As penetration testers and security professionals we now have a myriad of tools at our disposal. It seems like every day a new product, program, or script is being released to make our jobs easier and increase our effectiveness (ok, that’s debatable :). However, with all of these tools available, how likely is it that most testers are taking the time to understand what’s going on behind the scenes? Arguably the most well-known penetration testing tool suite is Metasploit. Thanks to all the hard work from the community and Rapid7, the Metasploit Framework is an amazing resource at our disposal. I’ve heard some complaints about Metasploit lately, but in my opinion there’s still nothing quite like it available. Now, we all know that it’s bad practice to download an exploit from an untrusted website and throw it at a system without proper vetting, but it’s equally important to understand the inner workings of the tools you trust, like Metasploit.
When selecting a penetration testing company there are many factors to consider, not the least of which is the integrity and technical skill of their team. The first, and most critical, step is to decide whether or not you trust the team you’re considering. Make no mistake about it: you are inviting a third party to attempt to compromise your most critical IT assets. If you do not have the utmost trust in the team you're about to hire, stop immediately and consider alternatives. With the global increase in corporate data breaches there is also a rise in penetration testing companies. So how do you know if you can trust the team you’re hiring? If the company has been around for a while it should be as easy as asking for references. However, if they’re a relatively new company, like Gray Tier, then it’s a bit harder. Regardless, you should still ask about previous clients. You should also ask about their methodology. How do they approach their testing? What are their rules of engagement (ROE)? What is the background of the individual team members? How do they minimize risk to your assets during an engagement? These are just a few of the questions we expect our clients to ask, and likewise we should be able to provide answers to your satisfaction.
At Gray Tier, we would like to reshape how network defense strategies are thought about. Network security policies are usually an afterthought. Put up some firewalls over here, sprinkle some IDS over there, maybe a host-based monitoring system, and presto: secured! Being compliant is not the same as being secure. No longer can an organization go through this robotic thinking about network security and assume that it is good enough. Recently more companies are conducting penetration tests, either by internal teams or by external companies as a service. The issue with network penetration testing is that the assessment is only a snapshot in time of the organization's network security posture. As soon as something is changed within the network, is the previous assessment still valid? Networks are by nature complex systems-of-systems, and it’s very difficult to know whether there are second- or third-order effects to adding, removing, or changing one of those systems. Moreover, your network might be secure, but are your business partners' networks secure? What kind of trust relationships do you have with them (e.g. Target)?
The cyber prefix is used everywhere these days - cybersecurity, cybercrime, cyber-attack, cyberspace, etc. What most people may not know is that, in the security community, there seems to be a vocal opinion that “cyber” is a useless term. This is probably strange to those not in the industry and we agree, but there is a sound reason behind it.