January 07, 2020
In May 2015, Microsoft released a password management tool (LAPS) to combat the rising abuse of encrypted passwords (which effectively became merely encoded once Microsoft published the key) stored in Group Policy Preferences, or worse, in cleartext scripts pushed via GPO. Every domain user was able to access these preferences and scripts in the ‘SYSVOL’ share and could obtain the single local administrator password shared by all machines on the domain, which provided total lateral movement opportunities within the domain. The unavoidable problem here is that at least one user has to be able to see these LAPS passwords to administer the process. Who within your domain has this power? You might be surprised at how often this is overlooked, leaving all of these passwords available to more users than intended.
September 12, 2019
It’s not a matter of ‘if’ your organization will experience a cyber-attack, but ‘when’. That’s BSI’s approach to cyber security and information resilience, through either our advisory services or certification and training. We help thousands of organizations around the world embed excellence with a focus on Organizational Resilience. One of the best ways for organizations to manage and protect their information assets is to implement ISO/IEC 27001, the internationally recognized information security management standard. Cyber-attacks are commonplace at this point; the blog post below discusses one of the most recent: an attack on twenty-two local governments in the state of Texas. Unfortunately, this is just the latest in a string of attacks on government entities, which includes the attack on the City of Baltimore earlier this year. Below, Stephen Haywood and Tim Jensen discuss what companies should be aware of, what they need to think about, and what they can do to prepare for data breaches.
August 12, 2019
Phishing is hard. Arguably, the most important part of a successful phishing campaign is ensuring your email actually reaches the right people in the first place. This week I’m releasing Lure, a tool for helping automate target collection on phishing campaigns.