I am an entrepreneur and a Certified Information System Auditor focused on information security with more than 8 years of experience in the field.
Pentesting is the process used by some professional hackers to find security weaknesses on your systems. The hacker should ethically identify and exploit these vulnerabilities and make a report.
The process usually start where most of the companies ends, with a vulnerability assessment. It consist on identify the vulnerabilities.
My pentest is not an scanner report
Scanners are not the pinnacle of security auditing. Much of the work that I do is to complement them identifying vulnerabilities that scanners does not, and re-evaluating others that scanners have identified before.
After you identify vulnerabilities, a proof of concept is done, and after that, I start a process called Navigation. Navigation is much more like an APT (advanced persistent threat). I usually “navigate” into the compromised systems in order to compromise other systems. That’s because vulnerabilities does not only resides in software. Weak passwords, weak security designs, and human factors could compromise your security.
You need to understand how far the attacker can reach into your network. That’s why we do pentesting.
And that’s why I prefer the double blinded blackbox. As a security administrator or maybe the system administrator, we are aware and in known of our own vulnerabilities (eg. we need to apply the patches, change password, etc), however, we are not usually fully aware about how far a vulnerability can harm us. This work is all about that. teaching us the the importance of being secured before an enemy could compromise us.
At the end, I make recommendations adapted to your current situation having in mind the associated cost for remediation and enabling yourself to start fixing the most dangerous problems first.
Security Hardening / Bastion Host
In first place, auditory and hardening are mutually exclusive (CISA). If you opt for hardening, I won’t be able to carry the security auditory. So basically, what I do hardening your systems is:
- Identifying the system and their functionalities
- Identifying the possible threats
- Identifying the possible vulnerabilities
- Improving the configuration in favor of security
- Installing and configuring additional software to prevent and react against attacks
- Doing tests to check that the system is working ok after the patching
Actually I’m expert doing this to windows and Linux systems.
I also have deployed systems and networks from the beginning:
- Secured virtualization environments (With libvirtd)
- Secure Hardened Servers: (Mailservers, webservers, database servers, git servers, messaging servers)
- Linux based Firewalls (advanced routing + iptables)
- Applied Cryptography
- Linux based VPN
- Secure Hardened Desktops
- IDS/IPS (Host based and network based)
** If it’s well configured, with an average i5 physical processor, you can actually hold a mid-size whole secured network infrastructure with very good response times which can serve hundred of clients.
Currently, I hold more than 40 consulting services done in the field of information security with a high rate of success. I’ve successfully exploited public exposed systems which remained unexploited for more than 10 years valued in million of dollars, I also developed 0days and software in the field.
- Experience: more than 8 years
- High Level Clients experience: Banks, Central banks, Insurance companies, Governments
- Skills: Auditory, Hacking, low-level to high-level development (ASM,C/C++,Java), Networking, *nix (linux/bsd)
- Certifications: CISA (I know how to make an audit), ITILv3 (I know how to be compatible with your organization)
How to contract my services?
I work for many pentesting companies in different countries, you can contact me, and depending on your location and your preferences, I will refer you to them in order to work together, or we can agree to work directly.
Your location does not matter, We can agree to start a pentest by VPN, or if you want, I’m able to travel there.
I have my own strong ethic code based in values. This business is based on trust, then, I’m rejecting any ilicit proposal. Before trying to offer me any parallel business, read this before: ** If I wanted to be millionaire by hacking, I could do it alone and by myself. Not with you **
I love cutting edge technologies, and I don’t believe in borders, restrictions and so.
So I’m available to work for bitcoins/litecoins. 😉