The Schellman Blog

Stay up to date with the latest compliance news from the Schellman blog.

KENT BLACKWELL

Kent Blackwell is a Director with Schellman. Kent has over 9 years of experience serving clients in a multitude of industries, including the Department of Defense and top cloud service providers. In this position, Kent leads test efforts against clients' web applications, networks, and employees through social engineering campaigns. Additionally, Kent works with Schellman's FedRAMP and PCI teams to ensure customers' compliance needs are met in a secure and logical manner.

FedRAMP | penetration testing

By: KENT BLACKWELL
July 8th, 2019

Though Amazon's Relational Database Service (RDS) can make hosting a database much easier, using it can also present new challenges, including some that crop up when you're trying to scan against security benchmarks or meet compliance requirements.

By: KENT BLACKWELL
February 18th, 2019

Phishing still steamrolls organizations

Phishing attacks rely on a single moment of inattention or ignorance. Follow a link and the results are front-page news. A strategy for combating these attacks on multiple fronts is vital. Alan R. Earls reports.

Pen Testing

By: KENT BLACKWELL
September 22nd, 2016

Many of the requests that we receive are limited in scope to Internet-facing assets. A true understanding of the threats facing your networks requires a complete evaluation of all possible threat vectors. So what kinds of vulnerabilities does an internal test find that an external test would miss? Schellman was recently engaged to perform an external and internal penetration test for a software development firm. The external test revealed very little about the company. Strong firewall rules opened only the most necessary ports (80 and 443) to the Internet. All external-facing servers were well patched, running modern operating systems, and lacked any exploitable vulnerability. However, the internal assessment told a completely different story. We began the test with no credentials on a "rogue device" that was placed on the internal network. A database server running an automation tool exposed a scripting console that allowed unauthenticated commands to be run on the underlying OS. A VBS script that downloaded an executable was run, followed by another VBS script that executed the shell program. With this foothold, we impersonated the token of a database administrator who also happened to be a Domain Administrator. A few commands later, we'd taken over the domain. If our client had only engaged us for an external test, none of this would have been found.

By: KENT BLACKWELL
July 6th, 2016

Activities related to Russian espionage could be found nearly everywhere in the past month. First, it was the season finale of "The Americans", then an NPR story on the evolution of Russian espionage, and finally it was revealed that the servers of the Democratic National Committee (DNC) had been breached by multiple Russian actors. Technical details about the attack remain scarce, but opinions are plentiful. Some attempts at attribution have placed the blame on traditional espionage by Russian intelligence assets, while individual actors have also claimed responsibility. In particular, an individual named "Guccifer 2.0" claimed responsibility for the hack and offered files stolen from the DNC as proof. In the coming weeks a more complete timeline will emerge, and more details about the vulnerability used to gain a foothold in the network will be revealed. It may be that more than one entity had access to the DNC data. In all likelihood, the vulnerability that provided the initial access will be one of a few common methods malicious actors use to gain access to a target network. Let's look at some of the vulnerabilities that could be to blame and talk about what your company can do to prevent these kinds of attacks from happening to your networks.