If you're looking for guidance and unbiased insight on various aspects of your information security program, I can help. Common consulting projects that I work on include:
- Assistance in answering security questionnaires that you receive from business partners and customers
- Reviewing existing and new business contracts for security-specific requirements and gotchas
- Providing guidance on your incident response plan/procedures
- Analyzing your security program strategies and tactics to ensure you're on the right track
I bill this work by the hour and you can purchase a block of hours, in advance, at a discounted rate.
Website and Application Vulnerability Assessments and Penetration Tests
Independent vulnerability assessments of your websites or applications are a great way to uncover some of the greatest risks to your business. Whether it's an in-depth look at all of your Web-based server systems, a penetration test of a specific Web application, or a source code review, this assessment is beneficial for product marketing, regulatory and business partner contract compliance, and general improvement of the end product. I can also help you if your organization falls under the PCI Data Security Standard requirements for ongoing security testing.
Using well-known and widely-accepted commercial tools combined with in-depth manual analysis, I will look at your Web site/application from the perspective of an untrusted outsider, a trusted insider, or both. I can also perform source code analysis using a well-known (and highly-effective) static source code analyzer. I'll provide you with a detailed report* on exactly what you need to focus your efforts on to reduce your risks. I can also perform a remediation validation assessment and deliver a summary report outlining which of the initial assessment findings have been resolved, for you to share with your customers or business partners. Consider this type of testing if you're an organization with a Web presence, a software vendor or development firm looking to enhance your application or product positioning from an information security or compliance perspective, responsible for the security of in-house applications, or looking to evaluate third-party software before making an investment.
Network Vulnerability Assessments and Penetration Tests
Network vulnerability assessments are great for discovering technical weaknesses that exist in your computers, mobile devices and overall network. Whether you call it a penetration test or a vulnerability assessment, I can tailor this type of testing based on exactly what you need, including reviewing your actual network architecture and your people for security weaknesses. Using well-known and widely-accepted commercial tools as well as in-depth manual analysis, I will look at your external and/or internal systems from the perspective of an untrusted outsider, a trusted insider, or both. Email phishing is a large part of what I do as well. I'll provide you with a detailed report* on exactly what you need to focus your efforts on to reduce your risks. Consider this type of testing if you wish to determine where your systems are currently vulnerable, or wish to have periodic assessments (i.e. quarterly, bi-annually, etc.) to ensure no new vulnerabilities have cropped up and to help your organization meet the various regulatory requirements for ongoing security evaluations.
Mobile App Vulnerability Assessments and Penetration Tests
Along the same lines as my Web site and application security tests, I can help you with your mobile apps for smartphones and tablets. I can perform manual analysis of mobile apps on any platform, which includes assessing general functionality, login mechanisms, browser behavior, file handling, as well as interactions with external applications and systems, using a Web proxy and network analyzer. I can also perform source code analysis of Android and iOS-based apps to uncover security and privacy-related flaws that may otherwise go undetected. I'll provide you with a detailed report* on exactly what you need to focus your efforts on to reduce your risks. I can also perform a remediation validation assessment and deliver a summary report outlining which of the initial assessment findings have been resolved, for you to share with your customers or business partners. Consider this type of testing if you're an organization rolling out new mobile apps or need to validate that existing ones are reasonably secure.
Incident Response and Security Breach Analysis
If your business has been hacked or you suspect some form of security breach (internal or external) has occurred, I can help you find the operational and technical security weaknesses that may have been exploited, and consult with you on how you can improve your technical controls and/or IT operations to prevent future breaches from occurring. I don't do formal forensics analyses, but, just as importantly, I can validate that what you're doing (or have done) to resolve the issues that led to the breach is adequate and reasonable in the context of information security.
*My security assessment reports typically include:
- Listing of existing information security controls I find that support your organization's information security in a positive way
- A detailed report outlining vulnerabilities discovered ranked by priority
- Practical advice for addressing each finding, as well as general advice on your security architecture and technologies
- Screenshots and other findings uncovered during the manual assessment phase
- Timeline and mitigation resource recommendations
- Critical success factors to help with your overall information security program
- Raw vulnerability scanner reports
I typically scope to perform a follow-up remediation validation to determine which of the original findings have been resolved so you can rest assured that your follow-up efforts have paid off. I'll also make myself available to you and your team after I deliver my report to answer any questions or address any concerns.
Speaking, Training, and Writing
If you're putting together an IT or security-related show or conference and are looking to bring in a thought-leader and well-known expert on information security and compliance, I can help. I've keynoted conferences for Hewlett-Packard, IDC, ISSA and others and speak on engaging and timely information security topics. I can perform a keynote address, lead a seminar or serve as a panelist on the following topics that I'm passionate about:
- Mobile security (smartphones, tablets, laptops, etc.)
- Web and cloud security
- Information risk management and compliance
- Ethical hacking and information security testing
- Information security/IT leadership
Please contact me to discuss these further, throw around some new ideas, and hear about my reasonable and competitive speaking fee. In the meantime, you can see what others are saying about my abilities as a professional speaker, panelist, and seminar leader.
Information Security Webinars, Videos, and Podcasts
If you're a publisher, media-based organization or technology vendor and you're looking for a thought-leader and well-known expert on information security and compliance to present a webcast/webinar or record a video or podcast, I can help. Please contact me to discuss this further and hear about my reasonable pricing. In the meantime, you can see what others are saying about my speaking abilities in past seminars and keynote presentations.
Pre-Written Articles for Security Awareness and Training Programs
If you're in charge of your organization's information security awareness and training programs, I am currently developing pre-written articles and checklists you can use in your internal newsletters to share relevant stories and information with your employees about data breaches, safe computing practices, what to look out for, and so on. Please contact me for more information.
Expert Witness and Litigation Support
Consulting and Testimony
For legal matters related to computer and information security, regulatory compliance, or general IT governance, I can serve as your consulting expert and/or testifying expert.
I have been deposed and have experience with cases involving intellectual property and patents, libel, and Freedom of Information Act requests.
My specific areas of knowledge include compliance (i.e. HIPAA, HITECH Act, GLBA, PCI DSS, FERPA, and state breach notification laws), data breaches, identity theft, mobile computing, laptop encryption, wireless networks, software security (client/server, web apps, mobile apps, and cloud), operating systems, messaging systems, content filtering, security policies, as well as hacking concepts, techniques and tools. I can also perform peer reviews of security assessment reports, security audit reports, or forensics reports to help you and your client determine whether or not proper and reasonable steps were taken to minimize future information risks. I have the expert witness experience, technical expertise, business knowledge, speaking skills, as well as industry respect and recognition, to help you with your case or incident.
Please contact me and I can help you determine which information security service is best for your organization, as well as provide client references and testimonials, specific pricing for your needs, and even presentation/seminar outlines or sample assessment reports, so you'll know what you'll be investing in. See what my clients are saying about me.