
Assessments
Web Site and Application Vulnerability Assessments and Penetration Tests
Independent vulnerability assessments of your Web sites and applications are a great way to uncover some of the greatest risks to your business. Whether it's an in-depth look at all of your Web-based server systems, a penetration test of a specific Web application, or a source code review, this assessment benefits product marketing, regulatory and business-partner contract compliance, and the overall quality of the end product. If your organization falls under the PCI Data Security Standard (PCI DSS) requirements, I can help you with the security assessments it calls for.
Using well-known and widely accepted commercial tools such as HP's WebInspect, along with in-depth manual analysis, I will look at your Web site or application from the perspective of an untrusted outsider, a trusted insider, or both. I'll provide you with a detailed report* on exactly where you need to focus your efforts to reduce your risks. I can also perform a remediation validation assessment and deliver a summary report outlining which of the initial assessment findings have been resolved, for you to share with your customers or business partners. Consider this type of testing if you're an organization with a Web presence; a software vendor or development firm looking to enhance your application or product positioning from an information security or compliance perspective; responsible for the security of in-house applications; or looking to evaluate third-party software before making an investment.
Network Vulnerability Assessments and Penetration Tests
Network vulnerability assessments are great for discovering technical weaknesses in your computers, wireless systems, and overall network. Whether you call it a penetration test or a vulnerability assessment, I can tailor this type of testing to exactly what you need. Using well-known and widely accepted commercial tools such as QualysGuard, along with in-depth manual analysis, I will look at your external and/or internal systems from the perspective of an untrusted outsider, a trusted insider, or both. I'll provide you with a detailed report* on exactly where you need to focus your efforts to reduce your risks. Consider this type of testing if you wish to determine where your systems are currently vulnerable, or if you want periodic assessments (quarterly, twice yearly, etc.) to confirm that no new vulnerabilities have cropped up and to help your organization meet the various regulatory requirements for ongoing security evaluations.
Information Risk Assessments, Compliance Gap Analyses, or Pre-Audits
An information risk assessment, gap analysis, or pre-audit will help you determine where your business stands with regard to overall information risk and, if needed, prepare for a formal audit by a regulatory body, business partner, or other third party. Whether you're working toward HIPAA, GLBA, PCI DSS or other regulatory requirements, or you just want to get up to speed with the widely accepted ISO/IEC 27002 (formerly ISO/IEC 17799) information security framework so you can reduce business risks and manage your compliance initiatives more effectively, this type of assessment will do wonders. I will assess your organization's current information security systems and practices and identify the gaps between them and your established policies, procedures, and standards, as well as the ISO/IEC 27002 framework. If you don't have established security documentation, no worries: I'll help you put it all together. Consider this type of service if you want to find the operational security issues in your business in order to take your information security program to the next level, or if your organization is about to be audited and you need to get things cleaned up beforehand so the audit goes more smoothly.
Incident Response and Security Breach Analysis
If you've recently been hacked or suspect some form of security breach (internal or external) has occurred, I can help you find the operational and technical security weaknesses that may have been exploited, and consult with you on how to improve your technical controls and/or IT operations to prevent future breaches from occurring. I don't do formal forensics analyses, but, just as importantly, I can validate that what you're doing, or have done, to resolve the issues that led up to the breach is proper and reasonable in the context of information security.
Security Vulnerability Scanning Service
Whether you need to minimize your investment in information security and compliance, you need an easy way to discover the low-hanging vulnerabilities, or you need help demonstrating compliance with regulations and standards such as PCI DSS, HIPAA, and GLBA, I offer a managed security scanning service that can provide everything you need. You simply tell me which IP addresses you want scanned and when you want them scanned, and pay for the scans up front. I'll run the scans and send you the results in a PDF report. You'll be up and running immediately. No hardware to set up. No licenses to buy. No systems to configure. No data center operational costs. No support costs. And no need to hire people with the right skill set to manage the process. Contact me for more information on my security scanning service.
*My security assessment reports typically include:
- Documentation of the existing information security controls I find that are working in your organization's favor
- A detailed report outlining all potential and exploitable vulnerabilities discovered ranked by priority
- Vulnerability scanner reports
- Screenshots and other findings uncovered during the manual assessment phase
- Organizational/business process risks ranked by priority
- Practical advice for addressing each vulnerability
- Timeline and mitigation resource recommendations
- Critical success factors to help with your overall information security strategy
- Security policy templates for revamping existing policies or creating new ones
Expert Witness
Expert Witness Consulting and Testimony
For legal matters related to computer and information security, regulatory compliance, or general IT governance, I can serve as your consulting expert and/or testifying expert.
My specific areas of knowledge include regulatory compliance (HIPAA, GLBA, PCI DSS, and more), operating systems (Windows and NetWare), directory services (eDirectory and Active Directory), messaging systems (general email and GroupWise, Voice over IP, instant messaging, and peer-to-peer [P2P] file-sharing systems), content filtering, security policies, remote access, mobile computing, laptop encryption, wireless network security, software security, identity theft, as well as hacking concepts, techniques, and tools. I can also perform peer reviews of security assessment reports, security audit reports, or forensics reports to help you and your client determine whether proper and reasonable steps were taken to minimize future information risks. I've got the expert witness experience, technical expertise, business knowledge, speaking skills, and industry respect and recognition to help you with your case or incident.
Speaking, Training, and Writing
Keynote Speaking Engagements
If you're putting together an IT or security-related show or conference and are looking to bring in a thought-leader and well-known expert on computer and information security or regulatory compliance, I can help. I've keynoted conferences for Hewlett-Packard, IDC, ISSA and others and speak on engaging and timely information security topics. My keynote topics include:
- Succeeding in Security
- Staying Ahead of the Security Curve
- The Business Case for Information Security
- Leading a Successful Security Program
- Security Audits are for Sissies
- The Art of Hacking
- Real-world Security Problems You Can't Afford to Overlook
- Mobile Security Oversights, Misconceptions, and Dangerous Blunders
- Exploring the Pros and Cons of Employee Monitoring
- Identity Theft and What You Can Do About It
- Doing Compliance the Right Way
Please contact me to discuss these further, throw around some new ideas, and hear about my reasonable and competitive speaking fee. In the meantime, you can see what others are saying about my abilities as a keynote speaker and seminar leader.
Information Security and Compliance Seminars
If you head up an audit, IT, business, or other technology organization and want to bring in a thought-leader and well-known expert on computer and information security or regulatory compliance, I can help. I offer both half-day and full-day seminars on timely information security topics, including information security tools, performing vulnerability assessments, and IT and/or security career development. Please contact me to discuss this further and hear about my reasonable and competitive pricing. In the meantime, you can see what others are saying about my speaking abilities in past seminars and keynote presentations.
Whitepaper Development
If you're an IT or security product vendor or another organization looking for an independent view on a particular security topic, I can help. I can write a whitepaper or article(s) you can use to bring credibility to your marketing or security awareness efforts. I'm the author of 18 whitepapers to this point and always enjoy bringing an outsider's perspective to complement the messages and ideas others want to convey. Please contact me to discuss this further and hear about my reasonable and competitive pricing.
_____________________________________________
Please contact me and I can help you determine which information security service is best for your organization as well as provide client references and testimonials, specific pricing for your needs, and even presentation/seminar outlines or sample assessment reports so you'll know what you'll be investing in. See what my clients are saying about me.
