, databases, web applications, network devices, and security appliances. Automated tools and manual testing methodologies are implemented to provide a holistic review, minimize false positives, and identify as many network and system vulnerabilities as possible. InQwest vulnerability assessments drive to increase the overall security posture of commercial and agency networks and systems.