Pentests are required for ISO 27001 or SOC2 audits: download pdf
Why do organizations need to conduct a penetration test?
Jul 12 2021
APPSEC TESTING APPROACHES
Jun 08 2021
The Benefits of Automated Penetration Testing
Penetration testing has been one of the industries that are relatively slow adopters of automation. As security firms started automating many parts of the cybersecurity process including scanning and threat intelligence updates, security testing for some time was still mostly about traditional methods.
βIn the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it,β as noted CISO Alex Haynes explains in an article exploring the potential of AI replacing humans in this field.
This is perfectly understandable, considering that penetration testing needs to be thorough and supervised by experts. Many of its parts are repetitive, but they require the scrutiny of human cybersecurity professionals to be carried out effectively. AI and machine learning technology has yet to reach a level advanced enough to competently handle the complexities of security testing.
However, the past years have produced excellent examples of solutions that take advantage of automation. These pen-testing platforms employ automation in specific areas that make excellent sense. These existing solutions provide convincing evidence of the benefits of automation in this field of cybersecurity.
Table of Contents
- More effective cyber threat intelligence gathering and assessments
- Automated attack simulations and continuous testing
- Improved threat response through automated evaluation, prioritization, real-time reports, and guided responses
- Better penetration testing in virtually all aspects
Mar 16 2021
Network Penetration Testing: A Primer
What is Network Penetration Testing?
A network penetration test, or pen test, is a method of assessing a networkβs security and identifying vulnerabilities in the network by the intentional use of malicious penetration techniques. In simple terms, an ethical hacker tries to hack your organizationβs network, with your permission, to reveal underlying security risks to your network.
You may ask, βI have conducted a vulnerability assessment. Do I need to conduct a network penetration test, as well?β
Vulnerability assessment makes use of automated tools that only help pinpoint common security vulnerabilities. In contrast, during penetration testing, security experts act as hackers and simulate a potential cyberattack. They observe how your system will react to a cyberattack by a cybercriminal. They identify security weaknesses, and may provide remediation advice applicable to software, hardware, or even human management of the system.
Although some high-quality vulnerability assessment tools categorize security risks, assign risk levels and offer remediation suggestions, the need for pen testing can not be fulfilled by vulnerability assessment alone.
So, the answer is yes. For a complete picture of your networkβs security, network penetration testing is a must.
What are the Benefits of Network Penetration Testing?
Dec 26 2020
Fake Amazon gift card emails deliver the Dridex malware
The Dridex malware gang is delivering a nasty gift for the holidays using a spam campaign pretending to be Amazon Gift Cards.
Dridex phishing campaign wants to send a gift
When distributing malware, malware gangs commonly use current events and the holidays as themes for phishing campaigns to lure people into opening malicious attachments.
Such is the case in aΒ recent phishing campaignΒ discovered by cybersecurity firm Cyberreason that pretends to be an Amazon gift certificate sent via email.
These emails, shown below, pretend to be a $100 gift certificate that users must redeem by clicking on a phishing email button.
Source: Fake Amazon gift card emails deliver the Dridex malware
Fake Amazon Email Scam 2020 | How to Detect & Defend | Alert | Windows 10 | Beginners Guide |
httpv://www.youtube.com/watch?v=LXPehYw-D0E
Jul 20 2020
Black Hat USA Announces New Community Programs to Address the Needs of Information Security Professionals
Programs will address diversity and inclusion, mental health and career education.
βThe technical content that is presented on the Black Hat stage each year is an important contribution to the industry, but weβve found that more sensitive topics such as mental health and diversity within the information security community are often not highlighted enough,β said Steve Wylie, Black Hat General Manager.
Source: Black Hat USA Announces New Community Programs to Address the Needs of Information Security Professionals
Download a Security Risk Assessment Steps paper!
Subscribe to DISC InfoSec blog by Email
Take an awareness quiz to test your basic cybersecurity knowledge
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Aug 07 2019
Why do organizations need to conduct a penetration test?
12 desirable reasons why an organization should carry out a penetration test:
- Β Assess potential business and operational impacts of successful attacks and determine the feasibility of a particular set of attack vectors.
- Β Identify higher-risk vulnerabilities resulting from lower-risk vulnerabilities exploited in a particular way.
- To comply with security regulations or standards, e.g. ISO 27001
, NIST CSF
, NIST 800-171
,Β HIPAA
,Β PCI DSS
or the EU GDPR
.
- To ensure the security of new applications or significant changes to business processes.
- To manage the risks of using a greater number and variety of outsourced services.
- To assess the risk of critical data or systems being compromised by an incident.
- In preparation for any upcoming external audits, such as FFIEC audits performedΒ by third-party providers.
- To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls.
- Save Remediation Costs and Reduces Network Downtime.
- To develop Efficient Security Measures.
- Provide evidence to support increased investments in security personnel and technology.
- At the end of the day, it’s basic due diligence, to find out about the vulnerability before someone else does.
I’ll Let Myself In: Tactics of Physical Pen Testers
#SANS Pen Test HackFest Summit
DISC InfoSecΒ Recommended Pen Testing Titles
Penetration Testing Services Procurement Guide
Contact DISC InfoSec to discuss your information security assessment (pen test) requirements
Nov 26 2014
Have you heard about the Pwn Phone 2014?
If you have to undertake vulnerability scans or penetration tests at remote sites as part of your day-to-day activities, having to lug around a laptop and other scanning and penetration testing kit can be a real pain. Having the right tools for the job is crucial.
But how can you ensure you have the right tools for the job and eliminate the need to lug around bulky equipment? The simple answer is the Pwn Phone 2014. This sleek LG Nexus 5 mobile phone doubles as a powerful penetration testing device that makes it easy to evaluate wire, wireless and Bluetooth networks.
The most portable penetration device yet, its custom Android front-end and Kali Linux backend, and comprehensive suite of one-touch penetration tools, render it the ideal choice for pen testers who are on the road or conducting a company or agency walkthrough.
Watch a demonstration of the Pwn Phone in the below video:
Go mobile with the Pwn Phone 2014.
Related articles
May 28 2014
8 Best Books That Every Budding #Hacker Must Read
Everyone knows that a hacker by extension is always a programmer. What many don’t know though is that there is a lot more to it. It’s not just about knowing the language. A hacking is mainly defined by his curiosity to know what is otherwise not to be known.
While the following booksΒ are on a subject of hacking, theyΒ cover a lot ofΒ in-depth knowledge on the subject which includes but not limited to examples and exercises. As an ethicalΒ hacker, it’s something you can never pass upΒ and may need to know.
1. Hacking: The Art of Exploitation, 2nd Edition
Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope.
Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker’s perspective.
The included LiveCD provides a complete Linux programming and debugging environment-all without modifying your current operating system. Use it to follow along with the book’s examples as you fill gaps in your knowledge and explore hacking techniques on your own. Get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps even inventing new exploits.
2. The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy
The Basics of Hacking and Penetration Testing serves as an introduction to the steps required to complete a penetration test or perform an ethical hack. You learn how to properly utilize and interpret the results of modern day hacking tools; which are required to complete a penetration test. Tool coverage will include, Backtrack Linux, Google, Whois, Nmap, Nessus, Metasploit, Netcat, Netbus, and more. A simple and clean explanation of how to utilize these tools will allow you to gain a solid understanding of each of the four phases and prepare them to take on more in-depth texts and topics. This book includes the use of a single example (pen test target) all the way through the book which allows you to clearly see how the tools and phases relate.
3. Metasploit: The Penetration Tester’s Guide
The author of this book David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools. Some see this book as a right of passage for anyone to be a hacker.
4. BackTrack 5 Wireless Penetration Testing Beginner’s Guide
Written in Packt’s Beginner’s Guide format, you can easily grasp the concepts and understand the techniques to perform wireless attacks in your lab. Every new attack is described in the form of a lab exercise with rich illustrations of all the steps associated. You will practically implement various attacks as you go along. If you are an IT security professional or a security consultant who wants to get started with wireless testing with Backtrack, or just plain inquisitive about wireless security and hacking, then this book is for you. The book assumes that you have familiarity with Backtrack and basic wireless concepts.
5. CEH Certified Ethical Hacker All-in-One Exam Guide
Get complete coverage of all the objectives included on the EC-Council’s Certified Ethical Hacker exam inside this comprehensive resource. Written by an IT security expert, this authoritative guide covers the vendor-neutral CEH exam in full detail. You’ll find learning objectives at the beginning of each chapter, exam tips, practice exam questions, and in-depth explanations. Designed to help you pass the exam with ease, this definitive volume also serves as an essential on-the-job reference.
Β
Get complete coverage of all the objectives included on the EC-Council’s Certified Ethical Hacker exam inside . Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world’s biggest companies–and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn’t just about technological feats-it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information
A former top-level National Security Agency insider goes behind the headlines to explore America’s next great battleground: digital security. An urgent wake-up call that identifies our foes; unveils their methods; and charts the dire consequences for government, business, and individuals.
8. CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide is an update to the top-selling SY0-201 guide, which helped thousands of readers pass the exam the first time they took it. The SY0-301 version covers every aspect of the SY0-301 exam, and includes the same elements readers raved about in the previous version.
Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. The author uses many of the same analogies and explanations he’s honed in the classroom that have helped hundreds of students master the Security+ content. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 450 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes a 100 question pre-test, a 100 question post-test, and practice test questions at the end of every chapter. Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
Related articles
Feb 25 2013
PENETRATION TESTING & ISO27001
Penetration testing (often called βpen testingβ or βsecurity testingβ) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.
Why would my company need penetration testing services?
In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS – from initial development through to on-going maintenance and continual improvement.
How does penetration testing fit into my ISO27001 ISMS project?
There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:
1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
2. As part of the Risk Treatment Plan ensuring controls that are implemented do actually work as designed.
3. As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes; ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
The Basics of Hacking and Penetration Testing
This guide will show you how to undertake a penetration test or as it is sometimes known an ethical hack. This book focuses on how to hack one particular target, this allows you to see how the tools and phases of the pen test relate. to get your copy of The Basics of Hacking and Penetration Testing
ITG | eBay | Amazon
Penetration Testing – Protecting Networks and Systems
An essential guide to penetration testing and vulnerability assessment, which can be used as a Certified Penetration Testing Engineer Exam Prep Guide. to get your copy of your Penetration Testing – Protecting Networks and Systems
ITG | eBay | Amazon
Related articles
« Previous Page
