Cloud computing isn’t really that new of a thing anymore. By now, many organizations are familiar with what it is and may even be considering migrating portions of their operations. But what we’re saying a lot of times is that, even though they may want to move to the cloud because it’s the cool thing […]
Organizations are starting to realized, given the news regarding data breaches over the past couple years, that your security perimeter can be as strong as Fort Knox, but all it takes is one employee to click on a malicious link and none of that matters. Everything you have done to secure your network and all […]
One of the most common compliance standards we deal with as an organization is the Payment Card Industry Data Security Standard (PCI DSS). Reading through this standard can be complex however, and trying to figure out how it applies to your organization can be a daunting task. For most organizations that have to complete a […]
When conducting wireless penetration tests, the most common type of wireless network we see is WPA2-PSK. While this is better than WEP (thank goodness we rarely see that anymore), this type of network still has some shortcomings, depending on what you are trying to protect. Specifically in this blog, we will focus on the dangers […]
One of the most common compliance standards we deal with as an organization is the Payment Card Industry Data Security Standard (PCI DSS). Reading through this standard can be complex however, and trying to figure out how it applies to your organization can be a daunting task. For most organizations that have to complete a […]
Organizations have varying levels of concern when it comes to a penetration test. Many of them have been through this process many times before, have had a multitude of different tests performed, and are not concerned in the slightest that testing will cause any sort of disruption. On the other side of the spectrum, some […]
All good (or in some cases bad) things come to an end. In the ever-changing world of technology, this is even more true. As Microsoft (or any other vendor) works on pushing new technology out, they will often mark older operating systems and applications as “end-of-life.” Some organizations, particularly those with a small IT budget, […]
Defense in depth is a term that gets thrown around a lot by security practitioners, and for good reason. When applied correctly it will exponentially increase your ability to prevent, detect, and limit the damage an attacker can cause. In this blog, we will take an in-depth look at defense in depth with some practical […]
In this blog, we are going to walk through one of the most common ways we get an initial foothold on a network during an internal penetration test: NBNS and LLMNR Spoofing. First, we’ll discuss what these two technologies are, then we’ll talk about how to exploit them and the potential impact. Finally, we’ll discuss […]
In a previous post, we covered timing-based username enumeration vulnerabilities and how an attacker can exploit these weaknesses to craft a list of known-valid user accounts. The next step in that attack chain is using that list of valid accounts to conduct password attacks and try to gain unauthorized access to an organization’s exposed login […]
