Cyber Security Awareness and Vulnerabilities Blog

What is?

What is a Vulnerability Management Program?

Oct 4, 2017
The Equifax breach was caused by a vulnerability. The WannaCry virus exploited a vulnerability. The stories don’t seem to end, but it seems like no one is talking about how to solve this problem, which is: start a vulnerability management program. “Manage the vulnerabilities in my network? Sounds easy.” Well, not so much, but not so difficult that you shouldn’t be spending time and resources on it. This blog covers the planning and setup of vulnerability management programs.

3 Tips to Conducting Successful Web Application Tests

Oct 2, 2017
When I was six, my parents were looking for ways to get me out of the house and burn some of that energy every six-year-old child has. On top of being pretty small, I grew up in a small town, so my options for youth sports were pretty limited. However, through a series of conversations, my parents decided to get me involved in the youth wrestling program. What I didn’t understand at the time was that this was the beginning of many life lessons. In today’s blog, I want to talk about a few of those lessons and how they correlate to running web application pen tests.

Latest Improvements Shipped to Core Impact 2017 R2

Oct 1, 2017
It is our mission to continuously provide to you a comprehensive and up-to-date penetration testing tool to meet the needs of the market. Today we are recapping the 23 total updates that have been shipped to Core Impact 2017 R2 since its release on August 14th 2017. The team has been working hard to develop these improvements in order for our users to continue to experience the maximum value from Core Impact.

Holiday Season is Coming – Don’t Be a Target

Sep 27, 2017
It’s that time of year again where the air turns a bit cooler, pumpkins start popping up in your supermarket and your annoying neighbor starts posting daily “Only XX Days til Christmas” updates. Yes, it is almost holiday shopping season and if you’re lucky enough to be in retail at this time of year, this is your three-month long super bowl.
Security Compliance

The Importance of PCI Compliance

Sep 25, 2017
*As used previously in GCN.com

As governments look for more ways to reduce costs, electronic payments have become an economical method of purchase. Using credit or debit cards reduces the time it takes to receive funds, is less error-prone and makes it easier for residents to pay.
Security Tips

How to Spot and Stop Zombie Accounts in Your Network

Sep 20, 2017
Zombie accounts, also known as abandoned accounts, are user accounts left with no verifiable owner. This happens most often when someone leaves your company and their access to a certain application is never terminated. In a perfect world, the person that leaves you would never try and get back into your system for any reason. However, our world is not perfect. Instead, we have rogue players who can create or hide these accounts in your system for nefarious reasons.
Security Compliance

The Biggest Risk for Security Breaches: Humans!

Sep 18, 2017
You can have all the tools in place: firewalls, security programs, routinely updated passwords and security team members. But that still might not be enough.
Security Tips

How to Set SMART Goals With Your Red Team

Sep 11, 2017
As with most anything in life, you want to set SMART goals. Setting goals that follow this guideline (Specific, Measurable, Achievable, Relevant and Time-bound) allows you to form hypotheses and set firm parameters around your work and what potential outcomes to expect. This is no different for the Red Team whose sole purpose is to test the security measures currently in place and test how to improve or continue that in your infrastructure.
Identity & Access Management

New Release: The Most Beautiful Experience in Identity

Sep 6, 2017
Before I start, I need to come clean and tell you that I love enterprise software. Weird? Maybe. However, after working in the industry for many years and for many different companies, enterprise software is the basis for what drives business. Whether it’s your CRM, ERP or cyber security – it all starts with enterprise software.

Quick Guide to Penetration Testing

Sep 4, 2017
We're always trying to simplify how you go about pen-testing your organization. Anytime you make something too complicated, it creates unnecessary barriers to completion. Enjoy this free Guide to Penetration Testing to ensure you complete your penetration tests quickly and efficiently.

1. Project Scope

Before starting your pen-test, you need to determine your plan of attack. This will consist of what to include in the test and will spell out your goals.

Pivoting for Penetration Testing

Aug 28, 2017
I recently was watching an old episode of “Friends”. During this one particular episode, Ross was trying to move a couch into his upstairs apartment. As they were trying to carry the couch upstairs, they reached a point where they had to turn a corner. As you can imagine - the couch becomes stuck and Ross was yelling, "PIVOT!!" Since joining Core Security, anytime I hear the word ‘pivot’, I think about it in terms of how an attacker would move through a network.

Interns – Gone but not forgotten

Aug 23, 2017
Internships are becoming more and more necessary in order for college students to land a job straight out of college. In fact, over 85% of college students complete internships every year. With numbers like these, it’s quite possible that you have a few interns in your office throughout the year. We had five this summer and they were amazing – and not just for getting coffee and making copies. They were integral parts of our business. As such, they had access to several different applications based on their area of focus within the business.

How to Choose: Penetration Tester vs. Red Team

Aug 22, 2017
Don’t be misled into thinking that because you have a Penetration Tester that you have a Red Team – or that because you have a Red Team you have a Penetration Tester. While some functions may overlap, you are getting two different things when enlisting the help of each. Both provide something beneficial to your organization and the security measures in place – so let’s further investigate what you can really expect from each.

Why Hacking Your Network Is a Good Idea

Aug 14, 2017
The terms “hacking” and “hackers” often get a bad reputation. This tends to have a fairly negative connotation because of the nature these words are often used in. I’d like to think I’m not alone in envisioning some scary guy hanging out in a dark room in a black hoodie trying to break into my bank to steal my credentials or money for that matter. The way we perceive and hear “hacker” in the media has definitely misconstrued my perception of these folks.

I Dream of Full Roles Based Access Control

Aug 9, 2017
Imagine a world where the mundane parts of Identity and Access Management (IAM) are automated. We pass audits with ease. We don’t wake up in the middle of the night sweating about whether the right people have the right access. Our end users have the access they need and access reviews are completed on time. All while maintaining a high level of security posture for our organization.

Protecting Your Organization From Phishing Schemes: Tips From the FBI

Aug 7, 2017
It’s not just the bad actors that we at Core Security want to protect you from – we also want to protect you from yourself. It’s all hands on deck when it comes to securing your systems and the systems you interact with on a daily basis.
IT Security

Healthcare’s Unique Cyber Security Challenges

Aug 2, 2017
It’s no secret that healthcare organizations are constantly in the crosshairs of cyber criminals. One of the reasons healthcare records are 30 times more valuable than financial records is because they contain full identity profiles – including your social security number which is the gateway to acquiring any and all of your personal information.

Benefits of Core Impact

Jul 31, 2017
It's true - we've had a lot of updates and releases for Core Impact over the past month. From the New Named User Pricing to the continued improvements being shipped to Core Impact and just this past week the new release of Core Impact 2017 R2 - there's been a lot happening. But trust that the product is still the most comprehensive solution for assessing and testing security vulnerabilities within your organization. Today we're going through some of the benefits you can find when using this tool.

Are you prepared for DFARS?

Jul 26, 2017
For several years the Department of Defense (DoD) has been focused on protecting controlled and unclassified information. Seven years ago, around November 2010, the White House issued Executive Order 13556 that established an open and consistent program across all civilian and defense agencies for managing information. The issue this Executive Order was trying to rectify was that departments/agencies had ad hoc measures for safeguarding controlled and unclassified information.

New Release - Core Impact 2017 R2

Jul 24, 2017
After months of hard work by our outstanding team, I am pleased to announce the release of Core Impact 2017 R2 – the comprehensive software solution for identifying, assessing and testing security vulnerabilities that attackers will exploit. With Core Impact you are able to identify the most pressing cyber risks to your organization by using this tool that enables you to think, and act, like an attacker. Penetration Testers and Red Teamers can safely imitate real attacks within their own networks.

How to Build a Red Team

Jul 17, 2017
From phishing scams to ransomware, cyber-attacks are growing every day. But something else is growing too – the number of Red Teams being built by organizations just like yours. But is a Red Team right for you?

Red Teams

SANS defines a Red Team as “a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access.”

3 Questions to Ask About Vulnerability Management

Jul 5, 2017
Vulnerability management is becoming a standard industry practice and, as such, is included in most regulatory compliance rules as a quick and easy path to threat remediation. However, the reality is that most companies are not actually managing vulnerabilities, but rather conducting scans that produce thousands of potential threats. Identifying possible security risks and actually managing them through to remediation are completely different things.

Petya - What Really Happened

Jun 29, 2017
There has been a lot of information shared this week around the Petya “ransomware” virus. I put this in quotes because, just as with most attacks, once you dive in and get more information you find out that everything is not as it seems.

Petya Ransomware Attack: Here We Go Again

Jun 28, 2017
For the second time in as many months, organizations around the world are feeling the effects of a ransomware attack. No doubt, you heard about the WannaCry virus that spread rapidly, worldwide last month demanding bitcoin ransom for company data. This time, the virus is called “Petya” but there are many similarities, and one important difference, compared to WannaCry. 

Before You Download: Penetration Testing Your Applications

Jun 26, 2017
Each day we are being inundated with information. This could be in the form of ads, articles or a new tool to use that will surely make our lives easier. While these applications could be very useful to the organization, they could also be the cause of breaches or the unlawful capture of your personal or business information. But there’s a way to ensure the programs you are downloading to your devices are secure – at least for now.