NMI continues to innovate in the information security area as it has since 1990. NMI offers the most complete range of information security services in the industry.

Frustrated by false positives?
It's easy to get frustrated by security tests that contain incorrect information and false positives. However, NMI (or any other testing agency) has an ethical duty to report any finding that cannot be disproven. That duty also limits how much the testing agency can "spin" test results to make the test "look better."

Permissive rules of engagement reduce false information—so a penetration test contains less incorrect information than a vulnerability scan (but may still have some incorrect information).

Can NMI implement solutions?
Yes. NMI can implement and support any information security or information technology solution. Implementation services are part of security architecture and secure software engineering.
Take the SGRC Quiz!
Take the SGRC quiz by choosing one of the five SGRC animals:

  • Ostrich
  • Sloth
  • Tortoise
  • Wolverine
  • Dragon

The SGRC quiz is part of The Martial Art of Security, Governance, Risk Management, and Compliance, a training program and approach to SGRC developed by NMI founder Andrew T. Robinson.

The SGRC quiz does not collect any personally identifiable information.

NMI LLC — Information Security Services

For over 20 years, NMI has created industry-leading solutions to the most difficult problems of security, governance, risk management, and compliance.

  • Testing
  • Architecture
  • Support
  • Software
  • Training

Security Testing

NMI first performed a penetration test in 1994. Since that time, NMI has performed thousands of security tests for hundreds of customers ranging from small businesses to the world's largest companies.

The NMI Difference

  • Expert research (identifies 20-50% more critical vulnerabilities)
  • Consistent reporting across all types of tests (using RSK)
  • Service after the test (including post-remediation report updates)
  • Superior deliverables accessible to all audiences
  • Testing team with extensive programming experience
  • More experience than most organizations (including those much larger than NMI)

Vulnerability Scan

NMI conducts intelligence gathering (discovery) and an automated scan of the scoped systems. NMI security experts use this information as the basis for comprehensive research and analysis (many companies simply provide an annotated report of the automated scan findings). NMI's expert research and analysis reduces nuisance findings and obvious false positives. Results are reported using RSK.

Penetration Test

NMI performs a vulnerability scan, and then uses a combination of automated tools and human expertise to attempt to gain unauthorized access to the scoped systems. A penetration test significantly reduces false positive findings. Because a penetration test has more permissive rules of engagement, NMI often identifies vulnerabilities that are not detected by a vulnerability scan. Results are reported using RSK.

Application Test

An application test provides assurance that your applications, and especially web-served applications, are secure. NMI uses automated tools and over 50 years of combined programming expertise to analyze applications for security flaws. NMI looks for parameter and boundary checking errors, excessive privileges, SQL and HTML injection, cross-site scripting, and other problems in HTML, scripts, and other executable code. Results are reported using RSK.

Configuration Analysis

NMI analyzes the actual configuration of selected systems and networks as a trusted insider (a configuration analysis of your network design is sometimes referred to as a Network Architecture Review). The configuration analysis can be performed independently or as a complement to the other tests described on this page. Configuration analysis identifies problems that are not apparent from external testing, and is the only way to categorically disprove the existence of certain vulnerabilities. Results are reported using RSK.

Phone Scan

NMI scans a list of public switched telephone network (PSTN) numbers you provide to identify modems, faxes, PBX systems, and other phone-accessible resources (a phone scan is also referred to as war dialing). A phone scan is usually an added rule of engagement for a vulnerability scan or penetration test, but can be performed as a standalone test. Results are reported using RSK.

Wireless Scan

NMI will attempt to identify and gain access to wireless networks and devices operating within your organization, including 802.11 and Bluetooth networks and devices (a wireless scan is also referred to as war driving). A wireless scan is usually an added rule of engagement for a vulnerability scan or penetration test, but can be performed as a standalone test. Results are reported using RSK.

Social Engineering

NMI uses phone, web, electronic mail, and on-site covert research and subversive access attempts (referred to as pretexting) to test the strength of your policies, staff training, and technical controls. Social engineering identifies failures in security awareness and information handling practices that may allow an attacker to obtain valuable information from unsuspecting or uninformed employees. Results are reported using RSK.

Security Architecture

Security architecture means the development of secure enterprise information technology solutions, not just security-specific solutions. NMI security architecture and implementation solutions consider security in the context of business needs and risk tolerance as an integral part of every solution's life cycle.

The NMI Difference
  • Strategic business vision
  • Unmatched technical expertise
  • RAPID enterprise security architecture process
    • Business-oriented
    • Shortest time to functional specification
    • Fastest & most cost-effective implementation
    • Guaranteed business acceptance
    • Deployment structured for minimal business disruption
    • Minimize bureaucratic overhead
  • Complete solution documentation
  • Support throughout the entire solution life cycle

Enterprise Security Architecture

NMI will design or enhance your enterprise security architecture (ESA), and work with you to integrate your ESA with every organizational function (not just technology- and security-related projects). NMI offers a unique combination of project management, business management, enterprise governance, and security architecture skills. NMI will:

  • Develop your enterprise security architecture as an overall framework, and integrate that framework with your normal business functions in a cost-effective way that ensures stakeholder and user buy-in.

  • Apply your security architecture to design solutions for specific business needs, ensuring that every solution is secure and meets business requirements, your risk appetite, and the needs of stakeholders and users.

Security Solution Architecture

The development and implementation of an enterprise security architecture (ESA) is important, but you often need a specific information security solution developed and deployed as quickly and cost-effectively as possible. NMI provides the expertise and the security architecture experience necessary to design and implement technology- and security-specific solutions including (but not limited to):

  • Secure network architecture
  • Identity Management (IM)
  • Public Key Infrastructure (PKI)
  • Multi-Factor & Biometric Authentication
  • Reduced Sign-On (RSO) & Single Sign-On (SSO)
  • Security Event & Incident Monitoring (SEIM)
  • Border protection (firewalls, VPN)
  • Intrusion detection (IDS)
  • Intrusion prevention (IPS)
  • Secure domain name service (DNS, DNSSEC)
  • Secure electronic mail (POPS, IMAPS, SMTPS)
  • Malicious Software control
  • Junk and SPAM control
  • Legacy Systems Security Enhancement

Information Security & Information Technology Support

NMI LLC has the broad multi-platform, multi-protocol expertise to support any information security and information technology environment. Services are available 5x8 and 7x24 on a retainer or fixed-price contract basis.

The NMI Difference
  • Support for all manufacturers and operating systems
  • Support for all network architectures and protocols
  • Special expertise with IBM i-Series and z-Series platforms & applications
  • Services available on a 5x8 or 7x24 basis
  • Average 30-minute callback for level 2 and level 3 support requests
  • Average 8-hour on-site response (48 contiguous U.S. states & southern Canada)

General Security & Technology Support

Take advantage of the full range of NMI's security, technology, and software engineering capabilities by phone or email (with scheduled on-site work as necessary).

  • Support for security and technology configurations & initiatives
  • Phone support available on a 5x8 basis with average next-business-day callback
  • Electronic mail support available on a 5x8 basis with average same-business-day callback
  • Schedule on-site work for projects of any size

Managed Security Event & Incident Handling (SEIM)

Real-time monitoring & alerting for intrusion detection & prevention systems. Daily consolidation and analysis, including expert review, of network and system logs for evidence of malicious activity or malfunction. Log review will identify incidents that fall below the detection thresholds of intrusion detection and prevention systems. NMI SEIM offers the following features and options:

  • Detection of probes, attacks, and compromises that escape real-time IDS & IPS
  • Consolidation of logs and audit trails from multiple systems
  • Archiving and analysis of log information at NMI, or on customer equipment
  • Full customer data-mining capabilities
  • Daily, weekly, and/or monthly summary reports on log review activity & findings
  • Procedures optimized for electronic discovery (eDiscovery)
  • Automatic escalation to NMI Incident Response Services available
  • Consulting assistance in whole-network time-synchronization

Incident Response Services

Incident Response Services provide access to security and technology experts when you have a security incident (including non-malicious incidents, accidents, and natural disasters).

  • Expert incident response on a 7x24 basis
  • Average 30-minute callback time
  • Access to NMI corporate aircraft & short-notice commercial flights
  • Average 8-hour on-site incident response time (48 contiguous U.S. states & southern Canada)

Electronic Discovery (eDiscovery) & Electronic Forensic Analysis

Proper procedures are vital when initiating an investigation or responding to a legal complaint that requires the collection, analysis, and presentation of electronic evidence. NMI first developed electronic discovery & electronic forensic procedures in 1995, and has updated those procedures to reflect current legal requirements. NMI will perform proper forensic copies, maintain a complete chain of custody, and document every action taken in the course of the investigation or response.

  • Determine the scope of the investigation or response
  • Analyze affected systems and media
  • Make proper forensic copies of critical evidence
  • Analyze data to identify incriminating or exculpatory evidence
  • Analyze live systems and networks when necessary
  • Preserve and gather evidence in "pursue and prosecute" situations
  • Support speedy recovery in "contain and recover" situations

Secure Software Engineering

NMI is one of the few security consulting companies with extensive software engineering experience. You may think you don't need or don't want custom software—but whether you are an entrepreneur with a dynamic web site or a large corporation with complex information technology solutions, you already have custom software. The only question is whether you will control custom software development or whether it controls you.

The NMI Difference
  • Security technology integration
  • Over 50 years of combined software engineering experience
    • Rapid application development (RAD) process
    • Rigorous version & change control
    • Extensive quality assurance
    • Complete, high-quality documentation
    • Ongoing maintenance and support
  • Cross-platform development (any combination of platforms)
  • Multiple language development (any combination of languages)
  • Service oriented architecture (SOA) design
  • Expertise with midrange and mainframe systems
  • Systems programming (including assembly language for any platform)
  • Enterprise messaging architectures

Dynamic Web Content

Dynamic web content means custom software engineering. NMI will implement a formal software engineering process for your dynamic web development that ensures security and change control but provides the greatest possible freedom for developers. NMI supports all server models, databases, programming languages, and markup languages.

Cloud-Based Applications & Services

NMI has the expertise to help you develop and deploy cloud-based products and services, and to ensure those products and services will meet rigorous vendor due diligence, governance, and compliance requirements.

Legacy Application Support

How many times has the mainframe died since 1970? Yet many organizations still depend on their midrange and mainframe applications, and despite repeated efforts have not found solutions as robust and reliable on other technologies. NMI's extensive experience with midrange and mainframe environments and software development ensures that your legacy applications will remain robust and reliable over time.

Languages & Platforms

How can NMI claim it supports all languages and platforms? NMI software engineers average more than 20 years of software engineering experience, and follow a rigorous program of continuing education. With this level of expertise and continued learning, NMI can assimilate new platforms and programming languages at an expert level without any impact on project performance. NMI's experience ranges from mainframes to embedded systems, and from direct machine language entry to modern fourth- and fifth-generation programming languages. Following is only a partial list of the programming languages, platforms, and environments supported by NMI:

Operating Systems & Platforms

  • Android
  • iOS (iPhone, iPad)
  • Linux
  • Windows
  • z/VM (z-Series)
  • z/OS (z-Series)
  • i/OS (i-Series)
  • Sun Solaris
  • OpenBSD
  • HP-UX
  • AIX
  • SCO UnixWare & OpenServer
  • MacOS & OS X
  • OS/2

Programming Languages & Platforms

  • Java
  • J2EE (JSP, Servlets, EJB)
  • .Net (ASP, Visual Basic, C#, VC++)
  • Perl
  • C and C++
  • PHP
  • Markup languages (HTML, WML, XML, etc.)
  • JavaScript
  • Rexx
  • FORTRAN
  • COBOL
  • RPG
  • Assembler (all supported platforms)

Database Platforms

  • Oracle
  • Microsoft SQL Server
  • IBM Universal Database (DB/2, Informix)
  • MySQL
  • PostgreSQL
  • Ingres
  • Access

The Martial Art of Information Security

NMI founder Andrew T. Robinson combines over 20 years of SGRC expertise and over 10 years of martial arts experience into The Martial Art of Security, Governance, Risk Management, and Compliance (TMA/SGRC). TMA/SGRC provides the most extensive and flexible SGRC curriculum in the industry.

The subset of TMA/SGRC that deals specifically with information security is The Martial Art of Information Security (TMA/IS).

Information Security Awareness & Self-Defense Training

TMA/IS applies the principles of martial arts training to develop information security awareness and skills. TMA/IS can be customized for your organization, including customization for your specific information security program and your legal and regulatory environment.

TMA/IS is supplemented by other discipline-specific courses including:

All courses are taught by NMI Senior Instructors with at least five years of experience with the course material and one or more industry-standard certifications.

The Martial Art of Information Security Curriculum

The formal TMA/IS curriculum consists of the following elements. Each element can be customized for your environment, and elements can be combined and created to meet your specific needs.

Basic Security Awareness
  • BSA-104 Safe Surfing & Information Security Principles for Users
  • BSA-106 Working with Your Security Team (Employees)
  • BSA-207 Working with Your Security Team (Management)

Security Management Skills
  • SMS-208 Principles of Information Security
  • SMS-209 Security Standards and Practices
  • SMS-310 The Security Life Cycle
  • SMS-211 Developing an Information Security Program
  • SMS-213 Principles of Effective Documentation

Technical Security Skills
  • TSS-214 Basic Networking
  • TSS-315 Advanced Networking
  • TSS-316 Operating Systems Architecture

Building Secure Information Systems
  • BSI-317 Designing Secure Information Systems
  • BSI-318 Host Security (Hardening)
  • BSI-319 Hardening Windows Systems
  • BSI-320 Hardening Unix Systems
  • BSI-451 Hardening i-Series (AS/400) Systems
  • BSI-452 Hardening z-Series (z/OS, z/VM, OS/390, MVS, z/Linux) Systems
  • BSI-521 Hardening Applications
  • BSI-222 Encryption
  • BSI-123 Defensive Technologies
  • BSI-224 Identification & Authentication Mechanisms
  • BSI-225 Authorization Mechanisms
  • BSI-326 Firewall Technologies & Implementation
  • BSI-327 Cisco PIX Configuration & Management
  • BSI-253 Log Review & Security Event & Incident Management (SEIM)
  • BSI-328 Intrusion Detection & Prevention Systems
  • BSI-229 Virtual Private Networks

Assessing Security & Risk
  • ASR-332 Vulnerability Analysis & Penetration Testing
  • ASR-333 Intelligence Gathering Tools & Techniques
  • ASR-434 Vulnerabilities & Exploits
  • ASR-535 Exploiting Vulnerabilities in Windows Systems
  • ASR-536 Exploiting Vulnerabilities in Unix Systems
  • ASR-537 Exploiting Vulnerabilities in Web Applications
  • ASR-238 Malicious Software
  • ASR-439 Wireless Network Analysis (War Driving)
  • ASR-540 Social Engineering

SGRC Awareness Quiz

For thousands of years, martial artists have studied animals in order to refine their techniques. Following in this tradition, Andrew T. Robinson has created the SGRC Quiz. Find out which of the five SGRC Animals most typifies your own behavior and attitudes regarding SGRC.

RAPID, RSK, STORM, and TrustPath are trademarks of NMI LLC.