
Exploits Explained: Default Credentials Still a Problem Today

9 February 2023 at 13:51

Popeax is a member of the Synack Red Team.

Often people think security research requires deep knowledge of systems and exploits, and sometimes it does, but in this case all it took was some curiosity and a Google search to find an alarmingly simple exploit using default credentials.

On a recent host engagement, I discovered an unusual login page running on port 8080, a standard but less often used HTTP port. The login page did not resemble anything I had encountered in the thousands of login pages across hundreds of client engagements.

Nothing new. Even for a seasoned member of the Synack Red Team (SRT), it isn’t unusual to discover commercial products that one hasn’t seen before.

The login page clearly showed the product as some type of IBM server. In the URL, I noticed the string “profoundui.” A quick Internet search identified an IBM resource that stated:

“Profound UI is a graphical, browser-based framework that makes it easy to transform existing RPG applications into Web applications, or develop new rich Web and mobile applications that run on the IBM i (previously known as the AS/400, iSeries, System i) platform using RPG, PHP, or Node.js.”

Given these facts, I Googled for “IBM AS/400 default password” and found IBM documentation that listed default AS/400 credentials.

As any elite hacker would do, I copied and pasted all six default usernames and passwords into the login form.

Sure enough, the last set of credentials worked, with user QSRVBAS and password QSRVBAS.

It was beyond the scope of the engagement to proceed any further to see how much access was possible. The vulnerability was documented in the report that was given to the client to be remediated.

After a few days, the client requested a patch verification of the vulnerability using Synack’s patch verification workflow. This workflow allows a client to request the SRT to verify an implemented patch within the Synack Platform. After receiving the patch verification request, I quickly verified the vulnerability was no longer exploitable.

It is hard to believe, but even today commercial products still ship and are installed with default credentials. Often the onus is on the end user to be aware they must change the credentials and lock the default accounts.
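The two checks a defender would want after reading the write-up above, as an added example rather than anything from the post or from IBM: an audit of an IBM i profile report for shipped default accounts that still carry their default password or are still enabled, and a detection pass over sign-on logs for successful use of those accounts. QSRVBAS is the profile named in the post; the other five profile names are assumed from IBM's own "change the default passwords" guidance, and both the report layout and the log line format are constructed for this illustration (IBM's ANZDFTPWD command reports the same password-equals-name condition in its own format).

```python
"""Audit IBM i profiles for shipped default credentials and detect sign-ons by them.

Added illustration, not Synack's or IBM's code. Report and log formats are constructed.
"""
import re
from dataclasses import dataclass

# IBM-supplied profiles that ship with a password equal to the profile name.
# QSRVBAS comes from the write-up; the others are assumed from IBM's guidance
# and should be checked against your release's documentation.
DEFAULT_PROFILES = {"QSECOFR", "QSYSOPR", "QPGMR", "QUSER", "QSRV", "QSRVBAS"}


@dataclass
class Finding:
    profile: str
    severity: str
    action: str


def audit_profiles(report_lines):
    """Parse a constructed report 'NAME STATUS DEFAULT_PWD' and rank findings.

    Example line: 'QSRVBAS *ENABLED *YES'. The third column says whether the
    password still equals the profile name.
    """
    findings = []
    for line in report_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headers / blank lines in the constructed report
        name, status, default_pwd = (p.upper() for p in parts)
        if name not in DEFAULT_PROFILES:
            if default_pwd == "*YES":
                findings.append(Finding(name, "high", "password equals profile name; force a change"))
            continue
        if default_pwd == "*YES" and status == "*ENABLED":
            findings.append(Finding(name, "critical",
                                    "shipped default still valid and enabled; change password and disable"))
        elif default_pwd == "*YES":
            findings.append(Finding(name, "high", "disabled but password is still the default; change it"))
        elif status == "*ENABLED" and name != "QSECOFR":
            # QSECOFR is the security officer and stays enabled; service profiles usually need not.
            findings.append(Finding(name, "medium", "default service profile enabled; disable unless required"))
    return findings


SIGNON_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")


def detect_default_signons(log_lines, allowed_sources=()):
    """Return (profile, source) for successful sign-ons by default profiles from unexpected sources."""
    hits = []
    for line in log_lines:
        m = SIGNON_RE.search(line)
        if not m:
            continue
        user = m["user"].upper()
        if user in DEFAULT_PROFILES and m["result"] == "SUCCESS" and m["src"] not in allowed_sources:
            hits.append((user, m["src"]))
    return hits


# Constructed sample input: one profile report and a few sign-on events.
SAMPLE_REPORT = [
    "PROFILE STATUS DEFAULT",
    "QSRVBAS *ENABLED *YES",
    "QSECOFR *ENABLED *NO",
    "QSRV *DISABLED *YES",
    "QUSER *ENABLED *NO",
    "APPUSER *ENABLED *YES",
]
SAMPLE_LOG = [
    "2023-02-09T13:51:00Z user=QSRVBAS src=203.0.113.5 result=SUCCESS",
    "2023-02-09T13:50:40Z user=qsrvbas src=203.0.113.5 result=FAILED",
    "2023-02-09T13:49:10Z user=alice src=10.0.0.7 result=SUCCESS",
    "2023-02-09T13:48:00Z user=QSECOFR src=10.0.0.2 result=SUCCESS",
]

if __name__ == "__main__":
    for f in audit_profiles(SAMPLE_REPORT):
        print(f"{f.severity:8} {f.profile:8} {f.action}")
    for user, src in detect_default_signons(SAMPLE_LOG, allowed_sources=("10.0.0.2",)):
        print(f"ALERT default profile {user} signed on from {src}")
```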

The ingenuity and curiosity of the SRT cannot be replicated by scanners or automated technology. The SRT members are adept at finding this type of vulnerability in custom and commercial applications, even while running in obscure locations, which leads to exploitable vulnerabilities being surfaced to the customer.

The post Exploits Explained: Default Credentials Still a Problem Today appeared first on Synack.

How I Found My Next Mission In Cybersecurity

2 November 2022 at 03:00

Trevor Granger is a Technical Manager in Operations, Federal. He has 18 years of service and is currently in Officer Training School for the Air Force.

I was a freshman in high school when September 11th, 2001 happened. I will never forget my principal’s somber voice on the intercom telling us matter-of-factly that a terrorist attack had occurred. We spent the rest of the day watching the news to try to understand what took place. I couldn’t have known it at the time, but that traumatic event set in motion a personal journey that, many years later, would see me enter the field of cybersecurity as a member of the military. 

I was unfocused as a kid and was headed in the wrong direction. Fortunately, my brother and cousin encouraged me to join the Marines, which I did at age 17. I turned 18 in boot camp at Marine Corps Recruit Depot San Diego, but nothing seemed to matter less than my birthday while there. I quickly learned the individual matters far less than the mission and the Marines around them.

Fast forward to 2010: With one Iraq deployment in the bag, I was getting out of active duty to become a city cop, my dream job at the time. I joined the Army National Guard, served in the Field Artillery and was a cop for less than a year until I realized I wanted nothing to do with that career. It just wasn’t for me.

I had no idea what I was going to do, but with some advice from my family, I used my GI Bill benefits to get a cybersecurity degree. In 2017, after another Middle East deployment, I switched services again into an Air National Guard Cyber Operations Squadron, which is when I realized how incredible a career in cybersecurity could be for me, my family and my nation.

I started working for Synack in the summer of 2018. I can’t believe how much my life has changed in the course of a few years. Giving up on my dream of being a police officer seemed like the end of the road for my lofty career aspirations, but I was now making quite a bit more money, working for a company that cares about its employees and their families, and still serving the greater good. I am now at 18 years in the military and 4 years with Synack, and I couldn’t be happier! I believe I found my calling here and am grateful to love what I do.

US Air Force Officer Training School, Goldhawks Squadron, Flight 1-15. Maxwell Air Force Base, Montgomery, Alabama. Oct. 28, 2022.

There’s no magic formula for breaking into the field of cybersecurity from the military. But it helps to build a solid LinkedIn profile: Don’t downplay your experience or intelligence. Armed services like the Marines may drill away the importance of the individual in deference to the mission, but when it comes to seeking employment in IT or cybersecurity, don’t be afraid to highlight your unique skills! I’d recommend joining a group like VetSec that can get you “plugged in.” There are so many opportunities out there. 

Don’t focus all your attention on degrees and certifications (unless required for your “dream job”) and instead, network. Meeting people in this industry will help you develop, focus your studying and skill-building and give you the best chance of finding someone willing to take you on and train you up. And know that there are many, many reservists, veterans and military spouses already in the cybersecurity community ready to support you on your journey!

For more information about Synack’s work with veterans, visit our Veterans Page.


Battling the Next Log4j: How to Prepare Your Security Team While Avoiding Burnout

27 October 2022 at 09:56

With the anniversary of Log4j looming, it is a good time to reflect on the wider significance of the vulnerability that had security teams scrambling in December 2021. What can the response to the flaw in a widely used Apache Software Foundation logging tool tell us about the state of global IT security? Most importantly, how should we respond to similar vulnerabilities that are bound to emerge in the future? 

The reason for the heightened concern surrounding Log4j stemmed not only from the scale of the exposure, but also the difficulty in quantifying that exposure. People knew or suspected they were using Log4j but did not necessarily know to what extent and on which devices. It’s like a fire alarm going off: You suddenly know you may have a problem, but you don’t know exactly how big a problem or where in the house it might be. 
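Quantifying that exposure is the part most teams lacked, so here is an added inventory check (not Synack's tooling, nor anything from the Log4j project) that walks a directory tree, opens every jar/war/ear, recurses into nested archives such as shaded or fat jars, reads the log4j-core version from its Maven pom.properties, and reports whether JndiLookup.class is still present. The affected-version thresholds for CVE-2021-44228 are stated as an assumption to verify against the Apache advisory, and the sample archives it builds are constructed stand-ins, not real log4j builds.

```python
"""Inventory log4j-core archives under a directory and flag CVE-2021-44228 exposure.

Added illustration, not Synack's tooling. Sample archives are constructed in-process.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    m = re.search(r"^version=(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def version_tuple(v):
    # "2.14.1" -> (2, 14, 1); pre-release strings like "2.0-beta9" become (2, 0, 9)
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def is_affected(version):
    """Assumed CVE-2021-44228 range: 2.x below 2.15.0, except the backported
    fixes 2.12.2+ and 2.3.1+. Pre-release 2.0 builds are treated conservatively."""
    vt = version_tuple(version)
    if len(vt) < 2 or vt[0] != 2:
        return False  # 1.x is outside this CVE's scope
    minor = vt[1]
    patch = vt[2] if len(vt) > 2 else 0
    if minor >= 15 or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True


def scan_archive(data, path, findings):
    """Inspect one archive's bytes and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            jndi = JNDI_CLASS in names  # removing this class was the documented mitigation
            findings.append({"path": path, "version": version, "jndi_lookup": jndi,
                             "affected": bool(version) and is_affected(version) and jndi})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{path}!{name}", findings)


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def make_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the files the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root):
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_jar("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_jar("2.17.1"))
    war = io.BytesIO()  # a war bundling a 2.14.1 jar with JndiLookup already stripped
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1", include_jndi=False))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print(f"{'AFFECTED' if f['affected'] else 'ok':8} {f['version']:8} jndi={f['jndi_lookup']} {f['path']}")
```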

Log4j also speaks to the well-documented challenge of relying on open source software. We cannot live without it, but in doing so we introduce dependency and risk in ways we had not always anticipated or prepared for. Events like Log4j won’t deter organizations from using open source software. The cost and pain of building tech stacks from scratch is simply too great for the vast majority of organizations.

Much of the media coverage of Log4j highlighted the panicked response. Security teams reacted swiftly and decisively as they sought to contain the risk, with much of the work happening over the festive holiday period to the chagrin of those affected.

That was the right course of action, but it is unsustainable to react in crisis mode all the time. This will burn out your hard-working security team, not least the experts on your networks and systems—key people you don’t want to lose. Vulnerabilities like Log4j are a fact of life, so a different pattern of response is needed. One that allows business operations to continue and risk to be continuously managed. 

That calls for first understanding the information security risks you are trying to manage. It sounds obvious, but can you articulate this for your organization? Does your leadership fully understand? Is this something you review with your board periodically? Your security response should flow from a set of priorities articulated by your experts and endorsed by your leadership, or else you are destined for infosec busywork rather than purposeful risk management. 

It follows closely that you also need to understand your assets. What data, information and systems do you have? How do you rely on them and what happens if they go away?

With these foundations in place, you can start to build what you need to take all sorts of security challenges in stride, including the next Log4j, whatever that may be.

Training is a key aspect of a measured response. Your whole organization should be trained on the basics of cybersecurity and how to improve cyber hygiene. The security, engineering and infrastructure teams need a plan of action to manage your organization’s response to a new, major vulnerability. Plan your incident response and consider simulating how you would respond as part of a table-top exercise. Revisit this plan from time to time—don’t let it gather dust in a ring-binder in an office no one goes to any more! 

These suggestions aren’t easy to implement, but they’re an investment in the longevity of your organization and your security teams. Synack can help augment your security team’s efforts by leading one-off missions to assess assets, going through security checklists or performing continuous pentesting on your entire organization. Contact us to learn more.


Exploits Explained: A Spy’s Perspective On Your Network

17 October 2022 at 10:33

Jeremiah Roe is a Synack Solutions Architect for the Federal and DoD space and We’re In! Podcast host. As a solutions architect, he helps organizations understand and implement effective security from an offensive perspective. He has an extensive background including work in the Marine Corps, network penetration testing, red team operations, wargaming and threat modeling.

What is interesting about you? Nothing, you say? Well, I beg to differ. There are many interesting things about you! Where do you work? What is your role at work? What are your interests? What are your hobbies? Where do you frequently go? And, how can this information be used against you by someone with malicious intent?

If you’re like me, you’ve always been intrigued by a good spy story: the how, the why, the operations, the tradecraft, the methodology. As a boy, I was always excited by the spy image. I would hang on every action scene depicted in movies and shows—I was enthralled by the bait and hook within the spy narrative.

Before we get into how your personal information and spies relate, let’s review some important definitions:

  • Reconnaissance: “A preliminary survey to gain information, especially an exploratory military survey of enemy territory” – Merriam Webster
  • Open-source intelligence (OSINT): “the collection and analysis of data gathered from open sources (overt and publicly available sources) to produce actionable intelligence.” – Wikipedia
  • Social Engineering: “(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” – Google
  • Spy: “A person who secretly collects and reports information on the activities, movements, and plans of an enemy or competitor.” – Google

Reading through these, we can see some parallels to cybersecurity beginning to take shape. If we alter a few words from what a definition of a spy is, we can easily see how a hacker could be synonymized with a spy.

Shifting this context changes perspectives on who could be considered to be malicious or a bad actor. The spy in your life could be a coworker, a friend, a neighbor, a family member, the person delivering your mail, the person sitting next to you on a plane. At this point, probabilities come in, context takes over and you realize your mother-in-law probably isn’t a covert operator hacking their way into your bank account (maybe).

Given that a malicious entity could be anyone at this point, where does that leave you?

As you begin to sift through the news you’ll begin seeing story after story about corporate espionage, insider threat, trade secrets stolen and malicious actors. Would you be able to tell if someone was an insider threat? How would you detect them? How would you protect your systems from being breached by them? Here are some recent headlines:

In any offensive operation, the first phase is reconnaissance—digital attackers do the same thing. They want to know what’s there, what’s vulnerable, what’s end of life, what’s not properly maintained, what technologies are in use, what’s fully exposed and how they can coordinate an attack against you. Unfortunately, we often find that organizations aren’t taking the right steps to ensure their environments are properly secured. As for the reasons, I’ll let you pick.

To cultivate additional insight into your networks, here are some tools that offensive practitioners use to understand a network and its potential weak points.

  • Maltego
  • theHarvester
  • Recon-ng
  • Amass
  • FOCA
  • SpiderFoot
  • EyeWitness
  • Nmap
  • Whois
  • SimplyEmail
  • Droopescan
  • Dnsmap
  • Dnsrecon
  • Sslscan
  • Curl
  • Wpscan

Here’s a sample of the data some of these tools provide:

This first view is from a relational graph created by SpiderFoot in an actual operation we were conducting reconnaissance for. This is helpful in understanding how things connect to other things, which an attacker may exploit to try to find an avenue in. 

This next capture is from a tool called Recon-NG. It’s good to utilize in conjunction with other tools for identifying systems to target within an organization. 

Recon-NG is a great tool for obtaining additional information about a target domain. It's a command-line tool that can be run on many Linux distributions and helps to contextualize data.

This is a fantastic tool for finding insight into people, places, interests, likes, location and potential social engineering avenues into an organization.

LinkedIn and other social media are rich sources of data for people looking for personal information to use in an attack.

In developing an understanding of where your risks are within the organization, keep in mind that these are the same categories of information an attacker is looking for. Here's a list of the types of information we were able to obtain in a real operation by utilizing Open Source Intelligence (OSINT) techniques:

Once an attacker compiles the data they've obtained, either internal or external, they can begin to craft an appropriate weaponization and delivery process that'll have the highest chances of being successful. It's often as easy as scraping the header information from assets you've sent requests to. In the screenshot below, we highlight several responses that share versioning information that can be used in weaponizing an attack.

DATA = INTELLIGENCE

As you begin to dig into the weak points of an environment and its people, you begin to develop a level of insight into what their proclivities are. This is helpful in leveraging social engineering and phishing techniques which can also lead to a direct compromise. The most vulnerable (and easily exploitable) asset in any environment is always YOU!

At the end of the day, it’s the goal of the attacker to gain a foothold into your environment through any means necessary, whether they can leverage a remote capacity or need to have some sort of physical presence. If they want to get in, they can usually find a way in. By increasing the attacker’s cost to compromise, you will reduce the overall risk of an attack taking place. If there’s anything a spy (or hacker) hates, it’s being found out and identified. Take the steps I’ve listed here and look at your network with a spy’s perspective to find the best ways to harden your security posture.

Want to hear more from Jeremiah? Check out his episode on Darknet Diaries.


Synack Celebrates Cybersecurity Awareness Month

By: Synack
3 October 2022 at 15:10

The cybersecurity industry continuously evolves to keep up with fast-moving threats. But for nearly two decades, there’s been at least one constant: October marks Cybersecurity Awareness Month! 

Launched by the U.S. Department of Homeland Security in 2004 to raise public awareness about digital risks, Cybersecurity Awareness Month has since grown into a global phenomenon, drawing government and private sector participation from Ukraine to Japan. 

We at Synack are honoring this year’s theme, See Yourself in Cyber, with an array of content and events that kicked off Saturday, Oct. 1, in western India. Synack solutions architect Hudney Piquant delivered a timely talk at the BSides Ahmedabad conference on securing the human element in the cyber industry, emphasizing the importance of effective education and training. 

The See Yourself in Cyber theme, chosen by the Cybersecurity and Infrastructure Security Agency and the nonprofit National Cybersecurity Alliance, recognizes that not everyone needs to have a technical background to contribute to the collective defense of our most critical networks. From accountants to recruiters, pentesters to policymakers – everyone has a role to play. With an estimated 700,000 open cybersecurity positions in the U.S. alone, there’s an urgent need to build a bigger tent for the cybersecurity community and welcome individuals of diverse backgrounds and skill sets. Closing the cyber talent gap can start with personal effort. 

"As the threat of malicious cyber activities grows, we must all do our part to keep our Nation safe and secure," President Biden said in a White House proclamation Friday.

That can mean enabling multi-factor authentication, using a password manager or keeping software up to date, as the White House pointed out. But it can also mean providing mentorship, crafting a welcoming environment for anyone interested in cybersecurity and sharing the tools and technologies needed to secure our increasingly interconnected world. 

At Synack, we believe that diverse perspectives in security testing are essential to hardening systems against the full spectrum of cyberthreats. That means opening doors for individuals from underrepresented backgrounds through programs like the Synack Academy, which is designed to build student participants’ cybersecurity education and skills while recognizing their unique circumstances and providing mentorship. We empower members of our elite Synack Red Team community of security researchers through the Artemis Red Team, a community open to women, trans and nonbinary security professionals and others who identify as a gender minority. 

So keep an eye out this month as we Synackers do our part to promote cybersecurity awareness. We'll be adding new entries to our Exploits Explained blog series, in which Synack Red Team members share insights on the latest threats and vulnerabilities gleaned from years of pentesting. You can hear our CEO and co-founder, Jay Kaplan, speak to security talent and prioritization strategies at an Oct. 19 webinar on A Better Way to Pentest for Compliance. Or you can catch us at one of several upcoming cybersecurity events, from CyberGov UK to the SecTor conference in Canada. And we'll continue to offer helpful and engaging cyber content through our WE'RE IN! podcast, the README cybersecurity news source and our social media channels, including Twitter and LinkedIn.

The cybersecurity industry can seem like it’s full of intractable and highly technical problems, whether it’s new challenges like API security testing or old threats like phishing. But our collective success in defending society from cyberattacks hinges on each of us. CISA said it best when unveiling this year’s See Yourself in Cyber theme: “While cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” 

Tackling our biggest security challenges will take collaboration and creativity. We hope you can See Yourself in Cyber, engage in this year’s Cybersecurity Awareness Month programming and get in touch with us if we can help. 

Happy October! 


Pentesting and Asset Discovery & Management: Symbiotic Benefit of Complementary Cybersecurity Tools

By: Synack
29 September 2022 at 11:58

Working Together to Provide Comprehensive Cybersecurity

Protecting Your Organization from Cybercrime

You already know that you need to be proactive regarding cybersecurity to protect your organization’s information and your resources. In 2020 cybercrime cost organizations an average of $4.35 million, and it took 277 days to find and contain the attack. But what’s the best way to mitigate against your organization falling prey to an attack? There are a number of different types of cybersecurity tools available with more being announced seemingly every day. VC funding for cybersecurity startups reached a record high of $29.5 billion in 2021 and there have been 300+ new startups every year. With this assortment of tools at your disposal, which ones should you deploy? 

One way to proceed is to select tools that complement each other. For example, deploying pentesting for breadth of vulnerability test coverage works hand in hand with red teaming for more targeted testing of specific assets or problem areas. Another complementary pairing is pentesting with asset discovery and management. In this article, we’ll take a look at how penetration testing can use the information from asset discovery and management tools to make sure you are testing everything you need to test and provide you with comprehensive cybersecurity protection.

Asset Discovery and Management

Pentesting will provide you with actionable knowledge of how a cyber attacker can hack into your organization and what damage that attack can cause. But before diving into pentesting it’s important to have a picture of your organization’s external attack surface and an assessment of its known vulnerabilities. 

Determining Potential Attack Points with External Attack Surface Management (EASM)

EASM is at the forefront of Gartner's Top Security and Risk Management Trends for 2022. Broadly defined, EASM is the process of identifying, inventorying and assessing your organization's IT assets, including all external-facing internet assets and systems. And with the increasing use of cloud resources, your attack surface is expanding rapidly. Forty-three percent of IT and business leaders state that the attack surface is spiraling out of control, and nearly three-quarters are concerned with the size of their digital attack surface. Having a good EASM process will provide your pentesters with a map of where all of your assets are, whether they are internal or external, so they can better determine how to mount as all-inclusive a test as possible.

Identifying and Managing Your Vulnerabilities

A vulnerability scan can identify gaps in your security controls and find security loopholes in your software infrastructure. These scans are optimized for breadth and completeness of coverage with the goal of ensuring that no vulnerabilities are missed. A vulnerability assessment will check for security issues such as misconfigurations, unchecked or incorrect privileges, excessive services and missing operating system updates. You can then prioritize the exposed vulnerabilities according to how likely they are to be exploited in your organization and how much damage can be caused by a hacker exploiting them. 

Putting It All Together

EASM, vulnerability management and penetration tests complement each other but have different goals. The first step in determining your organization's vulnerability to cyberattack is to do an EASM study. EASM results help you see what all of your potential attack points are. It's not uncommon for an EASM study to expose assets and points of potential attack an organization didn't even know it had.

Using the EASM results you can perform a vulnerability assessment to expose any known vulnerabilities associated with those assets. The vulnerability scan and prioritization will tell you what your known vulnerabilities are. Usually these vulnerabilities are already known to the security community, hackers, and software vendors. These scans normally don’t uncover unknown vulnerabilities.

With EASM and vulnerability results in hand, you can then perform a penetration test. Where vulnerability scans are optimized for breadth and completeness, penetration tests are optimized for depth and thoroughness. Pentests will search for all potential attack points and actively exploit all detected known and as yet unknown vulnerabilities to determine if unauthorized access or malicious activity is possible. Then a good pentesting operation will prioritize its results and assist in remediation or mitigation of detected problems.

Using these three cybersecurity tools and processes will help you answer these important questions:

  • What do we have that might be attacked? (EASM)
  • Could an attack happen on things we own and how likely is it that something will happen to us? (Vulnerability Assessment and Management)
  • What can happen if an attacker gets into our system? (Pentesting)


Preparing for the Next Log4j in the Face of the Cyber Talent Gap

9 September 2022 at 12:40

When the Log4j vulnerability emerged in December 2021, Synack and our clients’ security teams immediately sensed its urgency. The Synack Red Team began testing within hours of the initial discovery for our customer base. 

Almost a year later, Log4j continues to show up in our pentesting results. Here are some quick stats from our findings:

  • 750+ Log4j (CVE-2021-44228) missions run by SRT researchers since 2021 as part of our zero day response coverage
  • 100+ susceptible instances found so far as part of Synack Penetration Testing
  • Over 2 million IPs checked to date  

Log4j Is “Endemic,” Says Federal Cyber Board

The Cyber Safety Review Board (CSRB) called Log4j (CVE-2021-44228) an “endemic” vulnerability in the board’s first published report. The group of public and private sector cybersecurity leaders stated that the vulnerability is expected to continue to be a prominent threat for “a decade or longer.”

The CSRB’s consideration of Log4j as a persistent threat points to the critical nature of such zero days. They are not something to be solved in the week they appear, with security teams “working through the weekend” and then moving on. They highlight the larger need for readily available talent and emergency response processes across a longer span of time.

Luckily, there have been no successful Log4j-based attacks to critical infrastructure, according to the CSRB. However, the board urges organizations to continue to mitigate risk related to Log4j and prepare for future zero day vulnerabilities of similar criticality. 

Log4j and the Cyber Talent Gap – Surge Capacity

Nearly two in three organizations say they are understaffed in cybersecurity. But even for those that report having enough cyber talent on hand, the surge demand needed to respond to a vulnerability like Log4j can still be taxing. The CSRB report states:

“Perhaps most significantly, the force exerted on the urgent response and the challenges in managing risk also contributed to professional “burnout” among defenders that may, compounded with the generally intense pace of many cybersecurity jobs, have a long-term impact on the availability of cybersecurity talent.”

Chris Hallenbeck writes for VentureBeat about lessons learned in the face of Log4j, including the fact that the “skills shortage is an existential threat.” If organizations are to effectively prepare for future CVEs and zero days, they must consider their hiring strategies in the face of the cyber talent shortage, while also considering how to deal with potential burnout and stress from surge demand in the face of emergency. 

Preparing for Zero Day Response with Human Talent

The CSRB issued recommendations to mitigate zero day risks, including the documentation of a vulnerability management and response program, and consideration of “cultural shifts” that are “necessary to solve for the nation’s digital security.”

Synack believes that the most effective way to test for a zero day vulnerability is with human expertise. Scanners are not able to detect zero day vulnerabilities until they are updated with a signature for the vulnerability. 

In the face of the cybersecurity talent gap, testing with humans to meet the surge demand of a zero day can be challenging. That’s why on-demand access to a community of researchers is paramount. Synack provides access to such a community, the Synack Red Team, through a SaaS platform, for on-demand zero day response. This talent augmentation can be a key cultural shift for companies struggling to hire or retain cyber talent, and can help prevent an in-house team from experiencing the severe burnout alluded to above.

Within the Synack Platform is a catalog of CVEs that can be tested on-demand by skilled SRT researchers. When Log4j first emerged, it was added to the catalog within hours, and top researchers began testing and collaborating on methodologies. 

After only a few days, Synack had checked over half a million IP addresses confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies. 

Contact us today for a conversation about how we can help you mitigate Log4j risk or prepare for future zero days.


Inside the Biggest U.S. Civilian Agency’s Pentesting Strategy

By: Synack
25 August 2022 at 07:00

The U.S. Department of Health and Human Services (HHS) draws on Synack’s trusted security researchers and smart pentesting platform to stay nimble in the face of fast-moving cyberthreats. 

With 84,000 federal employees, the agency’s sheer size poses challenges when it comes to addressing the cyber talent gap or pentesting its most critical networks. It’s the largest U.S. civilian agency by spending.

“We have an enormous footprint on the internet,” said Matthew Shallbetter, director of security design and innovation at HHS, during a webinar Wednesday hosted by Synack. “Across the board, HHS is both vast and well-known – and so a good target for troublemakers and hackers.” 

He cited constant cyberthreats to the National Institutes of Health, HealthCare.gov and the Centers for Disease Control and Prevention – some of the most recognizable federal research centers and government services. All those resources fall under HHS’s purview.

So how does the agency hire for mission-critical cybersecurity roles, stay on top of shifting zero-trust requirements and satisfy the need for continuous security testing?

Shallbetter shared his insights with Synack’s Scott Ormiston, a federal solutions architect who’s no stranger to the challenges facing public sector organizations globally.

With an estimated 2.72 million unfilled cybersecurity jobs worldwide, government agencies are struggling more than ever to meet diverse infosec hiring needs.  

“Attackers are responding so much faster today than they were even five years ago,” Ormiston pointed out. “In the time that a vulnerability is released to the public, within minutes of that release, attackers are out scanning your systems. If you don’t have enough skilled personnel to run a continuous testing program and to continuously be looking at your assets, how do you address that challenge?”

Here are a few themes and highlights from the webinar:

Continuous pentesting is a must

It can take weeks to spin up a traditional pentest to find and fix urgent software bugs. Meanwhile, bad actors almost immediately start scanning to exploit those same vulnerabilities, whether they’re blockbuster flaws like Log4j or lesser-known CVEs.

Against that backdrop, traditional pentesting clearly falls short. But is continuous pentesting realistic?

“The short answer is yes, because your adversaries are doing it every day: They’re continuously testing your environment,” Ormiston said.

Shallbetter noted that HHS has its own set of pentesting teams that are centrally located and focus on high-value assets. But there isn’t enough in-house talent to keep up with regular testing, scanning and patching.

“If we could focus on what’s really, really important and test those [assets], we might have enough bodies,” he said. “But it’s really a challenge to try to patch vulnerabilities… The footprint never shrinks; it’s always expanding.” 

To augment his own agency’s workforce capabilities, Shallbetter pulls from Synack’s community of world-class researchers. The diverse members of the Synack Red Team (SRT) allow HHS security testing to keep up with rapid software development cycles and the unrelenting pace of digital transformation.

HHS led 196 assessments using Synack’s platform, adding up to over 45,000 hours of testing on its perimeter services as part of an established vulnerability disclosure process.

There’s no match for human insight

That adds up to a lot of actionable data.

“We really couldn’t have done the VDP the way we did… without using a centralized platform like Synack,” Shallbetter said. “The human insight was key.”

He pointed out that HHS has automated tools across the board to help developers weed out vulnerabilities and drive down risk.  

But over and over, SRT members would find more.

Shallbetter said his favorite examples are when a system owner engages the Synack Platform to validate that HHS has really fixed a vulnerability. “They ask for a retest and the researcher says, ‘Oh, I did X, Y, and Z, but I did it again…’ And the system owner says, ‘Wow, that’s really cool.’”

Those exchanges also build trust between the SRT community and HHS developers who appreciate researchers’ ability to find the vulnerabilities that matter, cutting through the background noise of automation. An average of 30 SRT members contribute their expertise to each HHS assessment, according to Shallbetter.

“When you put a bunch of humans on a target, even if it’s been scanned and pentested by an automated tool, you will find new problems and new issues,” he said.

Zero trust is no longer just a buzzword

The White House early this year unveiled its highly anticipated zero trust strategy, M-22-09, which set federal agencies on a path to achieve a slate of zero-trust principles.

Those five security pillars include identity, devices, applications and workloads, networks and data.

“It’s great to have this architecture,” Ormiston said of M-22-09. “But this also means additional stress on a cyber workforce that’s under pressure.”

Zero trust is a “hot topic” at HHS, as Shallbetter noted.

“It doesn’t feel like a marketing term; people are really beginning to understand what it means and how to implement it in certain ways,” he said.

And pentesting has emerged as “a significant part” of meeting HHS’s zero trust goals. 

“I do think the scope and scale of technology now means the real vision for zero trust is possible,” he said. “For HHS, penetration testing has been an important part of speeding our deployment processes.”

Agencies have until the end of fiscal 2024 to reach the pillars of the zero trust paradigm described in the White House memo.

In the meantime, Synack will continue working as a trusted partner with HHS, delivering on-demand security expertise and a premier pentesting experience.

“I love being able to sort of toss the schedule over the fence and say, ‘hey, Synack, we need four more [assessments], what are we going to do?’—and have it happen,” Shallbetter said.

Access the recording of the webinar here. To learn more about why the public sector deserves a better way to pentest, click here or schedule a demo with Synack here.


Overheard at the CISO Table: 4 Takeaways From Dinner Discussions

5 August 2022 at 07:00

Wade Lance is the Field CISO for Synack. 

Picture this: You’re seated at a dinner table surrounded by a dozen security leaders. Appetizers are on the way, and the conversation starts to pick up. Your neighbor says something about the Russia-Ukraine conflict, while across the table, a few CISOs engage in a lively discussion about something they read in the Wall Street Journal. 

As field CISO for Synack, I’ve attended many such dinners with executives from a range of industries. The events offer a venue to speak frankly about security wins and challenges. Each CISO I’ve met on the road has brought unique perspectives on their most pressing cybersecurity concerns. Without naming any names, here are four themes I picked up on: 

Disaster readiness is urgently needed. To say Log4j was a wakeup call would be an understatement. Many CISOs were left scrambling to find on-demand expertise needed to respond to the open source vulnerability that seemed to be everywhere when it first appeared in the news last December. They lacked surge capacity to meet their cybersecurity needs at a critical time, as nation-state threats started exploiting Log4j before their own overworked teams could find and fix it.  One idea is to have a relationship with a Pentesting as a Service (PTaaS) partner so that surge capacity is immediately available in the same model that most organizations have with Incident Response partners.

Continuous penetration testing is great (on paper). Wouldn’t it be nice to have someone watching your back, ready to spring into action and find vulnerabilities at the drop of a hat? Sure, but is continuous pentesting really possible, let alone affordable? Getting to a place where top security researchers are constantly assessing their networks can seem like a mirage for organizations struggling to find cyber talent to fill 9-to-5 roles. But continuous development requires a new approach to security testing, so security leaders are looking at their options.

Auditors can be as motivating as malicious hackers. In 2022, it’s a truism that compliance does not equal security. CISOs understand that divide, but that doesn’t make it any easier to navigate. They need to keep auditors happy and keep hackers at bay if they want to stay off the front page of the Wall Street Journal as the next victim of a major hack. That means scaling security teams to juggle both shifting regulatory requirements and constantly evolving cyberthreats. Easier said than done.

Ditch the swag. OK, I’ll admit this one hurt a bit to hear. I love a YETI tumbler as much as the next security pro. But I also understand why CISOs–who know what’s at stake in our cyberthreat landscape–aren’t itching to wear branded socks or apply a Synack patch to their suits. This is a serious business!

By the time I steer the conversation back to Synack, I’ve heard fascinating and sometimes provocative viewpoints from the people on the front lines of security leadership. (At one dinner, I was flabbergasted when I heard an executive claim, “We’ve never had any breaches and don’t really consider ourselves a target.”) 

Here’s what Synack brings to the table:

  • Surge capacity. For the Log4js of the world, our global Synack Red Team of 1,500+ elite security researchers stands ready to bridge the cyber talent gap, augmenting your own organization’s infosec capabilities when major vulnerabilities drop. But this relationship needs to be in place before the next new vulnerability is discovered to engage researchers immediately, instead of waiting to get through the onboarding process with a new vendor.
  • Diverse perspectives. Synack Red Team members hail from over 80 countries and bring a depth of knowledge that can’t be replicated by in-house pentesters. Your diverse security needs call for diverse answers that just aren’t available from smaller, local teams.
  • Continuous and on-demand pentesting. Our Synack Platform is a one-stop shop where you can harness the talent of our Synack Red Team to find and remediate vulnerabilities that matter, generate clear, actionable reports, check off security tasks to assist with compliance and scale up tests as needed to keep up with your software development process. 

To find out more, you can contact us to schedule a demo here. Or maybe I’ll catch you around the dinner table on my next trip!


Bridging The Cyber Talent Gap: Removing Barriers for Nontraditional Talent

14 July 2022 at 11:22

Charlie Waterhouse is a senior security analyst at Synack.

One major challenge in addressing the cybersecurity talent gap centers on capability. Even when you’ve found a candidate, do they have the right skills for your organization’s tech stack or just the list of certifications from the job description? Many organizations are missing out on talent and talent augmentation because of outdated hiring practices. 

Traditional Hiring Methods Might Screen Out the Best Candidates

If you’re having a hard time finding your next cyber candidate, ask yourself: Are you filtering out the best ones? Many great candidates are screened out by hiring systems for lacking traditional requirements like a four-year degree or a certain level of experience. Sometimes, the listed expectations are not only prohibitively rare, but impossible. I’ve seen job postings ask for five years’ experience in a technology that has only been around for three—and for an entry level position at that! There are also many job postings asking for an unreasonable 5-10 years in testing and analysis experience for an associate position. 

These job description errors have two detrimental effects: First, you discourage quality candidates from applying because they doubt their qualifications are applicable. Second, experienced practitioners may dismiss your company because they view the expectations as unreasonable. 

I have met many individuals with valuable cybersecurity skills who are frustrated at not being able to even land an interview. Priorities should shift to finding a candidate with the right skills, rather than looking for a litany of degrees or certifications. Often, these titles reflect theoretical knowledge but don’t necessarily signal actual hands-on experience or skill. A candidate may lack traditional resume items, but be a driven, passionate security professional who proves to be a star in your organization. 

Education and Investing in Employee Skills

There are plenty of training resources to help individuals start an IT or security career: BUiLT, FedVTE, Love Never Fails and others educate underserved communities. At Synack, we sponsor the Synack Academy, a program to train people for cybersecurity roles and recruit them for full-time roles upon graduation. Synack also actively recruits veterans both internally and for our global Synack Red Team community of top-notch security researchers.

The candidates who benefit from these educational efforts are hungry to advance and excel, putting in hours of their own time to learn new skills. Should you turn these individuals down just because they don’t check boxes like having a four-year degree? I wouldn’t. In my view, the people who graduate from these programs are some of the best you can hire. I would also encourage employers to provide access to training to advance skills of existing employees, an affordable initiative compared to the cost of searching for and hiring new candidates.

I know firsthand how successful a nontraditional candidate can be, as I was a nontraditional hire into security. I spent more than 20 years in the airline industry before coming to Synack as a security analyst. I do not have a degree in cybersecurity or a related field, but I did have an interest and drive to learn. I spent time working on real-life security problems and focused my energy on those scenarios. For example, I worked on Hack the Box to understand network security and exploitation of websites. Today, I am routinely brought into projects or client meetings as a technical expert on securing large enterprise environments. 

Evaluating What Skills Are Needed in Full-Time Roles

Even when a candidate has enticing skills, another dilemma can arise: Is your organization able to use them? Is there enough work to justify filling a full-time role?

Security needs come and go, and sometimes temporary work is a better option than adding a full-time employee. However, managing contractors is time-consuming, and finding them is challenging in its own right. 

Synack is particularly suited to address that challenge through talent augmentation. Researchers in our Synack Red Team can perform security testing on demand. When recruiting for the SRT, we assess each candidate’s skills and vet them carefully. This makes for a community with diverse, highly-skilled researchers who can tackle any attack surface. Some have traditional four-year degrees and practitioner experience, while others hail from less traditional backgrounds. But they all have the capability to help secure your organization. 

It’s Time To Rethink Your Approach to the Cybersecurity Talent Gap

At the end of the day, there are cyber candidates out there who can help bridge the talent gap. But traditional job descriptions might be prohibitively limiting. There are education initiatives underway aimed at bringing new, passionate people to the workforce, but additional hiring challenges may remain for cyber leaders. Alternative talent augmentation, like that brought by the Synack Red Team, may be the best option. 


Mental Health and Cybersecurity: Two Continuous Journeys

25 May 2022 at 07:00

Mental health is health. It’s a common refrain during Mental Health Awareness Month, and one that rings true when you embark on a journey to improve your emotional wellbeing. Health is an ongoing journey and, funnily enough, one with many parallels to cybersecurity. So, in honor of Mental Health Awareness Month, here are a few lessons I’ve learned from working in cybersecurity that resonate with my own mental health journey.

Mental Health is Dynamic Like an Attack Surface

At Synack, we often talk about how attack surfaces are dynamic — changing and evolving daily because of the continuous updates and improvements. The same is certainly true for mental health. 

Just as an attack surface should be continuously assessed, so too should your mental health. Checking in with yourself and others routinely only makes sense given the dynamic nature of mental wellbeing. Some of my best months or days come right after some of my worst. Don’t make assumptions about your own or others’ mental states, and keep in mind that change is crucial and expected.

Treatment Should be Continuous

In 2017, my therapist diagnosed me with depression. Today, my mental health and my ability to manage it are leaps and bounds better, and I credit that mostly to a routine of mindfulness meditation and using other mental health tools. Because I know mental health is dynamic, I know that meditation isn’t just for when I’m feeling down but rather a practice I continue through good and bad times to find balance. The same can be said of other tools like therapy or journaling.  

These tools work because they build habits and defenses that can stand up to the next challenge you face, just like protecting an organization with cybersecurity principles. If you’ve stopped your daily meditation, therapy appointments or journaling about your day, you might not have the habits and responses you want in place the next time a challenge presents itself. But if you treat your mental health daily, instead of only in a crisis, you can be prepared for anything, in the same way an organization can respond confidently to a security challenge such as Log4j.

Normalize Investment 

One of my favorite security messages that I’ve heard says that security should be treated as an essential business function. It’s not a side project you are burdened to fund, it’s an integral part of doing business and should be “baked in” to your budget. 

Similarly, investing your time into your mental health should be normalized. Take time to see your therapist or for daily habits that contribute to your emotional wellbeing. When seeing a therapist, I was fortunate enough to have supportive managers to take time off in the afternoon. I also had friends that supported me on my journey that I could turn to.

There’s no Better Time Than Now to Start

You can start your mental health journey at any time. You don’t have to wait for a low point to make positive changes. Just like you shouldn’t wait for a crisis to start enacting effective cybersecurity measures, you shouldn’t wait to tackle your mental health. Recognizing that it’s a dynamic challenge you need to prepare for, and invest in, is the first step in making a positive change for yourself.


What’s the Spring4Shell Vulnerability and Why it Matters

By: Synack
20 April 2022 at 08:00

By Kim Crawley

The impact of some software vulnerabilities is so far-reaching and affects so many applications that the potential damage is near impossible to measure. The series of vulnerabilities known as Spring4Shell is a perfect example.

The vulnerability is found in the Spring Framework, which is used in too many Java-based applications to name. The framework contains modules that include data access and authentication features, so there’s a potential disaster if an attacker can exploit it.

Vx-underground shared news of the discovery of Spring4Shell and linked to a proof-of-concept exploit via Twitter on March 30. The vulnerability facilitates remote code execution and impacts Spring Core in JDK (Java Development Kit) 9 through 18. Frustratingly, Spring4Shell pertains to a bypass for another remote code execution vulnerability that researchers discovered in 2010. That alone emphasizes how critical Spring4Shell is, and how difficult it is to patch or otherwise mitigate.

Because Spring Framework’s modules have so many functions and because of how Spring Framework is used in so many different types of networking applications, there are many ways to exploit Spring4Shell.

One worrisome example is how Spring4Shell has been used to execute Mirai malware and acquire remote root access maliciously. 

First surfacing in 2016, Mirai botnet malware has been used by attackers to execute crippling assaults and now it’s coming back with a vengeance. It works by infecting routers and servers and giving attackers the ability to control massive botnet networks. One of the most damaging Mirai attacks hit the Dyn DNS network hard and took out much of the internet in October 2016.

Now, Spring4Shell is aiding the return of Mirai. Spring4Shell’s bugs have been used to write a JSP web shell into web servers with a carefully coded request. Then remote attackers use the shell to execute commands with root access. Mirai is downloaded to a web server’s “/tmp” folder before execution.

Spring4Shell is similar in many ways to Log4Shell, which was initially discovered in November 2021. Log4J is Apache’s Java logging utility that’s been implemented in a plethora of network logging applications from 2001 to today. It’s a little bit of useful software code that’s run in a wide variety of internet servers and services. Exploiting the Log4Shell vulnerability can give attackers administrative access to all kinds of internet targets. Ars Technica’s Dan Goodin called it “arguably the most severe vulnerability ever,” and Apache started deploying patches on Dec. 6. It has not been an easy job because there are multiple CVEs and they aren’t simple to fix. 

Spring4Shell and Log4Shell both pertain to Java’s vast libraries and resources. Java is one of the most commonly used application development technologies on internet servers and on a variety of types of endpoints, especially Android devices. The downside to a technology being so popular and useful is that it’ll also be a prime target for attackers. Inevitably, there will be many more devastating Java library vulnerabilities discovered in the years to come.

Businesses should quickly work to patch Spring4Shell and Log4Shell vulnerabilities across their entire networks. 

Rigorous, continuous pentesting can help organizations spot these vulnerabilities quickly. The more traditional approach to pentesting just isn’t robust enough to help organizations find and fix the latest complex vulnerabilities. 

Reach out today to discover how Synack can help. 


Preventing Cryptographic Failures: The No. 2 Vulnerability in the OWASP Top 10

By: Synack
14 April 2022 at 08:00

By Bruce Kang, Associate Security Operations Engineer

Introduction

In the 2021 iteration of the OWASP Top 10, Cryptographic Failures moved up one ranking to take the No. 2 spot. Its name also changed from “Sensitive Data Exposure” to “Cryptographic Failures” to more accurately describe the vulnerability. In this article, we will take a deep dive into this vulnerability category, explain how and why it exists, and show how to prevent it from being exploited.

A Brief Explanation of Cryptography

To understand what falls under the broad category of Cryptographic Failures, it’s important to first understand what cryptography is exactly. To keep things simple, cryptography can be thought of as a way of secure communication so that sensitive information can only be viewed by authorized parties. The process for this usually involves having an original “plaintext” message, which is then put through some sort of encryption algorithm, which turns it into unreadable “ciphertext.” This ciphertext is then only able to be decrypted back to its original plaintext by the intended recipient(s), usually by using a cryptographic key that only the intended recipient(s) have access to. 

Implementations of Cryptography

Cryptography is ubiquitous in today’s computing world. It is implemented in technologies like:

  • Protocols: HTTPS, FTPS, SFTP, SSH, SMTPS, etc., to ensure that all communication between two endpoints is encrypted.
  • Hashing (one way encryption): passwords, authentication, file integrity verification, etc.
  • Website certificates to verify authenticity.

Explanation of Cryptographic Failures

Since cryptography is used so widely and has many different implementations, there are several ways for vulnerabilities to occur: implementation errors, weak encryption methods, not encrypting data at all, and much more. A Cryptographic Failure is therefore a broad vulnerability category that encompasses every type of attack related to cryptography. As one could imagine, a vulnerability of this type can have serious consequences, since cryptography is what secures sensitive information: if there is a failure at any point in the process, that information could be exposed to any number of malicious attackers.

Simple Example with Man in the Middle Attacks

For our first example of a Cryptographic Failure, imagine if a banking website did not use HTTPS. To give some context, HTTPS encrypts traffic being sent between the user and the website, as opposed to HTTP which sends everything “in the clear”. This is very important considering things like passwords, social security numbers, etc. could be communicated between the user and website. Using HTTPS means an attacker would not be able to view the information being exchanged if they were to intercept the traffic. Therefore, failure to use HTTPS would make users vulnerable to what would be called a “Man in the Middle” attack. As the name suggests, this type of attack happens when an attacker is able to intercept traffic between two nodes and view the information being exchanged, usually possible by being on the same network. This attack would look something like this:

Here the attacker is able to view all the information the user is sending to the website, possibly including things like the credentials for their bank account. This is all because the website failed to implement the necessary cryptographic controls for preventing this attack.

Real World Example #1: Weak Ciphers 

Usually, a Man in the Middle attack can prove to be pointless if the data is encrypted, as the collected data will be impossible to read without the decryption key. However, there are ways to bypass this. A real example of this attack vector was found by one of our Synack researchers (sensitive information redacted). They found that the application they were testing was using weak, outdated block ciphers for encrypting communication being sent back and forth between the users and the application. It is important to remember that block ciphers encrypt data in “blocks” of data. The larger the blocks, the more layers of complexity are added to the encryption, in turn making the data harder to decrypt without the key. 

However, the application was found to be using only 64-bit block ciphers, an outdated choice because such ciphers are vulnerable to the “Sweet32” vulnerability (CVE-2016-2183, CVE-2016-6329). Without getting into the mathematics, Sweet32 can be understood as a practical attack on any encryption that uses 64-bit block ciphers. Because of this, it has been advised to use encryption algorithms with block sizes of at least 128 bits, such as AES. 

What this means is that attackers could potentially conduct a Man in the Middle attack (as described earlier) to capture encrypted traffic between the user and the application, then crack the encryption easily due to the weak cipher.

This vulnerability was found by the researcher utilizing a tool called testssl.sh (https://github.com/drwetter/testssl.sh). This tool was run against the target website like so:

After identifying that the website uses weak ciphers, testssl.sh can be used again to find that this causes it to be exploitable via Sweet32.

With this information, an attacker now knows that a Man in the Middle attack could be used to capture sensitive data, then easily be cracked using the Sweet32 vulnerability.

This vulnerability showcases how important it is to ensure that the strongest, most up to date encryption algorithms be used whenever possible, especially considering that encryption algorithms are constantly evolving.
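As an added example (not the article’s code and not part of testssl.sh), the check below does in Python what the Sweet32 section of a testssl.sh run reports: it tokenises cipher-suite names, flags every suite built on a 64-bit block cipher (3DES, DES, IDEA, RC2, Blowfish, CAST), and can optionally offer only such suites to a live server to see whether it will still negotiate one. The suite list is constructed; the probe function and its host and port parameters are this example’s own. The live probe uses a certificate-verifying context, so the check itself does not give up the HTTPS guarantees the Man in the Middle section above relies on.

```python
"""Audit TLS cipher suites for the Sweet32 (64-bit block) class.

Added example, not from the article or from testssl.sh. Suite names and the
hypothetical server list are constructed; the live probe is optional.
"""
import socket
import ssl

# Tokens naming a 64-bit block cipher in OpenSSL or IANA suite names
# (TLS_RSA_WITH_3DES_EDE_CBC_SHA, DES-CBC3-SHA, IDEA-CBC-SHA, ...).
BLOCK64_TOKENS = {"3DES", "DES", "IDEA", "RC2", "BF", "BLOWFISH", "CAST", "CAST5"}

# Ciphers broken for other reasons (RC4 stream cipher, no encryption,
# export-grade keys): not Sweet32, but never acceptable either.
OTHER_WEAK_TOKENS = {"RC4", "NULL", "EXP", "EXPORT"}

# Prefixes of 128-bit block ciphers and modern AEAD/stream constructions.
ACCEPTABLE_PREFIXES = ("AES", "CAMELLIA", "ARIA", "SEED", "CHACHA20")

VERDICTS = ("sweet32", "weak-other", "ok", "unknown")


def classify_suite(name: str) -> str:
    """Map one suite name (OpenSSL or IANA spelling) to a verdict string."""
    tokens = set(name.upper().replace("-", "_").split("_"))
    if tokens & BLOCK64_TOKENS:
        return "sweet32"
    if tokens & OTHER_WEAK_TOKENS:
        return "weak-other"
    if any(t.startswith(ACCEPTABLE_PREFIXES) for t in tokens):
        return "ok"
    return "unknown"


def audit_suites(names):
    """Group offered suite names (e.g. pasted from a scanner's 'Testing
    ciphers' section) by verdict, keeping their order inside each group."""
    groups = {v: [] for v in VERDICTS}
    for name in names:
        groups[classify_suite(name)].append(name)
    return groups


def server_accepts_block64(host: str, port: int = 443, timeout: float = 5.0):
    """Offer only 64-bit-block suites and report whether the server picks one.

    True  -> a Sweet32-class suite was negotiated (finding confirmed)
    False -> the server refused every such suite
    None  -> the local OpenSSL build cannot offer any of them; the probe is
             inconclusive and a dedicated scanner should be used instead
    """
    ctx = ssl.create_default_context()  # still verifies the certificate chain
    try:
        ctx.set_ciphers("3DES:IDEA:RC2:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_suite(tls.cipher()[0]) == "sweet32"
    except ssl.SSLError:
        return False


# Constructed sample: what a legacy server might still advertise.
SAMPLE_OFFERED = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "IDEA-CBC-SHA",
    "RC4-SHA",
]

if __name__ == "__main__":
    for verdict, names in audit_suites(SAMPLE_OFFERED).items():
        print(f"{verdict:>10}: {', '.join(names) or '-'}")
```

The remediation is the mirror image of the audit: configure the server so that only suites classified “ok” are offered, then rerun the probe and expect False.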

Real World Example #2: Unencrypted Admin Credentials 

In our second real world example showcasing Cryptographic Failures, one of our own Synack researchers managed to find hard-coded admin credentials for an application through source code review (sensitive information changed or redacted). The researcher found that the target was running “Manage Engine Service Desk Analytics Plus Application.” Upon finding this, the researcher was able to request the source code of this application from the vendor. 

The researcher then found that the source code contained hard-coded credentials:

    public static final String DEFAULT_USER = "admin@website.com";
    public static final String DEFAULT_USER_PWD = "admin123";
    public static final String PARTNER_ADMIN = "partner+admin@website.com";
    public static final String PARTNER_ADMIN_PWD = "Password123";

These credentials were then able to be used on the target that was running this application, thereby granting administrative access to the hosting server. This is a very clear and simple example of a Cryptographic Failure, as these credentials should have been encrypted or stored in a key vault, instead of being hard-coded into the source code.
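An added example (not the article’s code and not from ManageEngine) that turns the lesson into a check: a small scanner that flags literal assignments to secret-looking names in source, run over a constructed Java snippet modelled on the one above, beside the loading pattern that should replace such literals (read the secret from the runtime environment or a vault client at startup, and fail closed when it is missing). The regular expression, the environment variable name APP_ADMIN_PWD and the sample class are this example’s own.

```python
"""Find hard-coded credentials in source, and show the pattern that replaces them.

Added example, not from the article or from the product it describes. The
sample Java class and the environment variable name are constructed.
"""
import os
import re

# Identifier fragments that suggest a secret; matched case-insensitively.
SECRET_KEYWORD = r"(?:PASS(?:WORD|WD)?|PWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)"

# `NAME = "literal"` where NAME contains a secret keyword and the literal is
# at least four characters (covers Java, C#, Kotlin and similar syntax).
ASSIGN_RE = re.compile(
    r"(?P<name>\w*" + SECRET_KEYWORD + r"\w*)\s*=\s*[\"'](?P<value>[^\"']{4,})[\"']",
    re.IGNORECASE,
)

# Redaction or templating placeholders are not real secrets; skip them.
PLACEHOLDER_PREFIXES = ("<", "${", "{{")


def find_hardcoded_secrets(source: str):
    """Return (line_number, identifier, literal) for each suspicious assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ASSIGN_RE.finditer(line):
            value = match.group("value")
            if value.startswith(PLACEHOLDER_PREFIXES):
                continue
            hits.append((lineno, match.group("name"), value))
    return hits


def load_admin_password(env_var: str = "APP_ADMIN_PWD", environ=None) -> str:
    """Hardened pattern: the secret arrives at runtime (environment populated by
    a secrets manager or vault agent), never as a literal, and a missing value
    stops startup instead of silently falling back to a default."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start with a default password")
    return value


# Constructed sample modelled on the snippet in the article; the last field
# shows the corrected form that the scanner must not flag.
SAMPLE_JAVA = """\
public class Defaults {
    public static final String DEFAULT_USER = "admin@example.com";
    public static final String DEFAULT_USER_PWD = "admin123";
    public static final String PARTNER_ADMIN = "partner+admin@example.com";
    public static final String PARTNER_ADMIN_PWD = "Password123";
    // Hardened: no literal in source, value injected at deploy time
    public static final String DB_PWD = System.getenv("APP_DB_PWD");
}
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_secrets(SAMPLE_JAVA):
        print(f"line {lineno}: {name} is assigned a literal ({len(value)} chars)")
```

Running the scanner in CI on every push is cheap; the usual complaint is false positives on words like “bypass”, which the keyword list can be tuned to avoid. The hardened loader deliberately has no default argument for the password itself.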

Real World Example #3: Unencrypted file backups in Microsoft Azure 

This third example of Cryptographic Failures involves an organization not encrypting all of its data. A Synack researcher found a client’s file backups that were not completely encrypted. Specifically, the vulnerable application backed up Office 365 mailboxes in a Microsoft Azure storage account and claimed that these files were encrypted, with the key stored in Azure Key Vault. However, the researcher discovered that the data was only encrypted server-side. This meant the encryption would only protect the backups if an attacker gained physical access to the hard disk on the host server, which would be incredibly difficult considering Microsoft Azure is a major cloud provider. 

Instead, the researcher found that any user who had access to the Microsoft Azure storage account would be able to view every mailbox that was backed up to it, without even needing the key. This vulnerability was found by first creating the backup via the vulnerable website: 

After the backup is created, a blob storage folder is created in the Azure storage account called “o365-backups”, which contains all backed up mailboxes and attachments. One could then view the location of any user’s attachments folder by logging into the storage account and accessing this URL: 

https://storage_account.blob.core.windows.net/o365-backups/<mailbox_user>/attachments/

From here all the researcher had to do was generate a download URL for any of the attachments found. After downloading the file, a hex editor can then be used to change the file from its original custom file format to a PNG, making it viewable. This would work for any attachments of other users on the application as well, potentially exposing sensitive information stored in users’ mailboxes.

What was probably intended here was for the storage account to be used to manage the mailbox backups without actually being able to read what was in them. Thus cryptography was not properly implemented and allowed the Azure storage account to view more information than was necessary, violating the principle of least privilege and potentially exposing sensitive information to unwanted eyes.

Real World Example #4: GitHub Exposes JWT Encryption Key 

This next example is very similar to the second one that was shown, as it involves the hardcoding of sensitive cryptographic information. This information was found through source code review on a client’s GitHub repository. One of our Synack researchers reviewed the publicly available code and found that it exposed a JWT private signing key. 

JWT stands for “JSON Web Token,” which is usually used for authentication. These tokens contain various data in JSON format about a user, and also must be signed by a private signing key in order to be used for authenticating into a specific application. If an attacker knows the fields needed for a valid JWT, and has the private signing key, it is possible for them to create their own valid JWT to impersonate other users. In turn, they would have full access to all that user’s data.

The researcher first found this private key in the client’s GitHub repository:

    private static string privateKey = <KEY>;

Using this private key, they could then generate a public key with openssl. Using other information found in the GitHub repository, the researcher then identified the remaining fields used in the JWT. The resulting JWT payload was as follows. Note that the username of the user being impersonated must be known beforehand, likely through some form of user enumeration.

{
    "sub": "1234567890",
    "name": "USER2",
    "iat": 1516239022
}

The header was also found to use HS256:

{
    "alg": "HS256",
    "typ": "JWT"
}

A JWT generator website such as https://jwt.io/#debugger-io could then combine all of this information into a valid JWT. The payload, header, private key, and public key were all used to create the encoded JWT shown below.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlVTRVIxIiwiaWF0IjoxNTE2MjM5MDIyfQ.MlOB8X3VEZgAuD_Q7odNy_TEXbv5gSeXb3vHd538BKE

This token was then used to authenticate to the application as “USER2” by replacing the value in the attacker’s cookie. The researcher then had access to all of USER2’s data.

Thus, it is important to remember that hardcoding sensitive information into source code that others can view is almost always bad practice.
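The example above turns on one property of HS256: it is an HMAC over a shared secret, so whoever can verify a token can also mint one, and a “verification key” checked into a repository is a signing-key leak. The block below is an added illustration written for this article, not code from Synack or the client: a stdlib-only HS256 signer and a hardened verifier (pinned algorithm, constant-time MAC comparison, mandatory expiry, secret loaded from an environment variable whose name is an assumption). It also decodes the token quoted above to show what it actually claims; that token cannot be verified here because the leaked key is not known.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Encoded JWT quoted in the article above. It was signed with the leaked key,
# which is not known here, so it can be decoded but never verified.
ARTICLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlVTRVIxIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "MlOB8X3VEZgAuD_Q7odNy_TEXbv5gSeXb3vHd538BKE"
)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT checking the signature.
    Fine for inspection or logging, never for an authorization decision."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token. Anyone holding `secret` can do this for any
    'name' claim, which is why the secret must never live in a repository."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is valid, otherwise None.
    Hardening: pin the algorithm (rejects 'none' and key-confusion headers),
    compare the MAC in constant time, and require an unexpired 'exp' claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None
    return payload


def load_secret_from_env(var: str = "JWT_HS256_SECRET") -> bytes:
    """Read the signing secret from the environment (variable name is an
    assumption for this example) and refuse to start with a missing or short
    one, so no fallback default can ever be baked into source."""
    value = os.environ.get(var, "")
    if len(value) < 32:
        raise RuntimeError(f"{var} must be set to at least 32 characters")
    return value.encode()
```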

Real World Example #5: Crackable Password Hash Retrieval 

Cryptographic Failure vulnerabilities can also arise when the original plaintext itself does not follow best practices. This mostly applies to passwords: a weak password can often be compromised even if it is hashed properly.

Offline password cracking usually starts from a set of compromised passwords that are still in hashed form, then uses a cracking tool to recover the plaintexts. Such tools include hashcat, John the Ripper, THC Hydra, and more. All of them work the same way at their core: for each hashed password, they try to guess the plaintext using a wordlist of common passwords, or look it up in a rainbow table of pre-calculated hashes for common passwords.

An example of this involves another of our Synack researchers, who cracked an administrator’s password for a server management application running on a client’s network. The researcher first found that the vulnerable host was running HP Integrated Lights-Out (iLO), which uses the IPMI v2 authentication protocol. The problem is that IPMI v2 has a design flaw that allows the password hash of a requested user to be dumped before authenticating at all; the only requirement is that a valid username be known. The following Metasploit module can be used to dump these hashes:

auxiliary/scanner/ipmi/ipmi_dumphashes

After the password hashes are retrieved, they can be cracked offline. Normally, strong, salted passwords are extremely hard to crack, for two reasons: 1) a unique, complex password produces an equally unique hash that is not part of any existing rainbow table, and the password itself will not appear in common brute-force wordlists; 2) salting adds a unique, random string of characters to each password before it is hashed, known only to the application, so precomputed hashes no longer match.

However, the researcher found that this application followed neither of these practices for its administrator passwords, so they were very easy to crack. All the researcher had to do was run hashcat on a text file containing the dumped hashes, along with another text file containing common administrator usernames (admin, administrator, root, etc.):

hashcat --username -a 3 -m 7300 hashes.txt

These credentials could then be used to gain administrative access to iLO, in turn allowing the attacker to have a shell environment on the host. This vulnerability has even been reported as being used in ransomware attacks: https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces

This is why it is of the utmost importance to enforce strong password policies so that passwords cannot easily be cracked. Best practices include policies on password length and complexity, or simply using a password management solution.
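The two defences this example argues for, a policy that keeps guessable passwords out and salted, slow hashing that defeats precomputed tables, are shown together below. This is an added illustration written for this article, not code from Synack, HP or the client: the common-password list is a constructed stand-in, the storage format and variable names are assumptions, and the unsalted SHA-1 table is a toy to show why the weak scheme matches common passwords instantly while the salted scheme does not.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a breached/common-password list; a real deployment
# loads a large list from disk instead of hardcoding a handful of entries.
COMMON_PASSWORDS = {"password", "admin", "administrator", "root",
                    "123456", "letmein", "welcome1", "ilo"}

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def password_meets_policy(password: str, min_length: int = 14) -> Tuple[bool, str]:
    """Length first, then a screen against the common-password list; both
    checks target the failure mode in the article, a guessable admin password."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    return True, "ok"


def unsalted_sha1(password: str) -> str:
    """The weak scheme: no salt, so identical passwords hash identically on
    every system and one precomputed table serves every target."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Toy lookup table in the spirit of a rainbow table: hash each common
    password once, then any dump of unsalted hashes is a dictionary lookup."""
    return {unsalted_sha1(word): word for word in wordlist}


def lookup_unsalted(hex_digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(hex_digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.
    A fresh random 16-byte salt per user means two users with the same
    password get different digests and no precomputed table applies."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex or int
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)
```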

Final Thoughts

Ensuring that cryptography is properly implemented is critical. Understanding why cryptography is important and how it works is paramount to using it correctly. To find out more about preventing these vulnerabilities, the OWASP guide can be found here.

It is clear why the OWASP Top 10 has put Cryptographic Failures so high up on its list, as the prevalence and consequences of these vulnerabilities are enormous. Learn more about how Synack can help prevent these and other vulnerabilities in your systems here.

The post Preventing Cryptographic Failures: The No. 2 Vulnerability in the OWASP Top 10 appeared first on Synack.

WE’RE IN! Episode 14: How to Become a Master OSINT Detective Without Leaving Home

By: Synack
11 March 2022 at 09:00

By Kim Crawley

Keep your trenchcoat in your closet. The only magnifying glass you’ll need is that icon on your PC monitor or smartphone touchscreen. In the world of cybersecurity, you can become a detective by learning open-source intelligence, or OSINT for short. 

OSINT is all about how to use publicly available information sources to better understand cyberthreats, attacks and targets. Occasionally, OSINT work can be done by looking through old books, newspapers or paper documents like property or court records, but most relevant open-source intelligence sources can be found on the internet. All of that means you can become a master detective without ever leaving home.

OSINT isn’t accessing information that’s legally protected or requires hacking or other illicit actions to acquire. Doxxing isn’t OSINT. Spyware isn’t OSINT. It doesn’t involve bypassing encryption. Also, OSINT is passive research. If you need to communicate with the subjects of your research, that’s not OSINT. But exploring publicly available information sources, both digital and analog, is what OSINT is all about. And, more and more, it’s an important skill that’s used by both offensive and defensive security professionals. 

In Episode 14 of WE’RE IN!, Micah Hoffman, principal investigator and owner of Spotlight Infosec and founder of MyOSINT.Training, discusses how he honed his OSINT skills and how those abilities help offensive and defensive cybersecurity practitioners. 

“OSINT is a reconnaissance skill. It’s all about that preparation work that needs to be done before you do anything in cyber, whether it’s attacking or defending,” he told WE’RE IN! co-hosts Bella DeShantz-Cook and Jeremiah Roe. 

[You can listen to this episode of WE’RE IN! on Apple, Spotify, Simplecast or wherever you get your podcasts.]

Hoffman also discussed how often just really clever Googling can help security researchers who are hunting for vulnerabilities in customers’ websites. “Part of our process was just to Google the name of the website. I pulled back a PDF help document that said, ‘Hey, if you want to log into this website, use a username like this and a password like that.’ And wouldn’t you know it, I just typed those exact credentials in … and logged right in.”

He remembered thinking: “Wow, this is so powerful. Who needs hacking when I can just log right in?”

While OSINT researchers take advantage of just how easy it is to access individuals’ private information on the open web, they also understand the privacy risks of social media platforms better than most. “People don’t realize what is online and being revealed about their organizations, themselves, their activities and their families,” said Hoffman. “The reality is that we give up our privacy every single time we use an app, every single time we choose to purchase something.”

The full transcript of the interview is available here.

Synack and Accenture—Working Together to Protect the Nation’s Critical Assets

By: Synack
10 March 2022 at 10:00

Synack works with innovative government security leaders who are responsible for protecting their organizations by finding and remediating exploitable vulnerabilities before they can be used by an attacker. In this effort we have formed trusted partnerships with federal agencies and their consultants, helping them to achieve mission-critical goals safely. Synack has worked with more than 30 federal agencies to quickly identify known and unknown vulnerabilities before attackers can take advantage of them. And Synack has received Moderate “In Process” status from the Federal Risk and Authorization Management Program (FedRAMP), underscoring Synack’s commitment to stringent data and compliance standards. This work is especially important in light of President Biden’s recent cybersecurity memorandum laying out steps that federal agencies need to take to protect the nation’s critical assets – its networks and data.

An example of such recent and essential work brings us back to December 12, 2021, when the U.S. Department of Homeland Security (DHS) issued a warning about the Log4j vulnerability. Federal agencies were required to identify whether they had the vulnerability and remediate it by December 24th. The challenge for agencies trying to find this vulnerability was that the effort could take weeks. Synack’s SWAT team was able to identify the vulnerability (and variants) for agencies in a matter of hours. Without Synack, this could have taken days or weeks to find. One Synack federal customer was able to successfully test more than 520 active hosts and 200 in a 24-hour period for this critical vulnerability.

Accenture Federal Services (Accenture) is a premier consultant to cabinet-level federal agencies, providing end-to-end cybersecurity services and skilled professionals to help agencies innovate safely and build cyber resilience. In partnering with Synack, Accenture brings to bear the power and speed of the Synack platform to help federal agencies be more proactive with their cybersecurity practices. Working together, Synack and Accenture are delivering innovative solutions, including continuous security testing, which empowers agencies to quickly detect and remediate vulnerabilities before they can be exploited. Synack’s comprehensive security testing complements Accenture’s hands-on consultative engagements, supporting agencies in integrating security into their organization.

Proactive components of security programs are critical and yet often hard to perform at scale, primarily due to the cyber talent gap. Together, Accenture and Synack are successfully building proactive measures into agency-wide security programs with clear impact and staying power. We are regularly delivering on unprecedented find-to-fix vulnerability cycles, Vulnerability Disclosure Programs (VDP, BOD 20-01), and testing in pre-production environments.

The Power of Synack & Accenture Federal Enables Security Teams for On-Demand Security Testing

  • Penetration testing at scale
  • Nimble responsiveness to time-sensitive customer needs
  • Continuous security posture testing
  • Evaluation of high-value assets and testing of internal, external, and cloud assets
  • Policy and compliance audits

The Synack/Accenture partnership is a strong example of how Synack can provide a higher level of pentesting and security evaluation to government customers with varying levels of security expertise. In-house pentesting is difficult to scale, but Synack’s community of the world’s most skilled and trusted ethical researchers delivers effective, efficient, and actionable security testing on demand and at scale, allowing security teams to focus on the vulnerabilities that matter most.

Synack Partners with Microsoft to Help Customers Improve Their Microsoft Azure Security Posture

By: Synack
27 September 2021 at 12:50

Synack works with Microsoft to provide a one-stop shop for Microsoft Azure-based cloud security.

Microsoft Azure comes equipped with all the right security controls, but effective deployment and management of these controls is an ongoing process, driven by evolution and risk tolerance. Proper implementation of cloud rollouts and ongoing maintenance can be a challenge, even for large organizations, leading to a lack of protections such as least privilege for access controls. And attacks on the cloud appear to be growing. Verizon’s 2021 Data Breach Investigations Report found that “external cloud assets were more common than on-premises assets in both incidents and breaches.”

Security teams are left responsible for not only securing cloud assets, but also for ongoing cyber hygiene training and developing common sense policies to protect an organization’s assets. It can be an overwhelming task. Based on an increase in cloud misconfiguration vulnerabilities reported by the Synack Red Team in 2020, it is clear the existing solutions and frameworks are fragmented—leaving ample room for malicious exploits.

But now, finally, there is a better way!

By combining the power of Synack, the premier crowdsourced platform for on-demand security expertise, with Microsoft’s Azure Security Modernization (ASM) solution, enterprise and government organizations now have a scalable solution for cloud security planning, management, and improvement.

Per a Microsoft blog post from earlier this year, Microsoft Azure applications and infrastructure deployments have grown by leaps and bounds for nearly 20 years. In parallel, Microsoft has emerged as a cybersecurity leader, recently announcing a whopping $10 billion in revenue for its security business over the past 12 months. This represents more than 40 percent year-over-year growth (Vasu Jakkal, 2021). Microsoft security experts have deployed Microsoft services and solutions to secure 400,000 customers across 120 countries, including 90 of the Fortune 100. Integrations such as the one with Synack amplify Microsoft’s ability to continue to grow and innovate across all types of organizations.

Microsoft’s ASM solution helps its clients stay ahead of adversaries. It deploys a Microsoft Azure-centric, continuous approach to security (see chart below), led by Microsoft security experts and powered by the Synack Platform. ASM includes a four-phase continuous security model, Plan, Develop, Deliver, and Measure, which programs, implements, and tests Microsoft Azure security requirements and controls.

Synack’s unique combination of a continuous, crowdsourced platform and smart vulnerability detection technology makes the discovery of security vulnerabilities easy, fast, and actionable! Synack-found vulnerabilities are reported and fed into ASM’s “Measure” phase to enable future “Planning” phases with real-world security testing data. Synack’s controlled and 24/7 testing, alongside its Azure integrations, ensures the changing boundaries and assets of today’s dynamic environments are tested safely and comprehensively.

“Thanks to our integration with Synack, we can now go beyond reviewing security configurations against recommended practices to include real time scanning of an environment against known security vulnerabilities. This allows us to help our customers further reduce risk by having a more comprehensive and tailored remediation plan fit to their needs.” says Heath Aubin, Director of Business Program Management, Security Strategy and Solutions at Microsoft Corp.

Synack’s cloud integrations allow for quick deployment of a variety of pentesting methodologies within a Microsoft Azure environment based on an organization’s goals and requirements. The first is open vulnerability discovery to uncover and report exploitable issues within a Microsoft Azure environment. The second includes targeted, offensive assessments aligned to the Microsoft Azure Security Benchmark.

Synack designed these targeted tests alongside the ASM Solution Owners for an on-demand mechanism to quickly highlight areas of weakness within a Microsoft Azure environment.

Leveraging the integration between Synack and ASM, customers can experience a comprehensive testing and mitigation sequence to support compliance, asset management and planning, and expert-level insight into the security of their Azure assets.

To find out more, download our datasheet here.

The Economy Runs on Trust – The Synack Trust Report

By: Synack
16 June 2021 at 13:57

Synack Trust Report – an Essential Guide for CISO, CIOs, and Cybersecurity Professionals

The Synack 2021 Trust Report 

Well into 2021, we have already seen how cyber attackers have rocked consumers’ trust over the past few months and caused panic at the pump. Not only at the pump, but across our transportation systems, at our schools and in our daily necessities, derailing everyday life.

All this comes after a year of business turmoil, and continued transformation. The pandemic accelerated initiatives to digitally transform operations, and drove efforts to implement Zero Trust security for remote workforces. Reinforcing cyber resilience continues to be top of mind in our organizations, firms, and societies, and goes hand in hand with trust. 

The Biden Administration has made cybersecurity a priority and recently issued a memo to business leaders urging them to take significant steps to prevent ransomware and other cyberattacks, including the use of third-party pen testing services to test systems and businesses’ “ability to defend against a sophisticated attack.” Executives that are actively focused on stakeholder trust and companies that put a premium on security testing, and take proactive steps to analyze new assets and digital applications will, in the long run, have stronger defenses and fewer breaches.

Trust continues to be more valuable than ever. Trust is not only crucial to our business relationships and customers, but in our everyday lives.

The 2021 Trust Report is Synack’s essential guide for CISOs, CIOs, security practitioners, C-suite and board executives to understand how to measure security, determine risks and build trust with data and insights on the state of different industries and sectors of the economy. 

In its fourth volume, the authoritative global report shares data from the most trusted brands based on thousands of security tests conducted by the world’s most skilled ethical hackers, The Synack Red Team (SRT). The report spotlights the different industries and sectors of the economy and reveals new insights into how critical organizations are prepared to fight ransomware and other digital threats and stay resilient. 

Average industry ARS rating by year
(As published in previous Trust Reports)

Industry                                  2019   2020   2021
Government                                  47     61     64
Healthcare                                  60     56     61
Financial Services                          57     59     58
Technology                                  46     55     57
Ecommerce                                   48     47     57
Retail                                      45     46     55
SLED                                        46     50     49
Consulting/Business & IT Services           53     48     52
Manufacturing/Critical Infrastructure       70     45     50

2019 ARS rating based on data from the Trust Report 2019 (data through January 2019).
2020 ARS rating based on data from the Trust Report 2020 (data through July 2020).
2021 ARS rating based on data from the Trust Report 2021 (data through April 2021).

The report data is based on Synack’s patented Attacker Resistance Score (ARS)™ Rating and includes a macro industry comparison that demonstrates how the most trusted organizations use the ARS rating and how to use the rating to benchmark attacker resistance against other industries. 

All too often, vulnerabilities leave organizations dangerously exposed. Last year, the US-CERT Vulnerability Database recorded nearly 17,500 vulnerabilities—a record number for the fourth year in a row. More than a third— 16%—of vulnerabilities found in 2020-April 2021 by the Synack Red Team (SRT), our global network of highly skilled and vetted security researchers were considered critical. Beyond that, the SRT saw a 14% increase over the past two years in authorization and permission vulnerabilities, which can give attackers access to the most sensitive networks and systems. 

“We’re facing a global cybersecurity crisis. Some organizations are doing the right thing, creating effective defense strategies and being proactive. Others are simply checking boxes. But the nature of today’s threat requires an aggressive and assertive approach,” said Jay Kaplan, CEO and Co-Founder of Synack. “The Trust Report and the ARS are vital tools for understanding the gaps in any organization’s security plan, and can be used as a tool for CISOs and other security leaders to prioritize security efforts and focus on the most pressing threats and vulnerabilities first.”

The increased sophistication of today’s threats makes the CISO even more vital. On top of digital transformations, organizations faced punishing nation-state hacks with cyber attacks continuing to rise in 2021. Going forward, the role of the CISO and security teams will continue to evolve and expand. In fact, 55% of enterprise executives plan to increase their cybersecurity budgets in 2021 and 51% are adding full-time cyber staff in 2021.  

“Testing—when it comes to security, safety, and resilience—makes all the difference in the world,” wrote Ritesh Patel, Security Principal at bp, in the foreword to the 2021 Synack Trust Report. “Measurements such as the Attacker Resistance Score (ARS) keep us honest and informed. The ARS lets us constantly assess our performance and compare how we’re doing across sectors. It’s a strong indicator that bp is performing above industry average, which sends a clear and powerful message within the organization that security—and trust—are essential in everything we do at bp.”

Read on to learn how the most trusted brands in the world measure security and build trust while diving into the different industries and sectors of the economy. 

Synack leads the industry in finding the most critical and dangerous vulnerabilities in customers’ digital assets and apps, giving them the insight necessary to prevent attacks, as shown in our report’s key findings.

The Synack 2021 Trust Report is your guide for measuring the value of security and cyber resilience. 

Cybersecurity Trends & Insights from the Pandemic

By: Synack
7 May 2021 at 14:28

Why executives are drilling down on security ROI and business disruption

The operational chaos of last year is accelerating a number of cybersecurity trends. And as companies pushed their infrastructure to the cloud, Zero Trust security and other security frameworks became top priorities.

In addition, executives are more focused on connecting cybersecurity with business priorities. Over the last year, business continuity rose to become the top concern, while companies also increased their focus on whether the security team is delivering the most bang for the business’s buck. 

Security return-on-investment (ROI) and the security team’s ability to stay within budget has also become more important this year, according to the 2021 Signals in Security Report, a newly released survey of more than 600 security professionals. Read more about these insights in the 2021 Signals in Security Report. Click here to download the full report.

Among the different metrics executives use to hold security teams accountable, only measures of ROI and the ability to stay within budget increased (by 3 percentage points) in 2021. This is no small measure, especially for security teams covering more attack surface with less budget.

Common operational metrics, such as the number and severity of vulnerabilities detected, how efficient teams were in fixing issues, and how long issues were in the IT environment all declined in 2021. The ability to stay within budget tied with the number of vulnerabilities found as the No. 2 accountability metric, still behind the severity of vulnerabilities found.

The focus on metrics that matter to the business matches the overall trend of companies gauging the impact that security has on the business. Case in point: The top cybersecurity concern for executives and workers is no longer data breaches but business downtime. Less than a sixth of respondents listed data breaches as their top worry, a drop of 5 percentage points in the past year, while 17% of respondents listed business downtime as their biggest cybersecurity concern, an increase of 3 points.

Worries of business interruption were likely exacerbated by the economic turbulence caused by the pandemic—and from the shift to the trend among cybercriminals toward favoring ransomware over stealing data. Two separate reports noted that the absolute number of breaches declined in 2020—19% in one report and 48% in another—and the number of people affected by breaches dropped by two-thirds. At the same time, ransomware attacks doubled in 2020, compared to the previous year. 

Business executives also likely felt more vulnerable in 2020, because firms now rely more heavily on cloud infrastructure, rather than on-premise technology, to power their operations, requiring greater visibility and coverage to maintain business operations. Most companies scaled back capital (83%), operations (53%) and workforce (49%) expenses in 2020, while keeping a focus on digital transformation and cybersecurity, with only 16% and 3% of companies considering cutting the budgets for those areas, according to consultancy PricewaterhouseCoopers.

The result is that companies will focus on increasing cloud infrastructure with an eye toward business resiliency and tracking metrics to determine security efficiency.

Executives should adopt a continuous approach to security that matches the cloud-native approach to business applications and infrastructure. Visibility into cloud services and infrastructure should be considered mandatory.

For security teams, orchestrating tests around peak demand, for example, can reduce the risk of overloading applications and infrastructure. In addition, the security team should have an automated process—a “one button” approach—to restore operations in the event of an outage.

Synack Academy Celebrates the First Cohort’s Success!

By: Synack
16 April 2021 at 09:00

Tracy Cariker, Synack Stands Program Manager 

Following a series of challenging weekly coursework modules, interactive presentations, and energetic meet-ups, we are excited to celebrate our participants’ successful completion of our first Synack Academy cohort program! The mission of Synack Academy is to provide emerging individuals from underrepresented minority groups access to future career pathways in technology and cybersecurity through structured, mentor-supported training programs. 

Through an extensive application and interview process, in partnership with Blacks in Cybersecurity, a diverse group of students with a variety of tech interests from Washington D.C., Virginia, and New York were invited to participate in a three-month cohort. The course content and themes presented were geared toward providing foundational technical knowledge necessary for a path into cybersecurity. Prior to the start of the program, each student was paired with a Synack employee mentor from a range of teams including Community, Engineering, Product Design, and IT. The one-to-one mentorship was designed to ensure each student received encouragement and daily support, as they aimed to complete a Google IT Fundamentals course offered via Coursera. 

In January, Synack Academy kicked-off, and with the guidance of their mentors, students boldly embarked on a weekly deep dive into challenging content. Each Google IT Fundamentals module covered a range of essential tech topics and skills-building related to hardware, operating systems, networking, and software. Every Friday, the week culminated in a lively and interactive Mentors-Mentees virtual gathering featuring a discussion in review of specific segments of the course content. Additionally, the Friday review sessions included a Security Corner segment, during which students were introduced to numerous cybersecurity focus topics and job roles presented directly by Synack employees! These featured guest speakers provided Synack Academy students with a glimpse into the day-to-day life of cybersecurity professionals, their career trajectories, and available educational pathways. 

To celebrate their success, our first cohort wrapped up with a virtual Pizza Party for students who had achieved key benchmarks. Our mentors and mentees gathered for an hour-long party which featured yummy pizza generously provided courtesy of Domino’s Pizza, interactive games, and light-hearted cybersecurity banter.

After three months of hard work and perseverance, Synack Academy’s first student cohort emerged with invaluable insights and extended tech knowledge! While many of the students aspire to pursue a career in cybersecurity, it was clear that they will be successful in whatever path they choose to take. 

Are you interested in participating in a future Synack Academy cohort? Please visit our Synack Academy info page!

TAG Cyber’s Top Five Ideas for your 2021 Enterprise Security Program: The Synack Way

By: Synack
16 December 2020 at 12:24

As the new year approaches, Ed Amoroso, CEO of TAG Cyber, a world-class cybersecurity research, advisory, and consulting firm, recently published an article outlining the importance of “transcending conventional security” to stay ahead of the adversary. The article offered 5 superb ideas for enterprise security programs to adopt in 2021, based on TAG Cyber’s work with commercial vendors, enterprise security professionals, and government agencies. As a crowdsourced security platform that leverages the diverse skill sets and deep experience of the Synack Red Team to stay ahead of the adversary by testing like the adversary, Synack takes a more effective, efficient approach to penetration testing than traditional methods.

Below is Synack’s take on each of the five ideas. Organizations can apply these 5 ideas to their security testing strategies to set themselves up for a more secure 2021. 

Idea 1: Localize Your Security Compliance

“Perhaps you might consider focusing on a divide-and-conquer approach to security compliance. Think small and local in your compliance work, versus large and overarching.”

In order to localize the crowd on specific, targeted tasks (e.g. by vulnerability type, asset, business unit etc.), the Synack Red Team (SRT) conducts Missions by completing pre-determined tasks and providing documentation of their work. Synack’s Missions were created for security leaders to utilize the SRT for targeted vulnerability discovery such as demonstrating adherence to regulatory standards or focused research on specific assets.

Synack handles a wide range of target types that can be tested individually or in combination (such as a Mobile App using a REST API). Hybrid target environments (such as the infrastructure and applications in a PCI Cardholder Data Environment) are eligible for testing. As TAG suggested, dividing your compliance initiatives into smaller, more manageable projects is a great way to reach the type of completeness that is required by most auditors and assessors. Synack’s Missions can help with that. 

Idea 2: Crowdsource Your Security Testing 

“The foundation justification is that a diversity of techniques, tactics, backgrounds, expertise levels, and motivations will help uncover unforeseen exploitable vulnerabilities in your infrastructure.”

As TAG pointed out, the diversity of thought provided by a crowd of researchers from varying backgrounds and expertise provides invaluable creativity, allowing you to uncover vulnerabilities from the adversarial perspective. However, without proper crowd standards, quality assurance, or technical controls and management, bug bounty can introduce unwanted risk and operational burden into an organization. Furthermore, managing hundreds, if not thousands, of ethical hackers can be daunting. Synack’s crowdsourced security testing platform provides bounty-driven security testing with the right crowd and platform. This means you get the scale and rigor of bug bounty, but with optimal control and quality.

This includes:

  • A realistic view of your attack surface from the world’s best ethical hackers
  • An ability to rapidly deploy tests
  • Real-time analytics on testing activity, coverage and benchmarking performance
  • Additional scale through a machine-learning enabled scanner
  • Access to actionable, audit-ready reports complete with a compliance checklist

Synack goes beyond bug bounty to address many of the challenges where bug bounty falls short. We recruit and retain only the top-performing crowd and vet them through a 5-step process for both skill and trust. Our customers receive high-quality, actionable results with a 99% signal-to-noise ratio. Essentially, by combining the best elements of human and machine intelligence, you’re better equipped to take your security to the next level in 2021.

Idea 3: Simplify Your Security Dashboard 

“Every company seems to have dozens of dashboards for reporting data to leadership, and the design goal appears to be 100% coverage of every square inch on the PowerPoint screen… we strongly recommend simplifying your enterprise security dashboard in 2021.”

At one of our recent Courageous Women CISO Virtual Events, Jeanne Tisinger, former CIO of the CIA, said, “Speak the truth in a way that people can hear it.” The truth behind this statement cannot be overstated. From interns to executives to customers, the ability to communicate key information in a way they can hear it is essential to success in any context. With that said, dashboards for test management and reporting are critical elements of security testing.

As far as simplifying the security dashboard for test management goes, the Synack Client Portal enables security teams to quickly and easily manage security testing enterprise-wide, monitor security performance, prioritize assets for testing and share detailed findings with your team. Inside the portal, the main dashboard gives a summary of your findings, reported in real time as they are discovered and triaged. Some of the key values on the dashboard include:

  1. How many SRT members have signed up to hack
  2. Number of testing hours completed
  3. Breakdown of SRT activity
  4. Number of active scans 

From the main dashboard of key metrics, you can double-click any of the high-level metrics for details: view detailed vulnerability findings, manage active assessments, get analytics on security performance (Attacker Resistance Score™ rating), learn the outcomes of SRT security checks performed through Missions, and read or download audit-ready reports as needed.

So that reports can be tailored to the right audience, Synack’s platform goes beyond traditional reporting (often manual, point-in-time, and lacking in usable insights) and produces powerful, on-demand, customizable reports that present your testing data in a functional, easy-to-understand way. These reports help your organization make more informed security decisions. You can choose between human-written analysis, audit-quality reports for compliance mandates, custom report templates, high-level summaries with key metrics for leadership (as TAG suggests), or actionable vulnerability data for development teams.

Idea 4: Expose Complexity to Executives 

“The biggest mistake we see on a day-to-day basis in the communications between CISOs and other executives is the over-simplification used to convey security concepts to non-security leaders. In the best case, this involves a bit too much baby-talk.”

Indeed, measuring security involves complex variables and concepts that cannot be disregarded or overlooked when communicating with senior executives or board members. Nevertheless, per Idea #4 and Jeanne Tisinger’s point, that information must still be communicated in a digestible fashion.

Synack’s Attacker Resistance Score rating is a trusted benchmark for measuring and tracking your security. The score is calculated from each customer’s unique crowdsourced penetration test data to provide a measure of how susceptible an asset is to attack. The image below outlines the inputs used to calculate each score.

The Attacker Resistance Score is dynamic and changes over the course of testing to reflect improvements in an asset’s hardness. As you remediate, your score increases, and your organization can show how you’ve made it harder for the adversary to attack. The higher the score, the lower the security risk. Security teams can also use the score to diagnose an application’s readiness for deployment. This metric allows security teams to review meaningful measures of a company’s security risk with the executive team and board members without disregarding key inputs in an effort to simplify. Teams can compare testing performance across assets within their organization and against other organizations.

Idea 5: Expand Your Security Internships 

“It is commonly reported (including from the ad-board on the C-Train to Brooklyn) that a skills shortage exists in cyber security. … We thus recommend that you consider increasing the intensity, scale, coverage, and investment in your internship program in 2021.” 

As part of our ongoing efforts to address the lack of diversity in cyber and the dramatic skills gap the industry faces, we launched the Synack Academy. The cybersecurity community must create new pathways for minorities to excel in the field and generate new passions and interests in future cybersecurity careers for underrepresented minorities. In partnership with Blacks in Cybersecurity (BIC), the program aims to provide individuals from underrepresented minority groups with access to career pathways in technology and/or cybersecurity through structured, support-driven training and mentorship. The Synack Academy’s mission is to create a welcoming and inclusive environment in cybersecurity anchored by ongoing mentorship. We’re committed to fostering the next generation of cybersecurity professionals. Through the Synack Academy and BIC, students will gain the foundational knowledge and confidence to continue their cybersecurity journey and pursue further knowledge that can be applied to many fields within the technology and security sector.

The post TAG Cyber’s Top Five Ideas for your 2021 Enterprise Security Program: The Synack Way appeared first on Synack.