Becoming a Cyber Consultant Part-time. Anyone doing it?
roninkai
Is anyone here an IT/Cyber engineer by day, and perhaps running a small operation on the side for extra cash? I'd love to talk. I've been tossing ideas around in my head for some time, but I wanna get things moving now and launch a side operation by year end. I have the knowledge and experience (and business experience), but I've never been a full-fledged IT consultant before.
What I envision doing is vulnerability / audit scans. I have a friend who did a scan for a well-known company. They flew him in, he hooked up, did his scan, and 30 min later he was done, with a nice chunk of change in his pocket. I know vulnerability assessment / reporting is in big demand.
Actually, half the companies out there are vulnerable and don't even know they need it. So I need to come up with some ideas to attract the business, show 'em how/why they are vulnerable, and how I can help. Ideally I'd get small businesses in on a setup + scan fee, then perhaps a monthly retainer (doing automated scans).
My main concern is the legalities with this business model. If I'm part-time, I probably won't yet have the funds to hire a lawyer and get all that in place. Maybe it should come first though. Essentially my scans will have highly sensitive data on a business's infrastructure. In the wrong hands, this could be scary. Anyway, I have ideas, but just curious if anyone has done something similar.
I really don't want to be doing anything other than providing scans/reports... maybe down the road, "fixes". If I had the time, resources, and perhaps a small team, I could do the scan and remediation by integrating with some patch management platforms. I wanna start small though and see where it goes.
For now I'm thinking to manage clients via JIRA or some ticketing system. I know to really make it work, I'd need legal in place, a website, and all that, but to start, I just wanna find that first client as "proof of concept", then work the model out fully. I know my friend made some awesome money and didn't even scratch the surface. I'm all ears...
浪人 MSISA:WGU
ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP
Comments
Danielm7
Quote: "I have a friend who did a scan for a well-known company. They flew him in, he hooked up, did his scan, and 30 min later he was done, with a nice chunk of change in his pocket."
I always wonder about things like this. What sort of large, well-known company flies someone in for a 30-minute scan? I say this working at a large company that has to bring people in for PCI/SOX auditing and nothing is that quick, ever.
roninkai
Well, it just happened to go smoothly. It was essentially a test, testing him as much as their system. They wanted a vuln report. No fixes. Just a report of where they were. So if you set things up ahead of time (gather IPs, credentials, etc.), it can in fact go smoothly. I don't know how many hosts it was, but he said it was the easiest 3k he's made.
apr911
dragonsden wrote: "They flew him in, he hooked up, did his scan, and 30 min later he was done, with a nice chunk of change in his pocket. I know vulnerability assessment / reporting is in big demand."
A lot of companies do this nowadays because they need the scans "verified" by a 3rd party. It's not enough that they know they're vulnerable; an outside organization needs to tell them they're vulnerable. Non-repudiation and such... An internal report is buried easily enough, while an external report is not.
Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
TeKniques
Keep in mind that the example of going in and doing a 30-minute scan and that's it is a bit exaggerated. There's a lot more that goes into it, such as reviewing the scan data, writing an official report and presenting the findings to management. In my experience the canned reports are supplemental data to accompany an official report that's been reviewed and signed off by someone who can attest to the information.
gespenstern
Quote: "I always wonder about things like this. What sort of large, well-known company flies someone in for a 30-minute scan? I say this working at a large company that has to bring people in for PCI/SOX auditing and nothing is that quick, ever."
PCI requires tons of interviewing; that's why you can't make it quick. In this case it was probably not a compliance issue, but something specific, a certain application for example, or something. I did similar work (AD DS audits) in the past for small/medium businesses and it was exactly like that. First I show up, introduce myself and do a small presentation on what I'm going to do, run my scripts under a domain admin account, then leave for a few weeks, during which I consume the data collected, identify issues, produce a nice report and send it via email. Then I usually show up another time where I fight for my results and proposals against their IT people while their big bosses watch. The pay is different per client: some agree to pay upfront, others 30/70, others after getting results, etc.
And yes, these monies are pretty easy to make; the only problem is social networking and getting recognized. I did it as a representative of a somewhat recognizable MSSP, but I don't see these companies trusting me to do that on my own. Brand is a major part of this business, and two absolutely identical reports signed by different names have different weight in the eyes of a client.
LeBroke
dragonsden wrote: "Well, it just happened to go smoothly. It was essentially a test, testing him as much as their system. They wanted a vuln report. No fixes. Just a report of where they were. So if you set things up ahead of time (gather IPs, credentials, etc.), it can in fact go smoothly. I don't know how many hosts it was, but he said it was the easiest 3k he's made."
Generally, a lot of companies have requirements for 3rd-party scans (I believe someone already mentioned it).
They also don't want to do any real work remediating their issues.
Therein lies a conflict of interest. On the one hand, you want to do your job properly and highlight any and all vulnerabilities (and ideally, back it up by hacking something, depending on whether it's a full pentest or a vulnerability assessment). On the other, you want repeat business, so you don't want to press them too hard, since if they're not interested in actually fixing anything or having any issues with their infrastructure as a result of the scan, they don't want you to be too hard on them because it'll cause them hassle.
Financial companies with competent IT are generally OK with you ******* them over. They're also good at not being incompetent, so you usually won't find anything really bad either unless you're Elliot.
Most other companies? Don't give a crap, and if it saves them 50 bucks or a few hours of their (most likely overworked) sysadmin's time, they'd rather you not notice any glaring holes (like printers with telnet connections that are inexplicably routable from the internet... yes, seen it more than once) because they don't want to fix anything.
That said, it's a great business, but the hard part isn't the work. It's the same as running any other business: getting clients to actually buy your services. You have to either have a great professional network of people who will hire you, or be a pushy salesman type to get your foot in the door and get business.
mbarrett
gespenstern wrote: "And yes, these monies are pretty easy to make; the only problem is social networking and getting recognized."
LeBroke wrote: "Generally, a lot of companies have requirements for 3rd-party scans (I believe someone already mentioned it).
They also don't want to do any real work remediating their issues.
Therein lies a conflict of interest. On the one hand, you want to do your job properly and highlight any and all vulnerabilities (and ideally, back it up by hacking something, depending on whether it's a full pentest or a vulnerability assessment). On the other, you want repeat business, so you don't want to press them too hard, since if they're not interested in actually fixing anything or having any issues with their infrastructure as a result of the scan, they don't want you to be too hard on them because it'll cause them hassle.
Most other companies? Don't give a crap, and if it saves them 50 bucks or a few hours of their (most likely overworked) sysadmin's time, they'd rather you not notice any glaring holes (like printers with telnet connections that are inexplicably routable from the internet... yes, seen it more than once) because they don't want to fix anything."
Agreed - the hard part isn't the assessment, it's actually getting somebody to fix stuff. There's a fundamental conflict of interest that prevents the same person from doing both.