News & Press Releases

Pass-the-Hash is Dead: Long Live Pass-the-Hash

Date: July 31, 2014 Categories: Blog

You may have recently heard about how a new Microsoft patch has put pentesters “out of work.” Pass-the-hash is dead, attackers can no longer spread laterally, and Microsoft has finally secured its authentication mechanisms. But wait: This is a fully-patched Windows 7 system in a fully-patched Windows 2012 domain. So what’s going on here,

Hunting for Sensitive Data with the Veil-Framework

Date: July 22, 2014 Categories: Blog

Data mining available file shares for sensitive data is a staple of red teaming. We’ve found everything from password lists, to full employee directories, salary information, network diagrams and more, all due to network shares with incorrectly configured permissions. Veil-PowerView has a few functions (Invoke-Netview and Invoke-Sharefinder) that have helped us to quickly find and

5 Steps for Successful Initiation of an Ongoing Authorization Program

Date: July 21, 2014 Categories: Blog

After a recent influx of published guidance pertaining to the migration towards an industry-wide, risk management model predicated on the ability to empower organizations to conduct security authorizations of systems on an ongoing basis, including OMB M-14-03 and the National Institute of Standards and Technology (NIST) Supplemental Guidance on Ongoing Authorization (OA), a significant portion

Making Sense of Ongoing Authorization and Near-Real Time Risk Management

Date: July 17, 2014 Categories: Articles, Blog

Ongoing Authorization – What is it and how has it changed? Most can agree that quite a bit has changed in the world of cybersecurity since the White House and the Office of Management and Budget (OMB) released Circular No. A-130. This memorandum established the first recommended frequency at which federal departments and agencies would

Internal Web Application Discovery During Post-Exploitation

Date: July 15, 2014 Categories: Blog

Penetration testing is largely an exercise in discovery and problem solving. Testers need to be able to identify as many different machines, services, etc., running within the assessment scope (unless it’s been provided in a white box testing scenario), and then attempt to manipulate what they’ve discovered to their advantage. This could be through sending

5 Tips to Help you Prepare for PCI DSS 3.0 Compliance

Date: July 7, 2014 Categories: Blog

Credit card breaches are widespread and affect everyone from small and mid-size companies to global financial institutions to individual consumers. As Card Holder Data (CHD) becomes an increasingly prevalent target, service providers are integrating stronger security measures to protect their customer data. For these organizations, a concerted focus on improving their security processes, technology,

Veil-PowerView: A Usage Guide

Date: June 26, 2014 Categories: Blog

Veil-PowerView is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *” commands for normal users. While building pure PowerShell replacements to easily bypass this protection, we explored what else could be done with PowerShell from a domain and network situational awareness perspective. Drawing on

FedRAMP & PCI Assessment Similarities

Date: June 19, 2014 Categories: Blog, White Papers

Private organizations and Cloud Service Providers (CSPs) are required to abide by multiple federal and agency level requirements to ensure a reasonable and acceptable level of security exists within the organizational boundary. Depending on the business function, there are over 100 requirements these organizations are required to adhere to, including, but not limited to FedRAMP,

Veris Group, LLC, Certified As HITRUST Common Security Framework (CSF) Assessor

Date: June 18, 2014 Categories: Press Releases

For Immediate Release Veris Group now well-qualified to support healthcare organizations with data security, privacy, and compliance requirements Vienna, VA, June 18, 2014 — Veris Group, LLC, an industry-leading cybersecurity company, today announced that it has been designated as a Common Security Framework (CSF) Assessor by the Health Information Trust Alliance (HITRUST). Developed in collaboration

PowerUp Usage

Date: June 17, 2014 Categories: Blog

PowerUp is the result of needing a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks, .dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system. We’ve had the chance to test PowerUp in
