Cybersecurity Consulting

Auditing & Mitigation

No organization can be completely secure from all threats, but any business can strive for improvement in that direction. One of the first things you will need is to assess your current risks and identify the low-hanging fruit -- those things that you can do most easily that will significantly reduce your risks.

My most basic offering is a cybersecurity audit that will help you get this process going. I'll visit your location, ask lots of impertinent questions about your IT setup, and help you work through a questionnaire and some worksheets to identify vulnerabilities and threats, and quantify your risks. During the visit, I'll also help you perform some of the easiest and most powerful risk-mitigation measures, such as installing antivirus software, adopting a corporate security policy, or linking your employees to video training.

At the end of my audit, you'll receive a detailed report assessing your cybersecurity situation based on the NIST standards, and a prioritized list of recommendations for further risk mitigation. This will be something you can show to your insurance agency, your customers, your investors, or other business partners; and if you repeat it a year later, you'll have concrete evidence of improvement.

Secure Coding

One of the easiest things to get wrong in application development is security. Web and mobile apps that are coded quickly often leave the door open to hackers, pranksters, and other malevolent forces such as spam. As a veteran developer, PhD, and certified cybersecurity pro, I can help you find and plug vulnerabilities like these:

• SQL injection attacks that expose or damage your database
• Cross-site scripting and clickjacking attacks on your users
• Cross-site request forgery hacks that leverage other sites to compromise yours
• Rookie mistakes like insecure protocols and plaintext passwords

If you're hiring me as a software developer, all the code I'll write for you is designed with security built in. However, I can also help with code written by others. If you'd like to make sure your applications are secure, I would be happy to to review your code, give your IT department a second opinion, or add new security controls to an existing codebase. My skills are sharpest in the Java, Python, and JavaScript languages, although I have worked with many others.

Employee & Manager Training

Many of the most damaging "hacks" target your employees first, their computers second. A fraudulent e-mail may trick you into clicking on a link that downloads malware, or a voice on the phone claiming to be from the IT department may trick you into giving up your password (these are known as "phishing" attacks). The best way to prevent these "social engineering" attacks is by training employees. As a Ph.D. and former faculty member at Arizona State and UMaine, training is one of my greatest strengths.

As with other aspects of cybersecurity, there is a lot of low-hanging fruit. I can offer a half-day seminar to a pretty large group that will raise awareness of the most significant threats and arm your employees with tools and strategies to prevent many of the most common "hacks". This will improve your cybersecurity audit result and may be the minimum expected by your insurance company, investors, for government contracts, etc.

If that doesn't meet your needs, we could scale it up or down. I could design a multi-day training series with hands-on activities to prepare your team for the worst that could happen, including simulated incident response procedures and/or disaster recovery plans. Or going the other direction, I could set up watch-at-your-own-pace video training and give you reports on who has watched which lessons.

Ongoing Monitoring

There are many levels of continuous monitoring of your cybersecurity situation possible. On the technical side, I could monitor your security logs, including firewalls and intrusion detection systems, remotely from my office and give you regular reports. On the organizational side, I can set up video training and monitor employee participation, as well as regularly checking compliance with password policies and the like.

There are also a number of third-party tools I can set up for your organization. For example, a dark-web scan keeps an eye on some of the seedy anonymous websites where identity theft occurs, and can alert us if any of your employees' usernames and passwords come up for sale. The value of tools like this is well above their price, if only you have an experienced professional to configure them for you.