Respecting Users' Privacy
Personally Identifiable Information
You may wish to request information about our products and services. To facilitate the distribution of this content, you are asked to provide information such as, but not limited to, name, company, title, phone number, e-mail address, site name, URL, and address. Based on your request, Seven Stones Information Security may also ask for additional information, such as the number of page views your site receives, how many orders your site receives, and how you heard about us. This information is provided by you on a voluntary basis only and is not required by us in order for you to use and enjoy our site.
Collected Personal Data
Seven Stones Information Limited may use the information that we collect on the Site to contact you to further discuss your interest in our company, our services, and to send information regarding our company or partners, such as marketing promotions and events. This information may also be used to improve the services we provide you. The information is collected and stored in a manner that is appropriate for the nature of the data that we collect, and the need to fulfill your request. This information is not provided or sold to third parties for their use. Seven Stones Information Security uses secured server areas and advanced firewall technology to minimize the risk of security breaches for individually identifiable information that is volunteered on the Site. Though we make every effort to preserve user privacy, we may need to disclose personal information when required by law, or in order to comply with a current judicial proceeding, a court order, or legal process served on the Site. We will of course notify you should such a situation occur.
Our Site has security measures in place to help protect against the loss, misuse, and alteration of the data under our control. When sensitive areas of our Site are accessed using Netscape Navigator or Microsoft Internet Explorer version 5.0 or higher, Secure Socket Layer (SSL) technology protects information using both server authentication and data encryption to help ensure that the data is safe, secure, and available only to you and us. Seven Stones Information Security also provides unique usernames and passwords that must be entered each time a customer logs on to a Seven Stones Information Security product via this Site. These safeguards help prevent unauthorized access, maintain data accuracy, and help ensure the appropriate use of all data. The web server is protected by a firewall to provide network access control.
Third Party Sites
Latest Blog Post
What Is Your VA Scanner Really Doing?
April 20, 2021, 1:05 p.m.
It's clear from social media and first-hand reports that the awareness of what VA (Vulnerability Assessment) scanners are really doing in testing scenarios is quite low. So I set up a test box with Ubuntu 18 and exposed some services which are well known to the hacker community and also still popular in production business use cases: Secure Shell (SSH) and an Apache web service.
This post isn't an attack on VA products at all. It's aimed at setting a more healthy expectation, and I will cover a test scenario with a packet sniffer (Wireshark), Nessus Professional, and OpenVAS, that illustrates the point.
I became aware 20 years ago, from validating VA scanner output, that a lot of what VA scanners barf out is alarmist (red flags, CRITICAL [fix NOW!]) and also based purely on guesswork - when the scanner "sees" a service, it grabs a service banner (e.g. "OpenSSH 7.6p1 Ubuntu 4ubuntu0.3"), looks in its database for publicly disclosed vulnerabilities with that version, and flags a vulnerability if there are any associated CVEs. Contrary to popular belief, there is no actual interaction in the way of further investigating or validating vulnerability. All vulnerability reporting is based on the service banner. So if I change my banner to "hi OpenVAS", nothing will be reported. And in security, we like to advise hiding product names and versions - this helps with drive-by style automated attacks, in a much more effective way than, for example, changing default service ports.
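To make the banner-matching behaviour described above concrete, here is an added example (not code from the post or from any scanner vendor) of the lookup logic in miniature. It parses an SSH or HTTP banner, extracts a product and version, and looks them up in a hypothetical table; the advisory identifiers are labelled placeholders, not real CVE numbers, and the banners are constructed samples. The point it demonstrates is that every result is banner-only, so a recognised version yields a list of findings with no validation behind them, while a renamed or version-less banner yields nothing at all.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed lookup table standing in for a scanner's vulnerability
# database. Advisory IDs are placeholders, NOT real CVE numbers.
BANNER_DB = {
    ("openssh", "7.6p1"): ["ADVISORY-PLACEHOLDER-1", "ADVISORY-PLACEHOLDER-2"],
    ("apache", "2.4.29"): ["ADVISORY-PLACEHOLDER-3"],   # sample version, constructed
}

# SSH identification string, e.g. "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3".
SSH_RE = re.compile(r"^SSH-\d\.\d-OpenSSH_(?P<version>[\w.]+)")
# HTTP Server header; the version part is optional so a hidden version
# still identifies the product.
HTTP_RE = re.compile(r"^Server:\s*Apache(?:/(?P<version>[\d.]+))?", re.IGNORECASE)


@dataclass
class Finding:
    product: str
    version: Optional[str]
    advisories: List[str]
    basis: str  # always "banner-only": nothing on the target was exercised


def parse_banner(banner: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (product, version) if the banner matches a known pattern."""
    m = SSH_RE.match(banner)
    if m:
        return ("openssh", m.group("version"))
    m = HTTP_RE.match(banner)
    if m:
        return ("apache", m.group("version"))
    return None


def assess(banner: str) -> Optional[Finding]:
    """Mimic a banner-only scanner: match the string, look up the version.

    Returns None for an unrecognised banner. That silence means the scanner
    has no opinion, not that the service is safe.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version = parsed
    advisories = BANNER_DB.get((product, version), []) if version else []
    return Finding(product, version, advisories, "banner-only")


def report(banners: List[str]) -> dict:
    """Summarise what a banner-only scan would say about each constructed banner."""
    out = {}
    for b in banners:
        f = assess(b)
        out[b] = "unrecognised" if f is None else (f.product, f.version, len(f.advisories))
    return out


if __name__ == "__main__":
    # Constructed sample banners for the demonstration.
    samples = [
        "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",   # version exposed: findings
        "SSH-2.0-hi OpenVAS",                        # renamed banner: silence
        "Server: Apache/2.4.29 (Ubuntu)",            # version exposed: findings
        "Server: Apache",                            # version hidden: nothing to match
    ]
    for banner, verdict in report(samples).items():
        print(f"{banner!r:45} -> {verdict}")
```

Nothing in `assess` touches the service beyond reading the string, which is exactly why a report built this way should be treated as a list of hypotheses to validate rather than confirmed vulnerabilities, and why hiding the version string changes the scanner's output without changing the real exposure.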
Security De-engineering, published by Taylor & Francis, covers ubiquitous problems in information security and offers a solution in the final chapter.
Areas covered: Penetration testing, Hackers, CASEs (Checklists and Standards Evangelists), IDS, Cloud Security, jobs in security, Identity Management, and organisational elements.