-
Fred Zajac commented on the post, Week 2 Update, on the site 5 years, 11 months ago
I am a fan of Nessus and OpenVAS. Nessus is free and available for Windows. You can download on local host and scan your home / small office network. Nessus / Tenable offers several plug-ins for different types of scans. You could also do the basic scan, which we did in Ethical Hacking, but this won’t discover the Mirai vulnerability. You…[Read more]
-
Fred Zajac commented on the post, Week 2 Update, on the site 5 years, 11 months ago
Another online scanner you may want to check out is Censys.io. It uses Zmap and Zgrab to identify specific information about a network. It is glitchy sometimes and you have to play around with how you search for multiple IP addresses or even a range, but it is a good and quick recon tool to identify how you may want to handle the pentest.
-
Fred Zajac commented on the post, Week 2 Update, on the site 5 years, 11 months ago
Are there any “Horror” movies about IoT devices killing people? Hummm….
-
Fred Zajac commented on the post, Week 2 Update, on the site 5 years, 11 months ago
Brock,
I would also like to see these scanners, but playing the other side of the coin…
The users of these scanners are creating the database for them. Example: As a pentester, I use Chronicle to search for vulnerabilities of a specific IP address. It then scans the IP address for vulnerabilities. It does or doesn’t identify…[Read more]
-
Fred Zajac commented on the post, Week 1 Update, on the site 5 years, 11 months ago
The attacker simply needs to scan the global IPv4 address space (only 4,294,967,296) for known open ports.
Check this out. Can be done in seconds!
Censys.io
-
Fred Zajac commented on the post, Week 1 Update, on the site 5 years, 11 months ago
Satwika & Frederic,
I agree patching is a very big deal, but what if the IoT manufacturer didn’t provide enough space for constant patching? Example: Hard drive limit.
The patching will crash the hard drive at some point because of the file additions. Also, as you mention in a previous post,
The manufacturer may have used a very basic…[Read more]
-
Fred Zajac commented on the post, Week 1 Update, on the site 5 years, 11 months ago
We are using Patch Management for our clients using a third-party product. If you are interested in the product, let me know and I will give you info.
Anyway,
One of the things you mention is patching causing issues with applications. This is something we run into from time to time from our clients. Another issue we have is patching…[Read more]
-
Fred Zajac commented on the post, Week 3 Update, on the site 5 years, 11 months ago
Check out how easy it is to start an ATM business. It is similar to the Vending Machine Business. The owners of these ATMs, with Diebold Nixdorf software (running on Windows), have no clue about Windows XP, the software, the hard drive, or even the physical controls.
These owners are making an investment in a “franchise” type business. They…[Read more]
-
Fred Zajac commented on the post, Week 3 Update, on the site 5 years, 11 months ago
The general public is way too willing to add content to their social conglomerate, so much that they forfeit basic privacy.
YES!
Challenge questions that can be guessed by visiting social media sites:
What is your high school mascot?
Where did you go to elementary school?
What road did you grow up on?
What is your favorite sports team?
What…[Read more]
-
Fred Zajac commented on the post, Week 3 Update, on the site 5 years, 11 months ago
Is it crazy that we still use a 9 digit plain text number to conduct authentication for our federal tax reporting system?
-
Fred Zajac commented on the post, Week 4 Update, on the site 5 years, 11 months ago
Hey all,
Flash can be disabled in all popular internet browsers. Plus, you can set up Office to not allow files with Flash or any plug-in.
To stop flash in group policy:
Search Group Policy editor –> Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Security Features –> Add On…[Read more]
-
Fred Zajac commented on the post, Week 5 Update, on the site 5 years, 11 months ago
Hey all,
I was also a bit disturbed, but honestly not shocked at all. As Jason mentioned, if I were to make a guess, Newtek didn’t include this type of Breach or have a Breach Policy in their Incident Response Plan, which is what makes me “disturbed” because how can you not include an intruder taking over one, two, three, or more of your…[Read more]
-
Fred Zajac commented on the post, Progress Report for Week Ending, March 15, on the site 5 years, 11 months ago
Patrick,
You should try Nessus Home scanner, it is free and includes scanner for all applications installed on a machine. You can take a look at the list and see which ones you want and uninstall the ones you want.
Then, most applications have an auto-update, as well as an ask me first update option. Just select the ask me option.…[Read more]
-
Fred Zajac commented on the post, Week 09 – Update, on the site 5 years, 11 months ago
Matt,
Check this out…
http://www.fico.com/en/products/fico-enterprise-security-score
I wonder what these agencies “security score” is. Bad Credit.. LOL
The score is based on a few factors, but security posture and culture weighs on the number
-
Fred Zajac commented on the post, Week 11 Update, on the site 5 years, 11 months ago
Fraser,
The thing about patch management is testing the patch to see if it is valid or even if it will hinder your system. For instance, if you are not monitoring your hard drive space and a new patch gets installed that puts your hard drive in an unhealthy state, then the good update may crash the system.
Automation on these things is…[Read more]
-
Fred Zajac commented on the post, Week 10 Update, on the site 5 years, 11 months ago
Mustafa,
I understand your concern, but hackers already use credit scores to target people and businesses. Anyone can purchase someone’s credit score for a few dollars, and FTC regulations require a rating on financials, rating from AAA to Junk.
In my opinion, the cyber score should be required for all publicly traded companies who handle…[Read more]
-
Fred Zajac commented on the post, Progress Report for Week Ending, September 29, on the site 5 years, 11 months ago
Jason,
I believe the standard should “Freeze” should be changed for everyone immediately. You must “manually” change it to be “Un-Freezed” by visiting a website or when you apply for your next loan. You may also Freeze and Un-Freeze your account at anytime for no charge. This cost will be passed onto the banks, who will pass it on to the…[Read more]
-
Fred Zajac commented on the post, How are we to get better if our leader do understand, on the site 6 years, 6 months ago
wrong link Sorry
-
Fred Zajac wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 6 months ago
I am not sure if anyone else watched Congress’s questioning of Mark Zuckerberg, but I did. It was streamed live on Bloomberg nation and CNBC. While I was watching and listening, I was shocked at how uneducated o […]
-
Fred Zajac commented on the post, Week 10 Update, on the site 6 years, 7 months ago
Jason,
I believe the standard should “Freeze” should be changed for everyone immediately. You must “manually” change it to be “Un-Freezed” by visiting a website or when you apply for your next loan. You may also Freeze and Un-Freeze your account at anytime for no charge. This cost will be passed onto the banks, who will pass it on to the…[Read more]