Blog


What is Vulnerability Scanning?

Vulnerability scanning is the process of using an automated tool to send large numbers of test payloads at a target (a website or network) to see whether it is vulnerable to publicly disclosed security problems. As researchers around the world identify new security problems, these are added to the list of tests the scanner performs, and so the arms race between attackers and defenders evolves.


If you've read my previous article "What is Pentesting?" you'll have seen me mention that most Pentesters use vulnerability scanners as part of their tool kit, so they can focus their attention on the areas of the target site or network that are most likely to need remediation.


The results of the scan are combined with the results of manual investigation so that as many of the issues present as possible are included in the report. The objective of a Pentest is not necessarily to compromise the server or network, although this is often possible. The purpose of a Pentest is to identify and report as many security issues as possible that an attacker could use to gain their first foothold on the target. In many cases these issues are rated as low risk on their own. However, in my experience, when it is possible to compromise a web server or gain unauthorized access to a network, it is as often from something considered low risk as from a critical flaw, which is much harder to find. It's fair to say the vast majority of attackers use automated means to find low-level vulnerabilities and only really start paying attention once they have a foothold in the target. As such, it makes sense to use automated means to find the vulns they use to gain that foothold and plug them as soon as possible.


An example of an attack chain that is very effective but only uses low risk vulnerabilities could be as follows:


An attacker identifies that the login page of their target website is vulnerable to user enumeration. This means that either the registration or the password recovery page returns a message confirming whether or not a user's email address is registered on that site, e.g. try to register or recover your password and receive a message saying "This user is already registered, please try another email address" or similar. The attacker can then run a huge list of email addresses against that function and identify a long list of users, possibly including site administrators.


They then identify that the login page is vulnerable to Clickjacking. This is when the page can be loaded in an iframe. The attacker loads that iframe over their own login page, hosted on a look-alike domain name that in some cases is indistinguishable from the real one.


When this is set up correctly from the attacker's perspective, they can email a link to all the users they have enumerated, and when those users go to log in they will be sending their login credentials to the attacker-controlled site, which then forwards them to the real site. The user won't notice any difference, but their credentials will have been compromised. In essence the legitimate login page has been turned into a phishing page using one low-risk vulnerability (the clickjacking), and the attack has been completed using one more low-risk vulnerability (the user enumeration) and a smattering of social engineering in the email.


I mention this to demonstrate that a site can be compromised using only low-risk vulnerabilities in combination. I've done tests for clients who take the view that they only fix issues rated as medium and above as part of their appetite for risk, and this has always worried me.
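As an added example (not code from the original post or the author's scanner), here are the two defender-side checks behind that chain, written in Python over constructed HTTP responses: one confirms a login page cannot be framed, the other confirms a registration or recovery endpoint answers identically for known and unknown addresses. The `Response` class is a hypothetical stand-in for whatever HTTP client you use, and the sample bodies are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal hypothetical stand-in for an HTTP response (constructed offline)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def framing_blocked(resp: Response) -> bool:
    """True if the page refuses to be loaded in a third-party iframe.
    Accepts X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors
    directive whose source list does not contain a bare '*'."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if headers.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in headers.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return bool(sources) and "*" not in sources
    return False

_HEX_TOKEN = re.compile(r"[0-9a-fA-F]{16,}")

def _normalise(body: str) -> str:
    # Collapse whitespace and mask long hex tokens (CSRF nonces, session ids)
    # so per-request noise is not mistaken for an enumeration signal.
    return re.sub(r"\s+", " ", _HEX_TOKEN.sub("<token>", body)).strip()

def enumeration_leak(known: Response, unknown: Response) -> bool:
    """True if a registration or recovery endpoint answers differently for a
    registered and an unregistered address, i.e. it confirms which is which."""
    return known.status != unknown.status or _normalise(known.body) != _normalise(unknown.body)

# Constructed sample responses: a leaky and a fixed registration endpoint
# (the fixed one still varies only by its per-request CSRF token),
# and a login page with and without an anti-framing header.
LEAKY_KNOWN = Response(200, {}, "This user is already registered, please try another email address")
LEAKY_UNKNOWN = Response(200, {}, "Thanks for registering, check your inbox")
FIXED_KNOWN = Response(200, {}, "If the address is valid you will receive an email shortly <input name=csrf value=00112233445566778899aabb>")
FIXED_UNKNOWN = Response(200, {}, "If the address is valid you will receive an email shortly  <input name=csrf value=ffeeddccbbaa998877665544>")
UNPROTECTED_LOGIN = Response(200, {"Content-Type": "text/html"}, "<form>...</form>")
PROTECTED_LOGIN = Response(200, {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}, "<form>...</form>")
```

A scanner flags the leaky endpoint and the unprotected login page; the fixed pair passes because the only difference is the masked token.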


In financial services and other sensitive industries regulators require that a Pentest be done after any major change is made to a site or network. This is expensive and places a heavy burden on the network/site owner. In industries that are not so heavily regulated the same principle applies but the overhead in time and money isn't realistic, especially where changes are being made frequently or even daily. 


Vulnerability scanning can be used as a cost-effective stopgap to check for low-hanging-fruit issues such as these whenever changes are made, so that confidence can be maintained that no issues have been introduced between Pentests. The only alternative is to have a tester on staff, which is a great expense to bear.


What is Pentesting?

Penetration Testing, or Pentesting for short, is a method businesses and organizations use to confirm that the cyber security protections they have in place are effective. Known as offensive security, it involves using a third-party consultant to test the organization's security by attempting to breach it the same way a real hacker would. The main difference is that when the consultant is finished they don't steal the data; instead they provide a detailed report explaining exactly how they were able to compromise as much as they did and how best to go about fixing it. This means that when a real hacker comes along they aren't able to do the same things.

There are restrictions placed on Pentesters which ensure that only non-destructive tests are attempted, and close communication with the organization being tested is of critical importance. This places a slight caveat on the effectiveness of Pentesting, because a real attacker will not be concerned about doing damage, only about achieving their objective. A Pentester places primary importance on doing no damage and then tests as well as they can within those confines.

Typically the main areas that receive attention from Pentesters are networks, networking equipment and websites. These are the parts of a business that change regularly, and when changes are made it's important to be sure no vulnerabilities have been introduced. Bringing in a Pentester to confirm in practical terms what vulnerabilities are present and what data can be accessed is an effective way of establishing what data is exposed and what an attacker might be able to do with it.

Depending on the sensitivity of the data being protected Pentesting is normally carried out either every year, every 6 months or after every major change that is made to the network or website. 

There are 3 main reasons that companies tend to get a Pentest. 

1. Testing is required as part of a regulatory regime that binds the organization, e.g. ISO 27001, HIPAA or FFIEC.

2. In order to attract larger clients. Breaking the ceiling on the next level of clients often requires greater adherence to, and confirmation of, best practices.

3. The company is concerned they don't have clarity on exactly where cyber attacks are likely to come from and they want to get ahead of the potential damage a data breach could cause. 

With the introduction of GDPR regulations in 2018 things changed in a big way for companies who control data, as since 2018 there has been an additional threat to businesses apart from the reputational damage associated with a data breach. This comes from the Information Commissioner's Office itself in the form of potential fines of up to 20M Euros or 4% of global turnover (whichever is greater). This means that businesses that experience a data breach must report themselves to the Information Commissioner's Office and may well be fined for not protecting their customers' and employees' data. To date the largest fine issued by the ICO was to WhatsApp for 225M Euros.

With the well-publicized increase in Ransomware and Phishing attacks, combined with the potential to be fined by the ICO, the risks for all businesses who don't invest in cyber security are clear. Travelex was a world-famous foreign exchange company until it experienced a Ransomware attack in 2020. Since then the reputational damage of this attack has forced the company into administration.

There are, however, myriad options and service providers to choose from, and selecting the right provider can seem like a major project in itself.

Choosing the right provider depends on a number of factors, but the main one is how far into cyber security testing the organization already is. If you already have Pentests regularly and have eliminated most or all of the low-hanging fruit in your estate, you may be ready to move some of your Pentesting budget towards more specific security tests such as Phishing attack simulations. If, on the other hand, you've never had security testing done, then you will likely get more value from focusing your budget on identifying low-hanging fruit and honing your deployment methods to ensure these issues are caught and fixed before go-live time.


Collaboration in Cyber Security

Hacking forums go back to the very early days, when hacking was all fun and games about defacing your friend's website or proving to them that your attacking skills were better than their ability to harden their website.

Now hacking is big business!

Hacking forums still exist, and attackers use them to share knowledge and skills openly with the objective of helping each other attack innocent businesses and individuals, to make money by illegal means.

Defending yourself on the internet has never been so difficult!

All the current trends suggest it's only going to get more difficult, as attackers increase in number and upskill at the same time. 

It’s never been easier to become a successful attacker on the internet than it is now. There is abundant training and attack methods are shared openly. Just check YouTube for endless examples. 

Defending has always been harder than attacking. As a defender you have to be right all the time. As an attacker you only have to be right once. 

It's well recognised that you should never write your own encryption, even if you're the greatest mathematician the world has ever known. It's impossible for one person to see all the angles.

This is why the encryption methods used in all areas of life are ones that have been made public and peer reviewed over years.

PGP is still one of the most secure methods of transferring sensitive data, and it's been around since 1991. It will be considered secure until someone manages to break it, which eventually they will. This is inevitable.

For the same reasons that encryption methods require peer review, defence methods are most effective when they're made public and peer reviewed.

No one person can see all the angles and what might seem unbreakable from one perspective may be vulnerable from another. Peer review is the best method of validating your methods to be sure they’re effective in all the contexts you require.

Defence is most effective when it’s collaborative.  

For this very reason we have joined https://www.info-sec.live/. This is a safe space where CIOs and anyone with responsibility for the security of their organisation can meet to discuss their security methods and get feedback from us and other experts on how those methods might be improved or adjusted.

If you’re serious about securing your organisation this is a good place to find the advice and support you need. 

We hold live messenger meetings weekly featuring guest experts so you can safely question your own assumptions and actively improve your security posture.    

I help business owners secure their websites and networks through Vulnerability Scanning and manual Pentesting. A secure business is one that can weather the challenges of 2021. Are you secure? If you don’t know then I can help you. Book a free consultation and UP your security NOW 

#pentesting #cybersecurity #training #data #BetterTogether


2020, the Year of the Hack

2020 is going down in history as the year of the hack!

Attacks have increased in scope and complexity on an unprecedented scale. 

➕Malicious Domains up 22%

➕Malware/Ransomware up 36%

➕Phishing Scams/Fraud up 59%

The sad fact is that the threats of 2020 are not going away in 2021. There is simply too much money to be made by attacking businesses, their websites, infrastructure and staff.  

Attacks will continue to grow in number and attackers will continue to get more sophisticated.

So what can businesses do to defend themselves from unscrupulous users of the internet?

It's not a simple problem to fix. New attack vectors are revealed regularly, and new exploits are discovered by researchers and disclosed to the public every day. That means business owners and IT teams can put fixes in place, but it also means attackers can take advantage of those disclosures for their own purposes.

If you don't keep up with the constant developments in cyber security then your business will be left vulnerable, and it is only a matter of time before you get targeted, if you haven't been already.

So what are your options? 

❌Do nothing and hope attackers never notice you?

This isn't an option. The accepted wisdom in the cyber security industry is that for any business it isn't a question of IF but WHEN they will be targeted by an attack.

❌Try to keep on top of all the developments in the cyber security space and take all the actions necessary to defend yourself and your business?

You can try this, but the reality is that it will take a huge amount of time and take you and your IT staff away from your proper function, which is running your business.

✅Get professional assistance to supercharge your security and make life really difficult for attackers!!

We have a combined experience of over 20 years in the cyber security industry, the majority of which was spent as part of the world's largest Pentesting team.

We've spent those years learning and refining the skills of our trade and have applied them helping secure some of the UK’s largest financial and industrial institutions. 

Now we use our skills to benefit businesses of all sizes around the world. We've developed a set of tools and policies that boil down the industry's tried and tested methods to help you secure your business.

Can we offer you a magic fix or silver bullet? No, unfortunately it’s not that easy. Securing your business will take time and effort on your part. 

What we can do is give you the benefit of our years of experience, boiled down into manageable steps.  

Our process involves examining your business in detail so we can identify how and by what methods attacks can target you. Then we show you what changes you can make to reduce the risk of those attacks being successful. After that we help you develop and implement policies specific to your circumstances that will allow you to stay on top as the threat landscape evolves in the future.  

By taking you through the process an attacker would go through when targeting you, we reduce the ease with which attacks can be launched and allow you to prioritise your defensive effort for the most effect. We help you put yourself in a position where, even if an attack is successful and your perimeter is breached, the impact is confined and minimised, allowing your business to keep on functioning.

Business continuity is critical.   

We verify the results of your policies on an ongoing basis and help to update them when needed, putting you in a position to keep up with the ARMS RACE of cyber attack and defence.

You'll have the confidence and independence necessary to take action and grow your business, secure in the knowledge that you've done everything possible to reduce your attack surface.

Following our steps will not only help you and your staff know you're more secure. It will contribute to complying with regulatory requirements and client expectations, helping you acquire and keep larger clients by demonstrating that you have effective security processes and testing in place.
