“[High quality attackers] are paid only if they make it through your defenses,” Los said. “I got a news flash for you kiddo: they’re going to make it through your defenses. It’s not a question of if, because if they can’t get through by penetrating your website, they’ll try your partners, they’ll try your vendors. Worst case scenario, they’ll get hired in your call center and steal data that way. How do I know? I’ve watched it happen, it’s very real and it sucks.”
Validation is an absolute requirement when it comes to a security program. The organization’s defenses, responses, and technology must all be validated, and true validation comes from being attacked realistically. This is where the notion of a Red Team comes into play.
Go read the entire article. It is well written and very informative.
This company, Red Team Security, is plagiarizing the contents of this blog, from the phrase Plan, Execute and Vanish, to the rules and description of the website.
Please go to their contact page and let them know.
EDIT: The page is now gone. Thanks to a few well placed messages from friends.
I'm going to leave the post here as an example of what crap people do sometimes.
- Plan red teaming from the outset. It cannot work as an afterthought.
- Create the right conditions. Red teaming needs an open, learning culture, accepting of challenge and criticism.
- Support the red team. Value and use its contribution to inform decisions and improve outcomes.
- Provide clear objectives.
- Fit the tool to the task. Select an appropriate team leader and follow their advice in the selection and employment of the red team.
- Promote a constructive approach which works towards overall success.
- Poorly conducted red teaming is pointless; do it well, do it properly.
"Red Teams assume the role of the outsider to challenge assumptions, look for unexpected alternatives and find the vulnerabilities of a new idea or approach. By consciously working to assume another perspective and out-do the standard team, they provide one means to getting “out-of-the-box” views and insights."
"Nobody ever defended anything successfully, there is only attack and attack and attack some more."
-- George S. Patton
The information security industry needs to hit rock bottom, says Akamai's Joshua Corman. And then - to truly improve information risk management - it needs to develop a new, adversarial view of the world.
"No one changes until they're sick and tired of being sick and tired," says Corman, director of security intelligence at security vendor Akamai. And in his view, it's time for the security industry to face a grim reality: Threats and adversaries have evolved, but security policies and practices haven't changed much since 2003.
Staying safe and protecting your valuables when away from home should always be a priority. Like most people, you might think that your electronically locked hotel door is secure enough to keep out the unwanted. There’s no physical lock to pick and you need a key card to get in, that’s good, right?
Unfortunately, it’s not. There’s a tiny device out there that can open approximately one third of all hotel doors in seconds.
Using an Arduino microcontroller and a few other components, almost anyone can build a device small enough to fit inside of a dry erase marker. This can then be used to unlock most hotel doors, including the dead bolt, in no time at all.
"There's nothing wrong with staying small. You can do big things with a small team."
"Prepare for the unknown by studying how others in the past have coped with the unforeseeable and the unpredictable."
-- George S. Patton