What area of your business would benefit the most from a penetration test?

By: Chad Horton, Penetration Testing Manager, CISSP, QSA

Penetration testing is a form of ethical hacking that simulates attacks on a network and its systems. It goes beyond running an automated vulnerability scanner; the tests are performed by experts who dive deeper into your environment.

In a previous blog post, Types of Penetration Testing: The What, The Why, and The How, we discussed the different ways a penetration test can be performed: black-box, white-box, and gray-box. We also told you why it's a good idea for a business to have penetration tests performed regularly.

So, what type of penetration test should you get for your business? What areas should you focus on? There are several tests or activities that a penetration test can include. Here are a few you may want to consider.

Network penetration test

The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services.

Commonly-identified security issues include:
- Misconfigured software, firewalls, and operating systems
- Outdated software and operating systems
- Insecure protocols

The remediation of these commonly-identified security issues includes:
- Reconfigure software, firewalls, and operating systems
- Install updates
- Enable encryption or choose a more secure protocol

SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

Segmentation check

The objective of a segmentation check is to identify whether there is access into a secure network because of a misconfigured firewall.

Commonly-identified security issues include:
- TCP access is allowed where it should not be
- ICMP (ping) access is allowed where it should not be

The remediation of both of these commonly-identified security issues is the same:
- Reconfigure the segmentation control (firewall rules) to properly restrict access

SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don't Know

Application penetration test

The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software.

Commonly-identified security issues include:
- Injection vulnerabilities (SQL injection, cross-site scripting, remote code execution, etc.)
- Broken authentication (the log-in panel can be bypassed)
- Broken authorization (low-level accounts can access high-level functionality)
- Improper error handling

The remediation of these commonly-identified security issues includes:
- Re-design the authentication and authorization model
- Recode the software
- Disable remote viewing of errors meant for developers

Wireless penetration test

The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.

Commonly-identified security issues include:
- Insecure wireless encryption standards
- Weak encryption passphrase
- Unsupported wireless technology
- Rogue/open access points

The remediation of these commonly-identified security issues includes:
- Update the wireless protocol to an industry-accepted protocol (WPA2)
- Replace the insecure passphrase with a longer, more complicated one
- Identify the open access point and disable it

SEE ALSO: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks

Social engineering

The objective of a social engineering assessment is to identify employees who do not properly authenticate individuals, follow processes, or validate potentially dangerous technologies. Any of these lapses could allow an attacker to take advantage of the employee and trick them into doing something they shouldn't.

Commonly-identified issues include:
- Employee(s) clicked on malicious emails
- Employee(s) allowed unauthorized individuals onto the premises
- Employee(s) connected a randomly discarded USB device to their workstation

The remediation is always the same: training.

Because the intent of this assessment is to take advantage of the trusting nature of employees, this type of assessment should only be done after employees have completed a training course on defending against social engineering attacks.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

Which type of penetration test is right for you?

For starters, choose the type of penetration test that focuses on the controls you are most concerned about:
- Web application or API = application penetration test
- Infrastructure = network penetration test (and possibly a wireless penetration test)
- People = social engineering

If your objective is to obtain PCI compliance, at the very least you'll want to consider getting a network and an application penetration test.

Once you have an idea of the type of test you would like and how comprehensive you would like the results to be, you need to decide from which perspective (black-box, white-box, or gray-box) you would like the testing to be performed.

By making these decisions wisely, you can choose a penetration test that matches your business' needs and budget.

Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibilities include managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.
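The segmentation check described above verifies that paths the firewall policy says must be blocked really are blocked. The following is an added example (not code from the post or from SecurityMetrics) of the TCP half of that check: it takes a defender-supplied list of (host, port) pairs that policy requires to be unreachable from the testing position and reports any that accept a connection. The `demo()` function is a constructed local stand-in that uses two loopback ports in place of a real out-of-scope network and a real cardholder data environment.

```python
import socket
from typing import Iterable, List, Tuple

Target = Tuple[str, int]  # (host, port) that the firewall policy says must be blocked


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as blocked
        return False


def check_segmentation(expected_blocked: Iterable[Target], timeout: float = 1.0) -> List[Target]:
    """Return every target that accepted a connection although policy says it must be blocked.

    An empty list means the segmentation control held for every target tested.
    """
    return [(h, p) for h, p in expected_blocked if tcp_reachable(h, p, timeout)]


def demo() -> Tuple[List[Target], int, int]:
    """Constructed local stand-in for a segmentation check.

    One listening socket plays a secure-network service that the firewall wrongly
    exposes; a port with no listener plays a correctly blocked service.
    """
    exposed = socket.socket()
    exposed.bind(("127.0.0.1", 0))
    exposed.listen(1)
    exposed_port = exposed.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    blocked_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so connection attempts are refused
    try:
        violations = check_segmentation(
            [("127.0.0.1", exposed_port), ("127.0.0.1", blocked_port)], timeout=0.5
        )
    finally:
        exposed.close()
    return violations, exposed_port, blocked_port


if __name__ == "__main__":
    found, _, _ = demo()
    for host, port in found:
        print(f"SEGMENTATION FAILURE: {host}:{port} reachable but should be blocked")
```

In a real check the list comes from the firewall rule set (every service in the secure network, tested from each out-of-scope segment), and the ICMP half of the check is done the same way with ping.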
Patching the Shoplift Bug: What You Should Be Doing
If you haven't patched this vulnerability, you should.

By: Chase Palmer, Senior Program Manager, CISSP

In early 2015, a vulnerability in Magento known as the Shoplift Bug was found, and Magento released a patch for it. Unfortunately, many businesses still haven't patched this vulnerability, which could threaten their e-commerce integrity.

Here is some more information about the Shoplift Bug, how it makes your system vulnerable, and what you need to do to combat it.

SEE ALSO: How do Hackers Hack?

How does the Shoplift Bug work?

Through the Shoplift Bug, hackers can remotely execute code on Magento software. This vulnerability seems to affect both the community and enterprise versions of Magento.

The Shoplift exploit is actually a chain of vulnerabilities in the Magento core software, but it is frighteningly simple. The exploit uses a Python script that forces the server to downgrade the website from HTTPS to HTTP and then uses SQL injection to create a new user with administrative privileges.

Once the attacker has administrator access to the dashboard, they will typically install software through the console that creates a backdoor. That backdoor lets the attacker remotely alter the functionality of the online store: add or remove products, change the price of products, add phony coupons, and much more.

What should I do?

Unfortunately, this exploit was highly automated, and nearly all vulnerable instances of the Magento dashboard are assumed to be compromised. If you don't know whether you've patched your site recently, or if you're a Magento user, check on MageReport.com.

If you haven't installed this patch, here is a list of steps you should take to patch your website:
- Download and implement the two patches from the Magento Community Edition download page
- Test the patches in a development environment first to make sure they're working properly before deploying them in your production environment
- Check for unknown files in the web server document root directory. If you find any, remove the files, keeping a secure copy if possible
- Check all admin accounts to make sure they're all authorized. Change all admin passwords if you suspect a breach
- Check for unknown IP addresses accessing the system, since hackers may be using legitimate credentials to gain access to your system. Examples of addresses could include 62.76.177.179, 185.22.232.218, and 23.245.26.35

If you need help installing patches, refer to Magento's Community Security patch forum, where community members, moderators, and Magento can assist with questions about downloading and installing patches.

If you haven't already installed this latest patch, you should do so as soon as possible.

Patch your systems

Remember, it's important to stay up to date on your systems and patch any vulnerabilities that pop up. Tips to do this include:
- Sign up for newsletters/notifications from vendors you use: once they release a new patch, you'll be notified
- Patch the vulnerability as soon as possible: the sooner you fix the vulnerability, the less time you'll be open to attacks
- Set up a schedule to regularly patch and update software: this will keep your software updated in its most secure state

SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1

Chase Palmer (CISSP) is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company's largest corporate partners in running mass Level 4 PCI DSS programs worldwide. Chase has a Bachelor's degree in Business Management from Western Governors University. He currently lives in Provo, Utah, and he loves everything about motorcycles.
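Two of the post-patch checks in the list above (unknown files in the document root, and unknown IP addresses reaching the admin panel) can be scripted against a web server access log and a file listing. The following is an added example, not code from the post or from Magento: it flags admin-panel requests from any address outside an allowlist of hosts that should ever administer the store, flags any request from the three example addresses the post names, and diffs a document-root listing against a known-good manifest. The admin path prefix `/index.php/admin` is the Magento default and is an assumption here; adjust it to the store's admin frontName. The log lines, allowlist and file listings are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Set

# Addresses the post lists as examples seen accessing compromised Magento systems.
KNOWN_BAD_IPS = {"62.76.177.179", "185.22.232.218", "23.245.26.35"}

# Combined log format (Apache/nginx default): client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def review_admin_access(log_lines: Iterable[str], allowed_admin_ips: Set[str],
                        admin_prefix: str = "/index.php/admin") -> Dict[str, List[str]]:
    """Map each suspicious client IP to the requests it made.

    A request is suspicious when it comes from a known-bad address, or when it targets
    the admin panel (admin_prefix, assumed Magento default) from an address outside the
    allowlist of hosts that should ever administer the store.
    """
    findings: Dict[str, List[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, path = m.group("ip"), m.group("path")
        if ip in KNOWN_BAD_IPS or (path.startswith(admin_prefix) and ip not in allowed_admin_ips):
            findings.setdefault(ip, []).append(f"{m.group('ts')} {m.group('method')} {path} {m.group('status')}")
    return findings


def unknown_files(docroot_listing: Iterable[str], baseline_manifest: Iterable[str]) -> List[str]:
    """Files present in the document root that a known-good manifest does not account for."""
    return sorted(set(docroot_listing) - set(baseline_manifest))


# Constructed sample log; 203.0.113.10 is the only host that should reach the admin panel.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2015:08:15:02 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 5123',
    '185.22.232.218 - - [10/Jun/2015:08:16:40 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jun/2015:08:20:11 +0000] "GET /index.php/admin/system_config/ HTTP/1.1" 200 8840',
    '198.51.100.8 - - [10/Jun/2015:08:21:00 +0000] "GET /catalog/product/view/id/42/ HTTP/1.1" 200 12345',
    '62.76.177.179 - - [10/Jun/2015:08:25:33 +0000] "GET /customer/account/login/ HTTP/1.1" 200 7001',
]
ALLOWED_ADMIN_IPS = {"203.0.113.10"}

if __name__ == "__main__":
    for ip, reqs in review_admin_access(SAMPLE_LOG, ALLOWED_ADMIN_IPS).items():
        print(ip, *reqs, sep="\n  ")
```

Any address the script reports is a candidate for the admin-account review and password reset in the list above; an unexpected admin login from a legitimate-looking address is exactly the case the post warns about.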
Employee Data Security Training: What You Should Do
Don't let employee training fall to the side of data security.

By: David Page, Security Analyst, QSA

When it comes to data security, many businesses tend to think of things like locks, firewalls, and the latest technology to protect their sensitive data. But they often overlook their biggest vulnerability: employees.

Now, I'm not saying employees are bad; they're just human, and humans make mistakes. Unfortunately, many hackers will take advantage of human error to gain access to your data. You need to spend just as much time and money on your employees as you do on secure technology.

Many data breaches happen as a result of a well-meaning employee doing something to make your business vulnerable, whether it's clicking on a phishing email that downloads malware, giving out sensitive information to someone they shouldn't, or not being diligent in protecting their passwords. Most of these cases aren't even intentional or malicious.

Why is training important?

A question a business may have is why employee training should matter so much. After all, a business just has to have a firewall and security policies in place and they should be good, right?

Wrong.

Your security policies are useless if your employees aren't aware of them. For example, you may have a policy on what to do if you suspect a data breach. But if your employees aren't trained in what they should do in that situation, they will likely make an error or waste time in reporting it to the right people, potentially causing your business more damage.

Another problem is social engineering, which is rapidly becoming a big threat against businesses of all types and sizes. The problem with social engineering is that it targets your employees specifically. If your employees aren't trained to recognize social engineering tactics, you could be vulnerable to a data breach.

Finally, you and your employees should care about data security and maintaining compliance with PCI, HIPAA, and other industry data security standards. You need to instill a sense of urgency in your employees when it comes to data security. Sometimes they're all that stands between your business and a damaging data breach.

Who should be trained in data security?

It's important to train all of your employees on basic data security best practices. It's critical that employees with access to sensitive data know how to protect it.

Things like email phishing scams and social engineering can affect anyone in your business, from the top executive to the janitor. Make sure all of your employees are briefed on policies involving basic physical and data security.

What should employees be trained on?

It's good to make a list of policies employees should be made aware of and be trained on. Some policies may include:
- technology use
- password management
- data handling procedures
- incident response plans
- data security best practices
- social engineering techniques

Basically, if you have a policy about security that involves your employees, your employees should know about it.

Tips for training employees

Holding yearly meetings doesn't really do it anymore; your employees need a constant reminder to prioritize data security in their daily activities. They will also absorb more information if they receive training more often. Here are some tips to get your employees ready.
- Set monthly training meetings: focus each month on a different aspect of data security, such as passwords, social engineering, email phishing, etc.
- Give frequent reminders: these could be sent out in an email or newsletter that includes tips for employees
- Train employees on new policies ASAP: also, newly hired employees should be trained on policies as quickly as possible
- Make training materials easily available: intranet sites are a great way to provide access to training and policy information
- Create incentives: reward your employees for being proactive

Watch out for your employees

It's important to make sure your employees understand how critical their role is in keeping your business's data secure. Training employees should be a top priority in your overall data security strategy. After all, your employees are the ones standing between your data and the bad guys. Shouldn't you make sure they know what to do?

David Page is a Qualified Security Assessor and has been working at SecurityMetrics for 2 and a half years. He has over 18 years of experience in network and system engineering, design, and security.