Penetration Testing Grows Due to Remote Work

Cybersecurity professionals are requested to conduct more penetration tests and security assessments focusing on remote work during the COVID-19 pandemic than ever before.

With the rapid transition to work from home during the COVID-19 pandemic, the organizations’ attack surface has evolved, and security measures could not remain unchanged. Businesses that care about their cybersecurity have shifted priorities to protect their network infrastructure, focusing on the growing risks of remote work, with pentesting as the means of immediate improvement.

Based on the 2021 Core Security Penetration Testing Survey report, we highlight the recent trends in the pentesting industry. This report summarizes the results of a comprehensive survey of cybersecurity professionals around the globe. The goal was to present an accurate analysis of how organizations benefit from penetration testing in these trying times.

Continue reading “Penetration Testing Grows Due to Remote Work”

Web App Pentester Training: course launch on 20 April – BSG

We are announcing the launch of the Web App Pentester Training course, taught by the web application testing professionals of Berezha Security Group.

The course starts on 20 April 2021.

If you are a software developer, a DevOps engineer or a QA tester and want to dive into cybersecurity, this training is for you!

In 2 months we will teach you to find, exploit and document security vulnerabilities in modern web applications, write reports, and pass your first exams and certifications!

Continue reading “Web App Pentester Training: course launch on 20 April – BSG”

Clutch Acknowledges Berezha Security Group as Top Cybersecurity Consulting Company for 2021

Clutch, a B2B reviews platform, designated Berezha Security Group as one of the top 2021 cybersecurity consulting companies. We are humbled and proud to receive this award and are grateful to our customers for the highest testimonial rating: 5.0 based on 28 reviews. The review rating proves our ability to provide highest-quality application security, penetration testing, and cybersecurity consulting services to our clients.

“We are excited to be named an industry leader and one of the best performing cybersecurity service providers of 2020. It confirms our dedication to providing top-quality consulting services and defeating our clients’ future cybersecurity challenges – today.” – Vlad Styran, Co-founder & VP, Business Development, Berezha Security Group

Continue reading “Clutch Acknowledges Berezha Security Group as Top Cybersecurity Consulting Company for 2021”

Webinar “Cybersecurity Vulnerabilities of Your Business”

“We will always demand more security from you than you demand from yourselves” – BSG

Our job is to help with every aspect of cybersecurity. We understand the typical problems and vulnerabilities across many industries well, because every year we carry out more than 50 penetration testing and application security projects for more than 30 organizations around the world.

Clients come to us in two cases. When “something has happened”: an incident, a data leak or a system failure. Or when “something is needed” urgently: to satisfy the requirements of clients, partners, investors or regulators. So we decided to summarize data that may help you better understand your cyber threats and build more effective defenses.

During the meeting we will cover the following topics:

  1. A typical cyber threat model of a modern business. Discussion of the main threats.
  2. The impact of the pandemic and how cybercriminals exploit the vulnerabilities of remote work (Work from Home).
  3. What is threat modeling and how do we perform it during projects?
  4. What is DARTS? The BSG practice for safe and efficient handling of client data.
  5. How we turned BSG’s experience into the Berezha Web Application Pentester Training program, and what came of it.
  6. The top 10 cybersecurity vulnerabilities we found in 2020.
  7. Open discussion.

✅ Event time: 31.03.2021 at 17:00

✅ Participation is free with prior registration.

✅ Duration: 2 hours.

Continue reading “Webinar “Cybersecurity Vulnerabilities of Your Business””

Web Application Pentester Training: the first free lesson of the course

We are breaking into cybersecurity together with the updated training – Web Application Pentester Training. We present the first free lesson of the Web Application Penetration Testing course from the experts and industry leaders at Berezha Security Group.

In the first lesson we will show you how to find, exploit and document security vulnerabilities in modern web applications. We will also cover how to write up findings in a report and explain how to take the exam for the certification at the end of the course.

You will get to know the pentester profession and find out for sure whether it resonates with you ❤️.

Web Application Pentester Training: more details

❓ Who is the training for?

This training is intended for a wide range of IT specialists, students, and anyone interested in cybersecurity. The program will be useful for those who want to start a career in Application Security but cannot do so on their own. We provide recommendations on the minimum required level of theoretical and practical preparation in a consultation before the training starts.

❓ What is this training about?

The training program covers the following topics:

  1. Introduction to application security and penetration testing. #appsec #pentest #burpsuite #http #proxy #www
  2. Reconnaissance and enumeration. Mapping the penetration testing scope. #recon #scanning #discovery #osint #enumeration
  3. Access control. Identification, authentication, and authorization. #access #authentication #authorization #idor
  4. Server-side attacks – part 1. #sqli #injection #lfi
  5. Server-side attacks – part 2. #ssrf #ssti #ifu
  6. Client-side attacks part 1. #xss #csrf
  7. Client-side attacks part 2. #xss #postmessage #websockets
  8. Attacks on web services. #webservice #api #xxe
  9. Attacks on web services. Business logic flaws and vulnerabilities. #businesslogic #misconfiguration
  10. Deep dive into injection attacks. #sqli #nosqli #ormi #graphql
  11. Cryptography and the web. Cryptography basics. Introduction to cryptanalysis. #crypto
  12. Mobile security. Mobile application security testing. #mobile #sslunpinning #ios #android
  13. Cloud security. Pentesting the cloud. #cloud #smuggling #deserialization
  14. Reporting, risk management, and negotiations. #reporting #riskmanagement #communication

More details about the training here: https://bsg.tech/blog/pentester-training/

❓ Who are we?

BSG is a Ukrainian consulting firm focused on application security and penetration testing. Our experts have up-to-date practical skills in offensive cybersecurity and the most prestigious certifications in the profession. We carry out more than 50 projects a year and have been providing secure software development training for our clients for more than 6 years.

📧 Our contacts:

[email protected]

🎓 Training page

https://bsg.tech/blog/pentester-training/

BSG Business Outcomes and Security Vulnerabilities Report 2020

Summary

We have just wrapped up a whirlwind year that tested our ability to unite and rise to the challenge of these trying times. But here we go! 2020 was quite a ride, but it has shown us the Berezha Security team’s real efficiency along the way. We are impressed by our achievements, and we are happy to share them with you.

During 2020 we broke a bunch of personal records, such as the annual and monthly revenue, the total yearly projects, and the number of projects we ran simultaneously. As a result, we now know that it was a good year and the best in BSG history.

In 2021, we start a tradition of issuing this annual report. Last year, we counted our critical security vulnerabilities, learned our lessons, and shared some of them with you in this blog post. We believe that this information helps all readers of this report, so we put it in here along with the business-related BSG data.

Continue reading “BSG Business Outcomes and Security Vulnerabilities Report 2020”

Announcing the BSG Business Outcomes and Security Vulnerabilities Report 2020

OK, it is time for an announcement. We’ve been working hard this week preparing the Berezha Security Group annual report. Among other things, it contains the technical data about the vulnerabilities we found last year.

We are planning to release the report to our clients next Tuesday. But before that, we decided to play a little game. It is so simple that everyone can join. Just answer four questions in the form and get a chance to win the prize: a famous YubiKey security token https://www.yubico.com/.

So, the question is:
How many vulnerabilities did Berezha Security Group find in 2020, and how does this number break down by risk level?

Here is a hint:
Overall, we did 50 projects.

To enter the contest, fill in this Google Form. The form closes on Tuesday, at 10:00 Kyiv time. BSG employees cannot take part in this survey.

Berezha Security becomes an OWASP corporate member!

OWASP is the best-known global non-profit organization dealing with software security. It was established in 2001 and has been publishing its famous application security risk rating – the OWASP Top 10 – since 2003. The number of OWASP initiatives and chapters is continuously growing, making it the leading contributor to application security methodologies and a prominent industry think tank. Do you feel like Berezha Security has a strong connection with OWASP? That’s correct, and here’s why.

In Ukraine, OWASP has several chapters in the key cities. The Kyiv chapter was founded in 2017 by Vlad Styran, Berezha Security co-founder, and Ihor Bliumental, who has since joined Berezha Security as Application Security Lead. As our company shares similar views on application security and lists global security improvement as a part of its mission, we have been active OWASP supporters since then. Our consultants are often among the speakers at various OWASP events and webcasts, and Vlad has recently joined the global OWASP Chapter Committee. So it was a logical next step for Berezha Security to become a corporate member of OWASP Foundation.

If you follow our blog, you might have read about our plans to launch a new brand. We are listed in the OWASP member directory already under the new brand name – BSG. So don’t be surprised 🙂 Corporate membership is not only a public commitment to the information security industry but also a funding source for OWASP projects and global events. By the way, OWASP has recently announced discounted membership for start-ups, which allows newly founded companies (younger than two years) to become members on more favorable conditions. Well, unfortunately (or fortunately) Berezha Security is no longer a startup and is not eligible 🙂 

We encourage you to follow the OWASP events, use OWASP projects, support OWASP chapters, and get the most out of this powerful free source of knowledge on software security.

Stay up to date and take care.

First Steps When You Get Hacked

An experienced CISO knows that when talking about a security breach, the question starts not with “If…” but with “When…”. Indeed, it is predicted that in 2021 some company in the world will be hacked every 11 seconds, so your organization may be among them. Even if you expect it, that does not mean you are well-prepared and ready to react calmly and properly. Unfortunately, many Berezha Security customers come to us only after the breach, and we regret to observe that the situation was not handled well. So let us share several immediate practical steps you need to take when you discover a breach of your critical infrastructure.

The first immediate task after any breach is to regain control over your infrastructure. Usually, control over the critical components is stolen by compromising the administrative or superuser accounts. The first step is to change the passwords for ALL administrative accounts and switch on multi-factor authentication wherever possible. We also strongly recommend subsequently acquiring and implementing a physical token for the second factor, e.g., a YubiKey.

The next thing we recommend, if not yet done, is to switch on multi-factor authentication for all users. One option is a software token such as Google or Microsoft Authenticator. This will significantly reduce the impact of any user account being compromised.

As a longer-term measure, we recommend embedding a compromised-password check into the password change procedure, e.g., based on the Have I Been Pwned service. This is not a one-click effort, so if you need help with the implementation, we can definitely help.

Implement an intrusion detection system for the early discovery of further attacks. We would definitely recommend paying attention to the Thinkst Canary. It is an innovative trending tool that efficiently solves this task without spending huge budgets.

Perform a full scan of the critical infrastructure components, especially hosts, for malware or configuration changes. Schedule end-user scans to be run ASAP if you have a centrally managed anti-malware solution. Or instruct the users on how to run the scan if you don’t. 

Once you have taken back control of the infrastructure, minimized the impact on user accounts, and are prepared to react to any further attack attempt, you can deal with the next layer of actions: data recovery (if any data was lost), communication with users and customers about potential data breaches, evaluating the whole attack vector and removing the exploited vulnerabilities, etc. But first things first – get control back.
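One way to implement the compromised-password check from the steps above, as an added example that is not BSG’s own code: a small Python module for a password-change procedure, built on the k-anonymity model of the Have I Been Pwned “Pwned Passwords” range API. The client sends only the first five hex characters of the password’s SHA-1 digest, receives every suffix in that range together with its breach count, and does the comparison locally, so the password itself never leaves the organization. The sample response below is constructed for this example (the suffix for “password” is its real SHA-1 tail; the other suffixes and all counts are made up). The `fetch_range` function and the `Add-Padding` header are assumptions about the service based on its public documentation at the time of writing, and the function and constant names are the example’s own.

```python
"""Compromised-password check for a password-change flow (k-anonymity model).

Assumptions (labelled): the Have I Been Pwned "Pwned Passwords" range API takes
the first 5 hex chars of the uppercase SHA-1 of a password and returns lines of
the form SUFFIX:COUNT (35 hex chars, a colon, a decimal count). Only the 5-char
prefix ever leaves the client. SAMPLE_RANGE is constructed for this example and
is not real service output.
"""
import hashlib
import re
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"
_LINE_RE = re.compile(r"^([0-9A-F]{35}):(\d+)$")

# Constructed sample: the suffix on the second line is the real SHA-1 tail of
# "password" (SHA-1("password") = 5BAA61E4...68FD8); the other suffixes and all
# counts are made up. A count of 0 imitates the padding entries the service
# adds when the client sends "Add-Padding: true".
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "2D3F0B7C3A1E9F1C0C5A3E2B1D4F6A7B8C9:0\r\n"
    "\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict.

    Malformed lines raise ValueError so a truncated or tampered response fails
    loudly instead of silently letting a password through.
    """
    table: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"malformed range line: {line!r}")
        table[match.group(1)] = int(match.group(2))
    return table


def breach_count(password: str, range_text: str) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).

    Padding entries carry count 0 and therefore never flag a password.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (network; assumed endpoint). Only the 5-char prefix is sent.

    Add-Padding makes responses a similar size so the response length does not
    reveal how many real suffixes the range holds.
    """
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_change_allowed(password: str, range_text: str, fail_closed: bool = True) -> bool:
    """Policy hook for the password-change procedure: reject any password that
    has been seen in a breach. If the response cannot be parsed, fail closed
    by default (the change is refused rather than waved through)."""
    try:
        return breach_count(password, range_text) == 0
    except ValueError:
        return not fail_closed


if __name__ == "__main__":
    # Offline demonstration against the constructed sample. To check against
    # the live service, replace SAMPLE_RANGE with fetch_range(prefix).
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(candidate)
        print(candidate, "prefix", prefix, "seen", breach_count(candidate, SAMPLE_RANGE),
              "times; change allowed:", password_change_allowed(candidate, SAMPLE_RANGE))
```

The `fail_closed` default is the design choice worth noting: if the lookup fails or the response is corrupted, the password change is refused rather than silently accepted, which is the safer behaviour right after a breach, when the attacker may still be trying to re-set credentials.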

Of course, any of the steps can be executed using tools other than those mentioned; we have just provided examples of the most typical ones as of this post’s date. We wanted to make our advice practical and actionable, not just a list of correct but generic action items that most similar posts would provide. Berezha Security has no direct commercial connection to the mentioned vendors or solutions. However, we can help you with the recovery after the breach and further planning of remediation actions.

Stay calm, be prepared, and take care.

856 running hackers

It’s good to have a hobby. It’s better if you share it with someone. It’s even better when you share it with colleagues and rediscover your teammates. It turned out that part of the Berezha Security team enjoys running. So no wonder we decided to participate in one of Ukraine’s most remarkable sporting events – the Wizzair Kyiv City Marathon, held virtually in early November. Let’s see whose photo you like the most 🙂

The Berezha Security virtual running team consisted of Vlad Styran, Andriy Varusha, and Anatolii Bereziuk, who took the Half Marathon distance, and Serhii Korolenko, who ran his first official 10k. We want to congratulate Anatolii, who managed to do the Half in less than 2 hours and became the fastest on our team. And you can see us in the pictures below – tired but happy.

Of all sports, running is probably the most universally accessible. It gives you some time off the grid and allows you to concentrate on your inner self while challenging your outer limits. Who knows, maybe this year’s Kyiv Marathon was the beginning of a new runners club… Would you run with us?

Taking the chance, we would like to announce the creation of a runner’s club – 856 running hackers. We will be glad to see other people from the cybersecurity industry and just friends joining us in this hobby. We believe it will help us stay healthy and fit, contribute to good things (running events usually have charity goals), and inspire each other for better results. While we are adding this community to the social networks and sports trackers, you can already let us know if you’d like to join. “Two legs good, four legs better” – the famous quotation may have a fresh meaning. 1712 legs would be just good 🙂

Stay fit, healthy, and take care.