Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities using Active Directory while being forced to click six times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-read, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Get The Ebook Now
Or check it all out online, here.
Data Security

[Podcast] Details Matter in Breaches and in Business

With one sensational data breach headline after another, we decided to take on the details behind the story because a concentrated focus on the headline tends to reveal only a partial dimension of the truth. For instance, when a bank’s sensitive data is compromised, it depends on how as well as the what. Security practitioner Mike Buckbee said, “It’s very different if your central data storage was taken versus a Dropbox where you let 3rd…
Data Security

The Difference Between E3 and E5 Office365 Features

Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and Office 365 products. If you’re an enterprise that is concerned about data breaches, ransomware or insider threats, it’s unlikely that you would not upgrade your base (E3) Azure license to the slightly more expensive but worthwhile E5. Note: It’s a licensing distinction, not a technical…
Compliance & Regulation

North Carolina Proposes Tougher Breach Notification Rules

If you’ve been reading our amazing blog content and whitepaper on breach notification laws in the US and worldwide, you know there’s often a hidden loophole in the legalese. The big issue — at least for data security nerds — is whether the data security law considers mere unauthorized access of personally identifiable information (PII) to be worthy of a notification. This was a small legal point until something called ransomware came along. You have…
Compliance & Regulation, Data Security

How to Discover GDPR Data With Varonis

GDPR goes into effect in less than 85 days – but there’s still time to prepare. The first step in getting ready for the upcoming deadline is to discover and classify your GDPR data. More often than not, we’re seeing that customers have much more GDPR eligible data than they thought they had – or even knew existed. A recent GDPR Readiness Assessment for a mid-sized insurance company revealed some eye-opening results. In the below…
Data Security

Do Americans Ever Change Their Passwords?

Just how cautious are Americans when it comes to cybersecurity? In today’s hyper-connected, highly-digitized society, data breaches are becoming increasingly commonplace. And they affect both corporations and individuals. In 2017 alone, the Equifax breach — considered by some to be the worst security breach in recent history — put 145.5 million Americans at risk of exposed information and identity theft. Additionally, a Gmail phishing attack last year put 1 million users at risk of exposed…
Data Security

[Podcast] Innovate First, Deliver PSAs Later

Today even if we create a very useful language, IoT device, or software, at some point, we have to go back to fix the security or send out PSAs. Troy Hunt, known for his consumer advocacy work on breaches, understands this very well. He recently delivered a very practical PSA: Don’t tell people to turn off Windows update, just don’t. We also delivered a few PSAs of our own: cybercriminals view our LinkedIn profiles to…
IT Pros

Adventures in Malware-Free Hacking, Part IV

For this next post, I was all ready to dive into a more complicated malware-free attack scenario involving multiple stages and persistence. Then I came across an incredibly simple code-free attack — no Word or Excel macro required! — that far more effectively proves the underlying premise in this series: it ain’t that hard to get past the perimeter. The first attack I’ll describe is based on a Microsoft Word vulnerability involving the archaic Dynamic…
Compliance & Regulation

Post-Davos Thoughts on the EU NIS Directive

I’ve been meaning to read the 80-page report published by the World Economic Forum (WEF) on the global risks humankind now faces. They’re the same folks who bring you the once a year gathering of the world’s bankers and other lesser humanoids held at a popular Swiss ski resort. I was told there was an interesting section on … data security. And there was. Data security is part of a report intended to help our world…
IT Pros

12 Ways Varonis Helps You Manage Mergers and Acquisitions

How Varonis Helps with Mergers and Acquisitions

A well-constructed Merger & Acquisition (M&A) playbook reduces the overall time, cost and risk of the upcoming merger and/or acquisition. Gartner advises that organizations who intend to grow through acquisitions involve the CIO and IT teams early in the process by “sharing models with their business executives that raise the right questions and issues to consider.” Further, according to Gartner analysts Cathleen E. Blanton and Lee Weldon, CIOs…
Data Security

Adventures in Malware-Free Hacking, Part III

After yakking in the last two posts about malware-free attack techniques, we’re ready to handle a dangerous specimen. The Hybrid Analysis site is the resource I rely on to find these malware critters. While the information that HA provides for each sample — system calls, internet traffic, etc. — should be enough to satisfy a typical IT security pro, there is some value in diving into one of these heavily obfuscated samples to see what’s actually going…
Data Security

[Podcast] Security Alert Woes

IT pros could use a little break from security alerts. They get a lot of alerts. All. The. Time. While alerts are important, a barrage of them can potentially be a liability. It can cause miscommunication, creating over reactivity. Conversely, alerts can turn into white noise, resulting in apathy. Hence the adage: if everything is important, nothing is. Instead, should we be proactive about our security risks rather than reactive? Articles discussed: Heatmap reveals secret…
Data Security

Malware Protection: Defending Data with Varonis Security Analytics

Malware has become the catch-all term for any bit of code that attempts to hide and then subvert the intentions of the computer’s owner. Viruses, rootkits, lock-screens, and Trojan horses are as common today as a web browser and used by everyone from criminals to governments and security researchers. Malware detection on endpoints is commonplace, but as WannaCry and NotPetya taught us, malware can end up in your servers as well, creating vulnerabilities and backdoors to…