If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.

Continue reading →

There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy to guess passwords, we use the same passwords for business access and for our personnel accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.

Continue reading →

Data breaches from stolen or lost laptops are in the news far too often. And you know it happens even more often off the news. MicroSolved’s recommendation for field laptops that may contain databases with sensitive and personal information is to encrypt the data or entire volume. Using the BitLocker feature on Windows is one such solution.
Continue reading →

Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.

Magecart, a threat actor group involved in a large amount of attacks, has a currently active campaign targeting S3 hosted sites; the attack infected these sites with malicious javascript that steals customer’s credit card data.

Their attack methodology involves specifically looking for buckets that have write permissions enabled for everyone. When one of these buckets is found, it looks for javascript in the bucket – increasing the likelihood that it’s being used to host a site, or serving assets for a site hosted elsewhere. Javascript files are then edited by the attacker and the Magecart malicious javascript is injected into it.

The javascript runs in the customer’s browser, looks for specific forms, and sends that data to another server when it is submitted. Without detailing this further, as there are many other good breakdowns of exactly what this attack entails that are available. The key take away here will be what can you do to make sure a site you have isn’t hosting this code.

Continue reading →

Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.

National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).

Continue reading →

Several paths led me to a blog on this topic. I have a friend and a close relative who are currently going through a home loan process. In addition, in a work-related project, I have been researching mortgage fraud and real estate scams. Statistics reveal about 1% of loan applications contained an element of fraud, and it has been on a general upward trend for the last decade.
Continue reading →