8 Tips for Penetration Testing

Posted by Ashley Sims - Marketing Manager on Tue, May 24, 2016

You think that you're safe, that your network is secure, that your firewalls are protecting you - but how will you know if you don't test it? 

A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. You may also have heard the terms "Red Hat" or "White Hat" used for this kind of testing because, while they are trying to hack into your system, these "attackers" are doing so in an ethical effort to find the vulnerable parts of your network so that they can be patched. 

There are many options for penetration testing. Whether manual or automated, a pen test systematically compromises servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other points of exposure. 

With so many things to test and so many options for testing, how do you know if you're getting the most out of your test? 

Download 8 tips to help you get the most out of your penetration test. 



Tags: vulnerability management, vulnerability, pen-testing, penetration testing

New Version of TeslaCrypt, Cisco Patches Five Vulnerabilities, Sony Confirms Two-Factor Authentication Coming to PlayStation and More in This Week's #TechTuesday.

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 26, 2016
In this week's #TechTuesday: A new TeslaCrypt variant is being hidden in delivery tracker emails, Cisco patches five product vulnerabilities, researcher finds backdoor that accessed Facebook employee passwords, man arrested in data breach that exposed 55M Filipino voters, and Sony confirms two-factor authentication for PlayStation network. 

Tags: authentication, #techtuesday, data breach, malware, password, vulnerability

How does Vulnerability and Access Risk Management Work?

Posted by Felicia Thomas on Thu, Mar 31, 2016
When a company wants to prevent breaches that come through vulnerabilities, it can detect them with a vulnerability scanner. These scanners will show all vulnerabilities in the infrastructure, from tens to thousands, depending on the size of the network. In addition, many vulnerability management solutions offer antivirus software capable of fact-finding analysis to discover undocumented malware. If it finds software behaving suspiciously, such as attempting to overwrite a system file, it will provide an alert.
Fast-acting correction to these vulnerabilities, such as adding security solutions, or educating users about social engineering, will be the difference between exposing a system to potential threats and protecting the system from those threats.
Access risk management (ARM) is the part of an IAM solution that identifies, assesses, and prioritizes risks from an access provisioning and compliance perspective. Because risk comes from many sources, access risk management helps to continuously monitor a system while providing preventative measures to manage user access and account entitlements.
Having VARM as a threat solution helps when identifying the sources of potential risk. Risk sources are often found not only in technological assets but within infrastructure and other tangible elements. It is extremely difficult for IT security personnel to apply an objective and systematic observation of the state of their network without a solution in place. VARM helps to identify not only that something is wrong, but also supports a clear understanding of how, when and where to act on a potential threat. 

Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn: 


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Check list for a VARM solution 

Tags: access governance, access risk, access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Checklist for a Vulnerability and Risk Management Solution

Posted by Felicia Thomas on Thu, Mar 10, 2016

Tags: access rights, access risk, identity and access management, Identity & access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Details of 40K Cox Employees for Sale on Dark Web, Macintosh Computers Targeted with Ransomware Campaign, and More in This Week's TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Mar 08, 2016

In this week's #TechTuesday: The personal details of 40K Cox Communications employees are up for sale, Apple users are targeted in the first ransomware campaign against Macs, direct deposits for Illinois State University employees were rerouted, the Pentagon creates 'Hack The Pentagon' program, and Cisco patches vulnerabilities in Nexus devices.


Tags: personal data, ransomware, #techtuesday, hack, data breach, vulnerability

What is Vulnerability and Access Risk Management?

Posted by Felicia Thomas on Thu, Mar 03, 2016

Threat intelligence is a company’s worst nightmare which pushes cyber security and risk management to the top of the list for standard operating procedures (SOP). Traditional risk management is a thing of the past, and corporations have begun investing in top-notch security solutions for their various databases. Although no solution will ever be 100% capable of preventing attacks, there are solutions that can help provide roadblocks to deter these occurrences. With proper detection solutions, a company becomes proactive—rather than reactive—to fight against vulnerabilities that exist in their systems.

Large organizations are riddled with increasing threats to their system infrastructures and customer data. The vast majority have moved into protecting these assets with Identity and Access Risk Management (IAM). An emphasis on compliant provisioning of users, identifying and managing roles, maintaining compliant roles, and processes to manage segregation of duties (SoD) are the focuses of this type of management tool. However, in some cases, the traditional IAM solution is not enough protection against threats.

Many large corporations want an automated, rules-driven solution that can provide quick remediation around network access controls. However, before an attack occurs and remediation can begin, there is the challenge of anomalous activity detection from the infrastructure level. To help with this detection, many companies have instituted consistent monitoring by scanning the system for potential threats to safeguard their infrastructures.

Dynamic provisioning capabilities through IAM, and the proper protection to deter attacks from the infrastructure level with vulnerability management, can position a corporation to achieve the best level of protection possible. This introduces the concept of the acronym VARM – Vulnerability and Access Risk Management. It’s not just the first line of defense; it’s a complete, end-to-end solution that will break the “kill chain” from system threats within the enterprise.


Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn: 


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Check list for a VARM solution 

Tags: access risk management suite, IAM, access risk, intelligent IAM, identity and access management, Access Risk Management, Identity & access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

How to Think Like an Attacker - Part 2

Posted by Ashley Sims - Marketing Manager on Tue, Mar 01, 2016

Today we are live from the RSA showroom as our Director of Product Management, Ray Suarez, gets ready to present "A Vulnerability Maturity Model That Thinks Like an Attacker". We brought you the first part of this series last week, and if you haven't read it yet, I would urge you to go back and read How to Think Like an Attacker - Part 1.

For those of you not lucky enough to hear Ray's presentation in person, we have convinced him to share his actual presentation with all of you. Keep reading for the conclusion of "How to Think Like an Attacker." 

We started last week with a funny look at cyber security with a top 5 "you're in trouble when" list, but let's be honest, there is nothing funny about the risks in your organization. Let's imagine that you are the new CISO of an organization, and you walk in on your first day and sit down with your security team. Your first question is: "How many vulnerabilities are there in our system?" What would be an acceptable number to you? 100? 100K? What if you had 700K+ and needed to know which ones are most important? How many are high risk? How many are relatively low? Where do you even start? 

That number changes every day. With the number of servers in your environment growing at 15% per quarter - along with your business units and IT staff - you need to know what your biggest risks are so that you can target them immediately. 

Let's do some math. Out of your 700K vulnerabilities, let's just look at the "high" threats. If there are: 

  • 93K High Threat Vulnerabilities 
  • 250 Working days in a year 
  • You can fix 372 vulnerabilities per day or 1,860 per week 

The problem here? We are overwhelmed by data. Even if we spent every minute of every day fixing just the high risk, high severity problems, would we really solve almost 2,000 every week? And that assumes no new vulnerabilities pop up. The attackers are taking advantage of that limitation and are using it against you. You need a vulnerability management system that thinks like an attacker. 

Peak data overload is the most common issue for most IT security teams. Take a look at this model:


In the first two levels, you are in the wonderful stage we call "blissful ignorance", where your threats are nonexistent and you have just started the scanning process. Then you get the results of your scan, which is where you first encounter the magnitude of your issues. We will start here, with your scanner, and give you the five steps to building a vulnerability management model that thinks like an attacker. 

1. Scanning - Get the basics in order 

The first step in setting up your solution is to incorporate your business goals into your vulnerability management program. By aligning your business and IT security goals, you will establish a unified team. You need to adopt or acquire a vulnerability scanning capability that will regularly scan and help you find vulnerabilities. 

2. Assessment and Compliance - Begin actually managing vulnerabilities 

Just like with any other business system, you will need to establish a repeatable process to create metrics that you can measure. Adopting a compliance framework (PCI, FISMA, HIPAA, etc.) is the basis for vulnerability scanning and patching and helps you to implement a basic prioritization framework to deal with data overload. 

3. Analysis and Prioritization - Formalized Process 

A vulnerability management program that covers vulnerabilities, prioritization, and patching is part of a complete ecosystem. In this stage, security and/or IT operations adopt tools that add value to the data, enable prioritization, and deal with the problem of too much data. Vulnerabilities are prioritized to make the best use of limited resources and bandwidth, and metrics begin to focus on improving security rather than on being busy. 

4. Attack Management - Attacker Focused 

In this stage, processes and metrics are coupled together to understand security posture trends and to improve process and execution. Security and IT departments build continuous processes that manage the lifecycle of a vulnerability, and analytics and risk management processes and tools are used to measure risk to critical assets. The focus of the vulnerability management program has shifted from the need to patch and comply to being attacker and threat focused. Penetration testing is conducted by internal red teams and, likely, validated by external professional service teams. 

5. Business-Risk Management - Business-risk and vulnerability context 

A vulnerability management program incorporates business goals and critical assets as it looks at risk as a business-wide issue. Business leaders become engaged at the program level and routinely make decisions about where to apply limited security resources. All potential threat vectors (mobile, web, network, social, identity, wireless) have been integrated into the vulnerability management program, and the tools and processes that measure risk and provide prioritization are fully integrated with security, IT, operational and enterprise risk management functions. 

Is your vulnerability management system prepared to think like an attacker? 

For more information on how to prioritize vulnerabilities and secure your business assets, download Ray's presentation here.


Ready to see what this can look like in your organization? Request a demo of Core Insight, our market-leading vulnerability management solution. 



Tags: vulnerability management, vulnerability risk management, vulnerability, Ray suarez, Vulnerability and access risk management, rsa

How to Think Like an Attacker - Part 1

Posted by Ashley Sims - Marketing Manager on Thu, Feb 25, 2016

Confession - I loved David Letterman and I couldn't get enough of his Top 10 lists. So in that theme, I give you the

Top 5: You Know You're in Trouble When... 


5. You’re asked to move the Active Directory server to an open part of the network to ensure users can easily LOGIN
4. When your boss, who is responsible for security, asks you, “What type of security software do we use?”
3. You remind him, “the freeware version of Malwarebytes Anti-Malware”
2. A press release states, “our IT system and security measures are in full compliance with industry practices.”
1. The second press release states, “we were the victim of a sophisticated cyber attack operation.”

The Top 5 list is sort of a funny way to look at it, but if there is one thing that everyone in the security industry can agree on, it is that the hackers are getting smarter.

A firewall isn't enough to keep your network safe. You can have the strongest password in the world and still have it taken from you in a phishing scam. Healthcare and financial services records are the most valuable in the world, their security systems are top notch, and yet the hackers are still getting in. So the question becomes: how do you think like an attacker? 

First you have to understand the anatomy of a cyber-attack. Let's use the Target hack as our example for this. Target was breached the same way that many other organizations are: through stolen credentials. One of Target's partners, an HVAC company, had access to its network as a non-employee and fell victim to a phishing campaign. Once the hacker had the contractor's information, he was able to use a web application to get into Target's network. From there, the hacker was able to take any one of many lateral paths to information. 

Once the network was accessed, it was easy for the hacker to make his way to the POS system and start to exfiltrate data. The attack path here seems simple: he was in and out in only six steps. The issue is, how would you have stopped him? 

The firewall held, there was no vulnerability exploited (the hacker had valid credentials), and there were no alarms raised when the network was accessed. However, there were also no alarms raised when a contractor working on the HVAC system started working his way into the POS system. That is the problem. The hacker knew that there were no obstacles in place to alert anyone to his activity, so he was free to roam around the network, finding the information he wanted and exfiltrating it straight to the black market. 

Would you have caught the hacker when he entered the system? Would you have noticed when he accessed applications that should have been out of his reach? Would you even have caught on when massive amounts of data started disappearing from your network? 

It's time to stop playing defense and start thinking like an attacker.

Are you ready? Join us next Tuesday for a special #TechTuesday blog where Ray Suarez will be at the RSA Security Conference presenting "Grow up: It's time for a vulnerability model that thinks like an attacker".

Don't want to wait? Find out what it means to "think like an attacker" with a demo of Core Insight and see how attack path modeling can help you visualize what an attacker sees. Or download a copy of Intelligent IAM for Dummies and see what you should be looking for in an intelligent IAM system. 



Tags: Courion, cyber attack, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Hollywood Hospital Coughs up Cash to Ransomware Crooks, Instagram Adds Two-Factor Authentication, and More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Feb 23, 2016
In this week's #TechTuesday roundup: Hollywood Presbyterian Medical Center pays up to ransomware crooks, Instagram announces the roll-out of two-factor authentication, the University of Greenwich exposes student info online, a Lyft flaw lets users access the information of other riders, and a vulnerability in SimpliSafe's home security system could allow hackers to control the alarm system. 

Tags: personal data, ransomware, #techtuesday, security flaw, vulnerability, Multifactor authentication

Nest Thermostat Leaks Zip Codes, New PayPal Spam, TaxAct Data Breach and More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Jan 26, 2016

In this week's #TechTuesday roundup: Nest thermostat leaked the zip codes of users, $0 PayPal invoice spam was recently discovered, tax preparation software TaxAct detected a data breach and suspended customer accounts, a major flaw in Apple's Gatekeeper system was left unpatched and Cisco patched several critical bugs that could allow device takeover.

Tags: #techtuesday, data breach, security flaw, vulnerability