Top Mistakes CISOs Make When it Comes to Penetration Testing
In this blog, we are going to look into a few of the top mistakes CISOs make when it comes to penetration testing and how your organization can avoid them.
Quick Tips
Social Engineering in the Age of COVID-19
In today’s blog, we will be discussing social engineering attacks in the age of COVID-19. Social Engineering is a popular vector for attackers and with the rise of remote work due to the pandemic, companies’ IT security departments need to be increasingly vigilant. As many of our readers are no doubt aware, social engineering attacks […]
Network Segmentation For Security
Today, we’re going to take a closer look at how network segmentation can be used to improve your organization’s security posture. Network segmentation is, very simply, creating subdivisions of your corporate network and then intelligently restricting traffic flows between them. This can take the form of VLANing, ACLs on routers or firewalls, host-based firewalls, physical […]
CTF vs Real Penetration Testing
In today’s blog, we’ll discuss the differences between a CTF vs real, professional penetration testing, and the mindset required for each. We’re primarily aiming this article at aspiring and junior penetration testers, by highlighting some of the things to think about when transitioning from a CTF-style environment to that of a professional penetration testing firm. […]
Should You Worry About Medium/Low Risk Vulnerabilities?
Let’s say you just received a penetration test report from a company and you are working with your internal IT team or development team to triage and fix the issues raised. Someone on your team is of the mindset that fixing the medium/low priority issues in report isn’t even worth the amount of resources it […]
Quick Tip – Leave Passwords in the Database Where They Belong!
Today’s security quick tip is brought to you by some API penetration tests I’ve completed over the past few weeks. One of the things I’ve noticed more and more as organizations are developing and implementing APIs as part of their overall application infrastructure is the presence of “greedy” or overly verbose JSON objects in HTTP […]
Different Day, Same Path to Domain Admin
One of the most common tests we perform for clients is an internal penetration test, designed to explore the vulnerabilities across a company’s internal networks. This testing emulates what an attacker that gained an initial foothold on the network could do or what kind of problems a malicious insider could cause, to put it briefly. […]
PCI DSS Requirement 12.11
In this blog, we’re going to do a quick review of PCI DSS Requirement 12.11 and provide some strategies for service providers who need to maintain PCI compliance. As you may have guessed from context clues in the first sentence of this blog, this requirement only applies to service providers and does not need to […]
PCI Compliance Tip – Preparing Network Documentation
As we continue our series of blogs hitting on some tips to help your organization maintain PCI compliance, we’re going to take a look at network documentation. When preparing for an initial PCI-related audit or trying to maintain your compliance program over time, an important part of that is your network documentation. This includes things […]
PCI Compliance Tip – Creating Evidence
Today we’re going to tackle a consistent issue we see with companies trying to meet and maintain PCI compliance, creating evidence. When we talk about creating evidence for compliance purposes, we’re really talking about all the different ways you are proving that you are compliant. For example, it’s great that you tell me as an […]