We recently delivered an Advanced Persistent Threat (APT) Penetration Test to one of our customers. People who know us know that when we say APT we’re not just using buzzwords. Our APT services maintain a 98% success rate at compromise, while our unrestricted methodology maintains a 100% success rate at compromise to date. (In fact, we offer a challenge to back up our stats. If we don’t penetrate with our unrestricted methodology, then your test is free. If we do get in, then you pay us an extra 10%.) Let’s begin the story about a large retail customer that wanted our APT services.
When we deliver covert engagements we don’t use the everyday and largely ineffective low-and-slow methodology. Instead, we use a realistic offensive methodology that incorporates distributed scanning, the use of custom tools, and zero-day malware (RADON), among other things. We call this methodology Real Time Dynamic Testing™ because it’s delivered in real time and is dynamic. At the core of our methodology are components normally reserved for vulnerability research and exploit development. Needless to say, our methodology has teeth.
Our customer (the target) wanted a single /23 attacked during the engagement. The first […]
People are always mystified by how hackers break into major networks like Target, Hannaford, Sony, (government networks included), etc. They always seem to be under the impression that hackers have some elite level of skill. The truth is that it doesn’t take any skill to break into most networks because they aren’t actually protected. Most network owners don’t care about security because they don’t perceive the threat as real. They suffer from the “it won’t ever happen to me” syndrome.
As a genuine penetration testing company we take on dozens of new opportunities per month. Amazingly, roughly 80% of businesses that request services don’t want quality security testing; they want a simple check in the compliance box. They perceive quality security testing as an unnecessary and costly annoyance that stands in the way of new revenue. These businesses test because they are required to, not because they want to. These requirements stem from partners, customers, and regulations that include but are not limited to PCI-DSS, HIPAA, etc.
Unfortunately these requirements make the problem worse rather than better. For example, while PCI requires merchants to receive penetration tests it completely fails to provide […]
All of the recent news about Target, Neiman Marcus, and other businesses being hacked might be a surprise to many, but it’s no surprise to us. The truth is that the practice of security has devolved into a political, image-focused exercise designed to satisfy technically inept regulatory requirements that do little or nothing to protect critical business assets. What’s worse is that many security companies are capitalizing on this devolution rather than providing effective solutions in the spirit of good security. This is especially true with regards to the penetration testing industry.
We all know that money is the lifeblood of business and that a failure to meet regulatory requirements threatens that lifeblood. After all, when a business is not in compliance it runs the risk of being fined or not being allowed to operate. In addition, the imaginary expenses associated with true security are often perceived as a financial burden (another lifeblood threat). This is usually because the RoI of good security is only apparent when a would-be compromise is prevented. Too many business managers are of the opinion that “it won’t happen to us” until they become a target and it does. […]
I (Adriel) read an article published by Charles Cooper of c|net regarding small businesses and their apparent near total lack of awareness with regards to security. The article claims that 77% of small- and medium-sized businesses think that they are secure yet 83% of those businesses have no established security plan. These numbers were based on a survey of 1,015 small- and medium-sized businesses that was carried out by the National Cyber Security Alliance and Symantec.
These numbers don’t surprise me at all and, in fact, I think that this false sense of security is an epidemic across businesses of all sizes, not just small-to-medium ones. The question that people haven’t asked is why this false sense of security exists in such a profound way. Are people really OK with feeling safe when they are in fact vulnerable? Perhaps they are being lied to and are drinking the Kool-Aid…
What I mean is this. How many software vendors market their products as secure only to have someone identify all sorts of critical vulnerabilities in it later? Have you ever heard a software vendor suggest that their software might not be highly secure? Not only is the suggestion that all software is secure […]