True Digital and the Holy FAIL - Hacking APIs
After talking with a few developers and admins over the past couple of years, it has become clear that most devs/admins don't realize that the APIs behind their web applications can be reached just as easily as the web app itself. Many admins were under the impression that the API is accessible only from the internal network, as a backend endpoint. It often surprises them that we're able not only to access the API, but also to ransack it and download TONS of data about clients/users/PII/PHI/etc.
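The point above is easy to check for yourself: whatever path the browser front end calls is reachable by any client that can reach the front end, so the only thing standing between an anonymous user and the data is the server-side authorization check. The following is an added example, not code from the TRUE post; it spins up a tiny local HTTP service that serves a page at `/` and an API at `/api/users`, then probes both as an anonymous client and as the front end (bearer token). The hostnames, paths, token and user records are all constructed for the demo.

```python
"""Added example (not from the original post): show that a web app's API is
reachable by the same anonymous client that loads the web app, and what the
server-side fix looks like. All endpoints, the token and the records are
constructed for this demo."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample records standing in for client/PII data.
USERS = [
    {"id": 1, "name": "A. Example", "ssn": "***-**-1234"},
    {"id": 2, "name": "B. Example", "ssn": "***-**-5678"},
]
API_TOKEN = "demo-token"  # assumed: handed to the front end after login


def make_handler(enforce_auth):
    """Build a handler; enforce_auth=False mirrors the 'backend-only' assumption."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if self.path == "/":
                self._send(200, b"<html>front end</html>", "text/html")
            elif self.path == "/api/users":
                auth = self.headers.get("Authorization", "")
                if enforce_auth and auth != f"Bearer {API_TOKEN}":
                    self._send(401, b'{"error":"unauthorized"}', "application/json")
                else:
                    self._send(200, json.dumps(USERS).encode(), "application/json")
            else:
                self._send(404, b"", "text/plain")

        def _send(self, code, body, ctype):
            self.send_response(code)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_server(enforce_auth):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(enforce_auth))  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, path, token=None):
    """Fetch path the way an external client would; return (status, body)."""
    req = Request(f"http://127.0.0.1:{port}{path}")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def audit(enforce_auth):
    """Probe the site anonymously and as the front end; report what each one sees."""
    srv = start_server(enforce_auth)
    port = srv.server_address[1]
    try:
        anon_web, _ = probe(port, "/")
        anon_api, body = probe(port, "/api/users")
        authed_api, _ = probe(port, "/api/users", API_TOKEN)
        return {
            "web_anonymous": anon_web,
            "api_anonymous": anon_api,
            "api_with_token": authed_api,
            "records_leaked": len(json.loads(body)) if anon_api == 200 else 0,
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("backend-only assumption:", audit(enforce_auth=False))
    print("with server-side auth check:", audit(enforce_auth=True))
```

With `enforce_auth=False` the anonymous probe of `/api/users` returns 200 and every record, even though the API was "only meant for the front end"; with the check in place the same probe gets 401 while the token-bearing call still succeeds. In a real assessment the list of paths to probe comes from the front end's own JavaScript and network traffic, and the check is run from outside the network boundary the admins believe protects the API.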
The Hafnium Exchange Hack: Identify the Signs & Mitigate Risk
There has been a flood of articles and directives coming from the most recent Microsoft Exchange Server exploits. To help you navigate advice on what steps are most important for you to take, I have endeavored here to assemble the key links and details you will need to know to help you–
I Do Not Think You Need What You Think You Need.
Organizations often approach us unsure what type of security testing they need, because a particular security framework, best practice, or compliance requirement says they need quarterly scanning or a penetration test. These frameworks serve the important purpose of setting a standard set of expectations and requirements for organizations, but the language surrounding the various technical controls or Security Testing Services can be confusing or generic, and the options can all sound very similar to one another.
Wasted Security Resources Part II: Why Adding Microsoft’s Advanced Threat Protection Makes Sense for Most of Us
Many organizations that use Microsoft’s O365 platform for email and collaboration do not use the Advanced Threat Protection (ATP) that is built into it. Unless your company has purchased a Microsoft 365 Business Premium, E5, or higher license, ATP has to be purchased as an add-on, and the per-user cost of enabling it is the reason many opt out. In many cases, however, adding it to your licensing will save you from spending more money to lock down endpoints with other technologies, not to mention the time it takes to vet, configure, integrate, and roll those technologies out.
Securing Your 2021 Remote Workforce with Microsoft Defender
With the advent of the COVID-19 pandemic, Microsoft increased the push for its malware protection solution aimed at non-enterprise businesses, marketing it as the product to protect assets as companies have their employees work from home.
2021 Cannabis Banking Legislation and What it Could Mean for PCI Compliance
Few industries have transformed as rapidly in recent years as cannabis. With the major hits to the economy from COVID-19, however, the industry's larger players have had to reshape their strategies to compete with local dispensaries and smaller growers, many of whom appear to have had staying power simply because they never made sophisticated investments. Those able to implement technology that not only sustains operations but also protects them from costly cyber-attacks, meets current and future regulatory requirements, and is flexible enough to adapt to evolving requirements are certain to have an edge.
Is my organization prepared for a ransomware attack?
The reality is that preparing for a ransomware attack continues to be a game of cat and mouse. As security technologies advance with heuristics and machine learning to protect against and detect advanced attacks, our adversaries respond with capabilities to evade those detection mechanisms. This can be discouraging to IT professionals anxious to get ahead of an attack and protect their systems, and their organizations, from risk.
Recap of the new Microsoft 365 Model – Where do I go from here?
We talk a lot at TRUE about leveraging the tools you already have at your fingertips to achieve security objectives, but if you go back to your subscription to work out what you have versus what you may need, you may find yourself confused trying to navigate all the new names and components. You may even be confused by the new title for the popular Office suite.
Wasted Security Resources: You’re Not Getting the Most Out of Your IT Tools
When an organization identifies a new technology threat, the first response is often to look for a product or service that can mitigate or remove it. Frequently when working with clients, I have encountered situations where the client was looking to purchase a new tool to fulfill a specific need, but already had a tool that could have solved the problem. The issue is that many organizations use only a small subset of their IT tools and may not even realize the full or updated capabilities of what they already own.
HIPAA Trends & Predictions for 2021
Since the HIPAA Privacy Rule took effect in 2003, the OCR has issued total fines and penalties in excess of $129,000,000. Data breaches, hacks, ransomware, and the like are nothing new, but regulators are painfully aware that malicious actors are actively exploiting the “windows of opportunity” created by COVID. Those who are succeeding in 2021 understand that their wins are directly tied to maintaining effective security and compliance programs this year. Before exploring those solutions, though, let’s dive deeper into the drivers behind this need.