Have a case of patch management fatigue? Automation can take you only so far. Even with an aggressive two-week time-to-patch, many systems are left vulnerable to published flaws 50% of the time. Let us help you take a step back and isolate your most likely future exposures to reduce both your risk and your system maintenance burden.
You're all about practical solutions under constraints. Let us help you find those "quick hits" to cut your organization's risk and free up resources for more strategic initiatives. Or perhaps you're looking for someone to help you tackle a niche technical challenge. We're always up for a challenge.
Auditor / Compliance Officer
With both the technical and regulatory landscape in constant change, it is nearly impossible to stay on top of the latest attack methods while also maintaining compliance. Through penetration tests, security architecture assessments, and code reviews, we can help you satisfy a number of requirements, including PCI DSS 11.3 and the HIPAA Security Rule's Technical Safeguards.
It is well understood that the cost of correcting software defects increases exponentially as the defect makes its way closer and closer to the customer. Security vulnerabilities are a type of defect that happen to carry a much greater potential cost, both to the customer and to your organization's reputation. On the positive side, the vast majority of security issues can be avoided in the earliest stages of development with the team-wide adoption of defensive coding practices. When is the last time your team had security training?
Is the best defense a good offense? We think so too. ;-) Demand outpacing supply? Trouble landing that bug? There's no shame in asking for a helping hand now and then. Let us be an extension of your team, or train you up on some of the new techniques we have developed.
Penetration assessments ("pentests") are designed to identify a broad range of potential vulnerabilities and risks associated with a system's design and implementation by simulating real-world attacks in a controlled environment. Pentests come in a variety of forms, depending on the types of technology being assessed, but all follow a similar pattern. Blindspot has developed a penetration assessment process which is inspired by industry standards, such as the ISO/IEC 27000 series and NIST SP800-115, and fulfills requirement 11.3 of PCI DSS 3.0. While operating within a standardized framework, Blindspot analysts go to great lengths to avoid a one-size-fits-all approach. At each stage, additional knowledge about the application, deployment environment, and use cases informs the threat model which is used to focus valuable testing effort where it is most needed.
A key element of testing activities is the development of proof of concept demonstrations and exploits for identified vulnerabilities, where appropriate. These provide analysts with a far deeper understanding of both the difficulty of exploiting specific flaws, as well as the sensitive data that may be disclosed if the issue were exploited by an adversary. This knowledge provides a stronger basis for estimating the overall risk of the issue, allowing for a better allocation of remediation resources.
Automated static and black box vulnerability scanners have come a long way over the years. But as the technologies developers use continue to change, these tools are forever playing catch-up. Without the ability to reason about how your application behaves, such as what the primary use cases are and what information you most need to protect, automated tools will always be limited in many respects. Manual security testing is a hallmark of any mature secure development life-cycle. Blindspot's testing process always includes, at a minimum, an informal threat modeling phase where an understanding of your application is developed and key risks are enumerated. In addition to testing for well-known classes of flaws (such as the OWASP Top Ten) and items typically picked up by automated scanners, Blindspot's analysts often spend a significant amount of effort searching for flaws that are most relevant to the application, including in-depth authorization testing and issues related to business logic.
You are a software vendor. Between never-ending feature requests and bug reports, the last thing you need is a customer calling you to ask about a "tweet" they read regarding a newly published vulnerability in your software. Or perhaps your IT department is deploying a new mission-critical application throughout the organization. How do you know the product vendor performed their due diligence to ensure their software is safe and secure? Product developers are under just as much pressure as any other tech-oriented organization to deliver new functionality and performance at minimal cost. It is rare for product companies, small or large, to invest resources in internal security experts to ensure their products do not have flaws that could impact the confidentiality and integrity of deployment environments. Conducting direct penetration assessments of product deployments can be a cost-effective way to help ensure that the product is deployed in a safe configuration for a particular customer, in addition to verifying a product's overall quality with respect to security.
The line between "internal" and "external" networks is blurring more every day. Your desktops and mobile devices are now part of the security perimeter, as these are the primary ways in which modern attackers gain a foothold inside your IT infrastructure. It is critical to take a holistic view of network and system security by trying to ensure every system is patched and configured safely, regardless of where it resides in your infrastructure. Network vulnerability assessments and penetration tests are the most classic form of technical security audit. Network-oriented assessments are designed to validate that patch management and device hardening processes are in place. While many organizations perform their own internal scanning using off-the-shelf tools, it is often worthwhile to leverage external resources to validate that internal scanning approaches are effective and to illustrate how an attacker might leverage certain common issues in realistic attacks.
Fraud is as old as civilization itself. Out of necessity, most people are fairly good at spotting traditional scams. However, the advent of the Internet has redefined the playing field. Incredible amounts of information about individuals and the organizations they work for are now readily available to fraudsters. In addition, the impersonal ways in which we communicate through our devices make it all the more difficult to spot a lie. Spear phishing and digital pretexting attacks are highly effective and are far easier for scammers to conduct than many traditional software attacks. Indeed, some of the most significant digital breaches of our decade have occurred through these kinds of attacks, which allow adversaries to gain a foothold in an organization's digital infrastructure. How well would your employees fare if they were targeted in a similar attack?
Blindspot performs social engineering exercises that leverage public information to selectively test employees' resilience to a variety of scams. The key benefits of these exercises include:
- Measurement of the typical rate of exploitation among an organization's users
- Learning opportunities for users to understand what realistic attacks look like
- Identification of simple technical controls that, if implemented, may significantly reduce key risks
- An understanding of how much time typically passes before incident response staff are first notified about an attack
- An opportunity to drill incident response procedures in a low-impact way
While there is no "patch" to cure social engineering attacks, it is very difficult to understand and mitigate the risk without performing regular testing.
Tired of playing "whack-a-mole" with application vulnerabilities? Often the most cost-effective way to get a handle on your application security situation, over the long term, is to educate your developers and quality assurance staff on the technical issues they face. After all, a significant portion of serious software vulnerabilities amount to problems that appear in a single line of code. By properly educating staff, identification and avoidance of these issues often becomes second nature.
Blindspot's experienced instructors have developed and delivered dozens of training courses, both at conferences and at customer sites. Secure software development courses can be tailored to your development team's particular situation and typically include 50% lecture and 50% hands-on exercises to help reinforce the lessons learned. Training can be delivered on a flexible schedule, such as in multi-day "bootcamp" style courses, in multiple half-day sessions that focus on particular topics, or somewhere in between. Training topics frequently delivered include:
- Introduction to SQL Injection and Cross-Site Scripting
- Communications Security on the Web
- Client-Side/Browser Security
- Spotting and Avoiding Spear Phishing Attacks
- Advanced Web Application Black-Box Testing
- Server-Side Request Forgery (SSRF)
- XML External Entities (XXE) Attacks
While Blindspot consultants pride themselves on having a broad base of knowledge in a variety of technical and business areas, our interests and experiences have pushed us to gain a deeper understanding in certain areas. Often we find ourselves acting as key advisers in the following areas because of this experience.
Breach simulations attempt to emulate the behavior of a typical digital intruder within an organization's network. Unlike traditional penetration tests, which attempt to identify every possible avenue of attack and validate those, breach simulations focus on the most likely avenues of attack. Consultants work to exploit the flaws that require the least effort and subsequently identify more flaws based on that elevated access. The goal of each simulation is typically to obtain access to high-value business targets as quickly as possible. Breach simulations are excellent for helping an organization understand what an attacker is likely to do upon gaining a foothold in the environment and are effective for organizations who wish to:
- Better understand the risk of an initial, low-level digital intrusion
- Illustrate to business stakeholders how attackers can quickly move "laterally" through an internal network
- Identify and mitigate the "low-hanging fruit" from an attacker's perspective
- Identify gaps in system and network logging
- Test the efficacy of intrusion detection/prevention and honeypots
- Drill incident response procedures
With extensive experience with incident response and digital forensics, Blindspot is well-positioned to provide realistic simulations that challenge preconceived notions about how breaches play out.
Cryptography is hard. Most software developers realize this. Security dogma of "don't invent your own crypto; use standard algorithms" has been a "best practice" for some time. But what does this mean? Use AES? As cryptographers know, and history has shown, this alone is insufficient. Using otherwise safe cryptographic primitives in custom protocols and message formats requires an understanding of cryptography that most programmers lack. As a result, many implementations are sorely insecure due to the way cryptographic primitives are combined and applied in real world contexts.
Blindspot's analysts have long held an interest in cryptography and have experience delivering training courses on secure implementation, developing black box exploit tools which test for cryptographic weaknesses, and also in designing systems that leverage cryptography to make development tasks easier.
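The point above, that a safe primitive applied without authentication is still an insecure protocol, is easy to show in code. The following is an added example written for this page, not Blindspot's tooling: it builds a counter-mode stream cipher from a PRF (HMAC-SHA256, an illustrative stand-in for AES-CTR so the example runs with only the Python standard library), shows that a ciphertext produced this way can be rewritten field-by-field without the key, and then wraps the same cipher in encrypt-then-MAC so the rewrite is detected before any plaintext is released. The message layout, keys and function names are constructed for the example.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF: HMAC-SHA256(key, nonce || counter).
    Illustrative construction for this example only; real systems should use
    AES-GCM or ChaCha20-Poly1305 from a vetted library."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nothing binds the ciphertext to the key, so it can be altered."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_unauthenticated = encrypt_unauthenticated  # XOR with the keystream is its own inverse


def malleate(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Demonstrates the failure mode the MAC exists to prevent: XORing (old ^ new)
    into the ciphertext changes the plaintext field at `offset` from old to new,
    without the key, for any stream or counter-mode cipher."""
    out = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a separate MAC key; the tag covers nonce and ciphertext."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def is_authentic(mac_key: bytes, nonce: bytes, message: bytes) -> bool:
    """Verify the tag with a constant-time comparison before touching the ciphertext."""
    if len(message) < TAG_LEN:
        return False
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes) -> bytes:
    if not is_authentic(mac_key, nonce, message):
        raise ValueError("authentication failed; ciphertext rejected")
    return decrypt_unauthenticated(enc_key, nonce, message[:-TAG_LEN])


def demo():
    """Returns (plaintext recovered from a forged unauthenticated ciphertext,
    whether the same forgery passes verification under encrypt-then-MAC)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"amount=0100;to=alice"  # constructed sample message; "0100" starts at offset 7
    # Unauthenticated: the forged ciphertext decrypts to a different, valid-looking message.
    ct = encrypt_unauthenticated(enc_key, nonce, msg)
    forged = malleate(ct, 7, b"0100", b"9900")
    unauth_result = decrypt_unauthenticated(enc_key, nonce, forged)
    # Authenticated: the identical edit is rejected before any plaintext is produced.
    sealed = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    forged_sealed = malleate(sealed, 7, b"0100", b"9900")
    return unauth_result, is_authentic(mac_key, nonce, forged_sealed)


if __name__ == "__main__":
    recovered, accepted = demo()
    print("unauthenticated cipher decrypted the forgery to:", recovered)
    print("encrypt-then-MAC accepted the forgery:", accepted)
```

The design choices are the ones a review of a "custom protocol" usually turns on: a distinct key for the MAC, a tag computed over the ciphertext rather than the plaintext (so verification happens before decryption), the nonce included under the tag, and `hmac.compare_digest` rather than `==` for the comparison.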
IPv6 is here, whether we like it or not. Every major operating system supports the alternative Internet protocol, and while it is slow to be implemented by network operators, the technical aspects of IPv6 often introduce significant security impacts. For instance, IPv6 comes with a dizzying array of transition technologies (Teredo, 6to4, and NAT64, to name a few) and often administrators are unaware of how these features could expose their systems to external attack. Whether your goal is to simply limit unintended IPv6 exposures or to deploy a next generation network securely, Blindspot can help you navigate the complex landscape introduced by this monumental Internet migration.
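A first step toward limiting the unintended exposures mentioned above is simply finding out which hosts carry transition-technology addresses. The script below is an added example, not part of this page or any Blindspot tool: it parses constructed `ip -6 addr` output and flags addresses that fall under the 6to4 prefix (2002::/16, RFC 3056), the Teredo prefix (2001::/32, RFC 4380), the NAT64 well-known prefix (64:ff9b::/96, RFC 6052), or that carry an ISATAP interface identifier (::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d, RFC 5214). Where the technology embeds an IPv4 address, the embedded address is decoded as well, since that is the address an external party would need in order to reach the tunnel. The interface names and addresses in the sample are constructed from documentation ranges.

```python
import ipaddress
import re

# Transition-technology prefixes; ISATAP has no prefix and is recognized by its
# interface identifier instead.
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)  # upper 32 bits of the IID (u/l bit clear or set)

IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")
INET6_RE = re.compile(r"^\s*inet6\s+([0-9A-Fa-f:.]+)/(\d+)")


def classify(addr: ipaddress.IPv6Address):
    """Return a finding string if addr belongs to a transition technology, else None."""
    raw = addr.packed
    if addr in SIX_TO_FOUR:
        # 6to4: IPv4 address sits in bits 16..47
        return f"6to4 (embedded IPv4 {ipaddress.IPv4Address(raw[2:6])})"
    if addr in TEREDO:
        return "Teredo"
    if addr in NAT64_WKP:
        # NAT64 WKP: IPv4 address is the final 32 bits
        return f"NAT64 well-known prefix (embedded IPv4 {ipaddress.IPv4Address(raw[12:16])})"
    if int.from_bytes(raw[8:12], "big") in ISATAP_IID_HIGH:
        # ISATAP: IID is 0000:5efe or 0200:5efe followed by the IPv4 address
        return f"ISATAP (embedded IPv4 {ipaddress.IPv4Address(raw[12:16])})"
    return None


def audit_ip6_output(text: str):
    """Walk `ip -6 addr` style output and return one dict per flagged address."""
    findings = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        label = classify(addr)
        if label is not None:
            findings.append({"iface": iface, "address": str(addr),
                             "prefixlen": int(m.group(2)), "finding": label})
    return findings


# Constructed sample output; interface names and addresses are illustrative.
SAMPLE_IP6_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8::1/64 scope global
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
3: sit0: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN
    inet6 2002:c000:204::1/16 scope global
4: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN
    inet6 2001:0:53aa:64c:0:fefe:3ff0:6bf5/32 scope global
5: is0: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN
    inet6 2001:db8:1::5efe:c000:205/64 scope global
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 64:ff9b::c000:221/96 scope global
"""

if __name__ == "__main__":
    for f in audit_ip6_output(SAMPLE_IP6_OUTPUT):
        print(f"{f['iface']:8} {f['address']}/{f['prefixlen']}  {f['finding']}")
```

On a live host, feed it `ip -6 addr` (or the equivalent on other platforms). A hit does not by itself mean a host is reachable from outside, but each one is an interface whose exposure should be deliberate rather than accidental, and Teredo in particular is worth disabling on hosts that were never meant to be directly addressable.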
Few people enjoy planning for the worst. But the discovery that an adversary has penetrated your perimeter defenses almost always makes you wish you had done it better. Most organizations have a strong understanding of their own infrastructure: the data and systems that are critical for their success. However, it is rare for IT staff to understand just exactly what attacks could be performed internally to target those systems after an initial breach, or to maintain a long-term, covert presence. In order to best defend against intruders, it makes sense to develop controls and response plans that are oriented around what the primary risks of intrusion are and what an attacker is most likely to do once inside.
Blindspot's extensive experience in penetration testing, incident response, and forensics research places us in a unique position to see the bigger picture in these situations. Whether it be helping improve incident response plans or helping improve key technical controls, Blindspot's practical approach can greatly enhance an organization's resiliency to attack without disrupting normal business operations.