Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities using Active Directory while being forced to click six-times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-ready, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Get The Ebook Now
Or check it all out online, here.
Data Security

[Podcast] Details Matter in Breaches and in Business

With one sensational data breach headline after another, we decided to take on the details behind the story because a concentrated focus on the headline tends to reveal only a partial dimension of the truth. For instance, when a bank’s sensitive data is compromised, it depends on how as well as the what. Security practitioner Mike Buckbee said, “It’s very different if your central data storage was taken versus a Dropbox where you let 3rd…
Data Security

The Difference Between E3 and E5 Office365 Features

Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and Office 365 products. If you’re an enterprise that is concerned about data breaches, ransomware or insider threats, it’s unlikely that you would not upgrade your base (E3) Azure license to the slightly more expensive but worthwhile E5. Note: It’s a licensing distinction, not a technical…
Compliance & Regulation

North Carolina Proposes Tougher Breach Notification Rules

If you’ve been reading our amazing blog content and whitepaper on breach notification laws in the US and worldwide, you know there’s often a hidden loophole in the legalese. The big issue — at least for data security nerds — is whether the data security law considers mere unauthorized access of personally identifiable information (PII) to be worthy of a notification. This was a small legal point until something called ransomware came along. You have…
Compliance & Regulation, Data Security

How to Discover GDPR Data With Varonis

GDPR goes into effect in less than 85 days – but there’s still time to prepare. The first step in getting ready for the upcoming deadline is to discover and classify your GDPR data. More often than not, we’re seeing that customers have much more GDPR eligible data than they thought they had – or even knew existed. A recent GDPR Readiness Assessment for a mid-sized insurance company revealed some eye-opening results. In the below…
Data Security

GDPR Data Protection Supervisory Authority Listing

The DPA (Data Protection Authority) is the agency within each European Union country that is responsible for GDPR (General Data Protection Regulation) assistance and enforcement. What’s the difference between a Data Protection Authority and a Supervisory Authority? A Data Protection Authority handles reports of data breaches, mediates issues like data subject access requests and works to educate their country about best practices in keeping digital data secure. The Supervisory Authority is which particular Data Protection…
Data Security
computer with data

Do Americans Ever Change Their Passwords?

Just how cautious are Americans when it comes to cybersecurity? In today’s hyper-connected, highly-digitized society, data breaches are becoming increasingly commonplace. And they affect both corporations and individuals. In 2017 alone, the Equifax breach — considered by some to be the worst security breach in recent history — put 145.5 million Americans at risk of exposed information and identity theft. Additionally, a Gmail phishing attack last year put 1 million users at risk of exposed…
Data Security

[Podcast] Innovate First, Deliver PSAs Later

Today even if we create a very useful language, IoT device, or software, at some point, we have to go back to fix the security or send out PSAs. Troy Hunt, known for his consumer advocacy work on breaches, understands this very well. He recently delivered a very practical PSA: Don’t tell people to turn off Windows update, just don’t. We also delivered a few PSAs of our own: cybercriminals view our Linkedin profiles to…
IT Pros

Adventures in Malware-Free Hacking, Part IV

For this next post, I was all ready to dive into a more complicated malware-free attack scenario involving multiple stages and persistence. Then I came across an incredibly simple code-free attack — no Word or Excel macro required! — that far more effectively proves the underlying premise in this series: it ain’t that hard to get past the perimeter. The first attack I’ll describe is based on a Microsoft Word vulnerability involving the archaic Dynamic…
Data Security

GDPR Requirements in Plain English

You just want to answer the question: “What do I need to do for GDPR?” Maybe you’ve worked your way through a few online quizzes to test for GDPR readiness or skimmed an article that made some vague suggestions. You might even have attempted to read the source European Parliament on General Data Protection Regulation 4.5.2016 L 119/1 only to find that the human nervous system was designed to violently reject exposure to such dense…
Compliance & Regulation

Post-Davos Thoughts on the EU NIS Directive

I’ve been meaning to read the 80-page report published by the World Economic Forum (WEF) on the global risks humankind now faces. They’re the same folks who bring you the once a year gathering of the world’s bankers and other lesser humanoids held at a popular Swiss ski resort. I was told there was an interesting section on … data security. And there was. Data security is part of a report intended to help our world…
IT Pros

12 Ways Varonis Helps You Manage Mergers and Acquisitions

How Varonis Helps with Mergers and Acquisitions A well-constructed Merger & Acquisition (M&A) playbook reduces the overall time, cost and risk of the upcoming merger and/or acquisition. Gartner advises that organizations who intend to grow through acquisitions involve the CIO and IT teams early in the process by “sharing models with their business executives that raise the right questions and issues to consider.” Further, according to Gartner analysts Cathleen E. Blanton and Lee Weldon, CIOs…
Data Security

Adventures in Malware-Free Hacking, Part III

After yakking in the last two posts about malware-free attack techniques, we’re ready to handle a dangerous specimen. The Hybrid Analysis site is the resource I rely on to find these malware critters. While the information that HA provides for each sample —system calls, internet traffic, etc. — should be enough to satisfy a typical IT security pro, there is some value in diving into one of these heavily obfuscated samples to see what’s actually going…