Connecticut Information Security
is a full-service cyber security firm

We specialize in mitigating security risks, protecting networks, aligning organizations with security standards, and educating workforce members on security-related topics and tools.

Learn more about us
image01

Top Issues from Top Experts

Get in touch with today's top security topics from
the experts in the field.

Visit our blog now
image01

Are You Exposed?

Need help evaluating your security risks?
We are here to help.

Contact us now
image01

CTInfoSec has extensive experience
performing security assessments

We work in a variety of industries, including insurance, financial services, mobile applications, healthcare, online services, manufacturing, utilities, real estate, business services and more.

Find out more
image01

THE BLOG

  • Sep 22, 2021
    Sorting Through the Threats

    Everyday there are new cyber threats facing organizations. Often when an article makes its way to mainstream media, there is a flurry of action and response. This is often well intentioned, but many times is a poor use of resources. So how do we determine what is real and what is hype?

    The first answer, the one nobody will want to hear, is that you need to know your threats. You need to think about them, conduct tabletop exercises around them, understand them inside and out. What information do you stand to lose? What will the impact of a successful attack be? If your data is of low value, or a successful attack is unlikely to disrupt operations or customers, how important is it to protect against? Is the threat a realistic one within your market? Even ransomware can be distinct within various types of industries – from the threat actor to the impact.

    This evaluation can be difficult for data owners and IT security teams to conduct at times, especially if they are not in full knowledge of the datasets, compliance aspects, or operational dependence on data. Thinking about this proactively and having a plan to address threats can be the difference between falling victim to an attack and being able to stop (or prevent) it.

    Most attack types are not new. That is why the MITRE ATT&CK framework works well. In fact, we can take a wider view and map MITRE to general military attack techniques going back as far as history will allow. So as the next big urgent risk is played out in the public forum, take a moment to consider how it applies to you or your organization. Is it something that needs to be urgently addressed, or does it slot in behind other evaluated and prioritized risks in the register?

  • Jul 30, 2021
    Verify Your Controls

    Making sure security controls are working as expected is just as important as making sure backups are operating properly or patching is applied correctly. It isn’t uncommon for controls to fail, creating significant exposures. This can be common, for example, in EDR not blocking an exploit, or a guardrail failing to stop a public S3 bucket. Very rarely do companies revisit a security control put in place after it is initially setup unless it is pointed out in a security assessment.

    Simply having the security control in place isn’t enough, controls must be regularly tested and adjusted according to any changes in risk profile or environment. Without regular check-ins, the practical effectiveness of a control declines over time. Without an initial verification that it is in place as expected, the effectiveness is capped well below potential capability. Here are a few tips to get started:

    - Clearly outline the expected areas of applicability for a control. Define these and share with any relevant parties.

    - Align to a control framework such as ATT&CK or CSF, keeping things easily transferable to new risk evaluations.

    - Select an appropriate methodology, using configuration guides that fit best with the environment. CIS provides many working documents as do most vendors.

    - Perform annual security reviews to ensure controls are still relevant and working as expected.

    Keeping to this guidance will ensure longer term usefulness and best the best ROI on security control investments.

Popular Offerings

IT Security Healthcheck

    We provide a multi-leveled, custom IT Security Healthcheck of your technology environment leveraging a proprietary stack of tactical and operational checkpoints to deliver an analysis of the environment – within your needs and budget - to identify gaps and risks and provide actionable remediation steps with tiered goals.

NARC® Deception Technology

    Our patented NARC® technology identifies internal compromise or malicious insiders. By creating virtual targets and enticing malicious users to them through open services and potentially valuable data, organizations can root out illegitimate traffic and users quickly and without false positives.

PROTECT YOUR BUSINESS.
MITIGATE YOUR RISKS.

Dealing with security attacks has become a fact of doing business online. With the introduction of regulations to protect data,
this has become a critical area for businesses today.

Know your risks. Protect your data. Become compliant.