Information Security

Darrell Hill Information Security Services protects the confidentiality, integrity and availability of information. We are uniquely valuable to our clients because of our independent, objective consulting approach and the detailed results we deliver.

Today, the responsibilities of the CIO, CISO and CSO are increasingly complex. Resources are scarce, whether because they are invested in business growth or because costs are being contained. Meanwhile, attackers are active on both sides of your door, outside the organization and within it. Information security is the responsibility of all employees and partners. The call for continuous action is now.

Darrell Hill provides expert information security advice to a range of both private and public sector clients covering all aspects from physical security reviews to compliance with legislation. Key services include:


Asset Assessments

Darrell Hill first seeks to understand the business requirements and culture, and then assists in defining exactly what needs to be protected and how to protect it. Business-critical asset auditing includes the identification and monetary valuation of all business-critical assets. The audit also ascertains the probability of known threats materialising against each asset and ranks the severity of their impact on that asset's productivity.

The resulting data provides not only the cost-benefit of mitigating risks, but also a clear path to qualifying which assets demand immediate risk mitigation. The benefits of this audit are as follows:

  • A clear understanding of the actual value of a given asset - this includes not only the replacement value, but also the value of the asset if it provides direct or indirect revenue.
  • The identification of points-of-failure within a given asset.
  • The identification of unnecessary (or unintentional) redundancy in services.
  • The identification of the need to implement redundancy in services for business continuity.
  • The cost-benefits of mitigating risk.


Risk Assessment

Developing security risk assessments that give a prioritised list of justified actions to improve information security. A Risk Assessment includes the identification and monetary valuation of all business-critical assets. It determines the probability of known threats materialising against individual assets and ranks the severity of their impact on each asset's productivity.

The resulting data provides the cost-benefit of mitigating risks and gives direction on which assets demand immediate risk mitigation. In assessing the threats to your assets, Darrell Hill provides:

  • A clear understanding of the actual value of a given asset - including not only the replacement value, but also the value of the asset if it provides direct or indirect revenue.
  • Cost-benefits of mitigating risk.
  • Identification of points-of-failure within a given asset.
  • Identification of unnecessary (or unintentional) redundancy in services.
  • Identification of the need to implement redundancy for business continuity.


Policies and Procedures

The authoring of security policies and procedures that reflect business practice. Following an organization’s Risk Assessment, developing and then implementing a well-written security policy is essential for personnel to safeguard information assets appropriately. To achieve its security objectives, a successful security policy must document the security-related details of day-to-day operations. An effective security policy should include:

  • Best Practices
  • Management Responsibilities
  • Policy Management Hierarchy

Organizations must also update their security policies as technologies and business practices change and evolve. As of 2009, writing a new policy on employee use of social networking tools is a good example.


Security Awareness and Training

Providing security awareness materials and courses, as well as delivering tailored training for security roles. Security awareness training is a key component of implementing an effective security policy. Darrell Hill provides training in the "best practices" of administrative, physical and technical safeguards.

Through a security e-learning module offered as a web-based training program, employees learn how to thwart ID fraud, inadvertent information disclosure, tampering and more. As part of the training, employees take a brief, randomly generated, 10-question multiple-choice quiz. On finishing, they are immediately told whether they passed or failed. Those who pass receive a company-specific certificate acknowledging their success; those who fail are directed to re-train and re-test. In addition, management can log in to the site and review the training status of each employee.


Information Security Reviews and Audits

Assessing your information security management system against best practice (e.g. ISO 27001) and ensuring compliance with relevant legislation (e.g. the Data Protection Act). Undertaking audits against ISO 27001, as well as developing, mentoring and training internal audit teams.


Physical Security Reviews

Reviewing building and perimeter security against known threats. The Physical Security Assessment provides a comprehensive 33-point guideline for the members of your security team. It covers, among other things:

  • Access authorization
  • Unauthorized viewing of sensitive information
  • File cabinet security
  • Fire suppression
  • Secure media disposal
  • Intrusion detection/prevention
  • Personnel security


Internal/External Vulnerability Assessments

Although related to the Risk Assessment, host and perimeter vulnerability assessments differ in that they evaluate the operating systems and applications actually deployed and identify known vulnerabilities and security configuration issues. All hosts behind the firewall, and the systems that reside on the external network, are quantified in terms of risk level.

The resulting ranking of discovered vulnerabilities and security configuration issues identifies the systems and services that require immediate, secondary and tertiary remediation. The benefits of hiring Darrell Hill to perform this audit are that, in all cases, Darrell Hill Information Security Consultants:

  • Work closely with the client to understand their system characteristics and security policy objectives.
  • Scan for vulnerabilities and security configuration issues, including Active Directory policy and UNIX policy assessments.
  • Analyze scan results, immediately apprise the client of any "extremely critical" vulnerabilities, and correlate any less severe vulnerabilities that, taken together, also present an immediate call to action.
  • Provide concise, highly actionable reports identifying host and perimeter vulnerabilities, stacked from Extremely Critical down to Low (or down to the client's level of interest, or defined "risk threshold").
  • Meet with the client and provide specific consulting recommendations for mitigation and/or remediation of the identified vulnerabilities, increasing system security.
  • Identify unnecessary/redundant (or unintentional) services running on the client’s network.
  • Offer a Vulnerability Life Cycle Plan for the client to follow up on the remediation of vulnerabilities, and subsequent scanning to validate that risk mitigation has been effective.
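The stacking, thresholding and correlation described in the list above can be expressed as a small triage routine. The following is an added example written for this page, not tooling from Darrell Hill or from the original text: the scan findings, the scanner tag vocabulary, the CVSS-to-severity bands and the chain rules are all constructed assumptions for illustration.

```python
"""Stacking and correlating vulnerability-scan findings.

Added example, not tooling from the original page or from Darrell Hill. The
findings, scanner tags, CVSS-to-severity bands and chain rules below are all
constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Severity scale named on the page, most severe first.
SEVERITY_ORDER = ["Extremely Critical", "Critical", "High", "Medium", "Low"]

# Tag combinations that, together on one host, are an immediate call to action
# even though each finding on its own is only Medium or Low (assumed rules).
CHAIN_RULES = [
    (frozenset({"weak-auth", "remote-admin"}),
     "weak credentials on an internet-reachable administrative service"),
    (frozenset({"info-leak", "known-exploit"}),
     "disclosed version matches a publicly exploitable release"),
]

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float          # CVSS base score, 0.0 to 10.0
    tags: frozenset      # scanner labels (assumed vocabulary)

def severity(f):
    """Map a CVSS score onto the page's scale (band boundaries are assumed)."""
    if f.cvss >= 9.0 and "unauthenticated" in f.tags:
        return "Extremely Critical"     # critical impact, no credentials needed
    if f.cvss >= 9.0:
        return "Critical"
    if f.cvss >= 7.0:
        return "High"
    if f.cvss >= 4.0:
        return "Medium"
    return "Low"

def rank(f):
    """Sort key: severity band first, then CVSS score descending."""
    return (SEVERITY_ORDER.index(severity(f)), -f.cvss)

def stack(findings, threshold="Low"):
    """Findings at or above the client's risk threshold, most severe first."""
    cutoff = SEVERITY_ORDER.index(threshold)
    return sorted((f for f in findings if rank(f)[0] <= cutoff), key=rank)

def correlate(findings):
    """Per host, tag combinations from CHAIN_RULES: (host, reason, findings)."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    chains = []
    for host, fs in sorted(by_host.items()):
        host_tags = set().union(*(f.tags for f in fs))
        for needed, reason in CHAIN_RULES:
            if needed <= host_tags:
                chains.append((host, reason, [f for f in fs if f.tags & needed]))
    return chains

def triage(findings, threshold="Low"):
    """Split findings into immediate / secondary / tertiary remediation.

    Assumed mapping: Extremely Critical and Critical, plus anything that is part
    of a chain, are immediate; High is secondary; Medium and Low within the
    threshold are tertiary. Chained findings escalate even when each one alone
    sits below the threshold.
    """
    chains = correlate(findings)
    chained = {f for _, _, fs in chains for f in fs}
    cutoff = SEVERITY_ORDER.index(threshold)
    out = {"immediate": [], "secondary": [], "tertiary": [], "chains": chains}
    for f in sorted(findings, key=rank):
        band = rank(f)[0]
        if f in chained or band <= SEVERITY_ORDER.index("Critical"):
            out["immediate"].append(f)
        elif band > cutoff:
            continue                    # below the client's risk threshold
        elif severity(f) == "High":
            out["secondary"].append(f)
        else:
            out["tertiary"].append(f)
    return out

SAMPLE_FINDINGS = [  # constructed scan output for illustration
    Finding("web01", 443, "Remote code execution in web framework", 9.8,
            frozenset({"unauthenticated", "known-exploit"})),
    Finding("vpn01", 443, "TLS 1.0 enabled on VPN portal", 7.4, frozenset({"crypto"})),
    Finding("db01", 1433, "SQL Server 'sa' account has a weak password", 6.5,
            frozenset({"weak-auth"})),
    Finding("db01", 1433, "SQL Server port reachable from the internet", 5.3,
            frozenset({"remote-admin"})),
    Finding("fs01", 445, "SMB signing not required", 5.3, frozenset({"config"})),
    Finding("mail01", 25, "SMTP banner discloses software version", 2.0,
            frozenset({"info-leak"})),
]

if __name__ == "__main__":
    report = triage(SAMPLE_FINDINGS, threshold="Medium")
    for bucket in ("immediate", "secondary", "tertiary"):
        for f in report[bucket]:
            print(f"{bucket:10} {severity(f):18} {f.host}:{f.port} {f.title}")
```

With the threshold set to Medium, the two Medium findings on db01 would each be tertiary work on their own; because a weak password and an internet-reachable management port are on the same host, the chain rule lifts both into the immediate bucket, which is the correlation the list above describes. The Low banner disclosure on mail01 is dropped by the threshold, but would resurface if a matching known-exploit finding appeared on that host.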

External Penetration Tests 

“Penetration Tests. A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before the attack is identified and assesses the response mechanism’s effectiveness. Because a penetration test seldom is a comprehensive test of the system’s security, it should be combined with other monitoring to validate the effectiveness of the security process.”

Darrell Hill performs penetration tests against servers, firewalls and databases from external locations. We use a battery of commercial and "hacker-grade" tools to attempt to penetrate your defences by exploiting known vulnerabilities and improperly configured systems.

Darrell Hill does NOT install any software, perform any reconfiguration, or remove any sensitive information we may encounter. We provide screenshots of any successful penetration, and you are notified immediately if we identify any critical issues.


Web Site Security Assessments

If you develop, host or own a web application, you need to be aware of the security issues that can affect your business. Any web application that accepts user input is exposed to attacks that abuse that input. SQL injection, for example, turns a crafted input into part of a database query and can force the database to reveal details of its own configuration or to divulge sensitive records; cross-site scripting, by contrast, does not target the database at all but places attacker-supplied script into pages served to your users and runs it in their browsers. Either creates a tremendous liability for the developer and/or owner of the application when the result is the disclosure of financial data, credit card numbers, social security numbers, social insurance numbers or other personally identifiable information.

A web application security assessment exercises your application with crafted inputs and queries, using automated tools as well as manual testing by Darrell Hill security consultants. While the assessment gives valuable insight into the vulnerabilities of your site, remediation of the identified vulnerabilities and a review of the application's source code are highly recommended.

Darrell Hill’s web site security assessments are structured around the OWASP Top Ten list of web application risks.
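To make the distinction between the two attack classes concrete, here is an added example, not code from this page or from Darrell Hill, using Python's built-in sqlite3 module. It shows the same login and search queries written two ways: by string concatenation, where a crafted input bypasses authentication and pulls card numbers out of another table, and as parameterised queries, where the identical input is just a value. It also shows output encoding, the control for cross-site scripting, which works on the HTML sent to the browser rather than on the database. The schema, rows and payloads are constructed for illustration.

```python
"""SQL injection: the vulnerable query beside the parameterised one, plus
output encoding against cross-site scripting.

Added example, not code from the page or from Darrell Hill; the schema, the
rows and the attack payloads are constructed for illustration.
"""
import html
import sqlite3


def make_db():
    """In-memory database with a users table and a separate cards table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, user_id INTEGER, pan TEXT);
        INSERT INTO users VALUES (1, 'alice', 'correct horse'), (2, 'bob', 'hunter2');
        INSERT INTO cards VALUES (1, 1, '4111111111111111'), (2, 2, '5555555555554444');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation, so the input becomes part of the query text.
    A username of  alice' --  comments out the password check entirely."""
    sql = ("SELECT id, username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver sends values separately from the SQL,
    so quotes and comment markers in the input are never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def search_vulnerable(conn, name):
    """A search box built by concatenation: a UNION in the input reads a
    table the query was never meant to touch."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + name + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Same search with the LIKE pattern passed as a bound parameter."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + name + "%",)).fetchall()


def render_greeting(name):
    """Output encoding: untrusted data is escaped at the point it is written
    into HTML, so a stored or reflected script tag is shown as text, not run."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    bypass = ("alice' --", "wrong")
    print("vulnerable login:", login_vulnerable(conn, *bypass))   # [(1, 'alice')]
    print("safe login:      ", login_safe(conn, *bypass))         # []
    dump = "' UNION SELECT pan FROM cards --"
    print("vulnerable search:", search_vulnerable(conn, dump))     # usernames and card numbers
    print("safe search:      ", search_safe(conn, dump))           # []
    print(render_greeting("<script>alert(1)</script>"))
```

The two vulnerable functions fail for the same reason, the database cannot tell where the query ends and the input begins, and the fix is the same in both: bind the value. Note that the safe search still passes the wildcard `%` characters, which is a separate (and far milder) input-handling question from injection. The greeting function is the reason XSS is listed alongside injection on this page despite being a different attack: both are untrusted input reaching an interpreter, the SQL engine in one case and the user's browser in the other.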


Social Engineering

It has been said that amateur hackers attack technical systems, while the real professionals attack through the people. A Social Engineering Assessment is an excellent way to assess both the physical and the information security perimeters, including how employees behave in various "security-centric" situations. Performing a Social Engineering Assessment provides an immediate litmus test of how well your employees understand and abide by your implemented security policies and security awareness training.

As with all assessments, Darrell Hill provides detailed reporting so that an organization can understand current security gaps and continuously improve its Security Policies and its Employee Security Awareness Training. The end result is a better information security program.

 
