We get this question a lot – how does someone become an ethical hacker?  Let’s start by saying that almost everyone has a different story but here’s our advice on some good places to start.

First, cybersecurity in general is a field that rewards actual hands-on experience as much as anything else.  You’ll need to bring along your curiosity and your determination (the path to success is paved with failures you’ll learn from) and relax in the realization that you are going to be constantly learning.

Two major paths exist:

  1.  Formal education and training
  2.  Hands-on challenges.

These two paths play an important role in how you will capitalize on the knowledge and expertise you are going to gain.

Most formalized training paths involve certifications. There is a wide spectrum of cybersecurity certifications. Some are well-established ones that have been around for a long time, and they may command differing levels of respect between technical practitioners and hiring managers. New certification and training programs pop up frequently, and while they may not be as well-known, they frequently offer more contemporary and practical content. Your own path is likely to be a balance between the value of a recognized certification and the benefits of up-to-date, actionable knowledge.

Some certifications can provide a significant advantage during job applications. They act as credentials that can help an applicant stand out to hiring managers and secure interviews, making them a valuable addition to a resume.  In fact, often these certifications are used to filter resumes before a hiring manager even sees them.

It’s a cliché, but like many clichés there’s truth to it – you can pass lots of certification tests and still not be able to do the actual work. There’s no better way to learn how to do the actual work than to do the actual work! One of the best ways to begin building your skills is to participate in Capture the Flag (CTF) competitions and experiences. These CTFs are essentially puzzles requiring you to learn and apply specific techniques in order to achieve the outcome. Most CTFs also include a training guide on how to complete the challenges (once the competition is over, of course) so that you can see how the creators thought the challenges could be solved.

One of the challenges in the cybersecurity industry is the often-heard phrase, “you need experience to get experience”. Companies prefer to hire those with proven experience, creating a challenging situation for newcomers. By earning certifications and participating in practical exercises like CTFs, one can gain a semblance of ‘real world’ experience, making them more attractive to potential employers.

Here is a list of certifications and training:

Non-certificate training/Capture the flags

  • Hackthebox Academy – Hackthebox is a fantastic CTF platform which came out with an academy section that walks new professionals through the modern tools and techniques used in vulnerable labs and networks. If you are already familiar with the tools and techniques of the trade, there are other learning paths, Pro Labs or regular HackTheBox CTFs to test your skills.
  • Tryhackme – Tryhackme is another CTF-like platform that has content divided into much smaller chunks for easier consumption. They have a number of different “learning paths” to tailor the skills and content towards a specific direction.
  • OWASP Juice Shop – An intentionally vulnerable web application that lets you learn and hack a webapp written in Node.js

Certifications

  • CompTIA Net+ – Intro to all things networking
  • Sec+ – Intro to all things security
  • CEH – Intro to the field of ethical hacking with a tighter, more theoretical focus on attacking systems
  • eJPT – One of the first “hands on” certs recommended for a new person. It starts to focus on the pentest side and how engagements are run
  • PTP – The more “advanced” version of the eJPT, this coursework broadens the knowledge from the eJPT in a hands-on environment
  • OSCP/PWK/PEN-200 – It goes by a handful of names now, but the OSCP certification is usually the hiring baseline for pentester/offsec engineer roles

These are just a fraction of the training and certifications available in the cybersecurity space but are the ones usually in reach for people just getting started.

About OnDefend:

OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world threats. From ensuring compliance with industry standards to building out mature security programs our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. For more information about their services and solutions, please visit OnDefend.com.

A new report reveals less than a quarter of CISOs are participating in business strategy and decision-making processes.

Let’s acknowledge the elephant in the room: cybersecurity is still not a main priority for most organizations. It’s not that companies don’t care, many times investing in cybersecurity can seem out of reach, overwhelming, or an “IT problem”, but in today’s current landscape these excuses are no longer an option.

A recent survey of 150 CISOs by BSS revealed that less than a quarter (22%) of CISOs are actively participating in business strategy and the decision-making processes. Even more staggering, only 1 in 10 (9%) of CISOs said information security is always in the top three priorities on the boardroom’s meeting agenda.

Cybercrime is a TRILLION-dollar issue, $8 trillion to be exact, and that number is expected to grow to $10.5 trillion by 2025 according to Cybersecurity Ventures. To give you some perspective of how much money that is, combine the worth of Apple, Microsoft, and Amazon… and then double it.

We understand cybersecurity can seem like a huge undertaking without any tangible results. It’s a lot like investing in car insurance. You don’t need it until you’re in an accident. That’s how many companies approach cybersecurity: they don’t invest until there’s been a breach, but by then the damage is done.

Now, it’s not all doom and gloom. The survey did reveal that investment in cybersecurity is slightly moving in the right direction. 61% of the CISOs surveyed noted they received a significant increase in funding, averaging between 10-30% more. However, over half of respondents said “they were expected to spend their budget on cyber security issues hitting the news headlines, rather than where it’s really needed.”

The survey also highlighted that 78% of the CISO group said high-profile security incidents were the reason behind receiving more budget.

I’m not a big fan of scare tactics. I believe it’s important to understand the problem (which can have hints of scary) and then offer solutions.

That’s one of the reasons we saw a use case for BlindSPOT, OnDefend’s proprietary breach & attack simulation tool. It changes the mindset of a company that is historically reactive to cybersecurity incidents and makes them proactive. BlindSPOT consistently tests and tunes an organization’s security controls throughout the year. That way, if an attacker were to strike, you would know your company is ready. It’s a lot like prepping for a hurricane. You can’t stop Mother Nature from striking, but you can be prepared with flashlights, water, and rain boots for when it happens.

So, where am I going with all of this? The need to give cybersecurity a seat at the table. Once leadership changes their mind from not if we’re attacked but when, then we can all start doing the real job of protecting against the bad guys. In the end, we’re all after the same goal, right?

Security leaders deserve to be equipped with answers when their C-suite or Board of Directors ask questions.

How is that traditionally done? Investing in best-in-class security tools, hiring seasoned team members, and implementing policies to harden their environment from threats. All necessary, but you need reassurance it will all work when that inevitable attack comes.

Cybersecurity executive/former CISO Todd Salmon and OnDefend CEO/co-founder Chris Freedman identify and solve three defense readiness questions every security leader should be able to answer, in a way that even the most non-technical stakeholders can understand, visualize, and value:

  1. Are we prepared for threats targeting our industry?
    • We’ll reveal why organizations are unknowingly not preparing for these specific threats and how to prove your organization’s readiness within 24 hours of leadership asking.
  2. Are the security controls we invest in working and worth it?
    • Learn why security tools have consistent blind spots and how to prove their effectiveness all year long.
  3. Can we effectively respond to a real-world cyber breach?
    • Bring your tabletop exercises to the 21st century by safely simulating real-world cyber attacks to prove your organization is resilient.

Speakers Information:

Todd Salmon, Former CISO/Cybersecurity Executive 

Todd Salmon is a tenured cybersecurity executive with a multitude of experience leading professional services organizations focused on information security and technology, spanning all the vertical markets. Todd’s prior experience includes having served as the Chief Information Security Officer for one of the largest global technology distributors in the world. In this role he had worldwide responsibility for the organization’s entire information security program to include Security Engineering & Operations, Policy & Procedure, Compliance and Physical Security.

Chris Freedman, OnDefend Co-Founder/CEO

Chris is a highly accomplished business leader with a diverse background in diplomacy, business, and philanthropy. Chris began his career serving as a diplomat with the Atlantic Treaty Association and founding a regional real-estate development firm. He continued his career by founding and managing various corporations in the U.S. including, MyBenefitsLab, a national online provider of diagnostic testing with the nation’s largest laboratories and national physician’s network. In 2016, Chris Co-Founded OnDefend, an international cyber security firm, where he currently serves as the CEO. Civically, Chris has also served several charitable organizations, including Best Buddies Jacksonville and the American Red Cross of Northeast Florida. Chris graduated with the highest honors from the University of Florida.

Threat-hunting is a proactive method of identifying and mitigating potential cyber threats that may have circumvented traditional security measures. Its objective is to discover and resolve security issues before they pose any problems to an organization.

Why is Threat-Hunting Important?

Threat-hunting is an essential tool for identifying and mitigating potential security threats before they cause damage. It also helps improve an organization’s overall security posture.

Characteristics of an Effective Threat-Hunter

A good threat-hunter should possess the following characteristics:

  • Familiarity with the organization’s infrastructure and security processes
  • Strong analytical skills
  • Attention to detail
  • Persistence and patience
  • Creativity
  • Knowledge of threat intelligence and the threat landscape

Threat-Hunting Process:

Preparation

  • Define what we are looking for
  • Identify what we need to protect
  • Identify potential threats
  • Develop a hypothesis

Detection

  • Use different tools to detect threats
  • Analyze logs and other data sources
  • Look for anything suspicious

Analysis

  • Review the data to determine what kind of threat is being dealt with
  • Identify the source of the threat
  • Determine the extent of the damage

Response

  • Deal with the threat effectively
  • Implement measures to prevent similar threats in the future
  • Share findings with appropriate parties
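The four phases above, carried through on a handful of constructed SSH authentication log lines, as an added example (not OnDefend's tooling or BlindSPOT output). The preparation phase is the hypothesis written at the top of the script: a source that fails logins against several distinct accounts and then succeeds against one of them looks like a password spray that landed. Parsing the lines is the detection step, testing the hypothesis per source is the analysis step, and turning findings into concrete actions is the response step. The log format, IP addresses and user names are all constructed for the example.

```python
"""Hypothesis-driven threat hunt over constructed auth log lines.

Hypothesis (preparation): a single source failing against >= 3 distinct
accounts and then succeeding against one of them is a likely password spray
that landed, and that account should be treated as compromised.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the syslog-like layout is an assumption.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z auth sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:00:03Z auth sshd: Failed password for bob from 203.0.113.9
2024-03-01T09:00:05Z auth sshd: Failed password for carol from 203.0.113.9
2024-03-01T09:00:07Z auth sshd: Failed password for dave from 203.0.113.9
2024-03-01T09:00:09Z auth sshd: Accepted password for dave from 203.0.113.9
2024-03-01T09:05:00Z auth sshd: Failed password for alice from 198.51.100.4
2024-03-01T09:05:30Z auth sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Detection: turn raw lines into structured events, skipping anything
    that does not match the expected shape."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def hunt_password_spray(events, min_distinct_users=3):
    """Analysis: test the hypothesis per source address, in time order.
    Returns one finding per successful login that followed a spray."""
    failed_users = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "Failed":
            failed_users[ev["src"]].add(ev["user"])
        elif len(failed_users[ev["src"]]) >= min_distinct_users:
            findings.append({
                "src": ev["src"],
                "targeted": sorted(failed_users[ev["src"]]),
                "compromised": ev["user"],
                "at": ev["ts"].isoformat(),
            })
    return findings


def response_actions(findings):
    """Response: translate each finding into actions the team can take
    and share with the account owners."""
    actions = []
    for f in findings:
        actions.append(f"block or rate-limit {f['src']} at the perimeter")
        actions.append(f"reset credentials and review sessions for {f['compromised']}")
        actions.append(f"notify owners of accounts {', '.join(f['targeted'])}")
    return actions


if __name__ == "__main__":
    found = hunt_password_spray(parse(SAMPLE_LOGS))
    for f in found:
        print(f)
    for a in response_actions(found):
        print("->", a)
```

The second source in the sample (one failure, then a success for the same user) stays below the threshold and produces no finding; that is the ordinary "mistyped password" case the hypothesis is meant to ignore. In a real hunt the threshold and time window would be tuned to the environment, and the findings would be written back as a detection rule so the SIEM catches the next occurrence without a manual hunt.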

Tools & Techniques for Threat-Hunting:

  • Endpoint detection and response (EDR) tools
  • Security information and event management (SIEM) systems
  • Network traffic analysis tools
  • Threat intelligence feeds

Challenges in Threat-Hunting:

  • Lack of personnel with the right skills
  • Complex and diverse IT environments
  • Difficulty in observing everything that is going on
  • Large amounts of data to sift through
  • Lack of actionable intelligence

Benefits of Threat-Hunting:

  • Faster detection and response to threats
  • Improved security posture
  • Reduced likelihood of data breaches
  • Greater awareness of the threat landscape
  • Enhanced team incident response capabilities

How BlindSPOT Can Help

BlindSPOT is OnDefend’s proprietary breach and adversarial simulation tool that can help teams improve their cybersecurity defenses. One of its greatest strengths is its ability to facilitate threat hunting, simulate malware, test EDR/AV, tune SIEM, and other security tools.

By using BlindSPOT, teams can gain a better understanding of their organization’s security posture, identify potential vulnerabilities, and develop effective countermeasures. BlindSPOT provides a safe and controlled environment for simulating real-world cyber threats, allowing teams to practice and refine their incident response capabilities.

Compound Capabilities

In addition to its simulation capabilities, BlindSPOT also provides detailed reports and analytics that can aid in identifying security weaknesses and measuring the effectiveness of security controls. This can help organizations prioritize their security efforts and allocate resources more effectively. BlindSPOT can also help organizations comply with industry regulations and standards. By simulating real-world cyber threats, organizations can identify potential weaknesses in their security infrastructure and address them proactively. This can help organizations meet compliance requirements and avoid costly fines or legal actions.

Other Benefits of BlindSPOT

Another benefit of using BlindSPOT is its ability to provide a collaborative learning environment. Teams can work together to identify and respond to simulated cyber threats, sharing knowledge and best practices along the way. This can help foster a culture of security within the organization and improve overall cybersecurity awareness.

With BlindSPOT, teams can also gain insights into the latest cyber threats and attack techniques. BlindSPOT’s threat library is constantly updated with the latest threat intelligence, ensuring that teams are prepared to defend against the most current and sophisticated attacks.

Why BlindSPOT

BlindSPOT is a tool that organizations can use to identify and address security detection weaknesses. It offers a range of features, including simulation, reporting, compliance, collaboration, and threat intelligence. With BlindSPOT, organizations can confidently defend against cyber threats and protect critical assets. Overall, BlindSPOT is an invaluable tool for improving cybersecurity defenses. Teams can use its powerful simulation and detailed reporting capabilities to develop effective cybersecurity strategies and safeguard their organizations.

With hackers constantly on the lookout for vulnerable targets, it’s important for organizations to stay one step ahead. After two decades of working in cybersecurity, we can all agree that pentesting continues to be one of the most powerful tools in any company’s arsenal. It’s tried and true for a reason. Network Penetration Testing, commonly known as “PenTesting”, is a bit like a fire drill for cyber-attacks, allowing organizations to identify and fix weaknesses before real hackers find them. But what exactly is Network Penetration Testing? Who needs it, what rules mandate its use, and why is it so important? Let’s dive in to answer these questions.

What is Network Penetration Testing?

Network Penetration Testing is a process by which trained and certified ethical hackers mimic malicious attacks on a network to identify vulnerabilities before actual hackers can exploit them. This testing process involves attacking the network’s infrastructure – servers, network devices, and system endpoints – to identify weaknesses in its defenses.

The purpose is not to cause harm, but to understand the potential weaknesses in the system. It’s about uncovering areas of improvement and ensuring that the appropriate measures are taken to secure the system.

Example of a Comprehensive Pen Test

A comprehensive penetration test, like those conducted by OnDefend, involves a systematic and thorough evaluation of your organization’s network security. Here’s a typical sequence of steps in such a test:

  1. Planning and Scoping: The first step is to define the scope and goals of the test, including the systems to be addressed and the testing methods to be used. This stage also involves gathering intelligence to understand how the targeted systems work and what potential weaknesses might exist.
  2. Reconnaissance: This phase involves deep-dive information gathering about the target. This might include identifying IP addresses, domain details, network topology and, in some cases, gathering information from public sources (also known as OSINT or Open-Source Intelligence) about the company or its employees.
  3. Vulnerability Assessment: Using manual or automated tools, the testing team identifies potential points of exploit on the target systems. This might include using software to scan for known vulnerabilities, such as open ports or insecure software configurations.
  4. Exploitation: In this stage, the pen tester attempts to exploit the vulnerabilities identified in the previous step. This could mean trying to gain unauthorized access to systems, extracting sensitive data, or performing other activities that real-world attackers might attempt.
  5. Post-Exploitation: Once access is gained, the focus shifts to what can be done with the exploited system. This might involve identifying and documenting sensitive data, accessing user accounts, or trying to escalate privileges to gain more control over the system or network.
  6. Reporting: The final step involves compiling a detailed report documenting the vulnerabilities found, the exploitation steps taken, and the sensitive data that could potentially have been exposed. This report also includes recommendations for mitigating the identified vulnerabilities.

Through this comprehensive process, OnDefend can provide your organization with a clear picture of your current security posture, potential vulnerabilities, and the most effective ways to address them. By revealing weak spots, a comprehensive penetration test helps organizations prioritize their security measures and ensure the most robust defense against real-world cyber threats.

Who Needs Network Penetration Testing?

The short answer is – everyone. All businesses, irrespective of their size or industry, should consider regular PenTesting to safeguard their sensitive data. This includes small businesses, corporations, government entities, and non-profit organizations.

For small and medium-sized businesses, PenTesting helps protect customer data and other sensitive information. For large corporations and government entities, it helps safeguard not only the customer and proprietary data but also their reputation and stakeholder trust.

Why is Network Penetration Testing Important?

In an era where cyber-attacks are not only more frequent but also more sophisticated, Network Penetration Testing is more important than ever. Here are some reasons why:

  1. Identifying Weaknesses: PenTesting helps identify vulnerabilities in your network that can be exploited by hackers. By finding these weaknesses ahead of time, you can address them and fortify your network.
  2. Regulatory Compliance: Many industries have regulations that require companies to conduct regular penetration tests to ensure that their digital assets are secure. Failure to meet these requirements can result in hefty fines.
  3. Preventing Financial Loss: Cyber-attacks can result in financial loss due to downtime, data breaches, or loss of customer trust. By identifying vulnerabilities before they can be exploited, you can prevent these losses.
  4. Protecting Customer Trust: Customers trust you with their sensitive data. A breach could lead to a loss of trust that can have long-term impacts on your business.

What Compliance Requires Network Penetration Testing?

Several industry standards and regulations necessitate regular network penetration testing. These include, but are not limited to:

  1. Payment Card Industry Data Security Standard (PCI DSS): For any organization handling cardholder information, regular penetration tests are required to remain compliant.
  2. Health Insurance Portability and Accountability Act (HIPAA): For healthcare providers, penetration testing is recommended to protect patient information and avoid breaches.
  3. General Data Protection Regulation (GDPR): This European regulation requires companies handling EU citizen data to conduct PenTests to ensure data security.
  4. Federal Information Security Management Act (FISMA): U.S. federal agencies, contractors, and businesses dealing with federal agencies must adhere to this act, which includes penetration testing.
  5. ISO 27001: This international standard outlining best practices for an information security management system (ISMS) recommends regular penetration testing.
  6. System and Organization Controls (SOC) 2: Developed by the American Institute of CPAs (AICPA), SOC 2 is a voluntary compliance standard that applies to service organizations. It focuses on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. Though SOC 2 doesn’t explicitly demand penetration testing, conducting such tests aligns perfectly with its emphasis on security. Regular penetration testing is considered a best practice to validate the effectiveness of security controls and ensure ongoing compliance with SOC 2 requirements.

Adopting Security Frameworks: NIST CSF, ISO 27001, and CIS20

Whether a business must comply with a specific regulatory standard or not, adopting a comprehensive cybersecurity framework is essential for maintaining a robust security posture. These frameworks, such as the NIST Cybersecurity Framework (NIST CSF), ISO 27001, and CIS20, provide structured and systematic approaches to managing cybersecurity risks. Let’s delve into these popular security frameworks:

  1. NIST Cybersecurity Framework (NIST CSF): Developed by the National Institute of Standards and Technology, the NIST CSF is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices. However, the flexible and scalable nature of the NIST CSF allows its use by a wide range of businesses and organizations.
  2. ISO 27001: The ISO 27001 standard is an international standard for how to manage information security within an organization. It provides a set of standard procedures for an Information Security Management System (ISMS), detailing how to handle information in a way that ensures its accessibility, confidentiality, and integrity. Regular penetration testing, as recommended by this standard, can help organizations continuously monitor and improve their ISMS.
  3. CIS Critical Security Controls (CIS20): The Center for Internet Security’s Critical Security Controls (often referred to as CIS20) is a concise, prioritized set of 20 controls that can drastically reduce the risk of cyber threats. These controls are a combination of policies, procedures, hardware, and software that provide a defensive architecture and cover various aspects from data recovery capabilities to penetration tests and red team exercises.

For organizations that don’t have any regulatory compliance requirements, adopting one or more of these security frameworks can provide a comprehensive and proactive approach to cybersecurity. They offer methodologies to identify potential threats, protect against cyber-attacks, detect anomalies, respond to incidents, and recover from them. Furthermore, following these frameworks and implementing regular network penetration testing can greatly enhance an organization’s security stance and resilience against cyber threats.

How OnDefend Can Help with Your Cybersecurity Needs

In an ever-evolving digital landscape, securing your business from cyber threats can seem like an uphill battle. That’s where OnDefend comes into the picture. As a cybersecurity company dedicated to helping organizations fortify their digital infrastructure, we have in-house seasoned red teamers who can help protect your business and maintain the integrity of your digital assets.

Penetration Testing and Breach and Attack Simulation (BAS) Services

OnDefend excels in providing both Penetration Testing and Breach and Attack Simulation (BAS) services. Our certified ethical hackers execute targeted cyberattack simulations to identify your network’s vulnerabilities. Complementing this, our BAS services offer continuous, automated testing that emulates real-world threats, providing real-time insights into your security readiness. These dual services allow OnDefend to offer a comprehensive analysis of your organization’s security status, empowering you to maintain robust defenses against cyber threats.

Comprehensive Security Assessment

Beyond penetration testing, we conduct thorough security assessments to identify potential risks in your cybersecurity framework. By assessing your existing security measures against globally recognized frameworks like NIST CSF, ISO 27001, and CIS20, we provide insights into your security stance and provide recommendations to enhance it.

Cybersecurity Consulting

Our cybersecurity consulting services help you build or improve your cybersecurity program. Whether it’s ensuring compliance with various industry regulations like PCI DSS, HIPAA, GDPR, FISMA, and SOC 2 or designing a security plan from the ground up, OnDefend’s team of security experts is equipped to guide you every step of the way.

Training and Awareness Programs

Recognizing that human error often plays a part in successful cyberattacks, OnDefend offers training and awareness programs. We help educate your team about the latest cyber threats, safe digital practices, and incident response procedures. This empowers your team to become an active part of your cybersecurity defense.

With OnDefend, you’re not just investing in a cybersecurity service; you’re partnering with a team dedicated to protecting your business from cyber threats. Our objective is to help you achieve the peace of mind that comes with knowing your organization’s digital assets are well defended.

Solutions Tailored to You

At OnDefend, we understand that each organization has unique security needs. That’s why we offer tailored solutions to match your specific requirements and industry best practices. Our team works closely with your organization to understand its structure, needs, and potential threats, designing a cybersecurity strategy that is as unique as your business.

Ready to learn more? Contact@ondefend.com

Originally written for RANE Network

Editors’ Note: As many companies increasingly turn to cloud providers to store proprietary and consumer data, these services are becoming attractive targets for threat actors. RANE spoke with expert Ben Finke at OnDefend to evaluate the most prevalent risks faced in the cloud environment and better understand how organizations can best protect their stored data and enhance security in the cloud.

What is a “cloud” environment and why are organizations transitioning there?

A cloud environment refers to a web-based application or software that is used for particular tasks, such as website management or data storage. Broadly, there are two different types of clouds. Finke explains that “Public cloud is what most people think of when they think of cloud.” Public cloud providers create computing services, such as storage, applications, or “develop-and-deploy” environments, made available on-demand over the public internet. There are many different public providers, such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud, each with its own unique products and offerings. In contrast, a private cloud can be offered over the internet, but it can also be used in a private internal network that is only available to select users rather than the general public. While a private cloud is usually fixed, a public cloud can be scaled to an organization’s preferences and adjusted to fit its needs.

Whether public or private, the primary types of cloud service models are infrastructure-as-a-service, platform-as-a-service and software-as-a-service. Organizations have the option to run an operating system as a whole and manage it as infrastructure-as-a-service in the cloud, only paying for the resources they use, which provides cost benefits through efficient IT resource management. Platform-as-a-service provides a complete platform – including hardware, software and infrastructure – which organizations can use to build and design their own cloud environment by developing, running and managing applications over the internet without the cost and complexity generated by on-premises platforms. However, Finke argues that software-as-a-service, a model that allows users to access software applications over the internet, is the most beneficial option as it requires the least organizational management. It is especially useful because it automatically integrates patches or other security updates for an operating system rather than putting the burden on the organization to manage.

Organizations are increasingly adopting cloud environments for cost savings and flexibility, especially as many companies have moved to remote work following the COVID-19 pandemic. Finke says that one of the main benefits of using the cloud is to save money. Many cloud providers, such as those that offer platform-as-a-service, enable organizations to get rid of most of their on-premises hardware and software, which can be costly and inconvenient to maintain. Additionally, cloud computing offers centralized data security. This means that organizations no longer need to expend resources to maintain on- or off-site data backups because cloud providers centralize data backups in their own data centers. This also minimizes the risks of data being lost due to physical damage, such as flooding or natural disasters. Instead, cloud providers can restore data from copies stored in their cloud storage.

What are the most prevalent risks in the cloud migration process?

As companies increasingly opt for cloud computing environments and shift away from traditional IT infrastructure, it requires a new approach to security. Finke describes this as a “total paradigm shift.” He says that there is a major risk in the fact that old security tools, such as network firewalls, which teams used when everything was held in on-premises data centers, have become irrelevant in many ways. “When we think about it from the old school security side, most of the tools that security teams used 10 years ago just don’t even work on the cloud anymore… and so a lot of the security folks kind of found themselves kind of out of their depth a little bit,” Finke says. Part of this is due to the fact that cloud configuration is largely dependent on coding, which is not a skillset that all IT security professionals have, especially older professionals who previously focused on developing skills for building complex firewalls and endpoint detection and response.

Many IT security experts are operating under a new way of thinking and cloud environments are often misconfigured, meaning they can accidentally leave access open to unauthorized third parties. Finke notes that the “cloud is all about configuration” and it is common for these environments to be misconfigured, even by experts. This is partly due to the abundance of offerings that many cloud providers have, as it is unlikely for an in-house IT professional to know how to properly set up hundreds of different offerings. The wide range of offerings can also lead to confusion about which service an organization uses and how they do or do not interact with each other. Finke says that “the problem is that they’re constantly adding new services into these things,” and they are all different in terms of default settings and configuration requirements. Some services allow organizations to segment how they pay for various services. However, Finke notes that a risk with this is not only that cloud environments are misconfigured but also that IT security professionals may look into which subscriptions an organization runs and be unable to identify which applications they belong to or which department is operating them. This means that if an employee went into the service and turned it off, there is no certainty whether doing so would go unnoticed or if it would cause a considerable disruption to business operations. It also makes it more difficult for IT security teams to inform the correct departments within an organization and respond to an incident if they find an issue within a particular application.

Additionally, default configurations can pose problems for organizations because using the cloud eliminates natural security boundaries that organizations may have previously relied upon, and many are unaware that they have to build these defenses back up since default cloud configurations do not come with the same kind of security measures. Finke states that the cloud is, by definition, accessible by the internet, which means that often the default configuration allows public access to anyone. Organizations need to take specific measures to prevent unauthorized parties from being able to enter the system. This is another consequence of a shift from traditional data centers and on-premises IT infrastructure; prior to the cloud, an organization’s network had a certain level of inherent protection, and access was only granted to those whom organizations explicitly granted permission. Without this kind of built-in security, there are inherent risks that organizations’ systems or information held on cloud servers are left exposed if not properly configured to prevent unwanted access. Finke says that “in the older style of networking where we had everything on-site in a data center, we used network ranges as boundaries, and in the cloud, that kind of doesn’t exist anymore. Everything can talk to everything if you let it…it was really helpful that you just didn’t make networks available to each other, and that instantly protected you, whereas the cloud is set up to automatically talk to each other.” Finke also notes that IT security teams now have to shift their thinking to be “more fine-grained with how they give permissions and roles,” because “in the cloud a lot of times, we do not think of networks as security boundaries; it is more like identity.” This means that organizations need new security frameworks that emphasize identity credentials and authentication more than the built-in security that comes with on-premises infrastructure.

Even once the cloud is properly configured and secured, default settings can still pose risks for organizations if they do not change default credentials. Finke warns that breaches frequently occur due to poor access control, saying that organizations will often use the default credentials and create a database that is automatically accessible over the internet and can be found through a brief online search of open database boards. “That is how a lot of cloud breaches happen. It wasn’t that they broke into something; the data just happened to be there,” Finke says.

Along with unintentionally leaving systems publicly accessible, there are problems with understanding which people in an organization do and do not have access to certain services, even if cloud environments are properly configured. This can lead to overlap or miscommunication surrounding security protocols, ultimately reducing their effectiveness. Finke says he frequently sees companies with on-premises IT security staff following one reporting line but cloud security teams reporting into a different group. The problem here stems from the fact that once an organization begins its cloud transition, it “then has to build a whole new [IT security team] for the cloud, and they never really connect the two.” Though he says this challenge has lessened, it nonetheless presents risks when combined with existing confusion around cloud security protocols and access.

Because of the ambiguity surrounding cloud services and the heightened risks of default settings, organizations will sometimes overcorrect in their security practices, causing delays that might incentivize employees to try to bypass lengthy security procedures. Finke says that in contrast with leaving cloud environments publicly accessible, he also sees “overreaction [in] the other direction where everyone is going to be very deliberate and thoughtful.” He says this can slow people down because “nothing can go [into the cloud] without something like three approvals.” This also contributes to confusion around proper configuration and access controls, as Finke highlights that “another thing we’ll see is that IT security teams will go in and they’ll build all these hard rules about things that have to comply with security standards in order to be created, but then the tools themselves don’t give you good feedback.” In other words, if something is not functioning properly in the cloud, there will often be an error message but no clear instructions as to the root of the issue or how to fix it. Because of this, employees may bypass security protocols to immediately begin working on a project using cloud services. This speaks to one of the benefits of cloud computing software, which is the ease that it offers. However, there is a tradeoff between user-friendliness and security that many providers have yet to sufficiently address.

On this topic, Finke says, “what we also observe is that the cloud made it super easy to just put down a credit card and start doing stuff.” He says this has manifested in a phenomenon where “most companies, whether they know it or not, have departments in the organization that got tired of waiting for corporate IT and just went and signed up for something and the next thing you know business data is running outside of the company’s scope.” He says that in this case, “you know for sure the cloud environments are misconfigured because there are not even IT people involved.” In this case, a department may be attempting to move forward but faces obstacles when IT does not approve the request or the request may be outside the organization’s budget. When this happens, company data is potentially put at risk, oftentimes without leadership or IT security’s knowledge.

Finke often encounters another common vulnerability when individuals connect cloud services to other applications, often granting extended permissions without realizing it. He goes on to say that “it used to be that if you were an attacker and you wanted to gain persistent access to somebody’s email, you would convince them to give up credentials or run your payload.” However, these tactics have evolved as organizations increasingly move most of their information onto the cloud and individuals connect cloud services to apps to which they subsequently grant permissions. Finke says, “we see a lot of malicious apps where you only click once to grant it permissions, and it can gain send, receive and read access to your mailbox. And then an attacker never needs to touch your computer again because they can access it all in the cloud.”

How can organizations mitigate these risks?

In order to best protect against these risks, Finke shares some best practices: First, he suggests that organizations implement a plan of action for managing the new environment, including monitoring activity inside the cloud and tying it back to identity. One suggestion he makes is to utilize tagging within the cloud, which can help organizations track which departments use particular services. He also recommends regular reviews using these tags to ensure that aspects of the cloud that an organization is subscribed to are still necessary and in use. This can help avoid unnecessary costs or overlapping services and ensure costs are charged to the correct department.
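The tag-based review described above, as an added example that is not part of the advisory or OnDefend’s tooling: it runs over a constructed resource inventory and reports untagged resources, department tags nobody recognizes, data stores that default to public access, services that look abandoned, and monthly cost per department for chargeback. Resource names, tags, costs and the required-tag set are all assumptions made for illustration.

```python
"""Tag-based cloud inventory review (added example, constructed data).

Applies the practices in the text: require department/application/owner tags
on every resource, review whether subscribed services are still in use, charge
cost to the right department, and catch data stores left publicly accessible.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REQUIRED_TAGS = ("department", "application", "owner")   # assumed policy
KNOWN_DEPARTMENTS = {"finance", "marketing", "engineering"}
STALE_AFTER = timedelta(days=90)                        # assumed review window
NOW = datetime(2023, 5, 1, tzinfo=timezone.utc)

# Constructed inventory in the shape a provider's resource listing might be
# normalised into; one dict per resource. Nothing here is real.
INVENTORY = [
    {"id": "db-payroll", "type": "database", "public": False,
     "tags": {"department": "finance", "application": "payroll", "owner": "alice"},
     "last_activity": NOW - timedelta(days=2), "monthly_cost": 420.0},
    {"id": "db-leads", "type": "database", "public": True,          # exposed, no owner
     "tags": {"department": "marketing", "application": "crm"},
     "last_activity": NOW - timedelta(days=1), "monthly_cost": 150.0},
    {"id": "vm-legacy", "type": "vm", "public": False, "tags": {},  # untagged, idle
     "last_activity": NOW - timedelta(days=200), "monthly_cost": 90.0},
    {"id": "bucket-exports", "type": "storage", "public": True,     # unknown department
     "tags": {"department": "sales", "application": "exports", "owner": "bob"},
     "last_activity": NOW - timedelta(days=5), "monthly_cost": 12.5},
]


def missing_tags(resource):
    """Return the required tag names this resource does not carry."""
    tags = resource.get("tags", {})
    return [t for t in REQUIRED_TAGS if not tags.get(t)]


def find_untagged(inventory):
    """Map resource id -> missing tags, for every resource missing at least one."""
    return {r["id"]: missing_tags(r) for r in inventory if missing_tags(r)}


def find_unknown_departments(inventory, known=KNOWN_DEPARTMENTS):
    """Resources whose department tag names no department the organization knows,
    i.e. nobody to notify and no budget to charge."""
    return [r["id"] for r in inventory
            if r["tags"].get("department") and r["tags"]["department"] not in known]


def find_public_data_stores(inventory):
    """Data-holding resources that are reachable from the internet."""
    return [r["id"] for r in inventory
            if r["type"] in ("database", "storage") and r.get("public")]


def find_stale(inventory, now=NOW, threshold=STALE_AFTER):
    """Resources with no activity inside the review window: candidates to retire."""
    return [r["id"] for r in inventory if now - r["last_activity"] > threshold]


def cost_by_department(inventory):
    """Monthly cost per department tag; untagged spend lands in 'unattributed'."""
    totals = defaultdict(float)
    for r in inventory:
        totals[r["tags"].get("department") or "unattributed"] += r["monthly_cost"]
    return dict(totals)


def review(inventory, now=NOW):
    """One report dict combining every check, for the regular tag review."""
    return {
        "missing_tags": find_untagged(inventory),
        "unknown_department": find_unknown_departments(inventory),
        "public_data_stores": find_public_data_stores(inventory),
        "stale": find_stale(inventory, now),
        "cost_by_department": cost_by_department(inventory),
    }


if __name__ == "__main__":
    for finding, value in review(INVENTORY).items():
        print(f"{finding}: {value}")
```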

Organizations can also use this planning process to help balance the tradeoff between user-friendliness and security. Finke recommends that IT teams guide employees through the cloud process, showing them the different offerings and how to implement them safely. He also recommends that IT security teams are involved from the very start of when organizations consider how to incorporate cloud services, saying organizations should “make sure that the IT security function is pushed out and embedded into other groups so that if they go to the cloud, they have somebody who is representing the IT security team in the planning and building stages.” He goes on to explain “it cannot really be centralized,” rather, “security functions should be included within groups that are going to consume the technology so that there is a security person there with them.” This is so that when a group decides to build something within the cloud, an IT security professional monitors the plan that is being created to ensure that it upholds proper security standards.

Finke also recommends that organizations invest in an outside consultant who can utilize third-party tools to validate the true state of their cloud environments. This can help organizations ensure that all data and services in the cloud have been properly secured. However, if organizations choose to bring in third-party validators, they must be sure that they uphold all data privacy commitments and do not inadvertently share client information or any personal information on employees without their knowledge, especially if they are operating in locations where regulations would require them to obtain permission before doing so. Finke notes that firms like OnDefend typically are not granted extensive permissions in the cloud when hired for security consultations, saying, “the good news is that…we don’t have access to any of the data; we only have access to the services they are using in the cloud environment that holds the data.” Thus, organizations must be sure that they are not inadvertently giving permissions to third-party validators and that they have performed due diligence to ensure they are abiding by the relevant legislation and regulations. For example, if an organization maintains any biometric data on a cloud database, such as employee fingerprints, and it operates in a state that regulates how organizations handle such biometric data, it must ensure that this information is not made available to a third-party consulting firm in this process without employee consent. This measure can help organizations avoid potential legal action like that faced by fast food chain White Castle, which, as covered in a prior RANE Advisory, is currently facing potential class action damages of up to $17 billion under Illinois’s Biometric Information Privacy Act after sharing employee fingerprints with a third-party validator.

 

About the expert: Ben Finke is a co-founder and CTO of OnDefend. Ben has almost two decades’ worth of experience in cybersecurity, starting as a communication officer in the U.S. Air Force. Over the course of his career, Ben worked with organizations ranging from government agencies to Fortune 500 companies, including being embedded in development teams in SaaS companies, overseeing a red team for testing critical infrastructure systems and running the security practice for a managed security provider. In 2016, Ben co-founded OnDefend, where he currently serves as the Chief Technology Officer. Ben is also the creator of BlindSpot, a purple team testing automation tool. Ben has a bachelor’s degree in computer science from Florida State University.

OnDefend is a cybersecurity consulting firm based in Jacksonville, Florida, that assists firms in reducing their cyber risk through preventative security testing and consulting services. OnDefend’s information security services include network penetration tests, attack simulation tests, application security tests, vulnerability assessments, incident response readiness, ransomware readiness assessments, compliance consulting and other security consulting services.

OnDefend Media Contact: Lauren Verno, Lauren.verno@ondefend.com

In today’s digital age, cybersecurity is a critical concern for every organization. However, it’s important to understand that cybersecurity is not just a technical issue—it’s a business problem.

Unlike IT issues, which can often be resolved with technical solutions, cybersecurity requires a comprehensive approach that involves understanding, managing, and mitigating risks. This means that we need to constantly evaluate our risk posture, which is always changing due to the dynamic nature of threats and vulnerabilities.

Threats are potential harms that cybercriminals and adversaries can inflict on our organizations. These threats are like the weather, always changing and unpredictable. As business leaders, we need to be aware of the current threat landscape, just as a weather person keeps us informed about potential storms.

Vulnerabilities are weaknesses or exposures in our organization that allow threats to manifest. With our technology environment always evolving, new vulnerabilities can emerge at any time. It’s crucial to stay informed about these vulnerabilities and take necessary actions to address them.

The key to effective cybersecurity management is regular communication. Just as we regularly update our teams about business performance and market trends, we need to keep them informed about our current risk posture. This includes discussing potential threats, vulnerabilities, and the potential impact of a security breach.

Remember, cybersecurity is not a static problem and cannot be addressed with a fixed budget. Like our legal and risk and compliance departments, our cybersecurity budget needs to be flexible to accommodate changes in threats and vulnerabilities throughout the year.

In conclusion, cybersecurity is a business function that requires a proactive approach to risk management. It’s not just about buying firewalls or other security devices—it’s about understanding and managing risks, communicating regularly with our teams, and being prepared to adapt to changes. Let’s embrace this approach to ensure the security of our organizations in the digital age.

 

About OnDefend

OnDefend empowers the information security industry through its cutting-edge technological innovations and battle-tested professional services team. By solving the problems that the cyber security industry has not solved, OnDefend has become a critical partner of security service firms and corporations throughout the US and around the world. Whether it’s their next generation SaaS offerings of BlindSPOT and Confirm4Me or their seasoned security team leveraged by partners to meet market service demand, OnDefend has enabled cyber security firms to extend their capacities and corporations to secure their future. To learn more, visit ondefend.com.

It’s already May, and I know I’m not alone when thinking, “how did we get here?” It’s been a hot minute since we last caught up, and there’s a lot to go over. From our threat-informed pentest webinar, BlindSPOT updates, and OnDefend in the news, let’s get started.


Threat-Informed Pentest Webinar Recap

Whether you’re new to OnDefend or have been around for a while, you’ve likely heard the phrase “traditional pentesting is no longer enough.” Budgets are thinner than ever, and hackers are as skilled as ever, which means companies need to be tactical about their investments. Traditional pentesting is necessary, but focusing those efforts on industry-specific threat actors is what we believe will give companies that edge. Go ahead and check it out for yourself; the full webinar recording is up right now.

Watch here: Threat-Informed Pentesting: Preparing for Threats Targeting Your Industry


Better Together

We’re off the ball in the game! OnDefend CEO Chris Freedman and CTO Ben Finke met with our partner DeepSeas in Cincinnati last month. OnDefend co-sponsored a night out to the Cincinnati Reds game, where we got to discuss how BlindSPOT enables DeepSeas customers with breach & attack simulation capabilities.

If you’re ready to dive deeper into BAS, DeepSeas VP Josh Nicholson & OnDefend CTO Ben Finke explore breach & attack simulations on “Cyber Control Testing: New Purple Teaming Revolution.” You can listen to the full podcast on Cyber Security America here: Cyber Control Testing: New Purple Teaming Revolution

——

Supply chain attacks might be one of the most elusive, engaging, and relevant cyber-attacks to talk about. This is why we obviously had to jump at the chance when ITProTV reached out to talk all things supply-chain. Check out CTO Ben Finke’s conversation with ITProTV’s Daniel Lowrie here: ITPro LIVE with Daniel Lowrie and Ben Finke


OnDefend In The News

A huge congratulations is in order for OnDefend CTO Ben Finke, who was named one of Jacksonville’s 2023 Ultimate Tech Leaders!

“The past few years have been a challenging time for those that are tasked with guiding their organizations as they implement new solutions, take advantage of new opportunities, and figure out a path to the future. The work these leaders do is vital, both to their organizations and for the growth of the local economy.” – Jacksonville Business Journal

First Coast Inno – Here are Jacksonville’s 2023 Ultimate Tech Leaders (bizjournals.com)

A not-so-elaborate cyber-attack could cost taxpayers $1.4 million. OnDefend CEO Chris Freedman spoke with Fox13 Tampa Bay about how scammers were able to pull off the attack and why it’s unlikely the money will be recovered.

Manatee County falls victim to cybercrime that could cost taxpayers $1.4 million (fox13news.com)

You’ve likely heard the phrase, “If the app is free, you are the product being sold.” While we never recommend giving away sensitive information, we realize that sometimes giving your name or even email address is inevitable when signing up for an app. But when WJXT News4Jax reached out about a new app that seemed to ask for everything under the sun, CTO Ben Finke had a warning for the viewers at home.

A warning from cyber security experts about the TEMU app (news4jax.com)

The White House Cybersecurity Directive was released earlier this year. As a cybersecurity company, we are genuinely excited and optimistic about the plan, but actions speak louder than words. The main question in the end is, will it make a difference? Check out our full take on Forbes.

https://www.forbes.com/sites/forbestechcouncil/2023/04/06/the-white-house-cybersecurity-directive-is-out-will-it-make-a-difference/?sh=309f56c43594


Other News featuring OnDefend:

16 Effective Strategies To Collect Feedback On New Internal Tech (forbes.com)

14 Specialized Tech Leadership Roles That May Emerge In The Next Decade (forbes.com)

16 Business And Consumer Tech Tools Experts Say Everyone Will Be Using Soon (forbes.com)

16 Leaders’ Tips To Help Tech Pros Better Communicate With Non-Tech Experts (forbes.com)


BlindSPOT

I could go on for days about why BlindSPOT is one of the best BAS tools in the market today. It’s a one-stop shop tool that allows partners to simulate cyber-attacks, visualize a company’s security control “blind spots,” and remove security risks. That is one of the many reasons Plextrac and Market Research Access Services recently recognized the tool for its innovation.

30+ of the Most Popular Penetration Testing Tools in 2023 – PlexTrac


And now a word from the BlindSPOT guru himself, CTO Ben Finke…

Hello! Tons of things happening in the BlindSPOT world, but let’s dive into a few things that you should know:

Alert Validation in Beta

We spend a lot of time using BlindSPOT to test our defenses and build alerts using our security tool data that help us find malicious activity.  But, how do we make sure that detection pipeline works? Enter Alert Validation!

Alert Validation leverages the BlindSPOT capabilities you already know and love to generate real activity on an endpoint, and then BlindSPOT connects to your security tools.  We check to make sure 1) the log data shows up as expected, 2) the alert analytic fires as expected, and 3) it all happened within a timeframe that is acceptable to you.  This whole process is completely automated, with notifications for a failure at any step.  It’s uptime testing for your detection pipeline! Available now for Microsoft Defender for Endpoint and Azure Sentinel, with more security tools to be added in the future!

Automated Plextrac Runbooks V2 Integration

We’re big fans of what the team at Plextrac is doing, and we’re pleased to release our full integration with the Plextrac Runbooks V2 feature.  Simply connect BlindSPOT to your Plextrac instance, and then we can push any completed BlindSPOT campaign into Runbooks, even if you don’t have the Test Plan built for it yet (we’ll take care of that for you!).  No need to worry about exporting and importing files; it’s a simple button in BlindSPOT to send the campaign results into your Plextrac instance!

Updated Agent and Payload Builder

We’ve rebuilt our Unified Payload Builder, allowing us to begin chaining additional transformation capabilities for agents and payloads.  We’ve already added an automated obfuscation feature for both payloads and agents, and we’ve got a lot more improvements on the way (packed PE files, DLL unhooking, and more!).
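The three-step check that the Alert Validation section above describes (log arrived, alert fired, both within an acceptable window, with a notification for any failed step), as an added example that is not BlindSPOT code and not from OnDefend: it runs the checks over constructed log records and alerts keyed by a correlation id planted in the test activity. The record shapes, rule names, correlation ids and timings are all assumptions made for illustration.

```python
"""Detection-pipeline validation check (added example, constructed data).

After a known test activity runs on an endpoint, confirm that (1) the matching
log record arrived, (2) the expected alert analytic fired and (3) both did so
within an acceptable window, and produce one notification per failed step.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

T0 = datetime(2023, 5, 1, 10, 0, tzinfo=timezone.utc)  # when the test activity ran

@dataclass
class Expectation:
    test_id: str                # correlation id planted in the generated activity
    generated_at: datetime
    expected_alert: str         # analytic/rule that should fire on the activity
    max_log_delay: timedelta    # acceptable time for the log record to appear
    max_alert_delay: timedelta  # acceptable time for the alert to fire

@dataclass
class Result:
    test_id: str
    log_ok: bool = False
    alert_ok: bool = False
    timing_ok: bool = True      # stays True when a missing step left nothing to time
    log_delay: Optional[timedelta] = None
    alert_delay: Optional[timedelta] = None
    failures: list = field(default_factory=list)

    @property
    def passed(self):
        return self.log_ok and self.alert_ok and self.timing_ok

# Constructed data: three test activities plus the log records and alerts the
# security tool returned. bs-002 never alerts; bs-003 alerts far too late.
LIMITS = (timedelta(minutes=2), timedelta(minutes=10))
EXPECTATIONS = [
    Expectation("bs-001", T0, "Suspicious PowerShell", *LIMITS),
    Expectation("bs-002", T0, "Credential Dump Attempt", *LIMITS),
    Expectation("bs-003", T0, "LSASS Handle Access", *LIMITS),
]
LOGS = [
    {"timestamp": T0 + timedelta(seconds=12), "test_id": "bs-001"},
    {"timestamp": T0 + timedelta(seconds=5), "test_id": "bs-002"},
    {"timestamp": T0 + timedelta(seconds=30), "test_id": "bs-003"},
]
ALERTS = [
    {"timestamp": T0 + timedelta(minutes=3, seconds=40), "rule": "Suspicious PowerShell", "test_id": "bs-001"},
    {"timestamp": T0 + timedelta(minutes=45), "rule": "LSASS Handle Access", "test_id": "bs-003"},
]

def first_match(records, test_id, not_before, **fields):
    """Earliest record carrying test_id at or after the activity time whose named
    fields (e.g. rule=...) all match; None when nothing matched."""
    hits = [r for r in records if r.get("test_id") == test_id
            and r["timestamp"] >= not_before
            and all(r.get(k) == v for k, v in fields.items())]
    return min(hits, key=lambda r: r["timestamp"]) if hits else None

def validate(expect, logs, alerts):
    """Run the three checks for one expectation; each step is judged on its own."""
    res = Result(expect.test_id)
    log = first_match(logs, expect.test_id, expect.generated_at)
    if log is None:
        res.failures.append("step 1: no log record for the generated activity")
    else:
        res.log_ok = True
        res.log_delay = log["timestamp"] - expect.generated_at
        if res.log_delay > expect.max_log_delay:
            res.timing_ok = False
            res.failures.append(f"step 3: log took {res.log_delay}, limit {expect.max_log_delay}")
    alert = first_match(alerts, expect.test_id, expect.generated_at, rule=expect.expected_alert)
    if alert is None:
        res.failures.append(f"step 2: alert '{expect.expected_alert}' did not fire")
    else:
        res.alert_ok = True
        res.alert_delay = alert["timestamp"] - expect.generated_at
        if res.alert_delay > expect.max_alert_delay:
            res.timing_ok = False
            res.failures.append(f"step 3: alert took {res.alert_delay}, limit {expect.max_alert_delay}")
    return res

def run_validation(expectations, logs, alerts):
    return [validate(e, logs, alerts) for e in expectations]

def notifications(results):
    """One message per failed step: the input to whatever paging you use."""
    return [f"{r.test_id}: {f}" for r in results for f in r.failures]

if __name__ == "__main__":
    for msg in notifications(run_validation(EXPECTATIONS, LOGS, ALERTS)):
        print(msg)
```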


Anybody else feel like we just scratched the surface? That’s because we did. Stay tuned for this bi-monthly newsletter, for all of OnDefend’s latest and greatest.

If you want to stay in the loop about what’s happening at OnDefend, including our upcoming webinars, the latest cybersecurity trends, and product updates, then follow us on Facebook, Twitter, and LinkedIn @ondefend.

Traditional pentesting is no longer enough. Leadership and boards of directors hear about the latest cyber breaches and question if their security team is prepared for that specific threat actor targeting their industry. Not having a definitive answer is no longer acceptable.

The best way to win the war against these cyber criminals is by testing your organization’s defenses against real-world threats. There’s no better way to do that than by emulating the tactics and techniques of these known adversaries on your real production network. Threat-informed pentesting (TIP) is the first step to covering these defenses.

TIP leverages global threat intelligence about specific emerging adversaries and one-to-one tests your environment against their exact tactics and techniques. TIP can be catered to your specific environment to demonstrate your ability to detect and respond to entire attack chains. TIP is a versatile offering that can be added on to an existing pentest or run as a stand-alone exercise to meet a company’s budget and security posture. This isn’t going to be a traditional year; don’t limit your company to a traditional pentest.

Join OnDefend CEO Chris Freedman and CTO Ben Finke for an expert crash-course on threat-informed pentesting. Throughout the cast — moderated by Emmy award winner Lauren Verno — you’ll learn:

  • What is threat-informed pentesting and its benefits compared to traditional pentesting techniques
  • How OnDefend executes TIP scenarios to emulate real-world threats, and how this approach can improve your organization’s security posture
  • Engagement options for threat-informed pentesting, and how to determine the best approach for your organization
  • How to answer leadership’s questions about threat actors targeting a specific industry, and how to prepare your organization for potential threats
  • Discover BlindSPOT technology and how it can help implement TIP in a continuous assessment strategy, providing ongoing visibility into your organization’s security posture

You can watch the full webinar here:

Speakers:

Ben Finke, OnDefend Co-Founder/CTO

Ben has almost two decades’ worth of experience in cybersecurity, starting as a communication officer in the U.S. Air Force. Over the course of his career Ben worked with organizations ranging from government agencies to Fortune 500 companies, including being embedded in development teams in SaaS companies, overseeing a red team for testing critical infrastructure systems, and running the security practice for a managed security provider. In 2016, Ben co-founded OnDefend, where he currently serves as the Chief Technology Officer. Ben is also the creator of BlindSpot, a purple team testing automation tool. Ben has a bachelor’s degree in computer science from Florida State University.

Chris Freedman, Co-Founder/CEO

Chris is a highly accomplished business leader with a diverse background in diplomacy, business, and philanthropy. Chris began his career serving as a diplomat with the Atlantic Treaty Association and founding a regional real-estate development firm. He continued his career by founding and managing various corporations in the U.S., including MyBenefitsLab, a national online provider of diagnostic testing with the nation’s largest laboratories and national physician’s network. In 2016, Chris co-founded OnDefend, an international cyber security firm, where he currently serves as the CEO. Civically, Chris has also served several charitable organizations, including Best Buddies Jacksonville and the American Red Cross of Northeast Florida. Chris graduated with the highest honors from the University of Florida.


 


Cybercriminals are always on the lookout for vulnerabilities to exploit, and no industry is safe from their attacks.

This is why it’s crucial for organizations to stay one step ahead by proactively identifying and addressing potential security risks before they can be exploited by malicious actors. One effective way to do this? Threat-informed pentesting – a comprehensive security testing approach that focuses on identifying and mitigating real-world threats that specifically target your industry.

It’s a proactive approach to cybersecurity that helps you sleep better at night knowing you’re taking the necessary steps to protect your organization from cyber attacks.

This isn’t going to be a traditional year; don’t limit yourself to a traditional pentest. Contact OnDefend today to learn more about how threat-informed pentesting can help protect your organization.

Our experienced team of cybersecurity experts can provide you with a customized approach to threat-informed pentesting that fits your specific industry and organization.