We conduct a wide variety of assessments for a wide range of clients. We provide assessment services for universities, health care companies, law firms, telecommunication providers, and many more. Some of our clients have mature infrastructures, while others are still standing up a basic security operation. Regardless of size or maturity, one of the things we rarely see is clients conducting their own internal audits between penetration tests.
What We See
When we wrap an engagement, we provide a report complete with technical findings and the tooling we used. Aside from our vulnerability scanners (Burp Suite Pro and Nessus), most of the tools we use are open source and common to the field. Even the tools I have written for my day-to-day work are open source and available. What we rarely see, however, is clients taking those tools into their own environments and using them to conduct their own periodic audits.
While this may sound like a need for a purple team, it isn't one. We are happy to provide those services, but the point is for a company to take ownership of its security needs between testing cycles. Our reports are a snapshot in time, and the findings can be quite consequential, so imagine a team taking the results of our testing and building on them internally. For example, using the same tools and techniques, a security operation could conduct its own IPv6 testing with mitm6 (https://github.com/dirkjanm/mitm6) or run Responder (https://github.com/lgandx/Responder) on the network from time to time to see whether crackable NTLM hashes are still being handed out. These tests are generally safe when run for a short, controlled window: Responder's analyze mode (-A) only listens and never answers LLMNR or NBT-NS queries, mitm6 can be scoped to your own domain with -d, and any disruption caused by the active poisoning modes stops as soon as the tools are stopped. A host that shows up in those logs is a host that still has LLMNR, NBT-NS, or unneeded IPv6 name resolution enabled, which is exactly the kind of finding an internal team can fix and re-verify before the next engagement.
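As an added example of the "controlled duration" check described above (this is not TCM Security's tooling or part of the original post), the script below runs Responder in its passive analyze mode for a bounded window using timeout, then summarises which hosts are still broadcasting name lookups. It assumes Responder is checked out at $RESPONDER_DIR and that its logs/Analyzer-Session.log lines look like the constructed sample embedded in the script; both the install path and the log format are assumptions, not something the original post states.

```shell
#!/usr/bin/env bash
# Added example, not TCM Security's code: bounded, passive Responder run
# followed by a summary of hosts still sending LLMNR/NBT-NS/mDNS lookups.
# Assumptions (not from the original post): Responder lives at $RESPONDER_DIR
# and writes logs/Analyzer-Session.log lines of the form
#   MM/DD/YYYY HH:MM:SS AM - [Analyze mode: LLMNR] Request by 10.0.0.5 for FILESRV01, ignoring
set -eu

RESPONDER_DIR="${RESPONDER_DIR:-/opt/Responder}"   # assumed install path
IFACE="${IFACE:-eth0}"                             # interface on the target VLAN
WINDOW="${WINDOW:-15m}"                            # timeout kills Responder after this

# Passive listen only (-A): Responder logs requests but never answers them,
# so nothing is poisoned and there is nothing to undo when the window ends.
run_analyze_window() {
    sudo timeout "$WINDOW" python3 "$RESPONDER_DIR/Responder.py" -I "$IFACE" -A || true
}

# Print "count protocol source name" for each distinct (protocol, source, name)
# tuple seen in an Analyzer-Session.log, most frequent first.
summarize_analyzer_log() {
    log="$1"
    grep -o '\[Analyze mode: [A-Z-]*\] Request by [0-9.]* for [^,]*' "$log" \
      | sed -E 's/\[Analyze mode: ([A-Z-]*)\] Request by ([0-9.]*) for (.*)/\1 \2 \3/' \
      | sort | uniq -c | sort -rn
}

# Number of distinct hosts that sent at least one broadcast lookup;
# each one is a candidate for disabling LLMNR/NBT-NS via GPO.
count_chatty_hosts() {
    summarize_analyzer_log "$1" | awk '{print $3}' | sort -u | wc -l | tr -d ' '
}

# Constructed sample log (not real capture data) so the summary runs offline.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
01/15/2024 10:22:31 AM - [Analyze mode: LLMNR] Request by 10.0.0.5 for FILESRV01, ignoring
01/15/2024 10:22:31 AM - [Analyze mode: NBT-NS] Request by 10.0.0.5 for FILESRV01, ignoring
01/15/2024 10:23:02 AM - [Analyze mode: LLMNR] Request by 10.0.0.17 for wpad, ignoring
01/15/2024 10:23:40 AM - [Analyze mode: LLMNR] Request by 10.0.0.5 for FILESRV01, ignoring
01/15/2024 10:24:11 AM - [Analyze mode: MDNS] Request by 10.0.0.23 for printer.local, ignoring
EOF

# "run" performs a real bounded capture; no argument just summarises the sample.
if [ "${1:-}" = "run" ]; then
    run_analyze_window
    summarize_analyzer_log "$RESPONDER_DIR/logs/Analyzer-Session.log"
else
    summarize_analyzer_log "$SAMPLE_LOG"
fi
```

The analyze-mode window is the safe default for a periodic internal check because it never answers a query; switch to Responder's normal poisoning mode only when you want to confirm that a host will actually hand over an NTLMv2 hash, and keep that run equally short. A "wpad" lookup in the output is worth prioritising, since it is the request Responder's WPAD proxy abuses to collect credentials.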
What You Can Do
The point here is to encourage security teams to identify weaknesses before we do. We appreciate the quick wins, but we also appreciate it when a client has a mature security apparatus. The intention isn't for a client to stop seeking services, either. Instead, it is to ensure that clients build on the lessons learned between engagements and create a more secure environment for their employees and customers.
If you’re interested in learning more about the tools and techniques we use, check out https://academy.tcm-sec.com, where we host hundreds of hours of educational content. Our team can also provide targeted training for your security teams in the safe operation of the same tools we use on every engagement. To learn more about these types of opportunities, don’t hesitate to contact us.
About the Author: Heath Adams
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical, hands-on certification exams to demonstrate proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com