Blog

What do you learn from your security reviews?

Posted on 2020-07-16 by Matt Strahan in Business Security


The results of the security review come in and they’re…let’s just say “less than ideal”. Vulnerabilities that could be used to break in, steal data, and potentially get the organisation in the news. Better fix those right away!

So we assign the tasks in our ITSM system and get to work. We patch what needs patching, reconfigure what needs reconfiguring, disable what shouldn’t be there, and then pat ourselves on the back and call it a day. We’re now secure…right?

This is what a lot of organisations do, but you’ve only got half the story. Those vulnerabilities didn’t come from nowhere; they were the symptom of an underlying problem, and if you don’t fix the problem then the same thing will happen over and over again.

In a previous blog post I spoke about the “5 whys” and pinning down the root causes that pop up as vulnerabilities. One of those root causes that is bound to pop up again and again is training.

Developers are often not trained in secure coding. Administrators are often not trained in secure administration. And yet the security vulnerabilities that those teams could introduce into the environment could have huge consequences for the organisation.

What can you do with a penetration test to help training?


We just need to test this one project…but will I be secure?

Posted on 2020-06-25 by Matt Strahan in Business Security


What is in scope for a penetration test will be tested and what isn’t in scope for a penetration test won’t be tested. Simple enough, right? The problem comes when the hackers don’t follow the same scope that the penetration testers follow.

The choices that are usually made when scoping a penetration test are often made around simple practicalities and the various requirements that pop up for the organisation. Security considerations are important, but can be a secondary factor to it all.

For smaller organisations it’s not uncommon to have a full annual test with the entire internal and external environment in scope. After all, it’s easier to do it in one lot and just get it over with.

For larger organisations a full annual test would be too much since there are too many moving parts. It’s more common to have the scope restricted to a single project, maybe the new web application, new SOE, or the new network environment.

For this project-by-project testing the idea is that you can potentially get comprehensive coverage over the entire environment by testing each project in isolation. Hopefully a group of secure systems ends up being a secure environment. In the end, though, hackers won’t target the systems directly; they’ll start manipulating how the systems integrate and interact with each other.


Zoom’s lesson on responding to security issues

Posted on 2020-06-09 by Matt Strahan in Business Security


When investigating software to use, I’ll inevitably have a look at their security record. What vulnerabilities have they had? Should I be worried?

Sometimes you see something really, really dumb. Like an SQL injection in 2020. Or backdoor credentials… Wait, I mean an “undocumented user account”.

Sometimes the security record makes news, like for Zoom at the moment. They’re suddenly one of the biggest pieces of software on the internet, and that means they’re being picked apart. There are worries about privacy issues and their end-to-end encryption. Zoom has become a household name, and more than a few people have said to me “aren’t you worried about their security issues?”


Third party systems in your pentest

Posted on 2020-05-21 by Matt Strahan in Business Security



The security supply tree

Posted on 2020-05-13 by Matt Strahan in Business Security


How many organisations have access to your customer data?

As software-as-a-service and cloud-based environments become more standard within organisations, this question becomes harder to answer. In the modern interconnected security world, though, it’s a question that needs to be answered for all organisations.


Business partnerships in infosec

Posted on 2020-05-08 by Alexei Doudkine in Industry


Partnering with other businesses is a huge part of the Volkis business model. We spend significant effort finding, talking to, and proving our worth to potential partners. But why do we do it? It goes back to one of our core principles:

Do what you love

This motto is the reason we don’t sell products or do IT managed services for our customers. However, we don’t want to outright dismiss a customer asking us for security products, engineering, managed services, programming, business consultancy or incident response. That wouldn’t be helpful. This is where business partnerships come in. We leverage our partners who DO enjoy those other parts of security and recommend them to our customers.

The inverse is also true. Because we specialise in security services, our partners who lack the capability come to us as their trusted provider. Even in our short lifetime as a company, we’ve proven this to work.

But why is it so important? Why can’t companies just start their own pentesting teams? This is what I want to explore.


How likely is it that you’ll be hacked?

Posted on 2020-04-29 by Matt Strahan in Business Security


There I was again, staring at the report. For each security issue in our penetration testing and compliance work we give a risk assessment rating, which is a pretty simple process based on ISO 31000. You identify the risk, figure out the likelihood and impact, and then use the risk matrix to give it a risk rating. Although a fair few companies now have their own risk matrix, which we are happy to use in our reports for them, our standard risk matrix looks like this:

Volkis Risk Matrix

It should be a simple enough process, yet still I am left staring at the report thinking “how likely is it that this company will get hacked using this vulnerability?”


“We need to strike the balance between security and convenience” … but do we?

Posted on 2020-04-22 by Matt Strahan in Business Security


I often hear a common phrase from people both in the security industry and those who are now faced with dealing with cyber security in their business: “We need to strike a balance between security and convenience!”

It’s a phrase that makes it feel like we’ve got a line with convenience at one end and security at the other. We have a slider on that line, and security as an exercise is really about picking the exact right point for that slider to land on. “This is a critical environment, so let’s take 20% convenience and 80% security.”

Maybe security within organisations is actually a battle between two parties: “Security” against “Convenience”. Maybe one of the solutions could be that organisations have a “Convenience” department like the security departments they currently have. Should we have a “Chief Convenience Officer” that sits alongside the CISO when reporting to the board?

Is that really how it is? A never-ending battle between security and convenience? Is there really such a trade-off between security and convenience?


New guides, welcome packs, and methodologies in the Volkis Handbook

Posted on 2020-04-07 by Volkis in Volkis News


A couple of weeks ago we put up the Volkis Handbook. It is aimed at our customers, friends, employees, infosec colleagues and really anyone interested in the inner workings of Volkis.

More than this, it aims to form the core of Volkis and a key part of our philosophy as an organisation. We would like to be transparent, open, and honest. By showing what we do and the way we work, we hope that everyone will get to know us better and perhaps just learn a thing or two that they could do better as well.


Are you opening a security hole for your remote workers?

Posted on 2020-04-02 by Matt Strahan in Business Security


On Tuesday Shodan showed that the number of RDP servers exposed to the internet has skyrocketed, going up by 30%. Just having RDP exposed to the internet is pretty much automatically considered a vulnerability in our penetration testing, as it’s a complex protocol that has a history of vulnerabilities (most recently BlueKeep), and exploitation can lead to administrator access to the system. Given that most RDP servers have to be connected to an Active Directory domain, administrator access on one of them is often all you need to completely compromise the network and all its data.

Clearly the rise in remote working has caused some windows to be opened in organisations’ environments. While remote working doesn’t have to be a security nightmare, it can still be surprisingly easy to open holes in your security in the name of remote working.

The two main reasons for this are a lack of strategy and technical debt.
