PROACTIVE RISK
  • About
    • 800 lb Gorilla
    • Our Manifesto
    • Simple Agreements >
      • Mutual Confidentiality and Non Disclosure Agreement
      • Master Agreement | Work Order
    • BLOG
    • Capabilities Summary
    • Request Support
    • Contact Us
  • SOLUTIONS
    • Fractional CIO/CISO
    • Cyber Recruiter
    • Threat Modeling
    • Policies and Plans
    • MonitorIT®
    • Software Development
    • Domains | DNS
    • PhishIT®
    • MeasureRISK®
    • Vendor Risk
    • CATSCAN®
    • Physical Security
    • Backup Resiliency
    • ProtectIT®
    • ManageIT®
    • FINDIT® >
      • RAPTOR eDiscovery
  • RESOURCES
    • Tech News
    • Videos
    • Store
    • Guides | Tools
    • STAFF

GRAY BEARD BLOG

SHARING RANDOM THOUGHTS ON TECH

proactive security testing

2/23/2023

A comprehensive penetration test for a commercial business starts with scoping questions, so that the test covers the assets and exposures that matter to the business rather than whatever happens to answer on the network. Here are some key questions to ask before a penetration test assessment begins:
  1. What are the critical assets, as defined by the business rather than by IT?
  2. What are the potential attack vectors a malicious actor could use to reach those critical assets?
  3. What security controls are currently in place, and have they been validated by testing rather than by configuration review alone?
  4. Which vulnerabilities have already been identified by your own internal vulnerability assessments, and what is their remediation status?
  5. How are employee accounts and privileges provisioned, reviewed, and removed when people change roles or leave?
  6. How are software and hardware updates managed, and how quickly are security patches applied?
  7. What unusual protocols, ports, or services are exposed, and which of them are reachable from the internet?
  8. How are backups managed, and are restores regularly tested and validated?
  9. Are there any third-party vendors or partners with access to the system, and how are they managed from a security perspective?
  10. What are the key business functions that could be impacted by a successful cyber attack, and what is the potential impact to the business in terms of financial, reputational, or legal risk?
Answers to these and related questions give the tester a baseline of the organization's current security posture, define the rules of engagement, and make the findings easier to rank by business impact rather than by raw severity score.

If you would like to measure your security, we invite you to learn more about CATSCAN.

Threat Models help security

2/18/2023

Threat modeling is a structured process for identifying, analyzing, and ranking the security threats to a system or application before an attacker does the work for you. Here is a general process for threat modeling a custom web application connected to the internet:
  1. Identify the assets: Start with what needs protecting: customer and payment data, credentials and session tokens, intellectual property, and the availability of the web application itself.
  2. Identify the potential attackers: Consider who would attack this application and with what motivation and resources: opportunistic scanners and criminals, hacktivists, insiders with legitimate access, and, for some businesses, nation-states.
  3. Create a data flow diagram: Map the processes, data stores, external entities, and the flows between them, and mark the trust boundaries (browser to web server, web server to database, calls out to third-party APIs). Most threats cluster where data crosses a boundary.
  4. Identify potential threats: Walk each element of the diagram with a checklist such as STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) and the attackers from step 2. For a web application this typically surfaces injection, cross-site scripting, cross-site request forgery, broken authentication, and broken access control.
  5. Assess the likelihood and impact of each threat: Rate how likely each threat is to be attempted and to succeed, and what it would cost the business if it did, taking into account the asset involved and the attackers likely to target it.
  6. Prioritize the threats: Rank by the combination of likelihood and impact, and decide which threats must be addressed before release, which can be scheduled, and which the business knowingly accepts.
  7. Develop mitigations: Choose a control for each prioritized threat, such as parameterized queries and output encoding, encryption in transit and at rest, multi-factor authentication, or server-side authorization checks, and record the residual risk that remains.
  8. Test the mitigations: Verify that the controls work as designed through penetration testing, vulnerability scanning, and code review. A mitigation that has never been tested is an assumption, not a control.
  9. Monitor and update: Revisit the model whenever the application changes, a new dependency or integration is added, or a new class of attack emerges.
Threat modeling is an iterative process, and the above steps will be repeated several times throughout the lifecycle of the web application. It is important to involve all stakeholders in the threat modeling process, including developers, security teams, and business owners, to ensure that all aspects of the application are considered and protected.
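Steps 3 through 7 can be kept as data rather than as a whiteboard photo. The script below is an added example written for this post, not Proactive Risk's threat modeling deliverable: it represents the elements of a data flow diagram, generates candidate threats with the STRIDE-per-element mapping (external entities get S and R, processes all six, data stores T/R/I/D, flows T/I/D), scores them, ranks them, and records a mitigation with its residual likelihood. The web application model, the element kinds, and the starting scores (boundary-crossing elements score higher likelihood, elements holding critical data score higher impact) are constructed assumptions for illustration; an analyst adjusts them per threat.

```python
from dataclasses import dataclass
from enum import Enum


class Stride(str, Enum):
    """Threat categories of the STRIDE checklist."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    ELEVATION = "Elevation of privilege"


# STRIDE-per-element: which categories apply to each kind of DFD element.
APPLICABLE = {
    "external": {Stride.SPOOFING, Stride.REPUDIATION},
    "process": set(Stride),
    "datastore": {Stride.TAMPERING, Stride.REPUDIATION, Stride.INFO_DISCLOSURE, Stride.DOS},
    "flow": {Stride.TAMPERING, Stride.INFO_DISCLOSURE, Stride.DOS},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the keys of APPLICABLE
    crosses_boundary: bool = False  # touches a less-trusted zone, e.g. the internet
    holds_sensitive: bool = False   # stores or carries data the business called critical


@dataclass
class Threat:
    element: Element
    category: Stride
    likelihood: int                 # 1 (rare) .. 5 (expected)
    impact: int                     # 1 (negligible) .. 5 (severe)
    mitigation: str = ""

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def enumerate_threats(elements):
    """Step 4: one candidate threat per (element, applicable STRIDE category).

    The initial scores are a constructed starting point for the analyst to adjust:
    boundary-crossing elements are more likely to be attacked, and elements that
    hold critical data hurt more when they are."""
    threats = []
    for el in elements:
        for cat in sorted(APPLICABLE[el.kind], key=lambda c: c.value):
            likelihood = 4 if el.crosses_boundary else 2
            impact = 5 if el.holds_sensitive else 3
            threats.append(Threat(el, cat, likelihood, impact))
    return threats


def prioritize(threats):
    """Steps 5-6: highest risk first; ties broken by element and category name."""
    return sorted(threats, key=lambda t: (-t.risk, t.element.name, t.category.value))


def record_mitigation(threats, element_name, category, mitigation, residual_likelihood):
    """Step 7: attach a mitigation and the likelihood that remains once it is in place."""
    for t in threats:
        if t.element.name == element_name and t.category == category:
            t.mitigation = mitigation
            t.likelihood = residual_likelihood


# Constructed DFD for a custom web application: browser -> web app -> database.
WEB_APP_MODEL = [
    Element("Browser user", "external", crosses_boundary=True),
    Element("Web application", "process", crosses_boundary=True, holds_sensitive=True),
    Element("Customer database", "datastore", holds_sensitive=True),
    Element("Browser -> Web app (HTTPS)", "flow", crosses_boundary=True, holds_sensitive=True),
    Element("Web app -> Database (SQL)", "flow", holds_sensitive=True),
]

if __name__ == "__main__":
    threats = enumerate_threats(WEB_APP_MODEL)
    record_mitigation(threats, "Web application", Stride.TAMPERING,
                      "parameterized queries and server-side input validation", 1)
    for t in prioritize(threats)[:8]:
        print(f"{t.risk:>2}  {t.element.name:<28} {t.category.value:<24} {t.mitigation}")
```

With this model the nine threats against the two boundary-crossing, data-carrying elements (the web application process and the browser-to-server flow) land at the top with risk 20, the anonymous browser user follows at 12, and the internal database and its flow sit at 10: the ranking falls out of the diagram's trust boundaries before any analyst judgement is applied. Recording a mitigation drops the residual likelihood and re-running `prioritize` shows what moves to the top next, which is the iteration step 9 describes.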

For more information on Threat Modeling, contact us.

Data breach coach?

2/18/2023

A data breach coach, also known as a breach response coach or cyber incident coach, is a specialist who guides an organization through its response to a data breach. In practice the coach is often an attorney, frequently engaged through the organization's cyber insurance carrier or outside counsel, so that the investigation's work product can be protected by privilege. The purpose of the role is to help the organization respond in a timely, effective, and efficient manner, minimizing the damage and protecting the organization's reputation.
Here is how a data breach coach can help you before, during, and after a data breach:
Before a data breach:
  • Conducting a risk assessment: A data breach coach can help you identify potential vulnerabilities in your systems and processes, and develop a plan to address them.
  • Developing an incident response plan: A data breach coach can help you create a comprehensive plan for responding to a data breach, including roles and responsibilities, communication protocols, and escalation procedures.
  • Training and awareness: A data breach coach can provide training and awareness programs for employees, so they understand the risks and know how to respond to a breach.
During a data breach:
  • Providing guidance and support: A data breach coach can provide immediate support and guidance during a data breach, helping you make critical decisions and navigate the complex legal and regulatory requirements.
  • Coordinating with third parties: A data breach coach can work with your legal counsel, IT staff, and other third-party service providers, ensuring that everyone is working together to minimize the impact of the breach.
  • Managing communications: A data breach coach can help you manage internal and external communications, including notifying affected individuals, communicating with regulators and other stakeholders, and managing the media.
After a data breach:
  • Conducting a post-incident review: A data breach coach can help you evaluate the effectiveness of your response to the breach and identify areas for improvement.
  • Addressing remediation: A data breach coach can help you implement remediation measures to prevent future breaches, such as implementing new policies and procedures, upgrading security systems, or providing additional employee training.
  • Managing legal and regulatory issues: A data breach coach can help you navigate legal and regulatory issues, including responding to any lawsuits or regulatory inquiries that arise as a result of the breach.
In summary, a data breach coach can provide valuable guidance and support to organizations before, during, and after a data breach. Their expertise in breach response and their ability to work with multiple stakeholders can help organizations respond effectively to a breach and minimize the potential damage to their reputation and operations.

CIO, CTO: What's the difference?

2/18/2023

The Chief Information Officer (CIO) and Chief Technology Officer (CTO) are both senior executives responsible for technology-related decisions in an organization, but they have different primary roles and responsibilities.
The primary role of the CIO is to oversee the organization's overall technology strategy and ensure that it aligns with the company's business goals. They are responsible for managing the technology infrastructure, including hardware, software, and networks, and ensuring that they are secure, reliable, and scalable. The CIO also manages the organization's data, including storage, security, and analytics. They work closely with other departments to identify technology needs, implement solutions, and ensure that technology is integrated effectively with the business.
The primary role of the CTO is to drive the organization's technology vision and innovation. They are responsible for evaluating emerging technologies, identifying potential new business opportunities, and developing strategies to implement those technologies. The CTO is often involved in the development of new products and services, working closely with product managers and engineering teams. They may also be responsible for research and development, including creating prototypes, testing new technologies, and assessing the viability of emerging trends.
While both the CIO and CTO are responsible for technology-related decisions, their primary focus and responsibilities are different. The CIO is focused on managing the current technology infrastructure and ensuring that it supports the business, while the CTO is focused on driving innovation and identifying new opportunities for the organization. In some organizations, the CIO and CTO roles may overlap or be combined, depending on the size and complexity of the business.

Wireless security

2/18/2023

Wireless routers provide internet connectivity to devices over Wi-Fi and usually sit at the boundary of a home or small-business network, which makes them a target, especially when they run with default settings, have weak configurations, or carry unpatched firmware vulnerabilities. Here are some common methods attackers use to bypass the security controls on a wireless router:
  1. Default Credentials: Attackers try the default administrator login and, on some models, the default Wi-Fi passphrase printed on the label or derivable from the SSID. Default credential lists for most vendors are freely available online.
  2. Brute-Force Attacks: Automated password guessing with common passwords or dictionaries, either online against the router's management login or offline against a captured WPA/WPA2 four-way handshake. A deauthentication frame forces a client to reconnect so the handshake can be captured.
  3. Firmware Vulnerabilities: Attackers exploit known flaws in the router's firmware, typically in the web management interface, UPnP, or remote administration, to take over the device and reach everything behind it. Consumer routers often stop receiving updates years before they are retired.
  4. Exploiting WPS: Wi-Fi Protected Setup (WPS) lets users join a device by entering an 8-digit PIN. The PIN's last digit is a checksum and the protocol verifies the two halves separately, so an online brute force needs at most about 11,000 attempts instead of 100 million, and many routers do not lock out reliably.
  5. Rogue Access Points: Attackers broadcast an access point with the same network name (an "evil twin") and a stronger signal, so that devices connect to it and hand over credentials, handshakes, or traffic.
  6. MAC Spoofing: Every frame carries the client's Media Access Control (MAC) address in the clear, so an attacker copies an authorized device's address and walks past MAC address filtering.
  7. Packet Sniffing: On open networks, or on networks still using the broken WEP protocol, traffic can be read directly. On WPA2-Personal, anyone who knows the shared passphrase and captures a client's handshake can decrypt that client's traffic.
  8. Denial of Service (DoS) Attacks: Flooding the router or sending deauthentication frames knocks clients off the network. DoS on its own rarely yields data, but it is used as a step in other attacks: to capture a reconnecting client's handshake, or to push clients onto a rogue access point.
To protect against these attacks: change the default administrator credentials; use WPA2 (AES) or WPA3 with a long, random passphrase; keep firmware updated and replace routers the vendor no longer supports; disable WPS; disable remote (WAN-side) administration and UPnP unless they are needed; put guest and IoT devices on a separate network; and periodically review the list of connected clients for devices you do not recognize. MAC address filtering and hidden network names are not security controls, as items 5 and 6 show. A virtual private network (VPN) protects the traffic of the device running it on untrusted networks, but it does not secure the router itself.
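The arithmetic behind item 4, as an added example that is not part of the original post. WPS PINs are eight digits, but the eighth is a checksum over the first seven, and the external-registrar exchange reports a failure of the first four digits (at message M4) separately from a failure of the last four (at message M6), the weakness Stefan Viehböck published in 2011 and the Reaver tool automates. The `SimulatedAccessPoint` below is a constructed stand-in that models only that response behaviour; no radio traffic is involved, and the PIN value is arbitrary.

```python
def wps_checksum(pin7: int) -> int:
    """Checksum digit WPS appends to a 7-digit PIN.

    Digits 1, 3, 5, 7 (counted from the left) are weighted 3, digits 2, 4, 6 are
    weighted 1; the checksum makes the weighted sum a multiple of 10."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN ends with the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


NAIVE_KEYSPACE = 10 ** 8                 # what an 8-digit PIN appears to offer
EFFECTIVE_KEYSPACE = 10 ** 4 + 10 ** 3   # what split verification plus the checksum leaves


class SimulatedAccessPoint:
    """Constructed stand-in for the AP side of the WPS PIN exchange.

    A real AP answers with a NACK at M4 when the first four digits are wrong and
    at M6 when the last four are wrong, so the attacker learns about each half
    separately. This class models only that leak."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin), "constructed AP PIN must carry a valid checksum"
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK at M4"   # first half wrong
        if pin != self._pin:
            return "NACK at M6"   # second half wrong
        return "M7"               # success: the AP would now hand over the network key


def recover_pin(ap: SimulatedAccessPoint):
    """Online brute force that exploits the split verification.

    Phase 1 fixes the first half (at most 10^4 tries), phase 2 the remaining three
    digits (at most 10^3 tries); the checksum digit is computed, never guessed."""
    first_half = None
    for first in range(10_000):
        seven = f"{first:04d}000"
        if ap.try_pin(seven + str(wps_checksum(int(seven)))) != "NACK at M4":
            first_half = f"{first:04d}"
            break
    if first_half is None:
        return None
    for second in range(1_000):
        seven = f"{first_half}{second:03d}"
        candidate = seven + str(wps_checksum(int(seven)))
        if ap.try_pin(candidate) == "M7":
            return candidate
    return None


if __name__ == "__main__":
    ap = SimulatedAccessPoint("12345670")     # constructed PIN; 0 is its checksum digit
    print("recovered:", recover_pin(ap), "after", ap.attempts, "attempts")
    print("worst case:", EFFECTIVE_KEYSPACE, "attempts instead of", NAIVE_KEYSPACE)
```

The point of the exercise is the ratio: 11,000 attempts worst case versus 100 million. Lock-out after a handful of failures would make even 11,000 attempts slow, which is why the advice above is to disable WPS outright rather than rely on the router's lock-out logic, which has historically been weak or absent.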

How to test api security

2/18/2023

An API security assessment looks for vulnerabilities, bugs, and design flaws in the API and the code behind it: broken object-level and function-level authorization, weak authentication, excessive data exposure, missing rate limits, and injection, the classes catalogued in the OWASP API Security Top 10. The following is a general process for conducting an API security assessment:
  1. Define the Scope: Identify the specific APIs and versions to be tested, the environments they will be tested in (never production without explicit agreement), the vulnerability classes in scope, the roles and test accounts the tester will use, and the level of testing coverage required.
  2. Discover the API: Build an inventory of every endpoint, method, and parameter. Sources include OpenAPI/Swagger documentation, API gateway configuration, traffic captured from the web front end or mobile application, JavaScript bundles, and undocumented or deprecated versions that are still reachable. Endpoints that are not in the documentation are the ones most often left unprotected.
  3. Identify Vulnerabilities: Review each endpoint for the likely weaknesses: authentication that can be skipped, object identifiers that are not checked against the caller, parameters that are passed straight into queries or commands, and responses that return more fields than the client needs. This can be done manually, with automated tools, or with a combination of both.
  4. Test the API: Confirm whether each suspected weakness can actually be exploited, using a combination of manual requests, fuzzing, and scanners. Authorization testing needs at least two accounts of the same role and one of a higher role, so that there is something to compare against.
  5. Analyze Results: Verify each finding, discard false positives, and determine the severity of what remains based on what an attacker could reach with it.
  6. Prioritize Vulnerabilities: Rank the confirmed vulnerabilities by the risk they pose to the application or system, based on factors such as the likelihood of exploitation and the potential impact.
  7. Report Findings: Document the findings for the relevant stakeholders. The report should include a summary, a description of each vulnerability with the exact request and response that reproduces it, and specific recommendations for remediation.
Overall, an API security assessment is a critical step in ensuring the security and resilience of an application or system. By following a structured process of discovery, vulnerability identification, testing, and analysis, organizations can find weaknesses and mitigate them before they are exploited by attackers.

For more information about our CATSCAN service, contact us.

What is DAST?

2/18/2023

Dynamic Application Security Testing (DAST) evaluates the security of a web application while it is running, by sending requests to it and analyzing the responses the way an attacker would, without access to the source code. Where a service provider sells DAST to a buyer, the service would involve the following steps (Proactive Risk is the provider in this example):
  1. Scope Definition: Proactive Risk and the buyer define the web applications and environments to be tested, the specific vulnerability classes to be tested for, whether the scan will be authenticated (and which test accounts it will use), and the desired level of testing coverage.
  2. Tool Selection: Proactive Risk selects the crawler, scanner, and interception proxy appropriate to the scope. Automated tools find the repeatable classes of flaw; a tester still drives them, tunes them to the application, and verifies what they report.
  3. Testing Execution: Once the scope and tools have been defined, the selected DAST tools are run against the web applications to identify vulnerabilities such as SQL injection, cross-site scripting, insecure redirects, and missing security headers. Findings are commonly mapped to the OWASP Top 10 categories or to the requirements of the OWASP Application Security Verification Standard (ASVS).
  4. Vulnerability Analysis: After testing, the service provider confirms each finding manually, discards false positives, determines the severity of what remains, and prioritizes by the risk each vulnerability poses.
  5. Reporting: The service provider delivers a report with a summary of the findings, a description of each vulnerability with the request and response that demonstrates it, and recommendations for how to address it.
  6. Remediation: Based on the report, the buyer addresses the vulnerabilities. This might involve fixing code, patching software, updating configurations, or modifying user permissions.
  7. Retesting: Once the vulnerabilities have been addressed, Proactive Risk conducts a follow-up DAST run to confirm that each vulnerability has been remediated rather than merely hidden from the scanner.
Overall, DAST is a critical component of any web application security program, and a service provider brings the expertise and experience to make the results reliable. DAST sees only what the running application exposes, so it complements rather than replaces code review (SAST) and threat modeling. By offering a comprehensive DAST service, Proactive Risk helps customers identify and mitigate security risks and enhance the overall security and resilience of their web applications.
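The two previous posts both describe testing a running target from the outside. The script below is an added example written for both of them (it is not CATSCAN and not a real scanner): a constructed in-memory web application with two deliberate flaws, an order endpoint that authenticates but never checks who owns the requested object, and a search page that reflects its parameter into HTML unencoded, plus the two probes that find them. The first probe is the object-level authorization test from the API post (step 4: two accounts, one reading the other's object); the second is the marker-reflection test a DAST tool runs for cross-site scripting. A hardened copy of the search page shows what a clean result looks like. All endpoint paths, tokens, and data are constructed.

```python
import html
import secrets

# --- Constructed target: a tiny in-memory web app standing in for the system
# under test. Its two flaws are deliberate so the probes have something to find.
USERS = {"token-alice": "alice", "token-bob": "bob"}
ORDERS = {"101": {"owner": "alice", "item": "laptop"}, "202": {"owner": "bob", "item": "router"}}


def mock_app(path, params=None, headers=None):
    """Handle one GET request and return (status, body). Not a real server."""
    params, headers = params or {}, headers or {}
    user = USERS.get(headers.get("Authorization", "").removeprefix("Bearer "))
    if path.startswith("/api/orders/"):
        if user is None:
            return 401, '{"error": "unauthorized"}'
        order_id = path.rsplit("/", 1)[1]
        order = ORDERS.get(order_id)
        if order is None:
            return 404, '{"error": "not found"}'
        # Flaw 1: broken object-level authorization. order["owner"] is never
        # compared with the authenticated user, so any valid token reads any order.
        return 200, f'{{"id": "{order_id}", "item": "{order["item"]}"}}'
    if path == "/search":
        # Flaw 2: reflected XSS. The parameter is written into HTML unencoded.
        return 200, f"<h1>Results</h1><p>You searched for: {params.get('q', '')}</p>"
    if path == "/search-safe":
        # Hardened version of the same page: output encoded for an HTML context.
        safe = html.escape(params.get("q", ""), quote=True)
        return 200, f"<h1>Results</h1><p>You searched for: {safe}</p>"
    return 404, "not found"


# --- Probes. Each returns a list of findings; an empty list means nothing found.

def probe_object_authorization(app, template, own_id, other_id, token):
    """API test: anonymous access must be refused (401) and a valid token must
    not be able to read an object that belongs to another user."""
    findings = []
    status, _ = app(template.format(id=own_id))
    if status != 401:
        findings.append(f"{template}: anonymous request returned {status}, expected 401")
    status, _ = app(template.format(id=other_id), headers={"Authorization": f"Bearer {token}"})
    if status == 200:
        findings.append(f"{template}: token for one user read object {other_id} owned by another (BOLA/IDOR)")
    return findings


def probe_reflection(app, path, param):
    """DAST-style test: send a unique marker carrying HTML metacharacters and
    check whether it comes back unencoded. A fresh marker per run means a stale
    or cached page cannot produce a false hit."""
    marker = f"<zz{secrets.token_hex(4)}'\">"
    _, body = app(path, params={param: marker})
    if marker in body:
        return [f"{path}?{param}=: input reflected without encoding (reflected XSS)"]
    # html.escape(marker, quote=True) appearing in body would mean reflected but safely encoded
    return []


def run_assessment(app):
    """The scope for this constructed target; a real engagement drives this from the endpoint inventory."""
    findings = []
    findings += probe_object_authorization(app, "/api/orders/{id}", own_id="101", other_id="202", token="token-alice")
    findings += probe_reflection(app, "/search", "q")
    findings += probe_reflection(app, "/search-safe", "q")
    return findings


if __name__ == "__main__":
    for finding in run_assessment(mock_app):
        print("FINDING:", finding)
```

Against a real target the `app` callable is replaced by an HTTP client, and the scope list in `run_assessment` comes from the discovery step; the probe logic does not change. Note what the authorization probe needs that a scanner cannot supply on its own: two valid accounts and knowledge of which object belongs to whom. That is why API scoping (step 1) has to include test credentials for more than one role.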

For more information about our CATSCAN service, contact us.

watch out for social engineering

2/15/2023

Social engineering is a tactic attackers use to manipulate people into divulging confidential information or granting access, rather than defeating a technical control. Here are ten common ways social engineers gain access to confidential information:
  1. Phishing: An email or message that appears to come from a legitimate source, such as a bank or a vendor, asks the recipient to supply credentials or account details, usually through a link to a look-alike site.
  2. Baiting: A tempting item, such as a USB drive labelled "salaries" or a free download, is left where a target will find it; using it installs malware.
  3. Pretexting: A fabricated persona or scenario, such as posing as IT support, an auditor, or a government official, gives the target a plausible reason to hand over information.
  4. Tailgating: Following an authorized person through a controlled door before it closes, without their knowledge or consent.
  5. Piggybacking: Gaining entry with the cooperation of an authorized person, for example by carrying boxes and asking them to hold the door, or by claiming to have forgotten a badge.
  6. Reverse social engineering: The attacker creates or advertises a problem and presents themselves as the person who can fix it, so that the target initiates contact and volunteers credentials or access.
  7. Spear phishing: Highly targeted messages crafted for a specific individual or group from details gathered beforehand (role, projects, colleagues, suppliers), which makes them far more convincing than bulk phishing.
  8. Phone phishing (vishing): A caller impersonates a bank, a vendor, or the help desk to extract confidential information, or talks the target through "verification" steps that hand over access.
  9. Dumpster diving: Searching discarded material, paper and hardware alike, for financial statements, employee records, passwords, or network diagrams.
  10. Human hacking: Combining these techniques with psychological pressure (urgency, authority, fear, reciprocity) to walk a target into disclosing what the attacker wants.
To protect against social engineering, train people to verify unexpected requests through a second channel, make it easy to report suspicious contact without blame, enforce badge and visitor procedures, shred or securely dispose of sensitive material, and use multi-factor authentication so that a disclosed password alone is not enough.
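Items 1, 7, and 8 all rest on the message appearing to come from a legitimate source. A few of the header tells that a help desk or mail gateway can check mechanically are shown below, as an added example written for this post (not a PhishIT component): a From header that carries a trusted address inside the display name while the real sender is elsewhere, a Reply-To that diverts answers to a different domain, an envelope sender that does not match, and a brand name on a domain the brand does not use. The brand list and both sample messages are constructed; in production the brand table comes from your own vendor and partner inventory.

```python
import email
import re
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed brand list: display-name keywords and the domains they legitimately send from.
TRUSTED_BRANDS = {
    "example bank": {"examplebank.com"},
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _sender(header_value: str) -> str:
    """The address that actually sends: the angle-bracket address if the header
    parses, otherwise the last address-shaped token in the header."""
    _, addr = parseaddr(header_value)
    if not addr:
        found = ADDR_RE.findall(header_value)
        addr = found[-1] if found else ""
    return addr.lower()


def header_red_flags(raw_message: str) -> list:
    """Header-only triage for the 'appears to come from a legitimate source' trick."""
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_domain = _domain(_sender(from_header))
    flags = []

    # 1. More than one domain in From: the display name is carrying a fake address.
    seen = {_domain(a) for a in ADDR_RE.findall(from_header)}
    if len(seen) > 1:
        flags.append(f"From header mixes domains {sorted(seen)}; real sender domain is {from_domain}")

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_domain = _domain(_sender(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Envelope sender (Return-Path) does not match the From domain.
    return_domain = _domain(_sender(msg.get("Return-Path", "")))
    if return_domain and return_domain != from_domain:
        flags.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")

    # 4. A trusted brand is named but the mail comes from a domain that brand does not use.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in from_header.lower() and from_domain not in domains:
            flags.append(f"display name invokes '{brand}' but sender domain is {from_domain}")
    return flags


# Constructed samples, not real mail.
PHISH = """\
From: "Example Bank Security <alerts@examplebank.com>" <notice@examplebank-verify.net>
Reply-To: support@mail-recovery.example.org
Return-Path: <bounce@mail-recovery.example.org>
To: victim@corp.example
Subject: Your account will be suspended within 24 hours

Confirm your details at the link below to avoid suspension.
"""

LEGIT = """\
From: "Example Bank Alerts" <alerts@examplebank.com>
Return-Path: <alerts@examplebank.com>
To: customer@corp.example
Subject: Your monthly statement is available

Log in through the usual address to view it.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, header_red_flags(sample) or ["no header red flags"])
```

None of these checks is proof on its own: mailing-list software and some ticketing systems legitimately set Reply-To and Return-Path to other domains, which is why the function returns the reasons rather than a verdict, and why a human still reviews what the rule flags. Messages with no header anomalies at all (a compromised supplier mailbox, for example) are exactly the spear-phishing case in item 7, and no header check catches them; the out-of-band verification habit described above does.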

For more information about our CATSCAN services, contact us today.

Finding needles in a haystack

2/2/2023

I recently did an interview on the Reimagining Cyber Podcast about advancements in the software security industry. I then took some time to think about the Fortify product that I have worked with for so many years. The pros and the cons: what are your thoughts?

OpenText - Fortify

Pros of using static source code analysis tools like Fortify for software code quality:
  1. Identifying security vulnerabilities: Fortify traces data from untrusted inputs to dangerous operations and flags weaknesses such as buffer overflows, cross-site scripting (XSS), SQL injection, and hard-coded credentials before the code ships. This can help prevent attacks and protect sensitive data.
  2. Improving code quality: Fortify applies a consistent rule set across the whole code base, helping developers improve the quality and maintainability of the code and catching the same class of mistake everywhere it occurs rather than only where a reviewer happened to look.
  3. Automation: Fortify can scan every build or commit, reducing the time and effort required for manual review of routine issues. This lets developers and reviewers focus on design and logic problems that tools cannot judge.
  4. Integration with development tools: Fortify integrates with integrated development environments (IDEs), continuous integration (CI) pipelines, and issue trackers, so findings reach developers where they work rather than in a separate report.
Cons of using source code tools like Fortify:
  1. False positives: A static tool cannot always tell that a value was validated upstream or that a code path is unreachable, so it reports issues that do not exist. Triaging them costs time, and untriaged noise trains developers to ignore the tool.
  2. False negatives: Fortify finds only what its rules describe. Business-logic flaws, authorization mistakes, misconfiguration, and problems that depend on runtime data, third-party services, or code the scanner cannot see are typically missed.
  3. Resource requirements: Full scans of large code bases take hours and significant memory, so they tend to run nightly rather than on every change, and findings arrive after the developer has moved on.
  4. Cost: Fortify is expensive, which is a challenge for smaller organizations or projects with limited budgets.
Overall, source code tools like Fortify can be a valuable tool for improving software code quality and identifying security vulnerabilities. However, it's important to understand their limitations and to use them as part of a comprehensive software development process that includes manual code review, dynamic testing, and other security measures.
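To make the pros and cons concrete, here is a toy version of the taint analysis that static analyzers perform, written as an added example for this post; it is not Fortify's code, rules, or engine, and its three rule lists are constructed. It parses Python with the standard library's `ast` module, marks variables that receive data from a source (`request.args.get`, `input`), propagates the mark through assignments, concatenation, and f-strings, clears it through a known sanitizer (`int`), and reports when a marked value reaches the first argument of `cursor.execute`. The five constructed functions in `SAMPLE` each exercise one row of the lists above: a true positive, a clean parameterized query, a recognized sanitizer, a home-grown `escape()` the analyzer cannot judge (the false-positive case from con 1), and a helper function it does not look inside (the false-negative case from con 2).

```python
import ast

# Constructed rule set. A commercial analyzer ships thousands of rules; the
# point here is the mechanism, not the coverage.
SOURCES = {"request.args.get", "request.form.get", "input"}   # where attacker data enters
SINKS = {"cursor.execute"}                                     # where it must not arrive untrusted
SANITIZERS = {"int", "float"}                                  # calls whose result is safe for this sink


def dotted_name(node):
    """'request.args.get' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """Does this expression carry attacker-controlled data, given the tainted variable set?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        # Unknown call: assume taint flows through its arguments. The conservative
        # choice, and the reason home-grown sanitizers show up as false positives.
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):   # f-string
        return any(is_tainted(v.value, tainted) for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, (ast.Attribute, ast.Subscript)):
        return is_tainted(expr.value, tainted)
    return False


def _scan_statements(stmts, tainted, findings):
    for stmt in stmts:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)
        body = getattr(stmt, "body", None)
        if isinstance(body, list):                      # if/for/while/with/try: recurse
            _scan_statements(body, tainted, findings)
            _scan_statements(getattr(stmt, "orelse", []), tainted, findings)
            continue
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            if dotted_name(call.func) in SINKS and call.args and is_tainted(call.args[0], tainted):
                findings.append(call.lineno)


def scan_source(src):
    """Per function: source line numbers where tainted data reaches a sink. Intra-procedural only."""
    report = {}
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            findings = []
            _scan_statements(node.body, set(), findings)
            report[node.name] = sorted(set(findings))
    return report


def flagged_functions(src):
    return sorted(name for name, lines in scan_source(src).items() if lines)


# Constructed code under review; each function illustrates one row of the pro/con lists.
SAMPLE = '''
def vulnerable(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)                       # true positive: concatenated input

def parameterized(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))   # clean: bound parameter

def sanitized(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM accounts WHERE id = " + str(uid))    # clean: int() is a known sanitizer

def custom_escape(request, cursor):
    user = escape(request.args.get("user"))
    cursor.execute("SELECT * FROM accounts WHERE name = '" + user + "'")  # flagged: tool cannot judge escape()

def via_helper(request, cursor):
    user = read_user(request)                  # helper returns request input, but the analyzer
    cursor.execute("SELECT * FROM accounts WHERE name = '" + user + "'")  # never looks inside it: missed
'''

if __name__ == "__main__":
    for name, lines in scan_source(SAMPLE).items():
        print(f"{name:<14} {'FLAGGED at line ' + str(lines) if lines else 'clean'}")
```

Whether `custom_escape` is a false positive depends on whether `escape()` is actually adequate for the SQL dialect in use, and the analyzer has no way to know; the reviewer has to decide, which is con 1 in practice. `via_helper` is the more dangerous case: the scan reports it clean, and a team that trusts "clean" as "safe" ships the injection. Real analyzers follow data across function and file boundaries and model far more of the language than this, which is where the running time in con 3 comes from, but the trade-off between the two error types is the same one this toy shows.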

    Tom Brennan

    This is my blog, there are many like it but this one is mine. Enjoy.



Contact Info

Proactive Risk Inc.
Tel: +1 (973) 298-1160
Web: www.proactiverisk.com
eMail: sales(at)proactiverisk.com

© COPYRIGHT 2023. ALL RIGHTS RESERVED.