What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized, professional attack against your organization; afterwards, a detailed report summarizing the weaknesses found and the vectors exploited is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Saturday, August 22, 2009

WHY WE MIGHT NEED A BETTER SECURITY ASSESSMENT VENDOR



THE SCAMS

On the mailing list last week, a member brought up this issue, in which I was also involved as a consultant for a company situated in Ghana.
http://lists.my.co.ke/pipermail/security/2009-August/000566.html


This is a bit hilarious, given that these guys were doing a security assessment for the company, and I expected a company like KPMG to be aware of the security assessment factors and of which services are offered during such an engagement.

THE FACTORS

So which factors does a client need to look into before taking on a Security Assessment?
a) Penetration testing: external or internal
b) Duration and frequency: how often do you need the service, annually or semi-annually?
c) Last but not least, which security assessment service do you actually need.

Before we get into the explanations: during a presentation at KRA I explained the difference between a Vulnerability Assessment and a Penetration Test. To put it briefly, a penetration test is the step that follows a vulnerability assessment. A VA produces a list of potential weaknesses, usually from a scanner, and that list will contain false positives; a penetration test is the hands-on confirmation that a vulnerability picked up during the VA can actually be exploited, and what an attacker gains by doing so. It is therefore the logical conclusion of a VA, and a vendor who delivers only scanner output under the name "penetration test" has not done one.

EXTERNAL AND INTERNAL TESTING

During a test, you can choose whether you want the pentest performed from outside your network, from a remote site, or whether you want the engineers inside the network. When it is performed externally, the engagement takes the form of an outside blackhat attacker who has to bypass your firewall and any other device on your perimeter from the Internet. In this kind of test the testers are given no IP ranges, no DNS names and no user accounts, in short no information at all; they have to collect it covertly and gather as much intelligence as they can before picking their prime targets. This test is commonly known as blackbox pentesting. Note that "external" and "blackbox" are separate choices: an external test can also be run with full information (whitebox) to save reconnaissance time, and whichever you pick, the address ranges the client actually owns should be confirmed in writing before anything is scanned, since blind reconnaissance can otherwise pull third-party systems into scope.

Internal testing is carried out more like an insider threat: someone who is already behind the perimeter and who has a good deal of information about the network and the organization. Here the testers will use social engineering, privilege escalation, exploitation and so on, with the aim of showing how far a malicious employee or a compromised workstation could get.

DURATION AND FREQUENCY: HOW OFTEN DO YOU NEED THE SERVICE, ANNUALLY OR SEMI-ANNUALLY?

This should be considered both by the security team in the organization that needs the service and from the consultant's perspective. The factors that determine how often to test include:
a) Threat intelligence
b) Security incidents (scans, brute-force attempts, hack attempts, DoS)
c) Insiders
d) Business espionage
e) Perimeter devices and applications, e.g. portals, which may need external blackbox pentests
f) Application and system changes, including the addition of clients and employees


WHICH SECURITY SERVICE DO YOU NEED?

One thing I have noticed with most of the security vendors in Africa is that they come up with crazy names for their products, which leaves customers wondering which to take, and they end up tricked into a non-service commitment. When a client asks for a security assessment, or an organization needs one, these are the services to look into.

a) Vulnerability Assessment

b) Penetration testing

c) Web Application Assessment

d) Physical Security Assessment

This is just to mention the most important ones. I will be writing a brief blog entry for each of them soon.

./Chuks


2 comments:

Idd Salim (GRoGR) said...

Super!

Was starting to feel lonely...

chukjonia said...

We are so many actually; check here, http://lists.my.co.ke/pipermail/security/
and the August archives, http://lists.my.co.ke/pipermail/security/2009-August/thread.html

Great day

./Chuks