Jeff Bowers is one of our IT professionals with a unique background: he's a Certified Ethical Hacker, MBA and an IT networking professional. His area of expertise is in Network Assessments and Data Security. We sat down with Jeff recently to ask him some questions about assessing data and network security.
Data security is a challenging and delicate area. What are your credentials that have made you successful in this field?
JB: I have field experience from a variety of previous jobs, along with some specialized certifications. I gained a lot of experience in my roles as an IT Auditor, a Systems Analyst and as an Information Security Analyst. I was also the Information Security Officer of a very large ($2B) financial services company.
As for my technical skills, I have two highly sought-after certifications in the information security field. I hold the Certified Information Systems Security Professional (CISSP) designation from ISC(2). I am also a Certified Ethical Hacker (C|EH), a certification sponsored by the EC Council.
My background in information security includes developing the matrix used to assess the level of security on the network by utilizing standards and guidelines from ISO 27001, NIST and industry best practices. It also includes configuring firewalls, routers, servers, workstations and group policies to meet the stringent guidelines of various regulatory bodies as well as accepted industry standards. My experience includes not only the configuration of network and server equipment but also the assessment of the security controls.
Being a Certified Ethical Hacker sounds intriguing, but how do you apply those skills to clients today?
JB: My expertise as a Certified Ethical Hacker has provided the professional training and technical expertise to perform very in-depth network security assessments for a wide range of industries.
Utilizing a multitude of tools, I gather information on network topology, penetration testing, social engineering and vulnerability exploitation. I can develop a methodology of assessing a network ranging from a complete black box assessment to a full disclosure white box assessment.
What’s a black box assessment or a white box assessment and what’s the difference?
JB: To explain the difference, a black box assessment is done with zero input from the customer other than the name of the company; the typical goal for this type of assessment is to gain access to the internal network of the client. The assessment in this case will end upon successful penetration of the client network.
A white box assessment is the complete opposite. This type of assessment involves full disclosure from the client to include access to the internal network via an onsite visit and/or a computer setup onsite to allow remote access. This type of assessment is usually done to assess the level of security of the network with no penetration testing. There are various levels of assessments in between the two extremes, which is where most client assessments will fall. The length of time for a black box assessment is typically much longer than a white box assessment. The increased length of time is due to the level of information gathering that is necessary. A fully documented summary of the findings, methodology and the steps required to better secure the network will be provided to the client upon completion of the assessment.
What is the number one issue you see unaddressed in organizations large and small when it comes to data security?
JB: I think the number one issue unaddressed in most organizations is data integrity. When I say data integrity, I am referring to how the organization is able to ensure that the data they rely on to run and operate their business is properly secured. This ranges from their accounting software to proprietary formulas to the data that is used to drive the organization's business decisions. Improperly secured data could lead to significant financial loss for any business. Enabling proper access controls to the data can help mitigate this risk.
Do you only help really large organizations that are heavily regulated?
JB: Organizations large and small, heavily regulated and not, all have the potential for loss due to a lack of proper controls. Proper security controls are not just a good practice for large, highly regulated organizations. All organizations need to ensure that they have the proper security controls in place to prevent potential business-ending losses due to a data leak.