Truvantis Blog

What's new in PCI DSS 3.2.1

In May 2018, the PCI Security Standards Council, the authors of the PCI DSS standard, issued a new version of that standard: version 3.2.1. Let's review the changes from 3.2 to 3.2.1.


Topics: PCI DSS

How much of your Information Security function can you safely outsource?

Outsourcing is now very common among technology companies. Sometimes a whole function, such as accounting, HR or marketing, is delegated externally. Even R&D can be delivered by remote teams, often in other countries.

So what about information security?


Topics: PCI DSS, SOC2, vCISO, HIPAA, CIS Controls

Just Walk in the front door

As an aspiring penetration tester, it is not always the elaborate rootkits or the Metasploit backdoor exploits that you need to focus on in every engagement. Sometimes the best way in is to just try the front door. If you master a simple, repeatable process for testing the login screens of any application, device or account, you will save yourself time and effort when establishing the scope of an engagement.
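One way to make that front-door check repeatable is to script it, as in the added example below (this is not code from the original post). The transport, meaning how a credential pair is submitted to the target, is injected, so the same logic can drive a real HTTP login form through a library such as `requests` or, as here, a constructed in-memory stand-in so the script runs offline. The credential list, the `FakeLoginApp` target and the "invalid"/"locked" response strings are all assumptions made for the example; a real engagement uses vendor-specific defaults and calibrates the success heuristic against one deliberately wrong login first. Only point this at systems you are authorised to test.

```python
"""Repeatable default-credential check against a login endpoint.

Added example; this is not code from the original post. The transport
(how a credential pair reaches the target) is injected, so the same logic
drives a real HTTP form through a library such as `requests` or, as here,
a constructed in-memory stand-in so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical seed list; a real engagement uses vendor-specific defaults.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
]


@dataclass
class Response:
    status: int
    body: str
    location: str = ""  # Location header on a redirect, if any


# A transport submits (username, password) and returns the target's response.
Transport = Callable[[str, str], Response]


def looks_successful(resp: Response, failure_marker: str) -> bool:
    """Success heuristic: a redirect away from the login page, or a 200
    whose body lacks the target's known failure string. Calibrate this
    against one deliberately wrong login before trusting it."""
    if resp.status in (301, 302, 303) and "login" not in resp.location.lower():
        return True
    return resp.status == 200 and failure_marker.lower() not in resp.body.lower()


def check_default_credentials(
    transport: Transport,
    candidates: Iterable[Tuple[str, str]] = DEFAULT_CREDENTIALS,
    failure_marker: str = "invalid",
    max_attempts_per_user: int = 3,
) -> List[Tuple[str, str]]:
    """Try each candidate pair, capping attempts per user so the check does
    not trigger account lockout, and return the pairs that appear to work."""
    hits: List[Tuple[str, str]] = []
    attempts: Dict[str, int] = {}
    for user, pw in candidates:
        if attempts.get(user, 0) >= max_attempts_per_user:
            continue  # attempt budget for this account is spent
        attempts[user] = attempts.get(user, 0) + 1
        resp = transport(user, pw)
        if resp.status == 429 or "locked" in resp.body.lower():
            # The target is throttling or has locked this account: stop
            # spending attempts on it (and note that lockout is enforced).
            attempts[user] = max_attempts_per_user
            continue
        if looks_successful(resp, failure_marker):
            hits.append((user, pw))
    return hits


class FakeLoginApp:
    """Constructed stand-in for a target whose admin account still carries a
    default password and which locks 'root' after two failures. Not a real
    service; it exists only so the example runs offline."""

    def __init__(self) -> None:
        self.failed: Dict[str, int] = {}

    def __call__(self, user: str, pw: str) -> Response:
        if (user, pw) == ("admin", "password"):
            return Response(302, "", location="/dashboard")
        self.failed[user] = self.failed.get(user, 0) + 1
        if user == "root" and self.failed[user] >= 2:
            return Response(200, "Account locked")
        return Response(200, "Invalid username or password")


def demo() -> List[Tuple[str, str]]:
    """Run the check against the constructed target."""
    return check_default_credentials(FakeLoginApp())


if __name__ == "__main__":
    for user, pw in demo():
        print(f"default credentials accepted: {user}:{pw}")
```

The per-user attempt cap and the early stop on a throttled or locked response are the parts worth keeping when you adapt this: a check that locks out real accounts turns a quick win into an incident for the client.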


Topics: Penetration Testing

7 Advantages of using a "virtual CISO" (vCISO)


A growing trend in the world of Cyber Security is the outsourcing of some or all of the Information Security team.

This can be just a small part - vulnerability management; vendor risk management; responding to customer questionnaires. It could be just the leadership function, a virtual CISO or vCISO. Or it could be the entirety of the Information Security team.

As you evaluate the pros and cons of in-house vs. outsourced, consider the following.


Topics: PCI DSS, SOC2, CISO, vCISO, HIPAA, CIS Controls

Common Key Controls Tested in PCI DSS assessments

If your company is interested in, or required to, become PCI DSS compliant, there is a list of key controls you must have in place, with proper auditing around them, to present to the PCI DSS assessors during the testing period. Being able to easily identify where these controls live and how they are managed within your organization is essential. This article gives a comprehensive overview of the controls you need in order to get a jump start on your PCI DSS assessment.


Topics: PCI DSS

The Secret Behind VI edit permissions

Penetration testing takes a lot of prior knowledge about a specific technology or system in order to really understand how it can be exploited. There are many loopholes that give a potential malicious actor an opportunity to breach your systems. As a pentester, you want to keep learning and building a playbook of checks that you can execute quickly in every engagement. One check that belongs in every pentesting playbook concerns the Linux OS and, more specifically, the config file editor "VI": when a user is allowed to run it with elevated privileges, its built-in shell escape hands that user a privileged shell.
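The check itself is short: look at `sudo -l` for rules that run vi, vim or a similar editor as root, because from inside the editor `:!/bin/sh` (or `:shell`) spawns a shell with the editor's privileges, and `:e /etc/shadow` reads any file regardless of which file the rule named. The added example below (not code from the original post) automates that review over a constructed `sudo -l` listing; the user, host and paths are invented for the example, and the binary list is a starting point rather than an exhaustive one.

```python
"""Flag sudo rules that hand out a root shell through an editor.

Added example; this is not code from the original post. The `sudo -l`
output below is constructed for the example, not captured from a real
host, and the binary list is a starting point, not exhaustive.
"""
import re
from typing import List

# Editors and pagers with a built-in shell escape (the usual suspects).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "vimdiff", "nano", "less", "more", "man"}

SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host1:
    env_reset, mail_badpass

User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/vi /etc/hosts
    (root) /usr/bin/vim
    (root) NOEXEC: /usr/bin/vim /etc/motd
    (root) sudoedit /etc/nginx/nginx.conf
    (root) /usr/bin/systemctl restart nginx
"""

# Rule lines look like "(runas) TAG: TAG: /path/to/command args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def find_shell_escape_rules(sudo_l_output: str) -> List[str]:
    """Return the sudo rules that let the user reach a privileged shell
    through an editor. A rule is treated as safe if it uses sudoedit (the
    editor runs as the invoking user on a temporary copy of the file) or
    carries the NOEXEC tag (sudo stops the editor from exec'ing a child
    such as /bin/sh). Naming a specific file in the rule does not help:
    the shell escape works whatever file was opened."""
    findings: List[str] = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary == "sudoedit":
            continue
        if "NOEXEC:" in m.group("tags"):
            continue
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(line.strip())
    return findings


if __name__ == "__main__":
    for rule in find_shell_escape_rules(SAMPLE_SUDO_L):
        print("privileged shell reachable via:", rule)
```

On the defensive side, prefer `sudoedit` over granting the editor itself: `NOEXEC` relies on sudo preloading a library into the editor, so a statically linked or otherwise non-cooperating binary can sidestep it, while `sudoedit` never runs the editor as root at all.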


Topics: Penetration Testing

Hiding in plain sight: 3 Quick Checks for Low Hanging Fruit

Knocking out the low-hanging-fruit vulnerabilities quickly as a pentester comes down to knowing that they exist and having a quick way to check for them. Here are a few quick-hit, low-hanging vulnerabilities that can provide the biggest kickoff point for an investigation.


Topics: Penetration Testing

Nmap sees all things

A big part of penetration testing is reconnaissance and discovery. If you cannot properly map the network you are testing, you may miss possible avenues into the infrastructure. Nmap is a command-line tool that takes the stress out of this for you. There is also a GUI version called Zenmap that provides the same functionality.
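Discovery only pays off if its results feed the next step, so the added example below (not code from the original post) parses Nmap's grepable output (`-oG`) into structured host/port data that later tooling can consume. The scan text is constructed to look like `nmap -sV -oG -` output and was not captured from a real network; the addresses come from the 192.0.2.0/24 documentation range and the hostnames and versions are invented.

```python
"""Turn Nmap grepable output (-oG) into structured host/port data so that
discovery feeds the next step instead of being read by eye.

Added example; this is not code from the original post. The scan output
below is constructed to look like `nmap -sV -oG -` and was not captured
from a real network (192.0.2.0/24 is a documentation range).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -sV -oG - 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.2 (db.example.test)\tStatus: Up
Host: 192.0.2.2 (db.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.42/
# Nmap done at Tue Jan  2 10:00:12 2024 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


@dataclass(frozen=True)
class Port:
    host: str
    hostname: str
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_grepable(text: str) -> List[Port]:
    """Parse every 'Ports:' entry. Fields of a Host line are tab-separated;
    each port is port/state/protocol/owner/service/rpc info/version/
    (seven slash-separated fields, several of them usually empty)."""
    ports: List[Port] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        _, host, hostname = fields[0].split(" ", 2)  # "Host: 192.0.2.2 (name)"
        hostname = hostname.strip("()")
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than guess
                ports.append(Port(host, hostname, int(parts[0]), parts[2],
                                  parts[1], parts[4], parts[6]))
    return ports


def open_ports_by_host(ports: List[Port]) -> Dict[str, List[int]]:
    """Open ports grouped per host: the usual input to the next phase."""
    result: Dict[str, List[int]] = defaultdict(list)
    for p in ports:
        if p.state == "open":
            result[p.host].append(p.number)
    return dict(result)


def hosts_running(ports: List[Port], service: str) -> List[str]:
    """Hosts exposing a given service, e.g. every host with 'ssh' open."""
    return sorted({p.host for p in ports if p.state == "open" and p.service == service})


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host, numbers in open_ports_by_host(scan).items():
        print(host, numbers)
    print("mysql hosts:", hosts_running(scan, "mysql"))
```

Run a real scan with `nmap -sV -oG scan.gnmap <targets>` and feed the file's contents to `parse_grepable`; the same structure then drives service-specific checks without anyone re-reading the raw listing.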


Topics: Penetration Testing

Top 5 free pentesting tools for quick results

Accurately performing a pentest on a network you are not familiar with takes both knowledge of the underlying infrastructure (so you can navigate it) and the proper tools for the job. Just as a construction worker has a toolbox for the work at hand, so will you. Here are my top 5, all highly recommended in the industry.


Topics: Penetration Testing

Establishing and maintaining SOC2 compliance

Many companies, especially start-ups, need to maintain a SOC2 attestation but would rather not hire a full-time CISO. So who is going to make sure that you pass your next SOC2 audit? Enter the virtual CISO. Outsourcing your Information Security program is a great way to support sales with a SOC2 report without breaking the budget by staffing a large team.


Topics: SOC2
