In this blog, we’ll outline our methodology for conducting PCI QSA Onsite Assessments, also known as a Level 1 Assessment or PCI ROC Assessment. A PCI QSA onsite assessment verifies and validates an organization’s compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). This assessment produces a full Report on Compliance (RoC) and […]
In this blog, we are going to look at red team engagements. We will answer the question of what is a red team engagement, clarify how they work, and cover what type of organizations we recommend them to. Usually, this type of assessment isn’t going to be the best course of action for an organization […]
The importance of being HIPAA compliant is higher than ever with the current state of security and the potential penalties that can be levied on organizations. The Health Insurance Portability and Accountability Act (HIPAA) passed in 1996 establishes industry-wide standards for the protection and handling of Protected Health Information (PHI), among other things. Maintaining compliance […]
In this blog, we will explore some of the most common tools used by penetration testers when performing an assessment. A penetration test is designed to emulate an attacker trying to breach your network or gain access to sensitive data. So while some of these tools cost money, all are readily available on the Internet. […]
One of the foundational elements of an organizational security plan should be the underlying policies in place. These are not the exciting or sexy security controls and blinky boxes that you’re going to see in marketing material and vendor pitches, but they can prove to be extremely critical when trying to build or mature an […]
This week we’re going to look at the differences between an External vs Internal Penetration Testing. Our primary goal will be to give you the information you need to be able to choose between these two basic types of penetration tests based on their value to your organization. Of course, the easy answer would be, […]
In this blog, we will explore one of the more severe vulnerabilities we see on an internal penetration test: setting the local administrator password via GPO. Group Policy Objects (GPO) are used to push configuration items down to machines in an Active Directory environment. GPOs are really useful tools to make sure that systems are […]
In this blog, we will look at one of the attacks we use on almost every internal penetration test, pass the hash. Many times, to make managing devices easier and because this account is rarely used, IT Teams will set the local administrator account to the same password on all devices across the organization. The […]
If you are required to have a QSA On-Site Assessment annually as a part of your PCI DSS compliance, you are likely already familiar with the fact that meeting PCI requirements is a complex process, and no easy feat. To prepare you, we want to help you understand what to expect before, during, and after […]
If you are a level 1 merchant or service provider, or your acquiring bank views your organization as high risk, you must be compliant with the full Payment Card Industry (PCI) Data Security Standard (DSS). Additionally, in order to validate your compliance, you will be required to have a Qualified Security Assessor (QSA) perform a […]
