Pen Testing Active Directory, V: Admins and Graphs


If you’ve survived my last blog post, you know that Active Directory group structures can be used as powerful weapons by hackers. Our job as pen testers is to borrow these same techniques — in the form of PowerView — that hackers have known about for years, and then show management where the vulnerabilities live […]

EU GDPR Spotlight: Do You Have to Hire a DPO?


I suspect right about now that EU (and US) companies affected by the General Data Protection Regulation (GDPR) are starting to look more closely at their compliance project schedules. With enforcement set to begin in May 2018, the GDPR era will shortly be upon us. One of the many questions that have not been fully answered […]

Pen Testing Active Directory Environments, Part IV: Graph Fun


If we haven’t already learned from playing six degrees of Kevin Bacon, then certainly Facebook and Linkedin have taught us we’re all connected. Many of the same ideas of connectedness also play out in Active Directory environments. In this post, we’ll start out where we left off last time in thinking about the big picture […]
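The "everyone is connected" idea above is exactly what attackers exploit in Active Directory: a user who is nowhere near Domain Admins on paper may still reach it through a chain of nested groups. The following is an added example, not code from the post or from PowerView, that models group membership as a directed graph and walks it the way a pen tester (or a tool like BloodHound) would. All principal and group names are constructed sample data, not a real domain.

```python
from collections import deque

# Constructed sample data (not from the post): each edge means
# "member -> group it belongs to", so the principal on the left
# inherits whatever rights the group on the right carries.
SAMPLE_MEMBERSHIPS = [
    ("alice", "Helpdesk"),
    ("bob", "Developers"),
    ("Helpdesk", "Workstation Admins"),
    ("Workstation Admins", "Server Operators"),
    ("Server Operators", "Domain Admins"),
    ("Developers", "Build Servers"),
    ("carol", "Domain Admins"),
]


def build_graph(memberships):
    """Adjacency map: principal -> set of groups it is a direct member of."""
    graph = {}
    for member, group in memberships:
        graph.setdefault(member, set()).add(group)
        graph.setdefault(group, set())
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search over nested membership.

    Returns the list of principals from start to target (inclusive),
    or None when no chain of group nesting connects them.
    """
    if start not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def effective_groups(graph, principal):
    """Every group a principal belongs to, directly or through nesting.

    This is the 'recursive group membership' a DACL actually honours,
    which is why a non-recursive group listing understates exposure.
    """
    seen = set()
    stack = list(graph.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(graph[group])
    return seen


def principals_reaching(graph, target):
    """All users and groups that can reach target through some nesting chain."""
    return sorted(p for p in graph
                  if p != target and target in effective_groups(graph, p))


if __name__ == "__main__":
    g = build_graph(SAMPLE_MEMBERSHIPS)
    print(shortest_path(g, "alice", "Domain Admins"))
    print(shortest_path(g, "bob", "Domain Admins"))
    print(principals_reaching(g, "Domain Admins"))
```

Run against a real domain, the membership edges would come from an LDAP query for each group's `member` attribute (or from a PowerView dump); the graph logic does not change. The point to take away is that `alice` never appears in a direct listing of Domain Admins, yet four hops of nesting put her there, and `principals_reaching` is the list an assessor should hand to management.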

What We Learned From Talking to Data Security Experts


Since we’ve been working on the blog, Cindy and I have chatted with security professionals across many different areas — pen testers, attorneys, CDOs, privacy advocates, computer scientists, and even a guru. With 2016 coming to an end and the state of security looking more unsettled than ever, we decided it was a good time […]

Ransomware: Legal Cheat Sheet for Breach Notification


You respond to a ransomware attack in many of the same ways you would to any other cyber attack. In short: have plans in place to analyze the malware, contain the damage, restore operations if need be, and notify any regulatory or enforcement authorities. And your legal, IT, and communications team should be working together […]

Pen Testing Active Directory Environments, Part III: Chasing Power Users


For those joining late, I’m currently pen testing the mythical Acme company, now made famous by a previous pen testing engagement (and immortalized in this free ebook). This time around I’m using two very powerful tools, PowerView and crackmapexec, in my post-exploitation journey into Acme’s IT. Before we get into more of the details of […]

New Mirai Attacks, But It’s Still About Passwords


Last week, Mirai-like wormware made the news again with attacks on ISPs in the UK. Specifically, customers of TalkTalk and PostOffice reported Internet outages. As with the last Mirai incident involving consumer cameras, this one also took advantage of an exposed router port. And by an amazing coincidence, some of the overall points about these […]

Pen Testing Active Directory Environments, Part II: Getting Stuff Done With PowerView


In my last post, I began discussing how valuable pen testing and risk assessment can be done just by gathering information from Active Directory. I also introduced PowerView, which is a relatively new tool for helping pen testers and “red teamers” explore offensive Active Directory techniques. To get more background on how hackers have been […]

More Sheila FitzPatrick: Data Privacy and EU Law


In the next part of our discussion, data privacy attorney Sheila FitzPatrick gets into the weeds and talks to us about her work in setting up Binding Corporate Rules (BCRs) for multinational companies. These are actually the toughest rules of the road for data privacy and security. What are BCRs? They allow companies to internally […]

“Hacked Again” Author Scott Schober on Small Business Data Security, Part II


Scott Schober wears many hats. He’s an inventor, a software engineer, and the head of his own wireless security company. He’s also written Hacked Again, which tells of his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. We continue our discussion with Scott. In this segment, he talks […]

Pen Testing Active Directory Environments, Part I: Introduction to crackmapexec (and PowerView)


I was talking to a pen testing company recently at a data security conference to learn more about “day in the life” aspects of their trade. Their president told me that one of their initial obstacles in getting an engagement is fear from IT that the pen testers will bring down the system. As it […]
