Dark Reading

New PenTest Portal To Encourage Client In-House Testing

Portal designed to teach companies how to carry out basic penetration testing techniques on their own systems

London, 21 May 2013, CNS Hut3, the new CNS Group information assurance division, has launched its PenTest Portal in response to intelligence and budget issues in the IT security sector. Designed to teach companies how to carry out basic penetration testing techniques on their own systems, the PenTest Portal will enable customers to concentrate their budgets on protecting high-risk data assets.

"Penetration testing is designed to meet the needs of companies securing data against loss, but too often we come across the same basic flaws, which we think companies could solve themselves," said Shannon Simpson, Commercial Director at CNS Group. "Our PenTest Portal will provide clients with the practical and conceptual skills to carry out very basic penetration testing on a regular basis, freeing up budget for a continual, advanced-penetration strategy for sensitive data. It will also show the non-technical and those new to security the importance of protecting a network and where they need to close the doors to hackers".

CNS initially developed and tested the PenTest Portal with students in the cyber security departments of universities as part of their ongoing programme to encourage people into the industry. The PenTest Portal is now a safe, virtual environment deliberately configured to test hacking knowledge and show CNS Hut3 clients how to do basic penetration testing themselves.

CNS Hut3 is looking to educate its customers in IT security and the advantages of regularly sweeping networks with a basic penetration test. This will mean that CISOs can get better value from their budgets and resolve growing concerns about hacking, including the potential security issues of offshore access, testing against the wireless network, and DDoS attacks or Advanced Persistent Threats.

The top four basic security errors that CNS Hut3 PenTesters still come across are:

- Default credentials - Seen on everything from high-end Cisco devices, to door control systems, security cameras, printers, switches, power controllers, database servers, web servers, laptops, video conferencing systems...

- Insecure Communication - Plaintext Bad, Encryption Good. For example, on a typical external penetration test CNS Hut3 will find organisations using telnet to manage a device or HTTP being used instead of HTTPS to transmit sensitive information.

- Patching - This is still a major problem in Windows environments. If systems are missing old critical patches, then a hacker can simply use an automated tool like the Metasploit Framework, point it at the target and deploy the payload.

- Guessable Passwords - Password complexity is not solving this, because Password1 will fit into a multi-case and alpha-numeric requirement. Password complexity sometimes means that the password requirement gets completely removed and some companies are still deploying 'password' as their password on some key applications.

Edd Hardy, Security Practice Head at CNS Hut3, explains "these days it's easy to find hacking tools on the internet, which means you no longer have to be particularly technically competent to attack an organisation. We want customers to sort out the basic penetration testing themselves and put good housekeeping practice in place, so that we can concentrate on the high-level issues". He continued, "this should also have long term cost-saving benefits. By resolving straight-forward issues in-house we can deal with customers' increasingly complex security requirements created by new technologies, new business practices and the changing tactics hackers are using".

"IT budgets are apparently prioritising security, but is it being spent in the right place?" said Shannon Simpson, Commercial Director at CNS Group. "Fulfilling your budget line item by having a penetration test won't necessarily improve your security, but it will spend the budget. Companies can improve their security posture by spending it on scenario and risk-based testing, and spend less time worrying about it", added Simpson.

Notes to Editors

CNS Group would like to invite security journalists to come and try out the CNS Hut3 PenTest Portal. If you are interested, please contact Kate Warwick or Jan Howells at PR Savvy (details below).

About CNS Group

The CNS Group is the parent company of two focused and specialist companies, dedicated to being experts in their fields:

CNS Hut3 are experts in Information Assurance. Find out more about CNS Hut3.

CNS Mosaic provide specialist Information Security and IT Security Solutions & Services. Find out more about CNS Mosaic.

CNS Group gives its clients access to the most dedicated experts in Information Assurance and IT Security. The Group aims to ensure focus and specialisation within its companies, in order that each group company is second to none and brimming with excellence, experience and enthusiasm.

CNS's customers vary in size, from FTSE 100 and large public sector organisations to SMEs, but are united in the importance of digital information to their business and in their desire for pragmatic, knowledgeable help in securing their systems and data and meeting their connectivity requirements.

By working with us, you can be assured of access to the latest security intelligence; to an understanding of the latest regulatory requirements; and to experts in IT security and Information Assurance.

The Group structure means our clients can benefit from our experience and full range of specialist products and services. They can be sure their business data is protected and secure, leaving them to focus on other business priorities. The Group's clear mission statement is to save our clients time, worry and expense by remaining at their side; helping them to build, manage and continually improve their IT business systems with confidence.

The original CNS (Convergent Network Solutions Ltd) was set up in 1999 in the City of London. Over the years CNS has built an excellent reputation for information security and networking consultancy & services to our customers across a variety of sectors on a global scale. The company is wholly owned by its employees and directors.

The new website address is
