The cyber security consequences of technical debt “Our job is to make everyone’s worst nightmare come true.” – Tim McGuffin, Lares Consulting Tim McGuffin and I go way back. Tim is the Senior Red Team manager with Lares Consulting. A self-described “hacker in the old school sense of the word,” Tim takes protocols and systems apart, figures out how they work, and then bends them to his will.[...]
Part 1: How to Properly Evaluate SaaS Risk Using Your Business Context Affordability, data accessibility, and ease of use are just a few of the reasons that 73% of organizations say nearly all their apps will be Software as a Service (SaaS) by 2020. Although SaaS is not a new concept, with some of the earliest SaaS providers such as Salesforce.com dating back to the 1990s, the SaaS business space[...]
The Common Vulnerability Scoring System (CVSS) is designed as a numeric measure of vulnerability and is widely used in IT organizations as a method to understand and prioritize remediation efforts. When it comes to using CVSS scores in the world of the Internet of Things (IoT), Industrial Control Systems (ICS), or more broadly Operations Technology (OT), there are many challenges, and some would[...]
Cyber security threats are evolving at a rapid rate, which makes it challenging for organizations to keep current with their internal and external threat landscape. In a race to keep pace, organizations often skip building foundational elements in favor of buying applications to enhance their protection measures. This approach does more harm than good.
It’s W2 time! You know it, I know it, and criminals know it. Every year dozens of human resource professionals fall victim to phishing schemes. Criminals target HR departments posing as C-level leadership, often with spoofed email addresses that look very similar to the correct email address, requesting a copy of the W2s for all employees. Eager to comply – and possibly flattered by the[...]
4 Online Scanning Methods That Won’t Take Your Plants Down It’s hard to believe it’s already been a week since I presented at S4x19 on assessment tools for ICS environments. After a brief introduction weighing the risks posed by traditional online tools versus the risk of doing nothing, I walked through four online scanning techniques that offer low impact, high value results. I know these can[...]
Supercharge your hardware security in IoT devices The IoT marketplace moves fast, and device vendors continuously struggle to balance speed to market with implementing proper security measures. When devices cross over between industrial control systems (ICS) and IoT connectivity (often referred to as Industrial IoT or IIoT) ensuring deployed devices are properly secure becomes paramount to[...]
Although value can be derived from offline methods such as paper-based framework assessments, many critical discoveries can only be uncovered through a technical assessment using online, active assessment techniques.
Prioritize Now for Proactive Defense As 2018 saw more massive data breaches, disruptive attacks, and business email compromise, we look ahead at how organizations should be prioritizing security initiatives to combat the current state of cyber security amidst an ever-evolving threat landscape. Here are five cyber challenges we predict board rooms and security teams will be prioritizing this[...]
Meltdown and Spectre Overview On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The[...]