SlideShare a Scribd company logo

Lifeguard Works

M
Mark Wolfgang

Shorebreak Security pioneered continuous penetration testing in 2013 and this case study shows how Lifeguard works to narro the gap between vulnerability identification and remediation.

Internet
1 of 4
Download to read offline
Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                           Lifeguard  Works:    A  Case  Study  on  Customer  “X”       Background     Shorebreak  Security  completed  a  comprehensive  internal  and  external  penetration   test  in  August  of  2013  on  Customer  “X”,  a  very  successful,  privately  owned   Information  Technology  company.       In  February  of  2014  Customer  “X”  signed  up  for  Shorebreak  Security’s  Lifeguard   service  and  Shorebreak  Security  started  testing  the  network  daily.     The  following  is  a  timeline  of  major  events  and  lessons  learned  stemming  from  the   first  eight  months  of  Lifeguard  service.         February  2014:  Incomplete  Remediation     Despite  having  had  a  comprehensive  test  four  months  earlier,  our  engineers   discovered  the  existence  of  a  new,  externally  accessible,  root-­‐level  (administrative   access)  vulnerability.    This  vulnerability  was  identified  during  manual  penetration   testing,  and  would  not  have  been  identified  at  all  had  we  relied  on  vulnerability   scanning  alone.    Our  test  team  validated  the  vulnerability  by  exploitation,  and   gained  root  access  to  the  server.     The  customer  was  notified  via  text  message  and  email  right  away.     Customer  X’s  IT  staff  remediated  the  finding  and  the  Lifeguard  dashboard   automatically  notified  us  that  the  system  had  been  fixed.  Verification  testing,   however,  showed  that  the  fix  was  only  partially  effective,  and  that  the  vulnerability   was  still  exploitable.    The  customer  conducted  a  second  round  of  remediation,  and   upon  verification  we  were  able  to  successfully  “close”  the  finding  in  Lifeguard.     Despite  the  initially  incomplete  remediation,  this  entire  cycle  was  still  completed  in   less  than  24  hours.       March  2014:  Manual  Testing  uncovers  “0-­‐day”     Within  just  two  weeks  of  the  first  critical  finding,  manual  testing  identified  a   previously  unknown  vulnerability    (“zero  day’)  in  a  software  vendor’s  
Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                         authentication  system  within  a  web  application.    The  vulnerability  could  be   exploited  to  gain  root-­‐level  (administrative)  access  to  the  underlying  operating   system.         Customer  X  remediated  the  vulnerability  with  external  security  controls  within  24   hours.    We  immediately  conducted  testing  to  verify  the  fix,  and  the  vulnerability  was   successfully  closed.    The  Shorebreak  Team  then  drafted  a  security  advisory  and  sent   it  to  the  vendor  of  the  vulnerable  software,  so  that  a  patch  could  be  developed.         April  2014:  Reaction  to  OpenSSL  “Heartbleed”     The  OpenSSL  “Heartbleed”  vulnerability  was  made  public  in  April  of  2013.    Because   Lifeguard  scans  were  constantly  cataloging  hosts,  ports,  services  and  banners,  our   team  was  able  to  immediately  identify  vulnerable  hosts.    Within  hours,  Customer  X   was  notified  and  could  begin  remediation  efforts.       Validation  testing  showed  that  Customer  X’s  remediation  was  incomplete.    In  this   case,  the  vendor-­‐supplied  patches  had  been  applied  but  the  systems  were  not   rebooted,  leaving  the  systems  vulnerable.    Customer  X  was  notified  that  the   vulnerability  was  still  present  and  a  second  round  of  remediation  and  verification   testing  was  conducted  and  completed.     Customer’s  X’s  exposure  to  the  Heartbleed  vulnerability  was  less  than  48  hours  and   remediation  was  complete  before  most  vulnerability  scanner  vendors  had  published   new  signatures  to  check  for  the  vulnerability.         September  2014:  Reaction  to  the  “ShellShock”  vulnerability     The  critical  GNU  Bash  “shell  shock”  vulnerability  was  published  in  September  of   2014,  and  we  contacted  Customer  X  to  advise  them  on  the  issue  and  proceeded  to   conduct  testing  to  identify  vulnerable  systems.    Within  24  hours,  Customer  X  had   been  reassured  that  their  exposure  to  this  vulnerability  has  been  minimized.       October  2014:  New  Apps,  New  vulnerabilities     Two  additional  critical  findings  were  identified  as  the  network  configuration   changed  and  new  vulnerabilities  were  made  public.        
Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                         In  one  case,  manual  testing  discovered  that  a  new  web  application  had  been   deployed  with  a  manufacturer  default  admin  password.    In  another,  an  “SQL   injection”  vulnerability  was  identified  and  exploited,  resulting  the  ability  to  bypass   the  authentication  system  of  the  web  application  and  become  a  valid  user.       Both  vulnerabilities  were  reported  and  quickly  rectified.       Observations     On  average,  one  “critical”  finding  was  discovered  each  month.    Had  the  customer   waited  until  their  next  annual  penetration  test  to  identify  these  vulnerabilities,   criminal  hackers  or  other  adversaries  could  have  easily  compromised  network.     In  almost  every  case,  manual  testing  was  key  in  identifying  the  vulnerability.         In  many  cases,  the  customer  remediation  effort  was  insufficient  in  addressing  the   vulnerability.    Without  Lifeguard,  the  customer  would  have  believed  that  the   vulnerability  was  remediated,  but  in  reality  would  have  remained  exposed.       Why  Lifeguard  Works:     1) In  almost  every  case,  critical  vulnerabilities  were  identified  and  verified   through  manual  testing,  not  by  automated  scanners.           2) In  about  50%  of  the  cases,  the  customer’s  remediation  efforts  failed   verification  testing  and  needed  a  second  round  of  fixes  before  the   vulnerability  could  be  verified  as  completely  fixed.    Immediate  validation   “follow-­‐up”  testing  by  Shorebreak  Security  was  key  in  ensuring  that   vulnerabilities  were  no  longer  exploitable.       3) In  all  cases,  the  exposure  time  from  vulnerability  identification  to  verification   of  remediation  took  less  than  48  hours  -­‐  in  most  cases  less  than  24  hours.         4) Network  configuration  and  vulnerabilities  are  both  dynamic  variables  that   change  daily  and  continuously  create  new  vulnerable  conditions.    The  key   to  minimizing  risk  is  continuous  monitoring  -­‐  the  ability  to  quickly  identify,   remediate  and  validate  vulnerabilities.       5) The  test  team’s  ability  to  communicate  with  the  customer  before,  during,  and   after  remediation  was  crucial  in  ensuring  each  vulnerability  was  properly  
Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                         remediated.    Shorebreak  Security  became  a  trusted  partner  in  all  phases  of   Risk  mitigation.           6) In  eight  months  of  service,  Lifeguard’s  metrics  showed  Customer  X’s   management  and  technical  staff  a  quantifiable  return  on  investment  (ROI).   The  data  show  a  steady  decline  of  Risk  across  the  network  as   vulnerabilities  were  fixed,  and  that  exposure  times  from  identification  to   remediation  were  decreased.    Security  and  Risk  exposure  became  a  data   point  that  could  be  used  to  identify  weakness  and  show  improvements.       7) Our  customer’s  technical  staff  no  longer  had  to  spend  time  to  run   vulnerability  scanners  and  analyze  results  –  they  could  concentrate  on  their   primary  duties  and  rely  on  Shorebreak  Security  engineers  to  do  this  tedious,   but  very  important  work.         8) Our  customer’s  management  was  indicated  that  they  confident  that  they  had   an  accurate,  up-­‐to-­‐date  risk  assessment,  and  as  risk  changes,  they  would  be   notified  and  able  to  respond  appropriately.     9) Risk  –  as  measured  by  vulnerabilities,  impact  and  exposure  –  was  decreased!           About  Shorebreak  Security     We  are  a  veteran-­‐owned  small  business  providing  exceptionally  high-­‐quality,  high-­‐ value  Information  Security  consulting  services.         We  specialize  in  conducting  a  variety  of  relevant,  real-­‐world  Information  Security   tests  that  show  you  where  your  weaknesses  are.    We  translate  Information   Technology  risk  into  organizational  risk,  and  empower  you  to  make  informed   decisions     Contact  Us:     Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940   info@shorebreaksecurity.com  -­‐  1-­‐888-­‐838-­‐7311    

Recommended

The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
Continuous acceleration devopsdaysdc2015_corman
Continuous acceleration devopsdaysdc2015_cormanContinuous acceleration devopsdaysdc2015_corman
Continuous acceleration devopsdaysdc2015_cormandaachi
 
SQL Injection - The Unknown Story
SQL Injection - The Unknown StorySQL Injection - The Unknown Story
SQL Injection - The Unknown StoryImperva
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsAttack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsClare Nelson, CISSP, CIPP-E
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 Aaron Rinehart
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 

Recommended

The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
Continuous acceleration devopsdaysdc2015_corman
Continuous acceleration devopsdaysdc2015_cormanContinuous acceleration devopsdaysdc2015_corman
Continuous acceleration devopsdaysdc2015_cormandaachi
 
SQL Injection - The Unknown Story
SQL Injection - The Unknown StorySQL Injection - The Unknown Story
SQL Injection - The Unknown StoryImperva
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsAttack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsClare Nelson, CISSP, CIPP-E
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 Aaron Rinehart
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryTechWell
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept*****Dominic A Ienco
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
We explain the security flaw that's freaking out the internet
We explain the security flaw that's freaking out the internetWe explain the security flaw that's freaking out the internet
We explain the security flaw that's freaking out the internetaditi agarwal
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in icsMayur Mehta
 
Classification of vulnerabilities
Classification of vulnerabilitiesClassification of vulnerabilities
Classification of vulnerabilitiesMayur Mehta
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonClare Nelson, CISSP, CIPP-E
 
Security Hands-On - Splunklive! Houston
Security Hands-On - Splunklive! HoustonSecurity Hands-On - Splunklive! Houston
Security Hands-On - Splunklive! HoustonSplunk
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash
 
Applying principles of chaos engineering to serverless (CodeMesh)
Applying principles of chaos engineering to serverless (CodeMesh)Applying principles of chaos engineering to serverless (CodeMesh)
Applying principles of chaos engineering to serverless (CodeMesh)Yan Cui
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Sonatype
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019Appsecco
 
Cloud Application Security Service
Cloud Application Security ServiceCloud Application Security Service
Cloud Application Security ServiceBriskinfosec Technology and Consulting
 

More Related Content

What's hot

Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryTechWell
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept*****Dominic A Ienco
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
We explain the security flaw that's freaking out the internet
We explain the security flaw that's freaking out the internetWe explain the security flaw that's freaking out the internet
We explain the security flaw that's freaking out the internetaditi agarwal
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in icsMayur Mehta
 
Classification of vulnerabilities
Classification of vulnerabilitiesClassification of vulnerabilities
Classification of vulnerabilitiesMayur Mehta
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonClare Nelson, CISSP, CIPP-E
 
Security Hands-On - Splunklive! Houston
Security Hands-On - Splunklive! HoustonSecurity Hands-On - Splunklive! Houston
Security Hands-On - Splunklive! HoustonSplunk
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash
 
Applying principles of chaos engineering to serverless (CodeMesh)
Applying principles of chaos engineering to serverless (CodeMesh)Applying principles of chaos engineering to serverless (CodeMesh)
Applying principles of chaos engineering to serverless (CodeMesh)Yan Cui
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Sonatype
 

What's hot (20)

Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application Security
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
We explain the security flaw that's freaking out the internet
We explain the security flaw that's freaking out the internetWe explain the security flaw that's freaking out the internet
We explain the security flaw that's freaking out the internet
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in ics
 
Classification of vulnerabilities
Classification of vulnerabilitiesClassification of vulnerabilities
Classification of vulnerabilities
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
 
Security Hands-On - Splunklive! Houston
Security Hands-On - Splunklive! HoustonSecurity Hands-On - Splunklive! Houston
Security Hands-On - Splunklive! Houston
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
Applying principles of chaos engineering to serverless (CodeMesh)
Applying principles of chaos engineering to serverless (CodeMesh)Applying principles of chaos engineering to serverless (CodeMesh)
Applying principles of chaos engineering to serverless (CodeMesh)
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
 

Similar to Lifeguard Works

Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019Appsecco
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Vulnerability Testing Services Case Study
Vulnerability Testing Services Case StudyVulnerability Testing Services Case Study
Vulnerability Testing Services Case StudyNandita Nityanandam
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfElanusTechnologies
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application AuthenticationRapidValue
 
Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails Ashley Finden
 
CV_case-study_cryptolocker_web
CV_case-study_cryptolocker_webCV_case-study_cryptolocker_web
CV_case-study_cryptolocker_webJeff Geissler
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020Appsecco
 
Penetration Testing Services - Redfox Cyber Security
Penetration Testing Services - Redfox Cyber SecurityPenetration Testing Services - Redfox Cyber Security
Penetration Testing Services - Redfox Cyber SecurityKaran Patel
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability ScanShawn Jordan
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
Phases of Penetration Testing
Phases of Penetration TestingPhases of Penetration Testing
Phases of Penetration TestingKiwiQA
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxAardwolf Security
 

Similar to Lifeguard Works (20)

Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019
 
Cloud Application Security Service
Cloud Application Security ServiceCloud Application Security Service
Cloud Application Security Service
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Vulnerability Testing Services Case Study
Vulnerability Testing Services Case StudyVulnerability Testing Services Case Study
Vulnerability Testing Services Case Study
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
 
Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails
 
CV_case-study_cryptolocker_web
CV_case-study_cryptolocker_webCV_case-study_cryptolocker_web
CV_case-study_cryptolocker_web
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
 
Penetration Testing Services - Redfox Cyber Security
Penetration Testing Services - Redfox Cyber SecurityPenetration Testing Services - Redfox Cyber Security
Penetration Testing Services - Redfox Cyber Security
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability Scan
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Phases of Penetration Testing
Phases of Penetration TestingPhases of Penetration Testing
Phases of Penetration Testing
 
Understanding IEC 62304
Understanding IEC 62304Understanding IEC 62304
Understanding IEC 62304
 
IRP on a Budget
IRP on a BudgetIRP on a Budget
IRP on a Budget
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 

Recently uploaded

SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...Varun Mithran
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodierahman018755
 
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...mikehavy0
 
Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsrahman018755
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.Tortogel
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书A
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样AS
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...musaddumba454
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfe-Market Hub
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样Fi
 
I’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 ShirtI’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 Shirtrahman018755
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理A
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理AS
 
AI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model GeneratorAI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model Generator3DailyAI1
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsrahman018755
 
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic ManagementBeyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Managementseank14
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样AS
 

Recently uploaded (20)

SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodie
 
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
 
Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirts
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
GOOGLE Io 2024 At takes center stage.pdf
GOOGLE Io 2024 At takes center stage.pdfGOOGLE Io 2024 At takes center stage.pdf
GOOGLE Io 2024 At takes center stage.pdf
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
 
I’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 ShirtI’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 Shirt
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 
AI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model GeneratorAI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model Generator
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic ManagementBeyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 

Lifeguard Works

  • 1. Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                           Lifeguard  Works:    A  Case  Study  on  Customer  “X”       Background     Shorebreak  Security  completed  a  comprehensive  internal  and  external  penetration   test  in  August  of  2013  on  Customer  “X”,  a  very  successful,  privately  owned   Information  Technology  company.       In  February  of  2014  Customer  “X”  signed  up  for  Shorebreak  Security’s  Lifeguard   service  and  Shorebreak  Security  started  testing  the  network  daily.     The  following  is  a  timeline  of  major  events  and  lessons  learned  stemming  from  the   first  eight  months  of  Lifeguard  service.         February  2014:  Incomplete  Remediation     Despite  having  had  a  comprehensive  test  four  months  earlier,  our  engineers   discovered  the  existence  of  a  new,  externally  accessible,  root-­‐level  (administrative   access)  vulnerability.    This  vulnerability  was  identified  during  manual  penetration   testing,  and  would  not  have  been  identified  at  all  had  we  relied  on  vulnerability   scanning  alone.    Our  test  team  validated  the  vulnerability  by  exploitation,  and   gained  root  access  to  the  server.     The  customer  was  notified  via  text  message  and  email  right  away.     Customer  X’s  IT  staff  remediated  the  finding  and  the  Lifeguard  dashboard   automatically  notified  us  that  the  system  had  been  fixed.  Verification  testing,   however,  showed  that  the  fix  was  only  partially  effective,  and  that  the  vulnerability   was  still  exploitable.    The  customer  conducted  a  second  round  of  remediation,  and   upon  verification  we  were  able  to  successfully  “close”  the  finding  in  Lifeguard.     Despite  the  initially  incomplete  remediation,  this  entire  cycle  was  still  completed  in   less  than  24  hours.       March  2014:  Manual  Testing  uncovers  “0-­‐day”     Within  just  two  weeks  of  the  first  critical  finding,  manual  testing  identified  a   previously  unknown  vulnerability    (“zero  day’)  in  a  software  vendor’s  
  • 2. Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                         authentication  system  within  a  web  application.    The  vulnerability  could  be   exploited  to  gain  root-­‐level  (administrative)  access  to  the  underlying  operating   system.         Customer  X  remediated  the  vulnerability  with  external  security  controls  within  24   hours.    We  immediately  conducted  testing  to  verify  the  fix,  and  the  vulnerability  was   successfully  closed.    The  Shorebreak  Team  then  drafted  a  security  advisory  and  sent   it  to  the  vendor  of  the  vulnerable  software,  so  that  a  patch  could  be  developed.         April  2014:  Reaction  to  OpenSSL  “Heartbleed”     The  OpenSSL  “Heartbleed”  vulnerability  was  made  public  in  April  of  2013.    Because   Lifeguard  scans  were  constantly  cataloging  hosts,  ports,  services  and  banners,  our   team  was  able  to  immediately  identify  vulnerable  hosts.    Within  hours,  Customer  X   was  notified  and  could  begin  remediation  efforts.       Validation  testing  showed  that  Customer  X’s  remediation  was  incomplete.    In  this   case,  the  vendor-­‐supplied  patches  had  been  applied  but  the  systems  were  not   rebooted,  leaving  the  systems  vulnerable.    Customer  X  was  notified  that  the   vulnerability  was  still  present  and  a  second  round  of  remediation  and  verification   testing  was  conducted  and  completed.     Customer’s  X’s  exposure  to  the  Heartbleed  vulnerability  was  less  than  48  hours  and   remediation  was  complete  before  most  vulnerability  scanner  vendors  had  published   new  signatures  to  check  for  the  vulnerability.         September  2014:  Reaction  to  the  “ShellShock”  vulnerability     The  critical  GNU  Bash  “shell  shock”  vulnerability  was  published  in  September  of   2014,  and  we  contacted  Customer  X  to  advise  them  on  the  issue  and  proceeded  to   conduct  testing  to  identify  vulnerable  systems.    Within  24  hours,  Customer  X  had   been  reassured  that  their  exposure  to  this  vulnerability  has  been  minimized.       October  2014:  New  Apps,  New  vulnerabilities     Two  additional  critical  findings  were  identified  as  the  network  configuration   changed  and  new  vulnerabilities  were  made  public.        
  • 3. Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                         In  one  case,  manual  testing  discovered  that  a  new  web  application  had  been   deployed  with  a  manufacturer  default  admin  password.    In  another,  an  “SQL   injection”  vulnerability  was  identified  and  exploited,  resulting  the  ability  to  bypass   the  authentication  system  of  the  web  application  and  become  a  valid  user.       Both  vulnerabilities  were  reported  and  quickly  rectified.       Observations     On  average,  one  “critical”  finding  was  discovered  each  month.    Had  the  customer   waited  until  their  next  annual  penetration  test  to  identify  these  vulnerabilities,   criminal  hackers  or  other  adversaries  could  have  easily  compromised  network.     In  almost  every  case,  manual  testing  was  key  in  identifying  the  vulnerability.         In  many  cases,  the  customer  remediation  effort  was  insufficient  in  addressing  the   vulnerability.    Without  Lifeguard,  the  customer  would  have  believed  that  the   vulnerability  was  remediated,  but  in  reality  would  have  remained  exposed.       Why  Lifeguard  Works:     1) In  almost  every  case,  critical  vulnerabilities  were  identified  and  verified   through  manual  testing,  not  by  automated  scanners.           2) In  about  50%  of  the  cases,  the  customer’s  remediation  efforts  failed   verification  testing  and  needed  a  second  round  of  fixes  before  the   vulnerability  could  be  verified  as  completely  fixed.    Immediate  validation   “follow-­‐up”  testing  by  Shorebreak  Security  was  key  in  ensuring  that   vulnerabilities  were  no  longer  exploitable.       3) In  all  cases,  the  exposure  time  from  vulnerability  identification  to  verification   of  remediation  took  less  than  48  hours  -­‐  in  most  cases  less  than  24  hours.         4) Network  configuration  and  vulnerabilities  are  both  dynamic  variables  that   change  daily  and  continuously  create  new  vulnerable  conditions.    The  key   to  minimizing  risk  is  continuous  monitoring  -­‐  the  ability  to  quickly  identify,   remediate  and  validate  vulnerabilities.       5) The  test  team’s  ability  to  communicate  with  the  customer  before,  during,  and   after  remediation  was  crucial  in  ensuring  each  vulnerability  was  properly  
  • 4. Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940,   info@shorebreaksecurity.com                                                                                         remediated.    Shorebreak  Security  became  a  trusted  partner  in  all  phases  of   Risk  mitigation.           6) In  eight  months  of  service,  Lifeguard’s  metrics  showed  Customer  X’s   management  and  technical  staff  a  quantifiable  return  on  investment  (ROI).   The  data  show  a  steady  decline  of  Risk  across  the  network  as   vulnerabilities  were  fixed,  and  that  exposure  times  from  identification  to   remediation  were  decreased.    Security  and  Risk  exposure  became  a  data   point  that  could  be  used  to  identify  weakness  and  show  improvements.       7) Our  customer’s  technical  staff  no  longer  had  to  spend  time  to  run   vulnerability  scanners  and  analyze  results  –  they  could  concentrate  on  their   primary  duties  and  rely  on  Shorebreak  Security  engineers  to  do  this  tedious,   but  very  important  work.         8) Our  customer’s  management  was  indicated  that  they  confident  that  they  had   an  accurate,  up-­‐to-­‐date  risk  assessment,  and  as  risk  changes,  they  would  be   notified  and  able  to  respond  appropriately.     9) Risk  –  as  measured  by  vulnerabilities,  impact  and  exposure  –  was  decreased!           About  Shorebreak  Security     We  are  a  veteran-­‐owned  small  business  providing  exceptionally  high-­‐quality,  high-­‐ value  Information  Security  consulting  services.         We  specialize  in  conducting  a  variety  of  relevant,  real-­‐world  Information  Security   tests  that  show  you  where  your  weaknesses  are.    We  translate  Information   Technology  risk  into  organizational  risk,  and  empower  you  to  make  informed   decisions     Contact  Us:     Shorebreak  Security,  8635  Holiday  Springs  Road,  Melbourne  FL  32940   info@shorebreaksecurity.com  -­‐  1-­‐888-­‐838-­‐7311