what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Saturday, August 20, 2011


Information security is one career that a lot of Techis out there have mistaken what it entails a lot. I have seen some people think that because they can run nmap on an MS box they can do VA assessments for an organization. Others think coz they can develop code they can actually hack. Others come straight from college and join a security company, handed in some company questionnaires and shown how to scare clients when they need to do an audit, only to find they are asking for SAM files from a unix admin, LULZ. Am not hating but I think I need to talk about this.

Personally my skill-set is penetration testing, but how I got here was nasty. I started with repairing computers and mobile devices back in 1999/2000, then went into structured cabling, later I was administering domains and huge networks and I had to script code and I ended up indulging into development. As I went on, security became a huge interest and there was no guys in Nairobi I could get advice from, so I had to do research and heavy studies by myself.

With 11 years in this career am still learning new things everyday.

So here are some aspects to those who want to do security at higher level. By higher level I mean, working in those institutions where Security is taken seriously:

a) IT Background, Research and studies
b) Health and fitness
c) Personal Security
d) Patience
e) Independence
f) Intelligence
g) Confidentiality

As days go by, I will write on these aspects above.

With all regards,


Wednesday, August 10, 2011

Calculating PSR and the Reason to

So what is PSR, what does it stand for? In short P means Probability, S is Severity and R is relevance. This metric looks at the probability of the vulnerabilities found and how they can be exploited, with ease or with loads of trial and error. Its also looks at the severity of the impact they will cause to the organization in case exploited and then the relevance of the asset to the organization.

Below is a table we can calculate the P = Probability with.


The likelihood that the risk will take place:

5 - Very High

Is almost certain (P > 95%)

4 - High

Is very likely (65% < P ≤ 95%)

3 - Medium

Is likely (35% < P ≤ 65%)

2 - Low

Is not very likely (5% < P ≤ 35%)

1 - Very Low

Is unlikely (P ≤ 5%)

So for the auditor to estimate the probability he has to consider several factors,

a) The knowledge requires to have a working exploit on the specified flaw. So the more the knowledge required the higher the probability.
b) The resource required to attack and exploit the flaw will also major out on the probability, the fewer the resource the higher the probability.
c) The duration required to exploit the flaw, if the intruder would take a short time, then the probability goes higher.
d) Also how important the target is, e.g a Banking server, where most attackers would wont to fully exploit flaws makes the P vary alot. The more attractive the system is the higher the probability
e) How well the asset is protected, physical and operation wise, if lower the protection the higher the probability.
f) Environmental, political, weather also affects the probability variations

So probability is a way of looking at a view of the like hood a risk might happen, while severity will evaluate the level of impact on the asset and organization if it takes place.


The risk taking place will cause:

5 - Very High

Major impairment

4 - High

Very severe impairment

3 - Medium

Severe impairment

2 - Low

Less severe impairment

1 - Very Low

Almost no impairment

So for the auditor to estimate the severity he has to consider several factors,
a) The degree of impairment of the reliability of the process results or information as well as the systems or related environment supported by the asset.
b) Degree of impairment of the assets performance.
c) The impairment of the quality of services, systems and information.

Thirdly is the relevance of the asset, where the importance of it is valued and what it supports to the business/organization.


The asset’s impairment:

5 - Very High

May affect the entire organization and losses will be extremely high

4 - High

May affect one or more of the organization’s businesses and losses will be high

3 - Medium

May affect a part of the organization’s business and losses will be considerable

2 - Low

May affect a small and localized part of the organization and losses will be low

1 - Very Low

May affect a very small and localized part of the organization’s business and losses will be minimal

So now we can multiply the values to calculate the PSR of an asset after we have defined them.

Risk Level

Possible PSR Values

Very Low

1, 2, 3, 4, 5, 6


8, 9, 10, 12, 15, 16


18, 20, 24, 25, 27, 30


32, 36, 40, 45, 48, 50

Very High

60, 64, 75, 80, 100, 125

So all the PSR calculation sum up to 125.