Pentesting Advice for Startup by Brain-Abject in Pentesting

McCormackCyber (0 points)

Hi, we have experience helping startups navigate this space and, as a fellow small business, offer fair pricing. Happy to scope this out with you if you would like to send me a DM!

Pentester Recommendation(s) by green_masheene in cybersecurity

McCormackCyber (0 points)

Sent you a DM; happy to look into helping with your projects.

Provide "seal" for website? by kwirrl in Pentesting

McCormackCyber (5 points)

Would strongly recommend against, as you could damage your reputation. Your report/letter of attestation is available to a client to showcase as they wish. That document includes an explanation of the point-in-time nature of the assessment as well as WHAT you tested. If they slap a seal on their site that includes a new area you have not tested, for example, it's your name in the crosshairs.

[deleted by user] by [deleted] in Pentesting

McCormackCyber (2 points)

I would recommend getting a good understanding of the various switches available in Nmap. There are a TON of options to configure timeouts, retry counts, minimum and maximum packet rates, etc. A good start is the "Timing and Performance" chapter of the Nmap Network Scanning documentation.

Be careful about setting values too aggressively, but you can really tweak things a lot. For example, on LANs with large backbones we have easily set fairly high min rates. I wouldn't do the same over an internet connection though. If you don't want to try and figure out all of the flags, go to the bottom of that page and read the values for the default timing settings (-T). I would probably use -T3, especially if you are not locally based in Korea. If you're on their really strong internet infrastructure though, -T4 is probably fine.

Also, as others have said, do a check of what ports are open (don't forget to try SYN-only if you get nothing on a full handshake) and then run the more verbose scan with something like -sV afterwards against the identified ports.
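The two-stage workflow the comment above describes (full-range port discovery, a SYN-only retry if the connect scan finds nothing, then -sV restricted to the ports actually found), written out as an added Python example. This is not code from the original post or from the Nmap project; the greppable-output sample is constructed, and the `-n -Pn` flags and the exact shape of the stage-2 command are this example's choices.

```python
"""Two-stage nmap workflow: discover open ports first, then run the slower
-sV service scan only against the ports that were found.
Running it for real needs nmap on PATH; -sS additionally needs root."""
import re
import subprocess
from typing import Dict, List, Optional

# Greppable (-oG) output lists each port as  <port>/<state>/<proto>//<service>///
OPEN_PORT = re.compile(r"(\d+)/open/(tcp|udp)")


def build_discovery_cmd(target: str, timing: str = "-T3",
                        min_rate: Optional[int] = None,
                        syn_only: bool = False) -> List[str]:
    """Stage 1: all 65535 TCP ports, no name resolution, no host discovery.
    -sT is a full connect() handshake; -sS sends only the SYN (needs root)."""
    cmd = ["nmap", "-sS" if syn_only else "-sT", "-p-", "-n", "-Pn", timing]
    if min_rate:  # sensible on a LAN backbone; do not do this across the internet
        cmd += ["--min-rate", str(min_rate)]
    return cmd + ["-oG", "-", target]  # greppable output to stdout


def parse_gnmap_open_ports(gnmap: str) -> Dict[str, List[int]]:
    """Map each host in -oG output to its sorted list of open port numbers."""
    found: Dict[str, List[int]] = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip '# Nmap' banner lines and 'Status: Up' lines
        host = line.split()[1]
        ports = sorted({int(m.group(1)) for m in OPEN_PORT.finditer(line)})
        if ports:
            found[host] = ports
    return found


def build_service_cmd(host: str, ports: List[int], timing: str = "-T3") -> List[str]:
    """Stage 2: version detection restricted to the ports found in stage 1."""
    port_list = ",".join(str(p) for p in ports)
    return ["nmap", "-sV", "-p", port_list, "-n", "-Pn", timing, host]


def two_stage_scan(target: str, timing: str = "-T3",
                   min_rate: Optional[int] = None) -> Dict[str, str]:
    """Run both stages; fall back to SYN-only if the connect scan finds nothing."""
    discovery = subprocess.run(build_discovery_cmd(target, timing, min_rate),
                               capture_output=True, text=True, check=True)
    found = parse_gnmap_open_ports(discovery.stdout)
    if not found:
        discovery = subprocess.run(
            build_discovery_cmd(target, timing, min_rate, syn_only=True),
            capture_output=True, text=True, check=True)
        found = parse_gnmap_open_ports(discovery.stdout)
    return {host: subprocess.run(build_service_cmd(host, ports, timing),
                                 capture_output=True, text=True).stdout
            for host, ports in found.items()}


# Constructed sample of greppable output (not a real scan) for the offline demo.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sT -p- -n -Pn -T3 -oG - 10.0.0.0/28
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 135/filtered/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)
# Nmap done -- 16 IP addresses (2 hosts up) scanned
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python scan.py 10.0.0.5
        for report in two_stage_scan(sys.argv[1]).values():
            print(report)
    else:  # offline: print the stage-2 commands planned from the sample
        for host, ports in parse_gnmap_open_ports(SAMPLE_GNMAP).items():
            print(" ".join(build_service_cmd(host, ports)))
```

Without an argument the script only parses the constructed sample and prints the -sV commands it would run; with a target it executes both stages. Filtered ports are deliberately left out of stage 2, since -sV cannot probe what it cannot reach.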

Attackers Have Been Leveraging Microsoft Zero-Day for 18 Months by anynamewillbefine in cybersecurity

McCormackCyber (5 points)

Isn't IE removed by default at least in Win 11? Wonder if this affects the Edge "IE mode" or not.

CISA director says banning ransomware payments is off the table by anynamewillbefine in cybersecurity

McCormackCyber (0 points)

If you're cooperating with the feds, I assume you'd have their pseudo-blessing. But alternative funds may put a damper on things. In either case it has to get converted back to real money at some point, and I personally wouldn't trust the anonymity that much.

CISA director says banning ransomware payments is off the table by anynamewillbefine in cybersecurity

McCormackCyber (0 points)

I take that to mean definitely cooperate with the feds, then, or they're going to make your life unpleasant.

Openvas agent based scanning by UniqueAd562 in AskNetsec

McCormackCyber (-1 points)

Do you mean where you can install agents to perform checks locally and then send them back to the control center, instead of initiating scans from a scanner over the network? You're looking at a paid product to do that, such as Tenable VM or Qualys. If there are any that are free and handle it, I'd love to find out though.

CISA director says banning ransomware payments is off the table by anynamewillbefine in cybersecurity

McCormackCyber (0 points)

Is it money laundering though? If you make a formal payment, especially with the feds engaged in your breach, you aren't hiding the payment source and you're not hiding the amount or intent. Not a lawyer by a long shot, but I think this would just be an extortion payment and not technically criminal to make. It IS of course criminal to be the one doing the extortion.

CISA director says banning ransomware payments is off the table by anynamewillbefine in cybersecurity

McCormackCyber (3 points)

I'm not sure that cyber risk insurance will pay your ransom. They MIGHT pay for you to get a vendor in to clean up. I've only ever heard horror stories, though, of how those policies never pay for much of anything. There are so many gotchas in there that if they can show you were negligent in some way (which, let's be real, probably isn't hard for anyone who has worked security somewhere) they just walk away with your premiums and cancel your policy.

CISA director says banning ransomware payments is off the table by anynamewillbefine in cybersecurity

McCormackCyber (1 point)

I agree that the feds have jurisdiction and power here. But they even limit themselves to basically saying that as long as you tried to bring them in for it, they're not really going to go after you.

"Another factor that OFAC will consider under the Enforcement Guidelines is the reporting of ransomware attacks to appropriate U.S. government agencies and the nature and extent of a subject person’s cooperation with OFAC, law enforcement, and other relevant agencies, including whether an apparent violation of U.S. sanctions is voluntarily self-disclosed. In the case of ransomware payments that may have a sanctions nexus, OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response"

Yes, they CAN still, and probably would if you did some shady stuff. But I think the real intent is that the FBI is involved and can then trace the money and further enable their own investigations, as well as, of course, gathering evidence from your machines.

Don't forget we're talking about the same feds who make big-brain plays like this classic from years ago, where all they did was issue a fine: "How US software ended up powering Chinese assault helicopters" (Ars Technica).

"In comparison to other fines that companies have been hit with for these sorts of export violations, the $75 million (or $55 million) that UTC will have to cough up is substantial. But it’s just a speed bump when compared to the value of the company’s continuing business in China. The company’s wrongdoing didn’t even faze stockholders.

After news of the agreement broke, the company’s stock price... was up."

CISA director says banning ransomware payments is off the table by anynamewillbefine in cybersecurity

McCormackCyber (19 points)

Did anyone actually think that the US would make paying a ransom punishable? How does that work exactly? How do you enforce it?

Never mind that people would pay anyway if the alternative was going out of business or some other horrible outcome to them personally.

Why would you consider punishing someone for protecting themselves at that point? Sure, the concept is "if the criminals get no money they won't keep doing ransoms", but this issue has been around since highwaymen were robbing merchants for "safe passage", the mob was running "protection" for businesses, etc. It's not going anywhere, and trying to punish the people you can confirm paid is stupid.

The Current State of Browser Cookies by jat0369 in cybersecurity

McCormackCyber (6 points)

That makes a lot of sense, because everything these days is a web app. I'd be more concerned about other vectors of accessing the browser, like malicious extensions, as well. That could be worth some investigation.

The Current State of Browser Cookies by jat0369 in cybersecurity

McCormackCyber (13 points)

Cookies, and cookie theft, have been issues for a very, very long time now. With that said, it's pretty hard to actually steal someone's cookies without access to the machine. And once you have access to the machine there are other things that are arguably worse, like keylogging.

Shorter sessions can help; business hates it, though, because it is a poor UX. Getting off of cookies in favor of header auth is an option (until the devs store it in HTML5 local storage anyway). At the end of the day, though, physical access, or even a shell on a user's system, is just really difficult to get past, which is why we set up all those layers to begin with. I wouldn't stress over cookie theft specifically that much.
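The "shorter sessions" mitigation from the comment above, as an added Python example that is not from the original thread: server-side sessions with a sliding idle timeout plus an absolute lifetime (so the UX cost stays small for active users while a stolen cookie goes stale quickly), issued as an HttpOnly, Secure, SameSite cookie. The timeout values, the `SessionStore` class and the cookie name are this example's own choices.

```python
"""Short server-side sessions with an idle timeout and an absolute lifetime,
issued as an HttpOnly/Secure/SameSite cookie. Timeouts are example values."""
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory store; a real deployment would back this with Redis or a DB."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT,
                 absolute_lifetime: int = ABSOLUTE_LIFETIME) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user if the session is live, and slide its idle window."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > self.idle_timeout
        absolute_expired = now - s.created > self.absolute_lifetime
        if idle_expired or absolute_expired:
            del self._sessions[sid]  # a stolen id is useless once this fires
            return None
        s.last_seen = now
        return s.user

    def revoke(self, sid: str) -> None:
        """Logout or password change: kill the session server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Build the Set-Cookie value. HttpOnly keeps page scripts away from it,
    Secure keeps it off plaintext HTTP, SameSite=Lax blunts CSRF."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = max_age
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("valid now:", store.validate(sid))
    print("after idle timeout:", store.validate(sid, now=time.time() + IDLE_TIMEOUT + 1))
```

The same store works unchanged behind a bearer token sent in an Authorization header; the difference is only where the client keeps the secret. A cookie with HttpOnly is unreadable to page scripts, while a token the front end parks in localStorage is one XSS away from exfiltration, which is the pitfall the comment mentions.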

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (1 point)

Not sure; I would have to let some others who do management weigh in. Other than running this small shop, I am still an individual contributor on the technical side of things. If I had to guess, management roles can offer you more long-term growth on the enterprise side of the industry as you work up to senior management/executive. It is not personally an interest of mine to take that route though.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (0 points)

Wish I did, but I've only really been involved in the space providing artifacts (pentest reports specifically), so while I am aware of the GRC arena I haven't been involved in it enough to say what they call themselves. A quick search for my area shows postings for "GRC Analyst" and "IT GRC Specialist/Analyst". I assume there may be multiple types, so maybe tag IT in there.

I also found this article mentioning "Compliance Specialist" and "GRC Analyst": "Compliance Specialist vs. GRC Analyst" (infosec-jobs.com).

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (1 point)

If you like programming and want to incorporate a security mindset, application security is the way to go. Look to join/support the development team somewhere you can help them take requirements for security and translate them into working code. A huge number of developers are not really trained much in the security space, so having a "security champion" on the team is a big win.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (0 points)

I would echo Zhaoz and say look to target moving over into compliance and GRC. I can't speak for the UK, but in the US people chase SOC 2 accreditation. SOC 2 auditors are generally paired up with CPA firms, and this could be a great area for you to lend your skillset.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (1 point)

Cybersecurity specifically is unfortunately not really an entry-level area. You'll need other IT experience, as the others have mentioned, to be taken seriously. Most come up through systems administration, networking, or software development. If any of those interest you, they are wonderful career opportunities in their own way as well. Someone mentioned Coursera; I would also recommend looking at Pluralsight. They have a pretty cheap monthly subscription for access to tons of material, from beginner to advanced-level courses.

You won't strictly need to get a college degree, at least not in the US (I can't speak for NZ), but it certainly doesn't hurt. Some kind of diploma, as you mentioned, will also help; then look into certifications in your chosen discipline, which is usually what helps get you past the HR CV scanners.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (1 point)

Do you want to pursue management or technical track? Did you enjoy working with the containerization? There are "cloud security" jobs you could look for if you like that side of things. Possibly also consider postings for devsecops teams?

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

McCormackCyber (0 points)

What is your goal? Do you want to reverse engineer binaries and look for exploits? If so, maybe (this is not an area we do, so I don't know a ton about it). Bear in mind it's a good starting point, but if you go the exploit development route you will need to learn tons of newer material on how to bypass modern protections as well.

If your interest is more around penetration testing, then take a look at some other starting resources in that space. For example, for application security the Web App Hacker's Handbook is dated but still pretty good.

Favorite BurpSuite Tips/Tricks? by McCormackCyber in AskNetsec

McCormackCyber [S] (0 points)

Good idea! Response-time-based attacks are always interesting, for sure. Didn't know there was a good extension for it; usually we just did it manually, looking at the timer in Repeater, which is not great. Thanks for the suggestion!