A Technologist’s Hippocratic Oath


Last month, there was a thought-provoking article on programmers who were asked to do unethical work on the job. We often talk about balancing security with precaution and paranoia, but I wondered about the balance of ethics and execution. As always, I was curious to hear the reactions from the Inside Out Security Show panel […]

Password Expert Per Thorsheim On Life After Two-Factor Authentication


Based in Norway, Per Thorsheim is an independent security adviser to governments and organizations worldwide. He is also the founder of PasswordsCon.org, an annual conference devoted entirely to passwords, PIN codes, and authentication. Launched in 2010, the conference brings together security professionals and academic researchers to better understand and improve authentication security. In part one of […]

Pen Testing Active Directory Environments, Part II: Getting Stuff Done With PowerView


In my last post, I began discussing how much valuable pen testing and risk assessment work can be done just by gathering information from Active Directory. I also introduced PowerView, a relatively new tool that helps pen testers and “red teamers” explore offensive Active Directory techniques. To get more background on how hackers have been […]

Why UBA Will Catch the Zero-Day Ransomware Attacks (That Endpoint Protection Can’t)


Ransomware attacks have become a major security threat. It feels like each week a new variant is announced: Ransom32, 7ev3n. This malware may even be involved in the next big breach. Newer variants such as Chimera threaten not only to ransom your data, but also to leak it online if you don’t pay up. These cyber […]

Life of an IT Pro


Like many in IT, you can probably commiserate with this week’s Inside Out Security Show panel – Mike Buckbee and Alan Cizenski – over having to elaborate when someone asks you, “What Do You Do for a Living?” Whether you’re a programmer or a sysadmin, the scope of your role is often multi-faceted and complex. In this […]

Understanding SQL Injection, Identification and Prevention


A Word of Caution

When you think of a website getting hacked, you might picture someone in a hoodie in a high-tech bunker (or their mom’s basement), wailing on a keyboard, controlling thousands of remote machines in coordinated attacks, while output that looks like http://hackertyper.com/ scrolls past in a blur. You probably aren’t thinking: […]

More Sheila FitzPatrick: Data Privacy and EU Law


In the next part of our discussion, data privacy attorney Sheila FitzPatrick gets into the weeds and talks to us about her work setting up Binding Corporate Rules (BCRs) for multinational companies. These are the toughest rules of the road for data privacy and security. What are BCRs? They allow companies to internally […]

The Case for Giving IT a Raise


Earlier this month at the awesome O’Reilly Security Conference, I learned from world-leading security pros about the most serious threats facing IT. Hmm, sounds like that would make a great topic to discuss with the Inside Out Security Show panel – Kilian Englert, Kris Keyser, and Peter TerSteeg. Let’s go meta. According to expert Becky […]

“Hacked Again” Author Scott Schober on Small Business Data Security, Part II


Scott Schober wears many hats. He’s an inventor and software engineer who runs his own wireless security company. He’s also the author of Hacked Again, which recounts his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. We continue our discussion with Scott. In this segment, he talks […]

Three Cybersecurity Questions Your Board Should Be Asking


It’s been widely reported that a data breach is expensive. How expensive? According to the latest Ponemon research report, the average cost of a data breach is now as high as $4 million. Despite this jaw-dropping number, not all boards, C-level executives, and major shareholders are responding adequately to protect their financial interests. Obviously, they should […]

Pen Testing Active Directory Environments, Part I: Introduction to Crackmapexec (and PowerView)


I was talking to a pen testing company recently at a data security conference to learn more about the “day in the life” aspects of their trade. Their president told me that one of the initial obstacles to getting an engagement is IT’s fear that the pen testers will bring down the system. As it […]
