Tag: Penetration Testing

Sudo: Its History and How to Abuse It

A quick explanation of one of the most influential and misconfigured computing utilities. A classic view into some of the tools used by pentesters at risk3sixty. You’re a hacker. Okay, maybe you aren’t, but let’s say you are. You finally got into a server you’ve been attacking for weeks, but you’re stuck. The credentials you logged in with [...]

By | 2020-01-24T14:00:12+00:00 | January 27th, 2020 | CISO Discussions, Penetration Testing | 0 Comments

So, you got a pentest. Now what?

How to progress toward a truly secure organization and infrastructure after penetration testing. You did it – you paid for penetration testing services. Whether it was to fulfill a potential client’s request, satisfy your own interest, or to be compliant with some framework, you tested the mettle of your environment against white-hat hackers and came out the other side, report in hand and [...]

By | 2020-01-23T15:44:56+00:00 | December 9th, 2019 | Penetration Testing | 0 Comments

An Introduction to Active Defense

Global research and advisory firm Gartner forecasts that information security spending will exceed $124 billion in 2019, yet cyber defenses continue to fail. Organizations large and small continue to experience breaches of all varieties resulting from zero-day exploits, failures in vulnerability patching, and phishing. The market has responded with a variety of security governance and control frameworks including CIS 20, ISO [...]

By | 2020-01-31T01:10:36+00:00 | November 18th, 2019 | Cyber Risk Management, Penetration Testing | 0 Comments

If It Can Talk to Networks, It Can Walk Across Them

Why the Internet of Things is a penetration tester’s most valuable asset. As technology moves at a seemingly exponential rate of growth and changes every day, more and more devices are being developed to contain additional “customer-savvy” features. Collectively termed the Internet of Things (IoT), this new wave of technology is vast. Where historically a system in question would be a [...]

By | 2020-01-17T21:16:57+00:00 | October 21st, 2019 | Cyber Risk Management, Penetration Testing | 0 Comments

Takeaways from SANS SEC560 - Ethical Hacking and Pen Testing

This past week I completed the SANS SEC560 - Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training. A Quick Overview of the SANS 560 Class Experience: Curriculum Overview. SANS SEC560 began with a discussion of [...]

By | 2020-01-17T21:49:37+00:00 | December 26th, 2017 | Cyber Risk Management, IT Audit & Compliance | 4 Comments

How to Attack and Protect Network Printers and Devices

Recently I was asked by a CIO to think of and execute a simple attack at a manufacturing facility as part of an ongoing initiative to enhance cyber security awareness. I'm not at all a penetration tester or ethical hacker, but there are a few very simple "attacks" that almost anyone can execute. In this instance I will describe how you [...]

By | 2020-01-17T21:21:31+00:00 | January 25th, 2016 | Cyber Risk Management | 0 Comments

Differentiating Penetration Tests, Vulnerability Scans, and Risk Assessments

Penetration testing has become another hot, and often misused, term in the marketplace, joining the ranks of other buzzwords such as “Cybersecurity”, “Hacker” and “The Cloud”. Oftentimes, organizations confuse penetration testing with vulnerability scans or security posture assessments (a.k.a. risk assessments). While penetration testing does include utilizing vulnerability scans and overlaps with security posture assessments, penetration testing encompasses a [...]

By | 2020-01-17T21:21:48+00:00 | November 25th, 2015 | Cyber Risk Management | 3 Comments

Are Penetration Tests Worth the Risk?

I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk. There seem to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it's trying to mitigate; the other side calls it necessary for security hardening. Here [...]

By | 2020-01-17T21:22:00+00:00 | October 27th, 2015 | Cyber Risk Management | 3 Comments

Designing an Effective Information Security Training

The most vulnerable asset in any company isn't the network or the application - it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the phone, and repeatedly give attackers enough information to [...]