Yes, you read that right - we at True Digital Security are offering free information security assessments. Because I'm feeling generous today, I won't even require you to participate in the information gathering process. No interviews. No policy gathering. No effort on your part beyond reading the final report. Do I have your attention?
One of the core services we at True Digital Security offer is a comprehensive information security assessment. For the purposes of standardization and international acceptability, we base our assessments on the international standard ISO/IEC 27002 (which expands to International Organization for Standardization/International Electrotechnical Commission, if you're interested). The assessment process is intense because we are investigating a wide range of procedural, physical, and technical security controls and evaluating them against the standard.
Every organization we work with is different. They all have a unique combination of strengths, technology, industry struggles, personnel backgrounds? I could go on and on. We have identified an interesting trend, however, in that there are several areas we analyze in which many of the organizations we've worked with struggle. I decided I would do the corporate community and our analysts a favor by filling you in on some of these areas.
My hope is that by giving you this information, we can collectively work to raise the bar of security so that you're more secure and we don't have to report on different variations of the same issues over and over again. In order for True to maintain some resemblance to a profit-seeking company, I'm going to make this a series instead of giving it to you all at once. We're generous, but we're not crazy! So, without further ado, here is the first section of your "Final ?We Look Like Everyone Else' Information Security Assessment Report."
Section X.X.X.X: Technical Vulnerability Management
Summary of Findings:
...
"One of the most critical categories of vulnerabilities relates to SQL Servers on the internal network. Many of these are missing the latest service packs and patches. As a result, the information in these databases is vulnerable to disclosure to an unintended party. In addition, some of these vulnerabilities could be used to gain a foothold on the host, which could allow an attacker to elevate his privileges on that host or the network."
...
Recommendations:
"Please, please, please patch your database servers and change their default credentials," (paraphrase mine).