As with most anything in life, you want to set SMART goals. Setting goals that follow this guideline (Specific, Measurable, Achievable, Relevant and Time-bound) allows you to form hypotheses and set firm parameters around your work and what potential outcomes to expect. This is no different for the Red Team whose sole purpose is to test the security measures currently in place and test how to improve or continue that in your infrastructure.

Before I start, I need to come clean and tell you that I love enterprise software. Weird? Maybe. However, after working in the industry for many years and for many different companies, enterprise software is the basis for what drives business. Whether it’s your CRM, ERP or cyber security – it all starts with enterprise software.

We're always trying to simplify how you go about pen-testing your organization. Anytime you make something too complicated there becomes unnecessary barriers to completion. Enjoy this free Guide to Penetration Testing to ensure you complete your penetration tests quickly and efficiently. 1. Project Scope Before starting your pen-test, you need to determine you plan of attack. This will consist of what to include in the test and will spell out your goals.

I recently was watching an old episode of “Friends”. During this one particular episode, Ross was trying to move a couch into his upstairs apartment. As they were trying to carry the couch upstairs, they reached a point where they had to turn a corner. As you can imagine - the couch becomes stuck and Ross was yelling, "PIVOT!!" Since joining Core Security, anytime I hear the word ‘pivot’, I think about it in terms of how an attacker would move through a network.

Internships are becoming more and more necessary in order for college students to land a job straight out of college. In fact, over 85% of college students complete internships every year. With numbers like these, it’s quite possible that you have a few interns in your office throughout the year. We had five this summer and they were amazing – and not just for getting coffee and making copies. They were integral parts of our business. As such, they had access to several different applications based on their area of focus within the business.

Don’t be misled into thinking that because you have a Penetration Tester that you have a Red Team – or that because you have a Red Team you have a Penetration Tester. While some functions may overlap, you are getting two different things when enlisting the help of each. Both provide something beneficial to your organization and the security measures in place – so let’s further investigate what you can really expect from each.

The terms “hacking” and “hackers” often get a bad reputation. This tends to have a fairly negative connotation because of the nature these words are often used in. I’d like to think I’m not alone in envisioning some scary guy hanging out in a dark room in a black hoodie trying to break into my bank to steal my credentials or money for that matter. The way we perceive and hear “hacker” in the media has definitely misconstrued my perception of these folks.

It’s not just the bad actors that we at Core Security want to protect you from – we also want to protect you from yourself. It’s all hands on deck when it comes to securing your systems and the systems you interact with on a daily basis.

It’s no secret that healthcare organizations are constantly in the crosshairs of cyber criminals. One of the reasons healthcare records are 30 times more valuable than financial records is because they contain full identity profiles – including your social security number which is the gateway to acquiring any and all of your personal information.

It's true - we've had a lot of updates and releases for Core Impact over the past month. From the New Named User Pricing to the continued improvements being shipped to Core Impact and just this past week the new release of Core Impact 2017 R2 - there's been a lot happening. But trust that the product is still the most comprehensive solution for assessing and testing security vulnerabilities within your organization. Today we're going through some of the benefits you can find when using this tool.

For several years the Department of Defense (DoD) has been focused on protecting controlled and unclassified information. Seven years ago, around November 2010, the White House issued Executive Order 13556 that established an open and consistent program across all civilian and defense agencies for managing information. The issue this Executive Order was trying to rectify was that departments/agencies had ad hoc measures for safeguarding controlled and unclassified information.

After months of hard work by our outstanding team, I am pleased to announce the release of Core Impact 2017 R2 – the comprehensive software solution for identifying, assessing and testing security vulnerabilities that attackers will exploit. With Core Impact you are able to identify the most pressing cyber risks to your organization by using this tool that enables you to think, and act, like an attacker. Penetration Testers and Red Teamers can safely imitate real attacks within their own networks.

From phishing scams to ransomware, cyber-attacks are growing every day. But something else is growing too – as in the number of Red Teams being built by organizations just like yours. But is a Red Team right for you? Red Teams SANS defines a Red Team as “a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access.”

Vulnerability management is becoming a standard industry practice and, as such, is included in most regulatory compliance rules as a quick and easy path to threat remediation. However, the reality is that most companies are not actually managing vulnerabilities, but rather conducting scans that produce thousands of potential threats. Identifying possible security risks and actually managing them through to remediation are completely different things.

There has been a lot of information shared this week around the Petya “ransomware” virus. I put this in quotes because, just as with most attacks, once you dive in and get more information you find out that everything is not as it seems.

Each day we are being inundated with information. This could be in the form of ads, articles or a new tool to use that will surely make our lives easier. While these applications could be very useful to the organization, they could also be the cause of breaches or the unlawful capture of your personal or business information. But there’s a way to ensure the programs you are downloading to your devices are secure – at least for now.

While it can be nerve-wracking letting someone into a portion of your organization, look at it as though you are actually taking back control. Enlisting the help of trained and experienced experts is nothing to be ashamed of – if anything, this could be the smartest thing you do for your company. However, before completely letting go of the reigns here are some questions to ask so that you know you can trust the team you have enlisted the help from.

We spend a lot of time talking around and about bad actors, but what if we sourced them to teach us about this industry instead? We know they exist and we know they’re working towards obtaining the sensitive data on our networks. But how do their minds work and how do they work differently than those on the ethical side of hacking? Let’s look at what sets bad actors apart and how you can leverage that information towards your future security initiatives.

So I know that everyone was worried about WannaCry and the Ransomware epidemic that we just had. Though this type of attack isn’t new, this one particular instance got so much attention because it was such a large attack and affected many in the world. Many organizations immediately started researching with their security vendors how to detect, deter and remediate…Sound familiar? Yeah, that’s Core Security’s line and we have products that could have helped then and can help today.

You may know that you need to penetration test your organization for the sake of compliance - but there is more to gain from a pen-test than just adhering to set regulations to avoid a fine.  We've compiled a list of reasons to pen-test your infrastructure to help your company operate out of a healthy security posture. 

WannaCry may be the latest outbreak or ransomware to hit the news, but it is not the 1st or the last. In 2016 alone, it is estimated that $1 billion dollars in cyber ransoms were paid out to cyber criminals. If this widespread attack proved anything it's that the threat is real. 

According to the Anti-Phishing Work Group, 1.2 million individual phishing attacks took place in 2016 – a 65% increase from the year before. These attacks have been mentioned across all industries and the most recent Verizon Wireless Data Breach Report states that 95% of phishing attacks that led to a breach were followed by some sort of software installation- usually malware.

Did you know that one of the top nine attack types consistently covered in Verizon’s Data Breach Report are insider threats and privileged misuse? According to this year’s report, 66% of insiders steal information in hopes of selling it for cash, 17% are just unsanctioned snooping and 15% are taking it in order to take the information to a new employer. What is the root cause of all of these problems? Access. 

It seems as if government agencies, both locally and nationally, are making headlines for mostly the wrong reasons these days. From scandals to breaches and cybersecurity this has become such a sensitive subject within the past year that these events have left most folks feeling even more on edge. As stated by Thales Data Threat Report, within the past year alone, 33% of government agencies reported that they experienced a data breach. Not to mention the ones that have remained unnoticed, for now at least.

Retail is arguably the leader in terms of the most financial transactions executed in an industry. With that in mind, the retail industry also makes up 8% of all data breaches. It may feel nerve-racking to both work and participate in such a risk dense environment. However, if you have the right security measures in place and remain aware of other’s security breaches and best practices you may be able to breathe a bit easier.