Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities in Active Directory while being forced to click six times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-read, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Data Security, Varonis News

The Data Security Money Pit: An Independent Research Study from Forrester

We recently released a study with Forrester Consulting entitled “The Data Security Money Pit: Expense in Depth Hinders Maturity.” It shows that a candy-store approach to data security, buying one point product after another, may actually hinder data protection. It also explores how a unified data security platform could give security professionals the protection capabilities they want, including security analytics, classification and access control, while reducing costs and technical challenges. The report finds organizations invest heavily in individual tools to try to mitigate…
IT Pros

Connecting Your Data Strategy to Analytics: Eight Questions to Ask

Big data has ushered in a new executive role over the past few years. The chief data officer, or CDO, now joins the C-level club, tasked with leveraging data science to drive the bottom line. According to a recent executive survey, 54% of firms surveyed now report having appointed a CDO. Taking on the role is one thing; learning how to be successful in it is another. “A CDO’s job starts like this: a CEO, CFO…
Privacy

[Podcast] More Dr. Ann Cavoukian: GDPR and Access Control

We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD). In this segment, Cavoukian tells us that once you’ve involved your customers in the decision making process, “You won’t believe the buy-in you will get under those conditions because then you’ve established trust and that you’re serious about their privacy.” We also…
Data Security, IT Pros

Pen Testing Active Directory Environments, Part V: Admins and Graphs

If you’ve survived my last blog post, you know that Active Directory group structures can be used as powerful weapons by hackers. Our job as pen testers is to borrow these same techniques — in the form of PowerView — that hackers have known about for years, and then show management where the vulnerabilities live in their systems. I know I had loads of fun building my AD graph structures. It was even more fun…
Data Security

[Podcast] #realthreats

Next month, the world will be talking security at the annual RSA Conference, which will be held in San Francisco on February 13th to the 17th. When it comes to discussing security matters, experts often tell us to take stock of our risks or to complete a risk assessment. However, perhaps before understanding where we might be vulnerable, it might be more important to consider exactly what threats we’re really faced with. In this episode…
Data Security, IT Pros

How to set up an SPF record to prevent spam and spear phishing

Some things go together like peanut butter and jelly: delicious, delightful and a good alternative to my dad’s “Thai-Italian Fusion” dinner experiments as a kid. When other things are combined it can be terrifying: like SPF records and spear phishing. While the nuances of something as seemingly mundane as SPF DNS records can seem like a dry, boring topic for the executives in your organization, you may be able to get them to pay attention to it as…
Compliance & Regulation

EU GDPR Spotlight: Do You Have to Hire a DPO?

I suspect right about now that EU (and US) companies affected by the General Data Protection Regulation (GDPR) are starting to look more closely at their compliance project schedules. With enforcement set to begin in May 2018, the GDPR era will shortly be upon us. One of the many questions that have not been fully answered by this new law (and are still being worked out by the regulators) is under what circumstances a company needs to…
Privacy

[Podcast] Dr. Ann Cavoukian on Privacy By Design

I recently had the chance to speak with former Ontario Information and Privacy Commissioner Dr. Ann Cavoukian about big data and privacy. Dr. Cavoukian is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD). What’s more, she came up with PbD language that made its way into the GDPR, which will go into effect in 2018. First developed in the 1990s,…
Data Security

Pen Testing Active Directory Environments, Part IV: Graph Fun

If we haven’t already learned it from playing six degrees of Kevin Bacon, then certainly Facebook and LinkedIn have taught us we’re all connected. Many of the same ideas of connectedness also play out in Active Directory environments. In this post, we’ll start out where we left off last time, thinking about the big picture of Active Directory users and groups. Or, more accurately, pondering the big graph of Active Directory. And the game we’re…
Compliance & Regulation, Data Security

What We Learned From Talking to Data Security Experts

Since we’ve been working on the blog, Cindy and I have chatted with security professionals across many different areas — pen testers, attorneys, CDOs, privacy advocates, computer scientists, and even a guru. With 2016 coming to an end and the state of security looking more unsettled than ever, we decided it was a good time to take stock of the collective wisdom we’ve absorbed from these pros. The Theory of Everything A good place to…
Data Security

[Podcast] Fireside Chat with the Future

Over the past few weeks, we started seeing a few new security trends that we think haven’t yet had their defining moment and that we’ll likely see more of next year. And so we reflected on the predictions we made last year and shared our annual cybersecurity predictions for 2017. Meanwhile, the Inside Out Security Show panel – Kilian Englert, Forrest Temple and Mike Buckbee – also speculated on a few things of their own based…
Varonis News

I’m Alan Cizenski, Corporate Systems Engineer at Varonis, and This is How...

Alan Cizenski is a Corporate Systems Engineer at Varonis. Based in our New York City office, he is responsible for making sure Varonis solutions work smoothly for our prospective customers. Alan helps them realize the value we can provide within their environment and maintain these relationships as they become customers. He’s also a regular panelist for the Inside Out Security show. Listen to him on our most recent episode, Is Security a Benefit or a Feature?…