Preemptive analysis, consulting, and planning

Why Wakefield Cybersecurity?

Posted July 23, 2018 by Marc Abel

I founded Wakefield Cybersecurity because I care intensely about the economic prosperity and security of the Miami Valley of Ohio. The viability and stability of our region's businesses is under attack, and demand for the gifts and grit to defeat our adversaries has never been stronger.

My name is Marc Abel, and I work with the best team in the world—your team. I am a one-man show, filling the roles of lever, facilitator, mentor, liberator, and partner. I have no business competition: the desire and talent we have working in our region is spread very thinly. I don't want Wakefield Cybersecurity to grow in number. Instead, I want to see more cybersecurity firms choose the Miami Valley for their home.

Although I welcome the growth we are seeing in Wakefield's industry, growth alone will not meet the information security needs of Western Ohio business. Diversity, insight, and intellect are each as important as having an army of ready responders:

There was a little city, and few men within it;
and there came a great king against it,
and besieged it,
and built great bulwarks against it:
Now there was found in it a poor wise man,
and he by his wisdom delivered the city;

I have been around the contracting block enough times to deeply appreciate the authority and integrity which frequently distinguish single-employee providers. I have no boss, and I have no quotas. There are no policies to artificially restrict how helpful or forthcoming I can be, nor any coworkers whose occasional slips I am expected to let slide past.

I have the freedom to say when a newly uncovered requirement won't cost you more, because I already anticipated it; the freedom to recommend a colleague who would be preferable for a given project; the freedom to guarantee a refund if I can't deliver as I stated in a contract. So shop around! In the inevitable situations where you select a non-Wakefield vendor, I hope you'll introduce us. We're here for the same reasons.

Wakefield's strengths and services

Posted July 23, 2018 by Marc Abel

Wakefield is a generalist consultancy. I would much rather be still and listen to you talk about your team, your goals, and your information security concerns than squander your time listing tangential or inconsequential skills and achievements. Until we can have this conversation, here is a little about what I do at Wakefield.

  • I specialize in anticipatory, defensive countermeasures against unknown threats and future vulnerabilities.
  • Risk assessment and treatment objectives are client-driven, unless a specific information security management system, industry standard, or regulatory requirement is being adopted.
  • I empower your team to develop and use in-house capabilities so that your front-line defenders are technically astute, aligned with your interests, capably advised, and attentive toward fiscal outcomes.

Here are some of the tools of the trade that we may use in the course of working together. Some of my peers might describe these as the services that they offer; however, I prefer to define my services in terms of measurable, intentional improvements to information security. But to reassure you that I have heard of and "offer" these controls, here is a list:

  • advanced persistent threat countermeasures
  • archive and backup planning
  • application and system testing
  • COBOL and legacy system retirement
  • compliance audits
  • configuration management
  • cryptographic process design and validation
  • design review
  • document control
  • documentation writing
  • embedded device and Internet of Things safety
  • email hardening
  • evidence collection and preservation
  • information security management system (ISMS) deployment
  • litigation research and expert testimony
  • medical equipment and implantable device assurance
  • metadata privacy
  • monitoring and logging
  • network and firewall evaluation and planning
  • operational software packaging and controls
  • physical security planning and assessment
  • policy development
  • record protection
  • regression testing
  • reimplementation of problematic systems
  • risk identification and assessment
  • second opinions
  • secure monitoring and logging
  • selection of infrastructure components
  • software quality assurance
  • source code reviews
  • source code security audits
  • tamper indication
  • training and public speaking
  • vendor evaluation and management
  • virtual private networks
  • vulnerability assessment
  • year 2000, 2036, and 2038 remediation

The upshot of all this is that I look forward to our conversation about your information security concerns, uncertainties, and questions. It doesn't matter whether or not you're ready to move forward with a project, if you have already signed with one of my peers, or if you're worried about showing a lack of knowledge about any topic. Great collaborations spring from small conversations.

Areas of weakness and skepticism

Posted July 23, 2018 by Marc Abel

Wakefield is a local business, and a high priority of mine is getting you to the right help expediently. So here are a few scenarios where I welcome your inquiries and will assist to the extent that I can, yet might sometimes direct you to another place:

  • device unlocking
  • forensic analysis
  • incident response
  • penetration testing
  • security as a service

Device unlocking comes with ethical considerations that are best handled by another supplier. Earlier on this page, I noted that I specialize in defensive countermeasures. That is to say, I am here on behalf of everyone. There is no way I can know in advance whose device I might be unlocking or what consequences might ensue.

Forensic analysis is highly automated and specialized. If you want findings that will carry a jury through a trial, an expert generalist is not your best option. If you have suffered a breach, there is no guarantee that the evidence left behind, assuming there is any, will be conclusive and dependable. Frankly, I'm a little amazed at the high percentage of cases investigators claim to "solve." I view news reports as to how breaches occurred with skepticism, as I do reports as to who was responsible or their national origin. This is another reason why you wouldn't want me as a prosecution witness: I would be too noticing of and candid about weaknesses in your evidence.

Incident response generally has an urgency involved that would make my business too expensive or too uncertain. This is especially true if you need hundreds of workstations returned to service before your next shift begins. Consider looking at national and multinational firms who have responded to hundreds of incidents and have the personnel available to knock out your project right now.

With penetration testing, I hardly know where to start with my many misgivings. One is that, as with device unlocking, I have no way to identify whose system I am attacking. The tests involved may indeed be pointed at a client machine, but that machine can forward my attacks to any computer on the Internet. Second, I stated previously that I specialize in unknown threats and future vulnerabilities. Penetration testing only looks for known threats and yesterday's vulnerabilities. Penetration testing is as polar as Russian-meddled American politics: either an attack succeeds or it doesn't, and neither outcome says anything constructive.

The ends don't justify the means. If a penetration test exposes a vulnerability, chances are stellar that any reasonable security assessment would have exposed the same vulnerability and many others without the test. If a penetration test finds no vulnerabilities, a completely false sense and perspective of security is entertained. Lastly for now, penetration testing encourages a "race to the bottom" in terms of security vendors, where automated checks or scantily trained personnel are represented as expert guides.

If you want to run some automated tests as an audit control, by all means do. But I would view automatic "script kiddie" penetration testing in the same category as I do regression test cases for ineptly written software modules. Just as well-designed, well-implemented, well-understood software doesn't need every possible regression test run against it, equally well-designed, well-implemented, well-understood computer security components don't need much in the way of penetration testing either. On the other hand, poorly-made computer security components don't need penetration testing or even bug fixes. They need replaced.

Security as a service is essentially the opposite of Wakefield's business model. I'm not here to run or otherwise take over your security. Wakefield's commitment is to help you use your own team effectively, efficiently, and economically. Moreover, think about classic non-computing security services, which can only offer perimeter security up front and armed response after losses have already occurred. Cybersecurity as a service has these same limitations: firewalls, network monitors, and auditors are stationed around brittle assets, hourly fees are paid, and everyone hopes the attacker isn't too heavily armed, too unusually clever, or already on the victim's payroll.

Although I don't offer security as a service, penetration testing, incident response, forensics, and device unlocking as a rule, there are situations where you might have related questions. You might need, for example, network monitoring with 24-hour staffing. Someone might call that "security as a service," while I call it "network monitoring with 24-hour staffing." Here again, I'm happy for us to talk through your situation and at a minimum share a few thoughts as to how you might begin.

Wakefield Cybersecurity LLC
Wake secure℠