Blog

Volkis launches

Posted on 2020-02-06 by Volkis in Volkis News


$ chmod +x volkis
$ ./volkis -D

[+] Initialising Volkis...

     .       .
    /|       |\
   / |       | \
  |\ |       | /|
  | \|       |/ |
  |   \     /   |
   \    \ /    /
     \   |   /
       \ | /
         '
    V O L K I S

[+] Launched Volkis!
[+] Randomly generating corporate launch message...

We are proud to be formally launching our dedicated information security consulting company, Volkis. Our new security consultancy will provide penetration testing, security assessment, red team, GRC, and training services at its core.

At Volkis we want to do better: find more, and help our clients get better outcomes with a modular ecosystem of services. We will be providing services beyond what a penetration test normally includes, such as playing an active role in remediation, helping you with your compliance, testing your detection and response capability, and providing detailed security reviews for your business-critical services. From this you’ll be able to get a more fruitful result out of the original test and expand your field of vision.


6 things to look for when choosing your penetration test company

Posted on 2020-01-29 by Alexei Doudkine in Business Security


Nothing grinds my gears more than seeing companies flog cheap, crappy scans as penetration tests. It insults penetration testers like myself, but worse than that, it exploits the unsuspecting clients that genuinely want to improve their security.

When a company realises that they need a penetration test, this task is usually delegated to one person who is almost never a penetration tester themselves. They may have had some experience in the past with selecting a company to perform penetration testing and the outcomes may or may not have been satisfactory. A lot of uncertainty in that last sentence, isn’t there?

The fact of the matter is, penetration testing can be a bit of a mystery and it can be extremely hard to know if the one you chose will be good or not. It’s like when you go to the mechanic to service your car. You drive your car in, leave it for a day, pick it up and drive it out. The car feels exactly the same. Did the mechanic do anything, or did you just pay for some very expensive parking?


The easiest way to test your detection and response capability

Posted on 2020-01-21 by Matt Strahan in Business Security


Every year there’s a guy who comes out and tests my smoke alarm. The smoke alarm guy visually inspects the alarm, runs the internal test, and then uses a small device that, in my head, I ignorantly name “the smoke gun” to trigger the alarm. It’s a simple process that makes sure that the alarm still works.

Watching him work, I thought it curious how so many organisations check their smoke alarms this way but have probably never actually tested whether their security systems are working or not. Probably most organisations don’t even know specifically what their security systems will detect, and probably don’t have the capability or know-how to test their security systems themselves. I’m going to go a bit further and show my cynicism here: probably most organisations don’t actually know what happens when their security system alerts, don’t know what the alert looks like, and wouldn’t know what the alert would mean. It’d be like someone wandering through their home, looking at the box on the roof and saying “that’s an alarm. I don’t know what it sounds like. When it goes off something is wrong – but I don’t know what it could be!”


The value of experience (or "don't fire the person that got phished")

Posted on 2020-01-15 by Matt Strahan in Social Engineering


When performing social engineering attacks, physical intrusion attacks, or red teams we have to be particularly careful. At all times we have to be aware that we’re not dealing with emotionless systems here, but with real people who are often just trying to do their jobs. What’s more, the people on the other end can feel misled, manipulated, and betrayed. Perhaps the hardest challenge of designing an effective user awareness programme is getting the desired outcome of increased security when you’re dealing with real people, who have emotions and potentially unpredictable behaviours.

With systems, getting the outcome of being more secure generally means fixing bugs, tightening configuration, or implementing more controls. Usually once you’re done you can look back and say “yep things are more secure”.

People are more complex than that. Actions that you take can backfire and make things worse. I’d like to talk about perhaps the most extreme of these actions: disciplinary action including firing the person who got phished.


The money-conscious, yet secure company

Posted on 2020-01-07 by Alexei Doudkine in Tools of the trade


Let’s face it, security in an organisation can be expensive. You need corporate antivirus, firewalls, a SIEM, a Vulnerability Management solution and of course, that NextGen Threat Analytics and Attack Simulating Toaster (NGTAAST™). Congratulations, you’ve just racked up over a million dollars’ worth of gear. If you are a large corporation with large security budgets, that’s great! Chances are, these controls are legitimately useful for you and help with your day-to-day defence. However, if you are a smaller company, the reality is that you have very finite resources to stop the exact same adversaries that threaten large corporations.

The good thing for smaller companies is that it’s not just black and white. You don’t have to choose between having the best AV or none at all. There are many free and open source tools available that can supplement, if not completely replace, paid software. What I love about the infosec industry is that it is full of people who truly care. They write and release software not for money, but to make a difference in the world. Let’s take a look at some of my favourite free and/or open source tools.


I make toasters

Posted on 2019-12-23 by Matt Strahan in Business Security


At the beginning of my career in security, I spent a long time on the technical side as a penetration tester. I was a hacker, tasked with breaking into clients’ websites and networks to test their security. Although sometimes that job can be like banging your head against a brick wall, when you get in there is definitely a rush that comes with it. When something you try works, there’s a feeling of exhilaration and victory.

I knew why I was doing it. It was fun, and I was getting paid for it. I lived for that thrill of getting in.

Being focused on what I was trying to do, I wasn’t really looking to see why the customer was getting me to do it. Why were they getting me to hack their organisation?


Welcome to the Volkis website!

Posted on 2019-12-04 by Volkis in Volkis News


Welcome to our new Volkis website!
