Consulting

If you're looking for guidance and unbiased insight on various aspects of your information security program, I can help. Common consulting projects that I work on include:

  • Acting as a Virtual Chief Information Security Officer (CISO)
  • Analyzing security program strategies and tactics
  • Developing incident response plan/procedures
  • Helping answer security questionnaires required by PCI DSS or from business partners and customers
  • Reviewing existing and new business contracts (cloud service providers, customers, etc.) for security-specific requirements and gotchas

I bill this work by the hour and you can purchase a block of retainer time, in advance, at a discounted rate.

Security Assessments and Penetration Testing

Website and Application Vulnerability Assessments and Penetration Testing

These independent vulnerability assessments of your websites or applications are a great way to uncover some of the greatest risks to your business. This is what I do the most, and I absolutely love it because the challenges are so unique and the risks are so great. Using well-known and widely-accepted commercial tools combined with in-depth manual analysis, I will look at your web system(s) from the perspective of an untrusted outsider, a trusted user, or both. Whether it's an in-depth look at all of your web-based server systems, a penetration test of a specific web application for PCI DSS compliance, or a source code review, this assessment is beneficial for product marketing, regulatory and business partner contract compliance, and general improvement of the application environment.

Consider this type of testing if you're an organization with a web presence; a software vendor or development firm looking to enhance your application or product positioning from a security or compliance perspective; responsible for the security of in-house web applications; or looking to evaluate third-party software before making an investment.

Mobile App Vulnerability Assessments and Penetration Testing

Along the same lines as my web application security tests, I can help you with your mobile apps for smartphones and tablets. I can perform manual analysis of mobile apps on any platform, which includes assessing general functionality, login mechanisms, browser behavior, forensic artifacts, and file handling, as well as interactions with external applications and systems using a web proxy and network analyzer. I can also perform source code analysis of Android and iOS apps to uncover security and privacy-related flaws that might otherwise go undetected.

Consider this type of testing if you're an organization rolling out new mobile apps or need to validate that existing ones (in-house or external) are resilient to security and privacy abuses.

Internet of Things (IoT) Vulnerability Assessments and Penetration Testing

Similar to my other assessments but with a twist, I can help you with your existing or soon-to-deploy IoT devices to uncover security flaws that can not only be directly exploited but also put your entire network environment at risk. If a system has an IP address or a URL, it can be scanned, poked, prodded, and exploited just like any traditional network device. Those are the weaknesses I can help uncover.

Consider this type of testing if you design, build, and/or sell IoT devices or you're looking for an independent review of your IoT environment.

Email Spearphishing

This is targeted testing of your users (individuals or groups) to assess how susceptible they are, not only to clicking links and opening attachments in emails, but also to giving out sensitive information. Just one slipup, a single clicked link or divulged password, can negate all of the other security assessments and technical controls you have worked so hard to build out. Generic email phishing testing is simply not enough. It must be targeted and convincing, via customized spearphishing campaigns.

Consider this type of testing if you want to evaluate your current security awareness and training program, complement network security assessments and penetration testing, or otherwise take your traditional email phishing testing program to the next level. You'll be (un)pleasantly surprised at the results!

Network Vulnerability Assessments and Penetration Testing

Network security assessments and penetration tests are great for discovering technical weaknesses that exist across your broader group of network hosts. Using well-known and widely-accepted commercial tools as well as in-depth manual analysis, I will look at your external and/or internal systems from the perspective of an untrusted outsider, a trusted insider, or both.

Consider this type of testing if you need to determine where your systems are currently vulnerable, you've been hacked or experienced a breach, or you wish to have periodic vulnerability scans or assessments (e.g. quarterly, bi-annually, etc.) to ensure no new vulnerabilities have cropped up and to help your organization meet ongoing regulatory requirements for PCI DSS, HIPAA, GLBA, etc.

Periodic Vulnerability Scanning

Ongoing vulnerability scans can help you meet compliance or contractual requirements, or simply create and maintain peace of mind that the low-hanging fruit on your Internet-facing network hosts and web applications is being discovered and addressed on a periodic and consistent basis. You won't have to invest in the vulnerability scanning tools, attempt to tune them for your unique environment, or decipher their findings. I'll do the work for you using multiple scanners (because each one tends to find vulnerabilities the others miss), which helps ensure you get the most out of this exercise. I can also perform one-off scans when it makes sense. In a short period of time, you'll receive the vulnerability scanner reports along with tips from me regarding what you might need to address.

Security Operations Reviews

This is a review of your IT and security-related operations that looks for the policy and process weaknesses that are often the underlying reason for your technical vulnerabilities. Typically in conjunction with a larger network security assessment, I will meet with your IT, operations, finance, and other staff members to uncover gaps in areas such as security policies, information management, system patching, passwords, local admin privileges, malware protection, mobile security, event logging/monitoring, software development, incident response, disaster recovery, and so on.

Consider this type of review if you want to evaluate the operations side of security in order to meet compliance and contractual requirements, or if you want to build out your information security program without having to perform a formal IT security controls audit.

A bit about my deliverables...

My goal is to help you acknowledge your security weaknesses and to convert raw findings data into information and knowledge that helps you grow your information security program. My security assessments include a detailed report that outlines exactly where you need to focus your efforts in order to reduce your business risks and start making positive changes to your security program. My reports include:

  • Executive summary
  • Listing of existing security controls I find that support your organization's information security in a positive way
  • A detailed report outlining vulnerabilities discovered ranked by priority
  • Practical advice for addressing each finding as well as general advice on your security architecture and technologies
  • Screenshots and other findings uncovered during the testing
  • Timeframe and difficulty ratings for remediation efforts
  • Original, raw security scanner/tool test results (something you likely won't receive from other providers!)

I will also perform a remediation validation assessment and deliver a summary report outlining which of the original critical- and high-priority findings have been resolved, for you to share with management, customers, and other stakeholders. Finally, I'll make myself available to you and your team after I deliver my report to answer any questions or address any concerns. See what my clients are saying about my security assessment and penetration testing deliverables.

I bill this work at a fixed fee so you're comfortable knowing what to expect throughout the process.

Speaking and Writing

Speaking Engagements

If you're putting together an IT or security-related show or conference and are looking to bring in a thought leader and well-known expert on information security and compliance, I can help. I've keynoted conferences for Hewlett-Packard, IDC, ISSA, and others, and I speak on engaging and timely information security topics. I can deliver a keynote address, lead a seminar, or serve as a panelist on the various topics that I'm passionate about, including:

  • Information risk management and compliance
  • Web and cloud security
  • Mobile security
  • IoT security
  • Security penetration testing
  • Hacking
  • Information security/IT leadership and careers

Please contact me to discuss these further, throw around some new ideas, and hear about my reasonable and competitive speaking fee. In the meantime, you can see what others are saying about my abilities as a professional speaker, panelist, and seminar leader.

Information Security Blog Posts, Webinars, Videos, and Podcasts

If you're a publisher, media-based organization, or technology vendor looking for a thought leader and well-known expert on information security and compliance to write guest blog posts, present a webcast/webinar, or record a video or podcast, I can help. Please contact me to discuss this further and hear about my reasonable pricing. In the meantime, click here to see what others are saying about my speaking abilities in past seminars and keynote presentations.

Pre-Written Articles for Security Awareness and Training Programs

If you're in charge of your organization's information security awareness and training program, I am currently developing pre-written articles and checklists you can use in your internal newsletters to share relevant stories and information with your employees about data breaches, safe computing practices, what to look out for, and so on. Please contact me for more information.

Expert Witness and Litigation Support

Consulting and Testimony

For legal matters related to computer and information security, regulatory compliance, or general IT governance, I can serve as your consulting expert and/or testifying expert. I have been deposed and have experience with cases ranging from intellectual property and patents to libel and Freedom of Information Act requests.

My specific areas of knowledge include compliance (e.g. HIPAA, the HITECH Act, GLBA, PCI DSS, FERPA, and state breach notification laws), data breaches, identity theft, mobile computing, laptop encryption, wireless networks, software security (client/server, web apps, mobile apps, and cloud), operating systems, messaging systems, content filtering, security policies, as well as hacking concepts, techniques, and tools. I can also perform peer reviews of security assessment reports, security audit reports, or forensics reports to help you and your client determine whether or not proper and reasonable steps were taken to minimize future information risks. I have the expert witness experience, technical expertise, business knowledge, and speaking skills, as well as the industry respect and recognition, to help you with your case or incident.

Please contact me and I can help you determine which information security service is best for your organization, as well as provide client references and testimonials, specific pricing for your needs, and even presentation/seminar outlines or sample assessment reports so you'll know what you'll be investing in. See what my clients are saying about me.

Client Testimonials

"A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin's security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing."

(IT managed services firm)