Podcasts about penetration test

  • 45 podcasts
  • 88 episodes
  • 24m average duration
  • 1 episode every other week
  • Latest: Dec 2, 2024

Latest podcast episodes about penetration test

SecurityMetrics Podcast
New to PCI Compliance? Get the Support You Need | SecurityMetrics Podcast 106

Dec 2, 2024 | 44:21

Learn more about cyber risks for small businesses: Are you a small-medium business owner? Did you just get a message from your bank telling you to call SecurityMetrics? Are you worried about having a bad experience? Do you know what PCI even means? This episode is for you.

Learn how SecurityMetrics can help you navigate this regulatory landscape. We'll discuss:

  • Why your processor is making you do PCI compliance: Did you know that nearly half of all cyberattacks target small businesses?
  • What calling into SecurityMetrics looks like. Learn what information you need handy so you can get your compliance done as quickly as possible, and the questions you should ask to get the best service.
  • Support Stories: Discover how other small businesses have successfully leveraged SecurityMetrics to achieve compliance.
  • Tips and Tricks: Get practical advice on how to optimize your PCI compliance efforts and minimize risks, keeping your business and your customers more secure.

Whether you're just starting your PCI compliance journey or looking to improve your existing processes, this video will provide valuable insights and actionable advice.

  • Request a Quote for a PCI Audit ► https://www.securitymetrics.com/pci-audit
  • Request a Quote for a Penetration Test ► https://www.securitymetrics.com/penetration-testing
  • Get the Guide to PCI DSS compliance ► https://www.securitymetrics.com/lp/pci/pci-guide
  • Get FREE security and compliance training ► https://academy.securitymetrics.com/
  • Get in touch with SecurityMetrics' Sales Team ► https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

DesignSafe Radio
Improving the Cone Penetration Test Featuring Diane Moug.

Nov 14, 2024 | 11:00

The cone penetration test (CPT) is a standard tool for geotechnical engineers; it's used for measuring soil shear strength, stress history and type. Leveraging her NSF CAREER award, Portland State U researcher Diane Moug plans to improve the CPT, so engineers can make better interpretations of CPT data. Moug will employ NHERI at UC Davis centrifuges, numerical modeling, and lab experimentation.

The Cyber Threat Perspective
Episode 114: Making Penetration Test Results Actionable

Nov 13, 2024 | 38:07

In this episode, we discuss the challenge of translating penetration test findings into practical and effective security improvements, and we delve into the three major bottlenecks to improving security and give recommendations for overcoming them.

  • Blog: https://offsec.blog/
  • Youtube: https://www.youtube.com/@cyberthreatpov
  • Twitter: https://twitter.com/cyberthreatpov
  • Work with Us: https://securit360.com

SecurityMetrics Podcast
Are You Prepared for the E-commerce Security Storm?: A Buyer's Guide to Picking a Solution for 11.6.1 and 6.4.3

Oct 23, 2024 | 84:59

Join us on this extra long episode as SecurityMetrics experts Jen Stone, Gary Glover, Aaron Willis and Chad Horton dive deep into the evolving landscape of PCI compliance for e-commerce businesses. With the deadline for PCI 4.0 rapidly approaching, understanding the new requirements for e-commerce is crucial.

In this episode, our panelists discuss:

  • Understanding PCI 4.0 for e-commerce: Learn about the key changes and their implications for your business, especially if you're a small or medium-sized enterprise.
  • Combatting e-commerce skimmers: Discover how attackers target online transactions and the measures you can take to protect your customers' data.
  • The power of script analysis: Understand how script scanning can help identify and mitigate vulnerabilities on your e-commerce website.
  • Securing dynamic content: Explore the challenges of protecting websites with constantly changing content.
  • Choosing the right security solution: Weigh the pros and cons of agent-based and agentless solutions, considering the specific needs of your business.

Whether you're a seasoned PCI professional or just starting your compliance journey, this episode provides valuable insights to help you safeguard your e-commerce business and protect your customers' sensitive information.

SecurityMetrics Podcast
Cybersecurity for Families: A Parent-Child Guide to Online Safety | SecurityMetrics Podcast 104

Sep 25, 2024 | 27:27

Download the guide: https://www.cisecurity.org/insights/white-papers/from-both-sides-a-parental-guide-to-protecting-your-childs-online-activity

Are you a parent looking for guidance on how to keep kids safe online? Join us for a candid conversation with Sean Atkinson, CISO at the Center for Internet Security, and his daughter, Emma, as they discuss their journey of creating a guide designed to help families have conversations about online safety.

In this episode, you'll learn:

  • Why open communication is key: Discover how Sean and Emma fostered an environment of trust and understanding about online safety.
  • Common online dangers: Understand the risks your child may face, such as sharing personal information, cyberbullying, and meeting strangers online.
  • Practical tips for parents: Get actionable advice on how to set boundaries, have difficult conversations, and create a safe online space for your child.

Whether you're a new parent or a seasoned digital native, this podcast will help you start conversations and find resources to help you protect your child in the ever-evolving online world.

SecurityMetrics Podcast
Building a Resilient Healthcare System: A Cybersecurity Blueprint | SecurityMetrics Podcast Ep 103

Sep 12, 2024 | 38:29

Links from the episode: https://405d.hhs.gov/

Discover the latest trends and threats in healthcare cybersecurity. This episode explores the real-world impact of cyberattacks on patient care, the vulnerabilities of medical devices, and the strategies organizations can implement to protect their sensitive data.

SecurityMetrics Podcast
Which SAQ type is right for my business? | SecurityMetrics Podcast Ep 102

Aug 29, 2024 | 32:02

Confused about PCI DSS compliance standards? This video breaks down each available SAQ type, including: SAQ-A, SAQ P2PE-HW, SAQ D for Service Providers, and the newly introduced SAQ SPoC for PCI DSS 4.0. Learn which one is right for your business based on your payment processing environment.

Learn about:

  • Different SAQ types for merchants
  • Eligibility criteria for each SAQ type
  • Factors to consider when choosing a SAQ type
  • Simplifying your PCI compliance

Listen now to learn what your business can do to protect itself from data breaches and be compliant.

https://www.youtube.com/watch?v=XoR0Tt8uHl4

SecurityMetrics Podcast
Farm to… DevOps?: How anyone can grow into a tech career | SecurityMetrics Podcast Ep 101

Aug 14, 2024 | 36:08

Join Jen Stone as she chats with DevOps engineer and Day Two DevOps podcaster Kyler Middleton about her unique journey from a rural upbringing to becoming a DevOps expert. Discover how Kyler's passion for teaching led her to a career in technology, and learn about the importance of automation and documentation in building secure and efficient cloud environments.

This episode dives deep into DevOps practices, the role of Terraform, Azure vs AWS, and the challenges organizations face when adopting cloud technologies. Kyler shares valuable insights on overcoming common hurdles, fostering a blameless culture, and the future of DevOps. Don't miss this engaging conversation!

Hosted by Jen Stone, Principal Security Analyst (MCIS, CISSP, CISA, QSA).

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

SecurityMetrics Podcast
Luxury Getaways, Looming Threats: Cybersecurity in the Caribbean Hospitality Industry | SecurityMetrics Podcast Ep 100

Jul 17, 2024 | 31:45

Worried about hotel hacking? This episode unveils the cybersecurity protocols of resorts like Atlantis. Dive deep into the unique challenges of cybersecurity in hospitality, from balancing guest convenience with ironclad defenses to training a diverse workforce.

Tsega Thompson, Executive Director of Cybersecurity and Data Privacy at Atlantis Resorts, shares her insights on:

  • Getting into Cybersecurity
  • Special Challenges of Cyber in the Hotel Industry
  • Training your workforce effectively

This is your essential guide to cybersecurity in the hospitality industry, packed with valuable tips for travelers and hospitality professionals alike.

Hosted by Jen Stone, Principal Security Analyst (MCIS, CISSP, CISA, QSA).

SecurityMetrics Podcast
Getting more from Your Penetration Test: Stop Checking Boxes | SecurityMetrics Podcast Ep 99

Jul 3, 2024 | 44:59

Is your penetration testing just a compliance formality? This episode of the SecurityMetrics Podcast redefines pen testing as a strategic partnership, empowering you to get the most out of your assessments.

Join Jen Stone and James Farnsworth as they discuss:

  • The critical role of scoping: Learn how to align business needs with technical assessments for a truly impactful pen test.
  • The difference between a vulnerability scan and a penetration test
  • Unlocking report potential: Discover how to leverage pen testing reports for maximum security benefit.
  • Tips for fostering a successful collaboration with your pen testing service.

Stop seeing penetration testing as a checkbox exercise and transform it into a powerful tool for boosting your organization's security posture.

Bonus Resources:

  • PenTest FAQs: https://www.youtube.com/watch?v=EECUTDMn43U
  • James' Previous Episode: Hacking Your Career: How to Become a Penetration Tester | SecurityMetrics Podcast 95

Hosted by Jen Stone, Principal Security Analyst (MCIS, CISSP, CISA, QSA).

The Bid Picture - Cybersecurity & Intelligence Analysis
Overwatch Diaries #33. A Penetration Test in St. Pete, Florida.

Jan 28, 2024 | 5:21

In this episode, host Bidemi Ologunde discussed a September 2023 penetration test in St. Petersburg, Florida.

The Cyber Threat Perspective
Episode 62: What Makes a Great Penetration Test Report?

Oct 11, 2023 | 28:13

In this episode we discuss what makes a great penetration test report. The report is THE crucial deliverable of a penetration test. It's the culmination of all the effort that went into testing. It not only provides insights into an organization's security posture but also serves as a roadmap for addressing vulnerabilities and improving overall security.

Hacking Humans
Encore: penetration test (noun) [Word Notes]

Sep 26, 2023 | 4:08


The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.

Word Notes
Encore: penetration test (noun)

Sep 26, 2023 | 4:08

The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.

Chill Chill Security
EP1514: Chill Chill Security - Cloud Penetration Test#2

Sep 22, 2023 | 7:12

Sponsored by SEC Playground. Support this podcast: https://podcasters.spotify.com/pod/show/chillchillsecurity/support

Chill Chill Security
EP1513: Chill Chill Security - Cloud Penetration Test#1

Sep 21, 2023 | 10:39

Sponsored by SEC Playground. Support this podcast: https://podcasters.spotify.com/pod/show/chillchillsecurity/support

Informationssicherheit einfach verstehen - Cyber Security und Sicherheit im digitalen Raum
What is a penetration test and how do I use it sensibly? | 18

Aug 30, 2023 | 15:14

Is your system safe from outside intruders? How can you even test whether your own system is secure? That is exactly today's topic: so-called penetration tests. In today's episode you will learn which different kinds of penetration tests are available to put your system to the test before a real incident. From white-box penetration tests through white, blue and purple teams to network and social engineering penetration tests: today's episode is full of concepts you should know in this context. I cover which kind of test makes sense in which cases. I also explain what you need to keep in mind if you want to run a penetration test. Should you hire an external service provider? What about the legal side? What belongs in the record? And how do you derive practical steps from the test results? You will learn all of this in this episode. Stay tuned, because this is part 1 of a 4-part series.

LINKS: [My website](https://www.paul-stengel.de) [Contact me on LinkedIn](https://www.linkedin.com/in/paul-g-stengel-771947216/)

LIKE WHAT YOU HEAR? Then please leave me a 5-star rating on Apple Podcasts, write a review and subscribe to the podcast. Thank you for your support! Rate and subscribe here on Apple Podcasts: https://podcasts.apple.com/de/podcast/informationssicherheit-einfach-verstehen-cyber-security/id1694694337

This podcast is produced by Podcastliebe, your full-service podcast agency. More: https://podcastliebe.net

Cloud Security Podcast
Google Cloud Security Pentesting Methodology

Aug 24, 2023 | 37:11

A penetration test of a web application hosted on Google Cloud in 2023 is quite different from a simple, traditional web app pentest. Cloud penetration testing is misunderstood to be just a config review in Google Cloud. In this video, we have Kat Traxler, who is a cloud security researcher and SANS course author and has worked in the Google Cloud space, even building open source tools that can be used to perform cloud security testing.

Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Kat Traxler (Kat Traxler's Linkedin)
Podcast Twitter: @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:

  • Cloud Security Newsletter
  • Cloud Security BootCamp

Spotify TimeStamp for Interview Question

  • (00:00) Introduction
  • (04:17) A bit about Kat Traxler
  • (05:56) Pentesting in GCP vs AWS
  • (08:07) Config review vs cloud pentesting
  • (09:24) Cloud pentest vs Traditional Pentest
  • (10:28) Starting to do GCP pentesting
  • (12:35) Common services used in GCP
  • (14:10) Low hanging fruits in GCP
  • (15:25) What are default service accounts?
  • (17:52) You may already have google cloud
  • (20:00) How to persist access in Google Cloud?
  • (21:56) Shared responsibility in GCP
  • (24:01) Common TTPs in GCP
  • (28:05) Is there SSRF in GCP?
  • (30:19) Open source tools for cloud pentest
  • (33:59) Fun questions

Resources that Kat shared during the episode: The Google Cloud Adoption Framework Google Cloud Org Policy Bot GCAT Threat Horizons Report Pacu Microburst DeRF Stratus

See you at the next episode!

The Cyber Threat Perspective
Episode 52: How to Prepare for an External Penetration Test

Aug 2, 2023 | 21:32

In this episode Spencer and Tyler discuss the most important things you must do before you have an external penetration test. Everything from understanding goals and objectives to asset management to dark web searches. Listen in as Tyler shares how the SecurIT360 external pentest process may be different from other pentests you've received in the past.

Relating to DevSecOps
Episode #060: Precise Angles for Automation in DevSecOps Adventures

Jun 22, 2023 | 56:48

In this captivating episode of R2DSO, hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning, and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering listeners to harness the true power of secure automation. Join this engaging conversation tailored for technical application security enthusiasts and discover the keys to unlock a new era of efficiency and effectiveness.

Intervista Pythonista
Ep 39 Cyber-secure code: penetration tests and vulnerability hunting

Jun 16, 2023 | 35:57

How do you write secure code? How do you find vulnerabilities? How do you become a Cybersecurity Engineer? We meet Paolo Perego, Cybersecurity Engineer at SUSE.

Resources:

  • Paolo's blog: https://codiceinsicuro.it/
  • Paolo's YouTube channel: https://www.youtube.com/c/PaoloPerego
  • OWASP: https://owasp.org/

The Cyber Threat Perspective
Episode 36: Pentest vs Purple Team vs Red Team

Apr 12, 2023 | 35:32

In this episode Brad and Spencer discuss the differences between a Penetration Test, Purple Team Exercise and a Red Team Engagement. The goal of this episode is to help educate and inform on the differences between a pentest, a purple team and a red team, what the goals of each may be, and how they help an organization improve security and resilience.

Cyber Rants - The Refreshingly Real Cybersecurity Podcast
Episode #94 - Web Application Penetration Testing 101

Mar 20, 2023 | 48:31

Web applications, like most everything in cyberspace, can be prone to vulnerabilities. If (or when) vulnerabilities within the applications that you use on a daily basis get exposed to a hacker or cybercriminal, it could be very bad news and dangerous to you and your organization. This week, the guys talk about how they handle Web Application Penetration Testing and go through a deep dive on how you can prepare for your Penetration Test, should the time come!

Pick up your copy of Cyber Rants on Amazon. Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com. Be sure to rate the podcast, leave us a review, and subscribe!

Talking Cyber Security
Episode 3: Ep3 - Lessons learnt from a "Red Team-Blue Team" Penetration Test

Mar 5, 2023 | 22:50


Episode 3 of The Australian CISO continues on from the previous episode that described a surprise "Red Team-Blue Team" penetration test. This episode walks through the "attack" and highlights the low cost, highly effective controls that every organisation could benefit from. This episode is a must if you want to strengthen your environment.

Talking Cyber Security
Episode 2: Ep2 - The Surprise Penetration Test...be careful what you wish for!

Feb 26, 2023 | 13:03

This episode delves into the world of the surprise penetration test. Is it a good approach or is it better to let everyone know that you are about to conduct a penetration test? i.e. if no-one knows about it, then the "attack" will be handled as it should. That is unexpected and using all the people, processes and technology that one would expect when an attack occurs...a good test of the organization's ability to respond and recover.

Does the surprise attack pose problems though? What can go wrong?

Listen to this episode where someone's decision to conduct a surprise penetration test had deep consequences.

Nexsys - Innovazione e Formazione
Penetration test: case study Enterprise OSS

Jan 26, 2023 | 21:56

A case study among Enterprise OSS members, a case of virtuous collaboration. We describe the handling of a specific vulnerability assessment from an IT security perspective, carried out to meet the internal security needs of the systems and in response to the requirements of the ISO certification standard. A project that allowed the parties involved to learn the AS-IS state of their IT infrastructure and information systems, with the advantage of then being able to develop a process for securing the critical areas that emerged.

The goal? To prevent and respond actively and proactively in the event of a cyberattack or suspected cyberattack, to ensure production and operational continuity.

Application Security PodCast
Robyn Lundin -- Planning & organizing a penetration test as an AppSec team

Jan 10, 2023 | 29:23

Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack. Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with Robyn Lundin.

Visit our website: https://www.securityjourney.com/resources/application-security-podcast

FOLLOW OUR SOCIAL MEDIA:

  • Twitter: @AppSecPodcast
  • LinkedIn: The Application Security Podcast
  • YouTube: https://www.youtube.com/channel/UCfrTGqjSsFCQW4k6TueuY-A

Thanks for Listening!

The Application Security Podcast is brought to you by Security Journey. Security Journey delivers secure coding training to development teams and those who support them. They help enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC.

TRY OUR TRAINING ➜ https://info.securityjourney.com/try-our-training

Cybersecurity and Compliance with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
How To Choose A Cybersecurity Provider, Penetration Test Pricing, Zero Trust and The Latest Tips On FTX Crypto Exchange Hack

Dec 1, 2022 | 30:27

How To Choose A Cybersecurity Provider. Learn tips on what to ask for and what to look for. Penetration Tests vs. Vulnerability Scans, Pricing, Zero Trust Technology and The Latest Takeaways from the recent FTX Crypto Exchange Hack.

Please like, subscribe and visit all of our properties at:

  • YouTube: https://www.youtube.com/channel/UC8Hgyv0SzIqLfKqQ03ch0Bg
  • YouTube: https://www.youtube.com/channel/UCa9l3tgOOHMJ6dClNn8BiqQ
  • Podcasts: https://petronellatech.com/podcasts/
  • Website: https://compliancearmor.com
  • Website: https://blockchainsecurity.com
  • LinkedIn: https://www.linkedin.com/in/cybersecurity-compliance/

Visit https://ComplianceArmor.com for the latest in Cybersecurity and Training.

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Please be sure to Call 877-468-2721 or visit https://petronellatech.com

RadioAchab: l’IT per te.
Security according to Giancarlo - The danger of glasses during video conferences and the other news from September

Oct 14, 2022 | 38:57

OT under attack, vulnerabilities increasingly a source of trouble, the importance of the penetration test, MFA fatigue, the passwordless approach, glasses and video conferences, and the decryptor for LockerGoga. We discuss these with Giancarlo Calzetta, security enthusiast, and Andrea Veca, CEO of Achab, for the column “La sicurezza secondo Giancarlo” (Security according to Giancarlo). All the details are on the RadioAchab website.

The Cyber Threat Perspective
Episode 6: 5 Ways to Get More Value out of your External Penetration Test

Sep 7, 2022 | 23:39

Are you sure you're getting what you paid for when it comes to external penetration tests? In this podcast Brad and Spencer discuss 5 things that you as a consumer of penetration tests can do to get more value from them. Some of these are easy wins, some of them require work, all of them will make your external pentests better.

  • Blog: https://offsec.blog/
  • Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfw
  • Twitter: https://twitter.com/cyberthreatpov
  • Work with Us: https://securit360.com

CISO Tradecraft
#90 - A CISO's Guide to Pentesting

CISO Tradecraft

Play Episode Listen Later Aug 8, 2022 16:00


A CISO's Guide to Pentesting

References
https://en.wikipedia.org/wiki/Penetration_test
https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
https://pentest-standard.readthedocs.io/en/latest/
https://www.isecom.org/OSSTMM.3.pdf
https://s2.security/the-mage-platform/
https://bishopfox.com/platform
https://www.pentera.io/
https://www.youtube.com/watch?v=g3yROAs-oAc

****************************

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand.
• What is it?
• Where are good places to order it?
• What should I look for in a penetration testing provider?
• What does a penetration testing provider need to provide?
• What's changing on this going forward?

First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?

Now let's start with providing a definition of a penetration test. According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system. It's really designed to show weaknesses in a system that can be exploited. Let's think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There's really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. Usually, they will cost between $10,000-$30,000 but if you have a complex system, it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Applications or SOX applications once per year.

My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies."

Please do not confuse a penetration test with a Red Team exercise. A red team exercise just wants to accomplish an objective like steal data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It's a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a “good enough” standard of risk, and that is called “acceptable risk.” So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate.

Let's take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is do you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is something of a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or SOC 2 Type 2 Report and both of those standards require, you guessed it, a penetration test. In this case your company would be expected to document a pentest performed by an external provider. Now if your company has a website that is selling direct to a consumer, then chances are you don't have the same level of requirement for an external pentest. So, you may be able to just perform an internal penetration test performed by your company's employees.

I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly known as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pen tester's job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort. Think of a pentest as a final exam if you will. Otherwise, it's an expensive way to populate your security to-do list.

OK let's say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor. Remember this, a penetration test is only as good as the conductor of the penetration test. Cyber is a very unregulated industry which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a Medical Doctor or Physician. This is usually someone who has a degree such as a MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this to the cyber security industry. There is no requirement for a degree to practice Cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant Cyber certifications to demonstrate competency to perform a Penetration Test. There are a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAPT, and the Offensive Security Certified Professional or OSCP.

We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it's a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company.

Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. Companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (The Big 4 1/2). This is expensive but it's easy to get them approved since most large companies already have contracts with at least one of these companies. The second type of company that we see are large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec, focus largely on penetration testing and don't extend into other areas like financial auditing. They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies. Note they are often highly acclaimed so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find so you have to find a relevant vendor. Remember if someone can pass the OSCP it means they know how to test and usually have a background in Web Application Penetration testing. Attacking a Web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting. This is a very different set of skills from someone who can hack a Vehicle Controller Area Network (CAN) bus or John Deere Tractor that requires reverse engineering and C++ coding.

Once you pick your vendor and successfully negotiate a master license agreement be sure to check that you are continuing to get the talent you expect. It's common for the first penetration test to have skilled testers but over time to have a vendor replace staff with cheaper labor who might not have the OSCP or same level of experience that you expect. Don't let this happen to your company and review the labor and contract requirements in a recurring fashion.

Alright, let's imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google. Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines and we have attached a link to it in our show notes. It's a great read so please take a look. Now Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment. Usually, penetration testers will follow an industry recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, The Penetration Testing Execution Standard, or the OSSTMM which stands for The Open Source Security Testing Methodology Manual. These assessment methodologies can be used to show that extensive evaluation was done, and a multitude of steps/attacks were carried out. They can also standardize the documentation of findings. Here you will want a list showing risk severity level, impact from a business/technical perspective, clear concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding. This will allow you to build a quality penetration test that you can reuse in an organization to improve your understanding of technical risks.

If I can get good penetration tests today, perhaps we should think about how penetration testing is changing in the future? The answer is automation. Now we have had automated vulnerability management tools for decades. But please don't think that running a Dynamic Application Security Testing Tool or DAST such as Web Inspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional which is quite different from a 30-minute scan. As a cyber industry we are starting to see innovative Penetration Testing companies build out Continuous and Automated Penetration Testing tooling. Examples of this include Bishop Fox's Cosmos, Pentera's Automated Security Validation Platform, and Stage 2 Security Voodoo and Mage tooling. Each of these companies is producing some really interesting tools and we think they will be a strong complement to penetration tests performed by actual teams. This means that companies can perform more tests on more applications. The other major advantage with these tools is repeatability. Usually, a penetration test is a point in time assessment. For example, once a year you schedule a penetration test on your application. That means if a month later you make changes, updates, or patches to your application then there can easily be new vulnerabilities introduced which were never assessed by your penetration test. So having a continuous solution to identify common vulnerabilities is important because you always want to find your vulnerabilities first before bad actors.

Here's one final tip. Don't rely on a single penetration testing company. Remember we discussed that a penetration testing company is only as good as the tester and the toolbox. So, try changing out the company who tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hills Information Security where each company performs a number of penetration tests for your company each year. You can alternate which company scans which application. Therefore, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024. Every penetration tester looks for something different and they will bring different skills to the test. If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings which allows you to remediate and lower risk. It allows you to know if a penetration testing vendor's pricing is out of the norm. You can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices. And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report.

Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey. As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe.

VanRein Compliance Podcast
Why a Penetration Test is critical to your business with James Kashevos

VanRein Compliance Podcast

Jul 6, 2022 23:30


Welcome to The VanRein Compliance Podcast: the Podcast that will secure your business with a clear plan to reduce your risk. This week our hosts Dawn and Rob Van Buskirk discuss Penetration Tests with our own Pen Tester James Kashevos, Owner of Tetsu Enterprises. In this week's episode we unpack the following topics:
• What is a Penetration Test and why do you need one
• Will discuss the negative side effects of a Penetration Test
• What are the risks to your business if you do not complete a Penetration Test
• What types of risks does James find when performing a Pen Test
You can contact James at Testsu.Tech to learn more about his services. As always you can reach out to the VanRein Team to schedule a Discovery Call with one of our compliance guides. Every week The VanRein Compliance Podcast will help you simplify compliance, secure your business, and reduce your risk all while having some fun. Thanks for joining us! Thank You for Listening to the VRC Podcast!

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

TA578 Using Thread-Hijacked Emails to Push ISO Files for Bumblebee Malware https://isc.sans.edu/forums/diary/TA578+using+threadhijacked+emails+to+push+ISO+files+for+Bumblebee+malware/28636/
Google Drive Emerges as Top App for Malware Downloads https://www.helpnetsecurity.com/2022/05/11/malicious-pdf-search-engines/
Vanity URL Abuse https://www.varonis.com/blog/url-spoofing
npm Supply Chain Attack Turns Out to be Part of Penetration Test https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/

Cyber Security Today
Cyber Security Today, April 20, 2022 - A record year for zero-day bugs, how often do you test backups, and the world's biggest penetration test returns

Cyber Security Today

Apr 20, 2022 6:31


This episode reports on zero-day bugs, testing data recovery procedures, the return of the world's biggest penetration test, and vulnerabilities found in Lenovo laptops.

The Cybrary Podcast
401 Access Denied Ep. 52 | Hacking the Penetration Test with FC (aka Freaky Clown)

The Cybrary Podcast

Apr 20, 2022 47:32


In a world where cybersecurity is no longer just an IT issue, it is more important than ever to assess the human, technical, and physical security aspects of any organization. Bringing responsible awareness to this triad, FC (aka Freaky Clown) and his team at Cygenta are reimagining the role of penetration testing in fostering sustainable cyber resilience. Hear the tricks that FC has learned on the job while (ethically!) robbing banks to identify physical security weaknesses, enhancing the comprehensive value of pen tests, and developing cybersecurity training exercises for people of all ages. Learn more about FC's company, Cygenta.

RadioAchab: l’IT per te.
SpuntIT - Penetration Test, Vulnerability Assessment and GDPR

RadioAchab: l’IT per te.

Apr 15, 2022 51:39


GDPR is still seen as a tedious bureaucratic complication. But it can also be seen as a prompt to rethink business processes, becoming a great opportunity to improve your business. We discuss it with Alberto Bonato, partner and director of Infol, and Andrea Veca, CEO of Achab, for the “SpuntIT” segment. Full details on the RadioAchab website.

DevPro
#115 How to land your first job in the SECURITY FIELD? | With Carlos Crowsec - Podcast DevPro

DevPro

Mar 3, 2022 78:11


VanRein Compliance Podcast
Why you need to have a Penetration Test to secure your business

VanRein Compliance Podcast

Nov 9, 2021 23:30


Welcome to The VanRein Compliance Podcast: the Podcast that will secure your business with a clear plan to reduce your risk. This week our hosts Dawn and Rob Van Buskirk discuss Penetration Tests with our own Pen Tester James Kashevos, Owner of Tetsu Enterprises. In this week's episode we unpack the following topics:
• What is a Penetration Test and why do you need one
• Will discuss the negative side effects of a Penetration Test
• What are the risks to your business if you do not complete a Penetration Test
• What types of risks does James find when performing a Pen Test
You can contact James at Testsu.Tech to learn more about his services. As always you can reach out to the VanRein Team to schedule a Discovery Call with one of our compliance guides. Every week The VanRein Compliance Podcast will help you simplify compliance, secure your business, and reduce your risk all while having some fun. Thanks for joining us! Thank You for Listening to the VRC Podcast!

404: Cybersecurity Not Found
404: Ep.25 - The one with John Strand

404: Cybersecurity Not Found

Jun 11, 2021 49:35


John Strand is the owner of Black Hills Information Security, and he has over 2 decades of experience in cybersecurity. In this podcast, David and Brad from Samurai interview John and share stories and anecdotes about their dealings with organisations across all verticals over the years. When you start planning against a hack, you need to make sure that you can identify your risks. When you strip down risk to its core, it boils down to threats and vulnerabilities. Don't be blinded by one aspect of the danger and assume that the same threat will be repeated. An attacker will never follow just one type of methodology. The threat actors will use any technique at their disposal! Listen further to find out what the best approach is to start protecting your organisation.

Optrics Insider
Optrics Insider - Ransomware Headlines, White House Ransomware Memo & Amazon Launches Sidewalk

Optrics Insider

Jun 8, 2021 23:13


Join Scott Young and Shaun Sturby from Optrics Engineering as they discuss the large number of organizations in the headlines who have been hit by ransomware, the White House's recent memo to private organizations on what they can do to prevent being a victim of a ransomware attack, as well as today's launch of Amazon's Sidewalk wireless mesh service. For more IT tips go to: www.OptricsInsider.com

Timecodes:
0:00 - Intro
0:18 - Today's 3 topics
0:37 - Topic 1: Ransomware Headlines
2:10 - Topic 2: White House Ransomware Memo
11:39 - Topic 3: Amazon Launches Sidewalk
22:09 - Closing remarks

Ransomware headlines:
• FBI Statement on JBS Cyberattack
• NY & Mass. Transportation Providers Targeted in Recent Attacks
• Unauthorized access to Fujifilm servers
• Sturdy Memorial Hospital - Notice of Data Security Incident

White House Memo: Advice to Private Sector on Protection from Ransomware:
• Memo: What We Urge You to Do to Protect Against the Threat of Ransomware [PDF Download]
• Cybersecurity & Infrastructure Security Agency: Ransomware Guidance and Resources

Good Security Habits:
• Cybersecurity & Infrastructure Security Agency: Security Tip (ST04-003)

Security Awareness Training Options to Train Your Staff on What Not to Click:
• [KnowBe4] - www.Optrics.com/KnowBe4
• [Curricula] - www.Optrics.com/partners/Curricula

How to Stay Safe Against Phishing Attacks & Social Engineering with Mike Brill from KnowBe4:
• www.YouTube.com/watch?v=kRM9rd_zj9o

Learn More About How to Test the Security of Your Network with a Penetration Test:
• www.Optrics.com/partners/Foresite

Amazon Sidewalk is Going Live Next Week:
• How to disable Amazon Sidewalk (and why you should do it)
• How Amazon Sidewalk Works—and Why You May Want to Turn It Off
• Amazon Sidewalk goes live tomorrow, here's why you shouldn't be scared

404: Cybersecurity Not Found
404: Ep.24 - What is Red, Blue & Purple Testing

404: Cybersecurity Not Found

May 28, 2021 26:00


The red team instigates the trouble when it comes to penetration testing. Red teaming is quite aggressive - a nuclear version of a pen test if you will. The red team goes the whole hog, and all vulnerabilities are exposed. Blue teaming is more defensive, and it is all about evaluating the detection/prevention tools you have put in place to protect yourself against an attack. Purple teaming is a joint red and blue test. Brad Thomas probes Dr. David Day to give us the scoop on red, blue, and purple teaming in this podcast. Listen in.

404: Cybersecurity Not Found
404: Ep.21 - Tales from the Crypt

404: Cybersecurity Not Found

Apr 22, 2021 31:28


When you do not remain secure online, you put everyone in your organisation at risk! Cybersecurity should not be about 'box-ticking'. You can get the certification, but compliance does not equal security. And we can run all the penetration tests and cybersecurity reviews, but it is vital to implement the advice that follows. Unfortunately, we have had a few instances where clients would simply ignore our findings, or they were seeking findings to support their decisions. Listen to how Dr. David Day digs deep into his treasure trove of experiences and shares a few gripping stories with Brad Thomas on what happens when Samurai's advice is ignored. All shared anonymously, of course!

MSP 1337
Vulnerability Assessment or Penetration Test?

MSP 1337

Mar 30, 2021 31:50


Whether you are required to adhere to regulatory compliance or have voluntarily picked a framework to map your cybersecurity strategy, you inevitably come to a crossroads with a vulnerability assessment or a penetration test. Join me this week as I sit down with Kenneth May of Swift Chip Inc. as we dissect when it is appropriate to go beyond a vulnerability assessment, and the repercussions of a penetration test when a policy or guideline is not in place. If you are wondering about vulnerability assessments and penetration tests and how to determine when you should execute one or both, then this episode is for you.

Darknet Diaries
88: Victor

Darknet Diaries

Mar 30, 2021 45:34


Victor looks for vulnerabilities on the web and reports them responsibly. This is the story about discloser number 5780. Listen to episodes 86 and 87 before this one to be caught up on the story leading up to this.

Sponsors
This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.
This podcast is sponsored by the JSCM Group. They have a service called ClosedPort: Scan, and it's a monthly Penetration Test performed by Cyber Security Experts. Contact JSCM Group today at jscmgroup.com/darknet.
Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Cyber Security For All
Pen Test VS Vulnerability Scan - Which One is Right For You?

Cyber Security For All

Jan 8, 2021 20:11


Apetech Website: https://www.apetech.me/social https://anchor.fm/apetech/message Email: letschat@apetech.me Twitter: @apetechda

If you run a business and are curious about what pen testing vs vulnerability scanning is, then this is the article for you. Both services are useful and they each come with their own set of pros and cons. In this article, we'll explore what each service is and which one is right for you and your business needs.

A Penetration Test, or commonly referred to as a Pen Test, is when a third party tries to get physical access to your building and/or network. They try to get past security, employees, and whatever other security measures you have in place preventing intrusion. Once they have breached the perimeter, they then go after your network and data. If they are able to access critical data, then they have successfully penetrated your business.

Vulnerability scanning is a little less intense. A third party will assess your vulnerabilities by doing very passive scans of your network. They are checking for known security flaws that your business may be exposed to, but don't actually do anything to defend or attack. They just report what they find and make a recommendation about what you should do to protect yourself.

So, now that you know what the difference is between the two methods, which one do you need for your business? Pen testing is an active test. There are real people involved and while the attack is performed in a controlled manner, there is still a chance that something might go wrong. There is a small chance that data can be lost or damaged since the pen tester is actively trying to actually break into the system. The vulnerability scan, since it is typically a passive thing, has much less risk. But the vulnerability scan is more of a theoretical test. Yes, it's going to find real ports that are open, but unless you take action to close up your vulnerabilities, they are just going to be documented on paper. The same can be said about the pen test. The Pen test isn't supposed to actually take down your network or steal your data. It's just supposed to show you how someone could potentially do it. But like the vulnerability assessment, unless you actually take action to protect yourself, the white hat hacker can't actually save or protect your data.

So, which test is right for you? If you are confident in the security you have in place, I would recommend you go with a full pen test. They say ignorance is bliss and there's no better way to test out your shiny new security policy than having someone actively try to break it. An attacker isn't going to be asking for permission when they attempt to break in and steal your data, so a pen tester is as close as you are going to get to a real world simulation. With that said, this is a real world simulation which means things can go wrong. Have a backup plan for your data and network and then try to poke holes. If you aren't quite there yet with your network and security infrastructure, then I'd recommend you get your feet wet and go for a vulnerability assessment. It will paint a picture of where you have holes and give you a few good critical next steps you can take to improve your security.

Cyber Work
Red teamers arrested conducting a penetration test

Cyber Work

Oct 5, 2020 50:21


The story of today's guests is ripped straight from the headlines. Gary DeMercurio and Justin Wynn, both of the company Coalfire, were arrested at the Dallas County Courthouse while doing red team pentesting for the State of Iowa’s judicial branch. Their story is fascinating, and they discuss that fateful night as well as ways in which similar incidents could be avoided in the future. You can’t be too timid as a red teamer, they say. "If you're bragging as a red teamer about how you've never been caught, you're not pushing the operation as far as you should. You SHOULD be caught sometimes."

• Get your free security awareness toolkit: https://infosecinstitute.com/ncsam2020
• Enter code “cyberwork” to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/
• View transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Gary DeMercurio runs one of the largest groups in Coalfire Labs as a Senior Manager working with technologies every day. His expertise focuses on social engineering, physical testing and network devices. At Coalfire, Gary manages day-to-day business involved with FedRAMP, PCI, HIPAA and penetration testing, while helping to spearhead the physical and social engineering portion of testing.

As a Senior Security Consultant, Justin Wynn is responsible for actively compromising and reporting on virtual environments typically encountered at Fortune 500 companies. Justin performs wireless, physical, red team and social engineering engagements. Justin also conducts research to include the production of open-source models for printing/milling to aid in red team engagements, with specific regard to tool gaps in the locksport industry as well as master keys for access control/elevator overrides. Currently, Justin is researching security vulnerabilities in various RFID devices.

About Infosec
At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It’s what we do every day — equipping everyone with the latest security skills and confidence to be safe online. Learn more at infosecinstitute.com.

Hacked Off
072. An Intro: Firewall Security

Hacked Off

Sep 10, 2020 23:57


Our latest 'Intro' podcast takes a look at Firewall Security. Holly discusses different types of firewalls, the importance of network segmentation and Firewall Configuration Security Reviews, and how firewalls are targeted during a pentest.

1'30 How are firewalls targeted during a Penetration Test?
8'29 Network segmentation
11'08 How threat actors jump between networks
13'56 Next Generation Firewalls
19'14 Web Application Firewalls

Useful links: Firewall Configuration Security Review - https://www.secarma.com/services/cybersecurity-assessment/firewall-configuration-security-review.html
Listening time: 24 minutes
Hosted by: Holly Grace Williams, Managing Director at Secarma

Paul's Security Weekly
The Impossible Traveler - ESW #198

Paul's Security Weekly

Sep 9, 2020 94:05


This week, first we talk Enterprise News, discussing how Yubico Delivers New Security Key the YubiKey 5C NFC, ManageEngine ADSelfService Plus now supports MFA for VPNs to protect remote workforce, Sysdig partners with VulnDB to strengthen vulnerability intelligence reporting, 3 Signs it’s Time for a Penetration Test, and CrowdStrike Expands Support for AWS Workloads and Container Deployments! In our second segment, we welcome Corey Williams, VP Marketing/Idaptive by CyberArk at CyberArk, to talk about Exploring Identity Security and Its Role in the Modern Enterprise! In our final segment, we welcome Bradon Rogers, SVP of Global Pre-Sales Engineering at Mimecast, to discuss Cloud Based Cyber Resiliency!   Show Notes: https://securityweekly.com/esw198 Visit https://securityweekly.com/mimecast to learn more about them! Visit https://securityweekly.com/cyberark to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Enterprise Security Weekly (Audio)
The Impossible Traveler - ESW #198

Enterprise Security Weekly (Audio)

Sep 9, 2020 94:05


This week, first we talk Enterprise News, discussing how Yubico Delivers New Security Key the YubiKey 5C NFC, ManageEngine ADSelfService Plus now supports MFA for VPNs to protect remote workforce, Sysdig partners with VulnDB to strengthen vulnerability intelligence reporting, 3 Signs it’s Time for a Penetration Test, and CrowdStrike Expands Support for AWS Workloads and Container Deployments! In our second segment, we welcome Corey Williams, VP Marketing/Idaptive by CyberArk at CyberArk, to talk about Exploring Identity Security and Its Role in the Modern Enterprise! In our final segment, we welcome Bradon Rogers, SVP of Global Pre-Sales Engineering at Mimecast, to discuss Cloud Based Cyber Resiliency!   Show Notes: https://securityweekly.com/esw198 Visit https://securityweekly.com/mimecast to learn more about them! Visit https://securityweekly.com/cyberark to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly TV
Cynet 360 4.0, YubiKey 5C NFC, & Netskope Cloud Threat Exchange - ESW #198

Paul's Security Weekly TV

Sep 9, 2020 32:32


Yubico Delivers New Security Key the YubiKey 5C NFC, ManageEngine ADSelfService Plus now supports MFA for VPNs to protect remote workforce, Sysdig partners with VulnDB to strengthen vulnerability intelligence reporting, 3 Signs it’s Time for a Penetration Test, and CrowdStrike Expands Support for AWS Workloads and Container Deployments!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw198

Enterprise Security Weekly (Video)
Cynet 360 4.0, YubiKey 5C NFC, & Netskope Cloud Threat Exchange - ESW #198

Enterprise Security Weekly (Video)

Sep 9, 2020 32:32


Yubico Delivers New Security Key the YubiKey 5C NFC, ManageEngine ADSelfService Plus now supports MFA for VPNs to protect remote workforce, Sysdig partners with VulnDB to strengthen vulnerability intelligence reporting, 3 Signs it’s Time for a Penetration Test, and CrowdStrike Expands Support for AWS Workloads and Container Deployments!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw198

Hacking Humans
penetration test (noun) [Word Notes]

Hacking Humans

Sep 8, 2020 3:38


The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.

Black Hills Information Security
Webcast: What to Expect When You’re Expecting a Penetration Test

Black Hills Information Security

Aug 21, 2020 86:45


CJ and Bryan will share the knowledge they’ve accumulated, by helping 1,000’s of organizations determine what they need and don’t need when it comes to penetration tests and security assessments, over the years.

Topics Covered:
Selecting the type of test
Selecting the company to test
When to test
Issues around conducting a test

This webcast […] The post Webcast: What to Expect When You’re Expecting a Penetration Test appeared first on Black Hills Information Security.

Word Notes
penetration test (noun)

Word Notes

Aug 11, 2020 3:38


The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.

„ANGRIFFSLUSTIG – IT-Sicherheit für DEIN Unternehmen“
#006 ANGRIFFSLUSTIG – Penetration Test

„ANGRIFFSLUSTIG – IT-Sicherheit für DEIN Unternehmen“

Apr 4, 2020 20:20


In classic hacking demos, you often see a security expert break into a system within a few seconds. But that is only part of the truth. Serious attacks are always well prepared over a longer period of time. How a targeted attack typically unfolds is the topic of this episode. Andreas Wisler and Sandro Müller show, step by step, what is needed for a successful attack.

Discussions by Domain
IT Due Diligence And The Truth About Penetration Tests

Discussions by Domain

Mar 5, 2020 16:21


In this episode of Coffee With Adel, Anthony DeGraw and Adel Strauss discuss IT due diligence, what companies should keep in mind before getting a Penetration Test, and the benefits of making relationships.

Reduce Cyber Risk Podcast
RCR 075: Practice CISSP Exam Questions - CISSP Training and Study!

Reduce Cyber Risk Podcast

Feb 26, 2020 5:56


Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. In this episode, Shon will provide CISSP training for Domain 6 (Security Assessment and Testing) of the CISSP Exam. His extensive training will cover all of the CISSP domains.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

CISSP Exam Questions

Question: 108
What are the various phases associated with completing a Penetration Test for an organization?
a. Planning, Reporting, Vulnerability Management, Exploiting, Information Gathering
b. Production, Registration, Vulnerability Management, Exploiting, Information Gathering
c. Planning, Reporting, Vulnerability Scanning, Exploiting, Information Gathering
d. Production, Reporting, Vulnerability Management, Exploiting, Information Gathering
Explanation: [c] Planning, Reporting, Vulnerability Scanning, Exploiting, and Information Gathering (not in order) are the phases of completing a penetration test for an organization.
------------------------------------
Question: 109
When creating metrics for your leadership, what are the first items you should focus on and what should be your level of complexity for the report?
a. Very complex metrics focused on all systems; Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues
b. Very simple metrics focused on critical systems; Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues
c. Very simple metrics focused on critical systems; Management processes, Closed vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance issues
d. Very simple metrics focused on critical systems; Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues
Explanation: [b] Starting off with simple metrics focused on critical systems with the following metrics: Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues is the best method to get started. Obviously, your organization may be different and you will have to modify to meet your needs, but it is a good place to get started….keep it simple.
------------------------------------
Question: 110
When completing a Penetration Test of your organization who needs to be involved in the discussion and decision?
a. No one; informing people that the penetration test will occur will taint the results resulting in waste
b. Everyone; it is important that people don't feel duped that this test was designed to trick them
c. Key personnel; it is important to focus on only telling the decision makers/influencers (CEO/CIO, Legal, Public Affairs, Compliance) as it relates to a penetration test.
d. None of the above
Explanation: [c] It is important the right people are involved in the decision making process as a Pen Test can have significant impact on an organization and cause a disruption within a company.
------------------------------------
Want to find Shon elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources

Chill Chill Security
EP125: Is Automatic DAST different from a Penetration Test?

Chill Chill Security

Dec 2, 2019 5:47


Sponsored by SEC Playground. Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support

Chill Chill Security
EP87: Types of Penetration Tests

Chill Chill Security

Oct 26, 2019 3:39


Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support

Chill Chill Security
EP40: Is a penetration test still necessary?

Chill Chill Security

Sep 9, 2019 6:45


Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support

Chill Chill Security
EP6: What is the difference between Vulnerability Assessment and Penetration Test

Chill Chill Security

Aug 5, 2019 4:18


Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support

Safe in Space: A Cyber Security Podcast
7 ways to get the most out of your penetration test

Safe in Space: A Cyber Security Podcast

Jul 2, 2019 13:33


Alexei Doudkine, Principal Offensive Consultant at Content Security gives 7 tips to get the most out of your next penetration test.

Reduce Cyber Risk Podcast
RCR 039: Conduct or Facilitate Security Audits (CISSP Domain 6)

Reduce Cyber Risk Podcast

Jun 10, 2019 28:52


Shon Gerber from ReduceCyberRisk.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.  In this episode, Shon will talk about the following: CISSP / Cybersecurity Integration What is Security Assessment / Testing CISSP Training Conducting or Facilitating Security Audits CISSP Exam Question Conducting a Penetration Test  

Hacked Off
015. An Intro: The Stages of Penetration Testing

Hacked Off

May 16, 2019 15:21


We’ve previously discussed the difference between Penetration Testing and Red Teaming, so in this episode we delve a little deeper into the different stages of PenTesting. For organisations who are considering this security assessment, it is an excellent starting point to better understand the process. The discussion includes:

2’00 What is a Penetration Test?
3’02 How is it performed?
5’03 An example of a vulnerability: SQL Injection
6’52 What kind of vulnerabilities do we look for? The OWASP top ten*
8’07 What we do when we find a vulnerability
11’50 Reporting after a penetration test

*https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Download on iTunes: apple.co/2Ji61Ek
Listening time: 15 minutes
For more information, follow us on Twitter @secarma or @secarmalabs or email us at podcast@secarma.com
Hosted by: Holly Grace Williams, Technical Director at Secarma

Pwned: The Information Security Podcast
5 Security Predictions for 2019

Pwned: The Information Security Podcast

Jan 7, 2019


Show Notes: https://justinfimlaid.com/5-security-predictions-for-2019/
Sponsor: https://www.nuharborsecurity.com
Contact Me: https://justinfimlaid.com/contact-me/
Twitter: @justinfimlaid
LinkedIn: https://www.linkedin.com/in/jfimlaid/

Most companies put together a "top predictions" for FY19. Most are garbage. There's a couple I think are decent but they are few. Here's my top 5 predictions for FY19.

1. People will realize that SOAR (Security Orchestration and Automation Response) is not the security savior. In fact, I'd be so bold to say it hinders the security industry by forcing security professionals to become distracted from doing the core and foundational security work. Security takes work…plain and simple. You have to eat some shit and grind it out. That's the job. There's no easy button for this. While people are spending the year trying to figure out what to automate, they'll only get to December with little to show and year wasted. I often see SOAR being sold as the end all be all to the security talent short-comings…"no staff, no problems…just buy this solution and we'll solve it for you." BS. In my experience, most companies don't have good security practices, and what happens when you automate broken processes…you break the process more times and faster. Additionally, the fundamental thing that SOAR is missing is that security is often distributed within an organization, meaning…it's not one team rather a bunch of teams/departments doing their part of security. The issue in corporate is that those departments DO NOT allow another group to dictate automatic configuration of technology they are responsible for. Lastly, folks are still trying to figure out security…never mind automate it. Security teams still need to fundamentally understand the tedious parts of security before they can automate anything…and unfortunately, most people don't know what they don't know.

2. Network visibility becomes an important thing. Yeah - this one has been around for a while but I think this is the year it picks up momentum. With distributed networks and IOT blowing up, I think folks will finally start to realize that you can't secure what you can't see and will finally own up to needing a solution that provides central visibility to all devices with an internet connection. To date, I think this has been a bit of a luxury to have this level of visibility but I think most folks have tried to cobble together make-shift or home grown solutions to get this level of visibility, so this year I think we'll see folks start to own it.

3. Blockchain will become commoditized. C'mon let's face it…there is a ton of folks trying to tout how smart they are with innovative blockchain solutions. Honestly…there's so many people trying to do this, and if someone can find useful use-cases then I foresee this becoming as commoditized as asymmetric and symmetric encryption for data protection late this year. In other words, if someone can do something worthwhile, it becomes table stakes and no one will care anymore.

4. Scan-jockeys will be identified. Contrary to what I hear every week - a vulnerability scan is not a Penetration Test. In the industry we call these folks who run a vulnerability scan and pass it off as a penetration test as Scan Jockey. These are folks that don't really know how to pen test, so they choose a vulnerability scanner, run a scan and hope no one knows the difference. Now, don't get me wrong, a vulnerability scan has a VERY valid use in security; in fact I think every organization should be doing vulnerability scans. My issue is people faking to be a penetration tester. I do see folks in industry becoming more educated in the difference between the two types of test, and I think later this calendar year more scan-jockeys will have a harder time in securit...

Blue Fox Group
From the Blog - IT Security Penetration Test

Blue Fox Group

May 16, 2018 8:32


From the Blue Fox Group Blog. https://www.bluefoxgroup.com/blog/proactive-it-security-advice-smb

HIPAA Talk
Remediating Issues Found in a Penetration Test

HIPAA Talk

Jan 22, 2018 12:12


What do you do after learning about weaknesses in your defenses? Drew Green, Director of Information Technology at Thomas, Judy and Tucker recommends ways to go about creating fixes in your security leading up to, and after a penetration test. Mr. Green talks to Jason Karn, Total HIPAA's Chief Compliance Officer, about how often penetration […]

HIPAA Talk
How to Choose a Company for a Penetration Test

HIPAA Talk

Jan 8, 2018 13:33


A penetration test is a crucial tool used to protect your information. Being able to trust your security expert is a must. What can you expect from a breach, and what kind of damages and expenses can your organization prevent through these diagnostic tests? Drew Green, Director of Information Technology at Thomas, Judy and Tucker […]

HIPAA Talk
What to Expect From a Penetration Test

HIPAA Talk

Nov 20, 2017 8:49


As a business owner, it is valuable to be familiar with what is involved in the process of a penetration test, so you can gain the best understanding about the status of your company's security. Drew Green, Director of Information Technology at Thomas, Judy and Tucker talks with Total HIPAA's Chief Compliance Officer, Jason Karn […]

Ministry of Testing
Getting the Best out of Your Penetration Test(ers) with Dan Billing and Brendan Seerup

Ministry of Testing

Oct 17, 2017 49:37