Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

The Influence People Blog May 18, 2015

If You are Wrong – Tom Brady – Admit it Quickly and Emphatically

I don’t know about you but I’m sick and tired of athletes getting caught red-handed cheating or involved in some scandal only to defiantly maintain their innocence. Pete Rose, Lance Armstrong, A-Rod come to mind and now Tom Brady has joined the list. Eventually the truth comes out and each person only compounded his problems with the lies that ensued. Of course, this issue isn’t limited to just athletes. We’ve all seen our fair share of politicians, religious leaders, businesspeople and many others go through the same thing.

Just once I’d like to hear someone say, “I did it. It was wrong. No excuses and now I’m willing to bear whatever punishment comes my way.” The public doesn’t care why they did what they did because it’s all excuses. My old high school football coach said it best, “Excuses are like a—holes. Everybody has one and they all stink!” The only thing people care about is what they did. Lying after getting caught only compounds cheating. Thus the well-known saying, “The cover up is worse than the crime.” When will they learn? I realize a lot is at stake, but had each of the aforementioned people taken their medicine when they were caught, odds are they’d be back in the good graces of the public by now. Tiger Woods, as horrible as his behavior was, fessed up, sought help, and is in a much better place than Pete, Lance, A-Rod or Tom.

Football is a game of inches. Sometimes the slightest advantage makes all the difference between winning and losing. But the point is not whether or not deflating a football a little bit makes a difference, or whether fans and players think the rule is silly. IT’S THE RULE. The issue with Tom Brady is twofold. First, he chose to break the rule and only did so because he felt it would be an advantage for him. If he didn’t think balls with slightly less pressure would help he wouldn’t have instructed others to let a little air out. Like the rule or not, he knowingly broke it.

Second, and more important now, he lied about it. For most people, when everything is on the line we see their true character. Sometimes people choose to risk life and limb for others but most people focus just on themselves. That’s the choice Tom Brady made.

In Dale Carnegie’s classic How to Win Friends and Influence People, he has some great advice under the section Be a Leader (something Tom Brady is supposed to be): “When you’re wrong, admit it quickly and emphatically.” Carnegie’s advice taps into Robert Cialdini’s principle of authority. One shortcut to gain credibility with others is to admit weakness or mistakes before the other person brings them up. In doing so you’re viewed as more truthful.

If I were in the NFL, I might get flagged for a 15-yard penalty for “piling on” with this blog post. I don’t dislike Tom Brady or the New England Patriots. In fact, I was pulling for them to win the Super Bowl years ago when they had a chance to go undefeated because it would have been a historic event. But no longer can I root for them at all because it seems at every turn Tom Brady, Bill Belichick and the organization are embroiled in controversy over the rules. When there’s smoke there’s usually fire. Admit you started the fire and do all you can to prevent any more from starting!

Here’s my final thought: Tom Brady needs to grow a pair and take his punishment like a man. Of course, maybe he already has a pair but if so, then they’re obviously a bit deflated too.

Brian Ahearn, CMCT®, Chief Influence Officer, influencePEOPLE. Helping You Learn to Hear “Yes”.

Filed Under: Influence, Pete Rose

Security Metrics Blog May 18, 2015

Pentesting vs Vulnerability Scanning: What’s the Difference?

Two very different ways to test your systems for vulnerabilities. 

By: Gary Glover, Director of Security Assessment at SecurityMetrics

Penetration testing and vulnerability scanning are often confused for the same service. And, business owners sometimes purchase one when they really need the other. 

A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Both types of testing can be performed on systems exposed to the Internet or only exposed on your internal network.

This post will dive deeper into the differences between the two tests.

What is a vulnerability scan?

Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses. These scans are typically automated and give a first look into what vulnerabilities are present and could possibly be exploited.

High-quality vulnerability scans can search for over 50,000 vulnerabilities and are required by some cyber security mandates (PCI DSS, FFIEC, and GLBA, etc.) but regardless of requirements, this type of scanning is a mainstay of cybersecurity threat prevention for any company wanting to protect their digital data.

Vulnerability scans can be initiated manually or scheduled to run automatically, and complete in anywhere from several minutes to several hours. At a minimum, these scans should be conducted on all systems exposed to the Internet (for example, web servers, mail servers, etc. living in a DMZ). To be thorough they should also be conducted on all systems exposed on your internal network, to detect vulnerabilities that could be exploited by data thieves if they happen to get past your edge defenses.

Vulnerability scans are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. It’s up to the business owner or his/her IT staff to patch weaknesses on a prioritized basis or confirm that a discovered vulnerability is a false positive, then rerun the scan.

To ensure the most important vulnerabilities are being scanned for, vulnerability scans should be conducted by a skilled team or well-known vulnerability scanning company. In the case of PCI DSS compliance you must use a PCI Approved Scanning Vendor, or ASV.

See Also: Spotting Vulnerabilities – Is Vulnerability Scanning Antiquated?

Reporting
After the scan completes, a report is generated. Typically, vulnerability scans generate an extensive list of the vulnerabilities found, with references for further research on each one. Some even offer directions on how to fix the problem.

The report lists the weaknesses found, but sometimes includes false positives. A false positive is when a scan identifies a threat that’s not real. Sifting through real vulnerabilities and false positives can be a chore, especially if many are falsely identified.

Benefits of a vulnerability scan

  • Quick, high-level look at possible vulnerabilities
  • Very affordable (~$100 per IP, per year, depending on the scan vendor)
  • Automatic (can be automated to run weekly, monthly, quarterly, etc.)
  • Takes minutes

Limitations of a vulnerability scan

  • False positives
  • Businesses must manually check each vulnerability before testing again
  • Does not confirm that a vulnerability is possible to exploit
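One way to work through a scan report the way the Reporting and Limitations passages above describe, as an added example written for this page rather than code from SecurityMetrics or from any scanner: the hosts, check ids, scores and dates are constructed, and the priority bump for Internet-facing hosts is an assumption, not a scanner feature.

```python
"""Triage of constructed vulnerability-scan findings: drop reviewed false
positives, rank what remains by severity and exposure, and compare two scan
runs so a rescan shows what was fixed, what is still open and what is new."""
from dataclasses import dataclass
import datetime as dt

@dataclass(frozen=True)
class Finding:
    host: str
    check: str       # scanner check id (constructed, not a real plugin id)
    severity: float  # CVSS-style base score, 0.0 to 10.0
    exposure: str    # "external" (Internet-facing, e.g. DMZ) or "internal"

# Constructed sample output from two scans of the same small environment.
SCAN_1 = [
    Finding("web1", "TLS-OLD-VERSION", 7.5, "external"),
    Finding("mail1", "SSH-VERSION-BANNER", 2.0, "external"),
    Finding("db1", "DB-DEFAULT-CREDS", 9.1, "internal"),
    Finding("fs1", "SMB-SIGNING-OFF", 5.3, "internal"),
]
SCAN_2 = [  # rescan: TLS issue on web1 remediated, one new finding on web1
    Finding("web1", "HTTP-TRACE-ENABLED", 4.3, "external"),
    Finding("mail1", "SSH-VERSION-BANNER", 2.0, "external"),
    Finding("db1", "DB-DEFAULT-CREDS", 9.1, "internal"),
    Finding("fs1", "SMB-SIGNING-OFF", 5.3, "internal"),
]
# False positives confirmed by staff, keyed by (host, check) with an expiry
# date so every suppression is re-reviewed instead of living forever.
FALSE_POSITIVES = {("mail1", "SSH-VERSION-BANNER"): dt.date(2015, 12, 31)}

def is_suppressed(f, suppressions, today):
    """True only while a reviewed false-positive entry is still unexpired."""
    expiry = suppressions.get((f.host, f.check))
    return expiry is not None and today <= expiry

def priority(f):
    """Internet-facing hosts get a fixed bump (assumed): anyone can reach them."""
    bump = 2.0 if f.exposure == "external" else 0.0
    return min(10.0, f.severity + bump)

def triage(findings, suppressions, today):
    """Ordered patch list: highest priority first, host name breaks ties."""
    kept = [f for f in findings if not is_suppressed(f, suppressions, today)]
    return sorted(kept, key=lambda f: (-priority(f), f.host))

def diff_scans(before, after):
    """Compare two runs by (host, check) to confirm fixes and spot regressions."""
    b = {(f.host, f.check) for f in before}
    a = {(f.host, f.check) for f in after}
    return {"fixed": sorted(b - a), "open": sorted(b & a), "new": sorted(a - b)}
```

Running triage before and after the suppression expiry shows the reviewed banner finding dropping out of the patch list and then returning for re-review, and diff_scans confirms the TLS fix without hiding the new finding on the same host.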

See Also: Picking Your Vulnerability Scanner: The Questions You Should Ask

What is a penetration test?

A penetration test simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities. Actual analysts, often called ethical hackers, try to prove that vulnerabilities can be exploited. Using methods like password cracking, buffer overflow, and SQL injection, they attempt to compromise and extract data from a network.


Penetration testing of both external and internal systems is a very effective approach to finding vulnerabilities that need to be removed and is considered an essential element of any good security program. This type of testing is required by PCI DSS, FFIEC, and GLBA regulations.

SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

The cost of a penetration test can run between $5,000 to over $70,000, but it depends on how many IPs are tested and the size of the tested web applications. Learn more about the cost of penetration testing.

The main aspect that differentiates penetration testing from vulnerability scanning is the live human element. There is no such thing as an automated penetration test. True penetration tests are conducted by real people.

Penetration testers are well versed in:

  • Black hat attack methodologies (e.g., remote access attacks, SQL injection)
  • Internal and external testing (i.e., the perspective of someone within the network, and the perspective of a hacker over the Internet)
  • Web front-end technologies (e.g., JavaScript, HTML)
  • Web application programming languages (e.g., Python, PHP)
  • Web APIs (e.g., REST, SOAP)
  • Network technologies (e.g., firewalls, IDS)
  • Networking protocols (e.g., TCP/UDP, SSL)
  • Operating systems (e.g., Linux, Windows)
  • Scripting languages (e.g., Python, Perl)
  • Testing tools (e.g., Nessus, Metasploit)

In short, penetration testers provide a deep and detailed look into the data security of an organization.

SEE ALSO: Different Types of Penetration Tests for Your Business Needs

Reporting

Typically, penetration test reports are long and contain a description of the testing methodologies, the attacks used, detailed findings, and suggestions for remediation.

Benefits of a penetration test

  • Live, manual tests mean more accurate and thorough results
  • Rules out false positives
  • Usually performed annually or after a significant change

Limitations of a penetration test

  • Time (1 day to 3 weeks)
  • Cost ($5,000 to $70,000)

Which is better? A vulnerability scan or penetration test?

Both tests work together to validate optimal network security. Vulnerability scans give weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough way to deeply examine your network security. Yes, penetration tests are expensive, but you are paying a professional to examine every nook and cranny of your business the way a real-world attacker would.

The difference is comparable to that between a fuzzy x-ray image and a clear, 3-D MRI. X-rays are great for small, quick problems (the vulnerability scan) but an MRI (the penetration test) is needed for deeper, more complicated problems. Get an MRI for your network.

Interested in a penetration test for your business?

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Senior Vice President of Assessments at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you visit his other blog posts.

Filed Under: pen test, Pentesting

Changing Minds Blog May 16, 2015

Politics and Persuasion in the UK General Election

Here’s a run-down on how the recent UK election was won and lost.

Filed Under: Uncategorized


About

Welcome to an aggregator for blogs about social engineering and related fields. Feel free to take a look around, and make sure to visit the original sites.


© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·