Truvantis Blog

Being able to quickly knock out the low hanging fruit vulnerabilities as a pen-tester is just having the knowledge that they exist and finding quick way to check for them. Here are a few quick hit, low hanging vulnerabilities that could provide the biggest kickoff point when doing an investigation.

A big part of penetration testing is recon and discovery. If you cannot properly identify the network you are testing, you may be missing possible avenues into the infrastructure. Nmap is a command line solution that takes the stress out of this for you. There is also a GUI interface version called Zenmap that provides the same functionality.

Being able to accurately perform a pentest on a network that you are not familiar with takes both knowledge about the underlying infrastructure (to be able to navigate) and the proper tools for the job. Just like a construction worker has his toolbox of tools needed to perform his duties, so will you. Here are my top 5 that are highly recommended in the industry.

Many companies, especially start ups, need to maintain a SOC2 certification but would rather not hire a full time CISO. So who is going to make sure that you will pass your next SOC2 audit. Enter the Virtual CISO. Outsourcing your Information Security program is a great way to support sales with the SOC2 certification without breaking the budget by staffing a large team.

QSAs have to validate the scope of a PCI assessment. It's one of the biggest areas of contention, but limiting scope is of paramount importance to reducing the complexity of an assessment. One of the ways in which QSA's are encouraged to validate scope is to have the client run a cardholder data (CHD) discovery tool over the entire environment (not just the expected Cardholder Data Environment (CDE)), to discover any unexpected CHD and either bring those people, processes and tools into the scope, or get them excluded and their access to CHD removed.

In my time in enterprise-level support, I was often asked how to reset the master password on various devices after the existing password had been lost for one reason or another.

Some organizations completely ignore important aspects of the backup recovery and validation process. This creates a significant ongoing data security vulnerability.

Something I hear continually is that recent computer science graduates have not even been introduced to the notion of secure coding. They may have been taught to program in half a dozen different languages and styles, but their assignments have never been run through a static code checker to validate that all the best practices have been followed from a security standpoint. I have interacted with many computer engineers happily producing insecure (unsafe) product. Secure Coding 101 may not exist, far less 201.

PCI DSS v3.2, section 10.4 requires all critical assets to be synchronized for time, and recommends using one of the authoritative time sources such as ntp. That requirement, however, only begins to scratch the surface of what controls time in a computing environment.

Everybody - Immediately

• Existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place
• New implementations must not use SSL and/or early TLS