Expand Your Concept of Penetration Testing

Penetration testing, or ethical hacking, is the process of applying the same tools and techniques an attacker would use to exploit vulnerabilities and reach targeted information resources.  This article at the InfoSec Institute describes the top tools used for this work.

Penetration tests are performed at two points: during the testing phase of the SDLC and annually after implementation.  Most organizations do not have the resources to pen test during the SDLC, nor can they afford to keep a pen tester on staff.  They must therefore engage a third party to perform these tests as part of an annual external review of security effectiveness.

Testers do not arbitrarily start attacking systems.  They perform tests approved by management in writing.  In addition to the tests to be performed, the test approval documentation should include test boundaries.  For example, management might require the test to end once vulnerabilities are discovered without actually accessing sensitive data or adversely affecting production systems.

In the past, attacks followed the traditional sequence of steps:

  1. Reconnaissance
  2. Scanning
  3. Gaining access
  4. Maintaining access
  5. Covering tracks

These steps are aimed at cracking perimeter defenses.  However, most attacks today bypass the perimeter entirely and exploit user weaknesses to enter our networks.  Consequently, penetration tests must also cover the tools and techniques aimed at people, including social engineering.

In addition to paying for formal pen tests, bug bounty programs are a good way to get hundreds or thousands of people looking for weaknesses instead of one or two.  One company that coordinates these is https://www.bugcrowd.com/.  Bug bounty programs aren’t just for Microsoft and Google.  They are for businesses of any size that want the maximum number of eyes looking for weaknesses in websites or applications.

Would you recommend a bug bounty program for your organization in addition to or instead of a pen test?  Why or why not?