PEN-300 Course Review

Posted on 2021-05-21 by Alexei Doudkine in Industry

It’s done! I just completed my OSEP exam and submitted the report. In true Offensive Security style, the course was challenging but very doable given enough motivation. But was it worth it? Did PEN-300, one of Offensive Security’s new replacement courses for the outdated and retired Cracking the Perimeter course, live up to expectations? If you’re thinking about taking the course, read on as I go into the good parts and bad parts of the course.

What to do to prepare for a penetration test

Posted on 2021-03-31 by Matt Strahan in Business Security

You’re spending a lot of money on getting your systems tested, with expensive consultants spending days, weeks, or even months making sure your systems are secure. You want to get the most for your money, right? You can make the test more effective just by properly preparing.

In general, the more you put into something the more you’ll get out. Penetration testing is no exception. With five steps you can properly prepare for testing, make the test run smoother, and get a better result.

Cease and desist from calling our products insecure

Posted on 2021-03-03 by Matt Strahan in Business Security

Earlier today Xerox reportedly threatened the Airbus Security Lab researcher Raphaël Rigo with legal action to prevent him from presenting at the Infiltrate security conference. Although obviously we haven’t seen the presentation, the summary said that he was going to talk about vulnerabilities in Xerox printers and give tips on how to secure them.

Is this going to prevent vulnerabilities from being exploited in the wild, or are the organisations who have Xerox printers now just less secure because they won’t know the steps they might need to take to protect themselves?

Our competitor has worse security, so we're doing well, aren't we?

Posted on 2021-02-23 by Matt Strahan in Business Security

In business you have a day-to-day competition that feels very “survival of the fittest”. Your competitors come up constantly in meetings. You note their movements and announcements and try and match their moves. Companies don’t exist in a bubble, they exist in a constantly moving industry and competitive landscape.

It’s no wonder then that when we talk about risks for a business after performing penetration testing or testing their compliance against ISO27001 or NIST we’re asked “how does this compare to the industry we’re in?” This is a valid question, don’t get me wrong, but I sometimes wonder, what difference does it make?

The Volkis independence policy

Posted on 2021-02-16 by Matt Strahan in Industry

When setting up Volkis, we wanted to set up a team the way we perceive that it should be set up. With quality, skill, effectiveness, ethics, and transparency. We didn’t only look at the security industry for inspiration, though. Instead of just looking in we looked around at other industries as well. Cyber security is barely a child, only having really been around for a few decades. Other industries have centuries if not millennia on us.

We looked over at finance and found that what their auditors do is in essence similar to what we do, but their processes and standards have a maturity that we don’t have. After all, cyber security isn’t known for being mature in processes, standards, personality…

Let’s take a look at one standard in the finance industry but practically unheard of in cyber security: the independence policy.

Our first anniversary

Posted on 2021-02-09 by Matt Strahan in Volkis News

Today marks the one-year anniversary of our official launch!

We’re thrilled with what we’ve been able to achieve over the past year. It’s extremely humbling to receive so much support from friends, family and colleagues; we couldn’t have done it without you. Thank you! 🍻

Volkis Stage 2

Posted on 2021-01-05 by Alexei Doudkine in Volkis News

Last year was definitely… something. I’m glad it’s over and although we’re not out of the woods yet, I am hopeful that 2021 will bring a much needed peace for us all. That being said, Volkis is now in its 2nd year of operation! Our first year was an amazing ride and such a humbling learning experience; equal parts excitement and terror!

In this post I wanted to look back on some of the achievements from last year that I’m proud of and give a few teasers about what is to come.

Cracking Passwords with Michael McIntyre

Posted on 2020-10-14 by Billy Cody in Tools of the Trade

I was watching the comedian Michael McIntyre’s most recent Netflix special “Showman” when he began a segment on the evolution of the online password. He described an algorithm that would’ve cracked most of my pre-teen online passwords. I decided to dig further and see how effective this algorithm is against some real world data.

Is Michael McIntyre really a master hacker?

Is he watching me right now?

How do I protect myself from him?

No. No. Read on!

Security and availability in healthcare

Posted on 2020-10-08 by Matt Strahan in Business Security

Imagine you’re lying on a hospital bed in an emergency room. The doctors and nurses are rushing around in seemingly organised chaos. You hear beeping and shouting as they investigate and prepare. Imagine the fear you feel, the uncertainty of this life or death situation. Imagine, then, you hear the voice of a doctor: “Damn, I can’t remember my password!”

When considering security in healthcare it sometimes feels like you’re going into an entirely different domain. One of the biggest mistakes in cyber security is to treat every organisation the same way, a one-size-fits-all approach. Healthcare has such a different set of rules and requirements to most businesses that it’s hard to even slightly entertain that illusion.

When asked about security in healthcare, most people’s minds go to the security of their patient data. They think about their privacy, about those sensitive answers they give the doctor. When you think about mental health practices, patient records can be as personal as your diary, and the exposure of those records would be violating. Is that the worst case when it comes to healthcare cyber security though?

Three crazy ideas for reforming the penetration testing industry

Posted on 2020-10-02 by Matt Strahan in Industry

In two posts I looked at how it’s almost impossible to validate penetration testing results and where an Evilfirm penetration testing firm might cut costs and invest.

As much as we like to think we’re unique, there are other industries that have exactly the same issues as we do. In other industries there’s the situation where you can’t really verify the results because you’re after the skills of the other party. Some do it badly (I still don’t quite trust my mechanic), but others have made great strides in solving this problem.

Could we potentially use some of the ideas from other industries to do things better?
