Cybersecurity Articles

Article / Updated 06-23-2022

Hackers use a variety of means to gain passwords. One of the most common ways for hackers to get access to your passwords is through social engineering, but they don’t stop there. Check out the following tools and vulnerabilities hackers exploit to grab your password. Keystroke logging One of the best techniques for capturing passwords is remote keystroke logging — the use of software or hardware to record keystrokes as they’re typed. Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it’s not done correctly. Discuss with your legal counsel what you’ll be doing, ask for her guidance, and get approval from upper management. Logging tools used by hackers With keystroke-logging tools, you can assess the log files of your application to see what passwords people are using: Keystroke-logging applications can be installed on the monitored computer. Check out Veriato's Cebral, as one example. Dozens of such tools are available online. Hardware-based tools fit between the keyboard and the computer or replace the keyboard. A keystroke-logging tool installed on a shared computer can capture the passwords of every user who logs in. Countermeasures against logging tools The best defense against the installation of keystroke-logging software on your systems is to use an antimalware program or a similar endpoint protection software that monitors the local host. It’s not foolproof but can help. As with physical keyloggers, you’ll need to inspect each system visually. The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren’t downloading and installing random shareware or opening attachments in unsolicited emails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows. Alternatively, you could use a commercial lockdown program, such as Fortres 101 for Windows or Deep Freeze Enterprise for Windows, Linux, and macOS X. A different technology that still falls into this category is Carbon Black’s “positive security” allow listing application, called Cb Protection, which allows you to configure which executables can be run on any given system. It’s intended to fight off advanced malware but could certainly be used in this situation. Weak password storage Many legacy and stand-alone applications — such as email, dial-up network connections, and accounting software — store passwords locally, which makes them vulnerable to password hacking. By performing a basic text search, you can find passwords stored in clear text on the local hard drives of machines. You can automate the process even further by using a program called FileLocator Pro. How hackers search for passwords You can try using your favorite text-searching utility — such as the Windows search function, findstr, or grep — to search for password or passwd on your computer's drives. You may be shocked to find what’s on your systems. Some programs even write passwords to disk or leave them stored in memory. Weak password storage is a criminal hacker’s dream. Head it off if you can. This doesn’t mean that you should immediately run off and start using a cloud-based password manager, however. As we’ve all seen over the years, those systems get hacked as well! Countermeasures against weak passwords The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This practice may not be practical, but it’s your only guarantee that your passwords are secure. Another option is to instruct users not to store their passwords when prompted. Before upgrading applications, contact your software vendor to see how it manages passwords, or search for a third-party solution. How hackers use network analyzers to crack passwords A network analyzer sniffs the packets traversing the network, which is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in. Finding password vulnerabilities with network analyzers The image below shows how crystal-clear passwords can be through the eyes of a network analyzer. This shows how Cain & Abel can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these clear text password vulnerabilities can apply to FTP, web, Telnet, and more. (The actual usernames and passwords are blurred to protect them.) If traffic isn’t tunneled through some form of encrypted link (such as a virtual private network, Secure Shell, or Secure Sockets Layer), it’s vulnerable to attack. Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products Omnipeek and CommView, as well as the free open-source program Wireshark. With a network analyzer, you can search for password traffic in various ways. To capture POP3 password traffic, for example, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data. Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours. Check your switch’s user guide to see whether it has a monitor or mirror port and for instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You’ll capture only those packets that are entering or leaving your network — not internal traffic. Countermeasures against network analyzers Here are some good defenses against network analyzer attacks: Use switches on your network, not hubs. Ethernet hubs are things of the past, but they are still used occasionally. If you must use hubs on network segments, a program like sniffdet for Unix/Linux-based systems and PromiscDetect for Windows can detect network cards in promiscuous mode (accepting all packets, whether they’re destined for the local machine or not). A network card in promiscuous mode signifies that a network analyzer may be running on the network. Make sure that unsupervised areas, such as an unoccupied lobby or training room, don’t have live network connections. An Ethernet port is all someone needs to gain access to your internal network. Don’t let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and then capture packets. Switches don’t provide complete security because they’re vulnerable to ARP poisoning attacks. How hackers break weak BIOS passwords Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer’s hardware settings that are stored in the CMOS chip. Here are some ways around these passwords: You usually can reset these passwords by unplugging the CMOS battery or by changing a jumper on the motherboard. Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers. If gaining access to the hard drive is your ultimate goal, you can remove the hard drive from the computer and install it in another one, and you’re good to go. This technique is a great way to prove that BIOS/power-on passwords are not effective countermeasures for lost or stolen laptops. Check cirt.net for a good list of default system passwords for various vendor equipment. Tons of variables exist for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual, or refer to the BIOS password-hacking guide. If protecting the information on your hard drives is your ultimate goal, full (sometimes referred to as whole) disk is the best way to go. The good news is that newer computers (within the past five years or so) use a new type of BIOS called unified extensible firmware interface (UEFI), which is much more resilient to boot-level system cracking attempts. Still, a weak password may be all it takes for the system to be exploited. Weak passwords in limbo Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts may need to be created for new employees or even for security testing purposes. Accounts may need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts. Password weaknesses in user account Here are some reasons why user accounts can be vulnerable: When user accounts are reset, they’re often assigned an easily cracked or widely-known password (such as the user’s name or the word password). The time between resetting the user account and changing the password is a prime opportunity for a break-in. Many systems have default accounts or unused accounts with weak passwords or no passwords at all. These accounts are prime targets. Countermeasures against passwords in limbo The best defenses against attacks on passwords in limbo are solid help-desk policies and procedures that prevent weak passwords from being available at any given time during the new-account-generation and password-reset processes. Following are perhaps the best ways to overcome this vulnerability: Require users to be on the phone with the help desk or to have a help-desk member perform the reset at the user’s desk. Require that the user immediately log in and change the password. If you need the ultimate in security, implement stronger authentication methods, such as challenge/response questions, smart cards, or digital certificates. Automate password reset functionality via self-service tools on your network so that users can manage most of their password problems without help from others.

Cheat Sheet / Updated 03-15-2022

The General Data Protection Regulation (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?

Cheat Sheet / Updated 03-14-2022

Security awareness is much more complicated than just making users “aware.” Implementing an effective security awareness program means that you aren’t just providing information — rather, you’re specifically improving security related behaviors

Cheat Sheet / Updated 03-01-2022

Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.

Cheat Sheet / Updated 02-24-2022

Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. Look here to discover some straightforward tips on how to keep yourself — and your loved ones — safe when using the internet to shop, as well as how to avoid common cybersecurity mistakes.

Cheat Sheet / Updated 02-24-2022

Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.

Cheat Sheet / Updated 01-10-2022

So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). With all of these advantages comes additional responsibilities. Cloud service providers do provide some security for your applications and data, but you share responsibility with them. Primarily, those responsibilities include managing access to your cloud resources and maintaining the security of your applications. While it may seem that having responsibility for two things is not a lot of work, it’s quite a challenge. Following, are the essentials of cloud security.

Article / Updated 12-29-2021

One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve aren’t dictated). The GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation. However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators. Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons: The GDPR needs to fit into the member state’s legal framework. National legislation is needed to choose from the exemptions permitted by the GDPR. At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established. Data protection laws Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights. This list describes a handful of additional points about these laws to keep in mind. Data protection laws: Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed. Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few). Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protections laws, the vast majority of countries around the world have some form of data protection laws. Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on. Prevent common misuses of personal data: Organizations often fail to (a) put in place appropriate measures to keep personal data secure (b) inform the data subject at the point of data collection about what it is intending to do with the personal data and where necessary to obtain consent and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses. Countries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data. Regulation/Enforcement Strength of Data Protection Laws Worldwide Type of Regulation/Enforcement Countries Tough Australia, Canada, Hong Kong, South Korea Strong Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand Light Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine Limited Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay The 10 most important obligations of the GDPR The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book: Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it. Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it. Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident. Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA). Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data-processing. Update your Cookie Policy to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained. Ensure that your staff are appropriately trained in relevant areas of the GDPR. Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary. Determine whether you need to appoint a data protection officer (DPO). If you do, take the necessary steps to hire a suitable candidate. Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data. The consequences of non-compliance Think of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant. Increased fines and sanctions The GDPR has introduced significant increases in the maximum fines for breaches of its requirements. Under the GDPR, the fine for certain breaches of the GDPR have been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fines have increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher. This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated. This is not to say that you will be fined these amounts for any infringements of the GDPR. You would have to do something that significantly impacts on the rights and freedoms of a large number of data subjects to incur a maximum fine. Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for the enforcement of the GDPR. Civil claims Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So, if, for example, you don’t respond appropriately to a data subject right request (namely where the data subject can request details of the personal data you process for that data subject) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim. As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller. A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend the claim. Data subject complaints The general public is much savvier about their data protection rights than they used to be, for these reasons: The introduction of the GDPR garnered a lot of publicity due to the increased sanctions. Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights. Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling), and the British Airways data breach case have received broad coverage in the media. This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly to the data controller and to supervisory authorities. The two situations require two different responses: If the data subject complains directly to you (the data controller): Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer. If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints. These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data or to force you to respond to the data subject’s requests to exercise their rights. Brand damage When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory but also brand damage. A report by Axciom (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data. Loss of trust If you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose trust from your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you. In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m). In 2018, CompariTech carried out a report finding that, in the long term, organizations that have suffered data breaches financially underperformed. Be a market leader By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage. Elizabeth Denham, the United Kingdom information commissioner, summed up this idea nicely: “Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”

Article / Updated 12-29-2021

Penetration testing is always evolving. More complex cyberattacks require more sophisticated pen tester. Here are ten tips to help you refine your pen testing skills as you continue in your career or education. Continue your education to improve your pen testing skills Keep learning. Study often and do not limit the scope of your studies. You can get by in your career by learning the basics, getting the tools, and running them. However, you need to learn the finer details of information technology systems, networks, and services and how they are secured or threatened. The ways you can continue your education are unlimited. However, if on a budget (or have resources to access resources within a budget), here are a few ways you can help yourself: Use your library. To access the internet, books, publications, magazines, and other materials, use your public library system. Some libraries even hold IT classes, and in some cases, even security classes. Use the internet. You can find many sites to help with pen testing, learning about IT, security, and many other topics. You can gain access to tools and sites that allow you to learn how to conduct penetration testing, and learn operating systems and other valuable programs. Build a test PC. If you can gain access to a PC or laptop that you can turn into a test system, acquire it and use it. There are many companies likely have an older system laying around unused that you can turn into a pen test toolkit. Use virtualization. Similar to the extra PC or laptop, you can set up virtualization software that allows you access to even more systems so you can build a small virtual network within a computer and you can conduct pen testing on multiple systems from one system. The image below shows an example of a tool running within a virtualized system. Use freeware. Many demo tools give you full access for a period of time, or at least with limited functionality, that you can use to learn with. Build your penetration testing toolkit Carpenters and other trades rely on their tools to be able to do their jobs. Auto mechanics, welders, and others who use tools to conduct their work can’t do great work without tools that are maintained and preserved. The same is true of IT professionals, especially those who function in the security realm as pen testers. No matter what, consider your tools as the most important thing you can maintain. Keep the following in mind as you build your toolkit: Keeping your toolkit current is one of the hardest things to do as a pen tester. You will find some tools (sometimes older tools) are more helpful to getting the results you need. Some tools are scripts that are created and maintained by each individual pen tester. Some tools are expensive, and you need to license for them. You also need to keep them updated. For example, any tools, software, programs, applications, and systems you use need to be patched, virus scanned, updated, and kept up to date. All software must be updated. Any software that requires signature files, digital certificates, block ciphers, and any other form of additional software needs to be updated and maintained. Technology changes over time. There will be updates to the systems you use, and there will be different systems in different organizations — all this means you need to keep your toolkit current with new additions as you find you need them. Make sure your computer is updated and safe. Make sure you keep the system you run all this on current as well. Nothing is worse than the embarrassment of getting your own system hacked as a pen tester. Keep your own stuff pristine, secure, and tested. Think outside the box to be a better pen tester Never get comfortable with the same vectors, tools, patterns, and attacks. Always consider another option — the plan B. You have to constantly think outside the box to stay ahead of those who commit crimes. Think of hackers and attacks like running water. It will find a way. You, too, need to think like running water and consider, anticipate, and get ahead of different types of attacks and vectors for attacks by developing this dynamic mindset. Below is an example of a planned penetration test where the pen tester wanted to enter the network via the wireless access point. In a situation where one pen tester was working with an organization that agreed to trying another path if possible, he found another way through the internet connection (plan B) to access the network externally. He could also have accessed the network from picking up a signal from the parking lot. Think like a hacker to be a better pen tester You need to know what hackers do. As an ethical person, it’s not easy to think like a criminal. This is where the great pen testers excel. You have to think beyond what a good guy would do . . . to what someone who has ethics would do. You can read attacks that took place in the past to learn about the people who conducted the attacks. One of the oldest hackers of the past is Kevin Mitnick, who conducted hacks back in the 1990s and was arrested in 1995. Learning about Kevin and how he turned into a grey hat hacker over time helps to get inside the mind of those who conduct crimes and their motives. Get involved to improve as a pen tester Whether through conferences, online communities, or social outlets online or in person, spend some time networking with others in your field. Two conferences where you can continue your education, learn specifics of pen testing from experts in the field, meet book authors, and get access to current trends and classes about current products is Defcon and Blackhat. Normally, both are held in the United States, but over the years, the conference has grown and expanded to other countries as well. Both of these conference websites will have options to sign up for a conference, but have other options as well to view older media, papers, and research conducted over the years. It is also a great way to meet other experts in your field as you continue to grow within it. There are professional organizations that cater to pen testers, schools that form groups of like-minded individuals, governance committees, and other types of groups that allow those who conduct ethical hacking to join together and share ideas. There are government agencies that you can join to share ideas and information. Regardless of who you join up with, a community-based approach to sharing ideas has led to some of the larger crowdsharing/crowdsourcing and other group-like successes there are today. Pair up and work on some projects together to share ideas and learn more about pen testing. Use a lab for penetration testing If you buy and build one, rent space, or lease system time from others, use online resources available to you for testing or through the use of virtual machines in a lab you build — hands-on time is crucial to your success. You need to be able to run the tools, hacks, tests, and see what is possible. It’s one of the best ways to learn how to become an elite pen tester. Because there are many challenges to do this, you can still learn ways to get hands-on training: Online test sites: Online test sites let you experiment with your penetration-testing skills. A test machine: You can also set up on one computer in your home a virtual system of other machines (a virtual network) and test the systems on your base machine. The image below lays out a nice lab strategy you can use to start to develop a pen testing practice lab at work or at home. Some of the items you may want to consider in building your pen testing lab may include (but not limited to): Server infrastructure: You can either set up a server physically on your mock network or a virtual one. Either way, make sure that you have allocated resources so that you can configure targets such as a database (can be large in size), as well as multiple network connections for redundancy (cluster) or other advanced setups. Network infrastructure: From the cabling to the wireless systems —the routers, switches, access points, firewalls, and everything in between — you can configure all the network components to interconnect the devices you want to set up as resources on your mock network. Pen test system: The point of origin, which can be the laptop that you use as an ethical hacker to conduct the penetration testing. As you learn more and more, you can add systems and infrastructure to further build out the lab so you can conduct more tests. Stay informed on penetration testing Just like any other role, skill, or function, the more you know the better off you will be. Up-to-date threat information can help you learn about the myriad of attacks and patterns coming out daily. This information deepens your knowledge of what you need to be aware of as a pen tester protecting against them. You should also stay abreast of things going on in the pen test community. One great way to do this is by meeting up with others pen testers to swap information. Stay ahead of new technologies to be a better pen tester Technology is always changing. Remember when virtualization became important? Cloud? Wireless? Mobile? As each of these technologies emerged (and in some instances converged), it was important to stay on top of them because the minute they came to market, there seemed to be a ton of attacks that came right along with them. When wireless hit the market, for example, there were drive-by scanners hanging out of cars — hackers were cracking into systems in companies from the parking lot. You must know about new technologies, learning about them, and anticipating how black hat hackers might use them. There are countless resources available to learn of new technology. For example, if you know your primary targets are going to be Cisco, Citrix, Microsoft, VMWare, Linux (select a distribution), and EMC Storage, you may want to add yourself to those vendors’ websites and their mailing lists to stay ahead of updates, new patches, version updates, and so on. If you have a contract with any of these vendors, they should be sending you information; however, anyone can contact these vendors and be added to their mailing lists so you can learn more about them. For example, if you were a large Cisco networking customer, you can gain access to RSS feeds, field notices, security advisories, bug alerts, software updates, and so much more. Build your reputation as a pen tester Building your reputation is easy. For someone (anyone) to let you into these protected networks where all their data sits, they absolutely must trust you. Trust. It’s the critical piece of the proverbial pie of your career in pen testing. Identify as someone who can’t be trusted, and it’s likely you will never work for a company that needs your assistance in thwarting crime again. This means you cannot be a criminal! You need to make sure you act professionally and ethically. Build your network of peers and people who can vouch for you and continue to act in a way that is honorable and as a consummate professional. Learn about physical security All the technical knowledge, skill, tools, and experience in the world can’t save you and a company from a social engineering attack. Nothing can thwart technical security faster than social engineering. Card swipes, magnetic door locks, bio-sensor reading, cameras, physical security guards, wall hopping, and all of the other things that fall outside of the computer network where data is kept can’t stop someone from breaking and entering. Always consider physical security challenges as a pen tester and augment your technical vulnerability analysis and scans with checking how physical security and defense in depth stacks up. Ultimately, any efforts you can take to learn will help to make you a better pen tester. Learning is key.

Article / Updated 12-29-2021

As an IT professional, it doesn’t matter how much you know about penetration testing today — there is always more to learn! What you know today could become outdated as technology evolves and morphs into new innovations. With that said, here is a list of penetration testing websites and resources that will be extremely helpful to you as a security professional. If any of the websites are no longer assessible at any time, do your own online searches for keywords such as pen testing, penetration testing, and security hacking. Also make sure to fact check any data not coming from a reputable site. The sites listed here are generally reputable, but you should still consider researching things before you implement them regardless. One of the best sources of information you can use for your studies is in the help files of your software. If you use the knowledge bases that come with the tool and online at the vendor’s website, you will learn how to better use the tools and help to reinforce some of the topics learn about penetration testing along the way. SANS Institute SANS.org leads to the SANS Institute where since 1989 the site has been filled with a large amount of useful security information that is freely accessible to all. This online resource is easily searchable from the home page and within it contains many resources a pen tester can use, including the SANS Information Security Reading Room that hosts approximately 3,000 original research papers in 110 important categories of security. You can sign up for weekly bulletins, alerts, newsletters, risk alerts, and other email items that can keep you abreast of threats. You can also access the Internet Storm Center, which is an early warning system for threats. There are many other resources available such as templates, vendor product information, information on open and closed source software, and so much more. Another point of interest on the SANS website is the connection to their focused areas on pen testing. If you’re looking to make pen testing a career, being connected to this community and digging deep into their online resources can help made a value add to your education and knowledge. GIAC certifications Another point of interest on the SANS website is the connection to their certification arm of SANS, which is called Global Information Assurance Certification (GIAC). It's focused on different areas of security, such as incident response and handling, forensic, and of course pen testing. When you’re ready, you can obtain GIAC Penetration Tester certification (GPEN). Aside from being an industry standard exam that tests your ability to conduct a pen test, the GIAC website also has a wealth of information about pen testing. You’ll need to pay for the exam and the study materials that come with it. There are other tests available such as CompTIA’s Pentest+ and others, but the benefit to getting GPEN certified is that you get to connect to a community of expert pen testers as well as getting certified and educated. Software Engineering Institute Carnegie Mellon University (CMU) has long been a source of amazing security information. You’ll find information about risk assessments, pen testing, forensics, and security-based incident handling. The CMU site has a CERT landing page that hosts publications and other scholarly works about cybersecurity: CERT partners with industry experts (from areas such as technology industry, law, government, and academia) to provide advanced studies and research on relevant topics. Legal penetration sites Legal penetration sites are variously hosted by groups that provide a realistic way for ethical hackers to learn real hacking skills on networks and systems that have been left in a semi-hardened state. If you run a search on Google for “legal penetration sites,” you will pull up reputable sources to find these sites. Cisco has information in their help forums as well as security magazines (another great resource) and other sites that host these penetration test hubs where you can hone your skills. If you can’t afford to set up your own lab environment for testing purposes, then seeking outside resources such as this can really help develop your skills. Open Web Application Security Project The Open Web Application Security Project (OWASP) was established in 2001 and is currently a not-for-profit organization that works on the foundation of group collaboration. OWASP is a group that boasts open source and does so with no affiliation of any kind. Their focus is on web application hacking and the security of applications, software, web apps and programs. The frameworks, information, and resources provided help to guide a pen tester into areas of risk and vulnerabilities surrounding applications such as hacking APIs. This site can really help you better understand more in-depth details about programing and software hacking, and what you should seek to penetrate and exploit these systems as an ethical hacker. The following image shows the top ten application security risks at the any time. Tenable Tenable makes Nessus, and you can visit the website for more information on vulnerability scanning, pen testing, and risk assessments. One of the greatest things you can find on the Tenable website is a series of tools and information primarily focused on pen testing. In their research papers are details on how to become a better pen tester: The image below shows the Tenable website, where you can download Nessus for trial use, or purchase a license for permanent use. Nmap Nmap is undeniably one of the hottest and most used tools for pen testing outside of Nessus and Metasploit. Contained in Kali, Nmap is a tool that can really do it all. On the website you will find advanced usage of the tool to include subverting firewalls, spoofing scans, getting around IDS, automation and scripting of the tool, and so much more. Wireshark Wireshark is one of the de facto tools in your toolkit and a primary source of information for troubleshooting networks, information gathering, or pen testing. Within the main website you will find tons of detailed information on how to use this tool. As well, the forums where engineers talk about issues and things they find are loaded with literally thousands of pieces of valuable information that will help you learn more about networking, TCP/IP, the Internet, and how packets and frames traverse a network. Need to learn more about ports, channels, communication, sockets, protocols, packets, headers, and so on? This is the site you need to go to learn more about these details. Dark Reading In today’s pen testing world, one of the go-to sites for security professionals is Dark Reading. Dark Reading helps provide information not only on old but breaking news stories geared towards an online community of security gurus and professionals looking for more information about topics like pen testing. You’ll find newsletters and feeds and the sections on Attacks and Breaches can help you emulate scenarios in your pen testing, stay on top of trends, and conduct ethical hacks to test your security posture. Offensive Security From the distributors of Kali, Offensive Security is a company that specializes in doing penetration testing. Offensive Security offers penetration testing services as a service, and they provide a certification as well. On this site, you can learn more about pen testing from the experts who do it day in and day out. You’ll find sample checklists, tools, reports, and a lot of the things you might want to emulate in your own pen tests.