As a security consultant, I have set the goal of my job as educating companies and institutions about the dangers and risks they take on through their practices and methodologies. The posture of many companies relies on prevention methods and disaster management as opposed to efficient monitoring.

Too often, companies put their trust and concern in the wrong place, overlooking the biggest concerns and putting themselves in vulnerable positions. Their trust usually lies in software solutions that are only a partial security mechanism, which makes them feel safe when they are far from it.

Many of my clients assure me at the first meeting that they’re very concerned about security and therefore secure, and that they have never had a break-in, to which my question is always, “How do you know?” They usually expect an attack to be noticeable and manageable even without some kind of active or passive monitoring.

This is absolutely the worst posture in the information security business. If a competitor or adverse actor wanted to take your company out of business, they wouldn’t want to reveal their presence until it was too late for your company to recover or respond.

Bruce Schneier, a renowned cryptographer, wrote in an essay in 1999:

The mantra of any good security engineer is: “Security is not a product, but a process.” It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together. It’s designing the entire system so that when the unexpected attack comes from nowhere, the system can be upgraded and resecured. It’s never a matter of “if a security flaw is found,” but “when a security flaw is found.”

In my opinion this defines how every entity should look upon its security. The services I present here are parts I consider essential to build and test a good strategy to deal with your company’s security needs.

Offensive Defense Services

Vulnerability Assessment

The aim of this type of analysis is to identify, quantify and prioritize potential vulnerabilities in order to enable companies to formulate a defense strategy based on the characteristics of their systems. This is usually the first step to take a proactive stance on the security of your company’s information. For companies who want to start creating a security strategy this could be an affordable first step.

Penetration Testing

Penetration tests come in a variety of forms, each of them designed to replicate real attacks on the client’s networks, servers and services without compromising their availability. They are usually made with the objective of discovering known types of flaws and testing security mechanisms and detection systems. Do not expect this test to be a measurement of how secure your network is; this is a wrong assumption, as these tests have boundaries and limitations that real attacks don’t.

Client-Side Attacks

Client-side attacks are complementary to a penetration test: another vector that a real attacker may exploit and that not every company chooses to test. These attacks became more popular (on the defensive side) after the RSA breach, which was initiated by a malicious Excel document. These types of attacks are not limited to sketchy e-mails, as many customers think; they come in various forms and can be that tiny breach that makes the difference.

Proactive Defense Services

Service Monitoring

The cornerstone of a good security model is monitoring every inch of your infrastructure. Building a secure infrastructure is not an easy task: a tiny mistake can make your system almost indefensible, and the risk becomes even more important if you don’t know what’s happening.

How much time do you think your systems can hold without supervision when being inspected by a skilled and motivated hacker?

If your company wants to take a proactive attitude to the management of its services and start monitoring them (a requirement for ISO 27001), I can build custom monitoring solutions which can alert your staff before it gets too late to deal with the problem.

Application Analysis

Since the beginning of the software revolution there have been abuses of software, from licensing issues, with cracks to avoid payment, to competitors trying to extract algorithms, and now to exploiting the application to extract data or gain access to the clients’ machines. All of this poses a very serious threat to your product. Many companies rely on the image of a secure environment to gain their clients’ trust; if that image is broken, your company will have a very hard time regaining that trust, which can be avoided by having an external examination of your product. I can provide reverse engineering services for applications on various operating systems and/or in embedded devices.

Malware Analysis

Malware is a threat to every person using computers, but for companies it is an even bigger threat, as cyber criminals and competitors target companies with malware campaigns. By analyzing the malware, your company can learn from the attacks, neutralize ongoing campaigns and possibly uncover the actors behind the attacks. If you suspect that your company is being targeted by a malware campaign, I can take a look at the malware in question.

These are some of the skills that I provide, and they can help a lot of companies prosper with a robust set of security mechanisms and protocols to endure many different types of attacks. With these skills I also give companies a chance to detect ongoing attacks and problems within their current infrastructure.