Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing

The password is dead.  Long live the password...

Passwords are bad.  We've known passwords are bad for decades, but the truth is that they're unlikely to go away for a very long time, even though we know all about their flaws. 

Read more
  • Detect and respond

The Software Supply Chain

There are many different ways in which supply chain attacks can impact your cyber security resilience.  We all appreciate that third-party service providers may have access to physical premises, or to technical infrastructure, and that a compromise of these providers can grant that access to an attacker.  If you have smaller, or less-mature, suppliers in your supply chain, we know that they may have immature information security practices.  Because we think about these areas a lot, most businesses have pretty mature processes aimed at managing these risks in their supply chains.   One area where we often see weakness in our customers, however, is in management of the software inventory and their software supply chain.

Read more
  • Penetration testing

Cyber security challenges facing schools

We all want our schools and educational institutions to be secure.  We all want to ensure that our children can learn and thrive in a safe environment, and that we keep their data protected from those who might misuse it.  Schools are under attack, though – almost constantly – from increasingly organised and sophisticated criminal gangs.

Read more
  • Penetration testing

Application testing and the OWASP Top 10

Quite often, a customer will ask us to "test our application against the OWASP Top 10". I'm going to start by saying that the OWASP Top 10 is a wonderful tool which has helped improve web application security globally since it first launched. But although it’s a common request to test applications against it, I think it's helpful to explain why it might not give you the security outcomes you want from a web application penetration test.

Read more
  • News

We're rebranding!

We're excited to announce that we're rebranding Cyberis as of 1 March 2022.  We've created a whole new brand identity, including a new logo, a refreshed colour palette and new brand pillars which represent who we are, and what we do for our customers. This was a big decision, and it's been a complex journey for us as a team.  So where did we start, and how did we get where we are now?

Read more
  • Detect and respond
  • Red teaming

Using Red Teaming to upskill detection and response teams

When we talk about red teaming, it's quite easy for people to understand the benefits of using attacker techniques in our approach when it comes to exploring a particular attack pathway and to see the benefits of identifying the chains of vulnerabilities that allow a compromise to happen.  Quite frequently, though, people underestimate how effective red teaming can be when it comes to upskilling detection and response teams. I'd like to give an example of how - run well - red teaming can be used to improve detection and response outcomes.  This is, of course, an anecdote, but it certainly gives an idea of how performance changes when teams are challenged in the right way.

Read more
  • Red teaming

How Red Teaming can help you identify systemic weaknesses and control gaps

Working with mature organisations, we use full chain attack simulations to identify high level weaknesses and control gaps that simply aren’t highlighted by standard approaches such as traditional penetration testing.

Read more
  • Research

CVE-2021-20047: DLL Search Order Hijacking Vulnerability

When looking for methods of execution in controlled environments, software components are an essential area of review. With the implementation of controls such as AppLocker, running arbitrary executables becomes more difficult. In most environments we test, AppLocker is now a common configuration implementation which serves to reduce the attack surface by defining the permitted locations an executable is allowed to run from.

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.