Month: November 2018

Todd Salmon joins NotSoSecure to drive US growth

Industry expert joins leading penetration testing and ethical hacking company to fuel continued expansion.

Leading ethical hacking and penetration testing company NotSoSecure, part of the Claranet Group, has announced the appointment of security industry veteran Todd Salmon as Executive Vice President (US) to expand North American operations. In his new role with NotSoSecure, Todd will be responsible for the day-to-day operations in the US, as well as supporting global collaboration within the Claranet Cyber Security portfolio.

Todd brings nearly three decades of executive leadership and management experience providing information security and technical solutions to all the major vertical markets, and he has a proven track record of building and running successful professional services organisations for both the public and private sectors.

Most recently, Todd was a partner in the start-up Stack Titan where he served as Chief Operations Officer. Prior to this he spent eight years as the Vice President of Optiv/FishNet Security’s Attack & Penetration Practice. During that time, Todd grew their Security Assessments line of business significantly.

The appointment follows the launch of Claranet’s Cyber Security unit, which combines the pioneering penetration testing and managed security service capabilities of Sec-1 and NotSoSecure, and the training competencies of NotSoSecure – one of the largest training partners of the globally acclaimed Black Hat conferences. The new unit ensures that the capabilities of both companies are aligned in a way that offers the best range of security services to customers within the existing Claranet footprint and around the world.

Commenting on the appointment, Dan Haagman, Director of Security Services at NotSoSecure said:

“In all his prior roles Todd has led from the front and, as a result of his dedication to client satisfaction, tireless coaching and mentoring of colleagues, and laser focus on quality, he has left a track record of success everywhere he’s been. That is why I am delighted that he has joined NotSoSecure to help us grow our North American operations. We already have a loyal and engaged customer base in the US but we believe we are just scratching the surface. Bringing Todd on board is a sign of our intent and belief that we are in a strong position to help more customers in the US with security testing, training, and managed services.”

Todd Salmon added:

“Despite its relatively small size, NotSoSecure punches far above its weight in the pen testing and security training industry and its consultants are world-renowned for their expertise. I’m therefore excited to be joining NotSoSecure and the wider Claranet Cyber Security Services Group as we build the business while we continue to meet the evolving needs of our existing customers.”

Human error is to blame for poor cloud security, not the infrastructure itself, warns Claranet

Global technology services provider points to automation and fully-accredited partners as the way to avoid cloud security vulnerabilities.

A lack of knowledge and an overreliance on manual change processes is leading many businesses to jeopardise the security of their cloud deployments, global technology services provider Claranet warns today.

The warning follows the launch of a report published by McAfee this week, which found that the average business has approximately 14 improperly configured IaaS instances running at any given time and that roughly one in every 20 AWS S3 buckets is left wide open to the public internet. Additionally, researchers estimate that roughly 5.5 per cent of all AWS S3 storage instances are in a “world read” setting, allowing anyone who knows the address of the S3 bucket to see its contents.

Commenting on the findings, Steve Smith, Senior Site Reliability Engineer and AWS Team Lead at Claranet, said:

“The cloud security challenges highlighted in this report have little to do with the platform itself, but everything to do with the people using it and, in our experience, people are the biggest weakness here. The major cloud providers like AWS set a lot of sensible defaults designed to support configuration – for example, S3 buckets are now private by default – but unfortunately, it’s very easy to get things wrong if you don’t know how to use the platform.”

“We’ve seen many AWS configurations that end-user businesses have developed themselves or have worked with partners that don’t have the right experience, and, frankly, the configurations can be all over the place. When internal IT teams create these environments themselves, mistakes can occur when they don’t have the depth of knowledge or experience to follow best practice.”

“A click of a button or slight configuration change can have a major impact on your security posture, so it’s important to get a firm grip of the access controls and have safeguards in place to catch mistakes before they hit the production environment.”

“Developing infrastructure as code – effectively, templated scripts that will create infrastructure in any public cloud environment – helps here because it makes it more difficult for mistakes to occur. Any changes in the code need to be peer-reviewed in the development lifecycle, making it much less likely that errors will make it out to the production environment and ensuring that any changes can be tracked and audited. In addition, it’s also good practice to run that code from a centralised location – some kind of CI/CD server, for example – so that only that machine can make configuration changes and there’s no way to make changes manually.”

Steve concluded by stating that AWS’s Well-Architected Framework, a programme designed to help AWS users build the most secure, high-performing, resilient, and efficient infrastructure for their applications, is a key way that users can secure peace of mind about their cloud deployments.

“AWS has set up a review scheme, the AWS Well-Architected Framework, to help address these very issues and provide users with the assurance that everything is configured securely and as it should be. Qualified AWS partners can conduct comprehensive and free reviews of existing AWS architectures, checking things like access policies and change processes, and advise on the best way forward to safeguard security.”
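The “world read” setting the McAfee figures describe, and the access-policy check Steve mentions, can be turned into a mechanical test that runs in the peer-review or CI/CD step he recommends. The following is an added example, not Claranet’s or AWS’s code: it inspects an S3 bucket policy document and a GetBucketAcl-style grant list (both constructed here) for anonymous read access, and separates unconditional exposure from statements whose Condition block may legitimately narrow the principal.

```python
# Added example, not Claranet or AWS code; the policy and ACL below are constructed.
import json
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}  # actions that read object data
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principal_is_anonymous(principal):
    # "Principal": "*" or {"AWS": "*"} (possibly inside a list) means everyone.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def public_read_statements(policy_json):
    """Return {'open': [Sids], 'conditional': [Sids]} for Allow statements granting
    object reads to an anonymous principal. Statements with a Condition block are
    listed separately: a key like aws:SourceVpce may narrow who "*" really is."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    result = {"open": [], "conditional": []}
    for st in statements:
        if (st.get("Effect") == "Allow"
                and _principal_is_anonymous(st.get("Principal"))
                and any(a.lower() in READ_ACTIONS for a in _as_list(st.get("Action")))):
            result["conditional" if st.get("Condition") else "open"].append(st.get("Sid", "<no Sid>"))
    return result

def public_acl_grants(acl_json):
    """Return (group URI, permission) for GetBucketAcl-style grants that give READ
    or FULL_CONTROL to the AllUsers / AuthenticatedUsers groups."""
    return [(g["Grantee"].get("URI"), g["Permission"])
            for g in json.loads(acl_json).get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g["Permission"] in ("READ", "FULL_CONTROL")]

# Constructed sample: a world-read statement, a VPC-endpoint-scoped one, and a
# Deny (block non-TLS) whose "*" principal must not be reported.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "WorldRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
SAMPLE_ACL = json.dumps({"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]})
```

Run against the sample, `public_read_statements` reports `WorldRead` as open and `VpceOnly` as conditional, and `public_acl_grants` flags the AllUsers READ grant; the Deny statement is ignored despite its `*` principal.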