Information Security Blog

How To Save $1M With A Penetration Test

Several years ago we “formalized” our penetration testing approach into several distinct levels that correlated with the level of assurance the client was seeking and/or the risk associated with the particular network infrastructure under assessment. In that effort we also “formalized” the “less technical” aspects of the Reconnaissance phase of our testing and began referring to this portion of the testing as Deep Web Reconnaissance (DWR). While the overall effort has been very successful – explaining DWR and the value it provides has been, at times, a little challenging.

I tend to find that “stories” are often the best way to communicate abstract, complex, jargon-laden ideas (although as a security practitioner you have to be careful to obfuscate key details … which can be challenging).

The time that we found out that the firewall administrator had posted details on the configuration of his new firewall on a vendor message board that allowed us to break in and access critical intellectual property… is infinitely better than:

Domain registrars, address registries, web-based services, technical support forums, social media sites, and search engines have all developed as publicly accessible rich information repositories. These data repositories can be mined for sensitive data via aggregation tools.

A recent security incident at ODesk has given us a great story … that we don’t need to obfuscate. A malicious individual commandeered their URL by gaining access to the domain registrar account used to manage that URL. He then attempted to extort ODesk to the tune of $1,000,000. Last year, a group calling itself the Iranian Cyber Army took over similar accounts belonging to Baidu and Twitter. An attack of this nature can be devastating to the company (and its clients) as the hacker could divert all of the traffic to a site under their control, including one that looks identical to the expected site.

You would have to agree that the ODesk story is much more effective than:

DWR identifies a range of potential vulnerabilities, including technical, business information, employee information, and reputation risks. For example, domain registration weaknesses, shared infrastructure weaknesses, sensitive data indexed in search engines, sensitive data disclosure in forums, corporate information leaks…
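The registrar-account takeover in the ODesk story is the kind of “domain registration weakness” DWR is meant to surface, and it is also something a defender can check on their own domains before an attacker does. The following is an added example, not code from the original post or from the author's firm: it takes a domain record in the RDAP JSON format that registrars and registries serve for WHOIS-style lookups and flags the conditions that make a registrar-account compromise easier to carry out or more damaging once it happens: no registrar transfer lock, no registry-level lock, imminent expiry, and a registrant contact at a personal webmail provider. Both records below are constructed for illustration; the finding codes and the webmail-provider list are choices made here, not part of any standard.

```python
"""Domain-registration hygiene check over RDAP-style domain records.

Added example (not from the original post). Field names follow the RDAP
JSON response format (RFC 9083) and the status values follow RFC 8056;
the two sample records are constructed, not real lookups.
"""
import json
from datetime import datetime, timedelta

# RFC 8056 status values that block unauthorised transfers or changes.
# A "client ..." lock is set at the registrar; a "server ..." lock is set
# at the registry and survives a compromised registrar account.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}
REGISTRY_LOCKS = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}

# Personal webmail providers (list chosen for this example). A registrant
# contact here ties control of the domain to one person's mailbox.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}


def _parse_ts(iso_ts):
    """Parse an RDAP eventDate such as '2024-06-15T00:00:00Z'."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))


def _expiry(record):
    """Return the expiration event date, or None if the record has none."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return _parse_ts(event["eventDate"])
    return None


def _contact_emails(record, role):
    """Collect e-mail addresses from entities holding the given RDAP role."""
    emails = []
    for entity in record.get("entities", []):
        if role not in entity.get("roles", []):
            continue
        # vcardArray is ["vcard", [[name, params, type, value], ...]]
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                emails.append(str(prop[3]).lower())
    return emails


def check_registration(rdap_json, now_iso, expiry_warning_days=60):
    """Return a list of (code, detail) findings; an empty list means no weakness found."""
    record = json.loads(rdap_json)
    now = _parse_ts(now_iso)
    status = {s.lower() for s in record.get("status", [])}
    findings = []

    if not status & TRANSFER_LOCKS:
        findings.append(("no-transfer-lock",
                         "no transfer lock set; a compromised registrar account can move the domain"))
    if not status & REGISTRY_LOCKS:
        findings.append(("no-registry-lock",
                         "no registry-level lock; registrar-side controls are the only barrier"))

    expiry = _expiry(record)
    if expiry is None:
        findings.append(("no-expiry-date", "record carries no expiration event"))
    elif expiry - now < timedelta(days=expiry_warning_days):
        findings.append(("expiry-soon", f"domain expires {expiry.date().isoformat()}"))

    for email in _contact_emails(record, "registrant"):
        if email.rsplit("@", 1)[-1] in WEBMAIL_DOMAINS:
            findings.append(("personal-contact",
                             f"registrant contact {email} is a personal webmail address"))
    return findings


# Constructed weak record: no locks, expiry six weeks out, personal contact.
SAMPLE_RDAP_WEAK = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-corp.test",
    "status": ["active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2019-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-06-15T00:00:00Z"},
    ],
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Jane Admin"],
            ["email", {}, "text", "jane.admin@gmail.com"],
        ]],
    }],
})

# Constructed hardened record: registrar and registry locks, corporate contact.
SAMPLE_RDAP_LOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-corp.test",
    "status": ["client transfer prohibited", "client update prohibited",
               "server transfer prohibited", "server update prohibited"],
    "events": [
        {"eventAction": "expiration", "eventDate": "2027-06-15T00:00:00Z"},
    ],
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["email", {}, "text", "domains@example-corp.test"],
        ]],
    }],
})

if __name__ == "__main__":
    for label, record in (("weak", SAMPLE_RDAP_WEAK), ("locked", SAMPLE_RDAP_LOCKED)):
        print(label, check_registration(record, "2024-05-01T00:00:00Z"))
```

Run against a live RDAP response the check works the same way; the point of the locked record is that registry-level (“server …”) locks are what keep a stolen registrar password from becoming a stolen domain, which is exactly the failure the extortion attempts above relied on.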

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

  • How to deal with increasing threats
  • How to manage multiple regulatory requirements
  • How to handle client requests for attestation
  • To validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

  • Substantiate the net effectiveness of a mature control environment
  • Prove to a third party that an environment is secure/trustworthy
  • Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
  • To validate that significant changes did not have unanticipated results

About the Author:

John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor