You are viewing 'assessment'
Many types of red team and physical security assessment toolkits are utilized across the industry. Through our experiences in the NTT Security Threat Services group, we have developed a mixed bag of devices and tools that we commonly use with hybrid assessment types.
The lists below are not intended to be comprehensive, but a quick reference for red team specific toolkits - which often include technical devices and physical tools.
As always, it is assumed that you have permission from your client, have the proper documentation on hand and the defined scope is your primary consideration before attempting to compromise a target facility. Please make sure that you have plenty of experience with bypass and lock picking tools in order to reduce the risk of damaging doors, locking cores and mechanisms etc. Always be... read more >
While there are many articles directed at assessors and consultants on “what not to do” during a penetration assessment, I haven’t seen many blogs directed towards what things clients should avoid when preparing for a penetration assessment. I wanted to address this topic, and share from experience, pitfalls that can often hinder the progress and quality of a penetration assessment.What is a "Penetration Assessment"?
Penetration assessments are a way to identify an organization’s risks by simulating common threats. These assessments can target a wide range of scenarios; such as, external service attacks, insider threats, social engineering and physical intrusion. Once these vulnerabilities have been identified and exploited, that information is then compiled into a report and passed on to the client for... read more >
#WarStoryWednesday: Quick and Dirty Social Engineering
Every now and then, I work on the assessments that normally Brent White and Tim Roberts blog about. When I’m privileged to get such an assignment, I typically create unnecessary pressure on myself in an effort to compete with the likes of my aforementioned teammates and their overwhelming success on Social Engineering Assessments. I find myself feeding off the pressure and nervous energy, turning it into excitement and focus. By drawing on my past experiences in the Broadcast Television industry, I convince myself that this will only help me succeed on such a project. Then, when I get word of the increased challenge level, whether due to the small size of the company being assessed, a shared work environment or building, or armed guards present, I actually find myself... read more >
Earlier this year, a friend (5tubb0rn) and I toyed around with some ideas at a local hacker workspace. I had been using a Proxmark/BishopFox build to steal proximity badges during some of our Professional Security Services on-site Social Engineering Assessments and covert Physical Security Assessments. The Proxmark/BishopFox build was handy in that I didn’t have to bump into anyone in order to snag their badge for replication. The only problem I’ve had with this device is the size – it is a garage badge reader after all, and about the size of a laptop. There are smaller devices out there but we wanted to create something from scratch, utilizing a Raspberry Pi and some plug-and-play sensors that could be easily hidden by someone in the guise of a contractor. So, the two of us came up with a... read more >
Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.
Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). The theme for this week is STOP. THINK. CONNECT, however, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. And no matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.Assessment Background
The... read more >