Defense in depth is a term that gets thrown around a lot by security practitioners, and for good reason. When applied correctly it will exponentially increase your ability to prevent, detect, and limit the damage an attacker can cause. In this blog, we will take an in-depth look at defense in depth with some practical […]
In this blog, we are going to walk through one of the most common ways we get an initial foothold on a network during an internal penetration test: NBNS and LLMNR Spoofing. First, we’ll discuss what these two technologies are, then we’ll talk about how to exploit them and the potential impact. Finally, we’ll discuss […]
In a previous post, we covered timing-based username enumeration vulnerabilities and how an attacker can exploit these weaknesses to craft a list of known-valid user accounts. The next step in that attack chain is using that list of valid accounts to conduct password attacks and try to gain unauthorized access to an organization’s exposed login […]
From time to time, when we see a particular vulnerability that keeps showing up over and over again during penetration testing engagements, we like to write about it and help spread awareness. This can help explain the issue, the subsequent risk it presents to your organization, and how to successfully remediate the issue or at […]
What is “phishing”? How can we protect our firm from phishing attacks? How can we train our employees to spot a phishing attempt? These are all valid questions and today we will explore the ins and outs of how to recognize phishing and how to protect your firm from it. As we have discussed before, […]
In our last blog on tackling the broad topic of how do I protect my company’s sensitive information, we reviewed several ways to get started with this process. Before you can protect your sensitive data or “crown jewels”, you’ve got to know what you have and where it lives. We covered creating an asset inventory […]
Today, we’re going to try and tackle the million dollar question of how to protect your organization’s sensitive data. Keep in mind, this isn’t going to be a single, magical answer. There is no silver bullet when it comes to security, but when it comes to tackling a broad topic like this, we’ll try and […]
We often get asked whether it is a good idea to change penetration testing companies each year. Obviously we don’t want our clients to leave us and we pride ourselves on building a long term relationship with them, but we will always offer advice that is in line with their best interests. As with anything, […]
The question of “do startups need a penetration test” comes up quite often when speaking with entrepreneurs and folks in the startup scene. Unfortunately, startups can be a natural target for would-be hackers as they know that the security posture of startups can often be immature or non-existent. Sometimes the pressure to build and get […]
Today we’re going to talk about a question that seems to be coming up more and more in the security and penetration testing world, even though it’s been around in the technology and software development world for quite some time. Does it matter if I use an offshore penetration testing company? It doesn’t matter who […]
