Improve Your Cybersecurity Posture Today

Cybersecurity expertise that delivers quality

MainNerve is recognized as having one of the most extensive backgrounds in cybersecurity compliance and penetration testing in the country. Its employees have over 52 years of combined experience in providing cybersecurity services to the commercial markets and the U.S. Government. With hundreds of cybersecurity clients, MainNerve has conducted thousands of internal, external, network, web application, SCADA, mobile application and wireless penetration tests across all verticals of the U.S. economy to ensure that our customer’s cybersecurity risk or compliance needs are met.

• Finance and Banking
• Technology
• Cloud
• Healthcare
• Retail
• Manufacturing
• Transportation
• Telecommunications
• Restaurant/Hotel

Technical Certifications

At MainNerve, our team comes from a background of protecting some of this nation’s most valued assets and have some of the most prestigious certifications the cybersecurity industry has to offer as well as the ability to support classified work.

• Certified Information Systems Security Professional (CISSP)
• Certified Computer Examiner (CCE)
• EnCase Certified Examiner (EnCE)
• Certified Ethical Hacker (CEH)
• CompTIA CTT+ Certification
• Certified Reverse Engineering Analyst (CREA)
• CompTIA Security+
• CompTIA Network+
• Red Hat Certified Engineer (RHCE)
• GIAC Web Application Penetration Tester (GWAPT)

Obtain an accurate understanding of your security and risk posture…. and ensure compliance with industry regulators and information security best practices.

MainNerve keeps you compliant and secure

MainNerve’s services ensure that companies meet their Governance, Risk, and Compliance (GRC) needs in a professional and affordable manner. Whether companies require penetration testing to meet PCI, NERC, or CJIJS requirements or auditing to ensure that their policies and procedures are up to date, MainNerve can assist.

Penetration Testing

Few companies in America have the breadth of penetration expertise and services that MainNerve Provides its customers. Using industry leading tools and the latest in penetration testing methodologies MainNerve conducts numerous forms of penetration testing for it customers

• Internal/External Network
• Web Application
• Mobile Application
• NIST Best Practices
• SCADA/ICS
• IOT
• AWS - And the other cloud based platforms

The penetration testing methodologies we use ensure that companies are compliant and up to date ensuring customer, stakeholder and industry/regulatory body satisfaction.

Compliance Services

MainNerve has some of the most extensive experience in assisting clients meet their compliance requirements in the cybersecurity and risk management industry. From the payment card industry, to healthcare, defense contracting, law enforcement and critical infrastructure, MainNerve’s compliance and penetration testing experts have assisted hundreds of companies find their way through the regulatory issues surrounding their industry. With a passion for their customers that is not found in cybersecurity, highly experienced experts and affordable pricing, MainNerve is best positioned to assist you with your compliance needs, no matter what they are.

A Letter From The CEO

From the Desk of Bruce Parkman:

I have often been asked why I decided to move away from Defense Contracting, where I lived for 10 years, to the commercial cybersecurity world. The answer has always been plain to me: there are almost 30 million small and mid-sized businesses out there that are not being afforded the protection they need to stay ahead of the cyber threat. In fact, most of them are on their own when it comes to cybersecurity and to me, that is unacceptable and I wanted to change that. Further, large enterprise organizations require similar levels of protection that the U.S. Government employs.

At MainNerve, we have been providing numerous defense and commercial clients the highest affordable level of cybersecurity services possible since 2002. Very few companies have the expertise and passion that we have applied that to a wide range of customers. It was important to me to figure out a way to make that expertise available to the commercial, public sector and educational markets, to help those companies that, in my opinion, represent the economic backbone of this country.

That decision was the result of what we did at my last company, NEK. To this day, we did our very best to provide our soldiers, sailors, and marines the absolute best support as they fought two wars in support of this great nation. As an example of our commitment, in order to fill a gap in air support for our Special Operations troops, NEK literally bought its own airline to ensure that our troops could get the training they needed. Over the years we provided the highest level of support to thousands of soldiers and numerous units during their time of need.

As we merged MainNerve and our Cyber Operations Group together in 2012, I wanted to provide that same level of commitment in terms of cybersecurity to our customers and partners because, just like our soldiers, they are very important to this nation. By establishing ourselves as a cybersecurity partner, not just a vendor, and providing industry best practices, technology, and just plain old American passion, we would do our best, as a team, to prevent cyber attacks from harming these vital businesses. Today, we are one of the only firms in the U.S. that can provide cost effective cybersecurity services.

As an additional note, this extraordinary level of commitment that MainNerve provides our cybersecurity clients permeates this company and its support of other worthy causes. We are one of the leading supporters of the Green Beret Foundation, which I helped start and provides unique support to over 800 wounded Green Berets and their families. We support numerous local and national veterans, cancer and literacy events, Special Olympics, as well as support the Bob Telemoose Foundation’s Christmas Giveaway with volunteers and thousands of dollars in toys for families in need.

I will continue to ensure that this great company exists to serve not only our cybersecurity customers, but also to serve as a platform to support worthy causes. I have always said that, for a company to be successful, it needs to have a “raison d’etre” much larger than profitability or ambition. I can honestly say, with our commitment to the small and mid-sized business community and venerable causes… we have that here at MainNerve.

Our Mission

MainNerve’s mission is to fill the critical gap in cybersecurity technology and expertise for the cyber defense market by employing critical subject matter expertise, and supporting that with state-of-the-art technologies, and affordable solutions. No matter how large or small… our goal is to educate and advise on exactly what our services offer and how they can assist you with increasing your security posture.

USA Based Services

MainNerve is proud to employ only US-based security engineers, many with DoD and special operations experience. Our organization is dedicated to providing services and support for companies across the United States.

The MainNerve Team

Here at MainNerve, we’re proud of the team that we’ve developed. We cherish the honor of working with some of the best people in the cybersecurity industry… individuals who are highly knowledgeable, experienced, hard-working and sincere. We know that the people on our team are vital to keeping your company secure and protected, so we pick the very best of the best for you!

As a cybersecurity company, MainNerve is a leader in Internet and data security. Our management and cybersecurity team represents a team of experienced professionals with over 30 years of watching IT evolve (watching the networks and security world change)… they have all been there since the beginning. They are dedicated to education…. the next generation of cybersecurity and compliance services, with some of the most experienced technology professionals in the industry to back it up. We are the cybersecurity team to work with.

Our Certifications

At MainNerve, we are truly blessed with a talented team of cybersecurity experts and professionals. Our team comes from a background of protecting some of this nation’s most valued assets and have some of the most prestigious certifications the cybersecurity industry has to offer. And we bring that experience to the commercial world… If you’re looking for quality and affordable cybersecurity… the MainNerve cybersecurity team is the team to work with.

Our Accreditations Include:

• Amazon Web Services Certified Solutions Architect - Associate and Professional
• Amazon Web Services Certified DevOps Engineer - Professional
• Amazon Web Services Certified Developer - Associate
• Amazon Web Services Certified SysOps Administrator - Associate
• ANSI-ASQ National Accreditation Board (ANAB) ISO 27001 Certification
• Certified of Cloud Security Knowledge (CCSK)
• Certified in the Governance of Enterprise IT® (CGEIT®)
• Certified Computer Examiner (CCE)
• Certified Ethical Hacker (CEH)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager® (CISM®)
• Certified Information Systems Security Professional (CISSP)
• Certified Risk and Information Systems Control (CRISC)
• Cisco Certified Network Associate (CCNA)
• Certified Reverse Engineering Analyst (CREA)
• CompTIA CTT+ Certification
• CompTIA Security+
• CompTIA Network+
• EnCase Certified Examiner (EnCE)
• FedRAMP Accredited Third Party Assessment Organization (3PAO)
• GIAC Web Application Penetration Tester (GWAPT)
• GIAC Security Leadership (GSLC)
• Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Assessor
• Palo Alto Networks Accredited Configuration Engineer (ACE)
• Palo Alto Networks Certified Network Security Engineer (PCNSE)
• PCI SSC Approved Scanning Vendor (ASV)
• PCI SSC Qualified Security Assessor Company (QSAC)
• PCI SSC Payment Application Qualified Security Assessor (PA-QSA)
• PCI SSC Payment Application Qualified Security Assessor Point-to-Point Encryption (PA-QSA P2PE)
• Red Hat Certified Engineer (RHCE)
• Splunk Certified Architect
• Splunk Certified Consultant Level 2
• VMware Certified Professional (VCP5-DCP)

An audit of business security strategy and controls to ensure key digital assets are secure. Discover risk and define appropriate mitigation strategies that fit your company’s objectives.

Security Risk Assessments: A Business Security Audit

The most important part of security assessments is the security review & gap analysis. It is the glue that ties the entire security risk assessment solution together. As with security audits, there must be a process for assessing a company’s risk profile. In a security review, we review your key assets, current security strategy, controls, IT infrastructure, and prioritize your top vulnerabilities, risks and recommended security control solutions. Following, MainNerve provides a final report for the purpose of defining future security strategies, determining budgets, and implementing security risk mitigation solutions.

Discover Risk and Define Mitigation Strategies

Security risk assessments are essential for discovering risk and defining appropriate mitigation strategies that fit your company’s objectives. There are two components to security assessments: 1) Security Reviews (often called security audits) provide a complete process for defining security risk strategies based upon your objectives, security posture and status and 2) Security tests such as penetration testing, vulnerability testing and phishing tests which diagnose actual vulnerabilities in specific areas of your security infrastructure.

The MainNerve Process

Security risk assessments are a fundamental foundation for the security of any organization. At MainNerve, our security risk assessments help companies ensure that controls and expenditure are fully commensurate with the risks to which organizations are exposed. Determine which security controls are appropriate and cost effective for your business.

Gap Analysis

MainNerve will interview key personnel identified by the customer either by questionnaire or phone and perform document reviews in accordance with NIST SP800-30. Document reviews will provide the MainNerve risk assessment team with the basis on which to evaluate compliance with policies and procedures in order to ultimately identify potential shortfalls in the administrative, technical, and/or physical security posture.

Deliverable's (*Excluded from Gap Analysis)

The following deliverable's may be provided as part of the engagement depending upon services chosen:

• Gap analysis results that include risk rating and assessment of items such as: physical safeguards, network resources inventoried, data protection measures, log monitoring and auditing.
• *Risk ratings results based on interview or questionnaire (High, Medium, Low, Risk number)
• *The final report will provide information on current assessment and findings of customers’ security posture, recommended remediation and a description of potential risk due to non-remediation.
• *A “Crosswalk to Security” report will also be provided to assist customer in how to develop a plan to mitigate risk. The findings will be presented as a strategic “Crosswalk” in the form of recommendations only. These recommendations are intended to assist the customer’s security posture. This includes items such as: recommended security roles, how to evaluate key security policies and controls ongoing, control implementation guidelines and internal review processes.
• Remediation recommendations.

The deliverable's will be provided to the customer via secure e-mail or through a secure website as mutually agreed. All final deliverable's are shared only with the customer approved representatives.

Security Risk Assessment

As threats to computer systems grow more complex and sophisticated, risk assessments are an important tool for organizations to rely on as part of a comprehensive risk management program. This security risk assessment will help the customer to:

• Determine the most appropriate risk responses to ongoing cyber-attacks.
• Guide investment strategies and decisions for the most effective cyber defenses to help protect your organizational operations (including missions, functions, image and reputation), organizational assets, and employees.
• Maintain ongoing situational awareness of the security state of your organization’s information systems and the environments in which those systems operate.

The risk assessment methodology and approach will be conducted using the guidelines in NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability of information. The assessment report will recommend appropriate security safeguards, permitting customer management to make knowledge-based decisions about security-related initiatives. MainNerve will hold regular status meetings with key personnel to report on progress, discuss any issues that may have been identified, and solicit feedback and guidance related to the engagement. This will ensure that all interested parties are well informed as work progresses and any issues requiring immediate attention or further validation are promptly addressed. The following controls are assessed:

• Administrative Safeguards: This information includes policies and procedures revolving around the administrative side of protecting networks and resources. These policies and procedures may include information about termination procedures and requirements, when training is conducted, sanction policies, etc.
• Physical Safeguards: This section assess the policies and procedures used to protect the physical networks and resources. These safeguards might include locks on doors to server rooms, how access to said server rooms is granted, and who has the authority to grant access.
• Technical Safeguards: This information gathered in this sections allows MainNerve to determine how well the networks and resources are protected technically and virtually. This will include procedures on allowing employees access to specific data required to do their jobs, information about encryption, anti-virus and anti-malware software, as well as information gleaned during the vulnerability scan and penetration test.

MainNerve will hold regular status meetings with key personnel to report on progress, discuss any issues that may have been identified, and solicit feedback and guidance related to the engagement. This will ensure that all interested parties are well informed as work progresses and any issues requiring immediate attention or further validation are promptly addressed.

Social Engineering

Test the susceptibility of employees for email phishing, telephone vishing, and physical attempts to compromise security.

Ensure that your employees aren’t susceptible to the number one cybersecurity threat for businesses—social engineering attacks.

Social Engineering: A Cybersecurity Must Have

Even if it weren’t the current #1 cybersecurity threat for businesses, social engineering attacks are also the fastest growing security threat today. Social engineering attacks, which rely on human interaction and fraudulent behavior to trick people, are the driving force behind spear phishing, email compromises, and ransomware. It’s for these very reasons that, here at MainNerve, we view social engineering as a mush-have service for every business and organization. And it’s why we offer social engineering assessments for email phishing, telephone/text, and onsite/social pretexting.

Ensure your Employees aren’t the Weak Link in your Security

Although traditional cybersecurity attacks leverage technology-based system vulnerabilities, such as misconfigurations and software bugs, social engineering attacks take advantage of human nature and the inherit vulnerabilities in people. And they’ll use deception in order to trick targeted victims into performing acts that end up harmful. At MainNerve, we make social engineering process painless and simple. Our team has conducted and successfully delivered numerous social engineering assessments for businesses of all sizes and types… and we can help you protect your employees.

Social Engineering-based Scams:

Spear Phishing

Spear phishing is a highly-targeted form of attack. Spear phishers use carefully crafted emails alongside social engineering tactics to convince individuals to both open and engage with the email.

Consumer Phishing

Consumer phishing is a type of attack in which a criminal sends a deceptive email that appears to come from a respected brand. This is usually done in order to gain individual account credentials.

Data Breach

Data breaches are frequently the result of intrusions caused by credential theft or the installation of malware. This is in turn fueled by social engineering and identify deception techniques.

Ransomware

Ransomware is a form of malware that infects the computers of its victims. From there, content is encrypted, and the victim is required to pay a ransom in order to regain access to their content.

Email Compromise

Email comptonization, or Business Email Compromise (BEC), is a sophisticated email attack in which a criminal sends a victim’s emails to an organization’s employees. It’s also known as CEO fraud.

The MainNerve Process

MainNerve’s team of highly-qualified and experienced security experts will test your employees in order to determine their level of resistance to the ploys of nefarious actors and social engineers.

Social Engineering

A social engineering test can be used as a one-time method of assessing the effectiveness of a security awareness campaign, or to support new and current training programs. Using the latest intelligence on social engineering techniques, a social engineering test can evaluate employees against general phishing and “spear-phishing” attacks that are intended to exploit trust and lack of security awareness.

• Phishing Email Attack: Deploys a distinct simulated phishing email to test whether employees click on malicious links that they should not. It is a single test where no exploitation occurs, but only collects general information on the effectiveness of the attack and the employee’s response.
• Phishing Data Attack: Tests user security awareness by manipulating individuals in your organization to perform malicious actions or provide sensitive information over email. The content used in these scenarios ranges from generic, spam-like messages to client-specific emails that are designed to appear to originate from internal users, third-party service providers, or clients.

MainNerve recommends that the names and/or email addresses of the intended recipients that will be included in the social engineering test be provided beforehand. If such a list is not provided where MainNerve must search or otherwise build a list through manual research, additional costs will be incurred.

• Customer-Provided List (Gray Hat): The customer provides a list of email address of its employees that will be included in the social engineering test. This type of social engineering test represents the simpler and quicker method as research is not required in order to build a list.
• Manual Research (Black Hat): The customer does not provide a list of employees to MainNerve, but relies on MainNerve to gather a list of employees through manual research. Research includes employing tools and techniques for harvesting names and email address from open source directories, social media sites, and customer web sites.

Penetration Testing Services

MainNerve Penetration Testing services are based on (OWASP) Open Web Application Security Project and (NIST) National Institute of Standards and Technology testing methodologies. We bring over 12 years of experience in conducting white, gray and black box assessments for leading compliance standards, such as, HIPAA and PCI or as a matter of best practice. Our U.S. based cybersecurity experts served as Team Leaders and members of the (NSA) U.S. National Security Agency Red Team and DOD. They are responsible for numerous assessments for municipalities, universities, telecommunications and many other industries large and small. The MainNerve team also has some of the highest credentials come with the below trusted certifications that you demand.

Identify Network Vulnerabilities and Exposures

MainNerve’s penetration testing is designed to test your IT systems, cloud assets, applications, API’s, and mobile devices to uncover potential exposures within your organization just as an attacker would—by hacking it. Our expert penetration testing truly simulates the attacks of a real-world hacker; and includes specialized vulnerability assessments, automated scans, and manual techniques, that all work together to reduce risk and identify security gaps.

Methodology

MainNerve performs penetration testing using the methods detailed in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment and OWASP Testing Guide. MainNerve will determine the means and processes that an attacker would use to breach systems and steal data. MainNerve uses highly rated commercial tools, such as Nessus Pro and Metasploit Professional, to perform the testing.

The Process

Penetration testing will involve no less than two experienced security professionals at any given time who will examine the weaknesses of the targeted systems. MainNerve will ensure that all exploits are documented and verified throughout the assessment. All reports (i.e. interim reports) will include a description of the exploit attempts and the successes or failures, documentation of testing activities, and remediation recommendations.

Reporting

In preparation of the final report, all technical data gathered from the penetration testing is included. Other critical information included will be:

• Attack Narrative
• Assessment Timeline(s)
• Screenshots of All Attacks/Findings
• Technical Data
• Statement of Methodology
• Limitations
• Testing Narrative
• Findings
• Tools and Uses
• Remediation Recommendations
• Risk Rating

Penetration Testing Standards: MainNerve’s penetration testing approach is based on industry accepted best practices and standards and follows the penetration testing methods is based on NIST SP 800-115, “Technical Guide to Information Security Testing and Assessment” as well as the standards and the Penetration Test Execution Standards (PTES) and the Payment Card Industry Data Security Standards (PCI-DSS) 3.2.

Process: The MainNerve penetration testing process is one that has been proven thru the penetration testing of hundreds of clients. Using their honed defense and commercial hacking skills, the latest industry tools and unique, manually operated techniques, our technicians follow this process to ensure that a complete understanding of the customer’s requirements is known, discovery is properly planned, attacks are done within the scope and expectation of the customer and a comprehensive report is delivered.

The MainNerve Penetration Testing Process

Upon approval of a project, the MainNerve team will schedule a kick off call to discuss key areas in the rules of engagement such as: methodology and testing techniques, compliance requirements, testing times, and points of contact. The phases listed below discuss key actions that are taken throughout the network penetration testing process.

Network Vulnerability Scanning: An Affordable Cybersecurity Solution

Network vulnerability scanning provides companies with the opportunity to identify active IP addresses and scan them using industry-leading tools with the ultimate goal of discovering vulnerabilities in both internal and external networks—affordably. Throughout the vulnerability scanning process comprehensive automated testing will be used to identify as many network related vulnerabilities as possible. At MainNerve, all of our vulnerability scans go beyond international standards such as NIST, and come with a detailed final report that includes an executive summary, a listing of risk ratings, remediation recommendations, and more.

Identify Documented Vulnerabilities and Exposures within your Network

One of the most significant challenges in securing business environments is having the knowledge required to identify vulnerabilities, prioritize which are the greatest threats posed to your environment, and then remediate any discovered vulnerabilities. This is where MainNerve’s vulnerability scanning services come into play. Our industry-leading scanning tools enable you to perform an in-depth scan of all external, Interned-exposed and internal systems for vulnerability identification and verification.

Test your network for:

WIFI Testing

Measure the overall security of your wireless infrastructure and ensure the integrity and security of your WIFI networks.

Wireless clients are extremely vulnerable to exploits. Know how vulnerable your WLANs are and receive remediation recommendations to improve your wireless security.

WIFI Penetration Testing: A Hybrid Approach

MainNerve utilizes automated, as well as comprehensive manual testing, throughout the WIFI penetration testing process. WIFI pen tests are performed in order to identify all wireless network and business-logic related vulnerabilities. At MainNerve, all of our WIFI security tests go beyond national standards such as NIST, and come with a detailed final report detailing the results of the test. This final report includes an executive summary, a listing of risk ratings, remediation recommendations, and more.

Identify Wireless Security Vulnerabilities

Simply because of its nature and medium, wireless networks are inherently less secure than wired networks. From rogue access points to weak encryption algorithms… to customers that access your wireless networks, threats to WIFI networks are unique… and the risk they pose for businesses can be significant. It is for this very reason that businesses must be cognizant of the security implications associated with an unsecured wireless network. MainNerve’s wireless penetration testing services help businesses evaluate the security of their wireless implementations and provide remediation recommendations for improvement.

Test your wireless network against:

SCADA Testing

Assess the effectiveness of your security controls through the manual analysis of your SCADA systems.

Discover security gaps through safely, and expertly, simulated attacks against your SCADA or Industrial Control Systems (ICS).

SCADA Penetration Testing Process:

SCADA Penetration Testing vs. Commercial Penetration Testing

SCADA systems are different from most TCP/IP-based system in that many ICS vendors use proprietary protocols to communicate within their systems. Additionally, movements within establishing industry standards such as DNP 3.0 and Modbus and methods of communicating on ICS LANS with minimal authentication put ICS systems at risk of a cyber-attack. Additionally, due to the differences between commercial and proprietary SCADA/ICS systems, the same vulnerability assessment or penetration testing tools/methods that maybe used in a standard commercial penetration test can have a serious impact on a SCADA/ICS network if improperly applied. MainNerve’s experts work with the customer’s Assessment Team to understand the implications of testing on a production system and when possible to mitigate operational effects by testing offline or on a backup ICS. To MainNerve, the best possible outcome is the proper testing of a SCADA/ICS that provides adequate details around identified vulnerabilities and the provision of mitigation information for the SCADA/ICS Administrator or Security staff to address them.

SCADA Penetration Testing: A Hybrid Approach

SCADA Penetration Testing with MainNerve is designed to assess the effectiveness of your security controls as applied to NERC-CIP, NIST 800-53 v4 or ISO 27001 through the manual analysis of your SCADA systems and application of best practices to Information Technology and Operational Technology systems for Critical Infrastructure. SCADA/ICS penetration tests are highly sophisticated due to the combination of customized technology, the criticality of the infrastructure that is dependent on it, and the knowledge necessary to penetration test these systems without taking them off-line. To conduct SCADA/ICS penetration tests, MainNerve assesses these systems with a combination of the disparate knowledge base of the actual SCADA language environment itself as well as industry leading penetration testing expertise to ensure that all vulnerabilities identified and exploited do not jeopardize customer operations or its infrastructure. Depending on the customer’s needs, MainNerve can provide White, Grey, or Black box testing and can accelerate to Red Team operations if needed.

Robust threat exploration and manual analysis of your web applications to uncover security gaps and identify exploitable vulnerabilities, weaknesses, and technical flaws.

Web Application Penetration Testing

Robust threat exploration and manual analysis of your web applications to uncover security gaps and identify exploitable vulnerabilities, weaknesses, and technical flaws.

Web Application Security: A Hybrid Approach

Throughout the web application penetration testing process, automated, as well as comprehensive manual testing, will be used to identify all application and business-logic related vulnerabilities. At MainNerve, all our web app security tests go beyond international standards such as OWASP and come with a detailed final report that includes an executive summary, a listing of risk ratings, remediation recommendations, and more.

Identify Application Vulnerabilities And Exposures

Web applications frequently store sensitive information… and may even provide an external access point to your network. MainNerve’s expert penetration testing truly simulates the attacks of a real-world hacker–which includes specialized vulnerability assessments, automated scans, and manual techniques. These cyber services all work together to reduce false positives and identify application security gaps.

The MainNerve Process

MainNerve’s web application penetration testing services and designed to improve the security of your web applications through a comprehensive, highly-manual, risk-based approach to identifying critical vulnerabilities. And at the end of the MainNerve web app pen test process, you will receive a detailed report that clearly defines the result of the test. MainNerve application security solutions are designed to help realize a resilient application that can withstand sophisticated cyber threats.

Test Your Web Application Against:

Web Application Vulnerability Assessments

Add value to a web application vulnerability scan with an assessment by a certified cybersecurity engineer.

70% of websites are vulnerable to malicious hackers. Make sure you aren’t. Detect vulnerabilities and get on a path to remediation.

Web App Vulnerability Assessments: An Affordable Cybersecurity Service

Cyber-attacks are shifting away from the network level to the application level. The number of high-profile attacks on the websites of financial institutions, healthcare organizations, and small businesses is rising at a pretty alarming rate. End-user workstations are continuously under sophisticated attacks targeting web-based solutions. It is an unfortunate reality that malicious hackers may start targeting your web applications. With web application security assessments, you gain an inside look at your application(s) and gain the benefit of reporting and analysis on all identified weaknesses. The ultimate goal behind a web app vulnerability assessment is to report on the findings of a web application vulnerability scan and combine them with the analysis of a professional cybersecurity engineer.

Identify Documented Vulnerabilities and Exposures within your Web Apps

Web application vulnerability assessments provide companies with the opportunity to discover vulnerabilities within their applications. Note that throughout the web app vulnerability assessment process, comprehensive automated testing will be used to identify used to identify application related vulnerabilities. At MainNerve, all our web application vulnerability assessments go beyond OWASP best practices in addition to national standards such as NIST, and come with a detailed final report and assessment by an experienced cybersecurity engineer.

Web Application Vulnerability Scanning

Discover, catalog, and scan all your web applications for vulnerabilities and misconfigurations.

Protect your sensitive information and web properties with regular check-ups.

Web Application Vulnerability Scanning: An Affordable Cybersecurity Service

If there’s one thing history has taught us, it’s that the rapid evolution of web applications has forced companies to adapt and evolve their security techniques at an alarming rate. Regularly performing web application vulnerability scans can help businesses maintain their security against trending cyber threats. And with the high internal costs of developing and implementing a proper web app assessment methodology/solution, outsourcing your web application services offers an affordable alternative.

Identify Documented Vulnerabilities and Exposures within your Web Apps

Web application vulnerability scanning provides companies with the capability to discover vulnerabilities within their applications. Note that throughout the web app vulnerability scanning process, comprehensive automated testing will be used to identify application-related vulnerabilities.. At MainNerve, all of our web application vulnerability scans go beyond national standards such as NIST, and come with a detailed final report.

Test your web application against:

API Security Testing

Pinpoint where API attacks really succeed… not just the areas that may be susceptible to attacks. Validate authentication, encryption, and access controls.

Understand the risk posed to you, and your customers, by the vulnerabilities present in the API/message layer and web UI level of your applications.

API Security: A Hybrid Approach

Throughout the API penetration testing process, automated, as well as comprehensive manual testing, will be used to identify existing vulnerabilities at the API / message layer of your applications. At MainNerve, all of our API security tests go beyond national standards such as OWASP, and come with a detailed final report that includes an executive summary, a listing of risk ratings, remediation recommendations, and more.

Identify API Vulnerabilities And Exposures

When it comes to API security testing, there are a number of things to consider. So here at MainNerve, we perform API security testing by analyzing both request and response. This is done in order to discover and fix security vulnerabilities earlier in the software development cycle. Whether you’re using REST, SOAP, or a mix of both, we’ve got your APIs covered. Further, a detailed analysis of JSON and XML are performed as part of our API security testing process sent in the API/message layer and web UI level of your applications.

Mobile Application Testing

Comprehensive penetration testing that identifies design defects, vulnerabilities, and security weaknesses in mobile applications.

Protect your mobile business and mobile applications from cyber threats with advanced mobile security testing.

Mobile Application Security: A Hybrid Approach

Throughout the mobile application penetration testing process, automated, as well as comprehensive manual testing, will be used to identify all application and business-logic related vulnerabilities. At MainNerve, all of our security tests go beyond national standards such as NIST, and come with a detailed final report that includes an executive summary, a listing of risk ratings, remediation recommendations, and more

Identify Mobile App Vulnerabilities And Exposures

MainNerve mobile application penetration testing is designed to test your mobile applications and uncover potential exposures and vulnerabilities that could be exploited by a hacker. Our expert mobile application testing simulates the attacks of a real-world hacker; and includes specialized vulnerability assessments, automated scans, and manual techniques, that all work together to reduce false positives and keep you one step ahead of hackers.

Test your mobile application against:

Vulnerability Scanning and Assessment

Vulnerability scanning will identify known network, operating system, web application, and web server vulnerabilities with the use of automated scanning tools. Scans will provide an overall snapshot of the vulnerabilities present on the internal and external networks and assist in vulnerability risk management (Figure 1). All vulnerabilities are classified in a rating system with severity levels of impact. Optionally, when validating the vulnerabilities discovered, MainNerve may, upon request, manually reviews all discovered vulnerabilities. This reduces false positives and provides an actionable list of vulnerabilities for remediation.

Deliverables

MainNerve will prepare a final vulnerability scan report in accordance with the NIST Technical Safeguards or OWASP. The report will, if relevant to the current project, contains at a minimum the following sections:

• Risk Classification and Scoring
• Security Analysis
• Technical Summary
• Vulnerabilities by Severity

Rescan Methodology

MainNerve provides rescanning services wherein vulnerabilities or weaknesses discovered during the initial vulnerability scans are analyzed to determine whether remediation steps have been applied effectively by the client. A rescan report can be included in the overall final report or in a separate document.

Security Risk Assessments

Discover Risk and Define Mitigation Strategies

Security risk assessments are a fundamental foundation for the security of any organization. At MainNerve, our security risk assessments help companies ensure that controls and expenditure are fully commensurate with the risks to which organizations are exposed.

Security risk assessments are essential for discovering risk and defining appropriate mitigation strategies that fit your company’s objectives. There are two components to security assessments: 1) Security Reviews (often called security audits) provide a complete process for defining security risk strategies based upon your objectives, security posture and status and 2) Security tests such as penetration testing, vulnerability testing and social engineering tests which diagnose actual vulnerabilities in specific areas of your security infrastructure.

Security Risk Assessments: A Business Security Audit

The most important part of security assessments is the security review and gap analysis. It is the glue that ties the entire security risk assessment solution together. As with security audits, there must be a process for assessing a company’s risk profile. In a security review, we review your key assets, current security strategy, controls, IT infrastructure, and prioritize your top vulnerabilities, risks and recommended security control solutions. Following, MainNerve provides a final report for the purpose of defining future security strategies, determining budgets, and implementing security risk mitigation solutions.

Advantages of a Risk Assessment

• Identify enterprise risks that could impact your business
• Assess business security strategies
• Update risk associated policies and procedures
• Prioritize security budget requirements based on risk findings.

HIPAA Risk Assessments

A rigorous and detailed identification and prioritization of key HIPAA compliant risks.

Ensure your company’s compliance with HIPAA regulations and protect yourself from security breaches and hefty fines.

HIPAA Risk Assessments: A Healthcare Requirement

HIPAA Risk Assessments are a requirement for remaining HIPAA compliant and are designed to help with the identification of potential vulnerabilities within your organization in order to determine how to remediate those vulnerabilities. Working towards remediating any discovered vulnerabilities will help to protect your patients’ information. And, from a business perspective, protect you from costly fines for failing to apply best practice security standards within your organization.

Simplify Your Next HIPAA Risk Assessment with MainNerve

Although conducting regular HIPAA risk assessments may seem to be a hassle, the cost of failing to conduct them and remediate risks is much worse. Penalties can include millions of dollars in fines, civil and criminal litigation, restitution, and damage to institutional and professional reputations. At MainNerve, we make the HIPAA risk assessment process painless and simple. Our team has conducted and successfully delivered numerous HIPAA risk assessments to healthcare organizations of all sizes and types—we can help you as well.

In accordance with the law, you must be compliant with the following:

• HIPAA Security Rule
• HIPAA Privacy Rule
• Breach Notification Rule
• Administrative and Simplifications Rules
• Medicare and Medicaid Enforced by CMS
• State Laws

The MainNerve Process

MainNerve’s team of highly-qualified and experienced security experts understand what it takes to implement a comprehensive Information Privacy and Security Program—and how to build a culture of compliance.

HIPAA Risk Assessment

As threats to computer systems grow more complex and sophisticated, risk assessments are an important tool for organizations to rely on as part of a comprehensive risk management program. This security risk assessment will help the customer to:

Determine the most appropriate risk responses to ongoing cyber-attacks.

Guide investment strategies and decisions for the most effective cyber defenses to help protect your organizational operations (including missions, functions, image and reputation), organizational assets, and employees.

Maintain ongoing situational awareness of the security state of your organization’s information systems and the environments in which those systems operate.

The risk assessment methodology and approach will be conducted using the guidelines in NIST SP 800-30, “Risk Management Guide for Information Technology Systems”, in addition to 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act” (HIPAA) Security Rule. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability of information. The assessment report will recommend appropriate security safeguards, permitting customer management to make knowledge-based decisions about security-related initiatives. The following controls are assessed:

Administrative Safeguards: This information includes policies and procedures revolving around the administrative side of protecting networks and resources. These policies and procedures may include information about termination procedures and requirements, when training is conducted, sanction policies, etc.

Physical Safeguards: This section assess the policies and procedures used to protect the physical networks and resources. These safeguards might include locks on doors to server rooms, how access to said server rooms is granted, and who has the authority to grant access.

Technical Safeguards: This information gathered in this sections allows MainNerve to determine how well the networks and resources are protected technically and virtually. This will include procedures on allowing employees access to specific data required to do their jobs, information about encryption, anti-virus and anti-malware software, as well as information gleaned during the vulnerability scan and penetration test.

MainNerve will hold regular status meetings with key personnel to report on progress, discuss any issues that may have been identified, and solicit feedback and guidance related to the engagement. This will ensure that all interested parties are well informed as work progresses and any issues requiring immediate attention or further validation are promptly addressed.

Gap Analysis

MainNerve will interview key personnel identified by the customer either by questionnaire or phone and perform document reviews in accordance with NIST SP800-30. Document reviews will provide the MainNerve risk assessment team with the basis on which to evaluate compliance with policies and procedures in order to ultimately identify potential shortfalls in the administrative, technical, and/or physical security posture.

Deliverables (*Excluded from Gap Analysis)

The following deliverables may be provided as part of the engagement depending upon services chosen:

Gap analysis results that include risk rating and assessment of items such as: physical safeguards, network resources inventoried, data protection measures, log monitoring and auditing.

• Risk ratings results based on interview or questionnaire (High, Medium, Low, Risk number)
• The final report will provide information on current assessment and findings of customers’ security posture, recommended remediation and a description of potential risk due to non-remediation.
• A “Crosswalk to Security” report will also be provided to assist customer in how to develop a plan to mitigate risk. The findings will be presented as a strategic “Crosswalk” in the form of recommendations only. These recommendations are intended to assist the customer’s security posture. This includes items such as: recommended security roles, how to evaluate key security policies and controls ongoing, control implementation guidelines and internal review processes.
• Remediation recommendations.

The deliverables will be provided to the customer via secure e-mail or through a secure website as mutually agreed. All final deliverables are shared only with the customer approved representatives.

Red Team Assessments

A multi-faceted, full-scope attack simulated against software, hardware, people, and facilities.

Obtain a comprehensive, realistic view of your business’ vulnerabilities and the level of associated risk.

Red Team Assessments: A Comprehensive Attack Simulation

A Red Team Assessment is a multi-blended and comprehensive attack that involves several facets of physical penetration testing, social engineering, application penetration testing, as well as internal and external network penetration testing. The goal of a Red Team Assessment is to reveal real-world opportunities for malicious hackers, or just malicious employees and bad actors, to be able to compromise all aspects of your organization. With a Red Team Assessment, you gain a full-scope understanding of how an attacker might gain unauthorized virtual and/or physical access to sensitive information leading up to data breaches and full system/network compromise.

Identify Vulnerabilities and Determine Level of Risk

With a MainNerve Red Team Assessment, your company will gain a realistic understanding of how well your networks, applications, people, and physical security controls can withstand an attack from a real-life hacker. All of our Red Team Assessments are carried out by our highly-trained security engineers (NSA Red Team experience) in an effort to: (1) Identify physical, hardware, software, and human vulnerabilities; (2) Obtain a more realistic understanding of risk for your organization; and (3) Help provide remediation recommendations for all identified security weaknesses.

Test your business against multiple attack vectors:

The MainNerve Process

MainNerve Red Team Assessments are designed to provide businesses with a truly holistic view of their security posture. With a red team assessment, a full-scope, multi-layered attack simulation is performed in order to measure how resilient your people, networks, applications and/or physical security controls are to an attack from a real-life adversary. Concluding the red team security assessment, MainNerve will provide a comprehensive final report that details all the findings of the test.