Security testing (including scanning, penetration testing, red teaming, and more), is often seen as a compliance bug bear. However, if your security team wants to provide a level of assurance to the business that if an attack was to take place, you are well placed to both defend and detect it, it is essential that you perform the right kind of testing for your business. In this post, we’ll take a look at the types of testing you should be deploying within your organization by explaining what each type of test does and what it can (and can’t) deliver for you.
We just released our latest edition of PERCEPTION, our cyber threat intelligence briefing for the financial services sector edited by Dr Graham Shaw. This contains informative, relevant and timely information about the cyber threat landscape for financial institutions, current threat actors and recent activities, and is designed to help you address the cyber risks faced by your organization.
Cyber-attacks and the impact they have on organizations are becoming much better understood. However, in facing increasingly sophisticated, targeted and untargeted attacks, the complexity and scale of the threat means that avoiding a cyber-attack is becoming harder for organizations. If a cyber-attack is going to happen at some point, it’s essential that organizations plan for, and prepare to respond to, the inevitable. But this can be easier said than done. What steps do organizations need to take to develop a cyber security strategy that ensures they are prepared?
By Michael Fratello, Security Consultant at Nettitude
Nettitude has added another string to its penetration testing bow today, following confirmation from CREST – the not-for-profit organisation that serves the needs of the technical information security marketplace – that our testing team has successfully achieved full CREST STAR (Simulated Target Attack & Response) status. STAR is arguably one of the most sophisticated approaches for delivering penetration testing. Through combining comprehensive threat data with a “Red Team” style of testing, STAR assessments are designed to deliver some of the strongest levels of assurance available to organisations across the globe.
You can’t have failed to notice the media storm in the IT and security press around the recent vulnerability in the bedrock of the internet – SSL. The service designed to be protecting our data when sent over the big bad public wire has been wide open since early 2012 within many OpenSSL deployments (unpatched OpenSSL 1.01 or 1.02beta).
There has been a lot of talk both at Nettitude and all over the world over the last 24-hours regarding the Heartbleed bug. This is possibly the biggest kink in the armor of SSL ever found, due to the fact that it affects such a large portion of hosts on the internet1.
Here at Nettitude, we have been delivering penetration tests for clients for more than a decade. Over the last 10 years we have really seen the industry mature. Many organisations understand what penetration testing is, and as a consequence it has become an integral part of many organisations information security program. However, more often than not, organisations ask us to focus on the technical aspects of a penetration test, and ignore the social aspects. In many instances, we are told that ‘management’ don’t want to look at social engineering, and as a consequence, can we provide services that focus on the technology only?
Nettitude were strongly represented at the AKJ Associates PCI London event at the Victoria Plaza Hotel on Thursday 24th January 2013. The PCI event allowed Nettitude to exhibit some new services such as our Forensic capabilities and incident response as well as showcasing our P2PE QSA accreditation.
“Networks are no longer safe if a company takes the egg-shell approach of simply using perimeter-centric hardware devices, anti-virus and anti-malware software and other approaches to keep intruders out" - William Boni, VP and CISO T-Mobile USA – Jan 2012.