So, you got a pentest. Now what?

How to progress toward a truly secure organization and infrastructure after penetration testing.

You did it – you paid for penetration testing services.

Whether it was to fulfill a potential client’s request, to satisfy your own interest, or to comply with some framework, you tested the mettle of your environment against white-hat hackers and came out the other side, report in hand and next steps […]

An Introduction to Active Defense

Global research and advisory firm Gartner forecasts that information security spending will exceed $124 billion in 2019, yet cyber defenses continue to fail. Organizations large and small continue to experience breaches of all varieties resulting from zero-day exploits, failures in vulnerability patching, and phishing.

The market has responded with a variety of security governance and control frameworks including CIS 20, ISO 27001, […]

If It Can Talk to Networks, It Can Walk Across Them

Why the Internet of Things is a penetration tester’s most valuable asset.

As technology moves at a seemingly exponential rate of growth and changes every day, more and more devices are being developed to contain additional “customer-savvy” features. Collectively termed the Internet of Things (IoT), this new wave of technology is vast. Where historically a system in question would be a server […]

Takeaways from SANS SEC560 – Ethical Hacking and Pen Testing

This past week I completed the SANS SEC560 – Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training.

A Quick Overview of the SANS 560 Class Experience

Curriculum Overview

SANS SEC560 […]

Differentiating Penetration Tests, Vulnerability Scans, and Risk Assessments

Penetration testing has become another hot and often misused term in the marketplace, joining the ranks of other buzzwords such as “Cybersecurity”, “Hacker” and “The Cloud”. Oftentimes, organizations confuse penetration testing with vulnerability scans or security posture assessments (a.k.a. risk assessments).

While penetration testing does include utilizing vulnerability scans and overlaps with security posture assessments, penetration testing encompasses a number […]

Are Penetration Tests Worth the Risk?

I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk. There seem to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it’s trying to mitigate; the other side calls it necessary for security hardening. Here […]

Designing an Effective Information Security Training

The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the […]

Pen Testing: Malicious File Execution

What is a Malicious File Execution Vulnerability?

Malicious file execution vulnerabilities (also called file inclusion vulnerabilities) are vulnerabilities that occur when user input or uploads to a website are not properly handled, or when the website/web application performs poor data validation.

Web applications that are poorly designed or coded may automatically run or parse input supplied by a user. If […]