This blog outlines Triaxiom Security’s methodology for conducting mobile application penetration tests. A mobile application penetration test emulates an attack specifically targeting a custom mobile application (iOS and/or Android) and aims to enumerate all vulnerabilities within an app, ranging from binary compile issues and improper sensitive data storage to more traditional application-based issues such as […]
This blog outlines Triaxiom Security’s methodology for conducting Application Programming Interface (API) penetration tests. An API penetration test emulates an external attacker or malicious insider specifically targeting a custom set of API endpoints and attempting to undermine the security in order to impact the confidentiality, integrity, or availability of an organization’s resources. This document outlines […]
When we are talking through social engineering with a potential or current client, we notice that many times, the client will respond with some variation of “I already know my users are going to fall for it.” If you already know your users are going to fall for it, what’s the point of a social […]
This blog outlines Triaxiom Security’s social engineering methodology, which is used to guide our engineers during these types of engagements. Social engineering engagements are designed to target and take advantage of the human-element to gain access to your network. During the engagement, a variety of methods are used to get an employee to click on […]
When going through one of our security gap analyses, we are often asked to clarify why the interviewee is being asked if they have an asset inventory in place. Asset inventories are more than just a spreadsheet to track your hardware. According to the HIPAA Security Rule Crosswalk to NIST, managing assets enables “the organization to […]
How do I fill out a vendor security assessment questionnaire? As company’s are beginning to become more security focused and realize that suppliers/vendors represent potential security threats, we are constantly being asked how to fill out a supplier assessment related to information security. While we think this is great for the security industry, it often […]
External penetration tests are one of the most common tests we perform. An external penetration test is often the starting point for any company that is trying to understand their risk. With numerous compliance regulations either requiring external penetration tests or “highly recommending” them, we get to perform a lot of them. As such, we […]
Host compliance audits are known by a lot of different names. Configuration reviews, security reviews, configuration audits, and host checks are just a few names I’ve heard tossed around to describe a review of the level of security of a workstation/server/device. This is done by using a combination of a best practice standard and a […]
On September 8th, 2018, Marriott received an alert from an internal security tool in what would be the start of one of the worst data breaches of 2018. After disclosing the breach, which affected approximately 383 million victims, shares fell 5.6% and Marriott is now facing a class-action lawsuit. Although it is too soon to […]
According to a survey conducted by Wombat Security, 76% of companies in 2017 experienced phishing attacks. Not only that, but social engineering is the most prevalent way an organization gets breached. Think about it, you probably spend a lot of time and money shoring up your perimeter security posture. You are diligent about ensuring systems are patched and up-to-date, […]
