Home

Intro

You’ve arrived here because you realise you need some help with your information and cyber security, so let’s skip the part where we tell you what security is and head straight to the bits that matter when finding help.

We can help you develop your organisation’s security in multiple ways: by educating those involved, whether that be management or technical staff; by assessing the technology you have and discovering weaknesses; and by making recommendations on how you can improve.  We do all this whilst making sure that the context of your organisation is dead-centre, meaning that you get advice and analysis that actually makes sense for the level of risk, budget, and regulatory and contractual obligations you have.

We try not to work with companies once: by working with us over a longer period of time, the benefits are better distributed throughout the organisation in a cost-effective manner.  This is because the principles of what we teach and the vulnerabilities we uncover can be applied many times on many different systems – there is little point in us telling you approximately the same thing multiple times.

Capabilities

We are an information and cyber security consultancy – our business cards say “Consultant Hacker” on them.  We do cool things with awesome tech whenever possible; however, we also know that the vast majority of what needs protecting is actually normal stuff for businesses far and wide.  The information and cyber security industry is full of people who want to do cool things with awesome tech, but from our experience, we know that the money to do cool things with awesome tech has to come from somewhere.  That’s the real reason you should speak with us: we will work with you to determine the best course of action for your security and budgetary requirements now and into the future.  We won’t sell you the most expensive services unless you have established your basics first.  Each security testing programme is tailor-made to your organisation’s context and is always designed to help you build your organisation’s information and cyber security at an achievable pace.

The following are some of the things that you can pay us to do:

  • Vulnerability assessments
  • Network segmentation and segregation testing
  • Wireless network security testing
  • Internal and external infrastructure penetration tests
  • Web site and web application penetration tests
  • VOIP security testing
  • Digital social engineering
  • Physical social engineering
  • Open Source Intelligence (OSINT)
  • Adversarial and non-adversarial red-teaming
  • Mobile app penetration tests
  • API penetration tests
  • Code review
  • Host configuration review
  • Exploit research and development
  • PCI-DSS consultancy
  • ISO 27001 consultancy and internal audits

Targets

Every person, every computer, every digital service and every organisation from every country on this planet (and those in orbit) is a target.  That’s because, by volume, the majority of cyber attacks world-wide are launched in an untargeted fashion.  It is also why we work with any organisation, regardless of size, industry and risk-levels: they all need protecting.

Think about phishing emails: most of these are “trawler net phishing”.  This is the practice of sending a broad attack to millions, if not hundreds of millions, of potential victims.  This is the tactic that is deployed the most and it works for the attackers, simply because they only need to convert a small percentage from being potential victims to being actual victims.  Let’s do some back-of-a-receipt maths: 100,000,000 emails sent, with a tiny success rate of 0.0001%, that equals 10,000 victims.  In recent times, crypto-locker attackers were asking for around £200 to decrypt your files – let’s say only half of those people actually paid up, that means they could potentially walk away with £1,000,000.  Not bad for a couple of months’ work, eh?

It is understandable, then, when information and cyber security professionals say that the very concept that an organisation doesn’t have anything worth targeting, so it doesn’t need to “do security”, is a fundamental misunderstanding of how cyber attacks come to be.  If you have any doubt about your information and cyber security defensive capabilities, pick up the phone and call us: let’s work it out together.

Confidence inspiring

We are freelance cyber security consultants who specialise in penetration testing.  Between us, we have many years’ experience in the field and our testing work has covered web applications, smart device applications, and infrastructure, as well as digital and physical social engineering and bigger full-spectrum red-teaming exercises. In addition to our technical testing work, we can also draw from skills as qualified ISO 27001 Lead Auditors and as Payment Card Industry Qualified Security Assessors (PCI-QSAs).  These last two items aren’t our favourite work; however, we think it is important to gain these skills to enhance PCI Req 11.3 penetration tests and to make sure that all our work deals with risk levels and business decision processes in an accurate and useful manner.

Some would call us “sad” – typically we’ve been programming since we were less than ten years old and we tend to have the slightly clichéd teenage experience of going to secondary school and challenging the security capabilities of computer systems there.  We even have team lead skills where small sub-teams would attack a particularly large or complex target.  Jobs before being a penetration tester were pretty typical IT jobs; thankfully we could often convert these positions into security work, for example as a cyber security engineer at a boutique ISP, cloud services provider and software house.  Some of us are very academic too: for example, one of us is fortunate enough to have completed an MSc in Software and Systems Security at the University of Oxford (achieving a distinction grade both in the eyes of the university and those of GCHQ as they accredited the course, but we don’t talk about that as they might get a big head).  It is important to constantly develop your skill set as a penetration tester, so we all have our own little mini crusade to gain further training and qualifications, and even go on to co-author books on penetration testing.  We tend to hang out at conferences whenever possible as well, sometimes the huge holiday-style ones like DEFCON Vegas, but other times little tiny ones like B-Sides.

Our work has taken us to many international destinations and the clients have ranged from small independent organisations to large multinationals and everything in between. These organisations have been in a diverse range of sectors, notably including: finance; legal; property; banking; insurance; travel; technology; education; manufacturing; and medicine.  No task is too great or too small – though the more interesting and engaging the better!

Contact

Assuming for a moment that you want to get hold of me, these are some of the methods you could try:

Email us: helpme@yg.ht
(Yes, that is a real email address!)

If you need to use secure emails, you can email the above address, but encrypt your message using GPG or PGP.  The below is one of the public encryption keys you could use to do that:

GPG public key ID: 0x4B2F12C41DFAA29B

You can also find this key on Keybase: https://keybase.io/felixrr

If it proves high in demand or an apocalyptic event occurs, I will get out the CB radio.  I don’t yet have a fleet of carrier pigeons but this could also be arranged.
