
The State of ATM Security: DMA Vulnerabilities are Lurking

According to estimates from the ATM industry association (ATMIA), there are more than three million automated teller machines (ATMs) across the globe today, making it the most common method for consumers to interact physically with their bank. Since its inception in 1967, criminals have discovered many ways to hack into ATMs – and technological advancements have only made their efforts more lucrative. 

Modern hackers aren’t solely after cash. Account numbers, PINs, debit card information, and points of entry to the internal network or firmware provider can all be accessed by exploiting known security vulnerabilities.

One particular cybersecurity threat banks must pay closer attention to is direct memory access (DMA) attacks. DMA attacks target the areas of a computer that require direct memory access, such as the PCI bus or USB/Thunderbolt ports. DMA attacks enable an adversary with physical access to a device to read and overwrite memory, giving them full control over the operating system (OS) kernel and the ability to perform malicious activity. Unfortunately, many devices exist today that have not addressed the concerns that DMA vulnerabilities revealed years ago. 

In this blog post, I will explore common ATM security vulnerabilities and attack tactics and explain why DMA attacks require heightened awareness. Additionally, I will share best practices to implement to help strengthen your ATM cybersecurity efforts.

Common ATM security vulnerabilities

ATMs have a lengthy shelf life for an embedded device, often lasting 10 years before needing to be replaced. An ATM is typically built around a Windows desktop PC provided by the ATM manufacturer (e.g. Diebold, NCR, Hyosung). The bank is then responsible for hardening the OS and ensuring updates and patches are applied to the system as needed.

Further, many ATMs in service today still run older, more vulnerable versions of Windows. These systems can become very expensive to maintain and take significant resources to protect properly. Keeping them secure becomes more difficult as they age and requires a lot of work to keep up with the latest attacks. Even when these systems are being hardened, it’s easy to miss a seemingly unrelated security measure until it’s too late.

It’s not always the outdated OS itself that attackers target. While zero-day vulnerabilities do exist, we more often see security risks in the bank’s custom ATM user interface and applications, incomplete system hardening, vulnerabilities in custom security protections from the vendor or manufacturer, or unencrypted communications over USB. Here is a sampling of five common ATM attacks:

  1. Sensor Tampering/Forking Attacks: Tampering with the sensors to take out money from the ATM without it debiting the accounts. Example: Australia forking attack, 2014
  2. Black Box: Connecting an external device (“black box”) to the ATM’s cash dispenser, then using native commands to cause the machine to release currency, bypassing the need for a card or transaction authorization. Example: Diebold code theft, 2020
  3. Peripherals/Communication: Most of the important devices inside a typical ATM are peripherals that communicate over USB and serial buses. Some systems have not properly implemented encryption over these media. This lets attackers sniff the USB traffic, replay it, perform man-in-the-middle attacks, or fuzz the interfaces to alter software. These attacks aren’t limited to the bus lines: the peripherals and the systems that support them are also vulnerable to communication attacks. Example: NFC replay attacks, HITBGSEC 2018 D2
  4. Malware/Jackpotting: An attacker finds some flaw in the system that allows them to install their own custom software on the ATM: via an insecure firmware update, a leaked or outdated certificate, or a flaw in the encryption. These attacks do not have to be against the ATM itself; some forms of ATM malware can be delivered without physical access to the machine by leveraging a known exploit against a financial institution’s servers. The malware is then pushed to every ATM in the chain, compromising many machines in one strike. Examples of ATM malware families: Ploutus, Anunak/Carbanak, Cutlet Maker, SUCEFUL
  5. Direct Memory Access (DMA): DMA allows devices to directly communicate with the system’s memory by bypassing the OS and manipulating firmware. If exploited, adversaries can gain direct access to information and privileges. They often require physical access but can also be deployed remotely. Example: DMA attack, PCILeech USB3380

The risk of DMA vulnerabilities

Despite the security precautions hardware and software vendors have implemented, DMA attacks remain a reality for many enterprise devices today. DMA attacks began making waves mostly as theoretical attacks until video game hackers caught wind. In the video game space, DMA attacks allow players to bypass protections without triggering the anti-cheat software placed by game manufacturers – but the threat reaches much farther than one industry. 

Any system where an attacker has physical access to the machine is vulnerable, and these attackers’ techniques have gotten much more covert over the years. DMA attacks have been gaining traction in the red team space, and banks are shocked at how easy it is to bypass their ATM security using a single technique. Not many banks are testing for DMA vulnerabilities today, possibly due to the lack of awareness around this particular attack vector.

As mentioned earlier, DMA attacks may grant adversaries full control over all of the device’s memory, including the kernel and the entire OS. The problem with this access is that the memory is not, at least by default, segmented. The access is granted at the hardware level, so it can overwrite any area of memory it can reach, regardless of the privilege level that memory is protected by.

DMA attacks have also evolved. One avenue for gaining DMA access is PCIe cards. These are similar to the graphics cards added to a PC, but modified to communicate with outside controllers and give attackers access to the computer’s memory. These custom cards are now Wi-Fi enabled, which allows attackers to insert their hardware and leave. The attacker can then wait until the system is up and running and, at their leisure, pull secrets from the system’s RAM (encryption keys, PINs, card numbers, etc.) or modify a running, authenticated system to run shellcode placed dynamically into memory, outside the purview of even the most thorough antivirus or malware protection.

Remediating this issue is no easy task. ATMs employ a number of security precautions: hard drive encryption, firewalls, process monitoring software, etc. to ensure the system has not been modified. Unfortunately, DMA attacks can easily bypass these protections. 

The best way to prevent ATM security attacks, like DMA attacks, is to strengthen your foundational cybersecurity efforts and gain a better understanding of your preparedness and the impact an attack on your devices would have. To help, here are six ATM security best practices to follow, beyond physically disabling the PCIe bus with epoxy.

6 ATM security best practices

  1. Disable hardware that isn’t supposed to be in the system by default. Disable any USB device that is not used, including Thunderbolt adapters, storage devices, and USB Ethernet adapters. Anything that increases the attack surface and isn’t needed should be removed.
  2. Ensure encryption is set up properly and confirm every link in the chain of encryption is covered. Make sure the encryption keys are kept safe, and that communications between peripherals are encrypted as well.
  3. If the version of Windows used allows memory segmentation, enable it. For DMA vulnerabilities, if using Windows 10, turn Kernel DMA Protection on.
  4. Ensure the operating systems are properly hardened.
  5. Limit the types of USB devices the ATM accepts and restrict the accepted vendor IDs (VID) and product IDs (PID). For example, there is no reason for an external graphics card or an audio adapter to be accepted over USB.
  6. Perform a penetration test of your ATM applications to gain a better understanding of the impact an ATM security incident or breach would have on your systems, and learn whether your existing security controls are working as they’re supposed to.

The importance of ATM penetration testing services

Penetration testing services can tell you where your security is and, more importantly, where it is lacking. Pentesting can verify whether the ATM peripherals that handle sensitive data are properly encrypted or that encryption keys cannot be extracted from the firmware or the card reader. Is the encryption used to protect the hard drive strong enough or configured correctly? Is there any method that attackers can use to gain access to the keys – if so, what can they do once they have the keys? 

Sometimes it is not possible to prevent every attack. In these cases, you need to know what will happen once there is a breach and how well you are protected once a weakness is found. Then, make it as difficult as possible for an attacker to maneuver inside the system. Using outside pentesting teams is a great way to keep apprised of the latest attack methods and view your system from the perspective of an adversary.

Engage with NetSPI to determine how DMA vulnerabilities affect your devices.

Tokenvator Release 3 is a long overdue update that includes a major overhaul of the tool. On the user interface side it will feel mostly familiar, with some command line tweaks. Under the surface, large portions of the code base have been reworked, and other parts have had some updates. In this series, we will go over some of the changes and new features added. Teaser alert: adding privileges & creating tokens.

Improvements

First and foremost, the user interface. Historically, every action took a series of positional arguments that were clunky and generally difficult to remember. They were also not very flexible, and as commands gained more optional arguments, they became completely unwieldy. These have been replaced with flags that auto-complete.

For instance, to list and enable privileges:

This also works in the non-interactive mode (though it won’t tab complete – sorry, it’s Windows):

Additionally, the scroll-back function was improved and numerous bugs were resolved. For instance, pressing up will now always go to the last command issued. A printable command history has also been added if you want to copy and paste instead, or keep a log of your actions.

The info functionality was improved again, removing many bugs and adding additional information, such as impersonation contexts:

(Tokens) > whoami
[*] Operating as NT AUTHORITY\SYSTEM

(Tokens) > info
[*] Primary Token
[+] User:
S-1-5-21-258464558-1780981397-2849438727-1001      DESKTOP-J5KC1AR\0xbadjuju

[*] Impersonation Tokens
[*] Primary Token Groups
[+] Enumerated 15 Groups:
S-1-5-21-258464558-1780981397-2849438727-513       DESKTOP-J5KC1AR\None
S-1-1-0                                            Everyone
S-1-5-114                                          NT AUTHORITY\Local account and member of Administrators group
S-1-5-32-544                                       BUILTIN\Administrators
S-1-5-32-559                                       BUILTIN\Performance Log Users
S-1-5-32-545                                       BUILTIN\Users
S-1-5-4                                            NT AUTHORITY\INTERACTIVE
S-1-2-1                                            CONSOLE LOGON
S-1-5-11                                           NT AUTHORITY\Authenticated Users
S-1-5-15                                           NT AUTHORITY\This Organization
S-1-5-113                                          NT AUTHORITY\Local account
S-1-5-5-0-870189                                   Some or all identity references could not be translated.
S-1-2-0                                            LOCAL
S-1-5-64-10                                        NT AUTHORITY\NTLM Authentication
S-1-16-12288                                       Some or all identity references could not be translated.

Now, you have the option to get additional information by using the /all flag.

(Tokens) > info /all

Option     Value
------     -----
all

[*] Primary Token
[+] User:
S-1-5-21-258464558-1780981397-2849438727-1001      DESKTOP-J5KC1AR\0xbadjuju

[*] Impersonation Tokens
[*] Thread ID: 5820
[+] User:
S-1-5-18                                           NT AUTHORITY\SYSTEM
[*] Thread ID: 1120
[*] Thread ID: 7108
[*] Thread ID: 9180
[*] Thread ID: 1152
[*] Thread ID: 8592
[*] Thread ID: 8076

[*] Primary Token Groups
[+] Enumerated 15 Groups:
S-1-5-21-258464558-1780981397-2849438727-513       DESKTOP-J5KC1AR\None
S-1-1-0                                            Everyone
S-1-5-114                                          NT AUTHORITY\Local account and member of Administrators group
S-1-5-32-544                                       BUILTIN\Administrators
S-1-5-32-559                                       BUILTIN\Performance Log Users
S-1-5-32-545                                       BUILTIN\Users
S-1-5-4                                            NT AUTHORITY\INTERACTIVE
S-1-2-1                                            CONSOLE LOGON
S-1-5-11                                           NT AUTHORITY\Authenticated Users
S-1-5-15                                           NT AUTHORITY\This Organization
S-1-5-113                                          NT AUTHORITY\Local account
S-1-5-5-0-870189                                   Some or all identity references could not be translated.
S-1-2-0                                            LOCAL
S-1-5-64-10                                        NT AUTHORITY\NTLM Authentication
S-1-16-12288                                       Some or all identity references could not be translated.

[+] Source: User32

[*] Enumerating Token Privileges
[*] GetTokenInformation - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 24 Privileges

Privilege Name                               Enabled
--------------                               -------
SeIncreaseQuotaPrivilege                     False
SeSecurityPrivilege                          False
SeTakeOwnershipPrivilege                     False
SeLoadDriverPrivilege                        False
SeSystemProfilePrivilege                     False
SeSystemtimePrivilege                        False
SeProfileSingleProcessPrivilege              False
SeIncreaseBasePriorityPrivilege              False
SeCreatePagefilePrivilege                    False
SeBackupPrivilege                            False
SeRestorePrivilege                           False
SeShutdownPrivilege                          False
SeDebugPrivilege                             True
SeSystemEnvironmentPrivilege                 False
SeChangeNotifyPrivilege                      True
SeRemoteShutdownPrivilege                    False
SeUndockPrivilege                            False
SeManageVolumePrivilege                      False
SeImpersonatePrivilege                       True
SeCreateGlobalPrivilege                      True
SeIncreaseWorkingSetPrivilege                False
SeTimeZonePrivilege                          False
SeCreateSymbolicLinkPrivilege                False
SeDelegateSessionUserImpersonatePrivilege    False


[+] Owner:
S-1-5-32-544                                       BUILTIN\Administrators

[+] Primary Group:
S-1-5-21-258464558-1780981397-2849438727-513       DESKTOP-J5KC1AR\None

[+] ACL Count: 572

[+] Primary Token
[+] TokenElevationTypeFull
[*] Token: Split
[+] ProcessIntegrity: High

Impersonation Tokens

Previously, I had glossed over Impersonation (Thread) Tokens in the Tokenvator tool. When you impersonate a token, it doesn’t replace the primary token of your process; instead, the token is placed on the calling thread, which in this tool is typically the primary thread. Going forward, I will use Thread Token and Impersonation Token interchangeably.

In this example, we show the privileges on our primary token (List_Privileges), impersonate the SYSTEM account (GetSystem), list the privileges on our primary token again to show it hasn’t been altered (List_Privileges), and then finally list the privileges for the SYSTEM token we are impersonating (List_Privileges /Impersonation).

In this second, more complex example, we show:

  • The privileges on our primary token (List_Privileges)
  • Impersonate the SYSTEM account (GetSystem)
  • List the privileges for the SYSTEM token we are impersonating (List_Privileges /Impersonation)

We then:

  • Disable the SeAssignPrimaryTokenPrivilege on the Thread Token for SYSTEM (Disable_Privilege /Privilege:SeAssignPrimaryTokenPrivilege /Impersonation)
  • List the thread token privileges again (List_Privileges /Impersonation)
  • Re-enable the privilege on the token (Enable_Privilege /Privilege:SeAssignPrimaryTokenPrivilege /Impersonation)
  • List the privileges one last time (List_Privileges /Impersonation) to show that it has been re-enabled

This could all be done against a remote process as well by passing the /ProcessID:<ID> flag.

Similarly, Thread Tokens can be impersonated with the Steal_Token command by specifying the /Thread Flag.

Now for the Cool Stuff

The number one request I’ve gotten has been, “Can I add a privilege with this tool?” Until now, that issue has been open on GitHub. I can happily say, I can finally close this issue.

Like Morpheus said, some of these rules can be bent, others can be broken. To change the privileges on a token, I’ve historically used advapi32!AdjustTokenPrivileges. This allows privileges to be enabled, disabled, or removed. As far as I’ve been able to tell, it does not allow adding privileges to a token. But just because that doesn’t work doesn’t mean there are no other options. It’s time to enter the world of the kernel.

Exploring the Kernel

To look at the Windows kernel, you will probably need WinDbg. This involves installing several development kits from Microsoft (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg–kernel-mode-). A local instance of the debugger can be started from an elevated command prompt:

  • "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe" -kl

From here we can start exploring.

Opaque Structures

As expansive as Microsoft Developer Network (MSDN) is, it is not all-encompassing. There are things that are intentionally not documented as they are not intended to be used. Among these is the EPROCESS structure. 

Part of the reason is that this structure can change without notice from Microsoft; I can personally confirm that this has happened. While it may be difficult to track down the layout of this structure online, we can easily view it with WinDbg. Using the dt command in WinDbg, we can view any instance of it.

Let’s look at the process structure of an elevated Tokenvator instance:

It’s running with a process ID of 8140, which is 1FCC in hex.

Examining that process shows:

The line we are looking for is:

  • PROCESS ffff9a890b963080

The EPROCESS structure can be found at address ffff9a890b963080. Querying for the EPROCESS structure:

It’s mostly truncated here, but it’s big. Really big. Excluding the KPROCESS structure, which occupies offsets 0x000 – 0x438, it has 238 entries.

dt nt!_EPROCESS ffff9a890b963080
   +0x000 Pcb              : _KPROCESS
  …
   +0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
  …
   +0x4b8 Token            : _EX_FAST_REF
  …
   +0xa10 DynamicEnforcedCetCompatibleRanges : _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES

But in this structure, there is a field called Token which references the _EX_FAST_REF structure.

Querying the _EX_FAST_REF structure for the Token field shows the following.

If we were to query that address for a _TOKEN structure, it wouldn’t work. But looking at the verbose process information with the command:

We can see that it is at a similar address. I didn’t immediately realize why the addresses were different, and at this point I need to thank the ired.team blog for getting me unstuck: they realized a bitwise AND (&) would correct the address.

Evaluate expression: -65372684652448 = ffffc48b`3c5a7060

Querying that address for the token we see a structure where the privileges are stored. 

Querying that field reveals a structure that contains the Present field, where a bitwise OR for each privilege can detect if it is present.

AND’ing that field can allow us to put privileges back on the token. 

Pulling it All Together

We’ve found what needs to be changed in the kernel, so how do we do that? Well, that involves creating a kernel mode driver that can interact with kernel memory. Introducing: the KernelTokens driver. 

This introduces several additional commands:

  • install_driver
  • start_driver
  • uninstall_driver
  • add_privilege
  • freeze_token
  • unfreeze_token

First, we need to install the driver. The default name is TokenDriver.

Now, let’s look at the existing privileges on the Tokens:

In this instance, we see there are 24 privileges at the start. Let’s add two privileges: SeTcbPrivilege and SeCreateTokenPrivilege. First, we run the command Add_Privilege /Privilege:SeTcbPrivilege. This connects to the driver and updates the bitfield in memory. Running List_Privileges again, we see SeTcbPrivilege is now on the token. Running Add_Privilege /Privilege:SeCreateTokenPrivilege adds this privilege as well. As can be seen in the final List_Privileges output, 26 privileges are now present on the token, including SeTcbPrivilege and SeCreateTokenPrivilege.
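To make the kernel-side bookkeeping from the last two sections concrete, here is an added example (not Tokenvator's code and not from the original post) that applies the _EX_FAST_REF mask, reproduces the WinDbg "Evaluate expression" line for the recovered address, and decodes a token's privilege bitmask so a before/after pair of snapshots can be diffed from a defender's side. The bit positions are the winnt.h SE_*_PRIVILEGE LUIDs; the _EX_FAST_REF low nibble and the token contents are constructed; presence is tested with a bitwise AND and additions are OR'ed in.

```python
"""Decode the token structures this post walks through in WinDbg.

Added example, not code from Tokenvator or the original post. It recovers
the _TOKEN address from an _EX_FAST_REF value (the bitwise AND fix credited
to ired.team above), reproduces WinDbg's "Evaluate expression" line for it,
and decodes Present/Enabled privilege bitmasks into names so two snapshots
of a token can be diffed. Bit positions are the well-known privilege LUIDs
from winnt.h (SE_*_PRIVILEGE); the sample token values are constructed.
"""
from __future__ import annotations

U64 = (1 << 64) - 1
# x64: the pointer inside an _EX_FAST_REF is 16-byte aligned, so the low
# 4 bits are free to carry the fast reference count.
EX_FAST_REF_COUNT_BITS = 0xF

# Well-known privilege LUIDs (winnt.h). The LUID's low part doubles as the
# bit index inside SEP_TOKEN_PRIVILEGES.Present / .Enabled.
PRIVILEGE_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege", 20: "SeDebugPrivilege",
    21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege",
    25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege",
    27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege", 30: "SeCreateGlobalPrivilege",
    31: "SeTrustedCredManAccessPrivilege", 32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
PRIVILEGE_BITS = {name: bit for bit, name in PRIVILEGE_NAMES.items()}
# Privileges whose silent appearance on a token deserves a second look.
HIGH_RISK = frozenset({"SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
                       "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeDebugPrivilege"})


def token_from_fast_ref(fast_ref: int) -> int:
    """Clear the reference-count bits: the post's 'bitwise AND' fix."""
    return fast_ref & (U64 & ~EX_FAST_REF_COUNT_BITS)


def windbg_eval(value: int) -> tuple[int, str]:
    """(signed decimal, backtick-split hex), as WinDbg's '?' prints them."""
    signed = value - (1 << 64) if value >> 63 else value
    h = f"{value & U64:016x}"
    return signed, f"{h[:8]}`{h[8:]}"


def privilege_mask(*names: str) -> int:
    """Build a Present/Enabled-style bitmask from privilege names."""
    mask = 0
    for name in names:
        mask |= 1 << PRIVILEGE_BITS[name]
    return mask


def decode_privileges(present: int, enabled: int = 0) -> dict[str, bool]:
    """Map each privilege present on the token to its Enabled state.

    Presence is tested with a bitwise AND; unknown bits are kept so a
    corrupted or newer-version token does not silently lose data.
    """
    out: dict[str, bool] = {}
    for bit in range(present.bit_length()):
        if present & (1 << bit):
            name = PRIVILEGE_NAMES.get(bit, f"<unknown LUID {bit}>")
            out[name] = bool(enabled & (1 << bit))
    return out


def added_privileges(before: int, after: int) -> list[str]:
    """Names present in `after` but not in `before`."""
    return sorted(decode_privileges(after & ~before))


def high_risk_additions(before: int, after: int) -> list[str]:
    """Added privileges a defender should treat as suspicious."""
    return [n for n in added_privileges(before, after) if n in HIGH_RISK]


# Constructed sample: the 24 privileges the post's elevated admin token
# listed, with the four the listing reported as Enabled.
ADMIN_PRESENT = privilege_mask(
    "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfileSingleProcessPrivilege", "SeIncreaseBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege", "SeSystemEnvironmentPrivilege",
    "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege",
    "SeManageVolumePrivilege", "SeImpersonatePrivilege", "SeCreateGlobalPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
    "SeCreateSymbolicLinkPrivilege", "SeDelegateSessionUserImpersonatePrivilege")
ADMIN_ENABLED = privilege_mask("SeDebugPrivilege", "SeChangeNotifyPrivilege",
                               "SeImpersonatePrivilege", "SeCreateGlobalPrivilege")
# Constructed _EX_FAST_REF: the post's token address with a count of 7 packed in.
SAMPLE_FAST_REF = 0xFFFFC48B3C5A7067
```

Running `windbg_eval(token_from_fast_ref(SAMPLE_FAST_REF))` reproduces the post's "-65372684652448 = ffffc48b`3c5a7060" line, and diffing ADMIN_PRESENT against a copy with SeTcbPrivilege and SeCreateTokenPrivilege OR'ed in reports exactly those two high-risk additions (24 to 26 privileges).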

Causing Some Shenanigans

Critical Processes are a fun flag that can be set on a process to indicate that it is critical to system functionality. This can be used to force a system to blue screen, or in some cases to prevent the process from being killed.

When it does, well…

Becoming Someone Else

One of the interesting things that I always wanted to add was the ability to become another user on the system without having to steal their token from a running process. There are several ways to accomplish this with increasing levels of difficulty:

  • RunAs
  • Logon_User
  • Create_Token

Each one of these methods calls a different API.

RunAs

Tokenvator’s RunAs is almost identical to the Windows RunAs /netonly command. Under the surface, this is just calling CreateProcessWithLogonW.

Logon_User

Logon_User is a little more complex. Depending on the options provided, it calls either LogonUser or LogonUserExExW (no, that’s not a typo) and then uses the newly created token to call CreateProcessWithTokenW.

Using this we can become any user we have credentials for as well as local service accounts such as Network Service or Local Service.

Create_Token

Lastly, the final technique for this part of the post is Create_Token. Under the surface this calls ntdll!CreateToken, which is a bit of a bear: it manually crafts the token from scratch and then calls CreateProcessWithTokenW.

As can be seen above, with this we can become disabled users and ephemerally add them to groups by adding the group onto the token at creation time.

This release can now be accessed on GitHub. To download and learn more about Tokenvator visit: https://github.com/0xbadjuju/Tokenvator.


Q&A: Diana Kelley Discusses ROI, Application Security, and Inclusivity

Cybersecurity leaders hold one of the most difficult positions today, as they’re often tasked with protecting an entire organization from sophisticated threats with limited resources. I recently sat down with Diana Kelley, founding partner and CTO at Security Curve, on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management, to discuss key challenges and opportunities security leaders face today. Read on for highlights from our conversation around communicating cybersecurity ROI, building an application security program, inclusivity in the cybersecurity industry, and more.

Nabil: Connecting and conveying a particular message to the C-suite is a common challenge across the security industry. What has worked well for you when communicating ROI or asking for budget from leadership? 

Diana: Cybersecurity ROI can be tough to communicate. First, remember, if you’re going to the executives or presenting to the C-suite, you have to look at the world through their lens. We tend to, as technical people, look at it through our lens – which is okay for our understanding, but it is the fiduciary responsibility of the stakeholders of the company to make it profitable. It is important to always think about that, think about how security translates to profitability. Do not go into a leadership or board meeting with technical detail, go in there with “this is what it means” or “this is how it impacts our bottom line.” 

Second, do not dismiss the fact that their lens is different, as if it is somehow denigrated. The craziest thing I’ve experienced was a technical person in front of a board of directors saying, “I’m the risk expert here.” They may have been the technical risk expert, but they didn’t understand that the job of the board is risk assessment. It’s a different lens of risk assessment, focused on business and profit, but it’s still risk.

People always say to speak in the language of business. The way to do this in practice is to remember their lens of profitability, remember that risk is about business risk, and then tie your technical risk in a business way that isn’t deeply technical, but is very strong and powerful. You can also share examples, such as, “Did a similar customer lose money due to a competitor having the same problem?” or “Is there new legislation coming down the pipeline that’s going to change our implementation and strategy?”

Finally, do not forget to engage leadership in the decision-making process. You want to avoid being demanding, which often happens after a breach or audit. Early on, engage with leadership and communicate the security issues, what it could mean to your profitability, and explain how the security team can help improve or protect the business in the future. Most importantly, ask if they agree that the investment is a good way to spend the organization’s money and ensure you have a consensus. 

For more on how to showcase the ROI of cybersecurity, read NetSPI’s Five Metrics to Showcase the ROI of Pentesting.

Nabil: Let’s talk about application security. What insight would you give people as they try to decide what frameworks they should use and how to navigate the different options out there?

Diana: Organizations must get an application security program in place – a secure software development lifecycle (SSDLC). This is the most critical part. As far as frameworks go, BSIMM is a good option to understand what other companies that look like you are doing in terms of application security. It allows organizations to have a maturity model to build towards. 

Have a framework in place to start implementing an application security program, create standards for your developers, and start application security testing early on. Identify your application security requirements and understand the threat model so that you can start to build and think about the test harness as soon as possible. It’s more important to start implementing rather than focusing on which framework you choose.

It concerns me that now we’re getting into this big shift in the enterprise where we’re no longer writing code from the ground up, we’re doing a lot of low-code no-code. This is fantastic in terms of what we’re able to build and how quickly we’re able to build it. But companies that are now creating low-code no-code solutions are using a lot of functions and libraries and they are not thinking about it as custom-built code. 

I’ve heard many times, “we don’t actually build any applications.” Then, you start talking to the company and you find out that they have many scripts that are pulling in functions from the cloud, they’re using cool tools like Zappy or Airtable, but they’re giving access into parts of their data sets, and they don’t realize those scripts are code. I’m hopeful that companies don’t solely have an application security program in place, but also an understanding that they need to extend this program to the low-code no-code serverless world that we are moving towards.

Nabil: A lot of the work that you do is focused on inclusivity in the security industry. What advice do you have for security leaders looking for new talent?

Diana: With Women in Cybersecurity (WiCyS) specifically, we’re very focused on bringing women into cybersecurity, but there are many different non-profits out there that are looking at cohorts and sectors that have not been involved in cybersecurity in the past. I think security leaders could benefit from getting involved with these organizations to look for internships or externships.

It’s very common for leaders to say, we can’t find any diverse talent and we had to hire somebody who looks like everybody else because there were no other candidates. Often, it’s not that you didn’t look far enough or hard enough. And that may be because they’re not in your network. If your network doesn’t extend out broadly to different groups of people, then work to expand it. 

Be open to people that may not have college degrees, as every job in cybersecurity doesn’t necessarily need a four-year liberal arts degree. Maybe there is somebody who has recently graduated from high school that’s completed the right training. Rethink what you know, how you’re hiring, who you’re hiring, open that aperture wider, and work with those communities that are encouraging inclusivity. 

Another tip is to think critically about how you’re writing job descriptions. There is research that shows that women will not apply for a job unless they match about 90% of the criteria or higher, whereas men will apply if they only match 50%. If you write a job description that includes every experience and skill under the sun because you want to get great resumes, what you’re actually doing is turning off the candidates who are reading that job description and believe that, if they don’t have 90 percent or 100 percent of the criteria, they’re not going to be eligible for the job. Rethink your job descriptions: do not gender the job descriptions and make sure that they’re not overstuffed. Write it for what are you looking for and focus on what is important. You’ll be surprised at the resumes it brings in.

Listen to Agent of Influence Episode 30 featuring Diana Kelley

Tips for a secure cloud migration for Healthcare

On July 16, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:

At the end of the day, for those of us on DevSecOps teams, it is all about managing risk, even in the highly regulated healthcare industry. Compliance around medical records and privacy concerns is a driver, so development and security professionals must take aggressive steps to prioritize risk management as the healthcare industry continues to be a frequent target of bad actors. According to Gartner, the worldwide end-user spending on public cloud services is forecasted to grow 18.4% in 2021 to a total of $304.9 billion, up from $275.5 billion in 2020. “The pandemic validated the cloud’s value proposition,” Gartner Research Vice President Sid Nag said.

The monetary loss from cybercrime goes beyond just affecting healthcare with an estimated $945 billion cost in 2020, according to McAfee. For those working in the healthcare industry, realize that a 2020 breach analysis report by IBM and Ponemon Institute found that healthcare breaches were the costliest. In other words, not managing risk is expensive.

Gartner also reported COVID-19 forced organizations to preserve cash and optimize IT costs, support and secure a remote workforce, and ensure resiliency. And the cloud became a convenient means to address all three. If this scenario sounds familiar to your organization, the following are four insights to consider that will help to protect data in the cloud.

Read Nabil’s 4 tips for secure cloud migration on TechTarget’s SearchSecurity: https://searchsecurity.techtarget.com/post/4-healthcare-risk-management-tips-for-secure-cloud-migration


Navigating Cybersecurity Innovation and Maturity in 2021

The word innovate, as defined by Merriam-Webster, means “to make changes or to do something in a new way.” In cybersecurity, this definition goes much deeper. The goal of many, if not all, cybersecurity organizations today is to be innovative in their space, or at least more innovative than their adversaries. That raises the question: how do we define and drive cybersecurity innovation today? 

When building a cybersecurity organization that aims to disrupt the industry, there is much to consider. Drawing from my experience working with many early-stage cybersecurity and risk management software companies, I sat down with NetSPI managing director Nabil Hannan on the Agent of Influence podcast to explore how to define cybersecurity innovation, evaluate risk factors, achieve program maturity, and more. In this blog post, I will highlight and expand on key insights from the discussion. You can listen to the full podcast episode here.

Innovation in commercial software for enterprises originates from companies that are not market leaders.

I’ve always believed that innovation in cybersecurity originates with early-stage companies that are not market leaders. Sure, market leading software companies have tremendously talented and capable people. However, innovation requires making mistakes and adjustments based on lessons learned. Market leaders have to allocate development and product management resources to meet the needs of the broadest part of the market, and prioritize the needs of their shareholders, investors, and customers. If they do this, they are successful and able to sustain market leadership. Market growth is dependent on the ability to sell software to the largest part of the market (the most customers). More customers means higher market leadership and, in turn, happy investors, shareholders and employees. 

The same economic rules apply to the enterprise market for cybersecurity products. The difference is that the broadest or largest part of the enterprise cybersecurity market is the least sophisticated in practices and controls. Therefore, innovation is not necessary for success, as many enterprises make buying decisions based on analysis of market leaders and on what other respected enterprises decide to do. Early-stage cybersecurity companies that develop game-changing capabilities do so because they can afford to take risks that could result in failure but could also result in innovation; market leaders can’t afford to take the same risks. The early-stage companies that succeed in developing truly game-changing capabilities enable an enterprise to survive and thrive by creating friction for threat actors. Several large enterprises encourage early adoption of innovative cybersecurity capabilities to keep up with the evolution of threat actor tactics and to develop breakthrough technologies for enterprise protection and resilience. Their culture allows them to take risks in order to better manage risks for the enterprise. 

Innovation is sustained failure.

For any cybersecurity function, it is important to have a culture that supports innovation in control design. The way I define it is, “innovation requires fast failure.” Before you challenge that assumption, let me explain that innovation comes from adjustments in assumptions that are made as a result of obstacles that are discovered, causing pivots. Pivots are changes in direction from applying the sometimes-painful lessons learned after a failure.

Innovation is a constant iteration of small failures. The failures have to be acknowledged, understood, and then the lessons learned have to be applied – that’s the pivoting part. [Bonus: if you can learn from somebody else’s failure, even better.] This is the normal cycle for innovation. I’m certain that any innovation in consumer digital technology over the last 30 years is a direct result of some level of failure. 

The learning process, specifically in control design, is in a constant evolution and is always changing. On the enterprise security side, we have to remember that threat actors always change their tactics. It’s what makes them competent as hackers. With the evolution of threat actor tactics, comes additional pressure for enterprise security experts to match them with new capabilities, even if it means making some big bets on technology solutions that don’t pan out, don’t scale, or don’t solve the fundamental problem immediately. Failure is a thriving environment for technology innovation.

To achieve a mature security program, data science is key.

When building mature security programs, begin with the end in mind. Cyber resilience and maturity go hand in hand. An enterprise with the ability to recover quickly from security incidents, apply the learnings from those security incidents, and minimize the business impact is as good as it gets. Cyber resilience not only applies to the cybersecurity program, but also the entire enterprise. 

There are a few foundational components that security program maturity and enterprise resilience are based on. One of the foundational items, which is not necessarily well understood or acknowledged across the industry, is data science. The first person I’ve hired in the past two leadership roles is a data scientist dedicated to the cybersecurity program. There are hundreds of use cases that can be addressed and automated by using data science fundamental constructs. 

There are two ways to leverage data science for cybersecurity maturity. The first way is to apply data science skills to improve data quality for KPI information. The second way is the game changer: use behavior models to drive frontline security controls without human intervention, in near real time. 

There are many examples of attempts to use anomaly detection to discover threat actor activity within an enterprise. The approach with the highest probability of success is to discover the behaviors of legitimate users and model them using an algorithm. Next, compare streaming behavioral data to the patterns (the algorithm), resulting in a deviation score. Data aligned with a pattern represents the legitimate user. If the deviation score is too high and surpasses a predetermined threshold, an automated action (e.g., revocation of privilege) is triggered. Building behavioral models for every enterprise user enables an enterprise to confirm identity based on behavioral patterns whenever necessary. If an enterprise user requests a privilege or entitlement that is high risk, this can trigger a comparison of the user’s digital activity against the behavioral pattern, with a deviation score and a predetermined threshold. The behavioral patterns can use attribute information that is considered relatively benign (geolocation, the types of entitlements used most frequently, time of day, etc.).

If you take attribute information and then cluster it into a group, it creates a pattern. Numerically, we can create a deviation score in which we can establish a threshold, let’s just say arbitrarily a 70 and above. Then, you can assign and automate a specific treatment or action for any behavioral deviation score that is 70 and above. By being able to identify thresholds in the deviation score, you can align it with real actions. 

In this scenario, we’re eliminating context from the frontline decision. Instead, SOC analysts can step back, look across thousands of transactions, and adjust the threshold scores. Everything I’ve described relies on basic data science principles and practices: they are relatively straightforward to implement, not highly difficult, and require limited human intervention. 
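The scoring loop described above (baseline the benign attributes of each user, score a new event by how far it deviates from that baseline, and map the score to an automated treatment at a threshold of 70) can be made concrete in a few dozen lines. The following is an added illustration written for this post, not code from the author or NetSPI. The attribute weights, the 4-hour time-of-day buckets, the extra 40-point “step-up authentication” tier, and the sample events for the user “alice” are all constructed assumptions; the post only names the attributes and the 70-and-above threshold.

```python
from collections import Counter
from dataclasses import dataclass, field

# Attribute weights in percent, summing to 100. Assumed values: the post names the
# attributes (geolocation, entitlement, time of day) but not how to weight them.
WEIGHTS = {"geo": 40, "hour_bucket": 30, "entitlement": 30}

# Score tiers and the automated treatment tied to each. The 70 comes from the post;
# the 40-point step-up tier is an assumed extra tier so more than one action is shown.
THRESHOLDS = [(70, "revoke_privilege"), (40, "step_up_auth")]


@dataclass(frozen=True)
class Event:
    user: str
    geo: str          # coarse geolocation, e.g. a country code
    hour: int         # local hour of day, 0-23
    entitlement: str  # privilege or entitlement being exercised or requested

    def attributes(self):
        # Hours are bucketed into 4-hour windows so 09:00 and 10:00 count as one pattern.
        return {"geo": self.geo, "hour_bucket": self.hour // 4, "entitlement": self.entitlement}


@dataclass
class Profile:
    """Per-user behavioral baseline: how often each attribute value has been observed."""
    counts: dict = field(default_factory=lambda: {k: Counter() for k in WEIGHTS})
    n: int = 0


def build_profiles(events):
    """Cluster historical events per user into frequency counts (the 'pattern')."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e.user, Profile())
        for attr, value in e.attributes().items():
            p.counts[attr][value] += 1
        p.n += 1
    return profiles


def deviation_score(profile, event):
    """0 = every attribute matches the baseline perfectly; 100 = never seen on any attribute.
    Each attribute contributes weight * (fraction of past events that did NOT have this value)."""
    attrs = event.attributes()
    numerator = sum(w * (profile.n - profile.counts[attr][attrs[attr]])
                    for attr, w in WEIGHTS.items())
    return round(numerator / profile.n, 1)


def treatment(score, thresholds=THRESHOLDS):
    """Map a score to the highest tier it reaches; thresholds are tunable by SOC analysts."""
    for limit, action in sorted(thresholds, reverse=True):
        if score >= limit:
            return action
    return "allow"


def evaluate(profiles, event, thresholds=THRESHOLDS):
    """Score one new event against the user's baseline and choose the automated action."""
    profile = profiles.get(event.user)
    if profile is None:
        return None, "manual_review"  # no baseline yet: nothing to compare against
    score = deviation_score(profile, event)
    return score, treatment(score, thresholds)


# Constructed baseline: twelve past events for one user, all from "US", during working
# hours, mostly reading CRM data with an occasional export.
BASELINE = [Event("alice", "US", h, ent) for h, ent in [
    (9, "crm-read"), (10, "crm-read"), (11, "crm-read"), (10, "crm-export"),
    (9, "crm-read"), (14, "crm-read"), (15, "crm-export"), (16, "crm-read"),
    (10, "crm-read"), (11, "crm-read"), (14, "crm-export"), (9, "crm-read"),
]]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for ev in [Event("alice", "US", 10, "crm-read"),          # in pattern
               Event("alice", "US", 3, "payroll-export"),     # odd hour, new entitlement
               Event("alice", "RO", 3, "payroll-export"),     # everything deviates
               Event("mallory", "US", 10, "crm-read")]:       # no baseline at all
        print(ev, "->", evaluate(profiles, ev))
```

The in-pattern event scores 17.5 and is allowed; a new entitlement requested at 03:00 scores 60.0 and lands in the step-up tier; the same request from an unseen geolocation scores 100.0 and triggers the revocation action. Lowering the revocation threshold to 50 in `THRESHOLDS`, as an analyst reviewing many transactions might, moves the 60-point event into the revocation tier without any change to the model itself.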

Go beyond risk frameworks.

When I started my cybersecurity career 20 years ago there was a one-size-fits-all model for industry standard cybersecurity practices. We had a validation process where you’d choose a risk framework, align your IT management controls with the control objectives and the risk framework, then hire a third party to do an attestation on how effective your controls are against that framework. If you lined up well, you received a high maturity rating. 

Today, we have NIST CSF, NIST SP 800-53, ISO 27001, and other cyber risk frameworks. These risk frameworks are very helpful, practical, and vital tools for an enterprise. But what’s different today is that threat actor activity changes rapidly in response to adjustments in, and the effectiveness of, established controls. Many threat actors use compromised credentials in credential stuffing attacks on web sites and then monetize the account takeover. Conventional user IDs and passwords have served the enterprise well for 60 years and are reinforced through risk frameworks, but enterprises interested in cyber resilience need to consider designing new controls using data science that ultimately result in improvements to risk frameworks.

Now, the stakeholders applying an industry standard model – CEO, CFO, CIO, board, auditors, regulators, third party governance teams – have bought into this notion of one-size-fits-all to a specific risk framework. The threat actor is the one stakeholder that hasn’t bought in, uses networks of criminal syndicates to improve capabilities, and they are constantly changing and evolving their techniques. 

This does not mean that risk frameworks are obsolete, it’s quite the opposite. They are still foundational, they’re just not enough. Enterprises today need the ability to respond to incidents, learn from that, apply those lessons to improve practices, and do this in a continuous way. 

I’ve learned to look at the top cyber risks for the enterprise I’m part of and to drive investment decisions and allocation of resources based on what those risks are. It is important to recognize that any given enterprise may have a different risk profile and attack surface than others, even if they’re in the same industry. Every organization is different. How they make decisions, their cultural norms and behaviors, and their data management processes all factor into the attack surface.

My advice to cybersecurity professionals today is embrace those cyber risk frameworks. They’re excellent, and they are a source of wonderful practices. But, they’re not enough by themselves to stay ahead of today’s adversaries. Innovation in control design – perhaps using data science – is essential to achieve cyber resilience and maturity for large enterprises today.

For additional insights on cybersecurity innovation, listen to episode 028 of Agent of Influence.


EY US Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year 2021® Heartland Award Finalist

Celebrating the 35th class of unstoppable entrepreneurs who transform the Heartland Region and beyond.

Minneapolis, Minnesota  –  Ernst & Young LLP (EY US) announced that NetSPI CEO and President Aaron Shilts was named an Entrepreneur Of The Year® 2021 Heartland Award finalist. Now in its 35th year, the Entrepreneur Of The Year program honors unstoppable business leaders whose ambition, ingenuity and courage in the face of adversity help catapult us from the now to next and beyond. 

Shilts was selected by a panel of independent judges. Award winners will be announced during a special virtual celebration on Tuesday, July 27, 2021, becoming lifetime members of an esteemed community of Entrepreneur Of The Year alumni from around the world.

Entrepreneur Of The Year is one of the preeminent competitive award programs for entrepreneurs and leaders of high-growth companies. The nominees are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation, and future plans. Since its launch, the program has expanded to recognize business leaders in more than 145 cities in over 60 countries around the world.

“This recognition validates the incredible work our team is doing,” said Shilts. “NetSPI team members operate as entrepreneurs every day and it’s an honor to help lead and support some of the most brilliant people in cybersecurity.”

Regional award winners are eligible for consideration for the Entrepreneur Of The Year National Awards, to be announced in November 2021 at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2022.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Sponsors

Founded and produced by Ernst & Young LLP, the Entrepreneur Of The Year Awards are nationally sponsored by SAP America and The Kauffman Foundation. In the Heartland Region sponsors also include Colliers International, Padilla, PNC Bank, SALO, LLC, and Twin Cities Business.

About Entrepreneur Of The Year®

Entrepreneur Of The Year® is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind. It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National Overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy

About EY Private

As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets. 

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform, and operate.

Working across assurance, consulting, law, strategy, tax, and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277


SC Magazine: EDR (alone) won’t protect your organization from advanced hacking groups

On July 12, 2021, NetSPI Director of Research Nick Landers was featured in an article from SC Magazine:

Endpoint detection and response systems can often serve as a frontline defense for many organizations, collecting and storing telemetry from dispersed employee devices and using it to detect malicious activities or behaviors. However, a recent experiment by academic researchers at the University of Piraeus in Greece indicates they are far from a silver bullet when it comes to protecting your organization….

Nick Landers, director of research at penetration testing company NetSPI, told SC Media that it’s rare for one team or company to even have access to such a wide range of EDR systems, and that any research that can test and compare different products in the EDR market is valuable in and of itself. 

He said the results outlined in the study largely mirror his experience with customers, and that many advanced threat actors generally rely on two strategies for evading detection by EDR systems: using completely unique or novel tactics that can frustrate heuristic analysis or data algorithms, and “not making noise in general” by understanding what telemetry EDR systems collect and measure.

“I think the ones we see that are the most effective are ones where the attacker understands the data [the EDR system is] collecting and keeps generation of that data low,” he said. 

However, Landers said his main takeaway from the study is not necessarily that EDR products are shoddy or not worth the cost (though he again lamented the lack of access that independent third parties typically have to test such systems), but rather a “more constructive” reinforcement of the need for multiple layers of security to ensure any one tool or process doesn’t become a single point of failure.

“I think looking at the minutiae and finger-pointing and trying to identify specific products and their specific failings is a fault that belongs to everyone in the industry,” he said. “But [EDR systems] are valuable tools and while I might not agree with their strategy or their marketing or cost or licensing model or availability, I think they do contribute to a defense in depth strategy and that’s ultimately what we should all be striving for.”

To learn more, read the full article here: https://www.scmagazine.com/news/network-security/edr-alone-wont-protect-your-organization-from-advanced-hacking-groups


NetSPI to Highlight Ransomware Resiliency, Risk-Based Vulnerability Management, and Penetration Testing as a Service During Black Hat 2021

Las Vegas, Nevada  –  NetSPI, the leader in enterprise penetration testing and attack surface management, is attending Black Hat USA 2021 at the Mandalay Bay Convention Center in Las Vegas. This year, the hybrid event will be held in-person and online, featuring cybersecurity trainings, expert-led briefings, networking opportunities, and more. During the conference, the NetSPI team will feature its ransomware attack simulation service and will unveil new, innovative features added to its penetration testing and vulnerability management platform, Resolve™. Connect with NetSPI’s penetration testing and ransomware experts at the Black Hat Business Hall (in-person or virtually) at booth #1579.

To learn more, visit the Black Hat USA website.

Who:

Jake Reynolds, Head of Product at NetSPI
Scott Sutherland, Practice Director at NetSPI

What:

Black Hat Business Hall (In-Person and Virtual)
Meet the NetSPI team at booth #1579 to learn more about their expertise in enterprise penetration testing and attack surface management. Get a first look and demo of NetSPI’s new risk scoring feature and learn more about its ransomware attack simulation service. Bonus: Visit the in-person or virtual NetSPI booths for a chance to win a 128 GB Oculus Quest VR headset.

CANCELED: NetSPI Happy Hour at the Mandalay Bay Foundation Room
NetSPI’s August 4 happy hour during Black Hat at the Mandalay Bay Foundation Room has been canceled to limit the spread of the COVID-19 Delta variant, following the latest CDC guidance. The ransomware session will now be available as a webinar on August 17. Register here: How to Build and Validate Ransomware Attack Detections

When:

Black Hat In-Person: 
August 4, 2021 | 10am – 6pm PT
August 5, 2021 | 10am – 4pm PT

Black Hat Virtual: 
August 4, 2021 | 8:30am – 5pm PT
August 5, 2021 | 8:30am – 4pm PT

Where:

Black Hat In-Person Business Hall: 
Booth #1579
Mandalay Bay Convention Center
Las Vegas, NV

Black Hat Virtual Business Hall: 
Booth #1579

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About Black Hat

Founded in 1997, Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.

Press Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277


Security Magazine: Four ways to optimize your red team operations

On July 12, 2021, NetSPI was featured in Security Magazine:

Red teaming is an essential activity in any security program, but it only provides value if done right.

Red teams put an organization’s security controls, policies, response and training to the test using the tactics, techniques and procedures (TTPs) of real-world adversaries. It differs from penetration testing as it aims to achieve a specific goal or target. For example, a red teaming operation may target intellectual property, infiltrate a critical business process, or exfiltrate sensitive data from a particular application. However, the real value lies in better understanding critical business processes and the level of effort and sophistication required by an attack to exploit those processes to achieve the desired outcome.

To learn more, read the full article here: https://www.securitymagazine.com/articles/95620-four-ways-to-optimize-your-red-team-operations


How to Maintain Secure Social Interactions When Returning to the Office

At the onset of COVID-19, many organizations went from protecting a few offices to protecting hundreds or even thousands of satellite offices as employees headed home to work. IT and security teams were challenged to quickly – and securely – enable their colleagues to work outside of the office perimeter.

According to a recent Glassdoor survey of employed U.S. adults, 72 percent said they are ready to return to their company’s office, with 45 percent expecting to return to the office in some capacity this summer. 

What does ‘in some capacity’ mean? Well, the pandemic has reimagined where and how work gets done. PwC’s US Remote Work Survey found that employees are anticipating a hybrid work model, in which they will be required to go into the office no more than three days each week. With the growing hybrid workforce, comes its own IT and security challenges, including managing security patches and updates, ensuring security within home environments, and monitoring user behavior.

In a CIO round table discussion, Microsoft security architect Wayne Anderson pointed to user behavior as one of the biggest cybersecurity risks of today’s hybrid workforce. I couldn’t agree more. As with any crisis, the COVID-19 pandemic has created a mass amount of confusion among employees – and in turn an increase in social engineering attempts. Just look at the results of the 2021 Verizon Data Breach Investigations Report. Over the past year, 85 percent of breaches involved a human element and social engineering attacks topped the list of attack patterns. 


Now, the hybrid workforce and the imminent return to the office presents new opportunities for sophisticated social engineering attacks. Successful social engineering scenarios could include: 

  • A malicious link or attachment embedded in emails outlining realistic return to office protocols.
  • Contacting the help desk to enroll a new multifactor token for the VPN.
  • Gaining physical access after an attacker convinces the office manager or colleagues that it is their first day at the office.

To help prevent employees from falling victim and maintain secure social interactions, here are five considerations to pay close attention to:

  1. The hiring process did not stop over the past year. When your employees return to the office, there will be new faces and names. During this time of transition, there should be a heightened sense of awareness for your physical security. Remind employees of physical security protocols and have an established method of identity verification to confirm employment of new faces. Follow the same identity verification methods regardless of the communications channel: phone, email, and in-person.
  2. Audit your physical security procedures. Who owns physical keys to the office space, access credentials, employee badges and ID cards, etc.? Audit who has access to what and ensure you disable access that is no longer needed.
  3. Practice the principle of least privilege. Least privilege means enforcing the minimal level of user rights that allow an employee to perform their role. For example, marketing should not have access to client financial data. Restrict access for each employee to limit the breadth and impact of a social engineering attack.
  4. Allow only authorized devices on your corporate network. As people go back and forth from home offices to corporate offices, ensure that personal or BYOD (bring your own device) devices are enrolled into your IT asset management program and only provision access where necessary.
  5. Regularly test your employees with social engineering penetration tests. Real adversaries attempt to trick employees into exposing sensitive information every day. Make sure your employees are receiving the proper security awareness training and understand your organization’s procedural security controls. Social engineering penetration tests can include phishing assessments, vishing assessments, and on-site social engineering. 

NetSPI’s social engineering security consultants practice empathy and collaboration during every assessment. Empathy is critical in social engineering because it is important to recognize that the employees being tested are human, and social engineering aims to manipulate human behavior. It is imperative not to punish an employee for clicking on a malicious link; rather, inform them and correct the behavior in a proactive, positive way. Collaboration is key to a successful engagement. At project kickoff we work with our clients to identify social engineering scenarios to avoid as well as employees who should or should not be targeted.

While user behavior may be one of the biggest risks to a hybrid workforce, it is also one of your greatest assets to defend against adversaries. If you can inform employees on how to practice the best behaviors to prevent social engineering attacks, you will stay one step ahead of adversaries at a pivotal point in time: the return to the office.

Work with NetSPI’s pentesters to prevent social engineering attacks.
