Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding exploitable weaknesses in Active Directory environments while being forced to click six times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-read, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Data Security

Understanding SQL Injection, Identification and Prevention

A Word of Caution: When you think of a website getting hacked, you might picture someone in a hoodie in a high tech bunker (or their mom’s basement), wailing on a keyboard, controlling thousands of remote machines in coordinated attacks, while output that looks like http://hackertyper.com/ scrolls past in a blur. You probably aren’t thinking: “I added a couple characters onto the end of a URL in my browser, now I’m committing felony unlawful access…
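The “couple of characters on the end of a URL” is the whole mechanism. The following is an added example, not code from the article above: a hypothetical user-lookup handler written twice, once concatenating the `id` query parameter into the SQL text and once binding it as a parameter, plus the boolean-based probe a tester uses to tell the two apart. The table, user names and URLs are constructed for the example; SQLite stands in for whatever database the real site uses.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    # Constructed sample table; the names and flags are made up for this example.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    con.commit()
    return con


def id_from_url(url):
    # What a request handler typically does: pull the 'id' query parameter out
    # of the URL. Percent-encoding is decoded here, so the extra characters the
    # user typed into the address bar arrive as plain text.
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(con, user_id):
    # Deliberately vulnerable: the parameter is concatenated into the SQL text,
    # so anything after the number is executed as SQL.
    query = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in con.execute(query)]


def lookup_safe(con, user_id):
    # Hardened: validate the shape of the input, then bind it as a parameter.
    # A bound value is sent as data and can never change the query's structure.
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = con.execute("SELECT username FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


def looks_injectable(lookup, con):
    # Boolean-based identification: append a true and a false condition to a
    # known-good id. If the two responses differ, the input is being parsed as SQL.
    try:
        return lookup(con, "1 AND 1=1") != lookup(con, "1 AND 1=2")
    except ValueError:
        # The hardened handler rejects the probe outright.
        return False


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, id_from_url("/users?id=1")))
    print(lookup_vulnerable(con, id_from_url("/users?id=1%20OR%201%3D1")))
    print(looks_injectable(lookup_vulnerable, con), looks_injectable(lookup_safe, con))
```

Requesting `/users?id=1%20OR%201%3D1` against the vulnerable handler returns every user, because the decoded `1 OR 1=1` becomes part of the `WHERE` clause. The hardened version rejects the same input before it reaches the database, and even an input that passed the digit check could only ever be compared as a value.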
Data Security

[Podcast] More Sheila FitzPatrick: Data Privacy and EU Law

In the next part of our discussion, data privacy attorney Sheila FitzPatrick gets into the weeds and talks to us about her work in setting up Binding Corporate Rules (BCRs) for multinational companies. These are actually the toughest rules of the road for data privacy and security. What are BCRs? They allow companies to internally transfer EU personal data to any of their locations in the world.  The BCR agreement has to get approval from…
Data Security

[Podcast] The Case for Giving IT a Raise

Earlier this month at the awesome O’Reilly Security Conference, I learned from world-leading security pros about the most serious threats facing IT. Hmm, sounds like that would make a great topic to discuss with the Inside Out Security Show panel – Kilian Englert, Kris Keyser, and Peter TerSteeg. Let’s go meta. According to expert Becky Bace, you can generalize security challenges as a cycle of new attacks and vulnerabilities, requiring damage control and remedies, and…
Data Security

[Podcast] “Hacked Again” Author Scott Schober on Small Business...

Scott Schober wears many hats. He’s an inventor, software engineer, and runs his own wireless security company. He’s also written Hacked Again, which tells about his long running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. We continue our discussion with Scott. In this segment, he talks about the importance of having layers of security in place to reduce the risks of an attack. Scott also points out…
Data Security

Three Cybersecurity Questions Your Board Should Be Asking

It’s been widely reported that a data breach is expensive. How expensive? According to the latest Ponemon research report, the average cost of a data breach is now as high as $4 million. Despite this jaw-dropping number, not all boards, C-levels, and major shareholders are adequately responding to protect their financial interests. Obviously, they should be. After all, there are only two types of companies: those that have been breached and those that don’t know…
Data Security

Pen Testing Active Directory Environments, Part I: Introduction to crackmap...

I was talking to a pen testing company recently at a data security conference to learn more about “day in the life” aspects of their trade. Their president told me that one of their initial obstacles in getting an engagement is fear from IT that the pen testers will bring down the system. As it turns out, IT has really nothing to be concerned about. Some of the most interesting pen testing can be done…
Data Security

[Podcast] “Hacked Again” Author Scott Schober on Small Business...

Scott Schober wears many hats. He’s an inventor, software engineer, and runs his own wireless security company. He’s also written Hacked Again, which tells about his long running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. In the first part of our interview, Scott tells us about some of his adventures in data security. He’s been a victim of fraudulent bank transfers and credit card transactions. He’s…
Data Security

[Podcast] Making Security Great Again

Since October was Cyber Security Awareness month, we decided to look at what’s holding back our efforts to make security—to coin a phrase—“great again”. In this episode of the Inside Out Security Show panel – Kilian Englert, Kris Keyser, and Mike Buckbee – shared their thoughts on insider threats as discussed on a recent Charlie Rose show, the brilliant but evil use of steganography (the practice of concealing a file, message, image, or video within…
IT Pros

Definitive Guide to DNS TTL Settings

DNS is a foundational piece of technology. Nearly every higher level network request, all internet traffic, web searches, email, etc. rely on the ability to resolve DNS lookups (translating names such as some.domain.org into IP addresses, or into other names via CNAME records). We wanted to write about Time To Live (TTL) because most sysadmins don’t interact with DNS configurations on a daily basis, and much of the information that’s out there is based upon half-remembered war stories handed down…
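The TTL lives in every answer record of a DNS response, and a resolver honours the smallest one in a CNAME chain. As an added illustration that is not part of the guide above, this Python script builds a constructed DNS response message for a hypothetical `www.example.com` (a CNAME with a 300-second TTL pointing at a host whose A record has a 60-second TTL, using an address from the documentation range), then parses it back with a minimal RFC 1035 wire-format parser that handles name compression pointers, and reports how long the whole answer can actually be cached.

```python
import ipaddress
import struct

TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name):
    # RFC 1035 wire form: length-prefixed labels, terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset_after_name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Pointer: the rest of the name lives elsewhere in the message.
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def build_response(question, answers, ident=0x1234):
    # Constructed response: standard-response flags, one question, N answers.
    # Owner names equal to the question are emitted as a pointer to offset 12.
    msg = struct.pack("!6H", ident, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(question) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, ttl, value in answers:
        owner = b"\xc0\x0c" if name == question else encode_name(name)
        rdata = ipaddress.IPv4Address(value).packed if rtype == TYPE_A else encode_name(value)
        msg += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_answers(msg):
    """Return [(owner, type, ttl, value)] for each answer RR in a response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response message")
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = str(ipaddress.IPv4Address(msg[off:off + rdlen]))
        elif rtype == TYPE_CNAME:
            value, _ = decode_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, ttl, value))
    return answers


def cache_lifetime(answers):
    # A resolver can only keep the whole chain valid for the smallest TTL in it.
    return min(ttl for _, _, ttl, _ in answers)


# Constructed sample: www.example.com is a CNAME (TTL 300) to a host whose
# A record carries a much shorter TTL (60). 192.0.2.10 is a documentation address.
SAMPLE = build_response(
    "www.example.com",
    [("www.example.com", TYPE_CNAME, 300, "web.example.com"),
     ("web.example.com", TYPE_A, 60, "192.0.2.10")],
)

if __name__ == "__main__":
    for rr in parse_answers(SAMPLE):
        print(rr)
    print("effective cache lifetime (s):", cache_lifetime(parse_answers(SAMPLE)))
```

The point to take from the output is that setting a long TTL on the CNAME does not buy a long cache life if the target’s A record is short, so when planning a cutover the record to lower is the one at the end of the chain. The parser here covers only what the sample needs (A and CNAME, IPv4); a production tool would handle the remaining record types and the authority and additional sections.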
Data Security

Overheard: “IT security has nothing to learn from the Mirai attack”

After my post last week on the great Mirai Internet takedown of 2016, I received some email in response. One of the themes in the feedback was, roughly, that ‘Mirai really doesn’t have anything to do with those of us in enterprise IT security’. Most large companies probably don’t have hackable consumer-grade CCTV cameras or other low cost IoT gadgetry that can be de-authed and taken over by the neighborhood teenager.  At least we hope…
Data Security, Privacy

[Podcast] Data Privacy Attorney Sheila FitzPatrick on GDPR

We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy advisory boards. During this first part of the interview with her, we focused on the new General Data Protection Regulation…
Data Security

The Mirai Botnet Attack and Revenge of the Internet of Things

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.” Privacy by Design is…