A classic view into some of the tools use by pentesters at risk3sixty.
How to progress toward a truly secure organization and infrastructure after penetration testing.
You did it – you paid for penetration testing services.
Whether it was to fulfill a potential client’s request, satisfy your interest or to be compliant with some framework, you tested the mettle of your environment against white-hat hackers and came out the other side, report in-hand and next steps […]
Global research and advisory firm, Gartner, forecasts that information security spending will exceed $124 billion in 2019, yet cyber defenses continue to fail. Organizations large and small continue to experience breaches of all varieties resulting from zero-day exploits, failures in vulnerability patching, and phishing.
The market has responded with a variety of security governance and control frameworks including CIS 20, ISO 27001, […]
Why the Internet of Things is a penetration tester’s most valuable asset.
As technology moves at a seemingly exponential rate of growth and changes every day, more and more devices are being developed to contain additional “customer-savvy” features. Collectively termed the Internet of Things (IoT), this new wave of technology is vast. Where historically a system in question would be a server […]
This past week I completed the SANS SEC560 – Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training.
A Quick Overview of the SANS 560 Class Experience
SANS SEC560 […]
Recently I was asked by a CIO to think of and execute a simple attack at a manufacturing facility as part of an ongoing initiative to enhance cyber security awareness. I’m not at all a penetration tester or ethical hacker, but there are a few very simple “attacks” that almost anyone can execute.
In this instance I will describe how you can […]
Penetration testing has become another hot, and often misused term in the marketplace, joining the ranks of other buzz words such as “Cybersecurity”, “Hacker” and “The Cloud”. Often times, organizations confuse penetration testing with vulnerability scans or security posture assessments (a.k.a risk assessment).
While penetration testing does include utilizing vulnerability scans and overlaps with security posture assessments, penetration testing encompasses a number […]
I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk? There seems to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it’s trying to mitigate, the other side calls it necessary for security hardening. Here […]
The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the […]
What is a Malicious File Execution Vulnerability?
Malicious file execution vulnerabilities (also called File Inclusion Vulnerabilities) is a vulnerability that occurs due to user input or uploads to websites not being properly handled or poor data validation by the website/web application.
Web applications that are poorly designed or coded may automatically run or parse input that is inputted from a user. If […]