Joseph Cortese Presenting at Florida Cyber Conference

Joseph Cortese Presenting, A-LIGN Exhibiting at 2019 Florida Cyber Conference

TAMPA, Fla. – September 20, 2019 – A-LIGN, a leading provider in cybersecurity and privacy solutions, announced Joseph Cortese, Penetration Testing Practice Lead at A-LIGN, will be presenting on IoT Security on 5G networks at the 2019 Florida Cyber Conference in Tampa, FL.

Secure Your Network: Learning from Capital One

A 33-year-old woman recently accessed Capital One’s customer data and shared that data on a popular code-sharing website. As data breaches continue to happen almost daily, your organization should understand how breaches occur and proactively prevent unauthorized access to your users’ data.

CLIMBERS Innovate Constantly at Girl Scouts Camp CEO STEM

The Girl Scouts of West Central Florida (GSWCF) hosted a Camp CEO STEM weekend at Florida Polytechnic University for girls in high school interested in pursuing a career in science, technology, engineering, and math.

Don’t Get Reeled In: How to Prevent Phishing Scams

Phishing scams are a serious threat to an organization, and they’re increasing in scope, complexity and number – but that doesn’t mean you’re helpless to defend yourself. In fact, it’s easier than ever to proactively protect your organization from these threats by following some simple tips.

Featured Climber: Jonathan Lopatofsky

In honor of October being National Cybersecurity Awareness Month, we sat down with penetration tester Jonathan Lopatofsky to discuss what brought him to A-LIGN and why he thinks cybersecurity is important.

Hack Harder™: Going Beyond Highs, Mediums and Lows

Penetration tests are often confused with vulnerability scans, but even penetration tests vary greatly, and it can be difficult for an organization to determine whether it is getting a quality test. Poor penetration tests are often the result of focusing on systems and vulnerabilities instead of on the target organization.

Test the Security of Your Information Systems: A Penetration Testing Case Study

One of the best ways to test your information security posture is to simulate realistic attacks through a penetration test. Penetration testing is designed to test the information security of the technologies and systems in place at your organization, identifying vulnerabilities that can lead to a data breach or security incident.

PCI DSS v3.2 and the Penetration Testing Requirements for Service Providers

In April 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2. With the update came clarifications of existing requirements, additional guidance, and seven new requirements.

Ask A Hacker: A-LIGN’s Penetration Testers Conduct a Reddit Q&A

On Thursday, October 26th, A-LIGN held an Ask Me Anything (AMA) Q&A forum on Reddit to conclude National Cyber Security Awareness Month by providing further insight into the data breach landscape. Members of our penetration testing team answered questions regarding penetration testing, hacking, and information security. Below are the top five questions asked during the forum and the answers provided by Managing Consultant Kelly Matt and Senior Consultants Van Bettis and Josh Valentine.

1. Are there any common problems that you find when conducting a penetration test? What tools are used to access a system?

The most common technical problems we find are SSL, TLS, and encryption-level vulnerabilities. Default credentials are definitely used to access a system, even something as simple as a WordPress default or a legacy system that was never changed. This is very common on printers and other Polycom systems. We find that most organizations also lack a robust vulnerability management program.

2. Does it matter which type of 2-factor authentication you use (SMS, authenticator apps, physical devices)? Are some of them more secure from various attacks?

Absolutely! Text messaging is very susceptible to attacks. Many government entities and compliance regimes are no longer allowing multi-factor authentication (MFA) to be text-based. As long as you stay away from text-based MFA, you are in a much better state. If your options are either not doing anything or using text, I would still recommend using text. We recommend using MFA everywhere you can. Google Authenticator is open source and can be used anywhere. It can be tedious, but it’s worthwhile.

3. Have there been any hacks that you have been particularly proud of?

Using cross-site scripting as an initial attack vector, along with vulnerability stacking to compromise the database’s users. Once an affected user logged into the system, their credentials were immediately sent to an offsite location controlled by us. Vulnerability stacking is when you use multiple vulnerabilities to elevate an attack vector.

Vulnerabilities that were used in the attack: cross-site scripting (XSS) and cross-tenant access (accessing unauthorized tenant accounts from another tenant).

4. How does it feel to work in a field where you must “predict” what others may do? How hard is it to find solutions to the vulnerabilities that we see around?

Being an information security professional can feel overwhelming at times. The space is constantly evolving and changing, and it would seem that Moore’s Law may, in fact, apply here too.

I have found that proactive processes that help identify and manage risks are of critical importance. The threat landscape is constantly evolving, and a system that was perfectly safe this morning can have a zero-day by the afternoon.

If you build a strong security foundation with measurable, repeatable processes, it is not that hard to defend against many of the most common attacks and vulnerabilities we see. Most of this starts with good IT hygiene and a strong culture of security.

5. When you hear of something like the Equifax breach, what do you think? What could they have done differently?

Equifax had a vulnerability management program that missed a critical vulnerability allowing remote code execution. So yes, they had a program in place, however, it needed to be reviewed to ensure it was comprehensive in doing what they thought it was doing. They became security-complacent, and the breach was indicative of that. A third-party penetration test could have caught this vulnerability, no questions asked.

Have any questions regarding penetration testing and how to secure your organization from a data breach? Contact A-LIGN’s experienced penetration testers at info@a-lign.com or 888-702-5446 for more information.