Ryan Wakeham
Ryan leads NetSPI’s Assessment Team, which performs network and application penetration tests, code reviews, and infrastructure assessments. He also consults directly with clients on IT risk management and security program development projects. He brings to his work sound insight into security issues and the communication skills to effectively and thoroughly convey risks and recommended remedies to clients. Ryan has over ten years of computer security experience, seven of them with NetSPI. He holds a BA in Computer Science from Carleton College and an MS degree in Information Security from the Georgia Institute of Technology.
September 22nd, 2013
The Value of Detective Controls
For as long as I can remember, security professionals have spent the majority of their time focusing on preventative controls. Things like patching processes, configuration management, and vulnerability testing all fall into this category. The attention is sensible, of course; what better way to mitigate risk than to prevent successful attacks in the first place? […]
December 12th, 2012
2013 Cyber Threat Forecast Released
The Georgia Tech Information Security Center and Georgia Tech Research Institute recently released their 2013 report on emerging cyber threats. Some of these threats are fairly predictable, such as cloud-based botnets, vulnerabilities in mobile browsers and mobile wallets, and obfuscation of malware in order to avoid detection. However, some areas of focus were a bit […]
October 15th, 2012
Thoughts on Web Application Firewalls
I recently attended a talk given by an engineer from a top security product company and, while the talk was quite interesting, something that the engineer said has been bugging me a bit. He basically stated that, as a control, deploying a web application firewall was preferable to actually fixing vulnerable code. Web application firewalls […]
June 22nd, 2012
Web Application Testing: What is the right amount?
It is becoming more common these days (though still not common enough) for organizations to have regular vulnerability scans conducted against Internet-facing, and sometimes internal, systems and devices. This is certainly a step in the right direction, as monthly scans against the network and service layer are an important control that can be used to […]
May 24th, 2012
Enterprise Vulnerability Management
Earlier this month, at the Secure360 conference in St. Paul, Seth Peter (NetSPI’s CTO) and I gave a presentation on enterprise vulnerability management. This talk came out of a number of discussions about formal vulnerability management programs that we have had both internally at NetSPI and with outside individuals and organizations. While many companies have […]
March 19th, 2012
Pentesting the Cloud
Several months ago, I attended an industry conference where there was much buzz about “The Cloud.” A couple of the talks purportedly addressed penetration testing in the Cloud and the difficulties that could be encountered in this unique environment; I attended enthusiastically, hoping to glean some insight that I could bring back to NetSPI and […]
February 7th, 2012
The Annual Struggle with Assessing Risk
In my experience, one of the security management processes that causes the most confusion among security stakeholders is the periodic risk assessment. Most major information security frameworks such as ISO/IEC 27002:2005, the PCI Data Security Standard, and HIPAA, include annual or periodic risk assessments and yet a surprising number of organizations struggle with putting together […]
October 26th, 2011
Why I Hate The Cloud
The Cloud is one of the “new big things” in IT and security and I hate it. To be clear, I don’t actually hate the concept of The Cloud (I’ll get to that in a minute) but, rather, I hate the term. According to Wikipedia, cloud computing is “the delivery of computing as a service […]
October 12th, 2011
Mobile Devices in Corporate Environments
Mobile computing technology is hardly a recent phenomenon but, with the influx of mobile devices such as smartphones and tablet computers into the workplace, the specter of malicious activity being initiated by or through these devices looms large. However, generally speaking, an information security toolkit that includes appropriate controls for addressing threats presented by corporate […]