A Modern Approach to Cybersecurity Testing

The Problem

Modern organisations are constantly at risk from cybercriminals. Keeping everything up to date and locked down is a fundamental part of cybersecurity, but things can be missed and risk can be introduced to your systems unintentionally.

To ensure that these weaknesses can be found and fixed quickly, it's critical that the security of your systems is tested constantly.

Traditional cybersecurity testing such as penetration testing is often conducted annually, but that isn't in line with the way systems and applications are developed. Regular changes and updates to systems can introduce risks faster than an annual test can detect them.

Our Solution

We constantly assess your online systems for security weaknesses.

AkimboCore offers Always-on Security Testing. This is a modern approach to cybersecurity testing that offers the benefits of penetration testing but is more effective, as we apply human intelligence to the interesting parts and develop application-specific automation engines for the mundane parts.

This allows us to test more frequently, more efficiently, and much more effectively when compared to traditional penetration testing.

We provide information about your security stance through an online platform that allows you to view the security testing that's taking place, see your organisation's current level of risk, and gain assistance in remediating discovered security issues.

Always-on Security Testing: Features

State of the Union

A dashboard shows the current security stance of your organisation, including outstanding issues as well as the ongoing security testing work being conducted.

Attack Surface Monitoring

New systems are highlighted within the dashboard to ensure they aren't unintentionally omitted from the testing scope.

Vulnerability Alerts

Security issues are communicated through the dashboard as they are discovered. High-risk issues trigger vulnerability alerts so that critical findings aren't missed.

About AkimboCore

We are a cybersecurity testing company with an aim:

To work hard on the interesting problems
and to automate the mundane ones.

We find security flaws in systems by combining penetration testing activities and bespoke automation. Our goal is to be more effective than vulnerability scanning and more efficient than penetration testing.

We deliver this through an online platform which makes monitoring, managing, and controlling security testing easy.

Looking to learn more about Cybersecurity?

Content Security Policy

In our post on Finding and Fixing Cross-site Scripting, we recommended the use of Content Security Policy (CSP) to mitigate the effects of this vulnerability. CSP lets you set up an allow list of resource locations (such as scripts) for your web pages, which instructs the browser to block any script that does not come from an authorised source. The catch is that every resource location you rely on has to be on that allow list, or the browser will block the resource.
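The allow-list behaviour described above, as an added example that is not part of the original post: a simplified evaluator that parses a CSP header and reports which script URLs the script-src directive would permit, so a policy can be checked against the scripts a page really loads before it ships. The hosts (app.example.com, cdn.example.com, analytics.example.net, unlisted.example) and both policies are constructed for illustration.

```javascript
// Added example, not code from the AkimboCore post: a simplified CSP
// script-src evaluator. Supported source forms: 'none', 'self', '*',
// scheme-only (https:) and host-source with optional scheme, "*." wildcard
// and port. Paths, nonces, hashes and 'strict-dynamic' are ignored.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function sourceMatches(source, script, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return script.origin === page.origin;
  if (source === '*') return /^https?:$/.test(script.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return script.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*']+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // keyword or form this evaluator does not model
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (script.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (script.protocol !== page.protocol && script.protocol !== 'https:') {
    return false; // no scheme listed: same scheme as the page, or https
  }
  const h = script.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  const effectivePort = script.port || (script.protocol === 'https:' ? '443' : '80');
  return port === undefined || port === '*' || port === effectivePort;
}

// true if script-src (falling back to default-src) permits scriptUrl on pageUrl.
function isScriptAllowed(header, scriptUrl, pageUrl) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no applicable directive, so nothing is blocked
  const script = new URL(scriptUrl), page = new URL(pageUrl);
  return sources.some((src) => sourceMatches(src, script, page));
}

// Constructed policies and URLs for illustration (not real hosts).
const PAGE = 'https://app.example.com/account';
const WEAK_POLICY = "default-src 'self'; script-src *"; // any host may run scripts
const STRICT_POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com";

// Map each script URL to whether the policy would let it run on PAGE.
function checkPolicy(header, scripts, page = PAGE) {
  return Object.fromEntries(scripts.map((u) => [u, isScriptAllowed(header, u, page)]));
}
```

Under STRICT_POLICY a legitimately needed but unlisted script (analytics.example.net) is blocked, which is exactly the deployment catch the post describes; under WEAK_POLICY every https host is permitted, so the policy no longer mitigates injected scripts.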

Read More

Breaking Enterprise Wireless

In our previous posts we discussed how WEP is completely broken, known weaknesses in WPA, and bruteforcing WPA using AWS. This time we look at "Enterprise" wireless security: networks protected with EAP, the Extensible Authentication Protocol.

Read More

Hashcracking with AWS

In a previous post, I showed the steps to capture a WPA handshake and crack it using Hashcat. On my tiny travel laptop I achieved 416H/s, which is…slow.

AWS offers “GPU Optimized” EC2 instances:

  • g4dn.xlarge – $0.53 per hour
  • g3s.xlarge – $0.75 per hour
  • p3.16xlarge – $24.48 per hour (that’s ~$18,000 per month!)

Read More

Wireless Security: WPA

We previously spoke about WiFi security and how utterly broken WEP is. Now it’s time to take a look at WPA and WPA2 bruteforcing. This isn’t the only weakness of these protocols – but weak keys are common.

Read More

Wireless Security: WEP

It’s well known that the WiFi security protocol WEP is broken. It’s been broken for years. However, if we’re writing a series on wireless security we should start at the beginning. Whilst it stands for Wired Equivalent Privacy, it hardly lives up to its name.

WiFi comes under the IEEE 802.11 family. WEP was part of the original standard and was quickly superseded by WPA – WiFi Protected Access.

Read More

Finding and Fixing DOM-XSS

We’ve previously written about Reflected and Stored Cross-site Scripting; this time we want to tackle DOM-Based Cross-site Scripting, or DOM-XSS for short. The exploitation of DOM-XSS is frequently very similar to Reflected Cross-site Scripting, where the payload is carried in the URL and exploitation occurs when a user is tricked into clicking the link, such as through a phishing email, but we’ll break it down step by step.

Read More
