Tag Archives: penetration testing

CISO Forum 2019: Vulnerability Management, Red Teaming and a career in Information Security abroad

Today, at the very end of 2019, I want to write about the event I attended in April. Sorry for the delay ?. This doesn’t mean that CISO Forum 2019 was not Interesting or I had nothing to share. Not at all! In fact, it was the most inspiring event of the year, and I wanted to make a truly monumental report about it. And I began to write it, but, as it usually happens, more urgent tasks and topics appeared, so the work eventually stopped until now.

The first discussion was about Offensive Security and Red Teams in particular

At CISO Forum 2019 I participated in two panel discussions. The first one was about Offensive Security and Red Teams in particular.

Continue reading

PRYTEK meetup: Breach and Attack Simulation or Automated Pentest?

Last Tuesday, November 27, I spoke at “Business Asks for Cyber Attacks” meetup organized by PRYTEK investment platform. The event was held at the PRYTEK Moscow office in a beautiful XIX century building of a former textile manufactory.

PRYTEK Breach and Attack Simulation meetup

The goal of the meetup was to talk about new approaches in Vulnerability Analysis and how they can reduce the Information Security costs for organizations.

There were two presentations:

  • The first one was by Doron Sivan, Cronus CEO. He talked about his company’s product.
  • The second was mine. I criticized traditional vendors of vulnerability scanners, talked about things that work in companies, and things that don’t work, and what you should pay attention to when choosing a Vulnerability Management tool.

For the most part this was my report from the last ISACA VM Meetup. The only difference was in the conclusions, since the topic of this event and the audience were different.

I stressed that the Attack Simulation tools, like Cronus, that analyze vulnerabilities and network connectivity of hosts can be very helpful. They allow you to assess the criticality of each vulnerability better and help to justify the need in prompt patching for IT Team (see “Psychological Aspects of Vulnerability Remediation“).

Continue reading

Getting public IP address ranges for an organization

Small bash script to automate the work with Qrator Radar public API.

Qrator Radar

The idea is to get autonomous system (AS) number of the organization by it’s name and retrieve all related IPv4 Prefixes. Why you may need it? To be sure, for example, that you scan all the hosts of organization available from the Internet for vulnerability management, penetration testing or bug bounty activity. For smaller organizations that don’t have own AS that obviously will not work.

Continue reading