an introduction to pivot point security


Upload: pivotpointsecurity

Post on 18-Nov-2014


DESCRIPTION

We Make It Simple to Know You’re Secure and Prove You’re Compliant

Our mission is to simplify the complexities of security information management:

- Focus on the core group of security assessment services you need
- Take the time to understand your business and then optimize our approach for your unique situation
- Deliver reports and guidance that are easily understood and acted on by both management and technical personnel
- Base your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System after we leave

TRANSCRIPT

Page 1: An Introduction To Pivot Point Security
Page 2: An Introduction To Pivot Point Security

Our mission is to simplify the complexities of security information management:

• Focus on the core group of security assessment services you need
• Take the time to understand your business and then optimize our approach for your unique situation
• Deliver reports and guidance that are easily understood and acted on by both management and technical personnel
• Base your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System after we leave

Page 3: An Introduction To Pivot Point Security

10+ Years purely focused on Information Assurance

• Information Security Management System Assessment (35%)
  Design Reviews / Gap Assessments / ISO 27001 / Compliance Testing
  Experienced with dozens of standards/frameworks

• Penetration Testing / Ethical Hacking (40%)
  Network / Application / Database / Physical / Social Engineering

• Security Information Event Management (25%)

• Regional Focus / National Reach

Page 4: An Introduction To Pivot Point Security

Experience
• Hundreds of Security Assessment engagements
• Personnel Security Experience (12+ years on average; ~6 years as a team)
• Education & Certification (all major certifications relevant to our focus)

Results
• Focus on communicating results in an understandable/actionable manner
• Demonstrable body of success

Integrity
• Commitment to doing what is right
• Pride in our work product
• Respect for our “extended” team
• Independence (we sell no products)

Intent
• Focus on mutual benefit
• Straight Talk -- Always

Page 5: An Introduction To Pivot Point Security

City of New York:
• Financial Services
• Taxi and Limousine Commission
• City Time
• Electronic Justice Project

Wyndham Worldwide

Oklahoma Gas & Electric

Barnes & Noble

Time Warner Cable

Bristol Myers Squibb

NJ Motor Vehicle Commission

Philadelphia Parking Authority

Verizon Wireless

Depository Trust & Clearing Corporation (DTCC)

Bank of New York

Savient Pharmaceuticals

County of Sussex (NJ)

Pennsylvania Power & Light

National Student Clearinghouse

Woodbridge Township (NJ)

Banco Estado of Chile

Target

Page 6: An Introduction To Pivot Point Security

System Certification & Accreditation (NIST 800-37)

PCI Compliance

Sarbanes-Oxley

Identity Theft

Third Party Attestation
• ISO 27001/27002
• BITS
• SAS70
• HIPAA

Risk Assessment

Incident Response
• Forensics

Security Assessments
• Vulnerability Assessments
• Penetration Testing: Internal / External / Application / Physical Penetration
• Social Engineering

Design Reviews
• Application Code Review
• Network
• Database
• Systems

Page 7: An Introduction To Pivot Point Security

Information Technology/Security professionals that became auditors (not accountants)

Highly experienced – average 12+ years

Highly certified – ISO 27001, CISA, CISSP, CEH, CHFI, MCSE, CCNA, OCP, etc.

Core team has been together ~6 years

Consistent commitment to excellence – we are passionate about what we do

Page 8: An Introduction To Pivot Point Security

Concerns: Protect Critical Data
• Passenger Credit Card Data
• Passenger, Driver, & Owner Privacy
• Advertising, Entertainment, & PSA Feed

Key Challenges
• Highly Complex Solutions
  In-Cab Architecture
  Wireless & GPS Architecture
  Multiple Data Centers
  Web Applications to service TLC, Drivers, Owners
• A “moving” target (13K of them)
• 4 Unique Vendor Solutions
• Accountability

Taxicab Security Presentation: http://s.pvtpt.com/TaxicabSecurity

Page 9: An Introduction To Pivot Point Security

for leading US Electrical Utility Company

“The problem wasn’t a lack of guidance, rather it was an overabundance of guidance.”

– John Verry, Principal Consultant

Electrical Utilities: Information Security Blackout: http://s.pvtpt.com/InfoSecBlackout

Over 20 Standards to Consider

Testing of Hard-to-Secure Distributed Environments
  Radio Networks
  Smart Meters
  In-Home Devices
  Command Response
  SCADA Systems

Page 10: An Introduction To Pivot Point Security

Major PA Electrical Utility
• SIEM Solution Implementation (Novell Sentinel)

Major Regional Transmission Organization (RTO)
• Network, Application & Physical Vulnerability Assessments / Penetration Testing
• WLAN Assessments

Page 11: An Introduction To Pivot Point Security

Burlington County Bridge Commission (NJ)
• Concerns: Segregation and Protection from EZ-Pass Systems
• Vulnerability Assessments / Network Architecture Assessments

NYC Financial Information Services Agency (FISA)
• Concerns: Security of Personally Identifiable Information (PII) of NYC’s 400k Employees
• eHire: Implementation of PeopleSoft Recruiting Software Across all NYC Agencies

NYC Department of Finance (DOF)
• Concerns: Security of an $8 Billion eCommerce Application with Payment Card Industry (PCI) Compliance
• NYCSERVE: Online Payment System

Page 12: An Introduction To Pivot Point Security

Sussex County (NJ)
• Concerns: Managing Personally Identifiable Information (PII) and HIPAA Regulations for New Jersey Consumer Affairs
• Vulnerability Assessments / Penetration Testing
• ISO 27001 Gap Analysis & Implementation Leading to ISO 27001 Certification

Woodbridge Township & Board of Education (NJ)
• Concerns: Collapsing Network Infrastructure and Protecting from Malicious Individuals
  Education
  Law Enforcement
  Taxes
  Etc.
• Incident Response / Vulnerability Assessments / Penetration Testing

Page 13: An Introduction To Pivot Point Security

Testing of Hard-to-Secure Distributed Environments
  Radio Networks
  Smart Meters
  In-Home Devices
  Command Response
  SCADA Systems

Page 14: An Introduction To Pivot Point Security

New Jersey Based

New Jersey SBE Type 2

Backdrop Services Contracts
• NY State OGS
• NJ Administrative Office of the Courts
• WSCA (Western States Contracting Alliance)

90% of Projects $6-30k, Falling Under Direct Purchasing Authority (DPA)

Page 15: An Introduction To Pivot Point Security