Pen Testing Active Directory Environments, Part II: Getting Stuff Done With PowerView

In my last post, I began discussing how valuable pen testing and risk assessments can be performed by simply gathering information from Active Directory. I also introduced PowerView, which is a relatively new tool for helping pen testers and “red teamers” explore offensive Active Directory techniques. To get more background on how hackers have been […]

More Sheila FitzPatrick: Data Privacy and EU Law

In the next part of our discussion, data privacy attorney Sheila FitzPatrick gets into the weeds and talks to us about her work in setting up Binding Corporate Rules (BCRs) for multinational companies. These are actually the toughest rules of the road for data privacy and security. What are BCRs? They allow companies to internally […]

“Hacked Again” Author Scott Schober on Small Business Data Security, Part II

Scott Schober wears many hats. He’s an inventor, a software engineer, and runs his own wireless security company. He’s also written Hacked Again, which tells the story of his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. We continue our discussion with Scott. In this segment, he talks […]

Pen Testing Active Directory Environments, Part I: Introduction to crackmapexec (and PowerView)

I was talking to a pen testing company recently at a data security conference to learn more about “day in the life” aspects of their trade. Their president told me that one of their initial obstacles in getting an engagement is fear from IT that the pen testers will bring down the system. As it […]

“Hacked Again” Author Scott Schober on Small Business Data Security, Part I

Scott Schober wears many hats. He’s an inventor, a software engineer, and runs his own wireless security company. He’s also written Hacked Again, which tells the story of his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. In the first part of our interview, Scott tells us about […]

Overheard: “IT security has nothing to learn from the Mirai attack”

After my post last week on the great Mirai Internet takedown of 2016, I received some email in response. One of the themes in the feedback was, roughly, that ‘Mirai really doesn’t have anything to do with those of us in enterprise IT security’. Most large companies probably don’t have hackable consumer-grade CCTV cameras or […]

Data Privacy Attorney Sheila FitzPatrick on GDPR

We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy […]

The Mirai Botnet Attack and Revenge of the Internet of Things

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which […]

VIP Data Security Lessons From the Hack of Colin Powell’s Personal Email Account

Are C-levels, high government officials, and other members of the power elite really all that different from the rest of us? We now know, after email hacks involving former Secretary of State Colin Powell’s Gmail account, former CIA director John Brennan’s AOL account, and the Gmail account of John Podesta, a top advisor to the Democrats, that they are, but not for the […]

HIPAA and Cloud Provider Refresher

As far as regulators are concerned, the cloud has been a relatively recent occurrence. However, they’ve done a pretty good job in dealing with this ‘new’ computing model. Take HIPAA. We wrote that if a cloud service processes or stores protected health information (PHI), it’s considered, in HIPAA-ese, a business associate or BA. As you […]

21st Century Cyber Wars: Defense Lags Offense

We don’t often get to see data security and cyber attacks discussed in detail on a top-rated national talk show, but that was the case last week. John Carlin, Assistant Attorney General for National Security, talked to Charlie Rose about cyber espionage, attack attribution, insider threats, and prevention. Even for those of us in the […]