Information Security News

/Information Security News

I’ll Tell You What You Need to Know

2018-06-14T13:46:43+00:00

I’ll Tell You What You Need to Know While walking past the president’s office, he sees and summons you into his office and asks if you can fix the printer on the back wall.  After astutely seeing the printer’s status panel is indicating “Out of paper,” you load paper and voila, it prints.  “Hey, you’re pretty good at this technology stuff.  Our last exam said we had to appoint an Information Security Officer that isn’t part of the IT Department.  That will be you.”  The president gets the Board of Directors to formalize the role and title, and before you [...]

I’ll Tell You What You Need to Know2018-06-14T13:46:43+00:00

Windows Update Management Tips

2018-05-31T14:54:27+00:00

Windows Update Management Tips Windows Updates…  Believe it or not, they’ve been around since the days of Windows 98.  They are often despised by end users and IT support staff because they may interrupt the workday, delay leaving at the end of the day, or they may break functionality.  Along the way, Microsoft has improved the deployment and installation process with functions such as Windows Server Update Services (WSUS).  Despite usually minor inconveniences, Windows Updates are vital to the security of your computer, your network, and your data, and should not be ignored. How does an admin know what updates [...]

Windows Update Management Tips2018-05-31T14:54:27+00:00

VPN

2018-05-24T16:50:07+00:00

Virtual Private Networks: Should you be using one? A VPN, or Virtual Private Network, allows you to create an encrypted connection to another network over the Internet.  Most users are familiar with them for connecting back to their institution’s network for remote access.  While this is one reason to use a VPN, it’s far from the only reason to use one.  In today’s environments, eaves-dropping, public Wi-Fi, and location tracking (just to name a few) pose significant issues that often result in unwanted privacy invasions or data theft. One method of helping to prevent this is using a VPN.  In [...]

VPN2018-05-24T16:50:07+00:00

GDPR is coming… but what does it mean, and why should I care?

2018-05-30T22:39:09+00:00

GDPR is coming… but what does it mean, and why should I care?If your organization hasn’t heard these four letters by now, it may not be time to panic - but it is time to learn what they mean and if they could impact organization.  Below is a brief overview intended to get you familiar with this new international regulation and hopefully answer some of the basic questions.What is the GDPR?  General Data Protection Regulation - A new set of rules (regulations) established by the European Union (EU) to give its citizens more control over their personal data.  This control means [...]

GDPR is coming… but what does it mean, and why should I care?2018-05-30T22:39:09+00:00

50 Shades of Administration – Managing Domain Admin Privileges

2018-05-17T18:58:04+00:00

50 Shades of Administration During our work, both our auditors and engineers have noticed a common issue our clients large and small have – overly permissive administration accounts.  Many times, we see all IT users given a Domain Admin account, from the greenest helpdesk tech, to the person overseeing the network.  Microsoft’s Active Directory has a couple of different ways to grant rights to a user, group, or organizational unit, allowing the target the ability to perform certain tasks without giving them the keys to the kingdom.  Here are just a couple simple examples. In the Springfield.local domain, Lisa Simpson [...]

50 Shades of Administration – Managing Domain Admin Privileges2018-05-17T18:58:04+00:00

New Easy Password Standards? Not so Fast!

2018-04-26T14:12:57+00:00

Passwords… it's no secret; most of us are really bad at creating and maintaining passwords. In fact, 81% of hacking related breaches leveraged either stolen or weak passwords. But unfortunately, passwords won't go away any time soon. Almost every resource, application, web site, and the like requires some form of username and password. Because of this, it's no surprise that almost all of us struggle to follow recommended password standards by many security experts.At the same time, attackers and their tools are becoming more and more sophisticated, enabling them to more easily steal, decrypt and/or brute force passwords, which allows them [...]

New Easy Password Standards? Not so Fast!2018-04-26T14:12:57+00:00

Mimikatz – How it is Used to Exploit your Network

2018-05-17T18:59:33+00:00

Bad Kitty How Mimikatz is used to exploit your network and what you can do about it. For this blog post I wanted to highlight a common attack vector that we often use in our penetration testing. My goal is to run through the process at a high level, and then cover some of the steps you can take to mitigate your risk. Specifically, this post will cover a memory scraping utility known as Mimikatz. Mimikatz has been out in the wild for roughly five years now, but its ability to obtain passwords is still relevant today. The tools effectiveness [...]

Mimikatz – How it is Used to Exploit your Network2018-05-17T18:59:33+00:00

Saying Goodbye to NetBIOS

2018-04-13T18:49:32+00:00

NetBIOS (Network Basic Input/Output System) was created in the early 1980's, but is surprisingly still alive and well on many networks today. Microsoft Windows still uses it for its name resolution function (often by default), when DNS is not available. Network resiliency and access to resources is a good thing, but keeping NetBIOS enabled for that reason, is not. There are many security concerns with NetBIOS; and disabling its support on your network and devices is strongly recommended. Disabling the use and support of NetBIOS can help to mitigate an attacker's ability to: poison and spoof responses, obtain a user's [...]

Saying Goodbye to NetBIOS2018-04-13T18:49:32+00:00

5 Top Laptop Security Tips

2018-04-13T18:54:03+00:00

Today's mobile workforce has generated the awareness and subsequent need for mobile security like never before. As data growth increases, the requirements set forth in new laws and regulations also demand that organizations demonstrate due-care in protecting sensitive customer data. Meanwhile, the ever-increasing amount of sensitive data continues to find its way onto laptops and adds additional threats to these devices. Because of these threats, organizations should follow a number of data protection and security best practices. Incorporating these top 5 practices can help any organization or individual protect sensitive information in order to mitigate the risk of regulatory and/or [...]

5 Top Laptop Security Tips2018-04-13T18:54:03+00:00

Penetration Test and the Vulnerability Assessment

2018-04-13T18:58:34+00:00

Penetration Test vs the Vulnerability Assessment Some say Potato, some say Patato. The term "Penetration Test" has been thrown around a lot in the Information Security industry. Some vendors and institutions use the term Penetration Test interchangeably with "Vulnerability Scan" (or Assessment), when in fact, the two define very different scopes, methodologies, and deliverables. The recently updated FFIEC Information Security Booklet discusses these types of tests and offers definitions and expectations of what is required of financial institutions in these areas. The short story is that yes, both are different, and yes, both are needed as part of an effective [...]

Penetration Test and the Vulnerability Assessment2018-04-13T18:58:34+00:00