Used to be that you had to be rich to afford servants. And what a perk they were! They would perform all types of services for you, which gave you more leisure time and less toil. However, servants came with a price beyond their paychecks and livery. With servants around all the time, you could never be really sure of your privacy. You had to watch what you said and where you said it. You also had to be careful of your state of dress, actions and personal hygiene. If you failed to be discreet, you might get nasty surprises in the form of ridicule and embarrassment. If you were a military man or government official, you could even face such consequences as loss of secret information and official censure.
Cyber Security Month – Threats to Legal Sector
October is Cyber Security Month!
What’s the data leakage that DLP can’t detect?
During our engagements, we routinely look for source code or other internal sensitive information that could have been inadvertently posted. The team has been doing this as part of our standard engagements for quite a while, and we routinely identify information through this method that clients are always thankful to be notified about. “But I have DLP!” – quite frequently, DLP won’t detect uploads to sites like Pastebin or GitHub.
Leverage Risk Assessment to Inform Your Annual Security Budget
If yours is like most organizations, you have a policy or requirement of periodic (usually annual) risk assessment. Financial organizations and medical concerns, for example, fall under this requirement. Also, many organizations that have no regulatory requirement to perform risk assessment perform one as a matter of best practice. And since you are doing one anyway, you might as well get maximum use from it.
It is the season when many concerns are allocating resources for the coming year. The information security budget is usually limited, even if it is adequate to protect the system and the information it contains. It is therefore very important that information security dollars be allocated wisely, and to maximum effect. To make a wise decision, you need to have the best and most current information. The results of an enterprise-level risk assessment are an excellent source of such information.
Ransomware – payment as business plan?
CBS News recently did an interesting piece on ransomware, and the various reasons that businesses may choose to pay the ransom.
These ransom payments can range from a few thousand dollars – Leeds, Alabama negotiated their attacker down from $50,000 to $8,000 – to half a million dollars or more.
On the flip side of the coin, Atlanta, GA decided not to pay a ransom demand of approximately $50,000 – instead spending upwards of $17 million to recover from the attack.
Make the Most of Your IT Inventories
If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.
IAM: We Should Use All the Factors We Can
There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy-to-guess passwords, we use the same passwords for business access and for our personal accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up, and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.
Zelle…quick, easy, and…problematic?
BitLocker – To PIN or not to PIN
Data breaches from stolen or lost laptops are in the news far too often. And you know it happens even more often than the news reports. MicroSolved’s recommendation for field laptops that may contain databases with sensitive and personal information is to encrypt the data or the entire volume. Using the BitLocker feature on Windows is one such solution.
New Attacks Against Misconfigured Amazon S3
Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud-based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.
Magecart, a threat actor group involved in a large number of attacks, has a currently active campaign targeting S3-hosted sites; the attack infects these sites with malicious JavaScript that steals customers’ credit card data.
Their attack methodology involves specifically looking for buckets that have write permissions enabled for everyone. When one of these buckets is found, the attacker looks for JavaScript in the bucket – increasing the likelihood that it’s being used to host a site, or to serve assets for a site hosted elsewhere. The attacker then edits those JavaScript files and injects the Magecart malicious JavaScript into them.
The JavaScript runs in the customer’s browser, looks for specific forms, and sends that data to another server when the form is submitted. We won’t detail this further here, as there are many other good breakdowns available of exactly what this attack entails. The key takeaway here is what you can do to make sure a site you have isn’t hosting this code.