Triaxiom Security
Partner with us to meet your Information Security needs.
9 Jun 2020

An Introduction to Kerberoasting

In today’s blog, we will be taking a high-level look at a popular attack called Kerberoasting. Kerberoasting is used by attackers to escalate privileges once they gain initial access to an internal network. As penetration testers, we regularly use this attack vector during engagements and are generally successful in doing so. Let’s take a look […]

4 Jun 2020

Top Reasons to Become a Penetration Tester

We are often asked “why did you become a penetration tester?” or “why should I get into penetration testing?” There are many different reasons to get into penetration testing, and everyone is motivated by different things. We took a poll in our office of why our team members got into penetration testing and today […]

2 Jun 2020

Introduction to Buffer Overflow Attacks

In today’s blog, we will be taking a very high-level look at buffer overflow attacks. Attackers exploit buffer overflow vulnerabilities by overwriting the memory of an application. By doing so, an attacker can change the execution flow of the program, thereby instructing the program to execute code stored in an area of memory the attacker controls. Consider […]

29 May 2020

COVID-19 Attack Surface Implications

The COVID-19 pandemic has reshaped our organizations as we know them. Many have shifted from an on-site location to primarily working from home. What was first thought to be a few weeks has now turned into a few months, and likely the impacts of this pandemic on your organization’s IT operations and procedures […]

27 May 2020

Common Web Application Vulnerabilities – JWTs

We’ve been running across a lot of modern web applications lately that have implemented JSON Web Tokens (also known as JWTs) for session tracking. JWTs are an open industry standard designed to securely transmit information between two parties as a cryptographically signed JSON object. While the JWT specification is designed generically to account for a variety […]

21 May 2020

White Box Application Penetration Testing

We’ve recently seen an uptick in vendor security assessment questionnaires (VSAQs) that are requiring organizations to do white box application penetration testing. Obviously this may be anecdotal, but we thought it would be a good opportunity to discuss what is being asked of you when it comes to white box or clear box testing, and […]

19 May 2020

Writing an Effective Penetration Testing RFP

In the past, we have explored how to find penetration testing Requests for Proposals, or RFPs. Today, we are going to explore how to effectively write a penetration testing RFP. Often, government entities or commercial industry companies are forced to leverage an RFP process to ensure a fair and objective assessment of vendors for […]

14 May 2020

How To Identify Sensitive Data Flows In The Enterprise

One of the most helpful things an organization can do when it comes to security is to understand what needs to be protected. An asset inventory is a great starting point, as it should include all of your hardware and the software you’re running. But perhaps more importantly, you really need to know where your sensitive […]

12 May 2020

PCI Compliance: The Role of the Acquiring Bank

This blog is intended to help merchants understand the various roles in PCI compliance. Specifically, we are going to look at perhaps the most important role: the role of your acquiring bank. Simply put, your acquiring bank is the judge and jury when it comes to meeting PCI compliance. Let’s discuss. Who is My Acquiring […]

7 May 2020

Remote Security Assessments and Other Alternatives

In light of COVID-19 and the toll it is taking on the business community, today we will discuss the types of remote security assessments that can be performed and some alternative tweaks to assessments to ensure your security program is still evaluated and working properly. Unfortunately with all of the chaos, attackers know that they […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.