
Gray Tier work getting noticed

A small team that includes Gray Tier researchers received recognition on Dec 8 in the form of CVEs for their work on the Up.Time Agent software.

Choosing a Penetration Testing Company

When selecting a penetration testing company there are many factors to consider, not the least of which is the integrity and technical skill of their team. The first, and most critical, step is to decide whether or not you trust the team you're considering. Make no mistake about it: you are inviting a third party to attempt to compromise your most critical IT assets. If you do not have the utmost trust in the team you're about to hire, stop immediately and consider alternatives. With the global increase in corporate data breaches there is also a rise in penetration testing companies. So how do you know if you can trust the team you're hiring? If the company has been around for a while it should be as easy as asking for references. However, if they're a relatively new company, like Gray Tier, then it's a bit harder. Regardless, you should still ask about previous clients. You should also ask about their methodology: How do they approach their testing? What are their rules of engagement (ROE)? What is the background of the individual team members? How do they minimize risk to your assets during an engagement? These are just a few of the questions we expect our clients to ask, and likewise we should be able to provide answers to your satisfaction.

Rethink Security

At Gray Tier, we would like to reshape how network defense strategies are thought about. Network security policies are usually an afterthought. Put up some firewalls over here, sprinkle some IDS over there, maybe a host-based monitoring system, and presto: secured! Being compliant is not the same as being secure. No longer can an organization go through this robotic thinking about network security and assume that it is good enough. Recently more companies are conducting penetration tests, either by internal teams or by external companies as a service. The issue with network penetration testing is that the assessment is only a snapshot in time of the organization's network security posture. As soon as something is changed within the network, is the previous assessment still valid? Networks are by nature complex systems-of-systems, and it's very difficult to know whether there are second- or third-order effects to adding, removing, or changing one of those systems. Moreover, your network might be secure, but are your business partners' networks secure? What kind of trust relationships do you have with them (e.g. Target)?

Gray Tier Technologies at DEFCON23

Co-Founder Rich Kelley gives his talk, Harness: Powershell Weaponization Made Easy (or at least easier), to a packed house of 2500+ in attendance.