Attacks/Breaches
6/13/2013
03:25 PM
Dark Reading
Products and Releases

New PenTest Portal To Encourage Client In-House Testing

Portal designed to teach companies how to carry out basic penetration testing techniques on their own systems

London, 21 May 2013. CNS Hut3, the new information assurance division of CNS Group, has launched its PenTest Portal in response to intelligence and budget pressures in the IT security sector. Designed to teach companies how to carry out basic penetration testing techniques on their own systems, the PenTest Portal is intended to let customers concentrate their budgets on protecting high-risk data assets.

"Penetration testing is designed to meet the needs of companies securing data against loss, but too often we come across the same basic flaws, which we think companies could solve themselves," said Shannon Simpson, Commercial Director at CNS Group. "Our PenTest Portal will provide clients with the practical and conceptual skills to carry out very basic penetration testing on a regular basis, freeing up budget for a continual, advanced penetration strategy for sensitive data. It will also show the non-technical and those new to security the importance of protecting a network and where they need to close the doors to hackers."

CNS initially developed and tested the PenTest Portal with students in university cyber security departments, as part of its ongoing programme to encourage people into the industry. The PenTest Portal is now a safe, virtual environment deliberately configured to test hacking knowledge and show CNS Hut3 clients how to do basic penetration testing themselves.

CNS Hut3 is looking to educate its customers in IT security and in the advantages of regularly sweeping networks with a basic penetration test. This should mean that CISOs get better value from their budgets and can address growing concerns about hacking, including the potential security issues of offshore access, testing of the wireless network, DDoS attacks and Advanced Persistent Threats.

The top four basic security errors that CNS Hut3 PenTesters still come across are:

- Default credentials - Seen on everything from high-end Cisco devices to door control systems, security cameras, printers, switches, power controllers, database servers, web servers, laptops, video conferencing systems...

- Insecure communication - Plaintext bad, encryption good. For example, on a typical external penetration test CNS Hut3 will find organisations using Telnet to manage a device, or HTTP being used instead of HTTPS to transmit sensitive information.

- Patching - This is still a major problem in Windows environments. If systems are missing old critical patches, then a hacker can simply use an automated tool like the Metasploit Framework, point it at the target and deploy the payload.

- Guessable passwords - Password complexity rules are not solving this, because Password1 satisfies a multi-case, alphanumeric requirement. Complexity requirements are sometimes removed altogether, and some companies are still deploying 'password' as the password on key applications.
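The fourth point is easy to show in code: a complexity rule of the usual shape accepts "Password1", so a deny-list of common and default passwords has to sit alongside it. The checker below is an added illustration, not CNS Hut3's tooling or a snippet from the original release; the rule set, the deny-list contents and the sample passwords are all constructed for the example.

```python
import re

# Constructed deny-list of well-known default/common passwords (not from the article).
# A real deployment would load a much larger list (e.g. a breached-password corpus).
COMMON_PASSWORDS = {
    "password", "password1", "admin", "welcome", "welcome1",
    "letmein", "changeme", "qwerty", "123456",
}


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Typical multi-case + alphanumeric policy: length, lower, upper and digit."""
    return (
        len(pw) >= min_len
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
    )


def normalise(pw: str) -> str:
    """Strip the trailing digits/symbols people bolt on to pass complexity
    ('Password1', 'Password2013!') and lower-case the remainder."""
    return re.sub(r"[\d!@#$%^&*]+$", "", pw).lower()


def is_guessable(pw: str) -> bool:
    """True when the password, or its normalised base word, is on the deny-list."""
    return pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS


def evaluate(pw: str) -> dict:
    """Return both verdicts plus the combined decision a policy should use."""
    complexity = meets_complexity(pw)
    guessable = is_guessable(pw)
    return {
        "complexity": complexity,
        "guessable": guessable,
        "accept": complexity and not guessable,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the article's own examples plus one strong password.
    for candidate in ("Password1", "password", "Password2013!", "Tr0ub4dor&3"):
        print(candidate, evaluate(candidate))
```

The point of `normalise` is that a deny-list on exact strings alone would still let "Password2013!" through; checking the base word catches the common pattern of a dictionary word with a suffix. Pair a check like this with the default-credential and plaintext-protocol findings above and the first three items in the list become configuration audits rather than penetration-test findings.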

Edd Hardy, Security Practice Head at CNS Hut3, explains: "These days it's easy to find hacking tools on the internet, which means you no longer have to be particularly technically competent to attack an organisation. We want customers to sort out the basic penetration testing themselves and put good housekeeping practice in place, so that we can concentrate on the high-level issues." He continued: "This should also have long-term cost-saving benefits. By resolving straightforward issues in-house we can deal with customers' increasingly complex security requirements created by new technologies, new business practices and the changing tactics hackers are using."

"IT budgets are apparently prioritising security, but is it being spent in the right place?" said Shannon Simpson, Commercial Director at CNS Group. "Fulfilling your budget line item by having a penetration test won't necessarily improve your security, but it will spend the budget. Companies can improve their security posture by spending it on scenario- and risk-based testing, and spend less time worrying about it," added Simpson.

Notes to Editors

CNS Group would like to invite security journalists to come and try out the CNS Hut3 PenTest Portal. If you are interested, please contact Kate Warwick or Jan Howells at PR Savvy (details below).

About CNS Group

The CNS Group is the parent company of two focused and specialist companies, dedicated to being experts in their fields:

CNS Hut3 are experts in Information Assurance. Find out more about CNS Hut3.

CNS Mosaic provide specialist Information Security and IT Security Solutions & Services. Find out more about CNS Mosaic.

CNS Group gives its clients access to the most dedicated experts in Information Assurance and IT Security. The Group aims to ensure focus and specialisation within its companies, in order that each group company is second to none and brimming with excellence, experience and enthusiasm.

CNS's customers vary in size, from FTSE 100 and large public sector organisations to SMEs, but are united in the importance of digital information to their business and in their desire for pragmatic, knowledgeable help in securing their systems and data and meeting their connectivity requirements.

By working with us, you can be assured of access to the latest security intelligence; to an understanding of the latest regulatory requirements; and to experts in IT security and Information Assurance.

The Group structure means our clients can benefit from our experience and full range of specialist products and services. They can be sure their business data is protected and secure, leaving them to focus on other business priorities. The Group's clear mission statement is to save our clients' time, worry and expense by remaining at their side, helping them to build, manage and continually improve their IT business systems with confidence.

The original CNS (Convergent Network Solutions Ltd) was set up in 1999 in the City of London. Over the years CNS has built an excellent reputation for information security and networking consultancy and services to customers across a variety of sectors on a global scale. The company is wholly owned by its employees and directors.

The new website address is www.cnsgroup.co.uk
