Dear PenTest Readers,
This summer, we prepared a great treat for all registered users. We decided to gather the best open access articles from the preview versions of our premium mags and compile a really interesting and diverse Penetration Tester’s Starter Kit! With this edition you can enter the realm of pentesting with accessible and clear guidance into its various aspects, such as offensive security, defensive security, social engineering vectors, risk management, cybersecurity in time of a pandemic, OSINT, FinTech, or communication between technical and non-technical professionals. This magazine is free to download.
What will you learn about, specifically?
- Using honeypots in the MITRE ATT&CK framework
- Value of Purple Teaming in larger organizations
- Threat modeling
- Prevention mechanisms against DDoS attack presented with case studies
- Malicious documents dissection (on the example of .PDF files)
- Insider threats and employee-related risks
- Role of OSINT in FinTech security
- Enabling cybersafe framework during pandemic
- Strategic cyber risk assessments
- The important role of technical translation
Sounds interesting, doesn’t it? You can get all of these articles in one, convenient, electronic copy, free of charge, now. If you have friends and colleagues who are interested in pentesting, please do let them know about it! There is no doubt that they will find something for themselves!
This magazine is free to download, just register as a free user and enjoy your reading!
Table of Contents
MITRE and Honeypots
by Mikael Vingaard
This article will give you an introduction to honeypots seen both from an attacker and defender point of view. While honeypots are a well-matured defense concept, only very mature organizations seem to have such creatures implemented – mostly due to the lack of knowledge on the power of the honeypot! Join us for an introduction and see how defenders can benefit from deployment of honeypots and how everything can be mapped up to the MITRE ATT&CK framework.
The article was published in "MITRE ATT&CK in Practice" edition: https://pentestmag.com/product/pentest-mitre-attck-in-practice/
Purple Teams: A True Return On Investment For Network Security
by Tyler Robinson
An ideal Purple Team brings together stakeholders in security and information technology to illustrate the challenges on all sides of protecting a complex environment. While black box, Red Team penetration tests still have value depending on strategic objectives, a Purple Team engagement is likely to be more valuable in larger organizations who have more security engineers because they can generally build robust security programs around vulnerability management, identity management, firewall policy, security assessment, governance, and Level 1-4 security operations (even if out-sourced).
The article was published in "Purple Teaming" edition:
How is Threat Modeling Done?
by Vanshindar Singh
One must always know this is not a one-time activity; as technology evolves, the threat landscape evolves with it. A certain system that is secure today might not be secure tomorrow. One has to keep a watch on all the system parts. It is vital to understand that all systems interact with other systems and not only users. To be precise, there is no formal process; it is more like "use what works".
The article was published in "The Art of Threat Modeling" edition:
DDoS Attack, Case scenarios and Prevention Mechanisms
by Dinesh Sharma
We are not authorized to perform any kind of DoS or DDoS on any system as it is strictly illegal. But we can create our own small lab to perform a simple SYN flooding DoS that can be converted into a DDoS attack with multiple machines. We just need two virtual machines in our lab. One machine will act as a victim machine, the other will act as the attacker's machine. One machine will be Kali Linux, that is our attacker's machine, and the other one can be any machine with any OS. Make sure they are in the same network.
The article was published in "DDoS Attacks and Protection" edition:
Malware Analysis – Dissecting a PDF File
by Filipi Pires
There are a large number of cyber threats today. Many of these cyber threats can be based on malicious code, also known as Malware (Malicious Software or maldoc - Malicious Document). The term Malware is a generic term that covers all types of programs specifically developed to perform malicious actions on a computer, thus the term malware has become the name for any type of program specifically developed to perform harmful actions and malicious activities on a compromised system.
The article was published in "Fuzzing Techniques" edition:
White Hat Approach to Insider Threats
by Mike Muscatell
Several publications reference the employee as the prime concern for any organization when talking about insider threats. While this is true, the focus most of the time is on those who are disgruntled and former employees but what about the ones that do not fit those characterizations? What about the employee that is curious coupled with too much access? These employees are typically well known, dependable and trusted. While this would be considered a "good" employee, the "bad" part of it is also the fact that they are trusted, dependable and in some cases out of sight. Some of these individuals could be referred to as malicious insider hackers. This could be anyone!
The article was published in "ERP Software Pentesting" edition:
Overview of OSINT use for KYC/AML and Crime Investigations
by Oussama Louhaïdia
Regulatory compliance requires financial service institutions, law and accounting firms and similar organisations to conduct due diligence checks and compliance screening on all prospective clients. These regulatory requirements include Know Your Customer (KYC), Anti Money Laundering (AML), Politically Exposed Persons (PEP) and Countering the Financing of Terrorism (CFT).
The article was published in "FinTech Security" edition:
How to Enable a Cyber Safe Framework During COVID-19 Pandemic
by Hariharann R
There are lots of websites and applications with the name of Coronavirus, which are being registered on a daily basis in this pandemic period. But many were found to be not genuine. Malicious vectors have created such applications to make people fall into their trap. Also, some applications are extremely dangerous as they might have a logic bomb or ransomware. Furthermore, this could affect other people in the network if they connect. Also, there are many mobile applications doing the rounds that trick the users and steal their personal data and PII (Personally Identifiable Information).
The article was published in "Healthcare Security" edition:
The Challenge of Assessing Strategic Cyber Risk
by Charles Harry, PhD
Organizational leaders and policy makers are struggling to assess larger consequences from what are essentially attacks conducted at a local level. The emergent consequences and our inability to model interdependence remain an enduring challenge for the field. Advancing our ability to do so, while not solving the cybersecurity problem, will help us better manage potential consequences and more efficiently allocate our scarce resources.
The article was published in "Into the Clouds" edition:
Why Technical Translation Matters in the Cyber Security World
by Ofer Tirosh
In the case of the current situation at the time of this writing, someone may use the current coronavirus global pandemic as a means to speak to someone on a more personal level. Social engineering is, in the case of cyber security, all about getting to know someone by pretending to be interested in the same things that they are, or perhaps in the case of COVID-19 to be concerned about the same things that they are concerned about.
The article was published in "Active Directory Pentesting" edition: