Services

Please contact us for a customized solution for all of your security needs

Areas of Expertise

McDowell Associates provides professional IT consulting services to companies throughout the United States. We specialize in the successful, secure implementation and management of core information technology. McDowell Associates engages a network of highly skilled consultants and project managers who can help you achieve your technology goals.

McDowell Associates opens up possibilities for your business. We are ready to help you solve your most difficult technical challenges. We offer you a complete network of experienced and highly qualified consultants who deliver creative solutions through a highly collaborative problem-solving approach. Because McDowell Associates is not aligned with any hardware or software vendors, we are able to provide you with completely objective technology solutions.  

McDowell Associates begins by understanding your needs. We have the experience to quickly and precisely determine your requirements. Project management is one of McDowell Associates' greatest strengths. Using our proven methodology, we actively manage the scope and delivery of our projects. McDowell Associates also assigns experienced Engagement Managers to oversee our projects. Each Engagement Manager is accountable for the well-being of our consultants and our clients, and the consistent delivery of successful project results.

Key Security Differentiators 

  • Collaborative Project Management Methodology - We work side-by-side with our clients to supplement their in-house skills and resources. Clients retain ultimate authority over their ongoing network operations. 

  • Specialized Security Expertise - We have expertise in a number of specialized disciplines, including assessing risk, planning for defense, and architecture and infrastructure expertise to ensure our customers have a comprehensive security solution. 

  • Quality, Customized Service Delivery - We develop the project specifications, supervise development of all client reports, and ensure delivery of quality products to each client. The McDowell Associates technical staff provides project management, design support, and implementation management according to the needs of each project.

  • CCNA, CSSA, CICP, CEH and NSA IAM & IEM Certified - McDowell Associates utilizes its certified consultants to assess security for the organization. 

  • Business Level View - McDowell Associates consultants understand that risk management must be driven at the business level and applied at the technical level. This view is reflected by our IT Risk Framework. 

McDowell Associates is committed to the continual improvement of technology (e.g., tools, applications, systems, networks) and methods used to ensure the evolution of security for our customers. Our commitment to continuous improvement assists our customers in developing technology and processes that align with changes in their security posture. Through our client deliverable and knowledge transfer processes, McDowell Associates provides a comprehensive set of improvement recommendations to mitigate identified risks, in addition to remediation of general vulnerabilities discovered during the engagement. McDowell Associates' continuous improvement processes help us to ensure that our security consultants are aware of changes in the industry and that we provide comprehensive professional services.

Network Penetration Testing

We work to determine the Scope, Rules of Engagement and overall Goals of your organization.  This will establish what is to be tested and what approaches will be used during testing.   

We will use industry trusted tools, commercial scanners and manual techniques to discover all vulnerabilities.   

We then work to eliminate all false positive findings. This is done through exploiting and validating all possible security threats. We take screenshots and provide information to explain and show the nature of each security threat.

REPORTING:

Any high-risk vulnerabilities/risks identified will be immediately reported to management for appropriate action. The final report will describe the identified vulnerabilities/risks (prioritized as High, Medium, or Low), along with cost-effective recommendations for the remediation.


Web Application testing

We use a customized process for conducting assessments of Web-based applications. This testing is designed to assess the development effort of the client’s Web application. In contrast to network-based testing for known vulnerabilities, this test identifies design flaws and recommends methodologies for improving the security of Web applications at the development level.

We review the logic structure, code, methods of access and authentication mechanisms of your web-based applications. We test for SQL injection, Cross-Site Scripting (XSS) and many other web application attack vectors.

REPORTING:

Any high-risk vulnerabilities/risks identified will be immediately reported to management for appropriate action. The final report will describe the identified vulnerabilities/risks (prioritized as High, Medium, or Low), along with cost-effective recommendations for the remediation.


Wireless Testing 

We utilize a three-phased approach to evaluate wireless networks:

Phase 1: Map and Identify Active Wireless Networks. We will investigate potential exploitation options that would be available to an individual with only radio access to the wireless network space. With only very limited knowledge we will attempt the following:

• Detect the wireless networks in place.

• Determine the locations and ranges of the wireless networks.

• Evaluate the range of the wireless access area (i.e., can a computer attach to the wireless LAN from another floor or from outside the building?).

• Determine whether network configuration information is being advertised.

• Probe points of entry for identifying system information or access parameters.

Phase 2: Assess Wireless Implementation for Vulnerabilities. Once wireless networks have been identified, we will investigate potential exploitation options as a user with normal user access within the target area. We will evaluate the security measures taken to secure the wireless infrastructure, including the following:

• The use of WPS.

• The use of WEP encryption

• The strength of WEP encryption

• The use of WPA/WPA2 encryption

• The strength of WPA/WPA2 encryption

• Network segmentation

• Access control devices (i.e. wireless MAC address access lists, RADIUS, filtering routers, firewalls, etc.)

Phase 3: Exploit Vulnerabilities and Access Other Networks. We will attempt to exploit the wireless network vulnerabilities and weaknesses discovered during Phase 2, and obtain access to other network segments (either wired or wireless). If access is obtained, various methods to increase privileges will be attempted. We will attempt to determine the following:

• The wired network segments and systems, if any, the wireless network infrastructure can access.

REPORTING:

Any high-risk vulnerabilities/risks identified will be immediately reported to management for appropriate action. The final report will describe the identified vulnerabilities/risks (prioritized as High, Medium, or Low), along with cost-effective recommendations for the remediation.


Social Engineering  

McDowell Associates provides a “safe learning environment” where employees can experience what real attacks would feel like. With our variety of predefined, multilingual attack simulations you can test whether your employees are really familiar with the dangers of the Internet. We enable you to simulate the full threat landscape that goes beyond just simple phishing emails.

  1. Attack or educate first? A simulation test may start with introductory training where employees are educated about e-mail safety and phishing implications. An organization may also set up an anti-phishing e-mail account where employees can readily share their experiences, suspicions, and other requirements concerning cyber threats before starting the simulation.

  2. Frequency of the simulation: Simulation frequency should be adjusted based on perceived threats. User coverage and simulation frequency should be determined in correlation to the perceived risk (e.g., Finance & Payments – 2 themes / X months, senior leadership – 1 theme / X months). High risk functions / departments and individuals handling important roles in the organization should be covered more frequently as part of the simulation.

  3. Length of the simulation: Most phishing simulation tests are usually planned out over a period of 12 months. However, there can be certain ad-hoc campaigns which are situational.

  4. Timing—when to send e-mails? When planning the campaign for each function / department or individual, phishing e-mails should be initiated with the elements “Day of the week” and “Time of the day” in mind.

  5. Following Up: A phishing simulation campaign may need to be followed up by relevant e-mails from the IT department informing involved employees about the reality of phishing e-mails and what is expected of them in return. If users are repeatedly failing, plan a discussion with them to understand what difficulties they are experiencing and why. Accordingly, arrange for awareness / training sessions for those users.

  6. Consistency with current policies: Once implemented, the process needs to be executed evenly to everyone in scope. Integration into existing information security policies and procedures will also help to give additional importance to the campaign.

  7. Choose the right phishing theme: Please see next section.

  8. Corporate communication: Before initiating the phishing simulation campaign, work out a communication plan about the phishing simulation with the head of function / department. Employees need to be made aware of the new process, what the expectations are, what the consequences of non-compliance include, and when it takes effect.

  9. Targeted group: If the campaign targets a large group of users belonging to the same function / department, they might inform others in the group. Therefore, phishing e-mails should not be forwarded to the entire company as it sparks suspicion. Instead, the process should be organic and must target a small group of select employees at any one time.

  10. Ensure top level commitment: Management support is critical to ensuring that the process is effective. Therefore, higher-tier users need to have a willingness to follow through.

  11. Technical preparations: White-listing of phishing domains, creation of test accounts, mail delivery tests are some of the activities that need to be carefully planned.

REPORTING:

Any high-risk vulnerabilities/risks identified will be immediately reported to management for appropriate action. The final report will describe the identified vulnerabilities/risks (prioritized as High, Medium, or Low), along with cost-effective recommendations for the remediation.


REPORTING

A face-to-face or phone presentation of findings and recommendations  

An executive summary that examines the overall assessment process and results including highlights of specific high priority vulnerabilities and findings. 

A management summary that groups, categorizes, and ranks vulnerabilities by severity level, as well as recommends mitigation techniques. 

Technical reports which include detailed processes and/or findings from each phase of the assessment. This report includes technical mitigation recommendations, technical process improvements and recommendations on proactive mitigation strategies, depending on the situation. 

Any high-risk vulnerabilities/risks identified will be immediately reported to management for appropriate action. The final report will describe the identified vulnerabilities/risks (prioritized as High, Medium, or Low), along with cost-effective recommendations for the remediation. The report will be divided into five major sections including:


1. Executive Summary: A high-level description of the activities performed and a summary of the pertinent findings.


2. Introduction: Contains the task objectives and a description of the steps performed.


3. Methodologies: A detailed description of the processes and procedures used to perform this task. This section contains a description of tools and techniques used by the assessment team.


4. Assessment Findings: A comprehensive list of findings including a detailed discussion that explains each vulnerability discovered and a set of recommendations to address each finding.


5. Conclusions: A high-level set of recommendations based upon the systemic problems found during the assessment.