Joseph Cortese Presenting, A-LIGN Exhibiting at 2019 Florida Cyber Conference
TAMPA, Fla. – September 20, 2019 – A-LIGN, a leading provider in cybersecurity and privacy solutions, announced Joseph Cortese, Penetration Testing Practice Lead at A-LIGN, will be presenting on IoT Security on 5G networks at the 2019 Florida Cyber Conference in Tampa, FL. “Joseph Cortese Presenting at Florida Cyber Conference”
A 33-year-old woman recently accessed Capital One’s customer data and shared that data on a popular code-sharing website. As data breaches continue to happen almost daily, your organization should understand how breaches occur and proactively prevent unauthorized access to your user’s data. “Secure Your Network: Learning from Capital One”
The Girl Scouts of West Central Florida (GSWCF) hosted a Camp CEO STEM weekend at Florida Polytechnic University for girls in high school interested in pursuing a career in science, technology, engineering, and math. “CLIMBERS Innovate Constantly at Girl Scouts Camp CEO STEM”
Phishing scams are a serious threat to an organization, and they’re increasing in scope, complexity and number – but that doesn’t mean you’re helpless to defend yourself. In fact, it’s easier than ever to proactively protect your organization from threats by following some simple tips.
In honor of October being National Cybersecurity Awareness Month, we sat down with penetration tester Jonathan Lopatofsky to discuss what brought him to A-LIGN and why he thinks cybersecurity is important. “Featured Climber: Jonathan Lopatofsky”
“Strengthen Your Defense With Our Enhanced Cybersecurity Services”
Penetration tests have always been confused with vulnerability scans, but even penetration tests vary greatly, and it can be difficult for an organization to determine whether they’re getting a quality test. Poor penetration tests are often the result of focusing on systems and vulnerabilities instead of the target organization. “Hack Harder™: Going Beyond Highs, Mediums and Lows”
One of the best ways to test your information security posture is to simulate realistic attacks through a penetration test. Penetration testing is designed to test the information security of the technologies and systems in place at your organization, identifying vulnerabilities that can lead to a data breach or security incident. “Test the Security of Your Information Systems: A Penetration Testing Case Study”
In April 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2. With the updates came clarification to requirements, additional guidance, and the additional seven new requirements. “PCI DSS v3.2 and the Penetration Testing Requirements for Service Providers”
On Thursday, October 26th A-LIGN held an Ask Me Anything (AMA) Q&A forum on Reddit, to conclude National Cyber Security Awareness Month by providing further insight into the data breach landscape. Members of our penetration testing team answered questions regarding penetration testing, hacking, and information security. Below are the top five questions asked during the forum and the answers provided by Managing Consultant, Kelly Matt, and Senior Consultants Van Bettis and Josh Valentine.
The most common technical problems we find are SSL vulnerabilities, TLS, and encryption-level vulnerabilities. Default credentials are definitely used to access a system, even as simple as a WordPress default or a legacy system that was never changed. This is very common on printers and other polycom systems. We find that most organizations also lack a robust vulnerability management program.
Absolutely! Text messaging is very susceptible to attacks. Many government entities and compliance regimes are no longer allowing multi-factor authentication (MFA) to be text-based. As long as you stay away from text-based MFA, you are in a much better state. If your options are either not doing anything or using text, I would still recommend using text. We recommend using MFA everywhere you can. Google Authenticator is open source and can be used anywhere. It can be tedious, but it’s worthwhile.
Using cross-site scripting as an initial attack vector, along with vulnerability stacking to compromise the database’s users. Once an affected user logged into the system, their credentials were immediately sent to an offsite location controlled by us. Vulnerability stacking is when you use multiple vulnerabilities to elevate an attack vector.
Vulnerabilities that were used in the attack: Cross-site scripting (XSS) and cross tenant access (accessing unauthorized tenant accounts from another tenant).
Being an information security professional can feel overwhelming at times. The space is constantly evolving and changing and it would seem that Moore’s Law may, in fact, apply here too.
I have found that proactive processes that help identify and manage risks are of critical importance. The threat landscape is constantly evolving and a system that was perfectly safe this morning can have a Zero-day by the afternoon.
If you build a strong security foundation with measurable repeatable processes it is not that hard to defend against many of the most common attacks and vulnerabilities we see. Most of this starts with good IT hygiene and a strong culture of security.
Equifax had a vulnerability management program that missed a critical vulnerability allowing remote code execution. So yes, they had a program in place, however, it needed to be reviewed to ensure it was comprehensive in doing what they thought it was doing. They became security-complacent, and the breach was indicative of that. A third-party penetration test could have caught this vulnerability, no questions asked.
See more: The Expedition to Information Security [Infographic]
Have any questions regarding penetration testing and how to secure your organization from a data breach? Contact A-LIGN’s experienced penetration testers at info@a-lign.com or 888-702-5446 for more information.