CompTIA PenTest+ PT0-001 & PT0-002 Study Notes

Pentest+ Logo

If you are studying for CompTIA Pentest+ you are welcome to download and use these following notes which I built while studying for the exam. If you notice any problems with the notes, please let me know!   General Pentesting Engagement Scoping Information Gathering Vulnerability Scanning Exploitation Process Pentest Tools Exploit Specifics Post Exploit Communication Processes

Read more

RSC Managed Small Business Website

3 Major Reasons Why Your Small Business Needs a Website More credibility and professionalism – Websites provide a sense of credibility and further establishes your brand as a professional service. Without a website most people will not acknowledge your products or services simply because it cannot be found online. Having a website gives you the opportunity to build a long-lasting online relationship with your clients. Giving them the reassurance they need to trust your brand. Increase in customer reach – Online shopping has blown up over the years- everything from computers and cars to food and services can all be found online nowadays. This means, the number in online shoppers have increased and since the internet doesn’t have a closing time, sales are growing even after hours! Because you are able to access a website almost anywhere at anytime, the reach has become much wider, allowing your business to globally…

Read more

Review of SolarWinds Impact and Brief Technical Summary

An image of the sun exploiding.

General Details SolarWinds is a publicly traded company worth $5.4B dollars that developing IT infrastructure management software products for small and medium-sized enterprises. Two separate pieces of malware known as SUPERNOVA and SUNBURST worked against vulnerabilities in SolarWind’s product Orion. The malware known as SUNBURST potentially allows an attacker to compromise the server on which the Orion products run. The manner in which SUNBURST malware was used against its victims resulted in it being labelled a “supply chain attack,” a technique in which an adversary uses malware to disrupt a companies ability to produce or deliver it’s products to customers. Although the term “supply chain attack” a broad term without a universally agreed upon definition, theoretically, the intended target of a supply chain attack is not necessarily the company whose network was breached and disrupted. For example, if an attacker wanted to disrupt operations of a large retail target such…

Read more

Cyber-Security ETFs and Individual Stocks

Image of stocks rising

In a previous article the impact of cyber-breach on stock prices and the value of cyber-insurance to corporations was reviewed. Ransomware and IT breaches are increasing, and the expectation is that more companies will turn to cyber-insurance, and also increase their IT security controls. Here is a list of cyber-security listed ETFs and a list of all the companies included in those ETFs with duplicates removed, along with a company description. CIBR – First Trust Nasdaq Cybersecurity ETF Includes 40 individual stocks comprising $3.58 billion in assets Includes other industries, such as aerospace and defense (FactSet) Concentrated with 10 largest making up 47% of market cap Two stars rating by Morningstar HACK – ETFMG Prime Cyber Security ETF Includes 59 individual stocks comprising $2.04 billion in assets Modified equal-weight scheme (not concentrated) with 10 largest making up 28.5% of the market cap HACK has “a unique, cybersecurity-focused take on the…

Read more

Cyber-Security’s Impact on Corporate America

IT Security and Stocks

Tale of the Tape Hackers have kicked some big time ass against major American companies in the past 10 years. JP Morgan Chase, Capital One, Equifax, Uber, LinkedIn, eBay are just a few of the large corporate victims. Just in 2021 many corporate IT hacks have made the headlines with the Colonial Pipeline hack being the most recent. Well, that was, until JBS a major American meat processing plant revealed it had also been breached just days ago. Colonial Pipeline CEO confirmed the company paid $4.4 million ransom.  CNA Financial, one of the largest insurance companies in the US, reportedly paid hackers $40 million after a ransomware attack. Information on whether Acer ended up paying the ransom for their breach in March 2021 seems hard to come by but, the initial ransom demand was $50 million and included a threat to increase the demand to $100 million. If Acer did…

Read more

The LockPicking Lawyer on Youtube is a highly skilled locker picking professional. His videos sure to amaze and are a wealth of knowledge to pentesters looking for physical penetration testing attacks. However, not all of his videos attack the keyway with a set of picks. His videos that use other technology to bypass locks and security devices tell a very interesting tale about the state of the art of technology. I have included some of his videos with a brief description, all of which demonstrate different aspects of lock bypassing. In the first video, you see a new device on the market which is specially designed to take images of the inside of a Kwikset Smartkey keyway. The product is from a company called LockTech LTKSD, and costs about $350 USD. The implication is that this could be used to quickly build a physical key that can work with a…

Read more

Privacy Protection From Big Brother (Google and Other Corporations) Google wants to know whether you change your underwear everyday. It’s that simple. They want to know everything about you. Part of your online security is not letting Google or others know everything about you. Why you may ask? Because they can sell that information to employers who want to conduct a background investigations, serve you targeted ads enticing you, and who knows what else.  While arguably this generates revenue to improve their products and services, it can also be considered an invasion of your privacy.  Individuals involved in activism, or other activities may have their physical security put be at risk (such as police informants). Your information being available online may be considered a high-risk. Geo Location Sniffing You may also notice some websites immediately requests to know your location when you visit them.  Well, the truth is that websites…

Read more

Everyone, their mom and dog has been confronted with Internet security. Everywhere in life; the mainstream media, workplace policies, and even casual social life includes news and warnings about cybersecurity. Facebook, Google, and Twitter are in the international news constantly being accused of privacy violations and of having a negative impact on younger people by changing their lifestyles to one of screen engagement. In addition to that, many people have had the personal experience of their online accounts or personal computer being hacked. On a national security level, just last week American oil pipeline company Colonial payed 4.4 million dollars to recover ransomed data. So, do we all need a deeper understanding of Internet / IT security? Yes. It’s is a big complicated field but also an important one for users to understand. So put your seat belt on and let’s do a deep dive into Internet security. What do…

Read more

Security Of The Alexa Top Sites

Introduction The Alexa Top Websites (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and compare the popularity of different websites (WikiPedia). In order to gauge the security posture of the internet as a whole mapping information from the Alexa Top Sites is useful. AlexaCheck.py assists by building a PostgreSQL database that stores header information from each website, the first listed resolved IP address, HTTP response code, and MX records. The header information also includes cookies that are passed during an initial connection. This approach was used to examine security of the Alexa Top Websites in a research paper CookiExt: Patching the Browser Against Session Hijacking Attacks. AlexaCheck.py can also accept a list of other domains you want to check for forced TLS encryption and inspect cookies and other header information. Specific HTTP Security Risks SSL/TLS Enforcement The Alexa Check database allows analysis of a particular website…

Read more