Defense in depth is a term that gets thrown around a lot by security practitioners, and for good reason. When applied correctly it will exponentially increase your ability to prevent, detect, and limit the damage an attacker can cause. In this blog, we will take an in-depth look at defense in depth with some practical […]
In this blog, we are going to walk through one of the most common ways we get an initial foothold on a network during an internal penetration test: NBNS and LLMNR Spoofing. First, we’ll discuss what these two technologies are, then we’ll talk about how to exploit them and the potential impact. Finally, we’ll discuss […]
In a previous post, we covered timing-based username enumeration vulnerabilities and how an attacker can exploit these weaknesses to craft a list of known-valid user accounts. The next step in that attack chain is using that list of valid accounts to conduct password attacks and try to gain unauthorized access to an organization’s exposed login […]
From time to time, when we see a particular vulnerability that keeps showing up over and over again during penetration testing engagements, we like to write about it and help spread awareness. This can help explain the issue, the subsequent risk it presents to your organization, and how to successfully remediate the issue or at […]
What is “phishing”? How can we protect our firm from phishing attacks? How can we train our employees to spot a phishing attempt? These are all valid questions and today we will explore the ins and outs of how to recognize phishing and how to protect your firm from it. As we have discussed before, […]
In our last blog on tackling the broad topic of how do I protect my company’s sensitive information, we reviewed several ways to get started with this process. Before you can protect your sensitive data or “crown jewels”, you’ve got to know what you have and where it lives. We covered creating an asset inventory […]
