A penetration test, or pen-test, provides a comprehensive evaluation of the security state of an IT Information System (IS) and its users by trying to exploit vulnerabilities from a white-hat or ethical hacker approach (you know, the good guys). A myriad of potential vulnerabilities may be exposed within a company’s operating systems, applications, firewalls, routers, network configuration, cloud-base resources, and software through improper security configurations or risky behavior by the employees/users. Pen Tests are also useful for the validation of the efficacy of defense mechanisms and the effective application and practice of company security policies by its users.
Penetration tests are performed using manual or automated (or both!) methodologies to systematically attempt to compromise servers, users, endpoints, cloud applications, wireless networks, network and mobile devices, industrial control systems, and other potential company targets. If any vulnerabilities are successfully exploited on a company Information System or via its users through social engineering, phishing or spear-phishing, testers may additionally try to further utilize the compromised system to target deeper exploits at linked internal resources by trying to gain higher levels of access control through privilege escalation so that more sensitive information and data can be stolen or compromised.
The information obtained from the Pen Test results reveal details about security vulnerabilities that may have been successfully exploited, which is aggregated to reports and reviewed by the ISSO to construct into a final Report for Stakeholders within the company, including IT and network system managers to enable the construction and practice of tighter security policies and to prioritize remediation efforts to reduce critical vulnerabilities. The ultimate purpose of penetration testing is to pro-actively and routinely (at least once a year!) measure the implemented and effectiveness of the security of the company’s information systems and end-user training, awareness and practice. It allows for the subsequent evaluation for what consequences arise from the emulated cyber attacks may have on the company’s mission critical resources and daily operations as well as disaster recovery plans, business continuity, and effectiveness of end-user training.
Penetration testing should be performed routinely, and we recommend at a minimum, yearly, to provide assurance that your business’ IT and network security management and operating within your Security Policy’s parameters. A Techni-Core Certified OSCP Pen-Tester will work with you to select the depth of the Penetration Scan you can budget, using Test Time Per Paramater (TTPP). This will provide you progressively deeper scans, depending on both your Pen Test goals and budget. The following TTPP test levels are:
- Any time there is new threats of targeted breaches within your industry
- Network and systems configuration changes
- New applications, software or Operating Systems are added to the infrastructure
- New equipment like firewalls, routers and switches are added
- New office locations are established
- Major modifications of company security policies
To get started on your Penetration Scan, you simply purchase a clock of Cyber Compliance Consulting hours from our Square Store. The higher the block of hours, the more discount you receive!
- Our Standard Cyber Rate of $200, billed as you use per hour. Use this if you just wanted to get started with a consultation.
- Our 25-Hour Bundle for $25/hour discount!
- One 50-Hour Bundle for a $50/hour discount!
Russian Hackers Attacked U.S. Aviation as Part of BreachesFrom Bloomberg.com By Alan Levin Updated on “Russian hackers attempted to penetrate the U.S. civilian aviation industry early in 2017 as part of the broad assault on the nation’s sensitive infrastructure.The attack had limited impact and the industry has taken steps to prevent a repeat of the intrusion, Jeff Troy, executive director of the Aviation Information Sharing and Analysis Center, said Friday. Troy wouldn’t elaborate on the nature of the breach and declined to identify specific companies or the work that was involved.” Read More….
It’s not just elections: Russia hacked the US electric grid
From Vox.com By
“A huge story about Russian hacking got lost amid all the Trump administration staffing drama and Stormy Daniels news over the past week: On March 15, the US government released a report describing a massive Russian hacking campaign to infiltrate America’s “critical infrastructure” — things like power plants, nuclear generators, and water facilities.” Read More….
Half of UK manufacturers fall victim to cyber attacks
“The UK has already suffered stealth cyber attacks on more than 80 manufacturing plants, with criminals deploying tactics that could put critical national infrastructure at risk.
Britain’s spy agencies have warned the bosses of utilities, transport and health services that Russian hackers are invading unprotected networks ahead of a potentially serious attack.
But new evidence shows the attackers are already targeting UK factories. In an anonymous survey of manufacturers, almost half admitted that they have fallen prey to cyber warfare, according to trade group EEF. ” Read More….
Russian hacker warning: How to protect yourself from network attacks
“Businesses and governments have been urged to keep their network security up to date following a warning from US and UK authorities about the risk of cyber attack from hackers backed by Russia.
The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) issued an alert over exploits in routers and other internet connected devices used in homes, small businesses and large organisations, which are said to be vulnerable to cyber attacks.
The hacking campaign includes breaking into routers and other network devices to carry out man-in-the-middle attacks to support cyber espionage, steal intellectual property and maintain persistent access in victim networks for use in additional attacks.” Read More…
Drones to cloud computing: AP exposes Russian wish list
From APnews.com By BY JEFF DONN, DESMOND BUTLER and RAPHAEL SATTER Feb. 08, 2018
“WASHINGTON (AP) — Russian cyberspies pursuing the secrets of military drones and other sensitive U.S. defense technology tricked key contract workers into exposing their email to theft, an Associated Press investigation has found.
What ultimately may have been stolen is uncertain, but the hackers clearly exploited a national vulnerability in cybersecurity: poorly protected email and barely any direct notification to victims.
The hackers known as Fancy Bear, who also intruded in the U.S. election, went after at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms or other sensitive activities, the AP found.
Employees at both small companies and defense giants like Lockheed Martin Corp., Raytheon Co., Boeing Co., Airbus Group and General Atomics were targeted by the hackers. A handful of people in Fancy Bear’s sights also worked for trade groups, contractors in U.S.-allied countries or on corporate boards.
“The programs that they appear to target and the people who work on those programs are some of the most forward-leaning, advanced technologies,” said Charles Sowell, a former senior adviser to the U.S. Office of the Director of National Intelligence, who reviewed the list of names for the AP. “And if those programs are compromised in any way, then our competitive advantage and our defense is compromised.” Read More….
Exposed: Misconfigured Cloud Storage Leaves 1.5B Sensitive Files Up for Grabs
“A colossal 12TB of data – including confidential intellectual property, penetration test results and other sensitive files in the cloud – can be pulled from exposed Amazon S3 buckets, rsync, SMB, FTP servers, misconfigured websites, and NAS drives, according to new research.
The “Too Much Information” report published by Digital Shadows on Thursday, found that 1.5 billion files were exposed across the internet’s most ubiquitous file sharing services. That includes 64 million files in the UK alone – the equivalent to one file for nearly everyone in the country.
Security Teams, Bow your Heads
Thousands of security audits (5,794), network infrastructure details (1,830) and penetration test reports (694) were among the files publicly accessible online.
The instances were blamed by Digital Shadows on poor security practices in file-sharing protocols.
“As organizations look to bolster their internal security programs with assessments and penetration tests, they turn to external consultants and suppliers. As these consultants backup and share their work, this highly sensitive information can become exposed,” report authors Rick Holland, Rafael Amado and Michael Marriott noted.” Read More…
Amazon Web Services Cloud Business Showing No Signs of Slowing Down
“Today’s topics include Amazon Web Services’ cloud business continuing to grow, and Google rolling out a Kubernetes cloud service catalog and cloud service broker.
Amazon Web Services on April 26 reported first-quarter 2018 revenue of $5.4 billion, an impressive 49 percent year-over-year revenue growth in the public cloud. For comparison, when Amazon began to break out AWS revenue in the first quarter of 2015, revenue was $1.57 billion, and Amazon has continued to grow cloud revenues at a rapid pace every quarter since.
“AWS had the unusual advantage of a seven-year head start before facing like-minded competition, and the team has never slowed down,” Jeff Bezos, Amazon’s founder and CEO, stated.
Security Experts Warn of New Cyber-Threats to Data Stored in Cloud
“SAN FRANCISCO –New cyber-attack techniques are evolving that threaten computer systems that IT security administrators may have considered relatively safe. That was the message of a panel of SANS Institute cyber-security experts at the 2018 RSA Conference.
For example, cloud computing is often lauded for its security and a way for companies to offload the infrastructure and investment costs of owning and maintaining on-premises data centers.
But SANS Institute’s Ed Skoudis said storing data offsite doesn’t ensure security.
“There is leakage when you have data stored in the wrong repositories or not stored correctly,” said Skoudis, a fellow and lead instructor at SANS Institute, which specializes in IT training and security services.
“There have been many attacks, Verizon twice, Time Warner and Uber and the U.S. Army leaked over 100 gigabytes of data because of a bug in an Amazon S3 storage bucket.”
Skoudis said organizations have focused on protecting their computer systems, but it’s time to think more broadly.
“If I ask a company if they manage and secure their computer systems they say yes. But when I ask about securing their data assets they say, ‘What are you talking about?’ It’s important to protect your computer systems, but if you don’t know what your data assets are and you’re putting them on systems you have no control of, you’re going to be in trouble,” he said.” Read More…