Many organisations consider performing phishing tests against their own staff; whilst this can be a great way to measure your risk exposure and the effectiveness of security awareness training, it can actually introduce problems into your security strategy too. In this episode I talk about a few common issues with company phishing campaigns.
In my job as a security tester I often have the weird task of physical access penetration tests. That’s breaking into buildings for a living. So here I give a little introduction to what they are and some of the aims customers have when they procure a test of this nature. Whether it involves lock-picking or social engineering, it’s a weird job.
Red Teams are a romanticised part of security testing, and whilst red team engagements are usually amongst the most fun to deliver, being fun to deliver doesn’t mean they’re always the most effective from a security point of view. A lot depends on the target organisation’s maturity, defensive capability, and engagement goals.
In this episode I talk a little about hash-cracking with AWS and pushing more workloads to the cloud! In particular I mention using p3.16xlarge instances on AWS with Hashcat to get some serious cracking speeds – like 680 GH/s for NTLM! They’re expensive at $18,000 per month – but using spot instances and running workloads for only a few hours can get the job done without spending a fortune; especially when compared to my ageing Thinkpad X260…
In this episode I talk a little bit about what vulnerability scanning is, how it’s different from Penetration Testing – and whether you need both. I also added a few more details here: https://gracefulsecurity.com/vulnerability-assessments-vs-penetration-tests/
How do you become a Penetration Tester? Well, I talked a little bit about different paths into security testing! I also added a few more details here: https://gracefulsecurity.com/becoming-a-penetration-tester/