Tag Archives: socialengineering

Top 5 Attack Vectors Report: Defend It Before You Hack It

0
Filed under Defense
Tagged as , , , , , , ,

robot-with-sheild-300x287Each year my team conducts hundreds of Penetration Tests in a wide variety of industries, ranging from Healthcare to Retail, Finance to Manufacturing, and many more. The team analyzed data collected from each of our penetration tests at SecureState since 2011 and found common themes in the methods of compromise utilized to break into organizations and compromise sensitive information. As a result, SecureState has issued a new report that expands on the attack vectors identified and suggests ways organizations can defend themselves against such attack vectors. SecureState’s 2014 Attack Vectors Report revealed the following Top 5 methods of compromise:

  1. Weak Passwords
  2. Web Management Consoles
  3. Missing Patches and System Misconfigurations
  4. Application Vulnerabilities
  5. Social Engineering

The full report is available for download on the SecureState website. I also presented a webinar (watch the replay here) with Defense team lead Robert Miller, expanding on the report’s findings and offering additional advice to organizations on how to defend against these attack vectors. I highly recommend you download this report to see where your organization stands in regards to these attack vectors.

What’s the bottom line?
The current mindset of many organizations is to only react after an attack or breach has already occurred. However, based on our findings and what the current onslaught of recent breaches have shown us, it’s clear that organizations face the same attacks month after month. Rather than be reactive, the defensive mindset needs to change to a proactive one. Consider focusing time, money and resources on your defensive controls before a penetration test occurs.

A penetration test should be your final step to ensure your defense can withstand an attack and to adjust your defenses if necessary. We’ve seen it time and time again where organizations only conduct an annual penetration test and expect that remediating tactical issues from the penetration test will improve their security posture. This needs to stop! Build and test your defensive controls first, then test to see how these controls hold up. Most of these controls are a mix of tactical and strategic, but reactively focused. By taking a proactive stance on defense, your organization will become much more secure and the time, money and resources spent will provide much more value to the business.

Defend it before you hack it.

Cross-posted from the SecureState Blog

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Want to learn more about Social Engineering?

2
Filed under Social Engineering
Tagged as ,

Of course you do!

If you don’t know who Chris Nickerson is…then you should. Chris is the founder of Lares Consulting, was on the Tiger Team TV show and also a frequent speaker at security conferences who talks about tiger team/red team operations. He also talks about how social engineering is more important then ever to include in your penetration testing program. I couldn’t agree more! In fact, he’s giving a free webcast with Mike Murray on March 10th called “Modern Social Engineering – A Vital Component of Pen Testing”.

Via the Carnal0wnage Blog:

“The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense. “

You can sign-up for the webcast here. Also, Chris and Mike are doing a “Social Engineering Master Class” at ChicagoCon this year which looks awesome! Looks like there are only 25 seats so check it out if you can. Interestingly enough Chris has just started blogging so be sure to check out his blog. If that wasn’t enough…we (Security Justice) recorded a special edition podcast with Chris in which he talks about his adventures on the Tiger Team TV show.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS