CISO Security Assessment for a National Construction Company

Challenge: A phishing attack successfully obtained the personal information of all employees. In addition, the Company does not have a security strategy to address cybersecurity threats.

Solution: Perform an in-depth security architecture and configuration review of connected IT systems, conduct penetration testing on publicly accessible devices and wireless networks, and outline internal system vulnerabilities and weaknesses. Identify and mitigate active attacks on the internal network. Provide ongoing consulting services to develop the cybersecurity program, advise on remedial efforts, and maintain focus on threats to operations and confidential information.

HOW WE HELPED

We performed an on-site information security architecture review to determine whether the system design or configuration could allow for exploitable deficiencies. We buttressed this review with a network and vulnerability assessment that revealed hidden weaknesses which, if exploited, could allow unauthorized access to company systems and information.

Our in-depth analysis also found that the organization’s critical infrastructure, including a plant control system, was vulnerable to Internet-based attacks. During our engagement, previously undetected, unauthorized connections from Latvia and China were discovered on the internal network. After immediately escalating these matters to management, we worked closely with the Company’s IT department to provide remediation assistance and to verify that its corrective measures adequately addressed the threat.

BNN Intelligence, or BNNi, uses custom-developed software combined with our decades of real-world, human experience to translate the collected information into meaningful, actionable results. Using BNNi to ingest the mountain of technical vulnerability and controls testing detail generated in the assessment, the team developed and summarized our findings in a four-page prioritized list of ten major pain points. The deliverable described the underlying causes and potential impact of the vulnerabilities, and presented recommendations to address the deficiencies. Some of the more perilous issues we identified were network vulnerabilities that, if exploited, could have resulted in a data breach or ransomware attack, exposing the organization to financial, security, operational and reputational risks.

Using the recommendations as a foundation, our team provided consulting services to assist the construction company’s senior leadership team in prioritizing the identified threats, guiding the selection of remedial actions, and monitoring the ongoing remediation efforts. Our assessment’s detailed findings also served to precipitate network security improvements throughout the organization. Without the remedial action derived from our information security architecture review and vulnerability assessment, the organization could have remained unaware of unauthorized access until the actors achieved their ultimate objective.

Lead Contacts

Patrick Morin

Principal

Pat began at Baker Newman Noyes in 1995 when the firm was founded, having previously been with one of our predecessor organizations since 1988. Pat is a principal of the firm and the director of the risk and business advisory practice.

Ilona Davis

Principal

Ilona has more than twelve years of experience leading and coordinating the daily efforts for audit and consulting projects across numerous industries. She has provided a wide range of advisory services, including regulatory compliance and controls, IT and business risk management, service organization examinations including SOC examinations, IT strategy, system selection, IT security, IT audit, and business process improvement.