[vlog] Problems Phishing

Many organisations consider performing phishing tests against their own staff; whilst this can be a great way to determine your risk exposure and the effectiveness of security awareness training, it can actually introduce problems into your security strategy too. In this episode I talk about a few common issues with company phishing campaigns: 1. Vanity Metrics – where companies perform biased testing (unintentionally or otherwise) which causes a positive shift in their metrics but not necessarily the same positive shift in their security. 2. Repetitive Scenarios – there are a lot of different scenarios a phisher could try, if …

[vlog] Physical Access Testing

In my job as a security tester I often have the weird task of physical access penetration tests. That’s breaking into buildings for a living. So here I give a little introduction to what they are and some of the aims customers have when they procure a test of this nature. Whether it involves lock-picking or social engineering, it’s a weird job.

[vlog] Pen Testing v Red Teaming

Red Teams are a romanticised part of security testing, and whilst red team engagements are usually amongst the most fun to deliver, being fun to deliver doesn’t mean they’re always the most effective from a security point of view. A lot depends on the target organisation’s maturity, defensive capability, and engagement goals.

[vlog] An Introduction to Cloud Computing

Many Clouds in the Sky

A couple of days ago, I posted an article about Penetration Testing within AWS. I commented on the different kinds of testing within this kind of environment; however, I didn’t add much detail regarding the kinds of environments, as I was speaking specifically of AWS. So I decided to break things down a little further:

Part 1. An Introduction to Cloud Computing (you are here)
Part 2. An Introduction to Penetration Testing AWS: Same Same, but Different
Part 3. An Introduction to PenTesting Azure

I’m going to do a short piece here to …

[vlog] Vulnerability Assessments vs Penetration Tests

I occasionally see the terms Vulnerability Assessment and Penetration Test used interchangeably, or worse, phrases such as “Automated Penetration Test” – something that really pains me, as these are very distinct types of assessment. In this article I’d like to show the distinctions between the different types of assessment. Setting aside any argument over specific terminology, I aim to explain the different approaches that can be taken and the aims of each, regardless of what you choose to call them. I aim to help companies engage with their security assessment providers to ensure that the service they’re getting is what they are …

[vlog] Becoming a Penetration Tester

The aim of this post is not to talk about how to perform effective penetration tests, but rather about taking the first steps towards a career as a Penetration Tester. I want to talk about the kind of things that I look for in candidates, the kind of skills that I found useful when starting out, and, as a candidate, what to look at first. Information Security is a huge field and you’ve got a whole career to learn all of the details, but where should you start?
