By Chris Green, Structured Security Engineer, CISSP-ISC2, CISA ISACA, QSA PCI SSC, PCIP PCI SSC

Amid rising global tensions and numerous warnings from the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), organizations across the globe can expect to see an increase in cyber attacks from nation-states, criminal gangs, and copycats riding the wave. These attacks may vary in sophistication depending on who is behind them, but organizations should be prepared to encounter any level of foe.

While a robust security program is tasked with focusing on numerous facets such as continuous posture assessment, monitoring and detection, threat hunting, and incident response, Structured’s Governance, Risk and Compliance team would like to share some of the most common findings from penetration testing that often lead to compromise.

While many organizations are transitioning to cloud-based infrastructure, user endpoints and cloud infrastructure can still be a focus of attack. The following details common findings from penetration testing public-facing assets, followed by what we commonly see while probing internal assets.

Common Findings from Penetration Testing Public-Facing Assets

No multi-factor authentication (MFA) on public-facing authentication portals – During testing, we mimic the most popular attacks used by malicious actors: social engineering and…