EliteSec Cyber Security Consultants, Inc.

Computer and Network Security

Cambridge, Ontario 156 followers

Pragmatic cyber security solutions designed for your unique needs.

About us

EliteSec offers comprehensive penetration testing services, which involve simulating cyberattacks to identify vulnerabilities in our clients' networks, systems, and applications. By proactively seeking out weaknesses, we help clients strengthen their defenses and prevent potential breaches. EliteSec can help test web and SaaS applications, internal/on-prem networks, wi-fi networks, mobile applications, and cloud deployments. We pride ourselves on our easy-to-read reporting, deep coverage, and ensuring you have a clear path to resolution for any findings made during testing.

Website
https://elitesec.io
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Cambridge, Ontario
Type
Self-Owned
Founded
2018
Specialties
cybersecurity, penetration testing, vciso, virtual ciso, security program, security consulting, and cybersecurity consulting

Updates

  • John's writing a book! Come read about our other major offering outside of Penetration Testing!

    John Svazic

    Cybersecurity Consultant | Penetration Tester | Speaker | Trainer | Conference Organizer | Offering pragmatic advice and candid discussions about cybersecurity to Scale-ups and SMBs.

    I post a lot about #cybersecurity, specifically #penetrationtesting, but did you know that we also offer gamified #tabletop exercises? These are scenario-based exercises for organizations to practice dealing with a disaster, such as a ransomware outbreak, shutdown due to weather (blizzard, etc.) or major outage in a data center. Think of it as a fire drill for a disaster recovery plan. I came up with the idea for adding a gamified element to the traditional tabletop exercise to make it more fun and relatable (h/t to the fine folks @Axonify for the idea), and now I'm proud to announce that I am writing a book on building gamified tabletops! I'm still very early in the process, but I am hoping to bring my experience in building and running gamified tabletops for the past few years to a wider audience. Personally, I feel that documentation on tabletop design isn't really available outside of snippets in some books and random blog articles around the internet. That, and I know nobody does it quite like I do. :-) If you are looking to test your disaster recovery plans to maintain your #SOC2 or #ISO27001 compliance, and you're looking for something more engaging, by all means let me know. We can go through a quick discussion on how gamified tabletops are different and how we can help prepare your own organization for the unexpected.

  • EliteSec Cyber Security Consultants, Inc. reposted this

    John Svazic

    I'd like to talk about a specific type of penetration test that I feel a lot of organizations overlook, and that I think should get a second thought. Specifically, I'm thinking of the internal network penetration test. What is it? This is the type of penetration test that checks for weaknesses within your offices on your "trusted" network, be that on a local wi-fi network or a dedicated office network that's accessed via a VPN. So why is this important to test? Are attackers going to break into your office space and take over your CEO's laptop? Not likely, but if that's a possibility I'm sure you're already doing this type of testing! But seriously, what if you have a lot of visitors to your office space? What if you have a large customer base or some big-name clients that may be attractive to an attacker? Past breaches like SolarWinds are great examples of supply-chain attacks where the breached company wasn't the main target. A better question to ask is what happens when one of your staff gets compromised. What can an attacker do if they get credentials from a staff member, such as via phishing or a data breach because they re-use passwords? Or the recent trend in hackers calling in to help desks posing as an employee to reset their password and 2FA code? Understanding what an attacker may be able to do after breaching one of your employees is one of the first steps to ensuring you don't fall victim to the Cadbury creme egg problem: having a hard outer shell, but a delicious gooey middle. While I do have a few clients who perform internal penetration tests, most focus on their public-facing applications. There's nothing wrong with that, but I would encourage folks to consider their internal networks as well. Sometimes it's those overlooked sections where the real dangers lie in wait.

  • EliteSec Cyber Security Consultants, Inc. reposted this

    John Svazic

    Penetration testing takes many forms, from testing websites to full-fledged SaaS applications hosted in the cloud. Then there are those pesky mobile applications that users are constantly clamoring for. Then there are those networks internal to your company that allow employees to work together and collaborate. For those who are more likely to face a physical threat, physical penetration testing is another option at your disposal, but it's not for everyone. While we do not do physical penetration testing, we do handle the others. From Windows domains to remote VPNs, Android and iOS apps, and Google, Azure and AWS cloud-hosted applications, we can help test your environment/application against industry-defined best security practices. Feel free to reach out; I'd be more than happy to discuss what makes sense for your particular needs and how EliteSec Cyber Security Consultants, Inc. can help!

  • John talks about the importance of penetration testing, why companies perform penetration testing, and why it's important to pick a trusted partner for such an important piece of the #cybersecurity puzzle.

    John Svazic

    Why do companies seek a penetration test? In my experience, it normally boils down to 3 reasons: 1. They're trying to adhere to a compliance requirement such as PCI-DSS, ISO27001, SOC2, CIS Controls, etc. 2. They have customers requesting/demanding a report. 3. They want peace of mind. Penetration testing is one of those things that can make a significant impact on the security of your business network and/or product, but it's often overlooked due to the "mystery" behind what's involved. At EliteSec Cyber Security Consultants, Inc., we do a lot of SaaS and web-based penetration testing. Our methodology revolves around the OWASP® Foundation's Web Security Testing Guide (https://lnkd.in/gnh4NQs7) to ensure we're using an industry-standard set of checks. There isn't much mystery in what we're doing during our testing, and we always ensure our customers understand any findings, including detailed steps to reproduce each finding, as well as remediation options to repair any findings. We can speak with developers, and provide risk ratings based on tailored CVSS scores for each finding. The goal of a penetration test isn't to get a "high score" for the penetration testers, nor should it be a piece of paper to get a compliance stamp for the client. It should be a realistic view of the risk for the project under scope in terms of what harm a malicious actor could cause for a company if exploited. Clearly there are other benefits, but from a penetration testing vendor's perspective, they shouldn't be the only focus. When selecting a vendor to perform penetration testing, be sure to pick someone who you can trust and who has your best interests in mind. Spending time trying to fix a low-risk issue because someone marked it as critical without telling you why doesn't help anyone. All the compliance in the world won't help if you have exploitable vulnerabilities in your company's infrastructure/product, because malicious actors don't care what the auditors signed off on.

  • EliteSec Cyber Security Consultants, Inc. reposted this

    John Svazic

    It's that time of year again! As the holidays fast approach, so do budget deadlines and plans for 2024. Have you budgeted your annual penetration test yet? Perhaps you weren't thrilled with your provider this year and are looking for someone new? EliteSec can help. We offer comprehensive penetration testing services for your applications/networks and provide exceptional reporting to assist with remediation. Did I mention we offer 5 free re-tests for findings for up to 12 months? Perhaps you're not ready for a full change of vendor, but you would like a second opinion on your report because it just doesn't seem right or make sense. We'd be happy to review the report (under NDA, of course) and offer our honest opinion. If you're interested, please reach out. I'd be more than happy to share a sample report so you can compare. Wishing everyone a safe and uneventful holiday season!

  • Our Founder and Principal Consultant has some thoughts on penetration testing and how EliteSec offers a thorough service in terms of using industry standards for our engagements to ensure a higher level of quality for our clients.

    John Svazic

    Penetration testing (commonly called pen testing) is our main focus at EliteSec, and we're proud of our process and the reports we provide to our clients! We use the OWASP Testing Guide, an open standard for testing web-based applications. As most of our pen tests cover SaaS applications and offerings, this is a great standard to work with. It also slots nicely with mobile applications, as the API calls to a back-end server are similar. For network pentests, we use the Penetration Testing Execution Standard (PTES) as our blueprint for testing to ensure we are following standardized methodologies designed by trusted experts to ensure comprehensive coverage. But why? Quite simply, we don't want to overlook something. Some firms will use their own checklist or methodology that is often less comprehensive, or it focuses on more recent threats as opposed to the common ones that make up well-known lists such as the OWASP Top 10 for web-based applications. While modern threats are important, they are not always as common or as long-lasting as some folks may believe. There's a difference between having a bug in the way a component is coded and a vulnerability in a 3rd party library. You should check for both, but focusing exclusively on "headline generating" vulnerabilities isn't the right approach for your customers. Check for both. Our experience at EliteSec is that we've seen the "classic" OWASP Top 10 vulnerabilities across different verticals, from SQL injection to cross-site scripting (XSS), even some examples of XML External Entity (XXE) vulnerabilities that allowed us to extract data from a Docker container, not to mention other issues. Most modern frameworks protect against these types of vulnerabilities, unless they're misconfigured. That's why we test, and that's why having a standard to test against is important. Penetration testing is normally done to test the quality of an application from a security perspective. It is often required by potential customers who want assurances from the vendor that their software is designed to protect the data the customer entrusts to the vendor. These customers often ask for proof of such testing. Compliance frameworks such as PCI-DSS and even some SOC2 auditors are looking for penetration testing reports to complete the certification. There are even times when a CEO may request the testing for peace of mind because a competitor or some other organization they have read about was compromised and customer data was lost due to a flaw in their application. Regardless of the reason, penetration testing can help. Not all penetration testing firms are created equal. Ask for sample reports, methodology, and feedback from customers if there are no reviews available online from an independent source. Pen testing is an investment in time, money, and resources, so you should receive a report worthy of all three. Let us know if you have questions; we'd love to help.

  • EliteSec was founded on the idea that good security services, specifically around penetration testing, should be both affordable and useful to companies of any size and technical aptitude. Our founder has witnessed first-hand what a bad pentest report looks like, and the harm it can cause: from poor explanations, to literally copying and pasting a scanner's finding and charging close to 10x the cost of the software that generated it. Our mission is to ensure our customers are getting modern, practical advice for their organization and the products they offer to clients. Our motto is pragmatic advice with candid discussion. We don't use cyber-specific lingo to sell services, but we do follow industry standards, such as the OWASP Testing Guide as the basis for our testing, in order to deliver top-notch services to our clients. SMEs and SMBs have been known to go under due to a cyber incident. We want to raise the bar for everyone to ensure that doesn't happen to you. Our passion is cybersecurity, be it through testing, training, or advising. No one deserves to be a target, let alone a victim. Our goal is to ensure that you, and your customers, are not impacted due to a vulnerability in your software, infrastructure, or security program. We are here to help; just let us know what concerns you or if you have any questions.
