You can't secure what you don't acknowledge.SM

Wednesday, August 24, 2016

A WordPress security resource for you: WP Security Audit Log

WordPress has had its fair share of security flaws over the years. Arguably more than any other mainstream platform. A quick search of 'wordpress' at the National Vulnerability Database returns over 1,100 published vulnerabilities as old as 2004 and several as recent as this month. Despite all of the security issues, WordPress is a highly-popular platform for businesses and individuals alike to create their online presence.

There are a lot of plug-ins and related resources to help with WordPress security, but there's one that I'm familiar with that you might want to check out. It's available through WP White Security, a company run by my colleague and web security expert Robert Abela. He not only offers WordPress security consulting services around hardening, malware removal, and the like but, more importantly (from a proactive security point of view at least), a plug-in called WP Security Audit Log that you can use to lock down your web presence and keep it in check.

I've been thinking of using WordPress to host a website but I've held off because of the security flaws that come with it if it's not proactively maintained and monitored. Tools such as WP Security Audit Log are the only way to go outside of a managed security service to ensure your website is not exploited for ill-gotten gains. If you host your own WordPress website and you're not a technical person, then something like this is an absolute no-brainer. I've been telling Robert for a couple of years now that I was going to write a blog post to share his offerings with my audience. I'm guessing I could've helped prevent untold exploits and breaches had I done it sooner! I hope you find it beneficial nonetheless.

One final thing - another good practice that's often required by law or contract - if anything, common sense - is to run periodic web vulnerability scans to check for common vulnerabilities that can create problems for your website and, ultimately, your business. Better to be safe than sorry...

Tuesday, June 28, 2016

Email phishing expertise: Lack of skills or just a lackadaisical approach to security?

I can't think of any current security test that's more important than email phishing. Yet it seems that so few organizations actually include phishing as part of their ongoing information security assessments and penetration tests. I suppose that's why we keep hearing about all of the CryptoLocker infections and crazy statistics being published by Verizon, Ponemon and others.

Here are some articles that I have written that can help you get your email phishing testing initiatives off the ground or, at least, provide you with some insight into why email phishing is such a big deal:

Defining Your Overarching Goal for Email Phishing Testing 

What to include in an Exchange Server phishing test

Throw users a line to thwart an email phishing attack

Top Gotchas When Performing Email Phishing Tests

Stop attackers from catching you in a phishing hack

Minimize your online footprint to combat phishing

Use an enterprise phishing tool such as LUCY. Do it manually. Whatever the means – just do it. I don't care how advanced your environment is or how mature your security program may be. Your network is one click away from compromise and you need to take the steps necessary to minimize this risk in your business. I promise you these tips that I've written can help you fight this security threat but it has to be taken seriously.

Thursday, May 5, 2016

Twitter hack--NFL draft consequences

I recently received this press release regarding Ole Miss offensive tackle Laremy Tunsil's Twitter account and how it affected his NFL draft:


Will someone please tell me how the consequences of basic security weaknesses surrounding social media, passwords, and malware do not impact us all personally and professionally.

Wednesday, May 4, 2016

Yet another over-hyped security flaw making the headlines

For years now, I've ranted here and elsewhere about the nonsensical niche security "flaws" uncovered by researchers and academic scholars that often have no real bearing on business or society. There are always caveats, always reasons why these super-complicated exploits won't work, yet they make the headlines time and again. The recent Waze app discovery is a great example:

Vulnerability in Google's Waze app could let hackers track you, researchers say

Look past the hype, the justifications for job security and research funding. Focus on the things that matter, folks. Year after year, the studies show the same stuff, yet we keep ignoring it.

Monday, April 25, 2016

Wednesday, April 20, 2016

What you need to know about Checkmarx CxSAST version 8

Application security tool version upgrades usually don't excite me, as it's often the same old, same old with a few new checks and niche features. However, the new version of Checkmarx CxSAST (formerly CxSuite, CxDeveloper, etc.) is spot-on. The next generation of the popular static source code analyzer, version 8, was recently released and it contains some much-needed improvements over its predecessor.

One thing that's glaringly evident in version 8 is the streamlined installation process. Minimal options. No tricky questions. No random services installed to junk up your system (at least that I know of). It just installs and is ready to use in less than 5 minutes. I installed CxSAST on a much less powerful virtual machine than I had version 7 running on and it actually seems to be much faster. I'm not sure if this was by design or if it's just something in my head but it's a nice new feature. Additional features in version 8 (currently 8.0.1) that I think are beneficial include:
  • Major overhaul in the user interface - it was a long time coming and it's a lot better/easier. Here's a sample screenshot:

  • A new vulnerability state option of “Proposed Not Exploitable” for findings that are likely non-issues (you get quite a few of these when performing a source code analysis)
  • I haven't yet tried it (but suspect I will as my testing environment changes often) - apparently the CxSAST engine can now be deployed without enforcing the Hardware ID for the license. Nice.
  • Incremental (partial) scans can now be run via the native IDEs in Eclipse, IntelliJ, and Visual Studio
Checkmarx CxSAST has as much language support as other products I'm familiar with, supporting the traditional languages (C#, Java, VB.NET, PHP) as well as Ruby, Objective-C, JavaScript, etc. To me, the mobile app support for Android and iOS is one of its biggest selling points.

I'm seeing an uptick in source code analysis interest. Perhaps it's because people are realizing that web vulnerability scanners and manual analysis simply can't find it all. Regardless, if you're looking to integrate source code analysis into your SDLC or do some last-mile security checks on enterprise web applications, mobile apps, or even legacy client/server applications, Checkmarx CxDeveloper, I mean CxSAST, needs to be on your radar. Here's a screenshot of some sample findings from the tool after scanning a Java application - many of which were not uncovered during traditional web vulnerability testing:

By the way, in the event you're looking to brush up on your application security skills, Checkmarx's Vulnerability Knowledgebase is a good resource for details on various application security vulnerabilities.

Thursday, April 14, 2016

Will the DBIR include Verizon's latest breach?

I'm a little late to pull the trigger on this but felt compelled to ask the question nonetheless:
Will Verizon include its recent breach in its (presumably) forthcoming Data Breach Investigations Report?

...It's related to this press release I received ~3 weeks ago:

Wednesday, April 13, 2016

Why data classification is a joke

I just saw this post on Slashdot about 0bama saying that classified means whatever it needs to mean. It reminds me of how data classification is treated as an information risk management function in the enterprise: mostly non-existent:

Data classification programs that do exist are typically a joke whereby IT and security handle everything with no involvement from the business or legal, or legal handles everything with IT and security out of the loop altogether. I wrote an article related to this for Ziff Davis a couple of years ago:
The funny thing about "confidential" information

...I'm not even sure why we bother going through the motions. It's like security policies that are not enforced - who are we kidding!?

Wednesday, March 2, 2016

A patch for stupid, PCI DSS penetration testing tips, and focusing on what matters in security

The following are some new articles I've written for TechTarget and Ziff Davis. Enjoy!

Maybe there is a patch for stupid
Six areas of importance in the PCI Penetration Testing Guidance
Niche security flaws should NOT be your focus

Also, check out the other information security content I've written over the years on my website at

Monday, February 22, 2016

New independent content on information security

Here are some articles and guest blog posts I've written for my friends at TechTarget, Ziff Davis, AlgoSec, and Rapid7:

Key Network Security Questions You Need To Ask Your Cloud Vendors - Now!

Everything happens for a reason in security

How one bad decision brought down an enterprise e-commerce site in minutes

With security, periodic and consistent is key

How emerging threat intelligence tools affect network security

The science behind bad passwords


Also, be sure to check out the other information security content I've written over the years on my website at

Monday, January 25, 2016

LUCY - a very powerful email phishing tool

If you're an IT or information security professional you need to know about a great - and relatively new - tool that you can use as part of your security assessment and/or user awareness and training. It's called LUCY. I came across a small online blurb about LUCY a few months ago and thought I would check it out. Having dealt with both open source and commercial email phishing tools that have either gone kaput or whose vendors have no interest in serving an independent consultant like myself, it looked like LUCY might be just what I needed. It is.

Available as a virtual machine download or an application running in the cloud, LUCY supports traditional email phishing campaigns but it goes several steps further by supporting SMiShing (SMS phishing), the simulation of malware attacks, Word macros, and it has a bunch of other features. LUCY's reporting capabilities are nice as well. The following is a sample of one page of the LUCY Web interface and you can see more for yourself here.

Before I discovered LUCY, I was seriously considering hiring a developer to write my own email phishing tool. I'm glad I didn't because I would have missed a whole lot of features that I never would've thought about. I'm also confident that I would've ended up getting in over my head with such a project. That's the great thing about working in this industry – I get to rely on the brainpower, findings, and products of all of the researchers and developers who are way smarter than me.

LUCY's feature set is nice but, to me, the best part is the support that I have received from its Swiss-based creator, Oliver Münchow. Oliver was very responsive and extremely patient with me as I got my environment up and running. In fact, I bugged him with so many DNS/SMTP configuration and user workflow questions (when, in many cases, I should've read the fine manual) he told me that he obviously needs to make some tweaks to the documentation and the functionality of the program. :-) He already has. Pretty cool.

Studies from Verizon, Trustwave, and others all show that social engineering via email phishing is one of the most popular attacks. It's just too simple and too effective. Many (most?) businesses today are making it too easy for criminal hackers to carry out their malicious acts for ill-gotten gains. I've been doing this type of work more and more as part of my overall security assessment projects and the results are pretty scary. If you're not doing email phishing testing, you can't honestly say that you're looking at everything - testing for all possible vulnerabilities - in your environment.

Whether you work for someone else or for yourself, you should check out LUCY if you're in need of simple to use, yet powerful, email phishing and security awareness/training campaign capabilities that you can get up and running almost immediately. Minimal technical expertise is required. Maximum value is pretty much guaranteed. 

You can check out more about social engineering and email phishing (tips, tools, and techniques) in the brand-new 5th edition of my book, Hacking For Dummies.

Wednesday, January 20, 2016

Worst passwords (on your network right now)

The fifth-annual Worst Passwords List put out by SplashData is here and the findings aren't terribly surprising. Here are the top five:

#1: 123456
#2: password
#3: 12345
#4: 12345678
#5: qwerty
Good stuff! What's that quote about insanity? 

One of those security basics that we'll likely continue to ignore until the end of time. That's alright, as some of the best sideline analysts will proclaim: we need not focus on such trivial things. Well, they have a point. After all, there are really cool technologies people can spend tons of money on instead. It's that kind of investment that makes it look like things are happening in and around IT!