Blog

Intro

As cybersecurity professionals at Gray Tier Technologies, our continual goal is to share discoveries we keep finding on our commercial penetration testing efforts. These findings are not one-offs, they are habitual discoveries. Our effort in our sharing is to protect everyone’s data by helping to identify those secure weaknesses and flaws as part of our cyber threat protection plan. We believe that knowledge is power and shared knowledge is empowering.

Intro

As penetration testers and security professionals we now have a myriad of tools at our disposal. It seems like everyday a new product, program, or script is being released to make our jobs easier and increase our effectiveness (ok that’s debatable :).

When selecting a penetration testing company there are many factors to consider, not the least of which is the integrity and technical skill of their team. The first, and most critical, step is to decided whether or not you trust the team you’re considering. Make no mistake about it; you are inviting a third-party to attempt to compromise your most critical IT assets. If you do not have the utmost trust in the team you're about to hire - stop immediately and consider alternatives. With the global increase in corporate data breaches there is also a rise in penetration testing companies. So how do you know if you can trust the team you’re hiring? If the company has been around for a while it should be as easy as asking for references. However, if they’re a relatively new company, like Gray Tier, then it’s a bit harder. Regardless, you should still ask about previous clients. You should also ask about their methodology? How they approach their testing? What are their rules of engagement (ROE)? What is the background of the individual team members? How do they minimize risk to your assets during an engagement? These are just a few of the questions we expect our clients to ask, and likewise we should be able to provide answers to your satisfaction.

At Gray Tier, would like to reshape how network defense strategies are thought about. Network security policies are usually an afterthought. Put up some firewalls over here, sprinkle some IDS over there; maybe a host based monitoring system and presto - secured! Being compliant is not the same as being secure. No longer can an organization go through this robotic thinking of network security and assume that is good enough. Recently more companies are conducting penetration tests either by internal teams or external companies as a service. The issue with network penetration testing is that this assessment is only a snapshot in time of the organization's network security posture. As soon as something is changed within the network, is the previous assessment still valid? Networks are by nature complex systems-of-systems, and it’s very difficult to know if there are second or third order effects to adding, removing, or changing one of those systems. Moreover, your network might be secure, but are your business partners network’s secure? What kind of trust relationships do you have with them (e.g. Target)?

The cyber prefix is used everywhere these days - cybersecurity, cybercrime, cyber-attack, cyberspace, etc. What most people may not know is that, in the security community, there seems to be a vocal opinion that “cyber” is a useless term. This is probably strange to those not in the industry and we agree, but there is a sound reason behind it.