Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities using Active Directory while being forced to click six-times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-ready, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Get The Ebook Now
Or check it all out online, here.
Privacy

[Podcast] Dr. Zinaida Benenson and the Human Urge to Click

Dr. Zinaida Benenson is a researcher at the University of Erlangen-Nuremberg, where she heads the “Human Factors in Security and Privacy” group. She and her colleagues conducted a fascinating study into our spam clicking habits. Those of you who attended Black Hat last year may have heard her presentation on How to Make People Click on a Dangerous Link Despite their Security Awareness. As we’ve already pointed on the IOS blog, phishing is a topic…
Data Security

Dedham Savings Uses Varonis to Build Trust with Their Customers and Stop Su...

Case Study Trust is important in all relationships, but even more so for a community bank like Dedham Savings. Charged with protecting the sensitive financial data of their customers, Dedham turned to Varonis. During a Varonis risk assessment, they discovered a large amount of stale customer data on their network: data that they could immediately take off the network, reducing the potential severity of a data breach and instantly improving their security posture. With default…
Compliance & Regulation

New Post-Brexit UK Data Law: Long Live the GDPR!

The UK is leaving the EU to avoid the bureaucracy from Brussels, which includes having to comply with the General Data Protection Regulation (GDPR). So far, so good. However, since the EU is so important to their economy, the UK’s local data laws will in effect have to be at very high-level — basically, GDPR-like — or else the EU won’t allow data transfers. Then there is the GDPR’s new principal of extra-territoriality or territorial…
Data Security

[Podcast] Are Cyber War Rooms Necessary?

While some management teams are afraid of a pentest or risk assessment, other organizations – particularly financial institutions – are well aware of their security risks. They are addressing these risks by simulating fake cyberattacks. By putting IT, managers, board members and executives who would be responsible for responding to a real breach or attack, they are learning how to respond to press, regulators, law enforcement, as well as other scenarios they might not otherwise…
Data Security, IT Pros

Working With Windows Local Administrator Accounts, Part III

One point to keep in mind in this series is that we’re trying to limit the powers that are inherent in Administrator accounts. In short: use the Force sparingly. In the last post, we showed it’s possible to remove the local Administrator account and manage it centrally with GPOs. Let’s go over a few things I glossed over last time, and discuss additional ways to secure these accounts. Restricted Groups: Handle with Care In my…
Data Security, IT Pros

[Podcast] Roxy Dee, Threat Intelligence Engineer

Some of you might be familiar with Roxy Dee’s infosec book giveaways. Others might have met her recently at Defcon as she shared with infosec n00bs practical career advice. But aside from all the free books and advice, she also has an inspiring personal and professional story to share. In our interview, I learned about her budding interest in security, but lacked the funds to pursue her passion. How did she workaround her financial constraint?…
Compliance & Regulation, Data Security, Varonis News

Introducing Our New DataPrivilege API and a Preview of Our Upcoming GDPR Pa...

GDPR Patterns Preview We’re less than a year out from EU General Data Protection Regulation (GDPR) becoming law, and hearing that our customers are facing more pressure than ever to get their data security policies ready for the regulation.  To help enterprises quickly meet GDPR, we’re introducing GDPR Patterns with over 150 patterns of specific personal data that falls in the realm of GDPR, starting with patterns for 19 countries currently in the EU (including…
Data Security

Working With Windows Local Administrator Accounts, Part II

Before we delve into Restricted Groups, I thought it might be worthwhile to take a closer look at how hackers take advantage of Administrator passwords. For Pass-the-Hash fans, this post will show you how hashes can be used even with local accounts. I also had a chance to try Windows Local Administrator Passwords Solution or LAPS. Spoiler alert: LAPS scares me a little. Passing Local Hashes After writing the first post, I realized that you don’t…
Compliance & Regulation

A Few Thoughts on Data Security Standards

Did you know that the 462-page NIST 800-53 data security standard has 206 controls with over 400 sub-controls1?  By the way, you can gaze upon the convenient XML-formatted version here. PCI DSS is no slouch either with hundreds of sub-controls in its requirements’ document. And then there’s the sprawling IS0 27001 data standard. Let’s not forget about security frameworks, such as COBIT and NIST CSF, which are kind of meta-standards that map into other security…
Data Security

Working With Windows Local Administrator Accounts, Part I

In writing about hackers and their techniques, the issue of Windows local Administrator accounts often comes up. Prior to Windows 7, the Administrator account was created by default with no password. This was not a good security practice, and hackers have been taking advantage ever since. Starting in Windows 7, the local Administrator accounts were disabled by default. And you should disable them in your domain regardless of which Windows OS you have! But for…
Data Security

How to Better Structure AWS S3 Security

If the new IT intern suggests that you install a publicly accessible web server on your core file server – you might suggest that they be fired. If they give up on that, but instead decide to dump the reports issuing from your highly sensitive data warehouse jobs to your webserver – they’d definitely be fired. But things aren’t always so clear in the brave new world of the cloud – where services like Amazon’s…
Data Security

[Podcast] Blackhat Briefings That Will Add to Your Tool Belt

We’re counting down to Blackhat USA to attend one of the world’s leading information security conference to learn about the latest research, development and trends. We’ll also be at booth #965 handing out fabulous fidget spinners and showcasing all of our solutions that will help you protect your data from insider threats and cyberattacks. In this podcast episode, we discussed not only sessions you should attend, but also questions to ask that will help you reduce…