Simplified Guidance on Developing a Cyber Security Baseline for the CIO and CTO

Developing a cyber security baseline can be daunting. Oftentimes the burden falls on the Chief Information Officer or Chief Technology Officer. Before implementing any tool or assessments, management should establish a security baseline.

Meltdown and Spectre – A Quick Overview

Bottom Line Up Front Security Researchers have publicly disclosed the details of CPU design flaws that are the result of design decisions made industry wide more than a decade ago to speed up processing and allow a computer’s processor to access information before it was needed. The resultant vulnerabilities, Meltdown and Spectre both exist outside[…]

Takeaways from SANS SEC560- Ethical Hacking and Pen Testing

This past week I completed the SANS SEC560 – Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training. A Quick Overview of the SANS 560 Class Experience Curriculum Overview SANS[…]

The WPA2 KRACK Vulnerability and Potential Mitigation Steps

This week, Belgian security researcher Mathy Vanhoef released a research paper documenting his discovery of a serious weakness in the WPA2 wireless protocol, which is used to secure all modern protected Wi-Fi networks. The exploit uses a technique called a Key Reinstallation Attack (or KRACK for short), which exploits a weakness in the way that[…]

Privileged Access Workstations (PAW): A Mitigation Strategy for Pass-the-Hash, Phishing, Credential Theft Attacks and more

The Windows IT Administrator tends to be the most high-risk user in the organization. IT Administrators have the potential to perform everyday user tasks with domain admin level accounts; they are most likely to have the ability to use external media in their PCs freely; and, even in the case where the admin user is thoughtfully[…]

Developing an IT Audit & Security Plan for Microsoft Office 365

Our team was recently tasked with developing an audit plan for Microsoft Office 365. While there are plenty of tools available to assist organizations with performing ongoing audits of user privileges and object permissions in Microsoft Office 365, we were hard pressed to find any solid thought leadership on auditing Office 365 beyond user and[…]

Symantec, Illegitimate Certificates & Why We Should Care

In 2015, Symantec was caught issuing improperly signed cryptographic certifications which could be used to break HTTPS and put internet users at risk. Some of the improperly issued certificates were issued to Google owned domains, which if used maliciously, could allow for impersonation of HTTPS protected Google websites. Understandably, Google was very upset and responded[…]

Advice for Studying and Passing the CISSP Exam

This past week I sat for the (ISC)2 CISSP exam and passed on my first attempt! With the entire preparation and test taking experience still fresh on my mind, I felt I should take time to document my experience and study approach similar to when I sat for the CISA exam last year. What is[…]

How to Read a SOC Report (with Presentation)

Virtually all businesses rely on third party service providers. These third parties may range from common offerings like payroll and payment processing providers to specialized SaaS applications and solutions, or may even be leveraged to replace entire divisions of a business (e.g. technical support or IT security). To gain confidence in, and an understanding of[…]

Securing Corporate Wireless Access Points (WAPs)

The set of controls and conditions IT auditors look for during assessments of Wireless Access Points (WAPs) tends to vary auditor to auditor. In some cases, the IT auditor may make great suggestions for controls I have not seen many organizations put into place while in other cases, the auditor might point out the absence[…]