- The “3 Legged Model” or “single firewall” – where the DMZ segment(s) are connected via a dedicated interface (or interfaces) and a single firewall implements traffic control rules between all of the network segments (the firewall could be a traditional firewall simply enforcing interface to interface rules or a “next generation” firewall implementing virtualized “zones” or other logical object groupings)
- The “Layered Model” or “dual firewall”- where the DMZ segment(s) are connected between two sets of firewalls, like a sandwich
MSI has built a reputation that spans decades in and around testing hardware and software for information security. Our methodology, experience and capability provides for a unique value to our customers. World-class assessments from the chip and circuit levels all the way through protocol analysis, software design, configuration and implementation are what we bring to the table.
Some of the many types of systems that we have tested:
- consumer electronics
- home automation systems
- voice over IP devices
- home banking solutions
- wire transfer infrastructures
- mobile devices
- mobile applications
- enterprise networking devices (routers, switches, servers, gateways, firewalls, etc.)
- entire operating systems
- ICS and SCADA devices, networks and implementations
- smart grid technologies
- gaming and lottery systems
- identification management tools
- security products
- voting systems
- industrial automation components
- intelligence systems
- weapon systems
- safety and alerting tools
- and much much more…
To find out more about our testing processes, lab infrastructure or methodologies, talk to your account executive today. They can schedule a no charge, no commitment, no pressure call with the testing engineer and a project manager to discuss how your organization might be able to benefit from our experience.
At A Glance Call Outs:
- Deep security testing of hardware, software & web applications
- 20+ year history of testing excellence
- Committed to responsible vulnerability handling
- Commercial & proprietary testing tools
- Available for single test engagements
- Can integrate fully into product lifecycle
- Experience testing some of the most sensitive systems on the planet
- Powerful proprietary tools:
- many more solution specific tools
- Circuit & chip level testing
- Proprietary protocol evaluation experience
- Customized honeypot threat intelligence
- Methodology-based testing for repeatable & defendable results
Other Relevant Content:
Project EVEREST Voting Systems Testing https://stateofsecurity.com/?p=184
Lab Services Blog Post https://stateofsecurity.com/?p=2794
Lab Services Audio Post https://stateofsecurity.com/?p=2565
Just a quick update on the Stolen Data Impact Model (SDIM) Project for today.
We are prepping to do the first beta unveiling of the project at the local ISSA chapter. It looks like that might be the June meeting, but we are still finalizing dates. Stay tuned for more on this one so you can get your first glimpse of the work as it is unveiled. We also submitted a talk at the ISSA International meeting for the year, later in the summer on the SDIM. We’ll let you know if we get accepted for presenting the project in Nashville.
The work is progressing. We have created several of the curve models now and are beginning to put them out to the beta group for review. This step continues for the next couple of weeks and we will be incorporating the feedback into the models and then releasing them publicly.
Work on phase 2 – that is the framework of questions designed to aid in the scoring of the impacts to generate the curve models has begun. This week, the proof of concept framework is being developed and then that will flow to the alpha group to build upon. Later, the same beta group will get to review and add commentary to the framework prior to its initial release to the public.
Generally speaking, the work on the project is going along as expected. We will have something to show you and a presentation to discuss the outcomes of the project shortly. Thanks to those who volunteered to work on the project and to review the framework. We appreciate your help, and thanks to those who have been asking about the project – your interest is what has kept us going and working on this problem.
As always, thanks for reading, and until next time – stay safe out there!
Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.
Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.
Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!
Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.
Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!
We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:
Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.