Cyberis Blog

Reassuringly clear thinking.

  • Attack surface discovery
  • Red teaming

Shadow IT and Technical Debt: The Adversary's Allies

Shadow IT increases your business' security risks and is invisible to you. It might not be covered on your asset lists, because your asset management lists are incomplete. It might have no assigned owner, either because it doesn't fit neatly into any business unit, or isn't related to any current operational priorities but hasn't been fully decommissioned yet. It might have been installed outside of usual processes, either without authorisation or because usual processes were overridden.

Read more
  • Penetration testing

Common TLS/SSL Issues And What They Mean

Whilst it may be tempting to support older protocol versions, such as TLS 1.0 or even SSLv3, to maximise compatibility with legacy systems, this does not come without serious security compromises. Older protocol implementations can have inherent weaknesses that undermine the security they offer. They can lack support for modern encryption algorithms used in more secure cipher suites and may be missing features implemented in later versions, specifically designed to mitigate against the shortcomings of the older protocol.

Read more
  • News
  • Red teaming

Cyberis Becomes CBEST Approved

Cyberis has announced that it is now an approved Penetration Testing provider under the Bank of England (BoE)'s CBEST scheme. CBEST is a framework run by the Bank of England through the industry body CREST that delivers controlled, bespoke, intelligence-led cyber security tests, to increase the resiliency of financial services organisations against cyber attacks. Regulators such as the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), have integrated the CBEST security assessment framework into their supervisory strategies.

Read more
  • News
  • Research

Domain Hijacking Via Logic Error - Gandi And Route 53 Vulnerability

On 12 February 2021, Cyberis identified a weakness in the domain transfer processes of Gandi which allowed any Nominet registry domain (including .co.uk and org.uk domains) registered with Gandi to be transferred out of the owner’s control and into the control of an arbitrary AWS Route 53 account, without any authorisation being provided by the owner of the domain. 

Read more
  • Cyber Essentials

Cyber Essentials De-Perimeterised

In 2004, a ragtag fugitive fleet of CISOs created an international group working to define and promote the concept of de-perimeterisation, known as the Jericho Forum. Ten years on, after many valuable contributions to the security industry, it was declared a success and was finally sunsetted in October 2013.  In the summer that followed, the UK Cyber Essentials scheme was launched – the Government-backed scheme designed to help organisations protect themselves against common online threats.  It rather heavily focused on the importance of well-configured boundary firewalls and border routers in the office and at home! If only the walls of the Jericho Forum had stayed up for a few more months!

Read more
  • Research

Code Roulette: Windows Internal Complexities

Since its inception, the Windows operating system has been a recognizable force within the IT industry and grew increasingly common throughout the 90's and 2000's. Features of the operating system have grown over the last 20 years in response to the changing needs within the industry and shifts in attitudes towards system management, user experience and scale. In the early 2000's Windows dominance was largely driven by a combination of a widely accepted end user experience, flexible server components and a centralized authentication, authorization and configuration solution, Active Directory. Whilst there were some alternatives, the reality was that there was no one stop solution for integration that could compete with Active Directory at scale and as most things are driven by business goals, Active Directory became the central hub of IT operations within a significant portion of the commercial and government markets.

Read more
  • Red teaming

The human cost of social engineering

In the security industry, we will often talk about people being the weak link. We spend our time outlining the ways that people will fail, or be fooled, or will be tricked. Of course it’s important that we, and our customers, understand the fallibility of people in any security assumptions we make. On the other hand, we also have a moral and ethical obligation to look after the very people we are targeting, and to avoid causing undue distress. “Social engineering” is a bloodless, sterile term. We call it “social engineering” because it covers a lot of different bases, and it sounds more professional than the alternative – “lying to people”, “abusing trust”, “betraying relationships”. These are tactics that adversaries use mercilessly and without consideration for the impact on the victims. If we are to accurately simulate the attack chain and the activities of adversaries, then we need to adopt these tactics as well.

Read more
  • News
  • Red teaming

Cyberis Achieves CREST STAR-FS Accreditation

Cyberis has become one of the first cyber security companies to receive accreditation for the CREST STAR-FS framework to deliver intelligence-led penetration testing for the financial sector. The Simulated Target Attack and Response (STAR) scheme has been developed by CREST to meet the needs of Regulators to better understand the current cyber security posture of regulated financial services companies and identify where improvements in security arrangements need to be applied.

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.

Contact us About Cyberis