Blog

From SysAdmin to Pentester - Part 1 - The hard way

Posted on 2022-10-05 by Nathan Jarvie in Industry

This is the first part of a 5 part series in which I will walk through the decision making process and the steps involved in transitioning from a system administrator to a penetration tester. The certifications taken and the the issues and obstacles that I faced along the way.

This is my story, and I hope it helps to inspire people who are considering a mid-life career change that it is possible to do so and to take the leap.

Continue reading

Active Directory Hacking Speedrun

Posted on 2022-09-23 by Alexei Doudkine in Tools of the Trade

On Saturday 24th of September, I gave a presentation at CSECcon titled, “Active Directory Hacking Speedrun! 14 attacks in 30 minutes.” This post is here to provide some post-talk resources to those wanting to learn about any of these attacks, how they work and recreate them.

Continue reading

5 methods for Bypassing XSS Detection in WAFs

Posted on 2022-08-09 by Karel Knibbe in Tools of the Trade

Ever since the 1990s, Cross-Site Scripting (XSS) vulnerabilities have plagued the world wide web. It’s been a difficult problem to solve because of the many ways that it can introduce itself in applications. This, and other application level attacks, contributed to the rise of Web Application Firewalls (WAFs). However, like any other solution that does not tackle the problem by its roots, it’s not ideal. Pentesters, red teamers, bug hunters and malicious actors alike have been playing cat and mouse with vendors to find ways around these additional defence mechanisms. In this post, we’ll be discussing a few fundamental techniques that you can use to bypass these firewalls.

Continue reading

We were vulnerable - how a security company could have vulns

Posted on 2022-06-22 by Alexei Doudkine in Volkis News

Well, it finally happened! We received the first submission to our Vulnerability Disclosure Program with actual possible impact. And, although it didn’t actually affect us or our clients in any way, it could have. So we awarded it a P3! But how could this happen? We’re security experts ourselves, so shouldn’t we have picked up on it? Well, as we always tell our clients, “security is hard” and no one is perfect.

In the interest of transparency (one of our core values), let’s dig deeper to see how this tale unfolded so that others may learn.

Continue reading

Attack Surface Management - The importance of knowing what you have

Posted on 2022-05-18 by Volkis in Business Security

Here’s the problem: technology is evolving rapidly, cloud adoption is at an all time high, development is faster than ever, infrastructure has become more dynamic, and security is struggling to keep up! The first step to regaining control: knowing what you have.

Let’s talk about it!

Continue reading

The value that Volkis brings as a company for penetration testing

Posted on 2022-04-13 by Matt Strahan in Volkis News

When building a cyber security company there’s a question we have to keep front of mind at all times. What value do we bring as a company? It’s one thing to just say “yes of course we provide value as a company” but for me I’ve tried to make an actual list. I’ve put up the results of this up in a new handbook page.

This exercise is more than just a bit of a boost for our egos. Rather, it’s a genuine component of the consulting model - of the business model that Volkis fits into. Whenever we have an engagement, there are three parties that come into play. They are the client, the consultancy, and the consultants themselves. The value of the consultants’ time is obvious: they perform the work. They find the security vulnerabilities in the systems that are being tested or find the ways the system might not be up to spec.

Why would the client not just contract someone out directly or employ their own pentester? If we don’t provide actual value then what’s the point? Thinking about this question directly has helped me solidify in my mind what we need to do well as a company and helped build our business model.

Continue reading

How to Get the Most Out of Your Penetration Test 🤷

Posted on 2022-04-05 by Volkis in Business Security

Our experience performing thousands of penetration tests has given us an in-depth understanding of common issues when engaging a consultant to complete a penetration test. We like to see our customers get the most possible value out of their penetration tests. Much of the responsibility lies with the penetration test provider, but cooperation and communication from our customers is also a key factor in the value that is provided.

In this article, we will be outlining some ways in which you, as an organisation receiving a penetration test, can get the most value for the money you are spending.

Continue reading

Basic security for humans in 4 Fridays

Posted on 2022-03-09 by Alexei Doudkine in Tools of the Trade

This post is going to be a little different. Instead of talking about the industry or business security, I’m going to share my guide on how to set up your own basic personal security. It is intended to be followed by non-technical people in 4 Fridays. My goal is to get as many people on this basic programme as I can, so I do ask you to share it with your friends and family. And, if you are a bit more tech-savvy, please help them along the way. 🙂

Continue reading

How to Share Social Media Credentials Securely

Posted on 2022-03-01 by Jessica Williams in Tools of the trade

Social media has become the platform that companies all over the world use to communicate with their customers, clients, critics, and investors. An attacker who gains access to an organisation’s social media accounts is able to send any message that they wish, posing as the organisation. Sending the wrong message on social media can cause a backlash, bad publicity, and in rare cases even be illegal as Elon Musk found out in 2018 when he was sued by the SEC over one of his tweets.

Continue reading

What questions should a board ask about cyber security reports?

Posted on 2022-02-07 by Matt Strahan in Business Security

Cyber security is now one of the top-of-mind topics for boards in Australia. Security assessment reports including technical reports such as from penetration testing are being placed in board papers. Although cyber security skills are becoming more commonly represented in boards, it is still the case that boards are called to interpret and act on the results of cyber security assessments without really understanding the practicalities that can underly it all.

What makes it even more difficult for board members is that the regulation and standards around cyber security reports aren’t as mature as for financial reports. While there’s a lot the cyber security assessment report might say, there’s also information that you might not be able to get until you ask the right questions.

While this is not a comprehensive list of questions you might want to ask, I’ve put together some questions that might uncover some of the gotchyas and catches you might not expect when reading a cyber security assessment report.

Continue reading