Have you ever run into this scenario: there is a yearly audit on the security posture of the organization and this requires certain measures to be in place. However, everyone within the security department knows that that one specific measure (let’s name it checkbox alpha) is not actually in place.
A one-off vulnerability assessment or automated penetration test may serve to raise awareness and gain focus. Still, it also bears a risk of fatigue, in that it usually raises a seemingly insurmountably large heap of issues. If you're seeking to take control of and improve an existing situation, don't look once.
The clock started ticking for the sysadmins of the hundreds of thousands of Exchange servers around the world (and their risk officers or CISOs). Exploits had been seen as early as January, so from March 2 onward the only safe assumption is that an unpatched Exchange server is a breached server.
By combining the Polar Flow data with social media profiles and other public information, Dutch journalists, together with the Bellingcat network for citizen journalism, were able to find names, addresses and photos of no less than 6460 individuals.
Are you aware of the key players in the BAS-marketplace? Don’t feel too bad, because Breach and Attack Simulation (BAS) has only recently entered the mainstream in cybersecurity.