Exclusive Cybersecurity Insight from Solutionary
Businesses that are adjacent to hotels are the best…for security consultants. When you have a high-gain wireless antenna, a rogue access point plugged into the network, or a vulnerable wireless access point you can compromise, you pretty much don’t have to leave the comfort of your hotel room or parked vehicle for the assessment. I have been on a handful of these fortunate layouts and it certainly helps when staying under the radar. One of my first red team assessments had a hotel right next to the business we were assessing. The only thing separating the extended-stay hotel and the business was waist-high foliage, with little to no lighting or camera coverage. With this assessment, after-hours testing was in scope, thus making the assessment that much easier. On-site Social Engineering...
Hands-On Web Exploitation with Python
Back in 2015, a colleague and friend asked if I would be interested in teaching a training class with him at OWASP AppSec USA. After carefully considering, I agreed. It’s a good thing, because he had already submitted the class to the call for trainings before asking me.
Fast forward a bit and we’re now gearing up to teach our third version of the class. What started out as a one-day training session has turned into a three-day course. Based on the feedback we have received over the previous years, my colleague and I have tweaked the class in an attempt to provide a class for all levels of programmers, from beginners who may be new to Python to veteran programmers.
Much like our first class, I have taken the time to develop a new vulnerable virtual machine for the test lab. This time around, I applied several lessons I learned along the way. The primary change to the virtual machine is that I made it quite a bit simpler. I did this because I...
Does your organization face challenges with effectively aligning cybersecurity teams and business executives? In many organizations, business executives and cybersecurity teams don't always understand each other's roles. Executive leadership may not realize the cyber risks to their organization, such as APTs, insider threats, espionage and phishing. Likewise, cybersecurity teams may not know which business systems are MOST important to protect before and during an incident.
So how can you successfully align cybersecurity with the C-Suite, and keep the collaborative alignment effective? Before we answer that question, let's first talk about the challenges that have historically kept security and business executives out of alignment.
Strategic vision directly influences how successfully cybersecurity controls are implemented. Cybersecurity MUST be positioned as a business enabler. And businesses...
How long is too long?
There has been a lot of chatter on social media lately surrounding the topic of public vulnerability disclosure. Doing a quick Google search, I found a ton of resources, discussions and blog posts available, covering different ways to properly disclose a vulnerability. Several are listed below:
Many types of red team and physical security assessment toolkits are utilized across the industry. Through our experiences in the NTT Security Threat Services group, we have developed a mixed bag of devices and tools that we commonly use with hybrid assessment types.
The lists below are not intended to be comprehensive, but a quick reference for red-team-specific toolkits, which often include both technical devices and physical tools.
As always, it is assumed that you have permission from your client, have the proper documentation on hand, and treat the defined scope as your primary consideration before attempting to compromise a target facility. Please make sure that you have plenty of experience with bypass and lock-picking tools in order to reduce the risk of damaging doors, lock cores, mechanisms, etc. Always be...
A recap of RSAC 2017
RSA 2017 finished up last week - thousands of security professionals descended upon the Golden City, ready to learn about the newest technology.
If you made it to our booth, you heard us discuss how digital transformation is having a substantial impact on organizations in every industry. The cloud is becoming harder to navigate, with more products and solutions offered than ever before. On top of that, many organizations that already have a security program in place are wondering how to keep up with the threat landscape and digitization.
I touched on this during my interview with Illena Armstrong, VP Editorial, SC Media at RSA. Organizations need a strong and flexible security program that can adopt and transition to new technological advancements. Watch the full interview below to learn how the ability to adopt solutions faster can save costs, and the key things to consider in the digital transformation...
Phishers & Scammers & Taxes, Oh My!
Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.
— Benjamin Franklin
It’s that time of year — tax season. Regardless of whether you owe or are expecting a refund, there is one thing we all should be looking out for: people who want to take your money. This is a good time of year to remember one of the least technical, but certainly one of the most dangerous aspects of our industry, social engineering.
Whether by email through a phishing scheme or by telephone and intimidation, there is a possibility that you will be contacted in an attempt to access your IRS records, or pressured to send money to an unauthorized but reputable-sounding party.
Here are just some of the potential social engineering scams you might see: A tax company appears...