Amtrak

Amtrak’s business initiatives require increasing access to Amtrak’s automated systems and data network by both Amtrak employees and non-Amtrak entities.  As Amtrak opens its data network to meet external access requirements and expanded internal access requirements, the network is exposed to growing risk from both internal and external threats.  SeNet has been assisting Amtrak with its information security needs since 2005 and was awarded a multi-year contract to perform vulnerability assessments and penetration testing across Amtrak’s complete IT infrastructure.

Amtrak is a large organization with a complex and critical IT infrastructure.  SeNet is proud to have helped Amtrak improve its security maturity over the 10 years we have supported them.

Over the years we have performed enterprise security assessments, SCADA reviews, red team penetration testing, mobile security code analysis, web application testing, and more.

We also provide PCI services to Amtrak through our QSA partner ControlCase. 

SeNet’s work has been recognized by senior Amtrak management, and SeNet is often consulted on information security questions and concerns that affect the organization.

Department of Education

SeNet International has provided the Department of Education with information security services since 2012 in support of the Office of Inspector General’s (OIG) independent evaluation of the effectiveness of the Department’s overall information security program and practices. During this 3-year period our assignments have ranged from information security audit support to network and information security testing.   Some of the more notable accomplishments with this client include:

  • Provided audit expertise by developing a risk-based audit plan to assess the Office of the Chief Information Officer (OCIO) and Federal Student Aid (FSA) management oversight controls of the EDUCATE and Dell Systems information security program for compliance with FISMA.  We determined the extent to which the Department’s information security plans, programs and practices comply with FISMA requirements, relevant OMB processes and reporting requirements, Federal Information Processing Standards (FIPS) requirements, and applicable National Institute of Standards and Technology (NIST) special publications.  Following the Federal Information Security Modernization Act, as of July 2015 we also determined the effectiveness of the OCIO’s and FSA’s information security programs.  Based on these determinations, we made various recommendations to assist the OCIO and FSA in improving their agency-wide information security program(s).
  • Executed security reviews of the OCIO’s oversight of the Guarantee Agencies (GAs) and Private Collection Agencies (PCAs) that maintain personally identifiable information (PII).  We determined whether the GAs and PCAs were in compliance with the Department’s security program policies and practices for securing PII, and issued recommendations to the OCIO on how its oversight could be improved.
  • In addition to FISMA work, conducted reviews of various applications within the Department’s General Support System (GSS) to verify the effectiveness of the general controls in place.  Because some applications were contractor owned and operated, we also reviewed the OCIO’s oversight controls to ensure proper monitoring of Department data housed on those contractor systems.
  • Performed a comprehensive mainframe security audit that examined the operating system layer, the database, and the security control package (Top Secret, ACF2).  Deficiencies were noted and recommendations made to improve the mainframe security posture; the results of this assessment gained visibility at the highest level within the Department.
  • As a component of each FISMA audit, performed penetration testing and vulnerability scanning on selected systems, ranging from a large GSS to mission-critical major applications.  The types of testing included:
    • Web Application
    • Network
    • Database
    • Physical
    • System
    • Wireless
  • Provided security training to OIG auditors in the form of classroom briefings and lab exercises.


Borgata Hotel Casino and Spa

Borgata was one of the first customers SeNet supported in the gaming sector.  When iGaming was legalized in New Jersey, we performed the initial security assessment of Borgata’s partner Bwin.  The iGaming security assessment had to meet the strict standards of the New Jersey Division of Gaming Enforcement (DGE) and consisted of application, system, and network testing.

Since then we have also performed iGaming assessments for Borgata’s other partner, Pala Interactive, as well as a physical security and social engineering assessment of Borgata’s data center.

We also provided security training to Borgata IT staff and performed vulnerability testing of their casino and corporate networks.

North Carolina Education Lottery

SeNet performed an independent security assessment and audit of North Carolina Education Lottery (NCEL) systems and gaming operations, working with and reporting directly to NCEL’s internal audit team.  Our review covered both the gaming systems (e.g., the RNG and ICS) and the supporting IT infrastructure. SeNet used NIST SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” as the baseline for the audit.

In addition to interviews and examinations, technical vulnerability scans were conducted on the NCEL network and systems from both external and internal perspectives. A limited web application security assessment was also conducted on mission-critical applications identified by NCEL, and a physical security review was performed at the headquarters in Raleigh and a field office in Greensboro.

The result was a comprehensive audit report that NCEL could use to strengthen its overall security posture.


Multi-State Lottery Association

SeNet, together with our partner Delehanty Consulting, performed a comprehensive security evaluation of the facilities, security controls, policies, and procedures used by the Multi-State Lottery Association (MUSL) in the conduct of its business.  The objectives of the task were to:
1. Assess whether effective IT and gaming operations security controls are in place and being followed.
2. Evaluate whether controls are in place to protect the confidentiality, integrity, and availability of MUSL systems and data.
3. Identify potential security risks and analyze opportunities for improvement.
To meet these objectives the following tasks were conducted:
1. Interviewed MUSL staff and lottery personnel.
2. Assessed the existence and effectiveness of the controls and processes in place through interviews, tests, and examinations.
3. Performed a network vulnerability assessment.
4. Identified weaknesses and their associated risks.
5. Delivered a report of findings and recommendations.

Our work and report were praised by both the Task Force and the member lottery directors.


City of Alexandria

In December 2012, SeNet was awarded a task order by the City of Alexandria (Alexandria) to perform a vulnerability assessment.  Alexandria had not had an assessment for several years and its security posture was uncertain.  SeNet first performed external scans and testing to identify areas vulnerable from an external perspective, then turned to the internal network, where additional vulnerability scans and testing were performed, including host-based scans, router/switch/firewall configuration review, database testing, and wireless scans.  Using these findings, Alexandria was able to establish plans to mitigate and fix the discovered issues.

In 2014, SeNet performed detailed external and internal network testing and a router assessment. The internal penetration test covered roughly 3,000 hosts running various Windows and UNIX operating systems. An in-depth analysis of the internal environment was conducted to discover outdated systems as well as hosts with missing or outdated software patches. A separate DMZ assessment evaluated the security posture of the DMZ and the network segregation between the DMZ and the internal environment.

In 2015, SeNet interviewed the CISO to determine the organization’s information security policy requirements and drafted an overall information security policy based on industry standards such as NIST SP 800-53 and the Information Security Forum’s Standard of Good Practice.


Akwesasne Mohawk Casino Resort

SeNet performed an overall security assessment of the Akwesasne Mohawk Casino Resort (AMCR) IT infrastructure.  The testing consisted primarily of vulnerability testing to identify weaknesses that needed to be corrected.  Both internal and external testing was performed, and recommendations were provided that would allow AMCR to improve its security posture.

Idaho Department of Health and Welfare

SeNet provided the following services to Idaho Department of Health and Welfare (IDHW):

  • Security Standards Assessment
  • External and Internal Network Assessment
  • Web Application Assessment

SeNet conducted a security standards assessment of the health care exchange system to verify that it complied with the security standards set by the Centers for Medicare & Medicaid Services (CMS). In addition to reviewing documentation provided by IDHW, SeNet used the Interview, Examine, and Test methodology to evaluate compliance with the Minimum Acceptable Risk Standards for Exchanges (MARS-E).

SeNet also performed an external and internal vulnerability assessment on the systems hosting the health care exchange system. The external scope consisted of one Class C network and the internal scope consisted of 15 Class B networks. Internal testing took place on-site at IDHW’s headquarters in Boise, ID.

A web application assessment was performed on two of IDHW’s web applications, using Burp Suite and Netsparker along with manual testing to identify security vulnerabilities.

At the conclusion of the project, SeNet compiled and delivered three separate reports (one for each assessment) detailing the methodology used during testing, the vulnerabilities identified and their severity levels, and recommendations to remediate them.


Rush Street Gaming

Rush Street Gaming contracted SeNet to perform a security assessment of its SugarHouse Casino and Rivers Casino properties.  Tasks performed included:

  • External and Internal Vulnerability Assessments
  • Wireless Security Assessment
  • Security Architecture Review
  • Phishing Attack
  • Firewall and Switch Review

SeNet also performed an evaluation of Rush Street’s new social gaming platform deployed at SugarHouse Casino in Philadelphia.  The testing consisted of two phases: the first covered the server infrastructure and the second focused on the gaming application itself. Network vulnerability scans and automated and manual application testing were performed.

We have also assisted Rush Street with incident response and forensic activities.


USDA Procurement Systems Division

In November 2009, SeNet began work under a USDA Blanket Purchase Agreement (BPA) to provide security services to the Procurement Systems Division (PSD). Services have included independent testing and verification of PSD’s security controls to ensure compliance with the Federal Information Security Management Act (FISMA) and with Office of Management and Budget (OMB) Circular A-123, which defines responsibilities for internal financial controls in federal agencies. Additionally, as part of security program support, SeNet conducts account management activities and reviews, has implemented an agency-wide auditing policy, and has identified and deployed a consolidated auditing tool.

Security Assessment and Authorization (SA&A) Support (FISMA Audits)

  • Support for full security assessment and authorization (SA&A) activities;
  • Risk Management Framework (RMF) Steps 4 through 6 (assess, authorize, monitor) coordination and support;
  • Prepare, review and update all related SA&A system documentation;
  • Prepare the SA&A package for submission to the certifying official;
  • Review and provide recommendations on the security development life cycle (SDLC), architecture and security documentation;
  • Perform continuous monitoring;
  • Conduct security awareness training and contingency plan test training;
  • Conduct annual account reviews and validation activities; and
  • Provide SME support to the configuration management board for configuration management activities.

OMB Circular A-123

  • Support independent assessments of the IAS General Computer Controls (GCC), the IAS Procurement Management Business Process (BP) and the SmartPay 2 Business Process;
  • Prepare documentation of internal controls for the GCC and BP;
  • Develop test plans to test the effectiveness of the GCC and BP controls;
  • Execute independent verification and validation of the GCCs and document test results; and
  • Provide OMB Exhibit 300 support.

Audit and Accountability Program Support

  • Audit solution life cycle operations support;
  • Audit and accountability policy support;
  • Audit solution implementation (testing, management and oversight);
  • Perform semi-annual vulnerability assessments;
  • Test relevant security controls and identify risks;
  • Develop a risk mitigation plan; and
  • Implement and monitor the risk mitigation plan.