Blog

New guides, welcome packs, and methodologies in the Volkis Handbook

Posted on 2020-04-07 by Volkis in Volkis News


A couple of weeks ago we put up the Volkis Handbook. It is aimed at our customers, friends, employees, infosec colleagues and really anyone interested in the inner workings of Volkis.

More than this, it aims to form the core of Volkis and a key part of our philosophy as an organisation. We would like to be transparent, open, and honest. By showing what we do and the way we work, we hope that everyone will get to know us better and perhaps just learn a thing or two that they could do better as well.

Are you opening a security hole for your remote workers?

Posted on 2020-04-02 by Matt Strahan in Business Security


On Tuesday Shodan showed that the number of RDP servers exposed to the internet has skyrocketed, going up by 30%. Just having RDP exposed to the internet is pretty much automatically considered a vulnerability in our penetration testing, as it’s a complex protocol that has a history of vulnerabilities (most recently BlueKeep), and exploitation can lead to administrator access to the system. Given that most RDP servers have to be connected to an Active Directory domain, often administrator access is all you need to completely compromise the network and all its data.

Clearly the rise in remote working has caused some windows to be opened in organisations’ environments. While remote working doesn’t have to be a security nightmare, it can still be surprisingly easy to open holes in your security in the name of remote working.

The two main reasons for this are a lack of a strategy and technical debt.

Volkis up and running!

Posted on 2020-03-24 by Volkis in Volkis News


Since the start we’ve had a remote-first philosophy and even with these troubled times we’re up and running providing penetration testing, security consulting, and strategy work. There are obviously a few things we can’t do for now such as internal penetration testing, physical intrusion, and onsite debriefs, but most of our services including external and web app penetration testing, red team, security strategy, and compliance are still running.

Given internal penetration testing is out we do have gaps in our schedule now, so if you have urgent penetration testing work please let us know.

In this post we thought we might give some updates on what we’ve been up to and some of our future plans.

Why remote working isn’t the security nightmare you think it is

Posted on 2020-03-19 by Matt Strahan in Business Security


A couple of days ago we posted up tips and advice to deal with this period of remote working. It’s a scary time not just for our health but also for our security, with organisations suddenly needing to have everyone stay away from the office and work from home, safe from the coronavirus.

For today, I’d like to provide a bit of reassurance: this period of remote working probably won’t present new risk to your organisation. Don’t get me wrong – there’s still a lot of risk in cyber security, but having a whole bunch more people working remotely probably isn’t going to open you up to new threats.

Security precautions for remote work – Quick wins

Posted on 2020-03-17 by Alexei Doudkine in Business Security


The sad truth of the world is that there are people out there who will take advantage of the COVID-19 crisis. As more organisations shut down their offices and ask employees to work from home, those that are less geared towards remote work will be targeted by threat actors.

It is my goal to give organisations pushing for remote work the basic necessities for securing their remote workforce. Rather than long-term strategies, these are things you can do or start doing this week to protect your employees and keep the organisation safe at the same time.

Attacking the backups

Posted on 2020-03-13 by Matt Strahan in Business Security


There are critical systems inside any organisation where the compromise of those systems is almost automatically business threatening. When performing penetration testing we try and think about the “crown jewels” as a bit of a target – if we get access to this the risk is pretty well self-evident. Most of these systems are the obvious ones: financial systems, domain controller, key business process systems, safety systems, and often the web presence nowadays. One such system that is not considered nearly enough is the backup system.

Let’s first look at the obvious: to properly back up data, the backup systems have to have access to that data. This means the backup systems often have the keys to the kingdom, so to speak. If the backup systems are compromised, then all of your data should be considered compromised.

Believe it or not, though, in modern IT environments the backup systems are even more important than just having access to data.

Should you go for bug bounties or penetration testing?

Posted on 2020-03-03 by Matt Strahan in Business Security


At school I was taught that a good piece of writing should “say what you’re going to say, say it, then say what you’ve said”. In that vein, I’m going to talk about the advantages and disadvantages of bug bounties and penetration testing but it will all come down to this:

Why not both

Penetration testing and bug bounties tend to complement each other extremely well. The disadvantages of penetration testing tend to be the advantages of bug bounties and vice versa. Let’s go through it in more detail.

Trust hierarchies in your everyday life

Posted on 2020-02-25 by Alexei Doudkine in Personal Security


Well, it finally happened! Last Sunday my phone died. Proper died, no response, no battery indicator, nothing. It’s a brick. 🙁 Naturally, being a slave to our little black rectangles that we carry in our pockets, I promptly went to purchase a new one and start setting it up. This is where most articles start preaching about the importance of backups, but you already know about that so I won’t go down that road. I will mention that backups did save me days of my life and leave it at that.

Rather, it made me think of all the little systems that I use in my everyday life that I almost never consciously think about and the trust relationships they have with one another. For example, logging into my Twitter account from a new device prompted Twitter to require I validate the new device through my email (Gmail). In this case, Twitter has a trust relationship with my Gmail account and assumes that I, and only I, have access to that email account. I quickly realised that I don’t have access to Gmail anymore. This is where things got interesting.

The Five Whys and security vulnerabilities

Posted on 2020-02-20 by Matt Strahan in Business Security


When reading about the Toyota Production System and the Lean Methodology, a remarkably simple technique was talked about called the “Five Whys”. It was used by Toyota to solve the underlying problems, not just the symptoms. The technique was made popular by books such as The Lean Startup.

When there is a production failure, outage, or problem, the “Five Whys” facilitator will bring all the relevant people into a room and ask “why” again and again to try and pull the thread of the full sequence of events that led to the issue. The Wikipedia page for Five Whys gives this example:

  • Why? – The battery is dead. (First why)
  • Why? – The alternator is not functioning. (Second why)
  • Why? – The alternator belt has broken. (Third why)
  • Why? – The alternator belt was well beyond its useful service life and not replaced. (Fourth why)
  • Why? – The vehicle was not maintained according to the recommended service schedule. (Fifth why, a root cause)

When reading about this technique, I began thinking about security vulnerabilities. How often do we talk about patching the vulnerability without thinking enough about what caused the vulnerability in the first place? And I’m not just saying “we didn’t do the patch”, I’m saying the underlying processes that people don’t even realise are there that made us end up here.

Living off the land and why it’s so hard to pick up good hackers

Posted on 2020-02-11 by Matt Strahan in Offensive security


A lazy Tuesday

“I need a list of high value clients for our board meeting tomorrow. Get it to me so I can review it and practice tonight.”

As much as she’d like everyone to submit tickets over the fancy ITSM system the CIO paid for, when the CIO gives a direct request like that, Steph the sysadmin just has to follow. Luckily, although it’s annoying to get this kind of request in the afternoon, it’s not particularly hard to fulfil.

Steph loads up Tableau. With SSO she doesn’t even need to sign in. She can make a custom report of the high value clients, plug in financials and client figures, and click export. The report, though, is a bit big so she can’t just send it over email. Instead, she knows the CIO can retrieve it over Office365, so she uses OneDrive and sends the CIO the link so he can download it when he’s at home.

She only has one more task. Someone in finance put in a ticket to reset their password. Steph logs into Active Directory, resets the password, and sends the info to finance. Done for the day, she packs up.
