uk cybersecurity

[Gyumri]

I think fraud prevention is viable. I would write to some fairly important companies but with a letter head design and name that looks challenging - like "Killjoy." And with a hammer and sickle image that looks threatening and distinctly Russian.

I don't think Killnet would sue you for defamation but the letter needs to put the recipient on notice that you intend to hack into their computer system.

After you've got their attention you can then introduce your charges and explain that your hacking will only be with their consent and with the aim of assisting them to secure their systems before a black hat hacker comes along.

As for charges I would charge £2,000 to be placed in Escrow so you only get that if you break in. Once you break in then you can name your price depending on the patch that you will suggest.

 

[fisicx]

You can do that if you want to break the law. Once again you show your complete lack of knowledge of English law (and EU law as that is where you reside).

 

[Gyumri]

What law is one breaking? That's how white hat hackers make their money and it's perfectly legitimate. You are not threatening to do anything illegal.

You've quoted the Computer Misuse Act in another posting which was totally irrelevant.

 

[kulture]

What law is one breaking? That's how white hat hackers make their money and it's perfectly legitimate. You are not threatening to do anything illegal.

You've quoted the Computer Misuse Act in another posting which was totally irrelevant.

Once again you demonstrate a lack of attention to details. It was me who quoted the computer misuse act and it was entirely relevant.

Your suggestion regarding hacking and then once you get in “name your price” is boarderline at best and could be considered as blackmail.

 

[Gyumri]

Let's beg to differ as to how we view the purpose of the Computer Misuse Act as nobody is urging the OP to blackmail anybody or access a computer without authority.

 

[ValenDigital]

Our main focus is monthly assessments for £250, which are ideal for wordpress users, as this tests the wordpress plugins and templates for new security issues that may arise.

We also offer a £2500 per year package which includes a full website security also monthly smaller more focused security testing and each client is included in our threat intelligence system, customised to the clients requirements.

Question is, do you think the prices are affordable for simple wordpress based websites ?

Personally dont think you will get many small business with wordpress based sites to cough up that kind of cash. Bravo if you do, keep them super happy and you will defo have long term clients.

Ecommerce sites are probarbly a better target market in comparison to small wordpress sites and you caould command higher prices (than you stated) too

 

[Gyumri]

Your suggestion regarding hacking and then once you get in “name your price” is boarderline at best and could be considered as blackmail.

With all due respect to your views which I personally find generally very informative, the customer would be under no obligation to pay to patch the vulnerability of their computer system. Nobody is holding a gun to their head and saying "stand and deliver" like that highway man Dick Turpin.

The OP has asked for suggestions about the best way to legitimately promote and utilise his obvious skills as a hacker and I have given a suggestion.

 

[kulture]

With all due respect to your views which I personally find generally very informative, the customer would be under no obligation to pay to patch the vulnerability of their computer system. Nobody is holding a gun to their head and saying "stand and deliver" like that highway man Dick Turpin.

The OP has asked for suggestions about the best way to legitimately promote and utilise his obvious skills as a hacker and I have given a suggestion.

You understand the word “boarderline”? It means that some may interpret this as blackmail. Others may not. I agree that legally it is unlikely to go to court, but such actions may leave a bad impression with the potential clients.

The OP actually asked for suggestions regarding how to promote his cybersecurity business.

 

[fisicx]

The OP has asked for suggestions about the best way to legitimately promote and utilise his obvious skills as a hacker and I have given a suggestion.

Where in any of his posts has he suggested this?

 

[ekm]

I would never employ the services of someone who undertook any kind of security testing activity without an agreement in place beforehand with the rules of engagement firmly in place - in this industry you need trust and ethics and using the generation of sales as a motivation for initiating any kind of vulnerability scan or beyond wouldn't sit right with me.

I am aware people do this with the aim of notifying companies if something is found, sometimes for free sometimes to collect a bug bounty or similar.

 

[Gyumri]

Where in any of his posts has he suggested this?

"Hi, im just starting a business for cybersecurity testing, any advice would be helpful to gain new clients. I have a few ideas, but wondering what you guys could think of."

It's his first posting.

 

[fisicx]

"Hi, im just starting a business for cybersecurity testing, any advice would be helpful to gain new clients. I have a few ideas, but wondering what you guys could think of."

It's his first posting.

That doesn’t make him a hacker. Different thing altogether.

 

[Gyumri]

That doesn’t make him a hacker. Different thing altogether.

"Ive been on both sides of cyber security spectrum, from black hat hacker which you can google about to ethical hacking"

In my book that makes him a hacker but what the OP is trying to obtain is views on how he can use his skills legitimately and approach potential customers.

With the consent of potential customers he could expose security vulnerabilities in their systems and be rewarded for that assistance.

A customer could hardly complain to the police that with their consent he has succeeded in accessing their system!

The law is solely concerned with unauthorised access.

 

[fisicx]

"Ive been on both sides of cyber security spectrum, from black hat hacker which you can google about to ethical hacking"

And where does it say that in his opening post?

 

[kulture]

And where does it say that in his opening post?

Again, details matter. This is a partial quote from post 42. The full quote says

like the response from before, educating people to do it themselves. Ive been on both sides of cyber security spectrum, from black hat hacker which you can google about to ethical hacking side of things.

Apathy is the biggest issue, so im looking at starting some videos, and real time events whether over coffee at local cafe or online to counter apathy and get people talking.

Adverts and websites, are nothing compared to actually talking to people.

So he is saying educating people to do it themselves.

 

[DontAsk]

I can see you hate the idea of open source even though the secret is that all security features are open source and then packaged and sold.

That's the root of the problem. Much open source is found severely wanting when stressed yet you seem to think it's the holy grail of cyber security. How many times do we read of severe vulnerabilities that are due to unthinking incorporation of open source software?

When Joe Bloggs Plumber has enlisted his 10 yo to setup an R-Pi with all this open source software, which of them has the skills to do the due diligence on the system they have created?

Perhaps that's the real business opportunity for the OP. Educate people how to set up their own open source server and then fleece them to actually make it secure

Please, stop trolling.

 

[matthewbeddoes]

Here is the problem, alot of people dont realise that its the SMALL businesses that are being hit hard because of the costs of snake oil like effective antivirus and firewall. We used to bypass norton AV just by breaking down a virus into 100 chunks, scan each part to identify the bad part, then edit and stick backtogether. Firewalls lmao if you play with the packets, and mess with the unimportant flags you can find a combination that slips through, you just then edit your client to do the same. Now its FINE for big companies to be wasting money on antiviruses and firewalls, and to be honest i keep suspecting they keep companies oblivious to the fact its all useless.

But, how would i call up a company, enquire about fraud prevention policies etc, and end up with a client. LEGALLY, none of this blackmail or misleading them to affiliates or referrals.

 

[fisicx]

Small businesses aren’t going to pay your monthly fee. They might consider a one off audit if the price is right.

 

[Gyumri]

its the SMALL businesses that are being hit hard

What type of small businesses or SME's? Why go after the small fry when there are only 360 months between the ages of 30 and 60? I hear of small businesses being hit hard because of Brexit or business rates but not due to viruses or hacking. Presumably you are concerned about the latter. If so then I would pursue bigger fish. If you can identify smaller companies then I would give them a call and see their view.

It might be like trying to sell CCTV or insurance to somebody who has not yet been burgled.

 

[matthewbeddoes]

"It might be like trying to sell CCTV or insurance to somebody who has not yet been burgled."

That is exactly how it is

 

[DontAsk]

I had a look into your background and found just as I expected lol.....

Do tell... I am sure everyone else would be interested

 

[fisicx]

"It might be like trying to sell CCTV or insurance to somebody who has not yet been burgled."

That is exactly how it is

That’s because you are doing it wrong. People do buy CCTV and insurance because they are sold the benefits not the product. Basic marketing. Selling security audits is no different.

 

[ekm]

I had a look into your background and found just as I expected lol.....

Forget hackers, never underestimate OSINT :/

 

[DontAsk]

I had a look into your background and found just as I expected lol.....

? Still waiting

 

[ekm]

Tried google?

 

[Gyumri]

Forget hackers, never underestimate OSINT :/

Agreed :- https://www.csoonline.com/article/3...op-open-source-intelligence-tools.html?page=2

 

[stugster]

Having read through this thread all I can say is "wow, what a journey!".

To answer OP's original question, I'm with fisicx. No small business is going to pay £250 a month to be told their Wordpress instance, plugins or theme is out of date. You might (read that again: might) be able to convince a few to pay £250 for maintenance - checking and updating those instances/plugins.

You'd be better looking to target medium-sized businesses, who might well be up for that, but your problems there are going to be:

1) Larger businesses tend to have better patch cycles on things like websites;
2) Larger businesses tend to drift away from Wordpress to other CMS platforms like Umbraco.

(caveat: Not all do, but in my experience, that's the way it goes)

You need to understand your market. Small businesses simply do not know or care that their website is out of date. That's the fact of the matter.

Their approach is to spend as little as possible for as long as possible until a requirement forces their hand. That requirement would likely be a defacement, at best. Almost none of these SME websites that sit with WordPress as their CMS will have any considerable PII or business data to make them concerned about a breach on that side.

How can you use your talents to offer a tangible service that's actually valued by an SME? The answer is: it's hard! You've got to convince a small business that spending money proactively is worth it. That's a really big challenge, and one we're faced with daily.

Why does Bob need to spend £2k a year to protect his business when he's never had a breach? He's got no personal experience of any disruption to his business, and his only yardstick to understand that is media/news about it. That attitude of "it'll not happen to me" is a massive hurdle for you to overcome.

We still struggle to convince SMEs of the value of Cyber Essentials - and that's not even very expensive, and they get a really nice shiny badge at the end to use in their marketing!

Selling cyber-related services is an uphill battle. Especially in the small business side of the game.

 

[stugster]

I usually hack the target first to see what needs protecting before I approach them. I have had a few who simply ignore reality or IT depts who insist I can't have gained access..while telling them what I have access too. I mostly get requests asking to destroy the competing business or to extract their supplier or customer base. Simple stuff that makes a company vulnerable as knowledge is power.

I'd be careful admitting to criminal offences publicly.

 

[stugster]

You should listen to the Darknet Diaries podcast and take a lesson from all the hackers on there that thought they'd never get caught.

 

[YasmeenLondon]

I'm a bit late to the party but I would like to add my advice, your service should be aimed toward web design agencies, you will have little success in explaining the importance of web security and justifying its costs to a small business owner, you will have even a more challenging time explaining why they should choose you over a plugin like wordfence for example, but when the service is already included in the cost of the website, the agency will have much better success than you in explaining and selling it to the customer.

My advice is to offer 2 services, one with relatively quick turnaround, low cost and provides enough value that the agency will include it in all websites going forward, such as website/server hardening, security headers, 7G firewall etc and another add-on services for larger clients that require more enhanced security, when I tried to sell the basic security service, my clients didn't want to pay for it, when I included it in the cost ( slightly raising my prices to include it) no one complained or asked to remove it for a lower price.

 

[Deleted member 348872]

I'm more worried about the internet of things. People may lock down their routers and machines but then have printers, alexa, doorbells, fridges, cams etc which never get patched.

 

[Russ Michaels]

Having been in the MSP/hosting business and website management and security for many years myself, I can tell you that almost all small businesses just do not care about security.

It is not something they want to spend money on, no matter what the risks are or what you tell them.
Even when they get hacked, most still do not care and still will not spend any money on it.

Even those that are willing and do care, you will be hard pushed to find many small business owner is going to pay, or can even afford £250 per month just to have their website scanned. there are many much more affordable solutions that offer a lot more.

 

[manwithnonames]

Having been in the MSP/hosting business and website management and security for many years myself, I can tell you that almost all small businesses just do not care about security.

True and those that do didn't come down with the last rain fall when they make procurement decisions.

No offence to the OP but there are loads of good testers out there who
A: Have an accredited qualification
B: Operate within the professional code operated by their qualification
C: Don't have a criminal record.

Immediately- you cant be involved in anything to do with clients who have regulatory compliance obligations which

 

[ctrlbrk]

Resurrecting this to address something that is bugging me about WordPress security:

@matthewbeddoes I've looked at a few so-called security scan plugins for WordPress. Most of them are rubbish. Take for example JetPack Protect, WordFence or All In One WP Security. Two of them don't even work if your site is not online. These are supposed to be the most popular WordPress security plugins and they expect you to put your site online even before it is secure! It goes against basic common sense.

Most of these plugins scan for so-called vulnerabilities by just checking what version of theme/plugin you have and telling you if there are vulnerabilities associated with them: all the do is they look up those versions in security databases (usually CVE stuff such as MITRE, NIST etc.) so they don't really add any value.

If your site has some custom code (and I bet many WordPress sites do), none of these plugins appear to be able to scan the code with basic linting techniques telling you that you should escape output, sanitize fields, etc. - that's where I think they could really add value and make a difference.

I think there is a market for that. What it comes down to is developing a rival plugin that offers what all of these product don't, and then market that appropriately.

Just a thought.

 

[Russ Michaels]

I always use Wordfence, because it does things the others do not.
it checks if plugins and themes have been removed from WordPress.org, so thus likely have a security issue or have been discontinued.
it checks if plugins/themes have been abandoned and not updated for a long time, thus could have vulnerabilities or compatibility issues.

None of the other security plugins do this.
And yes it does do a malware scan as well, as do many of the others, so it does detect malicious scripts that have been uploaded and I believe uses OWASP.

the other plugins tend to have other useful functionality such as user audits, spam blocking and the like.

Your site has to be online, because these are Wordpress plugins, and so use PHP. They are not executable files like you run on your PC.
That said, nobody says you have to put the site live on the internet, online simply means connected to a website and accessible. So you could setup your site locally or on a dev server, or simply restrict the site so only you can access it.

 

[ctrlbrk]

Not going to get drawn into an off-topic debate about the merits of the existing security plugins. I said what I said and I stand by that.

OP asked for input on ideas for his cybersecurity business, specifically around WordPress and I provided my 2p worth.

 

[fisicx]

These are supposed to be the most popular WordPress security plugins and they expect you to put your site online even before it is secure!

And that's because their checks pull data from their databases which get their data from all their users. For example when you report an IP the security plugin needs know so they can tell everyone else.

If your site has some custom code (and I bet many WordPress sites do), none of these plugins appear to be able to scan the code with basic linting techniques telling you that you should escape output, sanitize fields, etc. - that's where I think they could really add value and make a difference.

There are plugins will check your theme (which is where custom code usually ends up):

Theme Check

A simple and easy way to test your theme for all the latest WordPress standards and practices. A great theme development tool!

en-gb.wordpress.org

Plugins are a whole different ball game. When you submit a plugin for publication there are a whole lists of applicable standards (including things like input sanitation). If you build your own custom plugins there are various tools you can use to check and test your code (both PHP and JS). There aren't things wordfence or any other security plugin should be checking.

Also worth pointing out that the best security is configured at server level not at browser level.

 

[Paul Kelly ICHYB]

@ctrlbrk isn't that what server side stuff checks for e.g. ClamAV or whatever...?

 

[Russ Michaels]

Not going to get drawn into an off-topic debate about the merits of the existing security plugins. I said what I said and I stand by that.

OP asked for input on ideas for his cybersecurity business, specifically around WordPress and I provided my 2p worth.

then why say "Resurrecting this to address something that is bugging me about WordPress security:"