Looking for Leading-Edge Consulting?

Cost effective information risk management cannot be achieved with CISSPs and products (i.e. today's genre of expensive, all-in-one magic boxes).

We have 10-plus years' experience of success stories with global Fortune 500s, plus the foundation of another 10 years' practical IT experience. Real practical knowledge and experience are required to deliver real, cost-effective security, AND to empower clients to implement future-proofed practices.

Information security is complex, but with our experience we can assemble the pieces of the puzzle. Our methods may be seen as unorthodox. If you are not ready to do things differently in security, you need not read on...because we are committed to delivering value, and that requires a new approach.


Seven Stones' Ethos

Our market position is at the higher end of the consulting spectrum.

We are totally committed to delivering value for investment. It is not in our interests to merely help clients pass their audits, or just cover little pieces of ad hoc security in "islands" around the network. We can help you to pass your audit, but just passing the audit does not give you value for money. We are not in the business of wasting our clients' investments.

For more details of how we engage with clients, check here. Some of our services are mentioned below, and our full service portfolio is here. Alternatively contact us for a meeting or more details.

Architecture

This service varies from client to client, as it depends very much on the maturity of existing controls.

This is usually the service which we need to perform as a first step. In summary, it's an information gathering workshop and it allows us to learn how we can best deliver value for our clients.

For more details, please consult our terms of engagement and service portfolio.

Vulnerability Assessment

When you see this title you probably think in terms of penetration testing. The reality, though, is that penetration testing, even when delivered properly (i.e. not using automated scanners, and with all testing restrictions removed), doesn't lend itself to cost-effectiveness.

Generally, we only deliver these services when we are sure the clients' investment is justified in terms of risk. For more details please review our engagement terms, and service portfolio.


Corporate Policies

At Seven Stones, we have no interest in consulting or delivering for clients if the recommendations we make are likely to be implemented, but then forgotten after a change of staff, or just with the passage of time.

Policies and standards (an ISO 27001-based baseline policy, plus technical build standards) are very important, not least for helping to ensure that improved processes and practices are "carved in stone".

Incident Response

Incident response, and the whole area of best practices in incident management, are complex. If you think it's simple, then you probably don't have effective processes.

We have a track record of having dealt in this area with large firms in transport and finance, and we know what works in practice, as opposed to just theory.

For more details on our offering in incident response, click here.

Seven Stones Weblog...Latest

The Joy Of Web Apps Scanners

Post Date: 2010-08-31 14:04:35

I recently came across one of the more apt descriptions/critiques of commercial automated web applications scanners. Other reviews I have read tend to make a lot of generalisations and the number 50 is nearly always quoted in there somewhere (as in 50% accuracy in the results).

Really, the results are in ALL cases less than half-right. The reason this fact is not better known is that there are so few analysts who really understand web app vulnerabilities - they didn't even go through the WebGoat tutorial. Also, the commercial product vendors don't want you to know how ineffective their product is.

The other, less well-known reason is that whenever a skilled tester goes to her boss and complains about autotragic web apps testing tools, her boss does not trust her reasoning (as in the old Luddite mindset, protecting jobs, etc.).

Michal Zalewski is the author of Silence On The Wire, and the blog entry is here.

Latest OSVDB Vulnerabilities

http://osvdb.org

Most recent post: 09/04/2010

Microsoft Windows Media Encoder Path Subversion Arbitrary DLL Injection Code Execution

Microsoft Windows SDK for Windows 7 / .NET Framework 4 GraphEdit Path Subversion Arbitrary DLL Injection Code Execution

PGP Desktop Path Subversion Arbitrary DLL Injection Code Execution

KeePass Password Safe Path Subversion Arbitrary DLL Injection Code Execution

Pixia Path Subversion Arbitrary DLL Injection Code Execution

Pthreads-win32 Path Subversion Arbitrary DLL Injection Code Execution

Hitachi JP1/Desktop Navigation Unspecified Cluster Environment DoS

Network Security Services (NSS) Certificate IP Address Wildcard Matching Weakness