Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities using Active Directory while being forced to click six times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-read, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

IT Pros

Five Ways for a CDO to Drive Growth, Improve Efficiencies, and Manage Risk

We’ve already written about the growing role of the chief data officer (CDO) and their challenging task to leverage data science to drive profits. But the job of a CDO is not just about moving the profit meter. It’s less widely known that they’re also tasked with meeting three other business objectives: finding ways to drive overall growth, improve efficiencies and manage risk. Why? All business activities and processes benefit from these three objectives. Luckily, we can…
Compliance & Regulation, Privacy

[Podcast] Adam Tanner on the Dark Market in Medical Data, Part II

More Adam Tanner! In this second part of my interview with the author of Our Bodies, Our Data, we start exploring the implications of having massive amounts of online medical data. There’s much to worry about. With hackers already good at stealing health insurance records, is it only a matter of time before they get into the databases of the drug prescription data brokers? My data privacy paranoia about all this came out in full…
Data Security, IT Pros

Pen Testing Active Directory Environments, Part VI: The Final Case

If you’ve come this far in the series, I think you’ll agree that security pros have to move beyond checking off lists. The mind of the hacker is all about making connections, planning several steps ahead, and then jumping around the victim’s network in creative ways. Lateral movement through derivative admins is a good example of this approach. In this concluding post, I’ll finish up a few loose ends from last time and then talk about…
Data Security

[Podcast] Parents of Security

While I thought we could ride on our recent successes for just a bit longer, attackers are back in full swing, filling my Twitter feed with the latest jaw-dropping security news. As I waded in worry, I stumbled upon an interesting Benjamin Franklin quote, “Distrust and caution are the parents of security.” Should distrust and caution be the parents of security? Who or what should the parents of security be? I brought these questions to…
Data Security

[Podcast] Security Pros Bring Out Their Game Face

With ransomware and data breaches driving headlines, it can feel like security pros are always one step behind. However, I recently found a few stories that I thought were worth celebrating. Not everyone on the Inside Out Security Show panel – Mike Buckbee, Kilian Englert, and Kris Keyser – thought the stories were good news. Nonetheless, I think that over time, as technologies mature, they do become more stable and secure. A few steps forward,…
Compliance & Regulation, Privacy

[Podcast] Adam Tanner on the Dark Market in Medical Data, Part I

In our writing about HIPAA and medical data, we’ve also covered a few of the gray areas of medical privacy, including wearables, Facebook, and hospital discharge records. I thought both Cindy and I knew all the loopholes. And then I talked to writer Adam Tanner about his new book Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records. In the first part of my interview with Tanner, I learned how pharmacies sell our prescription drug…
Data Security, Varonis News

The Data Security Money Pit: An Independent Research Study from Forrester

We recently released a study with Forrester Consulting entitled “The Data Security Money Pit: Expense in Depth Hinders Maturity” that shows a candy-store approach to data security may actually hinder data protection and explores how a unified data security platform could give security professionals the protection capabilities they desire, including security analytics, classification and access control while reducing costs and technical challenges. The report finds organizations invest heavily in individual tools to try to mitigate…
IT Pros

Connecting Your Data Strategy to Analytics: Eight Questions to Ask

Big data has ushered in a new executive role over the past few years. The chief data officer, or CDO, now joins the C-level club, tasked with leveraging data science to drive the bottom line. According to a recent executive survey, 54% of firms surveyed now report having appointed a CDO. Taking on the role is one thing, learning how to be successful is another. “A CDO’s job starts like this: a CEO, CFO…
Privacy

[Podcast] More Dr. Ann Cavoukian: GDPR and Access Control

We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD). In this segment, Cavoukian tells us that once you’ve involved your customers in the decision making process, “You won’t believe the buy-in you will get under those conditions because then you’ve established trust and that you’re serious about their privacy.” We also…
Data Security, IT Pros

Pen Testing Active Directory Environments, Part V: Admins and Graphs

If you’ve survived my last blog post, you know that Active Directory group structures can be used as powerful weapons by hackers. Our job as pen testers is to borrow these same techniques — in the form of PowerView — that hackers have known about for years, and then show management where the vulnerabilities live in their systems. I know I had loads of fun building my AD graph structures. It was even more fun…
Data Security

[Podcast] #realthreats

Next month, the world will be talking security at the annual RSA Conference, which will be held in San Francisco from February 13th to the 17th. When it comes to discussing security matters, experts often tell us to take stock of our risks or to complete a risk assessment. However, perhaps before understanding where we might be vulnerable, it might be more important to consider exactly what threats we’re really faced with. In this episode…
Data Security, IT Pros

How to set up an SPF record to prevent spam and spear phishing

Some things go together like peanut butter and jelly: delicious, delightful and a good alternative to my dad’s “Thai-Italian Fusion” dinner experiments as a kid. When other things are combined it can be terrifying: like SPF records and spear phishing. While the nuances of something as seemingly mundane as SPF DNS records can seem like a dry, boring topic for executives in your organization, you may be able to get them to pay attention to it as…