Quanheng “Q” Lim is Director of CyberOps at Horangi.
Penetration testing may be one of the most popular practices in cybersecurity, but is it the same as a vulnerability assessment and is it comprehensive enough for your organization’s security workflow?
With the advent of digitization in the business world, companies will undoubtedly be the victim of a cyber attack at some point in their lifespan. More often than not, loopholes and gaps in weak cyber security networks allow perpetrators to extract sensitive or proprietary data for various malicious endeavors. Furthermore, a cyber attack can have rippling effects leading to more, albeit
Between the 27th of June and the 4th of July, Singapore experienced its biggest and most serious cyberattack to date. A joint press release by the Ministry of Communications and Information (MCI) and Ministry of Health (MOH) revealed that SingHealth, Singapore’s largest healthcare group, was subject to a “deliberate, targeted and well-planned cyberattack”. About 1.5 million patients had their personal
Penetration testing is an authorized simulation of an attack on a system, network, or application to find potential vulnerabilities that can be exploited. Pentesting can also be loosely placed into three categories: black, grey, or white box testing. The black box testing model is done from the perspective of an outsider with limited knowledge of the application, network, systems or
Since the previous review of web vulnerabilities mapped to the OWASP Top 10, published on Apr 10, 2017, the awareness document has been updated to reflect the current risk trends related to web applications. This document is meant as a reference for examples that provide context and support a universal understanding of the relevance of cybersecurity issues in
Knowing the common web vulnerabilities is great, but often it is hard to think of specific examples that appear in popular news to show the layman the relevance of these issues. Let’s take the approach of following the OWASP Top 10 list. At the time of this writing, the last major update to the Top 10 list was in 2013.
1. The counterfeit code-signing certificates are now being custom-created Image source: https://wccftech.com/hackers-counterfeit-code-signing-certificates/ Recorded Future has found that code signing and SSL certificate services are “widely available” on the dark web, from reputable companies such as Comodo, Thawte, Symantec and Apple. These certificates can be created on request, and are believed to be produced using stolen corporate identities. Malicious users will
Interest in bitcoin has been surging in the past few years. In recent months, Ethereum, smart contracts and the Ethereum virtual machine have renewed interest in cryptocurrency again. However, the potential and innovative implementations of the “other” functions of cryptocurrency components are a topic for another day. As many unwitting users have found out, the value of these currencies
Enabling Microsoft Protected View A new zero-day attack on Microsoft Office, affecting all current Office versions on all Windows operating systems, was detected by McAfee and FireEye on 7th April. It is the latest in a long list of exploits; from the “Windows Word Intruder” kit that allowed beginners to create their own version of malware, to the phishing-led Cerber
Petya/NotPetya, another ransomware following close on the heels of WannaCry, is also based on the EternalBlue exploit. Ukraine and Russia have the most attacks reported, possibly due to the suspected initial vector via MeDoc (tax software), commonly used in Ukraine. Notably Rosneft (one of the largest crude oil producers), A.P. Moller-Maersk (shipping, said to be affected worldwide), WPP (world’s largest advertising