HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lmorandi

no profile record

Submissions

Ask HN: Have you performed a penetration test for your company?

4 points·by lmorandi·há 2 anos·4 comments

comments

lmorandi
·há 2 anos·discuss
I don't know if you ever hired or done a penetration test, but when someone uses a common vulnerability scanner to identify issues, that's called a VRA (Virtual Risk Assessment), which is way different as a penetration test. In a penetration test you are not only focusing on tools, but you also perform manual testing. common tools aren't able to find business logic vulnerabilities, and also they are not able to chain them.

I see you also mentioned digging into code (code review), which is a different service. In cybersecurity there are different branches, and I don't think you want a guy that "knows" how to do everything, cause that person is probably not an expert in any of the mentioned areas. a Penetration test it's not the same as a code review, and it's not the same as a VRA, and it's not the same as a Red Team. They all cover different things, and are meant to satisfy different needs.

Trust me, in cybersecurity you cannot be an expert in every area. So you better find a specialist for web apps and a specialist for code review if you need both. Same for infra, cloud, etc.

The only one that is simple is the VRA cause it only depends on running a vulnerability scanner and checking if the reported vulnerabilities aren't false positives. (but you need a license for that software and those are pretty expensive)
lmorandi
·há 2 anos·discuss
First of all, one of my advantages over larger firms like or smaller, well-established firms like Cure53 is my flexibility and personalized service. As a smaller entity I can offer quicker turnaround times and more direct communication with clients. So I can ensure that every aspect of the client’s security posture is thoroughly assessed personally by me. Additionally, while I'm currently a one-man band, I have a network of trusted and certified freelance professionals who can be brought in for either larger or urgent projects if needed. This allows me to scale without compromising on the quality and speed of the engagement. Not even mentioning that based on my experience, when you hire a penetration testing service from a big company you don't really know who's performing the pentest and sometimes it's being done by not really qualified people. (I know about some companies that outsource certain projects and they're not doing a good job at all, this means reporting non-sense findings, or not being able to properly address the impact/risk of them).

This being mentioned, I own well known cybersecurity certifications (for web apps and infra), I'm constantly developing my skills and I also have been awarded by different bug bounty programs. And planning to be a speaker soon!

Regarding the specialty, I'm not planning to focus on industrial control systems, but apart form that specific case, the approach of a pentest is the same for every web application, I mean, the pentest methodology is the same if you are testing a fintech, a bank, an insurance company, an ecommerce, or any other web app. You can show yourself as an expert in ecommerce, but in the background there's no difference at all, since the procedures and methodologies are the same.

As you may have realized, I'm gonna be focusing on web application penetration testing which is my specialty, at least at the beginning. But I have experience in either webapp, infra and mobile.

Thanks!
lmorandi
·há 3 anos·discuss
I understand it might be a pretty frustrating issue since it's difficult to evaluate companies when you don't have a background in marketing. I would say that the first step you can take is to get acquainted with how the growth marketing world works, not to become an expert at it but at least to know enough so you can tell who's bullshiting and who isn't, and the way to do it is just getting informed on the different main growth channels.

Check the following link where you can find brief summaries on how the top growth channels work: https://drive.google.com/drive/folders/1UGhUv97CjEpXHSbMH2Rk... If you need help understanding any of these channels just let me know and I would be happy to teach them to you and give you a hand.

The second best way to go once you actually understood how each channel works and whether your company is a high or low intent company, then you need to understand who you need on your team, if it's an influencer marketing expert or a SEO expert who's also generalist so he can execute other tasks aswell, which based on your company and yoour product, this last option is the best for you.

Now allow me to introduce myself, my name is Lautaro, I am a growth marketing specialist and a penetration tester, and I would be glad to help you on any of my areas of expertise. Here you can find my profile so we can be in touch: https://www.linkedin.com/in/lautaro-morandi/

Hope this helps and I wish you all the best with your launch!
lmorandi
·há 3 anos·discuss
What are the "problems" that you are facing right now and are difficult to solve?
lmorandi
·há 3 anos·discuss
If it's an HDD as you said, you can try a tool like recuva: https://www.ccleaner.com/recuva, and if it's not enough, if you have knowedge in linux you can try foremost which is a forensics tool, it's gonna take more time but it's way better than recuva because of the way it works.
lmorandi
·há 3 anos·discuss
Ussualy they collect device information such as make, model, OS, MAC Address and the browsing history. Also they can track social media information if you login with your google/facebook account.

They may use this information for marketing and advertising purposes, or sell it to Advertising companies, Third-Party Analytics Companies or even Government Authorities.
lmorandi
·há 3 anos·discuss
Yes, a VPN should do the work!
lmorandi
·há 3 anos·discuss
Oh it's not possible, I don't know why I thought it was. What are you interested in exactly, and what kind of knowledge do you have about networking and cybersecurity?
lmorandi
·há 3 anos·discuss
If you really want to learn about networking or want to improve your knowledge, I really recommend you to get into pentesting. You can learn from online platforms like tryhackme, where you have a lot of hands-on labs to learn about networking, AD, Linux, etc (even for begginers and advanced users). Also you have platforms like HackTheBox where you can practice your pentesting skills by hacking virtual machines prepared for that, simulating real scenarios. It's hard, but its fun and you learn a lot. You can use them to achieve the OSCP if you like.

If you are interested and want to know more about it just DM me, I'm a Pentester.

Hope it helps!
lmorandi
·há 3 anos·discuss
No it's not! I just accessed the site. Do you have a static IP address? if you don't, maybe you can try rebooting your router to get a different IP address. If that doesn't help you could try calling your ISP. It also can be related to DNS issues.
lmorandi
·há 3 anos·discuss
Think and Grow Rich written by Napoleon Hill is the book that had the biggest impact on me. By the name you would think that only talks about money and finance, but the real message is about the power of desire. I loved it and really changed my mind and the way of doing things. Really recommend it.
lmorandi
·há 3 anos·discuss
What does the PDF contain? Maybe this online tool is helpful for you, it converts PDF into Excel files: https://www.ilovepdf.com/es/pdf_a_excel

If it works you can extract the CSV from there.

Hope it helps!