Cyber Security Awareness and Vulnerabilities Blog

New Release - Core Impact 2017 R2

Jul 24, 2017
After months of hard work by our outstanding team, I am pleased to announce the release of Core Impact 2017 R2 – the comprehensive software solution for identifying, assessing and testing security vulnerabilities that attackers will exploit. With Core Impact you are able to identify the most pressing cyber risks to your organization by using this tool that enables you to think, and act, like an attacker. Penetration Testers and Red Teamers can safely imitate real attacks within their own networks.

How to Build a Red Team

Jul 17, 2017
From phishing scams to ransomware, cyber-attacks are growing every day. But something else is growing too – as in the number of Red Teams being built by organizations just like yours. But is a Red Team right for you? Red Teams SANS defines a Red Team as “a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access.”

3 Questions to Ask About Vulnerability Management

Jul 5, 2017
Vulnerability management is becoming a standard industry practice and, as such, is included in most regulatory compliance rules as a quick and easy path to threat remediation. However, the reality is that most companies are not actually managing vulnerabilities, but rather conducting scans that produce thousands of potential threats. Identifying possible security risks and actually managing them through to remediation are completely different things.

Petya - What Really Happened

Jun 29, 2017
There has been a lot of information shared this week around the Petya “ransomware” virus. I put this in quotes because, just as with most attacks, once you dive in and get more information you find out that everything is not as it seems.

Petya Ransomware Attack: Here We Go Again

Jun 28, 2017
For the second time in as many months, organizations around the world are feeling the effects of a ransomware attack. No doubt, you heard about the WannaCry virus that spread rapidly, worldwide last month demanding bitcoin ransom for company data. This time, the virus is called “Petya” but there are many similarities, and one important difference, compared to WannaCry. 

Before You Download: Penetration Testing Your Applications

Jun 26, 2017
Each day we are being inundated with information. This could be in the form of ads, articles or a new tool to use that will surely make our lives easier. While these applications could be very useful to the organization, they could also be the cause of breaches or the unlawful capture of your personal or business information. But there’s a way to ensure the programs you are downloading to your devices are secure – at least for now.
IT Team

The 4 Questions to Ask Your Security Consultants

Jun 19, 2017
While it can be nerve-wracking letting someone into a portion of your organization, look at it as though you are actually taking back control. Enlisting the help of trained and experienced experts is nothing to be ashamed of – if anything, this could be the smartest thing you do for your company. However, before completely letting go of the reigns here are some questions to ask so that you know you can trust the team you have enlisted the help from.

Do you know who your machines are talking to?

Jun 14, 2017
For those of you that have been living under a rock for the past few months, there has been quite a lot of talk about Russia and their interference in the 2016 U.S. election. From open session meetings to leaked documents and the tweets heard round the world, the question on everyone’s mind is – how much did Russia have to do with the election results? I’m not going to pretend I have the answer to that question nor do I want to talk about how to go about figuring this out – but it did get me thinking. Do we really know who our machines are talking to?
Security Tips

How to Think Like an Attacker: Advice from the (Not So) Dark Side

Jun 12, 2017
We spend a lot of time talking around and about bad actors, but what if we sourced them to teach us about this industry instead? We know they exist and we know they’re working towards obtaining the sensitive data on our networks. But how do their minds work and how do they work differently than those on the ethical side of hacking? Let’s look at what sets bad actors apart and how you can leverage that information towards your future security initiatives.

Lessen the Blow of Ransomware or Social Engineering – Phish Your Users

Jun 5, 2017
So I know that everyone was worried about WannaCry and the Ransomware epidemic that we just had. Though this type of attack isn’t new, this one particular instance got so much attention because it was such a large attack and affected many in the world. Many organizations immediately started researching with their security vendors how to detect, deter and remediate…Sound familiar? Yeah, that’s Core Security’s line and we have products that could have helped then and can help today.

10 Reasons You Should Be Pen Testing

May 29, 2017
You may know that you need to penetration test your organization for the sake of compliance - but there is more to gain from a pen-test than just adhering to set regulations to avoid a fine.  We've compiled a list of reasons to pen-test your infrastructure to help your company operate out of a healthy security posture. 

The Benefits and Threats of the Internet of Things

May 24, 2017
There is no doubt about it, the Internet of Things (IoT) has made life better. I’m not just talking about the fact that I can be connected 24/7 through my laptop, tablet or phone. The rapid expansion of devices that are connected to the internet and weaved into our everyday life is remarkable. For example, this morning I woke up and didn’t have to get out of bed before Alexa told me today’s weather and top stories and my iPhone gave me a traffic alert that it would take longer than usual to get to my 8AM meeting.
Ransomware locked files

WannaCry and the Rise of Ransomware

May 17, 2017
WannaCry may be the latest outbreak or ransomware to hit the news, but it is not the 1st or the last. In 2016 alone, it is estimated that $1 billion dollars in cyber ransoms were paid out to cyber criminals. If this widespread attack proved anything it's that the threat is real. 
Security Tips

Phishing: What Does It Look Like and How to Avoid It

May 15, 2017
According to the Anti-Phishing Work Group, 1.2 million individual phishing attacks took place in 2016 – a 65% increase from the year before. These attacks have been mentioned across all industries and the most recent Verizon Wireless Data Breach Report states that 95% of phishing attacks that led to a breach were followed by some sort of software installation- usually malware.
Security Tips

The Biggest Problem with User Access and How To Fix It

May 10, 2017
Did you know that one of the top nine attack types consistently covered in Verizon’s Data Breach Report are insider threats and privileged misuse? According to this year’s report, 66% of insiders steal information in hopes of selling it for cash, 17% are just unsanctioned snooping and 15% are taking it in order to take the information to a new employer. What is the root cause of all of these problems? Access. 

How Pen-Testing Protects Your Federal Agency

May 8, 2017
It seems as if government agencies, both locally and nationally, are making headlines for mostly the wrong reasons these days. From scandals to breaches and cybersecurity this has become such a sensitive subject within the past year that these events have left most folks feeling even more on edge. As stated by Thales Data Threat Report, within the past year alone, 33% of government agencies reported that they experienced a data breach. Not to mention the ones that have remained unnoticed, for now at least.

How Penetration Tests Protect Your Retail Business

May 1, 2017
Retail is arguably the leader in terms of the most financial transactions executed in an industry. With that in mind, the retail industry also makes up 8% of all data breaches. It may feel nerve-racking to both work and participate in such a risk dense environment. However, if you have the right security measures in place and remain aware of other’s security breaches and best practices you may be able to breathe a bit easier.

Ways Hackers Look to Exploit State and Local Governments

Apr 24, 2017
Don’t for a minute think that bad actors have no interest in the information you collect in your state or local office. Whether you work for the City Water Department or the Department of Tax and Revenue for your county, you are collecting data that is critical to not only your job – but for all of the organizations and people that work and live within your territory. Even if you aren't employed by these organizations, your personal data may be harbored here. So what are you doing about it?
IT Team

Building the Best Offensive Security Team [Infographic]

Apr 17, 2017
  Download the full infographic

Students Safely Using Devices on Networks: Home, School and Business

Apr 10, 2017
The integration of technology in classrooms has changed school environments tremendously. It seems as if each year at earlier ages, students are more comfortable using a tablet than putting pen to paper. However, there’s more to be concerned with than kids growing up with poor penmanship.
Security Tips

How to Deal with Changing Financial Cybersecurity Regulations

Apr 5, 2017
Late last year the New York State of Financial Services (DFS) announced that New York would be proposing a "first in the nation" rule on cyber-security to go into effect on March 1, 2017 which would impact any bank, insurance company and anyone else covered by DFS. The rule requires any regulated company design a cybersecurity program that assesses its risks to ensure the safety and soundness of the cybersecurity protections in place with the goal of providing further protections of its customers.
IT Security

When to Revisit a Cybersecurity Plan

Apr 3, 2017
We are a full three months into 2017 and hopefully you’ve remained unscathed. Have you had some things on your “to-do” list that just haven’t happened? Or maybe something didn’t work or produce as much of a “punch” as you were hoping it would? Maybe some things have served your company far better than you thought—like putting a company-wide security training in place paired with password reset or even knocking out a pen-test for the year.
Security lock breaking

A New Way of Thinking About Vulnerability Management

Mar 29, 2017
How do you look at vulnerability management? We’ve seen several blogs on this topic in the past month and even a webinar with one of our security consultants but the truth is that everyone looks at this issue differently. From scanning and assessments to prioritization and patching, vulnerability management is a lot of different things but it is not and never should be seen as:

Horrible Mistakes You're Making With Pen-Testing Pt. 2

Mar 27, 2017
We’ve let you in on some of the not-so-secret mistakes people make with pen-tests last week in "Horrible Mistakes You're Making With Pen-Testing Pt. 1" and we’re continuing with that theme today. There are more potential mistakes and we want to make sure you’re aware of them in order make your pen-tests successful. Read on and stay tuned to see just how many there actually are!

Tips for Helping Vulnerability Managers Sleep Easier

Mar 22, 2017
Wouldn’t it be nice to sleep easy at night and not have to worry if your vulnerability management program is really catching all the vulnerabilities that could be and are in your environments? Wouldn’t it even be nicer if you could get them prioritized by risk and truly make sure they are mitigated or remediated based on what attackers may try to leverage first? How about that resource(s) who now spends 100% of their job on vulnerability management, although it wasn’t why they were hired?