Contextual Security Solutions Blog
INFORMATION EVOLVES
SECURITY & COMPLIANCE BLOG
Breach-Parse Basics
Open source intelligence gathering, or OSINT, can be a threat to organizations because it can be used to gather information about their employees, assets, and vulnerabilities. This information can then be used to launch targeted scanning against discovered...
PCI DSS 3.2.1 to 4.0 Control Changes – Requirement 3
Today, let’s look at some changes made to Requirement 3 for PCI DSS 4.0. I am also adding “Why does this matter?” sections at the end of each control change to hopefully shed light on why it's important. Requirement 3 Changes In Requirement 3, we will find an...
Responder – The Tool That Won’t Die
Overview One of the most common findings we make at Contextual Security Solutions during internal penetration tests is the presence of vulnerable network protocols, like Link-local Multicast Name Resolution (LLMNR), Web Proxy Auto-Discovery (WPAD)...
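The excerpt above names the protocols Responder poisons on an internal network (LLMNR and WPAD; NBT-NS is the third one Responder typically targets, though the excerpt is cut off before listing it). The following PowerShell script is an added example, not code from the Contextual Security Solutions post, that audits the Windows settings which control whether a host will answer those requests, and optionally applies the registry-level fixes. The registry paths and value names are the ones Microsoft documents for the "Turn off multicast name resolution" policy, per-interface NetBIOS settings, and WinHTTP's DisableWpad value; the `-Fix` switch and the `$findings` reporting are my own conventions.

```powershell
# Added example (not from the original post): report whether this host still
# answers LLMNR, NBT-NS or WPAD requests, which is what Responder relies on.
# Run elevated. Read-only unless -Fix is given; -Fix writes the registry
# values and most of them take effect only after a reboot.
[CmdletBinding()]
param([switch]$Fix)

$findings = @()

# 1. LLMNR: the "Turn off multicast name resolution" policy stores
#    EnableMulticast = 0 under the DNSClient policy key. A missing value
#    means the default (enabled) applies.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += 'LLMNR is enabled (EnableMulticast is missing or non-zero)'
    if ($Fix) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 2. NBT-NS: NetbiosOptions = 2 disables NetBIOS over TCP/IP on an interface.
#    It is a per-interface setting, so every Tcpip_{GUID} subkey is checked.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled on $($iface.PSChildName) (NetbiosOptions=$opt)"
        if ($Fix) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    }
}

# 3. WPAD: two independent knobs. The WinHTTP Web Proxy Auto-Discovery service
#    (Start = 4 is "disabled"; it is set via the registry because Set-Service
#    is refused on this service on current Windows builds), and the DisableWpad
#    value Microsoft documents for turning WPAD off in WinHTTP.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
$svcStart = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
if ($svcStart -ne 4) {
    $findings += "WinHttpAutoProxySvc is not disabled (Start=$svcStart)"
    if ($Fix) { Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord }
}
$wpadKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$disableWpad = (Get-ItemProperty -Path $wpadKey -Name DisableWpad -ErrorAction SilentlyContinue).DisableWpad
if ($disableWpad -ne 1) {
    $findings += 'WinHTTP DisableWpad is not set to 1'
    if ($Fix) {
        New-Item -Path $wpadKey -Force | Out-Null
        Set-ItemProperty -Path $wpadKey -Name DisableWpad -Value 1 -Type DWord
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: LLMNR, NBT-NS and WPAD are all disabled on this host.'
} else {
    Write-Output 'Responder-relevant exposure found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Two caveats a practitioner will want: the per-interface NetBIOS value is reset when a DHCP server pushes NetBIOS settings, so in practice this is enforced through Group Policy or the DHCP scope rather than on each host; and none of this removes the underlying weakness, which is that a captured NTLM challenge-response can be cracked or relayed. Disabling the poisoning channels is what the post's finding asks for, but it sits alongside SMB signing and NTLM restrictions, not in place of them.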
PCI DSS 3.2.1 to 4.0 Control Changes – Requirement 2
Today, let’s look at changes made to Requirement 2 for PCI DSS 4.0. Requirement 2 Changes In Requirement 2, we will find our first PCI DSS new control for 4.0: In 3.2.1, the 2.x controls did not require roles to be defined. While role definition...
PCI DSS 3.2.1 to 4.0 Control Changes
Now that you are looking at your timeline, you may be wondering how you can get from where you are now, a sage of PCI DSS 3.2.1, to where you will need to be by 2024. The PCI DSS 4.0 Summary of Changes Using the PCI DSS Summary of Changes document, you can...
Don’t Deploy Vulnerabilities
We are constantly updating and evolving our deliverables in an effort to provide more context around our security services. With that in mind we have been tracking some metrics since 2020 that allow us to see why organizations remain vulnerable to compromise. One of...
BloodHound Basics
“Hacking” isn't magic, but sometimes it is presented that way. Much of penetration testing and “hacking” is learning the tools of the trade and how they work “under the hood.” In this series we hope to provide a high-level overview of common offensive tools, how they...
Exploiting the JMX Console (A slightly different path to compromise)
On a recent engagement, the client I was assessing had a relatively strong security posture. None of the old standby attacks were working. The client had disabled LLMNR and WPAD based on a previous security assessment, and all the client’s Windows machines were...
PCI DSS 4.0 Timeline
March 2022 forever changed the compliance landscape for all time. PCI DSS 4.0 was launched, the world was ushered into an era of bliss. Ok, seriously, bliss and compliance frameworks are, for most, not even in the same solar system. But, PCI DSS 4.0 is here and, for...
Intro to PCI DSS 4.0
Does your organization do anything with credit cards? Chances are you must be Payment Card Industry (PCI) compliant in some form or fashion. PCI compliance touches financial institutions, merchants, hardware and software vendors, managed support vendors, and a variety...