
Is your business vulnerable to cyber threats? Learn the importance of vulnerability identification!

January 15, 2024

Businesses in the crosshairs: why is identifying digital vulnerabilities key?

In the digital world, cybersecurity is no longer an optional extra for businesses, but a basic necessity. As businesses increasingly move their operations online, the importance of securing data and systems is growing. Cyber threats in their many forms - be it phishing, ransomware, or even internal vulnerabilities - can cause serious damage to a company's reputation, finances and customer trust. In this environment, cybersecurity solutions for vulnerability identification, such as penetration testing (pentesting), are becoming essential tools for businesses, especially in light of the NIS2 and DORA regulations now coming into force, as well as the ISO27001 standard.

NIS2 (the Network and Information Security Directive) and DORA (the Digital Operational Risk Regulation) bring new challenges and requirements for businesses in the area of cybersecurity. These regulations encourage companies to improve their security protocols and systems against cyber threats. In this context, pentesting is a specific process whereby cybersecurity professionals deliberately "attack" a company's systems to identify potential vulnerabilities and security holes. This method is used as a kind of "friendly" attack, allowing companies to strengthen their defences before they are actually attacked.

ISO27001, an international standard for cybersecurity, also plays an important role in defining companies' security strategy. Vulnerability identification is not only a keyword in the world of cybersecurity, but a fundamental step in protecting businesses. With pentest, enterprises can not only discover but also understand where their systems are most vulnerable. This allows them to proactively manage these risks before they become a real problem.

In this article, we will go into detail about the importance of pentest, describe the process and explain why businesses should use this service, especially in view of the new requirements of NIS2, DORA and ISO27001. We also discuss the importance of vulnerability analysis and how it fits into the cybersecurity strategy of modern enterprises in the current regulatory environment. 


Security in cyberspace: the strategic importance of vulnerability identification 

Vulnerability identification, penetration testing, or pentesting, is a technique that plays a fundamental role in the cybersecurity strategy of modern enterprises, especially in light of the NIS2 and DORA regulations and the ISO27001 standard. This process involves carrying out deliberate 'attacks' on an organisation's IT systems, identifying potential vulnerabilities and security holes that could be exploited by a real attacker. During pentesting, cybersecurity experts use tools and techniques that mimic the methods of cyber attackers to ensure that testing is realistic and thorough.

The NIS2 Directive and the DORA regulation impose new requirements on companies' cybersecurity practices, particularly for systems and processes that are critical to the smooth running of their business. This is why pentesting and thus vulnerability identification becomes crucial, as it allows companies to proactively identify and remediate vulnerabilities that compromise the security levels required by the regulations. ISO27001, as the international standard for cyber security management, also emphasises the importance of regular vulnerability assessment and management, in which pentest as a methodology fits perfectly.

The pentest is not only used to identify technical vulnerabilities, but also provides detailed reporting and recommendations to help companies manage cybersecurity risks more effectively. Common flaws identified during a pentest include configuration issues, outdated software, lack of strong passwords and weaknesses in the protection of internal networks. These findings provide valuable insights for companies, enabling them to strengthen their defences to meet the requirements of NIS2, DORA and ISO27001.

Such a proactive approach is essential for businesses in a rapidly changing cybersecurity environment where new threats are constantly emerging. Pentest enables companies to move forward and not just react to threats, but actively prepare for them, ensuring business continuity and the security of their customers.

The cornerstone of cybersecurity: why is vulnerability identification essential? 

Vulnerability identification is not only an important step in the cybersecurity process, it is an essential element in ensuring that businesses comply with NIS2, DORA and ISO27001 regulations. Penetration testing, or pentesting, is a particularly important tool in this process as it allows companies to identify and analyse the vulnerabilities that could pose the greatest risk to their systems and data. Vulnerability identification is a process that aims not only to identify potential vulnerabilities, but also to assess the risks that these vulnerabilities pose to the company.

The NIS2 and DORA regulations, as well as the ISO27001 standard, focus on cybersecurity risk management. These regulations encourage businesses to develop and maintain high cyber security practices that include regular vulnerability analysis and identification. This not only enhances the security of technology systems, but also ensures that companies are able to identify and manage cybersecurity risks that threaten their business.

During the pentest, vulnerability identification is a two-step process: first, security experts identify potential vulnerabilities by testing systems and identifying security holes. But it doesn't stop there: the second, equally important part of the pentest is the vulnerability analysis and prioritisation, where the experts identify which vulnerabilities pose a real and immediate threat to the company. This step helps companies to determine which vulnerabilities they need to address first and what measures they need to take to mitigate the risks.

So vulnerability identification is not just a technical process; it is also a strategic process to help businesses understand and manage cybersecurity risks. In doing so, businesses not only comply with the requirements of NIS2, DORA and ISO27001 regulations, but also take proactive steps to prepare for cyber threats, protecting their business and the security of their customers. 


Future cyber security challenges: in the light of the NIS2, DORA and TISAX regulations 

The forthcoming NIS2 and DORA regulations will bring significant changes to the cybersecurity obligations of businesses, and understanding these is essential for all business leaders. The NIS2 Directive, which is an update of the Network and Information Security Directive, sets out broader and more stringent requirements for businesses operating critical infrastructure. This includes strengthening cybersecurity measures, regular reviews of vulnerabilities and rapid reporting of security incidents. 

DORA, the Digital Operational Risk Regulation, focuses specifically on financial services and aims to increase the resilience of financial systems to cyber threats. This includes tighter supervision of critical IT service providers and better management and reporting of cyber security incidents. Both regulations emphasise a proactive approach to cybersecurity, which is essential for businesses to defend against modern cyber threats. 

NIS2, or the Network and Information Systems Directive 2, is the European Union's second directive on network and information systems security. This Directive is an update and extension of the original NIS (Network and Information Systems) Directive introduced in 2016, which was the first major step towards strengthening cyber security of critical infrastructures in the EU. The NIS2 Directive aims to further strengthen the EU's cybersecurity framework in response to the ever-changing nature of digital threats and the increasing number of cybersecurity incidents. 

ISO27001, an international information security management standard, also plays an important role in this environment. Although not new, ISO27001 remains relevant as it provides a rigorous framework for businesses to manage information security. Taken together, these regulations and standards are driving businesses to improve their cybersecurity practices, enhance vulnerability identification and management, and thereby increase the security and resilience of their business. 

TISAX (Trusted Information Security Assessment Exchange) is a standard developed specifically for the automotive industry in the area of information security. TISAX aims to provide a common framework for information security audits and assessments in the automotive supply chain. TISAX was created by the ENX Alliance, a consortium of European automotive manufacturers and their suppliers. It is based on the international standard ISO/IEC 27001, but includes specific requirements that focus on the specific challenges and risks of the automotive industry. 

SuperiorPentest's services are particularly relevant in this changing regulatory environment. The firm's experts help businesses comply with regulations, identify and manage vulnerabilities, and mitigate cybersecurity risks. Compliance with the requirements of NIS2, DORA and ISO27001 is not only a legal obligation, but also a business necessity as modern customers and partners place increasing emphasis on secure and reliable business relationships.

This regulatory change is therefore not only a challenge but also an opportunity for businesses. The right cybersecurity measures, such as those provided by Superior Pentest, can help businesses not only comply with regulations, but also grow their digital presence in the global marketplace with confidence and security.


Success stories on the cyber front: How does vulnerability identification help businesses? 

Besides theoretical knowledge, the importance of penetration testing is best illustrated by concrete case studies and examples. In a number of cases, SuperiorPentest's testing has revealed vulnerabilities that businesses had not previously recognised and which could have posed significant risks if exploited. One such example is the case of improperly configured network devices, where penetration testers were able to penetrate the company's internal network and gain access to sensitive business data. This discovery allowed the company to strengthen its network security and prevent data leaks. Another example is the GhostShell attack, in which the Team GhostShell APT group attacked 53 universities with SQL injection, stealing 36,000 pieces of personal data. Or there was the attack on the Turkish government website: the RedHack collective used SQLi to hack into the Turkish government website and delete debts owed to state agencies.

These cases clearly show that pentest is not just a technical control, but an essential tool for companies to prepare and defend against cyber threats.

SuperiorPentest, a Hungarian cybersecurity company, plays a prominent role in strengthening the cybersecurity of enterprises in the domestic and international market. The emergence of increasingly stringent cybersecurity regulations such as NIS2, DORA and ISO27001 standards has given rise to the company's services, which focus on penetration testing (pentest). Our experts use the latest techniques and methodologies to identify and analyse vulnerabilities, ensuring that businesses' IT systems are as secure as possible.

SuperiorPentest has a particular focus on the needs of business managers with non-IT backgrounds, ensuring that their reports and advice are understandable and easy to apply. This approach is particularly important as many business leaders do not have in-depth technology knowledge, yet still need to make important decisions about their cybersecurity strategy. The firm's experts can help, enabling business leaders to make informed decisions and ensure their business is safe from cyber threats. 

SuperiorPentest is therefore more than just a cybersecurity provider; it works as a strategic partner with businesses to help them comply with the NIS2, DORA, ISO27001 and TISAX requirements and keep their business secure and uninterrupted against cyber threats.

Security by standard: the importance of ISO 27001 in cybersecurity 

ISO 27001, the international standard for cybersecurity management, is a key element in the cybersecurity strategy of enterprises and is also of particular importance in the context of the NIS2 and DORA regulations. This standard provides a comprehensive framework to help companies manage information security and ensure that cyber security risks are properly managed. ISO 27001 focuses on the establishment and maintenance of an Information Security Management System (ISMS), which includes the identification of vulnerabilities, the definition of security measures, and the management of cyber security incidents.

SuperiorPentest's services are aligned with the requirements of ISO 27001 and help businesses comply with this standard. As part of the pentest process, the company's experts not only identify vulnerabilities, but also make recommendations to improve and strengthen security systems. This process is an integral part of the ISMS required by ISO 27001 and helps businesses to develop a comprehensive and effective cyber security strategy.

Vulnerability identification and analysis during the pentest not only helps to identify immediate vulnerabilities, but also facilitates long-term improvements and enhancements to the cybersecurity infrastructure of enterprises. This is in line with the principle of continuous improvement promoted by ISO 27001, which recommends that enterprises regularly review and improve their cybersecurity practices.

Compliance with ISO 27001 not only enhances security for businesses, but also improves their reputation and customer confidence. In a world where cyber security incidents are becoming more frequent and consumers are becoming more digitally aware, ISO 27001 compliance is a clear advantage for businesses. Superior Pentest's services help businesses not only comply with regulations, but also assure their customers that they take information security seriously and are committed to the highest level of protection.

On the Road to Security: how we protect businesses 

Based on what has been discussed so far, it is clear that penetration testing, or pentesting, and vulnerability identification are essential tools for modern enterprises, especially in light of NIS2, DORA and ISO27001 regulations. These regulations create new challenges and opportunities that businesses need to be prepared for in an ever-changing landscape of cybersecurity threats. As an expert in cybersecurity services, Superior Pentest is a valuable partner in this process, helping businesses manage cybersecurity risks, meet regulatory requirements, and strengthen the security of their business processes.

The case studies and examples presented in this article clearly show that pentest and vulnerability identification are not just theoretical concepts, but practical tools that bring real value to businesses. These services help companies to proactively address cybersecurity challenges and ensure business continuity.

Compliance with NIS2, DORA and ISO27001 is not only a legal obligation but also a strategic necessity for businesses. Superior Pentest's services enable enterprises to not only reactively address cybersecurity threats, but to anticipate and prevent them. This type of proactive approach increases businesses' resilience to cyber threats and ensures that their business remains safe and secure in the digital age.

SuperiorPentest's pentest and vulnerability identification services not only meet modern cybersecurity challenges, but also enable businesses to thrive in the digital world in a secure and reliable manner. In addition to NIS2, DORA and ISO27001 compliance, these services are key to the long-term success and sustainability of businesses in an ever-changing cybersecurity environment.

If you have any questions about cyber security, feel free to contact us, and don't forget: Test your system before hackers do it!

Home Assistant - CVE-2023-27482

September 20, 2023

Exploiting Home Assistant CVE-2023-27482 (a critical vulnerability) is a hot topic right now. The vulnerability was discovered and reported to the HA developers on 2023.03.08, but, following the rules of the road for zero-day vulnerabilities, the full write-up on exploiting it was only published on 2023.05.10, after the developers had fixed the vulnerability. The fixed version is Supervisor 2023.03.1. Anyone running an earlier version whose system is reachable from the public internet is unprotected. – Report by Fizcere Tamás, our senior colleague.

I have flagged this vulnerability several times: by exploiting it, attackers can take over our entire smart home hub, but in my view that is the smallest harm they can do to us.

If we think about what data we enter while building our system, we can see that whoever gains access to it can also obtain the credentials for several of our accounts.

But what data might that be?

·    Sending mail: we enter our login details. E-mail address, password, server.

·    ESPHome: we enter our home WiFi credentials so that the devices we configure can connect.

·    Cameras: in the http/rtsp URL we enter the login/password pair for the cameras and the cameras' addresses on our network

·    Samba share: we enter the login/password pair needed to access the share

·    MQTT, zigbee2mqtt, etc.: we enter the login/password pair for the broker

·    Accessing the UI: we enter our username; here the situation is a little better, because the password is stored in encoded form, so cracking it takes more time and we don't get it straight away

·    Alarm system: the PIN code used to arm/disarm the alarm

·    Our home address

·    Our workplace and our other zones

Written out like this, everyone knows it, but I want to show how easily this data can be obtained from our system, so that YOU too can test whether your system is still affected by the vulnerability.
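A defender's check for the condition described above, added here as an example that is not part of the original post: it parses the YAML-style output of `ha supervisor info` (the `version`, `version_latest` and `auto_update` keys are assumed to appear in that output) and reports whether the Supervisor predates the 2023.03.1 fix; the sample output below is constructed, not captured from a real system.

```python
import re
import subprocess

# Supervisor release that fixed CVE-2023-27482, as stated in the post.
FIXED_VERSION = "2023.03.1"


def parse_version(v):
    """Split a Supervisor calendar version such as '2023.03.1' into an int tuple."""
    parts = v.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Supervisor version: {v!r}")
    return tuple(int(p) for p in parts)


def parse_supervisor_info(text):
    """Extract the keys we care about from `ha supervisor info` (YAML-style lines)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(version_latest|version|auto_update):\s*(\S+)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def assess(info):
    """Return (vulnerable, findings) for a parsed info dict."""
    findings = []
    version = info.get("version")
    if version is None:
        raise ValueError("no 'version:' line in supervisor info")
    vulnerable = parse_version(version) < parse_version(FIXED_VERSION)
    if vulnerable:
        findings.append(f"Supervisor {version} predates {FIXED_VERSION}: CVE-2023-27482 unpatched")
    # The post disables auto-update for the lab; on a production box that pins you to the old version.
    if info.get("auto_update", "true").lower() == "false":
        findings.append("auto_update is disabled; Supervisor will stay on this version")
    latest = info.get("version_latest")
    if latest and parse_version(version) < parse_version(latest):
        findings.append(f"newer Supervisor {latest} is available")
    return vulnerable, findings


def check_live():
    """Run the check against the local Home Assistant CLI (assumes `ha` is on PATH)."""
    out = subprocess.run(["ha", "supervisor", "info"], capture_output=True,
                         text=True, check=True).stdout
    return assess(parse_supervisor_info(out))


# Constructed sample resembling the downgraded lab box from the post (not real output).
SAMPLE_INFO = """\
addons: []
arch: amd64
auto_update: false
channel: stable
healthy: true
version: 2022.12.1
version_latest: 2023.03.1
"""

if __name__ == "__main__":
    vulnerable, notes = assess(parse_supervisor_info(SAMPLE_INFO))
    print("VULNERABLE" if vulnerable else "patched")
    for note in notes:
        print(" -", note)
```

Being patched only matters if the Supervisor API is not reachable from the public internet in the first place; the check says nothing about exposure.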

Building a hackable system

First of all, I had to build a suitable system that I could hack freely, because although there are plenty of vulnerable systems on the internet, compromising them would not be ethical. My choice fell on the still-vulnerable 2022.12.1 version and Home Assistant OS 9.5. My first thought was that I would spin it up in VirtualBox, joy and happiness, let the game begin, but no, because the system's designers cleverly update every component already during boot, so by the time we get the login screen we have a system running the current version (except for the operating system), which was not what I needed, but if that's how it is, that's what we have to work with.

Luckily the core can be downgraded quite easily if we log in on the console and issue the following command:

 core update --version 2022.12.1

That brings us one step closer to the goal, but the supervisor is still the latest version, and after a first round of googling and reading the documentation we may get the feeling that this cannot be changed.

If we look deeper into the system, there is nothing magical here, just the now widely used docker system. Every component goes into a separate docker container, and then, cleverly configured, the system's components (the services and add-ons running in the containers) communicate with each other. It follows directly that there is a way to downgrade the supervisor after all :) It won't be simple, but I'll write it down, because others may also feel like playing with it at home. Apologies in advance for making this blog post longer; if you're not interested, skip ahead ;)

Hassio-Supervisor downgrade

First, we need to leave the ha console, or rather, enter the operating system level, from where we can reach docker and configure it. For this, we still leave our HA system running in VirtualBox with internet access, because we will download the older supervisor image from the net. As soon as the older image has been downloaded, we must take the network away from the VM, otherwise it will update itself to the current version again, which is not our goal now. The commands to issue during the process:


docker container ls
docker stop hassio_supervisor
docker rm -f hassio_supervisor

docker images
docker rmi --force <image ID>

# <older supervisor image> and <version tag> are placeholders: the post does not name them
docker image pull <older supervisor image>:<version tag>
docker tag <older supervisor image>:<version tag> <older supervisor image>:latest
docker images

# take the internet away from the VM: disable the network adapter in VirtualBox!!!

docker run -d --name=hassio_supervisor -v /run/dbus:/run/dbus:ro -v /run/udev:/run/udev:ro -v /run/supervisor:/run/os:rw -v /etc/machine-id:/etc/machine-id:ro -v /mnt/data/supervisor:/data:rw -v /run/docker.sock:/run/docker.sock:rw -v /run/docker/containerd/containerd.sock:/run/docker/containerd/containerd.sock:rw -v /run/systemd-journal-gatewayd.sock:/run/systemd-journal-gatewayd.sock:rw -e SUPERVISOR_NAME=hassio_supervisor -e SUPERVISOR_API=http://localhost -e SUPERVISOR_SHARE=/mnt/data/supervisor --security-opt seccomp=unconfined --security-opt apparmor=hassio-supervisor --privileged --restart always <older supervisor image>:latest

docker start --attach hassio_supervisor

ha supervisor options --auto-update=false

# now we can give the internet/network adapter back to the VM

First, stop the running hassio_supervisor container, then remove it together with all its files and its image.

Once we have cleaned away the current (latest) supervisor, we can fetch the old image. As soon as the image has downloaded, disconnect the VM's network connection in VirtualBox so that it doesn't update the supervisor before we finish the whole downgrade process.

Now we can run the downloaded image. This command is easy to mistype; I didn't get it right the first time either :D

The attach command is missing from the screenshot, don't forget to issue it!