Network security assessments are great for discovering technical weaknesses that exist in your broader group of network hosts. Using well-known and widely-accepted commercial tools as well as in-depth manual analysis I will look at your external and/or internal systems from the perspective of an untrusted outsider, trusted insider, or both. I can test your wireless (Wi-Fi and others) networks as well for common flaws as it relates to weak encryption keys and misconfigured guest wireless networks. I can also perform open source intelligence (OSINT) of your Internet domains and/or employees to uncover potentially sensitive information that is being exposed.
Consider this type of testing if you need to determine where your systems are currently vulnerable, you’ve been hacked or experienced a breach, or wish to have periodic vulnerability scans assessments (i.e. quarterly, bi-annually, etc.) to ensure no new vulnerabilities have cropped up and to help your organization meet ongoing regulatory requirements for PCI DSS, HIPAA, GLBA, etc.
I can perform a full assessment with an in-depth, formal report or, if you want to minimize your investment, I can perform a targeted assessment of one or two systems with the deliverables being a short summary report. Whatever is the best fit for your needs, I can make it happen.
These independent assessments of your websites, web applications, and APIs/web services are a great way to uncover some of the greatest risks to your business. This is what I do the most and I absolutely love it because the challenges are so unique and the risks are so great. Using well-known and widely-accepted commercial tools combined with an in-depth manual analysis I will look at your web system(s) from the perspective of an untrusted outsider, trusted user, or both. Whether it’s an in-depth look at all of your web-based server systems, a penetration test of specific web applications for PCI DSS compliance, this assessment is beneficial for product marketing, regulatory and business partner contract compliance, and general improvement of the application environment.
Consider this type of testing if you’re an organization with a web presence, software vendor or development firm looking to enhance your application or product positioning from a security or compliance perspective, responsible for the security of in-house web applications, or if you’re looking to evaluate third-party software before making an investment.
Along the same lines as my web application security tests, I can help you with your mobile apps for smartphones and tablets. I can perform manual analysis of mobile apps on any platform which includes assessing general functionality, login mechanisms, browser behavior, forensic artifacts, file handling as well as interactions with external applications and systems using a web proxy and network analyzer. I can also perform source code analysis of Android and iOS-based apps to uncover security and privacy-related flaws that may go undetected otherwise.
Consider this type of testing if you’re an organization rolling out new mobile apps or need to validate that existing ones (in-house or external) are resilient to security and privacy abuses.
Similar to my other assessments but with a twist, I can help you with your existing or soon-to-deploy IoT devices to uncover security flaws that can not only be directly exploited but also put your entire network environment at risk. If a system has an IP address or a URL, it can be scanned, poked, prodded, and exploited just like any traditional network device. Those are the weaknesses I can help uncover.
Consider this type of testing if you design, build, and/or sell IoT systems or you’re looking for an independent review of your IoT environment.
This is targeted testing of your users (individuals or groups) to assess how gullible they are in not only clicking links and opening attachments in emails but also how willing they are to give out sensitive information. Just one single slip-up – a mere clicked link or divulged password can literally negate all other security assessment and technical controls you have worked so hard to build out. Generic email phishing testing is simply not enough. It must be targeted and convincing via customized spearphishing campaigns.
Consider this type of testing if you want to evaluate your current security awareness and training program, complement network security assessments and penetration testing, or otherwise take your traditional email phishing testing program to the next level. You’ll be (un)pleasantly surprised by the results!
Whether you’re an end user or managed service provider (MSP), ongoing vulnerability scans can help you meet compliance or contractual requirements or create and maintain peace of mind that the simple, low-hanging fruit on your Internet-facing network hosts and web applications is being discovered and addressed on a periodic and consistent basis. You won’t have to invest in the vulnerability scanning tools, attempt to tweak them for your unique environment or decipher their findings. I’ll do the work for you (or your customers) using multiple scanners (because they all tend to find unique vulnerabilities) – a benefit that will help ensure you get the most out of this exercise. I can also perform one-off scans when it makes sense. In a short period of time, you’ll receive the vulnerability scanner reports along with tips from me regarding what you might need to address. A quick and easy, yet very valuable, service.
With all that you have invested – and stored – on your network and in the cloud, you need to review your architecture and configurations to ensure there are no gaping holes. Whether you host everything internally or in the cloud via AWS, Azure, or other third-party, I can help. I can review your network architecture for security gaps and opportunities. I can also review your cloud configurations to find the vulnerabilities that are otherwise difficult to see. This is a good way to address “you don’t know what you don’t know” beyond traditional vulnerability and penetration testing.
This is a review of your IT and security-related operations to look for policy and process weaknesses that are often the underlying reasons for your technical vulnerabilities. Typically in conjunction with a larger network security assessment, I will meet with your IT, operations, finance, and other staff members to uncover gaps in areas such as security policies, information management, system patching, passwords, local admin privileges, malware protection, mobile security, event logging/monitoring, software development, incident response, disaster recovery, and so on.
Consider this type of assessment if you want to evaluate the operations side of security in order to meet compliance and contractual requirements or want to build out your information security program without having to perform a formal IT security controls audit.
If you’re looking for guidance and unbiased insight on various aspects of your information security program, I can help. Common consulting projects I work on include:
I bill this work by the hour and you can purchase a block of retainer time, in advance, at a discounted rate.
My goal is to help you acknowledge your security weaknesses, convert raw findings data to information and knowledge that helps you grow your information security program. My security assessments include a detailed report that outlines exactly where you need to focus your efforts in order to reduce your business risks and start making positive changes to your security program. My assessment deliverables include:
I will also perform a remediation validation assessment and deliver a summary report outlining which of the original critical- and high-priority findings have been resolved for you to share with management, customers, and other stakeholders. Finally, I’ll make myself available to you and your team after I deliver my report to answer any questions or address any concerns. See what my clients are saying about my security assessment and penetration testing deliverables.
I bill my work on fixed-fee basis or hourly where necessary. Either way, I’ll set your expectations so you’ll know what you’re getting and exactly what it’s going to cost before the engagement begins.
If you’re putting together an IT or security-related show or conference and are looking to bring in a thought-leader and well-known expert on information security and compliance, I can help. I’ve keynoted conferences for Hewlett-Packard, IDC, ISSA, TechTarget and others and speak on engaging and timely information security topics. I can perform a keynote address, lead a seminar (live or online), or serve as a panelist on various topics that I’m passionate about including:
Please contact me to discuss my speaking engagements further, throw around some new ideas, and hear about my reasonable and competitive speaking fee. In the meantime, you can see what others are saying about my abilities as a professional speaker, panelist, and seminar leader.
If you’re a publisher, media-based organization or technology vendor and you’re looking for a thought-leader and well-known expert on information security and compliance to write guest blog posts, present a webcast/webinar, or record a video or podcast, I can help. Please contact me to discuss this further and hear about my reasonable pricing. In the meantime, click here to see what others are saying about my speaking abilities in past seminars and keynote presentations.
If you’re in charge of your organization’s information security awareness and training programs, I am currently developing pre-written articles and checklists you can use in your internal newsletters to share relevant stories and information with your employees about data breaches, safe computing practices, what to look out for, and so on. Please contact me for more information.
For legal matters related to computer and information security, regulatory compliance, or general IT governance, I can serve as your consulting expert. I have experience with cases involving intellectual property and patents, libel, data breaches, and freedom of information act requests.
My specific areas of knowledge include compliance (i.e. HIPAA, HITECH Act, GLBA, PCI DSS, FERPA, and state breach notification laws), data breaches, identity theft, mobile computing, laptop encryption, wireless networks, software security (client/server, web apps, mobile apps, and cloud), operating systems, messaging systems, content filtering, security policies, as well as hacking concepts, techniques and tools. I can also perform peer reviews of security assessment reports, security audit reports, or incident response reports to help you and your client determine whether or not proper and reasonable steps were taken to minimize future information risks. I have the expert witness experience, technical expertise, business knowledge, speaking skills as well as industry respect and recognition to help you with your case.
Please contact me and I can help you determine which information security service is best for your organization as well as provide client references and testimonials, specific pricing for your needs, and even presentation/seminar outlines or sample assessment reports so you’ll know what you’ll be investing in. See what my clients are saying about me.