Define Perimeter
It's surprising to us that people still define their network perimeter by their firewall, which is often the perceived demarcation point between the Internet and the Local Area Network (LAN). The fact of the matter is that the real demarcation point has nothing to do with the firewall at all. These days, the real demarcation point has more to do with the human element (you) than with technology in general.
I bring this up because the issue surfaces frequently during penetration testing engagements. Specifically, customers want penetration testing services against their perimeter, but they don't actually know what their perimeter is. Once we explain it to them, their perspective on what a penetration test is changes significantly and forever. Their perimeter is defined by any point that is accessible to an Internet-based attacker, but what does that really mean?
Clearly firewalls, web servers, email servers, FTP servers, etc. are accessible to an Internet-based attacker. But what about all of those services that businesses use on a daily basis that reach out to the Internet to collect data? What about what you are doing right now? You are likely reading this post in your web browser, which means that you've reached out from the safety of your LAN to our web server. What if I told you that this blog entry was specifically designed to exploit a vulnerability in your web browser and compromise your system? Yes, by reading this blog entry your computer just got hacked. (Not really, but imagine.)
Truth be told, your web browser is not the only technology that is vulnerable to this sort of attack. In fact, this is what defines a client-side attack. In this case the client is your web browser, but in other cases it might be your MP3 player, your email client, your smartphone, your PDF reader, or maybe even the update functionality in your anti-virus software. Anything and everything that reaches out to third-party networks from your network is a component of your network perimeter, and each of those things helps to define your total attack surface. If you're not including those types of tests when you receive penetration tests, then you're really only testing a very small fraction of your total attack surface. Considering the number of businesses that are compromised on a daily basis with client-side attacks, is that really something that you can afford to overlook? Just an idea…
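One practical way to put the point above into action is to let your own egress logs tell you what your client-side perimeter is: every piece of software that reaches out from the LAN and parses whatever comes back is a candidate for a client-side test. The script below is an added example, not code from the original post or from Netragard; it assumes a simplified, constructed proxy log format (timestamp, source host, quoted user agent, destination host) and illustrative user-agent patterns, and builds an inventory of client classes, the internal hosts running them, and the external destinations they talk to.

```python
"""
Inventory the client-side attack surface from egress proxy logs.

Assumption (constructed for this example): each log line has the form
    <timestamp> <src_host> "<user_agent>" <dest_host>
This is not a real proxy's log format, and the user-agent patterns are
illustrative, not a vendor-accurate fingerprint list.
"""
import re
from collections import defaultdict

# Constructed sample log lines; no real hosts or products are referenced.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.1.15 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0" blog.example.com
2024-05-01T09:00:05 10.0.1.15 "AcroReader/23.1 UpdateService" updates.pdfvendor.example
2024-05-01T09:01:10 10.0.1.22 "Microsoft Office/16.0 (Outlook)" mail.example.org
2024-05-01T09:02:33 10.0.2.40 "AVUpdater/4.2" defs.avvendor.example
2024-05-01T09:03:47 10.0.2.40 "Mozilla/5.0 (Macintosh) Safari/17.0" blog.example.com
2024-05-01T09:04:02 10.0.3.9 "MediaPlayer/12.0" radio.example.net
2024-05-01T09:05:18 10.0.1.15 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0" cdn.example.com
"""

# Order matters: the first matching pattern wins. Each class names a kind
# of software that consumes untrusted content from the remote side.
CLIENT_CLASSES = [
    ("web browser",  re.compile(r"Mozilla/|Firefox|Safari|Chrome")),
    ("PDF reader",   re.compile(r"AcroReader|PDF", re.I)),
    ("email client", re.compile(r"Outlook|Thunderbird")),
    ("AV updater",   re.compile(r"AVUpdater")),
    ("media player", re.compile(r"MediaPlayer")),
]

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, ua, dest = m.groups()
    return {"ts": ts, "src": src, "ua": ua, "dest": dest}


def classify(user_agent):
    """Map a user-agent string to a client class; unknown agents are kept, not dropped,
    because an unrecognised outbound client is still part of the perimeter."""
    for name, pattern in CLIENT_CLASSES:
        if pattern.search(user_agent):
            return name
    return "unclassified client"


def client_side_surface(log_text):
    """Return {client_class: {src_host: set(dest_hosts)}} for the whole log."""
    surface = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        surface[classify(rec["ua"])][rec["src"]].add(rec["dest"])
    return {cls: dict(hosts) for cls, hosts in surface.items()}


def summarize(surface):
    """One tuple per client class: (class, internal host count, distinct destination count)."""
    rows = []
    for cls in sorted(surface):
        hosts = surface[cls]
        dests = set().union(*hosts.values())
        rows.append((cls, len(hosts), len(dests)))
    return rows


if __name__ == "__main__":
    inventory = client_side_surface(SAMPLE_LOG)
    for cls, n_hosts, n_dests in summarize(inventory):
        print(f"{cls:20s} hosts={n_hosts} destinations={n_dests}")
```

Each row of the summary is a slice of the perimeter that a firewall-only test never touches; the per-host detail in `client_side_surface` is what you would hand to a tester to scope client-side testing, and the "unclassified client" bucket is worth reviewing first, since it is software nobody has yet accounted for.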
