NetWorks Group Blog

Your Passwords Are Bad (and there’s probably no fool-proof solution.)

Posted by Aaron Pohl on Aug 3, 2016 11:21:00 AM

Adobe, MySpace, LinkedIn, and many other large organizations have had major password breaches in the last few years: breaches where attackers have exfiltrated usernames, email addresses, passwords, and in some cases, plaintext password hints and other data from the company’s database. The initial response is always, "Log into that service, and change your password before the hackers get in and take over that account!" The sad truth is that it’s rarely that account that matters – it’s the other accounts, with other services, where you (or your users) used the same password and email address as on the compromised account.

Topics: Ethical Hacking, Information Security, Vulnerability Management, Penetration Testing, Threat Management

PCI's Bold Move to Define Penetration Testing

Posted by Mike Stailey on Apr 7, 2015 11:14:00 AM

In March 2015, the PCI Council released their Information Supplement for Penetration Testing Guidance. This is a fantastic move, as previous guidelines were centered on the completion of penetration tests and left the methodology for completing those up to the auditor. With this guidance in place, we now have a clear definition of what qualifies as a penetration test in the eyes of the Council. There isn’t a need to rehash the document for you here, and I encourage everyone to read it. I would like to focus on a few key highlights that I’m happy to see added.

Topics: Ethical Hacking, Compliance, Penetration Testing

Nails in the Coffin: What put SSL in the grave?

Posted by Aaron Pohl on Mar 19, 2015 2:09:00 PM

In light of new PCI-DSS requirements stating that SSLv3 no longer meets the specification for “strong cryptography” prescribed by PCI standards, we wanted to give you a brief history of how the industry got here and why SSLv3 is no longer considered secure.

Topics: Ethical Hacking, Information Security, Security Architecture Review, Penetration Testing

Red Teaming - Is it right for you?

Posted by Michael Walker on Jan 28, 2015 4:17:00 PM

In this post, I'd like to talk about how to actually apply the concept of “red teams” in your enterprise. First and foremost, red teaming for cyber security refers to the concept of a small team of hackers reviewing an organization to determine if they can gain access to critical assets. This may not sound much different than a penetration test, but one crucial piece is almost non-existent in a red team exercise: scope. A red team will utilize a web application, mobile platform, physical, social engineer, and network tester as part of a team whose goal is to profile the organization and gain access.

Topics: Security Monitoring, Managed Detection & Response, Ethical Hacking, Penetration Testing

Penetration Testing for the Executive

Posted by NetWorks Group on Dec 16, 2014 10:19:00 AM

Whether you are a veteran security executive who has received hundreds of penetration testing reports, or a part-time security manager whose primary roles lie in traditional business management, it can be difficult to decipher the encrypted text held within some penetration testing reports. The problem exists because there is not a standard for penetration testing reporting inside of the industry. I’ve seen literary works that range anywhere from Dr. Seuss to William Shakespeare. I have peer-reviewed reports for associates whose bad grammar could make a first grader wince. The goal here is to identify what makes a penetration test report good, how to interpret the results, and finally how to put them to use in your strategic planning to improve organizational security.

Topics: Ethical Hacking, Penetration Testing

NetWorks Group is Hiring: Come Join Our Team!

Posted by NetWorks Group on May 6, 2013 9:17:00 AM

If you're a fan of delicious restaurants, awesome concert venues, Big 10 sports, or just a bike-friendly city, then you should probably be working with us in beautiful downtown Ann Arbor, Michigan. The team at NetWorks Group works at the corner of Main and Huron, a central point among blocks of great places to shop, eat, and relax. Located a short distance from the University of Michigan, NetWorks Group benefits from the feeling of both a college town and an active business hub for southeastern Michigan. For a vibrant mixture of cultures, architecture, and activities, Ann Arbor is hard to beat!

Topics: Security Monitoring, Managed Detection & Response, Ethical Hacking, Device Management, Information Security, Threat Hunting, Vulnerability Management, Security Architecture Review, Compliance, Penetration Testing, Incident Response, Threat Management

Hiring an Ethical Hacker: Tips for Success

Posted by NetWorks Group on Apr 23, 2013 10:41:00 AM

At a recent ISSA Motor City chapter meeting, one of our Sr. Security Engineers, Mark Stanislav, presented his thoughts on how the process of hiring Ethical Hacking (EH) services could be better accomplished by an organization that may not be familiar with doing so. During Mark's presentation he outlined ten big-picture topics and sub-points to each, covering a broad set of ideas. We thought we'd share some of those points today in a post regarding this crucial and sometimes complicated process. If your company is trying to hire penetration testing services (or other EH projects), we hope these notes may give you a better sense of what to expect and how to ensure success with your project.

Topics: Ethical Hacking, Penetration Testing, Incident Response

Come Chat with NetWorks Group at an Upcoming Event

Posted by NetWorks Group on Apr 17, 2013 3:10:00 PM

At NetWorks Group, we put a lot of value in interacting in person with the various technology communities important to our team. More than that, we love to be able to meet with customers and people looking to find out more about what we do and how our team could help yours achieve tough goals.

Topics: Security Monitoring, Managed Detection & Response, Ethical Hacking, Information Security, Vulnerability Management, Compliance, Penetration Testing, Threat Management

Another Certificate Authority (CA) Blunder; No Hack Required

Posted by NetWorks Group on Mar 15, 2013 11:37:00 AM

The Certificate Authority (CA) system that currently handles how we publicly interact 'securely' with web sites, mail servers, and other services around the world can't catch a break. In the latest black eye, an Entrust bulletin speaks about how a Malaysian CA called Digicert Malaysia recently issued 22 certificates with glaring CPS violations, including the usage of 512-bit RSA keys. At this time, there's no suggestion of fraud or criminal activity being involved, but it's certainly confusing why this would have happened without it.

Topics: Ethical Hacking, Information Security, Security Architecture Review, Penetration Testing

Cloud Should Not Be Spelt FUD

Posted by NetWorks Group on Nov 20, 2012 4:04:00 PM

Fear, Uncertainty, and Doubt (FUD) are sadly a cornerstone of those who don't know enough to know better, or those who just don't care if they are wrong. When it comes to information technology, FUD is alive and well in 'cloud computing', at least from the perspective of those who want to make interesting headlines that will throw their readership into a tizzy.

Topics: Ethical Hacking, Information Security, Penetration Testing
