Global Cyber Security Spends The world seems to have undergone a decade’s worth of cybersecurity acceleration within a brief period of one year. And that shows in the cybersecurity spends made across the globe. Gartner has forecasted global Cyber Security Spends to remain on a growth trajectory, despite the worldwide pandemic, and touching $123 billion […]

Before proceeding with this methodology some SAP terminologies are to be understood: Client – A client is a 3-digit number that could be understood as a specific customer. This means that all business data within a client is protected from other clients. Each client has its own customer data, which can be considered as the […]

You can read Part 1 here.   It may be possible that multiple SAP servers could run across different systems. Identify all the servers before proceeding with the assessment. This is so, as all the SAP servers (could run the different or same set of modules) interact with each other, and compromising one could lead […]

SAP is a software suite that offers standard business solutions; it is used by thousands of customers across the globe to manage their businesses to manage financial, asset, and cost accounting, production operations and materials, personnel, and many more tasks. This blog post provides a methodological overview and a comprehensive approach for SAP penetration testing […]

You can read part-1 (Passive Subdomain Enumeration) here. Active sub-domain enumeration techniques Brute force or Dictionary Attacks Brute force means guessing possible combinations of the target until the expected output is discovered. So, in the subdomain context, the brute-forcing is to try the possible combination of words, alphabets, and numbers before the main domain in […]

What is sub-domain Enumeration? Subdomain enumeration is a process of finding subdomains for one or more domains. Why need sub-domain enumeration? Sub-domain enumeration helps to create a scope of security assessment by revealing domains/sub-domains of a target organization. Sub-domain enumeration increases the chance of finding vulnerabilities. The sub-domain enumeration helps us in finding the web […]

Introduction to DIFC Law No. 5 of 2020 Dubai International Financial Center (DIFC), Dubai’s financial services free zone, has issued a new Data Protection Law (DIFC Law No. 5 of 2020), replacing the current regime. The purpose of this law is to provide enhanced standards and controls for the processing and free movement of personal […]

A few months back, I was asked to perform a security assessment of the core banking setup for a bank. The core banking application was hosted on the IBM AS/400 mainframe system As part of my research on the subject, I gathered material related to IBM AS400 (also known as IBM i) and realized that: […]

Data exfiltration is a common data theft technique and most feared cyber-attack. it is a data breach that happens when a company’s or an individual’s data is copied, retrieved, or transferred from a system. Detection of data exfiltration is quite difficult because to adequately block download/upload of data to malicious applications without restricting access to […]

Introduction Phishing is a ray of light when every attempt to breach an organization fails. However, setting up a covert SMTP infrastructure for phishing is a time consuming and painful process. By a covert SMTP infrastructure, I mean an infrastructure: which has an ability to evade detection; typically to throw off blue teams which has […]