Services

Information Technology (IT) systems are vulnerable to a wide range of risks stemming from both physical and cyber threats (i.e., nation-state, criminal, hacktivist, and insider). Cyber actors and nation-states exploit vulnerabilities to pilfer Intellectual Property (IP), Personally Identifiable Information (PII), Protected Health Information (PHI), currency, etc., and/or deploy capabilities to disrupt, destroy, or threaten the delivery of essential IT services. In light of the risk and potential consequences of cyber events, strengthening the security and resilience of our customers' networks and systems is an important mission. To help mitigate these risks of attack and address your compliance needs, Quantum's cyber division provides Cyber Audit and Regulatory Compliance services; Vulnerability Assessment/Penetration Testing; Phishing Assessment & Training; Cybersecurity Training; Incident Response; Policy Development; and other services.

Choosing the right cybersecurity company is essential. We have the expertise and experience in defending against a growing universe of cyber threats using proven processes, state-of-the-art tools, and certified, highly skilled personnel. Our cyber division aligns our Cyber Services with the National Institute of Standards and Technology (NIST), which has responsibility for establishing computer and information technology-related standards and guidelines for all federal agencies (e.g., DoD, DHS, Commerce, etc.). We have no ties to particular cybersecurity products or vendors, giving you true third-party advice to help you select and deploy the right mix of defenses for your unique IT security challenges.

Industries we support include:

NIST Framework

Vulnerability Assessment

Identifies network risks to critical and sensitive data across all major enterprise operating systems, applications, and IT architectures. Industry-leading assessment tools combined with proven techniques gather an accurate picture of the customer's security posture. Reporting provides detailed recommended corrective actions to eliminate or mitigate risks found during the assessment.

Onsite:

  • Quantum maintains a staff of cybersecurity analysts to perform an assessment of your internal operations from within your office space.
  • Work face to face with your personnel as vulnerabilities are detected.
  • Determine whether physical security practices contribute to or detract from the overall security posture.
  • The physical presence of analysts demonstrates to employees the organization is committed to security.

Remote:

  • As a way to reduce costs to our customers, we can utilize remote internal assessment capabilities. Benefits include:
    • Reduced time for service delivery and network evaluation
    • Reduction or elimination of service-related travel costs
    • Security agility

Penetration Testing

Real-world attacker techniques identify defensive weaknesses and data at risk. This can be performed as part of the vulnerability assessment (recommended) or separately to assess the security posture.

A penetration test, sometimes called a PenTest, is an authorized, friendly attack on a computer system that looks for security weaknesses and potentially gains access to the system's features and data. The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal.

We have conducted thousands of PenTests, including Red Team (simulate real-world attacks) and Blue Team (assess the network, identify vulnerabilities, and defend) engagements for commercial and government customers, adding deeper analysis in support of vulnerability assessments. PenTest success is defined as the identification of all vulnerabilities and the delivery of a detailed, executable Remediation Plan to eliminate the cyber threat vector. Our team is so good that it developed and executed training for U.S. Army ethical hackers for many years.

  • Experienced Ethical Hackers
  • Real-World Attack Methods
  • Measure Risk and Impact

Phishing Assessment & Training

We conduct a variety of social engineering "attacks" to simulate real-world intrusion methods and train employees to reduce network risk. Our team developed, tested, and deployed the US Army's phishing training and assessment platform used to train Soldiers and government civilians, and then initiated an IRAD program that redesigned, tested, and launched an updated Quantum Phishing Assessment Tool (QPAT) to support government and commercial customers. Since 2010, our team has conducted phishing assessments targeting in excess of 200,000 users. All social engineering methods are closely coordinated with the customer to ensure no negative impact on the network.

Methods we might employ under customer control and coordination:

  • Phishing attack via email
  • Password cracking: using password-cracking tools to test the strength of user passwords

Process:

Our phishing assessment architecture tests and trains employees to avoid the traps set by attackers. We closely coordinate with customer "Trusted Agents" to distribute phishing messages to users, track their actions, and provide on-the-spot training.

Cyber Awareness Training

Training is essential to keeping your workforce up to date with the cybersecurity skills necessary to counter the ever-evolving threat. An effective security awareness training program turns your workforce into a strong last line of defense against cyber-attacks. To engage users and keep security top of mind, we offer a continuously updated library of cybersecurity training modules, all with consistent, actionable messaging suitable for global organizations.

Our customizable cybersecurity education content covers a broad range of security risks, from phishing attacks to insider threats. We also make it easy to alert your users to the most relevant phishing attacks and lures through our Phishing Education Program. This program quickly teaches users how to spot a current threat and avoid becoming a victim.

Incident Response, Recovery, and Cyber Threat Hunting

Our Incident Response Team (IRT) provides incident response, management, and coordination activities for cyber incidents. Examples of cyber incidents include, but are not limited to, malware infections, data theft, data corruption, ransomware encryption, denial of service, control system intrusions, and threats against assets. We work with our customers to identify and contain threat activity and develop mitigation plans for removal and remediation of the root cause. Our incident response efforts focus on finding the root cause of an incident by searching for Tactics, Techniques, and Procedures (TTPs), along with behaviors and associated artifacts, in the victim network. We offer four types of incident response engagements: remote assistance, advisory deployment, remote deployment, and on-site deployment.

Our IRT's goal is to manage the situation in a way that ensures safety, reduces risk, limits damage, and reduces recovery time and costs. Our experience shows that most response actions will be technical in nature, but any action taken to reduce the impact of an incident is considered part of the incident response. We will keep you apprised of our progress on a daily basis. Following the engagement and completion of analysis, our IRT will deliver a final Incident Response Report (IRR) within 15 days of an incident. The IRR provides the background, scope, findings, security best practices, and conclusions relevant to the incident.

Policy Development & Other Services

Our cyber analysts augment technical assessment activities with a review of the customer's IT information security policies and IT staff procedures to emphasize compliance with industry best practices and applicable standards.

We aggregate results using the data and vulnerability findings generated during the Internal and External Device Assessments to determine potential compliance violations and assign an overall risk rating.

We hold interviews and discussions with key personnel at all applicable levels and map the findings into the policies and procedures to ensure:

  • All decision points are captured
  • Communication chains reflect the right company personnel to deal with specific issues
  • Critical systems and data are identified
  • Accountability is established to meet policy requirements

List of services:

  • Cybersecurity Policy Development
  • Security Operations Center
  • Network Mapping
  • Continuity of Operations (COOP)
  • Forensics
  • Incident Response

Compliance

Regulatory, policy, and industry standards compliance is a critical component of any cybersecurity program. Compliance is directly affected by constantly evolving rules and regulations that attempt to keep pace with escalating cyber threats. The compliance challenge facing organizations is further compounded by new information technology, the rise of IoT, and the explosion of wireless devices and applications.

At Quantum, we recognize these challenges and align and customize our services, assessments, and reports with current industry standards, regulations, and laws. We conduct our compliance reviews by examining customer policies (or the lack thereof), their unique IT network and business operations, and the information they most need to protect (e.g., Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), Covered Defense Information (CDI), Intellectual Property (IP), credit card data, Electronic Protected Health Information (ePHI), and much more). The purpose of our compliance support is to ensure you have the right mix of policies, procedures, and technology to protect an attacker's target: your most important information and data. We support the security principle of least privilege, which requires that access to information is granted only as necessary and required for its legitimate purpose.

We support compliance audits across a variety of standards and legal regimes including, but not limited to:

  • National Institute of Standards and Technology (NIST), with emphasis on NIST SP 800-53, the NIST Cybersecurity Framework, and NIST IR 7966 (guidelines on SSH access management)
  • Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Defense Federal Acquisition Regulation Supplement (DFARS)
  • Payment Card Industry (PCI) Data Security Standard (DSS)
  • Sarbanes-Oxley Act (SOX)