Security Risk Advisors

Category: Red Teams

Plastic Beach: Gaining Access to CDEs

January 11, 2016 | Posted in Red Teams by Dan Astor

Penetration testing engagements should begin with a mutually agreed "trophy list" that names the assets to be targeted for proof-of-concept compromise. During our penetration tests where PCI systems are in scope, accessing the CDE and the covete…

2014 Pittsburgh Security B-Sides

June 23, 2014 | Posted in Red Teams by Jake Liefer

We recently presented at the 2014 Pittsburgh Security B-Sides on the topic of gaining physical access to facilities. From social engineering to cloning RFID badges, we discuss ways attackers can gain access as well as ways to protect your critical ph…

Social Engineering Past 2-Factor Authentication

November 13, 2013 | Posted in Red Teams by Dan Astor

Two-factor remote access can go a long way toward making compromised network passwords less useful to an attacker; however, gaps in procedures and training can make even these robust security controls useless. To illustrate, here's a short story from one …

User Enumeration

January 21, 2013 | Posted in Red Teams by Chris Salerno

One of the most common, and most underestimated, web application vulnerabilities I find is user enumeration. Simply put, I can figure out a list of valid user accounts that are allowed to log in to an application. This isn't just assuming there's …
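The excerpt above describes the vulnerability class but not what it looks like in code. The following is an added example, written for this listing and not taken from the original post: a login handler that leaks account existence through distinct error responses, the hardened form that returns the same status, message and amount of hashing work whether or not the account exists, and the attacker-side check a tester runs to tell the two apart. The user store, salts, passwords and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
# Iteration count is kept low so the example runs quickly.
_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = b"fixed-demo-salt-0123"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
    "bob": (_SALT, _hash("battery staple", _SALT)),
}

# Credentials used for names that do not exist, so the hardened handler always
# performs one real hash computation. A random digest can never match.
_DUMMY_SALT = b"dummy-salt-for-unknown"
_DUMMY_HASH = os.urandom(32)


def login_vulnerable(username: str, password: str):
    """Leaks account existence: an unknown name and a wrong password are
    answered with different status codes and messages (and the unknown-name
    path skips the hash, so it is also measurably faster)."""
    if username not in USERS:
        return 404, "Unknown username"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Welcome"
    return 401, "Incorrect password"


def login_hardened(username: str, password: str):
    """Same status, same message and the same hashing work for every failure,
    so the response carries no information about whether the name exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Welcome"
    return 401, "Invalid username or password"


def probe_usernames(login, candidates, baseline="zz-not-a-user-8f3a1c"):
    """Attacker-side check used during a test: submit a deliberately wrong
    password for a name that certainly does not exist to get a baseline
    response, then for each candidate. Any candidate whose (status, message)
    pair differs from the baseline is confirmed to be a valid account."""
    baseline_resp = login(baseline, "definitely-wrong-password")
    return sorted(
        u for u in candidates
        if login(u, "definitely-wrong-password") != baseline_resp
    )


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable handler reveals:", probe_usernames(login_vulnerable, names))
    print("hardened handler reveals:  ", probe_usernames(login_hardened, names))
```

The probe compares whole responses rather than looking for a specific string, which is how a tester catches the subtler variants (different status codes, different redirect targets, a field-level error on one path only). The hardened handler hashes a dummy credential for unknown names so that response time cannot be used as the oracle instead; the same uniform-response rule applies to password reset and registration forms, which are the other places the excerpt's vulnerability usually shows up.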

SecureWorld: Building a Mobile App Security Risk Management Program

May 24, 2012 | Posted in Red Teams by Chris Salerno

We recently co-presented a case study with Vas Rajan (CISO, INGDirect) discussing how we jointly developed a security risk management program for customer-facing mobile apps. We discussed the security risks and challenges, and a programmatic approach…