Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities in Active Directory while being forced to click six times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-read, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Data Security

Verizon Data Breach Digest 2017

While we’re anxiously waiting for the next edition of the Data Breach Investigations Report (DBIR), Verizon released its annual Data Breach Digest (DBD) earlier this month. What’s the DBD? It condenses the various breach patterns discussed in the DBIR. In this year’s report, Verizon reduced 12 patterns into a mere four generalized scenarios: the Human Element, Conduit Devices, Configuration Exploitation, and Malicious Software. Of course, when you start abstracting and clustering information, you end up…
Data Security

Cloudbleed – Cloudflare Unauthorized Data Leak

Cloudflare is a huge internet infrastructure company (5.5 million websites), which means that you likely use them every day that you’re online, without ever realizing it. Depending on what metric you use, as much as 25% of the Alexa Top 10000 sites are using Cloudflare for some part of their public-facing infrastructure. What Cloudflare Provides: Broadly, they provide two services: massively fast and distributed DNS services; Denial of Service attack mitigation (and some related…
Data Security

[Podcast] Gambling with User Data

The debate between users volunteering their data for better service versus being perceived as a creepy company who covertly gathers user data remains a hot topic for the Inside Out Security panel – Kris Keyser, Mike Buckbee, and Kilian Englert. There were two recent stories that triggered this debate. Recently, a smart television manufacturer agreed to pay a $2.2 million fine to the Federal Trade Commission for “collecting viewing data on 11 million consumer TVs without…
Compliance & Regulation, Data Security

Cybersecurity Laws Get Serious: EU’s NIS Directive

In the IOS blog, our cyberattack focus has mostly been on hackers stealing PII and other sensitive personal data. The breach notification laws and regulations that we write about require notification only when there’s been acquisition or disclosure of PII by an unauthorized user. In plain speak, the data is stolen. These data laws, though, fall short in two significant ways. One, the hackers can potentially take data that’s not covered by the law: non-PII…
Data Security

[Podcast] Professor Angela Sasse on the Economics of Security

In part two of my interview with Angela Sasse, Professor of Human-Centred Technology, she shared an engagement she had with British Telecom (BT). The accountants at BT said that users were resetting passwords at a rate that overwhelmed the helpdesk’s resources, making the cost untenable. The security team believed that the employees were the problem; Sasse and her team thought otherwise. She likened the problem of requiring users to remember their passwords to memory exercises. And with Sasse’s…
Compliance & Regulation, Data Security, Privacy

Interview With Medical Privacy Author Adam Tanner [TRANSCRIPT]

Adam Tanner, author of Our Bodies, Our Data, has shed light on the dark market in medical data. In my interview with Adam, I learned that our medical records, principally drug transactions, are sold to medical data brokers who then resell this information to drug companies. How can this be legal under HIPAA without patient consent? Adam explains that if the data is anonymized then it no longer falls under HIPAA’s rules. However, the prescribing…
Data Security, Varonis News

Introducing a new security dashboard, enhanced behavioral analysis, and more

Every day we hear new stories about how our customers are using DatAlert to stop cyberattacks: detecting and disabling ransomware infections, discovering misconfigurations and vulnerabilities, and setting up automatic responses to malware infections. And so, we’ve updated DatAlert to be more intuitive, powerful, and insightful than ever: 6.3.150 includes major updates to DatAlert, additional platform support, and performance enhancements. New Security Dashboard: DatAlert is easier than ever to use as a starting point for investigating…
Data Security

[Podcast] Security Monk vs. Emperor Palpatine

This week, we continue our ongoing ransomware discussion with the Inside Out Security Show panel – Kilian Englert, Mike Buckbee, and Mike Thompson. But before we launched into our conversation, as an icebreaker, I asked the panel what their advice would be to this tired sysadmin who deleted the wrong directory on the wrong server? Buckbee: Do exactly what they did to fix the problem. Englert: It happens, just have to recover and move on.…
Data Security

[Podcast] Professor Angela Sasse on Human-Centered Security

Lately, we’ve been hearing more from security experts who are urging IT pros to stop scapegoating users as the primary reason for not achieving security nirvana. After covering this controversy on a recent episode of the Inside Out Security Show, I thought it was worth having an in-depth conversation with an expert. So, I contacted Angela Sasse, Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. Over the past…
Data Security, IT Pros

Binge Read Our Pen Testing Active Directory Series

With winter storm Niko now on its extended road trip, it’s not too late, at least here on the East Coast, to make a few snow day plans. Sure, you can spend part of Thursday catching up on Black Mirror while scarfing down this slow cooker pork BBQ pizza. However, I have a healthier suggestion. Why not binge on our amazing Pen Testing Active Directory Environments blog posts? You’ve read parts of it, or —…
Compliance & Regulation, Data Security

Update: New York State Finalizes Cyber Rules for Financial Sector

When last we left New York State’s innovative cybercrime regulations, they were in a 45-day public commenting period. Let’s get caught up. The comments are now in. The rules were tweaked based on stakeholders’ feedback, and the regulations will begin a grace period starting March 1, 2017. To save you the time, I did the heavy lifting and looked into the changes made by the regulators at the New York State Department of Financial Services…
Data Security

[Podcast] An Extra Factor of Authentication

Inspired by the tweet below, I asked the Inside Out Security Show panel – Kilian Englert, Mike Buckbee, and Alan Cizenski – if they could add an extra factor of authentication, what would it be? (Tweet: @Pinboard pic.twitter.com/Xe5e1qYXxi — Matthew Hunt (@coneslayer), January 19, 2017.) Plus, we covered a few hot topics: the risks of replacing passports and manned desks with biometric scanning and automation; what would it take to set up AD for 28 million…