September 9, 2009 8:47 PM
Posted by: Jeromie Jackson
Tags: penetration test, Security As A Service, security assessment, vulnerability assessment
Many Security-As-A-Service (SAAS) vendors have taken open source vulnerability assessment engines such as Nessus and used them to provide vulnerability assessments to their customers. Nessus is a fair application, but its depth is limited and false positives are numerous. I consistently find a higher number of vulnerabilities with our other toolsets. I am so confident that these services are doing an injustice to their customers that I’m willing to prove it, for FREE!
If your organization has not conducted a vulnerability assessment in the past, the results may be frightening. If you’re currently under contract with a vendor, let us provide the second set of eyes you need to confirm their diagnosis. If you trace security vulnerabilities to their origin, you will often find that things were overlooked. Your digital defense is critical to ensuring your Internet presence and brand remain steadfast. Perimeter security needs to be scoured as thoroughly as possible. Our free external vulnerability assessment validates your security posture and provides the assurance needed by regulators, executive management, and security-conscious individuals.
Request Your Free Security Assessment Today at http://www.jeromiejackson.com
June 17, 2009 4:48 PM
Posted by: Jeromie Jackson
Tags: displacement sku, it optimization, IT ROI, IT TCO, risk management, six sigma
All of your vendors and suppliers are talking about reducing Total Cost of Ownership (TCO) and raising Return On Investment (ROI) in our current economic situation. Considering how budgets are being tightened and purchasing is under heightened scrutiny, you can’t blame them. While the dancing around the dollars continues, many are simply repackaging their message. The five steps below will help you, as a manager, leader, or executive in your organization, make prudent decisions on purchases.
1- Maximize Current Investments
When looking over an existing environment there are almost always ways to optimize, reduce cost, or minimize upcoming investments. Multiple-interface firewalls, under-utilized consoles, and places where existing countermeasures can be applied to fix known risks are often already present in the environment. I often find organizations not fully leveraging their firewalls and existing log consolidation opportunities. An architectural review of the as-is and to-be states is almost always a very valuable project when conducted by a non-biased third party.
Leasing is becoming another common option for many organizations. As organizations plan for 3-5 year refreshes on their IT assets, leasing is an appealing option. End-Users are provided leading technologies, and the organization gains better cash flow and Total Cost of Ownership (TCO).
I know many are of the opinion that Six Sigma, Lean Six Sigma, Balanced Scorecards, Business Process Optimization (BPO), and the pile of other models, frameworks, and guidelines are a waste of time. I have to say, I was of this thought initially. After standing up a Security & Risk Management team I found them to be invaluable. By leveraging these practices and frameworks, best practices are documented, a clear “to-be” state is communicated, and experts have documented valuable insight the organization can use. In summary, they give guidance on how to harmonize remediation activities, and to “hack at the root” instead of “thrashing at the leaves.”
3- Use Platinum/Elite VARs For Maximum Discounts
Have an expensive piece of software that you intend to keep? Seek Value Added Resellers (VARs) who hold the highest-level partnership with the manufacturer. These VARs receive discounts that small shops are unable to obtain, generally due to the sales commitments they have with the manufacturer. A large VAR that sells products and services across many technology areas may be able to drive additional discounts by engaging in longer-term sourcing agreements.
4- Use Displacement SKUs
Looking at a technology that could replace, and potentially improve, existing infrastructure? You’ll find many vendors have Displacement SKUs they will use when competing. These SKUs are generally deeply discounted in order to gain market-share from the competition. Use these to your advantage during migration between vendors to gain additional price reductions.
5- Consolidate Technologies/Consoles
Today, many organizations have best-of-breed solutions throughout the organization. As vendors merge and technologies mature, many of these tools are being consolidated. There are significant benefits to consumers. Centralized consoles simplify the administrative burden and can optimize incident response times, training overhead, and maintenance fees. By reducing the number of systems in the environment, efficiency is gained: administrators have a smaller number of systems to manage, and training requirements are reduced. Often the consolidation also provides additional benefits. For example, an Intrusion Detection System (IDS) combined with a vulnerability management system allows the IDS to determine whether an active attack will be successful against the environment, which directly determines the type of response that is required. By looking at your current environment and comparing it to current technologies, the organization may be able to sustain, or improve, its capabilities while reducing cost or improving efficiency.
Make no mistake, there are many areas where cost-cutting is possible, and most likely prudent. Do not be misdirected towards additional purchases before you clean up what you have. While many budgets have diminished, optimization of the current infrastructure may yield additional dollars. I spend a significant amount of time with leadership focusing on such activities, at no cost. I look forward to continuing to gain trusted-advisor status with my customers by partnering with them, instead of pitching to them.
June 5, 2009 9:33 PM
Posted by: Jeromie Jackson
Tags: pci readiness, risk assessment
I was recently involved in conducting a penetration test and helping a merchant prepare for their PCI examination. A topic that often comes up during these pre-assessments is how and where to spend resources during the preparation. The scenario often plays itself out like this: the merchant’s employees identify issues, the issues get put on a quick-hit list, and then cycles are spent fixing the issues discussed. While these risks may be relevant, I always have a tendency to pull the customer off the keyboard for further discussion.
As most individuals know, security is not an absolute. Security is about effectively managing risk. There is no need to spend $100 securing an asset that is worth $1. A more methodical approach is required. I come from a technical background, and for MANY years thought all the work people put into risk assessments and regulatory compliance was for the most part not improving their security posture. After I worked as a de-facto CISO for an insurance company I found I was wrong.
Limited budgets, limited time, and limited mind-share require organizing the risks so that resources can be focused on the issues which most affect the organization. I generally prefer the OCTAVE Allegro approach; it allows the team to work in smaller groups. The smaller groups are more manageable and help mitigate the intensive political and cultural battles generally tabled in large audiences.
The lesson learned from this audit was that up-front education of the team on information security and risk management helps the team focus on the areas of greatest weakness, and political and cultural strife is contained. The groundwork for a more comprehensive, consolidated, optimized, efficient, and organized risk management program can then be laid.