Social engineering is a specialized form of penetration testing that simulates an attack vector targeting the human element of an organization’s security program. Chris has years of social engineering experience in professional settings as well as in competition — two second-place finishes and one fourth-place finish in Social Engineering Capture the Flag competitions. Most recently, Chris won the SECTF at Def Con 24 and was awarded a Black Badge (free lifetime admission). While traditional social engineering tests normally include only the general user community, Chris prefers to include IT support areas and executive staff as well, since those groups represent more risk to the organization due to their roles and access.
CG Silvers Consulting provides pragmatic, hard-hitting security awareness in a customized setting. It’s common for employees, executives and IT staff alike to doze off when the security awareness training they receive is just like any other. CG Silvers Consulting delivers something different. We engage our audience with hands-on demonstrations and stories from our years of experience, administering eye-opening lessons that stick with our students. Audiences come away from security awareness sessions with a set of concrete skills that enable them to play an active role in the security of the company.
Many in the security industry believe that network penetration testing has become a commodity service. While organizations seeking these services merely to satisfy a compliance goal may need only a “check the box” assessment, other organizations are finding that this cookie-cutter approach provides them very little value. Our approach to penetration testing is similar to our approach to social engineering: while finding and exploiting vulnerabilities is important, what’s more useful is testing a client’s monitoring, detection and response processes. A vulnerability that is discovered and exploited without the organization detecting the testing activity represents a much larger risk than one exploited after the tester has been detected. While any vulnerability should be addressed, those that can be exploited without detection should be given a higher priority. The reason most penetration testers fail to simulate this threat is that they run out of patience and become too “noisy” on the network. Chris’s experience as a network security analyst and founding member of a nationwide red team has taught him how to exploit vulnerabilities and misconfigurations in a stealthier manner that avoids detection. Being a more mature, patient individual also contributes to his success in these exercises.
Risk and Compliance
Leveraging a wide range of professional experience that includes mail-order retail, contract services, financial services, and corporate mergers, CG Silvers Consulting brings a unique understanding of business realities to risk and compliance consulting. Specializing in the NIST, PCI, HIPAA, and SANS risk frameworks, we apply the intent of each control to enable our clients to implement creative solutions that do not compromise their ability to maximize company success. For example, while conducting a PCI DSS gap assessment, the client expressed concerns over forcing employees to remember passwords that contained uppercase letters, lowercase letters, and numbers. By interpreting the intent of the password requirements, CG Silvers Consulting was able to advise the client to use longer passwords without complexity requirements. Since this met the intent of the control (strong password entropy), it satisfied the requirement.