Connecticut Information Security
is a full-service cyber security firm

We specialize in mitigating security risks, protecting networks, aligning organizations with security standards, and educating workforce members on security-related topics and tools.

Learn more about us

Top Issues from Top Experts

Get in touch with today's top security topics from
the experts in the field.

Visit our blog now

Are You Exposed?

Need help evaluating your security risks?
We are here to help.

Contact us now

CTInfoSec has extensive experience
performing security assessments

We work in a variety of industries, including insurance, financial services, mobile applications, healthcare, online services, manufacturing, utilities, real estate, business services and more.

Find out more

THE BLOG

  • Jun 30, 2022
    MFA is a Requirement (but Not Perfect)

    In the age of sophisticated phishing attacks and credential harvesting, multi-factor authentication (MFA) is a crucial part of any security program. It is often trivial for attackers to obtain a user's credentials through password spraying or phishing campaigns. Even though most organizations educate users about phishing, some percentage of employees will still fall for it and hand their credentials to attackers without realizing it. In an environment full of distractions, users will miss the common tell-tale signs of a phishing attack: the 'external' banner, the mistyped domain, and the lack of encryption on the page collecting their credentials (and that last sign is increasingly unreliable, since phishing pages routinely carry valid TLS certificates).

    You can enforce account lockouts on login pages and deploy technology to block most phishing attempts, but it is very likely that something, or someone, will get through. MFA gives your organization some assurance that if a user does fall victim to credential theft, a breach of the environment is less likely, since the attacker would also need the second factor to get in.

    Note that it is not enough to lock down the VPN: every external access point into the environment must be protected – VPN, webmail, collaboration tools, and so on. Services that accept legacy authentication and never prompt for a second factor (Exchange Web Services with basic authentication, for example) should be restricted or shut off completely. Users should not be granted 'exceptions' that bypass this control; an exempted account is exactly the one an attacker will go after.

    Keep in mind that MFA is not a magic pill for every problem. Sophisticated phishing attacks can still get an attacker into the environment: a real-time phishing proxy can relay the one-time passcode the user types, and repeated push prompts can wear a user down until they tap 'approve' (so-called MFA fatigue). These attacks happen less frequently than plain credential theft, but they do happen, and educating users about what a 'real' phishing attack looks like today helps here as well. Without MFA you are not only susceptible to attack; there could be a hard-to-spot attacker in your internal network right now, and depending on which account was compromised, that attacker may hold significant access privileges.

    What we know is that no security measure is perfect or infallible. Layered controls – with MFA near the top of the list (right up there with logging!) – create an environment that holds up against much of today's malicious activity.
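To make the preceding points concrete, here is an added example (not code from the CTInfoSec post) that triages sign-in records for the three gaps described above: successful sign-ins over legacy protocols such as Exchange Web Services that never prompt for a second factor, interactive sign-ins that succeeded with a password alone (the 'exceptions'), and bursts of denied push prompts followed by an approval (MFA fatigue). The field names loosely follow Azure AD / Entra ID sign-in log fields (clientAppUsed, authenticationRequirement, errorCode, with 500121 as the failed strong-authentication code); the records are constructed for illustration, and the record layout and the set of legacy client-app labels are assumptions to adapt to your own log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values for protocols that accept a password alone and never
# complete a second factor (legacy / basic authentication). Assumed set; review
# against what your identity provider actually labels.
LEGACY_CLIENT_APPS = {"Exchange Web Services", "Exchange ActiveSync", "IMAP4",
                      "POP3", "Authenticated SMTP", "Other clients"}

MFA_DENIED_ERROR = 500121  # Entra ID: strong authentication request failed (declined / timed out)
MFA = "multiFactorAuthentication"
SINGLE = "singleFactorAuthentication"


def ev(time, user, ip, app, requirement, error_code=0):
    """Build one sign-in record in the (assumed) log layout used below."""
    return {"time": time, "user": user, "ip": ip, "clientAppUsed": app,
            "authenticationRequirement": requirement, "errorCode": error_code}


# Constructed sample events, not real logs.
SAMPLE_SIGNINS = [
    # alice: normal browser sign-in that completed MFA
    ev("2022-06-30T08:01:00", "alice@example.test", "203.0.113.10", "Browser", MFA),
    # bob: mailbox access over EWS with a password only - MFA was never prompted
    ev("2022-06-30T08:02:10", "bob@example.test", "198.51.100.7", "Exchange Web Services", SINGLE),
    # carol: an MFA 'exception' - interactive sign-in that succeeded with a password alone
    ev("2022-06-30T08:05:00", "carol@example.test", "203.0.113.22", "Browser", SINGLE),
    # dave: four push denials in under five minutes, then an approval - MFA fatigue pattern
    ev("2022-06-30T08:10:00", "dave@example.test", "198.51.100.44", "Browser", MFA, MFA_DENIED_ERROR),
    ev("2022-06-30T08:11:30", "dave@example.test", "198.51.100.44", "Browser", MFA, MFA_DENIED_ERROR),
    ev("2022-06-30T08:13:00", "dave@example.test", "198.51.100.44", "Browser", MFA, MFA_DENIED_ERROR),
    ev("2022-06-30T08:14:45", "dave@example.test", "198.51.100.44", "Browser", MFA, MFA_DENIED_ERROR),
    ev("2022-06-30T08:16:00", "dave@example.test", "198.51.100.44", "Browser", MFA),
    # erin: one denial on its own - a mis-tapped prompt, not a campaign
    ev("2022-06-30T09:00:00", "erin@example.test", "203.0.113.5", "Browser", MFA, MFA_DENIED_ERROR),
]


def legacy_auth_successes(events):
    """Successful sign-ins over MFA-bypassing protocols: the 'EWS' gap."""
    return sorted({(e["user"], e["clientAppUsed"]) for e in events
                   if e["errorCode"] == 0 and e["clientAppUsed"] in LEGACY_CLIENT_APPS})


def single_factor_interactive(events):
    """Interactive sign-ins that succeeded without MFA: the 'exceptions' a policy should not allow."""
    return sorted({e["user"] for e in events
                   if e["errorCode"] == 0
                   and e["clientAppUsed"] not in LEGACY_CLIENT_APPS
                   and e["authenticationRequirement"] == SINGLE})


def push_fatigue_candidates(events, threshold=3, window=timedelta(minutes=10)):
    """Users with >= threshold MFA denials inside one window; also records whether
    an approval followed the burst, which is the moment the attacker got in."""
    denials, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["authenticationRequirement"] != MFA:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["errorCode"] == MFA_DENIED_ERROR:
            denials[e["user"]].append(t)
        elif e["errorCode"] == 0:
            approvals[e["user"]].append(t)

    findings = {}
    for user, times in denials.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                approved = any(burst_end < a <= burst_end + window for a in approvals[user])
                findings[user] = {"denials": len(times), "approved_after_burst": approved}
                break
    return findings


if __name__ == "__main__":
    print("legacy-auth successes:", legacy_auth_successes(SAMPLE_SIGNINS))
    print("single-factor interactive:", single_factor_interactive(SAMPLE_SIGNINS))
    print("push-fatigue candidates:", push_fatigue_candidates(SAMPLE_SIGNINS))
```

Run as a script to print the three findings. The first two lists are the items to close with an authentication policy rather than to alert on; the third is a detection, and the `approved_after_burst` flag is what should drive an immediate session revocation and password reset rather than a ticket.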

  • May 31, 2022
    Trust but Verify

    The technology landscape has changed drastically over the past two decades. Companies trying to do everything themselves are a thing of the past. SaaS, PaaS and IaaS are all the rage, and organizations are adopting them to run many aspects of their businesses. With this evolution comes risk. Even as companies look to lessen their burden of on-site data and regulatory obligations by pushing them off to third-party vendors, security remains a major concern, because responsibility for the data does not leave with it.

    Today, organizations must enter into these relationships with trust, but not trust alone. Contracts are a must, and so is verification of security practices. All too often, companies look past security concerns, assuming that if the software is out in the marketplace it must be secure.

    Unfortunately, many software companies go to market without a clear security plan and without proper controls in place. It is imperative that organizations take the time to ask about security practices and obtain attestation letters stating that the solution has been penetration tested appropriately (and when, by whom, and at what scope). Also important is to receive concrete assurances that security controls are being followed, that they meet your company's regulatory needs, and that they align with your organization's risk appetite.

    Be sure to vet new third-party vendors and ask security questions before signing the contract. Before a signature, the vendor is more likely to share information quickly, since the request is holding up execution of the contract. Requesting this information early also lets you walk away without the legal trouble of undoing a contract.

    If you decide to move forward despite security gaps, track the risk (with an owner and a review date) and follow up with the vendor periodically to see whether the gaps have been remediated. And if your third-party software vendor doesn't have penetration test results, feel free to send them our way.

Popular Offerings

IT Security Healthcheck

    We provide a multi-level, custom IT Security Healthcheck of your technology environment. Leveraging a proprietary stack of tactical and operational checkpoints, we deliver an analysis of the environment – within your needs and budget – that identifies gaps and risks and provides actionable remediation steps with tiered goals.

NARC® Deception Technology

    Our patented NARC® technology identifies internal compromise and malicious insiders. By creating virtual targets and enticing malicious users toward them with open services and apparently valuable data, organizations can root out illegitimate traffic and users quickly and without false positives: no legitimate user has a reason to touch a decoy.

PROTECT YOUR BUSINESS.
MITIGATE YOUR RISKS.

Dealing with security attacks has become a fact of doing business online. With the introduction of regulations to protect data,
this has become a critical area for businesses today.

Know your risks. Protect your data. Become compliant.