Takeaways from SANS SEC560 - Ethical Hacking and Pen Testing

This past week I completed the SANS SEC560 – Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training. A Quick Overview of the SANS 560 Class Experience Curriculum Overview SANS[…]

How to Attack and Protect Network Printers and Devices

Recently I was asked by a CIO to think of and execute a simple attack at a manufacturing facility as part of an ongoing initiative to enhance cyber security awareness. I’m not at all a penetration tester or ethical hacker, but there are a few very simple “attacks” that almost anyone can execute. In this[…]

Differentiating Penetration Tests, Vulnerability Scans, and Risk Assessments

Penetration testing has become another hot, and often misused, term in the marketplace, joining the ranks of other buzzwords such as “Cybersecurity”, “Hacker” and “The Cloud”. Oftentimes, organizations confuse penetration testing with vulnerability scans or security posture assessments (a.k.a. risk assessments). While penetration testing does include utilizing vulnerability scans and overlaps with security[…]

Are Penetration Tests Worth the Risk?

I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk. There seem to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it’s trying to mitigate; the other side calls[…]

WordPress Website Security Hardening Checklist (Whitepaper)

WordPress websites make up over 20% of all the websites on the internet. If you have a WordPress website, that’s both a blessing and a curse. WordPress’s popularity means that there is a whole community dedicated to making enhancements and ensuring it is secure. It also means that there are plenty of people willing and[…]

Designing an Effective Information Security Training

The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the phone, and[…]

Pen Testing: Malicious File Execution

What is a Malicious File Execution Vulnerability? A malicious file execution vulnerability (also called a File Inclusion Vulnerability) is a vulnerability that occurs when user input or uploads to a website are not properly handled, or when the website/web application performs poor data validation. Web applications that are poorly designed or coded may automatically run or parse input[…]

Pen Testing: SQL Injection/Injection Flaws

What are SQL Injections/Injection Flaws? Injection Flaws allow attackers to run a malicious command or block of malicious code on the back-end (the database) of a targeted web-based application. For example, an attacker may send instructions to a vulnerable back-end database via an SQL command to manipulate the functionality of an application or to steal data.[…]

Pen Testing: Cross Site Scripting (XSS)

What is Cross Site Scripting (XSS)? Cross Site Scripting (XSS) is the first test in a series of controls which exist to protect user data, prevent fraud and secure the organization’s web application and environment. Cross Site Scripting (XSS) is a common application layer web attack that, despite originating from a website, is actually executed[…]