2024-12-15// PRIVACY

Why Encryption is Good

Privacy is a big topic, and it ties into encryption. Our data is tracked, compiled, and leaked — and encryption is the best tool we have to keep it out of the wrong hands.

Privacy is a big topic, and it ties into encryption.

Our data, from the news sites we visit to our social media and purchases, is tracked and cataloged. This data is sometimes compiled from different sources to create profiles for each user. Most of the time, this information is provided by non-voluntary measures; however, sometimes, we offer it even if it's not required.

Maybe you're thinking a VPN could block some of this tracking, or a DNS service could help. It could help a bit, but tracking now is so sophisticated that it's unclear how much that moves the needle. Your credit card transactions will work against you, and the amount of things required to do business on the Internet will likely create a trail that's hard to shake.

With every data breach, more of our data is leaked: name, address, phone number, age, gender, and email. Other data points often collected are ethnicity, income level, voting registration, and occupation. This amount of information, pieced together from various breaches, could be used maliciously — in the same way advertisers target us using this data, hackers are likely doing the same.

How Do We Prevent This?

We can't. Too many companies collect our data. There are companies neither of us has heard of that have profiles on us and everyone we know. These profiles are used for split-second advertising auctions that determine the ad you see — or even the commercial on your streaming service.

Since we can't stop it, what can we do? Good IT practices are required to secure data, but most importantly, data must be handled carefully — specifically encrypted. That means it's only readable with a second factor (usually a key) to decrypt it, whether in transit or at rest. If a hacker steals encrypted data and can't obtain the key, that data is useless to them.

Regulatory Frameworks

Compliance requirements create the frameworks needed to protect data. PCI requires audits for companies processing credit card transactions. GDPR and NIS 2 address data collection for Europeans and create requirements for storing and deleting user data. FedRAMP covers cloud-based government contractors. Most companies collecting data on US citizens, however, face few regulations today.

Why Encryption is Good

Encryption ensures confidentiality and integrity. It renders data unreadable outside the intended parties. It applies in two scenarios:

At rest — stored data, like a network share drive or SharePoint.
In transit — moving data, like credit card transactions.

Now imagine if the government wanted a backdoor in encryption standards. Every financial transaction — from Amazon to FanDuel — must be encrypted to prevent snooping. A backdoor in the encryption protocol would shake confidence in every online transaction. Any security professional understands the CIA triad: confidentiality, integrity, and availability. An encryption protocol with a back door is simply not secure.

The next time you bet on FanDuel or make a purchase on Amazon, consider how much you're counting on your information being encrypted securely.

Without encryption, online transactions would not be possible. Please think twice before assuming encryption is a bad thing.

2023-12-03// PRIVACY

Giphy…

Some of you know the name, some of you don't. But if you've got Giphy integrated into your keyboard — you should know exactly what access you're granting it.

Giphy is an application for searching and applying GIFs on your device — and it can be integrated directly into your keyboard for easy access. But should it?

Everyone already knows data is the new gold. Every application you download most likely collects data about you to some extent — from Twitter to TikTok, every app tracks what you do, what you buy, where you go, and what you search for.

Giphy:

Instagram: Privacy Settings for Giphy

The Keyboard Problem

You use your keyboard to enter everything inputted into your phone. Every password, every piece of sensitive data passes through it — which makes any application with keyboard access extremely risky. If Giphy were ever compromised, malicious parties would have access to users' keystrokes. It's a bit of a stretch, but it's within the realm of possibility given the access level Giphy requests.

What I Do Instead

I still have Giphy installed, but I avoid allowing it keyboard access. Instead, I open the app, find the GIF I want, and copy-paste it where needed. It's not as seamless, but it's not difficult either.

Giphy is a fine company — but that level of access is too high for essentially any company. Worth noting: Giphy was previously owned by Meta and was recently sold to Shutterstock. From my experience, Facebook and Instagram are the worst offenders when it comes to data collection — pulling financial, health, and sensitive data in addition to behavioral tracking. You truly are the product when using those platforms.

2023-07-12// SECURITY

Phishing

Trust No One. Phishing has advanced well past obvious spelling errors. Here's what to watch for and how to protect yourself and your organization.

When reading an email from an unknown — or even a known — source, it pays to be skeptical.

Don't open unknown attachments. They could contain anything.
Don't click links in emails — they can lead to falsified login pages built to steal your credentials.
Don't reply to suspicious senders. At a minimum, it confirms your inbox is active.

Phishing has advanced significantly. The old tricks for identifying an attempt can't be relied upon anymore. Those annual phishing refresher courses your company offers can feel tedious, but they contain genuinely useful information.

Cyrillic Homograph Attacks

One example of phishing advancement is the use of Cyrillic characters. Roman letters are what most English speakers use daily. Cyrillic characters can mimic roman letters closely enough to fool the eye, while leading to completely different — and usually malicious — destinations. Multiple documented examples exist of URLs using different language characters to trick users into entering credentials on fake login pages.

What You Should Do

Avoid clicking links in emails. Normalize typing URLs directly into the address bar instead.
Standardize an internal email subject header that outside senders wouldn't know — this helps teammates identify legitimate internal emails.
Enable Two-Factor Authentication on everything. Good password practices plus MFA go a long way.
Use different passwords for every website. If one is compromised, attackers test it everywhere. Use a password manager with randomly generated credentials.

2023-04-15// INFOSEC

Life at an Enterprise

Two years working inside a large enterprise organization has been a vastly different experience from consulting. Being behind the curtain gives you a new perspective on what really matters.

During the last two years I've been working at an enterprise company — a new experience. Previously I worked for various IT consulting and IT assessor firms. Two years ago I joined a large organization and have worked on a compliance team for an enterprise software company. It's been a vastly different experience that has taught me several lessons.

What I've Learned

Fundamentally, mistakes in domains such as access control and asset management will continuously come back to haunt an organization. If these two foundational controls aren't built on a strong foundation, an organization can't defend itself against an audit — let alone an actual security threat.

Threat hunting is a term I hear a lot now. Cutting-edge tools can help, but at the end of the day, knowing what's in your environment and who has access to it is still the foundation of security. A strong foundation — limiting access to need-to-know and maintaining an accurate, up-to-date inventory — will go a long way. More to come.

2020-12-30// VULNERABILITY

Vulnerability Management

A lot of ambiguity exists around how to properly manage vulnerabilities. Here's a complete breakdown of what a mature vulnerability management program actually looks like.

A proper vulnerability management program encompasses multiple teams, tools, and processes with the common goal of securing the environment. A mature program produces regular metrics and enables continuous improvement.

Before You Scan

Before performing vulnerability scans, a few things must be considered. What should be scanned? How should different segments be treated — is one zone PCI and another HITRUST, while dev is out of scope? Once scope is identified, you need to discover your assets.

Asset Discovery

Keeping a valid asset inventory is not glamorous, but it is critical and often overlooked. Once assets are discovered, confirm ownership — who is responsible for patching them? Then assign criticality ratings based on business function. The inventory should include asset name, owner, criticality, location, serial number, key software, OS version, and other relevant info.

Identifying Vulnerabilities

A vulnerability scan combines automated and manual tools run against external and internal systems to expose potential vulnerabilities. Scans should be performed at minimum quarterly and after any major environmental changes. PCI requires quarterly external scans from an approved vendor. HITRUST also requires quarterly scanning.

Evaluating and Prioritizing

Findings typically range from critical, high, medium, and low — based on the CVE system maintained by MITRE since 1999. The CVSS score has three parts: Base, Temporal, and Environmental. A high vulnerability on a non-externally-exposed system rates lower than the same vulnerability on a public-facing web server. Use a defined methodology to make these comparisons consistently.

Remediation

Remediation should be tracked in a central ticketing system. Key metrics include mean time to detection, mean time to remediation, average window of exposure, and percentage of systems without critical or high vulnerabilities. A vulnerability management program should include IT (who performs remediation), Security (who manages and oversees), and a management-level representative for approvals and buy-in.

2020-06-02// CLOUD

We've Moved to the Cloud — Now What?

One common misconception about moving to the cloud is that it's secure by default. It's not. The same old boring security practices still apply — plus a few new ones.

Cloud environments make a lot of sense for businesses of all types. They're highly available, scalable, and make disaster recovery far easier. But one misconception about migrating to the cloud is that it's secure by default. That's only partially true.

AWS, for example, uses a deny-all policy for security groups by default — which is a best practice. But the security of your hosts and services remains your responsibility. An application only used by employees should limit access to those employees specifically. A public-facing application needs broader access and a different set of protections.

Layered Defense

Making a system secure requires multiple layers of protection. The same concepts apply whether in the cloud or on-premises: create a strong perimeter, shut down unused services, use a default deny-all rule, and require MFA for remote access. Beyond the perimeter, file and network access should be limited to user role — standard users don't need privileged rights. A full program also requires:

Centralized Access — One system for all user info, where permission changes propagate instantly.
Centralized Monitoring — All device logs flowing to a SIEM or Syslog server for alerting and metrics.
Network Detection/Prevention Systems — Inline systems detecting and preventing malicious traffic based on network behavior.
Application Firewalls — Required for any internet-exposed application you own.

Your new and exciting cloud hosting still requires the same old boring security practices that kept your on-premise servers secure.

Pick your vendors and contractors wisely. Mistakes in either direction — a false sense of security or wasteful remediation for misunderstood requirements — can be costly. Check credentials, ask for references, and hold real conversations before signing on.

2020-05-06// CLOUD

Is It Time to Move to the Cloud?

The pandemic forced organizations to go remote overnight. Now that the dust has settled, moving to the cloud isn't just smart — for many businesses, it's overdue.

As out-of-office work became the norm, businesses must address the security of their remote workforce. Early in the pandemic, businesses were forced to adapt on the fly. Now we must pivot from making things work to making things work securely.

A common problem for mid-sized organizations was VPN bandwidth limits — most appliances are built for under 100–200 concurrent users. Once that threshold is hit, the device becomes unstable for everyone. High-availability pairs or secondary appliances can help, but they double the cost.

The Problem with VPNs

VPNs provide network-layer access that is often unrestricted — a user frequently gets access to the entire network if it isn't segmented. Zero Trust addresses this directly: all hosts get zero trust, and access requires the same authentication process regardless of connection origin. Zero Trust and cloud computing work very well together. If you're moving to the cloud, that's the ideal moment to implement it.

Before You Make the Move

Ask yourself: Will the move be cost-effective? Will it satisfy your compliance regulations, business agreement obligations, and legal requirements? For most organizations, the answer to all of these is yes. Just don't forget the basics once you're there — limit user permissions, review access regularly, patch frequently, use secure protocols, and conduct user awareness training.

2020-04-03// RISK

Technical Risks of Third Parties

Every vendor, contractor, and API integration is a potential attack vector. Third Party Risk Management has become a vital function — and with good reason.

A third party is any contractor, business associate, partner, vendor, or volunteer working within your organization. Every third-party relationship introduces additional risk — but the level of risk depends entirely on who they are and what access they have.

Types of Third-Party Connections

Connections come in various forms: web APIs exchanging data between systems, traditional remote VPN or Citrix access, Site-to-Site VPNs between corporate networks, or SFTP file exchanges. Site-to-Site VPNs carry the highest risk — they're a constantly open connection. If one must exist, use a strict deny-all rule and only allow specifically required traffic through the tunnel. SFTP with unique credentials and source IP validation is a more controlled option for file exchange.

What Every Organization Should Be Doing

Include, review, and update contract language in BAAs addressing third-party security requirements.
Track which contractors have access to what systems — detail IP addresses, ports, and protocols for every connection.
Regularly verify unique IDs are in place for all users with the appropriate privilege levels.
Test monitoring to ensure it's working correctly — especially for third-party users.
Verify secure protocols are used for all transmission of sensitive information.
Verify stored PHI is encrypted at rest.

It's better to discover the can of worms now than to find yourself making headlines for the wrong reasons.

2020-02-01// SECURITY

What Do You Gain by Performing a Penetration Test?

Vulnerability scans tell you where the holes are. Penetration tests tell you what happens when someone actually tries to walk through them. Here's why the difference matters.

If a device is exposed on the Internet, it has the possibility of being compromised. Organizations can't avoid exposing some services — VPNs, SFTPs, HTTP logins, APIs — and these frequently become targets. Hackers scan the internet for known ports, discover your services, and test your defenses. How will they hold up?

Vulnerability Scan vs. Penetration Test

A vulnerability scan is a high-level automated assessment that identifies system versioning, exposed services, and associated risk. It determines whether configurations follow best practices and whether patching is occurring. A penetration test goes further — it uses that information and additional probing to actually attempt exploits, giving you a live assessment of real-world attack techniques.

During a pentest, an ethical hacker will also commonly attempt social engineering — spraying phishing emails to obtain credentials or trick users into entering them on a fake site. According to the Verizon DBIR 2017, 90% of all incidents and breaches included a phishing element.

Types of Penetration Tests

Web Application Testing — Tests an application for weaknesses at the application layer.
Internal Testing — Simulates an insider threat, such as a compromised remote user's credentials granting VPN access to an attacker.
External Testing — The most common. Simulates a hacker with no prior knowledge of your infrastructure, attacking only your external footprint.

In 2019, Recorded Future reported on the 100th publicly reported state or local government hit with ransomware. These numbers should motivate every organization to bolster their InfoSec budgets — for both better defenses and security awareness training.

2019-09-14// NETWORKING

An Assessor's Thoughts on Split Tunneling

Should your remote VPN users be allowed to browse the public internet while simultaneously connected to your corporate network? Here's how to think through it.

Split tunneling allows a remote VPN user to access the public internet and corporate resources simultaneously — using their local ISP for general browsing while routing business traffic through the VPN.

The Security Problem

The biggest risk of enabling split tunneling is the loss of defense-in-depth. By enabling it, you create an open connection that sends and receives traffic without passing through your organization's perimeter security — firewall, IPS, or IDS. Your organization cannot monitor the remote device's web traffic, and if that device gets infected with malware, the infection could spread across the VPN into your network. DLP controls may also be completely bypassed since exfiltrated data won't pass through your monitoring infrastructure.

When It Might Be Acceptable

The decision comes down to three questions: Does a compliance requirement prohibit it? Does the benefit outweigh the risk? How much trust do you have in the users who would use it? HITRUST has a specific requirement prohibiting split-tunnel VPNs, but only for larger organizations.

If You Must Allow It

Mitigations should include a valid BAA requiring the third party to enforce security controls on remote workstations, user training and a signed acceptable use policy, and a VPN agent that performs a health check verifying OS patches, AV installation, and update status. Most importantly — implement strong network segmentation so remote users can only reach the systems they actually need. Strong segmentation can be the deciding factor between a minor breach and a massive one.

2019-06-08// CAREER

Advice for Prospective Info Sec Careers

Before you decide on a career path in security, know that there are very different avenues — they require different skillsets, different backgrounds, and different mindsets.

I'm not an expert. I've had the benefit of meeting smart people who helped me along the way — and because of that, I feel a responsibility to pass it on.

Information Security Consultant

Info Sec Consultants work with clients or their organization to achieve strong compliance positioning. It's a less technical role than engineering. The work involves a heavy focus on policy and procedure documentation, aligned to frameworks like NIST CSF or ISO 27001. To succeed, you need strong reading comprehension, excellent writing skills, and an eye for detail. A bachelor's degree matters more here — advanced writing experience is critical.

I've met Info Sec professionals with little IT experience, and there's a real learning curve. If you don't understand what a control does, you can't properly assess it. The worst thing an inexperienced team member can do is make assumptions about technologies they don't understand.

Security Engineer

Security Engineers need a strong technical IT background — networking, server administration, access controls, web services, and secure communications at a minimum. Programming and report writing are also extremely helpful. Day-to-day work varies widely: reviewing vulnerability scans, parsing logs, implementing projects, automating tasks, responding to alerts, and coordinating with compliance. Two routes lead here: a computer science degree with a programming foundation, or starting in IT and learning the infrastructure from the ground up — which was my path.

In Security, you can truly advance as far as your capability and determination will take you.

Either way, this job doesn't end when you clock out. Security engineers who thrive will tell you that spending free time reading about new threats and building new skills is a regular occurrence. The field moves fast — it doesn't take long to become obsolete.

2019-05-09// NETWORKING

Zero Trust Architecture and the Future of Networking

In today's networks, having a strong perimeter defense is not sufficient. Zero Trust — never trust, always verify — is changing how security is architected at every level.

Strong networks implement additional defenses to protect internal boundary points, varying between segments that house data of different sensitivity levels. But we shouldn't stop there. Zero Trust architecture follows the never trust, always verify model — and does not assume that traffic within the same zone is safe.

Where It Came From

John Kindervag developed the concept of Zero Trust in 2010. In January of the same year, Google announced they had been hacked by what was believed to be an Advanced Persistent Threat from the Chinese government. That led Google to implement Zero Trust architecture throughout their network.

How It Works

Zero Trust requires multiple authentication methods for every access request, regardless of where the user is located. In practice, this typically involves:

A username and password tied to a centralized identity management system (Active Directory or LDAP)
Multi-Factor Authentication via a soft token or one-time password to a mobile device
A device certificate issued to the endpoint at deployment

This model simultaneously authenticates the user, the device, and the session — with all transmissions encrypted over SSL. An added benefit: the Zero Trust portal console maintains an inventory of devices and their access rights, which is invaluable when an assessment is approaching.

What This Means Going Forward

As IoT medical devices become more prevalent and patients transmit health data from wearables over the internet, Zero Trust will be the architecture those devices rely on. SDN and Zero Trust will fundamentally change how networking works — and these changes are coming quickly.

That said, newer techniques don't eliminate the need for basics. If a company doesn't have an updated asset list, has never tested a backup restore, or has never audited user accounts, they're asking for trouble regardless of what tools they've deployed. Companies rarely have resources to find every deficiency — which makes choosing the right assessment partner one of the most important decisions an organization can make.

2019-05-05// TIPS

Tips for Everyday Security

As any IT or security person knows, we're often asked what a normal person can do to stay secure. Here are ten practical steps that actually make a difference.

These changes will make accessing your accounts more cumbersome. But consider this: if it's harder for you, imagine how much harder it is for an attacker.

// Step 1 — Use Tougher Passwords

Use 10 or more characters with a mix of lowercase, uppercase, numbers, and symbols. Better yet, use a password manager with a random generator set to 16 characters or more. A truly random 16-character password is essentially impossible to crack via brute force.

// Step 2 — Use Different Passwords for Every Site

Yes, it's a pain. But when one site is breached and you've reused passwords, attackers test that combo everywhere. At minimum, use unique passwords for any account tied to your money.

// Step 3 — Enable Multi-Factor Authentication

Enable MFA on every account that supports it — especially banks and financial services. Use an authenticator app over SMS when possible, and never use email as your MFA method.

// Step 4 — Limit What You Share Online

Facebook, LinkedIn, Instagram — all treasure troves of personal data that attackers use to craft targeted attacks. If I see you went to Hawaii in 2014, "Hawaii2014" goes on my attack list.

// Step 5 — Turn Off Unused Services

Turn off Bluetooth when not in use. Turn off sharing. Cover your laptop camera. Know that having a smartphone means trading some privacy for convenience.

// Step 6 — Nothing Is Free

If you provide information to a company, they will likely sell it. Think before giving out your phone number, address, or email — and ask yourself whether you actually need to.

// Step 7 — Trust No One on the Phone

Microsoft won't call you. If someone calls pressuring you for money, it's a scam. If it might be legitimate, get a name and extension, look them up independently, then call back.

// Step 8 — Don't Click Email Links

If you click a link and arrive at a login page — stop. Close it. Open a new tab and navigate directly to the site yourself. This single habit eliminates the majority of phishing risk.

// Step 9 — Use an Ad Blocker

uBlock Origin and Adblock are solid options. Ad blockers prevent malicious advertisements that can silently install malware on your device.

// Step 10 — Avoid Public WiFi for Financial Transactions

Avoid logging into financial accounts over public WiFi when possible. If you must use public or hotel WiFi for sensitive activity, use a private VPN to encrypt that traffic over the wireless connection.

Security Jawn

// thoughts on tech, security, history and everything in between

Why Encryption is Good

Giphy…

Phishing

Life at an Enterprise

Vulnerability Management

We've Moved to the Cloud — Now What?

Is It Time to Move to the Cloud?

Technical Risks of Third Parties

What Do You Gain by Performing a Penetration Test?

An Assessor's Thoughts on Split Tunneling

Advice for Prospective Info Sec Careers

Zero Trust Architecture and the Future of Networking

Tips for Everyday Security

How Do We Prevent This?

Regulatory Frameworks

Why Encryption is Good

The Keyboard Problem

What I Do Instead

Cyrillic Homograph Attacks

What You Should Do

What I've Learned

Before You Scan

Asset Discovery

Identifying Vulnerabilities

Evaluating and Prioritizing

Remediation

Layered Defense

The Problem with VPNs

Before You Make the Move

Types of Third-Party Connections

What Every Organization Should Be Doing

Vulnerability Scan vs. Penetration Test

Types of Penetration Tests

The Security Problem

When It Might Be Acceptable

If You Must Allow It

Information Security Consultant

Security Engineer

Where It Came From

How It Works

What This Means Going Forward

// Step 1 — Use Tougher Passwords

// Step 2 — Use Different Passwords for Every Site

// Step 3 — Enable Multi-Factor Authentication

// Step 4 — Limit What You Share Online

// Step 5 — Turn Off Unused Services

// Step 6 — Nothing Is Free

// Step 7 — Trust No One on the Phone

// Step 8 — Don't Click Email Links

// Step 9 — Use an Ad Blocker

// Step 10 — Avoid Public WiFi for Financial Transactions