During a penetration test, login credentials are a highly sought-after item. While it is common to harvest that information via email scams (phishing attacks), it is not always the most practical or effective tactic to gain unauthorized access. That access, however, still requires a valid set of credentials. This poses a challenge. How does an attacker find valid accounts without social engineering? There are two main options: breached credentials and password spraying.
When in doubt, try "Password123" - How I guessed your password
Topics: Cybersecurity, Network Security, Data Protection, Personal Data Protection, Security Awareness Training, Passwords, Monitoring
Top 4 Cybersecurity Risks of Mergers and Acquisitions (M&As)
Buying a risky or vulnerable company is avoidable, and what you don't know can hurt you. Even with insurance or financial indemnification, cybersecurity breaches represent significant capital investment and brand risk. Cyber-related compliance requirements are often poorly understood and difficult to detect; they introduce reputational risk and cost time lost with outside auditors.
Cybersecurity is a Team Sport: Peter Drucker on Cyber Attacks
When Peter Drucker produced his seminal work, “What Makes an Effective Executive,” in the Harvard Business Review (Drucker, June, 2004), he may not have been writing with cybersecurity in mind. In fact, in 2004, the cybersecurity world had only begun to appear as the many-headed beast it’s become since then. Nonetheless, this text is an excellent guide for executives about incident response and breach management.
Topics: Cybersecurity, budgeting, security incident handling
Sophisticated Threat Actors are using LinkedIn to Phish Employees
Phishing via employment-focused social media is on the rise. While performing incident response over the last few months, ProCircular encountered multiple incidents where LinkedIn was used in employee phishing attacks. Several news articles raised awareness of this phishing vector over the last year, and the trend continues with a new wave of attacks by sophisticated threat actors.
Topics: Incident Response, hacking, risk
Topics: Information Security, Incident Response, security incident handling, security incident response, DEF CON