Shadow IT in Stores and Branches: How to Stay Compliant

– By Bob Tarzey –

Branches are where the rubber still hits the road for many organisations; where retailers still do most of their selling, where much banking is still carried out and where health care is often dispensed. However, for IT managers, branches are outliers, where rogue activity is hard to curb; this means branches can become security and compliance black spots.

Branch employees may see fit to make their lives easier by informally adding to the local IT infrastructure, for example installing wireless access points purchased from the computer store next door. Whilst such activity could also happen at HQ, controls are likely to be more rigorous. What is needed is an ability to extend such controls to branches, monitoring network activity, scanning for security issues and detecting non-compliant activity before it has an impact.

(Original Article)

Pwnie Express’s “Pwn Pulse” SaaS Security Assessment Solution Gets Top Scores in Rigorous Security Audit

TrustedSec Tests First-of-Its-Kind Enterprise Remote Location Intelligence Platform

Boston, MA, October 21, 2014 – Pwnie Express today announced that its new Pwn Pulse software as a service (SaaS) solution scored top marks in a comprehensive security audit performed by leading security-consulting firm TrustedSec, LLC. An end-to-end security assessment solution designed specifically for hard-to-reach distributed remote sites, Pwn Pulse delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting. The enterprise-class offering uses Pwnie Express’s easy-to-deploy sensors combined with central management to provide highly scalable continuous intelligence across remote locations.

“We were very impressed with how Pwn Pulse compared to the security of most other SaaS platforms,” said Dave Kennedy, President and CEO of TrustedSec. “Pwnie Express is clearly paving the way to a new baseline security profile for SaaS.”

Enterprises across verticals have lauded Pwnie Express’s new Pwn Pulse software as a service (SaaS) solution, calling it “groundbreaking” for its ability to easily provide visibility across their remote locations. “Pwn Pulse allows us to have true policies in regards to our networks and computers and a true way to test them,” said Eric Gilbert, Manager of IT Operations for Black, Mann & Gramm, L.L.P, who took part in the Beta program. “It gives us the ability to not only have the policies on hardening our hardware but also a way to verify that it’s where it’s supposed to be.”

Pwnie Express CTO and Founder Dave Porcello welcomed the TrustedSec audit, remarking: “We are thrilled that Pwn Pulse performed so well after being pummeled by some of the top web application security pentesters in the industry. The fact that we scored so impressively with zero critical or high priority vulnerabilities validates our commitment to delivering a best-of-breed differentiated remote security assessment solution.”

Pwnie Express’s new SaaS solution completes the entire enterprise security assessment lifecycle. The solution delivers a robust centralized management console. It also easily and seamlessly integrates with existing security information and event management (SIEM) products. Product benefits include:

  • Provides a cost-effective lightweight, non-intrusive and easy-to-deploy solution for remote locations
  • Delivers the most comprehensive asset discovery to remote sites
  • Extends vulnerability management to remote sites
  • Enables subsequent on-demand penetration testing to remote sites
  • Allows for easy anywhere multi-site deployment
  • Increases frequency and scope of remote site assessment
  • Expands awareness of wired, wireless, BYOD and rogue devices across all sites
  • Addresses PCI DSS and HIPAA compliance requirements at remote sites
  • Reduces travel and operational overhead required to do security testing

Availability: Pwn Pulse is generally available. For more information please contact: (855) 793 – 1337


[Press Release]

10 Reasons Why Pwn Pulse Will Save You Time and Money

1. Real Time Wired, Wireless, and Bluetooth Asset Discovery

Pwn Pulse allows you to automatically discover both wired and wireless assets and helps security professionals locate rogue devices and create a comprehensive list of network devices and exceptions that may be noncompliant or harmful. Pulse detects wireless and Bluetooth devices, unlike software-agent-based solutions, so Pwn Pulse can let you actually “see all the things”.

2. Vulnerability Scanning and Validation

Runs a custom vulnerability scanner on a schedule determined by the user and visually displays aggregate data and trends while allowing technical users to drill down into the details. So you can know what’s out there to get you.

3. Penetration testing

Users can run custom scripts and assessments remotely through Pwn Pulse to further test and validate security gaps revealed by routine vulnerability scans. It’s the classic Pwnie pentesting experience.

4. Analysis of security information across a distributed network

Analytics allow users to visualize trends across the company and/or within a remote location, including a comprehensive view of assets and vulnerabilities discovered by specific sensors or groups of sensors. Results are graphically displayed on an intuitive dashboard. Because big data has taught us that more information is better… (but only when it’s organized well)

5. Frictionless Plug and play deployment

Easy to deploy without the need to install and manage agents, Pwnie Express sensors are plug-and-play, so employees in remote locations simply plug the sensors into the network. Pwn Pulse is the perfect solution for a company without technical resources at its remote sites – my grandmother could plug in a Pwnie sensor!

6. Centrally managed, easy-to-use graphic interface

Security professionals can both see its output and control its capabilities remotely. Pwn Pulse is designed to be integrated with Security Information and Event Management (SIEM) software, but even without SIEM software Pwn Pulse is the aesthetically pleasing way to assess security – anybody can see how beautifully secure your remote sites are.

7. Safe and Secure – even Dave Kennedy of TrustedSec thinks so!

Sensors are pre-configured to only communicate with their central management server, all communications and databases are encrypted, and all services are segmented to provide the highest level of defense. Because a security tool should be secure.

8. Customers love it!

You’re not the first one to use it, and people seem to like it so far:

  • It’s a “solution that allowed me to do these scans more frequently and without having to be onsite.”
  • “It allows us to have true policies in regards to our networks and computers and a true way to test that. It gives us the ability to not only have the policies on hardening our hardware but also a way to verify that it’s where it’s supposed to be.”
  • “It solves the pressing problem of continuous and comprehensive assessment of remote locations.”

9. Enterprise Capable

Pwn Pulse is designed to be a highly scalable solution capable of supporting thousands of sensors at remote locations. Each sensor reports back to its central console and users can remotely control individual sensors for penetration testing. This Pwnie grows with you.

10. It can find that *rogue* printer in your office

All jokes aside, wirelessly-connected printers are a problem.

*If you really want to read the dry stuff, Pwnie Express has also released a press release on Pwn Pulse.*



Derby Con and $100 Off

Did you watch the Pwnies on Security Weekly last week? No? Well then you missed out… and on more than a great show! Pwnie Express was offering $100 off an R3 to those who watched (which expires September 30). You can still catch the show (and the discount code) here or on the Security Weekly site.

Win a red Pwn Phone

Also, Derby Con 4.0 is coming up! September 24-28 in Louisville, Kentucky, and Pwnie Express will be on hand September 25-26 (and we might have stickers), so stop by the booth and say hello! We’ll be having a drawing for a free red Pwn Phone, one of only a few specially-made ones. In order to enter the drawing, stop by the booth and drop a business card. In addition, two of the Pwnies will be leading a workshop called “Make Your Own Pwn Phone” on Friday, Sept. 26 from 2:00pm – 4:00pm where you can, well, make your own Pwn Phone. We will not, however, be providing phones — so remember to bring your own Nexus 5 or Nexus tablet if you want to participate. In addition, we will be selling the “Pwn Pad DIY kit” and the “Pwn Pro DIY kit;” full kits with all adapters, case, velcro, etc. at the booth.

Crunching the Numbers: A Snapshot of Security

Here at Pwnie, we want to know just how we’re helping the industry. So we conducted a survey of you and your peers — hundreds of IT security professionals last month.

The survey found that 40.6 percent of you have no visibility into your wireless assets at remote sites. That’s right – zero. As wireless becomes omnipresent and businesses are increasingly distributed, often with hard-to-reach branch offices and remote sites, this could potentially spell disaster. TJX, anyone?

Additionally, the survey found that this may be because 43.9 percent of you are not even required to assess the wireless assets at your remote sites. And on top of it, even when assessments are taking place, 53.6 percent of the time they are only happening quarterly or less. The survey also revealed that despite increasing compliance mandates, including the Payment Card Industry Data Security Standard (PCI DSS), 51.8 percent of you said you did not conduct penetration tests at remote locations.

Many of you have expressed to us how you would like to do more penetration testing and have full visibility into both the wired and wireless assets at all of your locations. The intentions are there, and so were many of the open-source tools, but by packaging these tools we at Pwnie Express are trying to make it easier for the security community to effectively use them across the organization.

Here is the official press release.

Pwnie Express’s Dave Porcello and Vic Wheatman on Securing Branch Locations


Episode 20: Securing the Branch Location and Remote Sites

Hackers continue to go after the easiest target — the branch or remote office, be it a gas station, retail store, bank branch, local health clinic or the like.

Armed with the knowledge that organizations are increasingly distributed and most organizations’ budgets are allocated to headquarters, a branch or remote office often provides an easy access point for attackers.

Vic Wheatman speaks at Black Hat with Dave Porcello, CTO and founder of Pwnie Express, on what kinds of attack the organization should actually be concerned about.

Is it the advanced persistent threat or is it that unknown rogue access point? As you’ll hear from Porcello, your organization may have unbelievable security 99 percent of the time but it’s that one computer, or air conditioning duct, that often opens the door.


(Original Post)

Pwnie Express Targets Remote Locations With New Cloud-based Security

By Fahmida Y. Rashid

Pwn Pulse Combines “Hack-in-a-box” Sensors with Central Management for Remote Location Intelligence.

Pwnie Express, the experts behind the network security testing platform that powers the Pwn Pad, Pwn Plug, and Pwn Phone, have launched a software-as-a-service (SaaS) version. Called the Pwn Pulse, the platform allows network security professionals to deploy sensors and collect real-time information about the state of wired and wireless networks. Pwn Pulse allows real-time asset discovery for both wired and wireless assets, provides continuous vulnerability scanning, supplies penetration testing tools, and offers risk-trending and alerting capabilities, the Boston-based company said.


Pwnie Express Announces “Pwn Pulse” SaaS Security Assessment Solution

Enterprise-class Offering Combines Pwnie Express Sensors with Central Management for Remote Location Intelligence

Boston, MA, August 5, 2014 – Pwnie Express, the only company to assess wired and wireless network security in remote locations on demand, today announced the Pwn Pulse software as a service (SaaS) solution. The enterprise-class offering uses Pwnie Express’s easy-to-deploy sensors to provide highly scalable continuous intelligence.

An end-to-end security assessment solution designed specifically for hard-to-reach distributed remote sites, Pwn Pulse delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting.

(Original Article)

Security Pulse of the Company

The heart of any company is the headquarters. Organizations go to great lengths to protect this center of human and security activity, but like wearing a Kevlar vest to protect the vitals, securing just the headquarters is not enough. And even scarier? Until now, there was no cost-effective way of consistently monitoring the security of systems at your remote locations.

What is it?

That’s why Pwnie Express is releasing Pwn Pulse, a centralized SaaS solution that allows security teams to “see all the things” in their remote offices. Pwn Pulse gives users complete remote control over Pwnie’s innovative white hat “hack-in-a-box” sensors, allowing them to test security systems without travel or cumbersome bandwidth requirements.

What does it do?

Pwn Pulse automatically discovers all wired, wireless, and Bluetooth devices at a location, whether on the network or unknown. Give Pwn Pulse a schedule and it will run vulnerability scans from within the firewall at each remote location. More technical users can run custom scripts and assessments remotely through Pwn Pulse to further test security gaps revealed by routine vulnerability scans. And, if necessary, security professionals can remotely operate one-to-one penetration tests.

How does it look?

Most importantly, the Pulse dashboard presents the information in an intuitive format with analysis capabilities. In addition to seeing and controlling specific sensors, the Pulse dashboard allows the user to see the information across a set of sensors or locations so as to track broader company security trends.

That’s what makes Pwn Pulse so exciting! One-to-one asset discovery and penetration testing is useful, but we wanted to make those tools even better for defending against your attackers. Pulse gives you the most important protection: information. A better-informed security team can find the chinks in the armor and appropriately allocate resources where they’re most useful. Pwn Pulse lets you take the pulse of your organization, to properly diagnose the problem.

For more questions, please visit our website or the Pwn Pulse FAQ. Additionally, you can access the official press release here.