
PENTESTIT. Practical Information Security: The Results of 2014, Part II

Hello to all our readers and to everyone interested in information security. In the previous article we began summing up the results of 2014 and described our training programs. In this article we briefly describe the company's public activities over the year and their results.

So, let's begin.

2014 began with PENTESTIT management presenting at the international “Cyber Security Forum 2014”. We spoke in two sections of the forum, talking about practical information security. The talks were lively and intense; the discussion of serious topics produced solutions to several pressing issues. On the sidelines of the event, agreements were reached on launching the first training program jointly with SkillFactory.
The next event in which our company took part was the Russian Internet Forum RIF + KIB 2014, where, in one of the sections, Luka Safonov, technical director of PENTESTIT, gave a talk on website security together with our partner Acronis.


PENTESTIT employees and Sergey Gordeychik, director of Positive Hack Days.

The landmark event came in May 2014, when PENTESTIT took part in the main Russian forum on practical information security, Positive Hack Days IV. Besides the talk by our employee Alexander “Sinister” Dmitrenko, which, incidentally, made the forum's top 5 talks, a pentest lab called “One Step Ahead” was deployed specifically for the event, and both forum visitors and hackers from different countries and continents took part in it. The tasks turned out to be difficult, and over the two days of PHDays IV everyone who wished could try their hand at ethical hacking. The lab imitated a real distributed corporate network of a fictional company. Incidentally, we will soon open the next, new “Test.lab” laboratory, which has been in development for a month already. In addition to current attack vectors and vulnerabilities whose exploitation requires “aerobatics”, the new pentest lab will get an attack map, which will make hacking the lab even more interesting and visual. Recall that our “Test.lab” laboratories differ from other hacking competitions in their realism: they fully imitate typical corporate networks with their characteristic vulnerabilities and misconfigurations. As always, participation in the lab is free. Follow the news in our VK group.

At the Samsung Mobility Forum 2014, together with Acronis, we set up a test bench demonstrating how insecure devices running Android can be. Our employees Luka Safonov and Konstantin Lesovoy demonstrated several current attack vectors against mobile devices: intercepting traffic, gaining access to sensitive data stored on the device, covertly using the camera and video remotely without the owner's knowledge, and so on.

In September 2014, at the invitation of the QA Club testers' community, we gave a talk on web application security at an event organized by Intel in Nizhny Novgorod. A warm welcome, a tour of Nizhny Novgorod and an audience of professionals did their part, and the talk was a success. There were many questions and arguments, but the experience our technical director passed on was well received. People still write to thank us and ask for advice, and that gives us the strength to move on. We would like to separately thank the members of QA Club and, in particular, Igor Pomentutov. We have a common goal and we will certainly achieve it. Thanks, friends. A video of the talk is available here.

In November 2014 we spoke at a seminar organized by SiteSecure, together with Qrator and Insales. The seminar turned out to be interesting and useful for online store owners. Maxim Lagutin of SiteSecure presented the results of a threat analysis, Andrey Bondarenko of Qrator covered countering DDoS attacks, and Insales employees shared their own experience managing online store projects. The seminar was quite positive, and the audience came away with confidence in tomorrow's day (from the word “day”, not “bottom”, as the Russian pun goes).

Dialogues #aboutInfoSec with PENTESTIT employees
Konstantin, you head the web application development department. As you know, web applications are one of the top targets for hackers. Aren't you afraid that one day some adversary will hack the website and penetrate your corporate network? Wouldn't that be a disaster for PENTESTIT?
Yes, undoubtedly, the hacking of one of our company's websites would hit the reputation both of the company as a whole and of the specialists of the web development department. Our company's experience and global information security practice have long proved that network resources cannot be secured 100%. I am talking about vulnerabilities that are unknown today. When developing web applications today, we take into account all modern attacks on the web and its surroundings, thereby ensuring their security and stability. And we do not forget to “tighten the screws” to ensure maximum protection against new attacks.
Konstantin Kovalev, head of web application development.

Maxim, tell us in a few words about the laboratories: what is the idea behind them, what do you develop them for, and are there any principles (rules)?
The idea of our laboratories is to create pentest environments based on corporate networks that are as close as possible to the networks of real companies. Into them we put certain configuration errors, vulnerable protocols, dangerous default settings, or simply unpatched vulnerable software; in general, things that are very common, in different variations, in most networks. Also, a laboratory is not just a set of so-called tasks: it has some scenario for passing it, and it is not always linear. Why do we do this? On the one hand, just for fun. On the other hand, it allows us to stay in shape. In trying to make the laboratory more interesting, we study new technologies ourselves. Of course, we follow new attack vectors and vulnerabilities. And the laboratory is a good opportunity to study under which configurations exploitation becomes possible, which factors influence it, and vice versa. This gives a deeper understanding of the “mechanics of occurrence” of these vulnerabilities. Also, we often reproduce in the laboratories what we have encountered in our audits, which adds realism. And, as practice shows, such laboratories work well both for beginners learning the practical aspects of information security and for mature specialists. It turns out that this kind of competition allows us to draw more people to the problems of information security and let them try their hand at practical pentesting. This impresses us a lot.
Maxim Mayorovsky, head of penetration testing laboratories development department.

Dmitry, your main task at PENTESTIT is developing the company. Obviously, high-quality products and services contribute to that development. In your opinion, are the services PENTESTIT provides of sufficiently high quality, and how much demand is there for them in the market?
Interesting question! I think I will not be prevaricating if I answer that our services meet all quality criteria, if such criteria can be applied to the information security field. Any work in our company is done very carefully and painstakingly. The advantage of the Russian market is that it is young and does not always receive services of the quality that everyone would like to see in everyday life or in business. You can enter any niche business, take your place in it and squeeze out the competitors simply because you do your job well and on time. There is no need to invent anything else. Unfortunately, most companies in our country cannot offer even such simple things. Our emphasis is on the quality both of the program itself and of its “presentation” for our students and trainees. It is important that a person understands and grasps everything, rather than receiving a “paper” and being able to come with it and, waving it like a magic wand, make his way to good wages and a warm seat. People must achieve everything with their intellect and determination. As for the second part of the question, due to the current geopolitical and economic situation both in our country and in the world as a whole, the information security direction is coming out of the shadow of IT and standing out as a separate, independent form not only of business, but of the sphere as a whole. Many universities in our country are opening departments in this area, giving free seminars and running specialized courses. All this puts me in a positive mood overall, but in most cases it is not professionals who work and teach in this area, but people of the old school, or very young people who have not yet smelled gunpowder.
I am sure that in the future there will be no problems with personnel, but this requires time and a base to rely on. For our part, we are promoting the growth of professional information security personnel in our country. There is both the “Zero Security: A” program for beginners and the Corporate Laboratories professional training program, and we are proud of them. The demand for information security services will grow more and more every year. The most important thing during this time is to educate a generation of Russian information security professionals and to implement all projects in our country by Russian companies only, without bringing in companies from Europe, the USA or China. I am convinced that we have a bright future.
Dmitry Panov, CBDO.

Luka, you often speak at conferences, seminars and forums. Why don't the rest of the staff speak? Do you have only two people in the company? Or maybe they don't know anything?
I speak mainly where our partners invite us, and they usually pick me from among our employees, more often because of personal acquaintance. Other employees speak too; for example, Alexander Dmitrenko spoke at PHDays (his talk made the top 5) and Konstantin Lesovoy spoke at the Samsung Mobility Forum. It is difficult to convey the thoughts of the “techies” in “simple language” to people in leading positions, and I am good at it, so I speak :)
Luka Safonov, CTO.

How do you see the company in 5 years? Which areas do you see as the most promising? And, most importantly, what is PENTESTIT for you?
We are not going to lose “momentum”: over the year we have done a great deal of work. It is difficult to say what will happen in 5 years, but year after year we will “grow” and move forward, of that I am sure. As for the prospects of our directions, everything we provide is promising; you just need to be patient and work a lot. On average it takes about half a year to get a direction on its feet. Absolutely all our areas are promising, but the most popular are the training program and security analysis. The rest are usually ordered in addition to the first two. What is PENTESTIT for me?.. It is difficult to answer unambiguously. It is just as if a father were asked a similar question about his son. A team, first of all a Team (with a capital letter), and also a way of self-realization. Hustle and sometimes sleepless nights (yes, I can't live without it), difficult questions, shared joy at successes and (it happens sometimes) admission of one's own mistakes. PENTESTIT is a complex mechanism with strict discipline. And whatever happens, PENTESTIT always remains a truly friendly team of like-minded people who are ready to solve the most complex tasks! Yes, that's right, and personally I am proud of what we have done.
Roman Igorevich Romanov, CEO.

On the "road"
That is the year PENTESTIT will remember. It was positive and intense. We have no doubt that 2015 will be even more successful for our company. Many are afraid of the crisis and do not want to take risks and responsibility, but we are looking forward to this time: it is a time of opportunity and big victories. See you soon!

Source: https://habr.com/ru/post/243989/