Tools and services I use to run 7 Minute Security, LLC
This gist complements a series of podcast episodes I do called How to Succeed in Business Without Really Crying. In part 6 of this series I list a bunch of tools and services I use to help me conduct security assessments and also balance the taxes/books. Here is that full list in all its gist-y glory:
There are lots of registrars out there, and as far as I can tell, they offer about the same amount of features and same pricing for each domain. Since I have such a large footprint already in Google services with my account, moving domains under their roof was pretty easy and made sense. I've also had to use their technical support a few times and found the response times - and level of service - to be stellar.
You know it and probably love or hate it. Lots of people tell me "Just use Google Docs! Just use LibreOffice!" but I can't live without Outlook on the PC, so IMHO, my subscription is justified by this app alone.
A no-brainer (to me). A few dollars a month gets you email, SharePoint, OneDrive - the whole shootin' match.
This little gem takes output data from Nessus and puts it in pretty graphs/reports that call out things orgs usually ask about, like:
- Where are my most vulnerable hosts?
- Which of my hosts have exploitable vulnerabilities?
It's $65/year for an unlimited use license.
This is the popular vulnerability scanner from Tenable. I like it because it's affordable ($2k a year) for both me and my clients, and really easy to use. The only thing I don't love is the reporting (see NamicSoft above).
Network Detective does a nice job of scanning an AD environment (using a data-collecting .exe that doesn't leave a footprint in the environment) and spitting out some nice reports that give you insight into the AD layout, users, groups, etc. and also a peek into their group policy config. The thing I don't like is that there's really only 1-2 reports that I think have value - the other network diagrams and PowerPoint presentations contain a lot of fluff and less-than-valuable content. I also don't like that only the default domain and default domain controllers policy gets grabbed by the tool - not all GPOs.
Ninite is a 3rd-party patching tool that's dead simple to install and manage. Just run the .msi quick installer (takes a few seconds) and manage machine patches from a lightweight Web interface. You can easily "pin" certain software versions, assign tags to systems, or configure certain actions to happen automatically - such as the blocking or auto-updating of specific apps.
I use QB + the payroll module to run the books. However, I also employ a tax guru to take care of all this for me, because I hate math. I'd rather be securing things.
I just started using this to write up my assessments. The idea is you track all vulnerabilities in a Web portal, and then you can give your customers access to the report. That way their security assessment report is a living/breathing thing they can work on to actually make security better in their organization! Cool!
Rumble is an awesome (and in my opinion, affordable) tool to inventory assets, get alerts when assets change, and even screenshot Web interfaces on them. It's free for under 256 assets too. Who doesn't like asset inventory + free?
Proposify makes it really easy to spin up a boilerplate SOW for a pentest, assessment, etc. and then easily customize it per-client. I now spend only a few minutes creating proposals rather than HOURS.
Is it expensive? Yes. Is it (to me) overly complicated and convoluted? Yes. Does my 7MS sales force seem to get along with it just fine and therefore it's a worthwhile purchase? I hope so. Warning: the trial plan you start on cannot be upgraded/downgraded to the plan you purchase (if you change plans) so be aware of that. It was kind of a pain to import/export data 2 or 3 times to finally get things up and running properly.
I use ShareFile to securely send/receive documents, contracts and deliverables from clients. One config change I'd seriously recommend you consider is setting a file expiration timeout for all your client folders. This way files naturally self-delete and you don't end up with an ever-growing pot of very sensitive information. I'm not saying Citrix would ever get hacked (cough) but it could happen.
This is pretty feature-rich remote access software for PC/Mac/Linux. I really like that you can enable 2FA and add a separate PIN/password to each individual machine you control as well. I use it mainly to control machines in my lab from anywhere (and, sadly, to continue my eternal role as tech support for my mom and dad).
This is where I host 7 Minute Security, LLC and I love that I can make a pretty site without being a Web design whiz. Many people say "Roll your own Web solution for 10 cents a year on insert name of cheap hosting here!" I could definitely do that. But the ~$15/month investment to have Squarespace take care of the site, security certificate, uptime, backups and support is well worth it.
I really, really like how easy Zoom makes it to schedule and conduct meetings. Plus it's a lot cheaper than GoToMeeting and other alternatives. Plus, they have a very affordable Webinar add-on.