Monthly Archives: October 2017

National Cyber Security Awareness Month

Although National Cyber Security Awareness Month is coming to a close, COMPASS maintains a commitment to raising cyber security awareness throughout the year. The following are this year’s top blog posts that demonstrate ways to implement cyber security risk management in your organization and minimize the threats you may face.

  1. A Risk Manager’s Approach to Cyber Security

Cyber security threats arguably pose the greatest danger to an organization’s risk management strategy. Risk managers should leverage their organization’s existing risk governance processes and methodologies to effectively analyze and manage cyber threats.

  2. Top 10 Assessment Findings

Although COMPASS’ client base is highly diverse, there are common findings we encounter on almost every single engagement. They are grouped by our approach to cyber security risk management which focuses on the 3 pillars of cyber security – people, policy and technology.

It is important for organizations to regularly assess not only their technical infrastructure, but also their organizational security awareness and policies. Organizations that fail to perform periodic assessments risk leaving themselves exposed to hackers who can exploit these vulnerabilities or negligent insiders who expose data unintentionally.

  3. 5 Steps to Develop a Security Program

Developing a practical and effective cyber security plan is vital to incorporating security into your organization’s risk management strategy. A common misconception is that a cyber security plan is lengthy and difficult to follow. However, that does not have to be the case. COMPASS recommends 5 steps for your cyber security plan.

  4. Business Email Compromise

BECs remain a prominent threat and will continue to be used in targeted scams. The victims of BEC attacks range from small business to large corporations and all employees should be aware of the dangers. Organizations that utilize robust prevention techniques have proven highly successful in recognizing and deflecting BEC attempts.


If you have any questions or would like to discuss the unique cyber threats your organization faces, please CONTACT US.

Protecting Critical Infrastructure from Cyber Threats

The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

Protecting Critical Infrastructure

In this blog, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency.


Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Figure 1: Dashboard

As readers of this blog probably know, password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements. Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations. We’re releasing GoCrack to provide another tool for distributed teams to have in their arsenal for managing password cracking and recovery tasks.

Keeping in mind the sensitivity of passwords, GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or the creator has granted additional users access to the task. Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators. Engine files (files used by the cracking engine) such as dictionaries, mangling rules, etc. can be uploaded as “Shared”, which allows other users to use them in a task yet does not grant them the ability to download or edit them. This allows sensitive dictionaries to be used without enabling their contents to be viewed.

Figure 2 shows a task list, Figure 3 shows the “Realtime Status” tab for a task, and Figure 4 shows the “Cracked Passwords” tab.

Figure 2: Task Listing

Figure 3: Task Status

Figure 4: Cracked Passwords Tab

GoCrack ships with support for hashcat v3.6+, requires no external database server (it uses a flat file), and includes support for both LDAP and database-backed authentication. In the future, we plan on adding support for MySQL and Postgres database engines for larger deployments, the ability to manage and edit files in the UI, automatic task expiration, and greater configuration of the hashcat engine. We’re shipping Dockerfiles to help jumpstart users with GoCrack. The server component can run on any Linux server with Docker installed. Users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.

GoCrack is available immediately for download along with its source code on the project's GitHub page. If you have any feature requests, questions, or bug reports, please file an issue in GitHub.

ICE is a small, highly trained, team of engineers that incubate and deliver capabilities that matter to our products, our clients and our customers. ICE is always looking for exceptional candidates interested in solving challenging problems quickly. If you’re interested, check out FireEye careers.


In Tanzania, the use of ICT (TEHAMA) has continued to grow in many different areas. This has continued to make essential services easier to obtain and has enabled people to keep communicating with ease.

Industries and institutions of all kinds have continued to use ICT to raise efficiency and reach many people in a short time. Financial transactions, tax collection and communications are just some of the things enabled by ICT in the country.

The security of ICT systems is one of the most important areas in which Tanzania needs to invest in order to protect itself against any form of cybercrime that could make essential services unavailable and ultimately destabilise the national economy.

STATISTICS: Tanzania installed 27,000 km of optic fiber connecting all regions and it has 7 mobile operators – about 94% network coverage, 85% SIM penetration and 40% internet users.

The annual conference of Tanzania's ICT professionals, held at the end of last week (26–27 October 2017) in Dar es Salaam, discussed cyber security; several papers focused on teaching better ways to strengthen the security of our systems were presented and discussed.

Personally, I spoke to the participants about the best ways to protect the data held on our phones and laptops (Protecting Mobile Devices Data), since these devices are now used for office work and for carrying out transactions, which makes that data important to protect against cybercriminals.

QUOTE: “Companies today allow individuals to make use of their own mobile devices to perform their jobs with direct access to the organization’s sensitive data – therefore, data in our mobile devices are very important for the operations and financial well-being of our business.” – Yusuph Kileo.

It has become common to read office email on our mobile phones and to do office work on personal laptops in all sorts of places, and all of this puts important work data at risk of falling into the hands of cybercriminals if appropriate steps to protect it are not taken.

FROM LEFT: Yusuph Kileo (member of the AfICTA board of directors), Prof. Mike Hinchey (President of IFIP), Samson Mwela (Director General of the ICT Commission), Prof. Rai (head of the University of Zanzibar - SUZA) and Neema Sinare (President of ISACA)

Furthermore, these devices can be stolen, leaving this important data at risk of misuse. Protecting this important data is therefore the responsibility of every user.

Care over the apps we install on our phones deserves serious attention, because the various investigations we have continued to carry out at a global level have found that a large percentage of apps have a habit of stealing users' data and using it as they please.

Non-sanctioned applications create a risk to mobile devices and to enterprises.
October 2016 – The top 10 flash apps were discovered to be malware.
February 2017 – According to Cisco, 27% of 222,000 assessed applications present a high risk.
May 2017 – Hundreds of apps investigated were all found to have serious snooping and spying characteristics.


Various efforts have been made, including the 2014 agreement directing every app to explain briefly what it will give the user for free and what it will take from the user, together with giving the user the opportunity to accept or decline. We also urged app developers to make sure they protect their apps so that cybercriminals cannot tamper with them and misuse them to commit crime.

Other speakers highlighted various cyber security gaps found in the country and urged the nation to tighten its belt further.

Overall, raising users' awareness of good online practice, upgrading the skills of our professionals, strengthening cooperation in controlling cybercrime incidents, removing unnecessary bureaucracy in responding to cybercrime, having the right people in the right places to control cybercrime, and having the right and robust tools to counter cybercrime were among the things identified as needing work in order to make progress against cybercrime in the country.

Cybercrime incidents that strike one institution should not be allowed to repeat at another – that was my call to all participants. Reporting cybercrime incidents so that they can be resolved is also important, because hiding this information while incidents keep recurring can allow online financial losses to keep growing, and that has a major effect on the national economy.

A call was made to our universities in the country to move away from outdated systems that lag behind the times, by re-examining themselves and preparing curricula capable of producing professionals able to combat cybercrime in the country.

The Internet Wants YOU: Consider a Career in Cyber Security.

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.


Employee Security Awareness Training

Because humans are often the weakest link when it comes to cyber security, it is critically important to integrate employee security awareness training into your cyber security action plan. By educating employees on best practices, policies, procedures, popular attack methods and trends, organizations can significantly reduce their risk of a data breach.

Increasing your investment in cyber security awareness training can decrease the threat of a cyberattack by 45% to 70%. Common and effective employee training methods include:

  • On-boarding – When a new employee joins your organization, immediately make them aware of cyber security best practices your organization requires. This will create a strong cyber security posture throughout the employee’s lifespan.
  • Mock phishing exercises – Phishing attacks are one of the most common forms of social engineering that can harm businesses. By employing these exercises organizations can test their email platform and see how their employees would react in a real-life scenario.
  • Webinars – Webinars on cyber security trends give employees a chance to ask questions and hear firsthand of the importance of keeping data secure. These interactive sessions empower employees with the information necessary to support the organization’s goal of protecting its sensitive data.
  • Policy check surveys – Regularly testing the knowledge of employees is important to their understanding of company policies and procedures. These can identify and prioritize gaps that should be addressed in further employee training sessions. In addition, these surveys and their results will be important if your organization is audited or breached.
  • Regularly discuss cyber security with employees – Make cyber security part of your workplace culture so that employees are regularly acting with the organization’s best interests in mind. Proactively address employee negligence as it is one of the top causes of security incidents.
  • Incident response plan – Ensure employees are aware of their role in the company’s incident response plan. Practice this plan quarterly so in the event of a breach your organization can respond quickly and comprehensively to minimize the impact and associated costs.
  • Onsite training – Providing face-to-face security awareness training on cyber best practices and company policies and procedures gives employees an opportunity to ask questions and learn from experienced personnel.

Proactively training employees before an information security incident is critical to protecting the future of your business. Create policies and guidelines that assume your company will be targeted by cybercriminals and make sure employees know the appropriate actions that are necessary to keep the company’s data safe. Implementing employee training in your organization at least quarterly is one of the best and most cost-effective ways to reduce cyber security risks.

For more information on employing training in your workplace, please contact us.

Cyber Security Careers Are in High Demand

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Cyber security is a viable and rewarding profession and we encourage people from all backgrounds to see information security as an essential career path.


WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.


Mobile Device Management

Mobile Device Management (MDM) is a great method to ensure that your employees remain productive and do not violate any corporate policies. In the ever-expanding Bring Your Own Device (BYOD) world, more organizations are allowing employees the freedom to work from their own mobile devices. Tablets, smart phones, and personal laptops are taking a larger and larger space on corporate networks.

While there are numerous advantages to a BYOD environment, allowing personal devices onto a corporate network introduces a variety of security threats. A Mobile Device Management solution helps in securing that environment.

Here are 5 tips you should implement when securing your devices with an MDM approach:

  1. Require standards for password strength – Make sure that your MDM is configured to require device passcodes that meet or exceed guidelines concerning length, complexity, retry and timeout settings for the appropriate device.
  2. Device Update Compliance – Set a minimum required version for employee mobile devices. This will require that employee devices are kept updated and restrict devices that do not comply with this setting.
  3. Prevent Jail-breaking – Prevent jail-broken or ‘rooted’ mobile devices. Allowing these devices could add an additional attack vector as many ‘rooted’ or jail-broken devices install third-party app stores that may contain malicious apps. Preventing these devices helps secure access to company data.
  4. Require usage of signed apps and certificates – Use your MDM to screen any mobile devices for suspicious applications before allowing access to company resources. These could be email programs, mobile apps, and networks (Wi-Fi or company VPN access). As with jail-broken devices, unsigned apps and certificates may allow malware to infect the device.
  5. Seek Employee Buy-In – Prior to allowing a user device onto your network, require the user to acknowledge and accept basic corporate policies. Make sure that the user understands that company administrators will be able to revoke and/or restrict access for devices that don’t comply with company policy.
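The five tips above are, in practice, a compliance policy that the MDM evaluates against every enrolling device. The Python below is an added example (not part of the original post and not any vendor's MDM API) that encodes those tips as a policy object and evaluates a constructed device inventory against it, returning the list of violations per device so that non-compliant devices can be blocked before they reach company resources. The policy thresholds (8-character alphanumeric passcode, wipe after 10 failed attempts, 5-minute auto-lock, iOS 15 / Android 12 minimums) are assumed values for illustration, not figures from the post.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """MDM baseline modelled on the post's five tips (threshold values are assumed)."""
    min_passcode_length: int = 8
    require_alphanumeric: bool = True
    max_failed_attempts: int = 10          # device must wipe/lock by this many failures
    max_autolock_minutes: int = 5
    min_os_version: dict = field(default_factory=lambda: {"ios": "15.0", "android": "12.0"})
    block_jailbroken: bool = True
    block_unsigned_apps: bool = True
    require_policy_acceptance: bool = True


@dataclass
class Device:
    """Inventory record as an MDM agent would report it (constructed sample data)."""
    name: str
    platform: str
    os_version: str
    passcode_length: int
    passcode_alphanumeric: bool
    failed_attempts_limit: int             # 0 = no limit configured on the device
    autolock_minutes: int                  # 0 = never auto-locks
    jailbroken: bool
    apps: list                             # [(app name, is_signed)]
    accepted_policy: bool


def parse_version(v: str) -> tuple:
    """'16.4' -> (16, 4) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def evaluate(d: Device, p: Policy) -> list:
    """Return every policy violation for one device (empty list = compliant)."""
    violations = []
    minimum = p.min_os_version.get(d.platform)
    if minimum is None:
        violations.append(f"unsupported platform {d.platform}")
    elif parse_version(d.os_version) < parse_version(minimum):
        violations.append(f"OS {d.os_version} below required {minimum}")
    if d.passcode_length < p.min_passcode_length:
        violations.append(f"passcode length {d.passcode_length} below {p.min_passcode_length}")
    if p.require_alphanumeric and not d.passcode_alphanumeric:
        violations.append("passcode is not alphanumeric")
    if d.failed_attempts_limit <= 0 or d.failed_attempts_limit > p.max_failed_attempts:
        violations.append("failed-attempt limit missing or too high")
    if d.autolock_minutes <= 0 or d.autolock_minutes > p.max_autolock_minutes:
        violations.append("auto-lock timeout missing or too long")
    if p.block_jailbroken and d.jailbroken:
        violations.append("device is jailbroken/rooted")
    if p.block_unsigned_apps:
        for app_name, signed in d.apps:
            if not signed:
                violations.append(f"unsigned app installed: {app_name}")
    if p.require_policy_acceptance and not d.accepted_policy:
        violations.append("user has not accepted the device policy")
    return violations


def compliant_devices(devices: list, policy: Policy) -> list:
    """Names of devices that may be granted access to company resources."""
    return [d.name for d in devices if not evaluate(d, policy)]


def report(devices: list, policy: Policy) -> dict:
    """Device name -> list of violations, for an admin dashboard or audit log."""
    return {d.name: evaluate(d, policy) for d in devices}


# Constructed sample fleet: each record exercises a different tip from the post.
POLICY = Policy()
FLEET = [
    Device("ceo-iphone", "ios", "16.4", 6, False, 10, 5, False, [("Mail", True)], True),
    Device("dev-pixel", "android", "13.0", 12, True, 10, 2, True,
           [("Slack", True), ("sideloaded-vpn", False)], True),
    Device("sales-ipad", "ios", "15.2", 10, True, 8, 5, False, [("CRM", True)], True),
    Device("intern-android", "android", "11.0", 8, True, 0, 10, False, [("Mail", True)], False),
]

if __name__ == "__main__":
    for name, problems in report(FLEET, POLICY).items():
        print(name, "->", "compliant" if not problems else "; ".join(problems))
```

Only `sales-ipad` passes every check; the CEO's phone fails on passcode strength (tip 1), the rooted Pixel with a sideloaded app fails tips 3 and 4, and the intern's device fails on OS version, lock settings and policy acceptance (tips 2 and 5). Keeping the checks in one function means the same rules apply at enrollment and on every later inventory refresh, which is what keeps a device from drifting out of compliance unnoticed.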

The best idea is to decide your corporate strategy and then choose an MDM solution that fits your project. For more information on mobile device security, download our iPhone and Android Security Guides. If you would like to begin a conversation about Mobile Device Management, please CONTACT US.

A Massive Cyber Breach at a Company Whilst it was Considering the ‘Cloud’

(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?

The C-Suite Meeting

Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.

This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

  1. Chief Executive Officer (CEO)
  2. Chief Financial Officer (CFO)
  3. Chief Information Officer (CIO)
  4. Chief Information Security Officer (CISO)

Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.

Meeting In-Progress

After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

The C-Suite then took a break for lunch.

The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."

Houston, We Have a Problem

The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!

He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"

It's Over

The CEO asked the CIO - "What's wrong? What happened?"

The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"

The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"

Mimikatz DCSync 

The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."

The CEO asked - "What is Active Directory?"

The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"

The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."

The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"

The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root!"

The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."

The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"

The CISO replied - "Seventeen years."

The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"

This is for Real

Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!

We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.

This Could've Been (and Can Be) Easily Prevented 

This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.

Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.

Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
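The CISO's explanation above (who can replicate secrets is whoever holds the Get-Replication-Changes-All extended right on the domain root, and that set is hard to see because rights flow through nested groups and deny entries) can be made concrete with a small model. The Python below is an added example, not Paramount Defenses' tooling, Gold Finger, or any Microsoft API: it evaluates a constructed domain-root DACL against constructed users and nested groups, and reports every principal who effectively holds the right, then flags those outside the trustees an administrator would expect (Domain Admins, Enterprise Admins, Domain Controllers). The two extended-right GUIDs are the real schema values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; every group, user and ACE is constructed sample data, and the evaluation is simplified (deny beats allow, no inheritance or ACE ordering), so it illustrates the audit rather than replacing a full effective-permissions tool.

```python
from __future__ import annotations
from dataclasses import dataclass

# Real extended-right GUIDs from the AD schema. DCSync needs both; the post
# singles out Get-Changes-All because it is the one that exposes secrets.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


@dataclass(frozen=True)
class Ace:
    """One access-control entry on the domain root (simplified model)."""
    trustee: str          # user or group the ACE applies to
    allow: bool           # True = Allow ACE, False = Deny ACE
    right: str | None     # extended-right GUID, or None for "all extended rights"


def transitive_groups(principal: str, groups: dict[str, set[str]]) -> set[str]:
    """Every group the principal belongs to, directly or through nesting."""
    result, stack = set(), [principal]
    while stack:
        member = stack.pop()
        for group, members in groups.items():
            if member in members and group not in result:
                result.add(group)
                stack.append(group)
    return result


def holds_right(principal: str, acl: list[Ace], groups: dict[str, set[str]], right: str) -> bool:
    """Simplified effective-permission check: any matching Deny wins, else any Allow grants."""
    tokens = {principal} | transitive_groups(principal, groups)
    matching = [a for a in acl if a.trustee in tokens and a.right in (None, right)]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


def effective_holders(acl, groups, principals, right=DS_REPLICATION_GET_CHANGES_ALL) -> list[str]:
    """Everyone who can actually exercise the right, whatever path grants it."""
    return sorted(p for p in principals if holds_right(p, acl, groups, right))


def unexpected_holders(acl, groups, principals, expected_trustees) -> list[str]:
    """Holders who are not members of the groups an admin expects to have the right."""
    expected = {p for p in principals if transitive_groups(p, groups) & expected_trustees}
    return sorted(set(effective_holders(acl, groups, principals)) - expected)


# Constructed sample directory: "Legacy Sync" is a forgotten group that still
# carries an Allow ACE, and "Tier2" was nested into it long ago.
GROUPS = {
    "Domain Admins": {"alice"},
    "Enterprise Admins": {"alice"},
    "Domain Controllers": {"DC01$"},
    "Helpdesk": {"bob"},
    "Tier2": {"carol"},
    "Legacy Sync": {"Tier2", "bob"},
}
DOMAIN_ROOT_ACL = [
    Ace("Domain Admins", True, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("Enterprise Admins", True, None),                  # all extended rights
    Ace("Domain Controllers", True, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("Legacy Sync", True, DS_REPLICATION_GET_CHANGES_ALL),   # the stale grant
    Ace("Helpdesk", False, DS_REPLICATION_GET_CHANGES_ALL),     # explicit deny
    Ace("bob", True, DS_REPLICATION_GET_CHANGES),               # not the "All" right
]
PRINCIPALS = {"alice", "bob", "carol", "DC01$", "frank"}
EXPECTED_TRUSTEES = {"Domain Admins", "Enterprise Admins", "Domain Controllers"}

if __name__ == "__main__":
    print("can replicate secrets:", effective_holders(DOMAIN_ROOT_ACL, GROUPS, PRINCIPALS))
    print("not on the radar:", unexpected_holders(DOMAIN_ROOT_ACL, GROUPS, PRINCIPALS, EXPECTED_TRUSTEES))
```

Run as written, the audit lists `alice`, `DC01$` and `carol` as able to replicate secrets and flags `carol` as the one nobody expected: she holds the right only through Tier2's nesting in a stale group. `bob` is denied even though the same stale group grants him the right, because the Helpdesk deny entry takes precedence. Removing the Legacy Sync ACE (or the nesting) is the lockdown the post describes; in a real deployment the same check would be fed from the live DACL and group membership rather than constructed data.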

Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!

Fast-Forward Six Months

Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.

All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.


The moral of the story is that while it's fine to fall for the latest fad, i.e. to consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.

I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

Best wishes,

CEO, Paramount Defenses

PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here etc. etc.

PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lock down any and all unauthorized access in Active Directory ACLs, making it impossible for any unauthorized user to use Mimikatz DCSync against Active Directory.

PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory


FINANCIAL threats are still profitable for cyber criminals and, therefore, continue to be an enduring part of the threat landscape. From financial Trojans that attack online banking, to attacks against automated teller machines (ATMs) and fraudulent interbank transactions, there are many different attack vectors utilised by criminals.

As Symantec predicted in 2015, there was an increase in attacks against corporations and financial institutions during 2016. This was evident from a series of high-value heists targeting customers of the Society for Worldwide Interbank Financial Telecommunication (Swift). While there is no evidence of any such high-value heists on Swift customers this year, the 2016 attacks saw several such institutions lose millions of dollars to cyber criminals and nation state-supported attackers such as the Lazarus group.

On average, 38 per cent of the financial threats we detected in 2016 were found in large business locations. Most of these infection attempts were not targeted attacks but were instead due to widespread email campaigns. Although we have seen a 36 per cent decrease in detection numbers for financial malware in 2016, this is mainly due to earlier detection in the attack chain and more focused attacks.

With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware. The financial Trojan threat landscape is dominated by three malware families: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86 per cent of all financial Trojan attack activity in 2016. However, due to arrests, takedowns, and regrouping, we have seen a lot of fluctuation over the last year. Globally, financial institutions in the US were targeted the most, going by the samples analysed by Symantec, followed by Poland and Japan.

Infection vectors for financial Trojans haven't changed much in the past year and are still identical to other common Trojans. Distribution mainly relies on spam email with malicious droppers attached and web exploit toolkits. The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016.

The already well-known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment forms have also been used in massive spam runs to distribute malware.

We have also seen Office documents without macros, and instead with embedded OLE objects and instructions for the user to double-click the payload. The Necurs botnet (Backdoor.Necurs), which sent out more than 1.8 million JS downloaders in one day alone in November 2016, highlights the magnitude of some of these campaigns.
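The three delivery mechanisms in the paragraphs above (script attachments such as JS and VBS files, Office documents carrying a VBA project, and Office documents with no macros but an embedded OLE object the user is told to double-click) can all be caught before the file is ever opened. The PowerShell script below is an added example, not code from Symantec's report: it inspects an attachment by name and, for OOXML files, by the part list of the zip container. The sample files it writes to a temporary folder are constructed placeholders, not real malware, and the function names are this example's own.

```powershell
# Added example (not from the Symantec report): triage mail attachments for the
# delivery mechanisms described above - script droppers (JS/VBS), decoy double
# extensions, Office files carrying VBA projects, and Office files carrying
# embedded OLE objects. The sample files it builds in %TEMP% are constructed
# placeholders, not real malware.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta')
$OoxmlExtensions  = @('.docx', '.docm', '.dotm', '.xlsx', '.xlsm', '.pptx', '.pptm')

function Test-Attachment {
    param([Parameter(Mandatory)][string]$Path)
    $name    = [System.IO.Path]::GetFileName($Path)
    $ext     = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($ScriptExtensions -contains $ext) {
        $reasons.Add("script attachment ($ext)")
        # "invoice.pdf.js": the inner extension is a decoy for the user
        $inner = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($name))
        if ($inner) { $reasons.Add("decoy double extension ($inner$ext)") }
    }

    # OOXML documents are zip containers; inspect the part list without opening Office
    if ($OoxmlExtensions -contains $ext) {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
            try {
                $parts = @($zip.Entries | ForEach-Object { $_.FullName })
                if ($parts -match '(?i)vbaProject\.bin$') { $reasons.Add('VBA macro project present') }
                if ($parts -match '(?i)/embeddings/')     { $reasons.Add('embedded OLE object present') }
            } finally { $zip.Dispose() }
        } catch {
            $reasons.Add('not a valid OOXML container')
        }
    }

    [pscustomobject]@{
        Name       = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# --- constructed sample attachments (placeholders, not malware) ------------
function New-SampleOoxml {
    param([string]$Path, [string[]]$Parts)
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($part in $Parts) {
            $stream = $zip.CreateEntry($part).Open()
            $bytes  = [System.Text.Encoding]::ASCII.GetBytes('placeholder')
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Dispose()
        }
    } finally { $zip.Dispose() }
}

$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'attachment-triage'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
New-SampleOoxml (Join-Path $dir 'report.docx')  @('[Content_Types].xml', 'word/document.xml')
New-SampleOoxml (Join-Path $dir 'invoice.docm') @('[Content_Types].xml', 'word/document.xml', 'word/vbaProject.bin')
New-SampleOoxml (Join-Path $dir 'quote.docx')   @('[Content_Types].xml', 'word/document.xml', 'word/embeddings/oleObject1.bin')
Set-Content -Path (Join-Path $dir 'scan.pdf.js') -Value '// placeholder, not a real downloader'

Get-ChildItem -Path $dir -File | ForEach-Object { Test-Attachment -Path $_.FullName } | Format-Table -AutoSize
```

The plain report.docx comes through clean; the other three samples are flagged for the reason the paragraphs above describe. The check is deliberately structural: it reads the zip directory, so it never executes a macro or renders an OLE object, and it works the same at a mail gateway or on an endpoint. It does not look inside legacy binary formats (.doc, .xls), which are single OLE compound files rather than zip containers and need a different parser.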

Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just one in 9,138 emails in March 2017. In 2016, the average number of phishing emails was slightly higher than one in 3,000 emails. Simple phishing no longer works against most banks and financial institutions, as they rarely rely on static passwords alone. But phishing attacks can still be successful in stealing online retail account credentials and credit card details.

Equifax has revealed that 2.5 million more Americans than previously thought may have had information compromised in a huge cyber security breach at the firm.
The credit report giant said about 145.5 million of its US customers might have been affected, up from a previous estimate of 143 million.

ATM and point of sale (POS) attacks continued to increase in 2016. ATM malware has been around for 10 years but is still effective. With the increase in targeted attacks aimed at banks, we also saw an increase in attacks against ATMs from within the financial network. Since the adoption of Chip & PIN has begun to spread outside of Europe, we have seen a decrease in classic memory scraping threats, as they are no longer efficient for the attackers.

There are various degrees of sophistication seen in the wild when it comes to ATM attacks. For some attacks, the criminals need physical access to the ATM computer and they get this by opening the cover with a stolen key or picking the lock.

Once they have access to a USB port or the CD-ROM, they can install malware and attach a keyboard to issue commands (the Ploutus malware uses this attack vector).

Similar attacks have been reported in hotels where attackers used the often exposed USB ports on the backside of the check-in computers to install malware.

In retail stores, the attackers added their sniffer to an exposed network port inside the shop. This allowed them to compromise any attached POS device and scrape its memory for payment card information.

With physical access to the ATM, another attack vector is possible. As reported in April 2017, some attackers discovered they could drill a hole into the ATM casing in order to access the internal bus system. Once access is obtained, a cheap microcomputer is all that is needed to send commands to the bus in order to make the ATM dispense its cash.

We have also seen financial malware attempt to hide its configuration files from researchers, and attackers move to redirection attacks, or even log into the compromised system manually to issue large transactions when interesting financial software is detected on it.

Mobile threats on Android are mainly focusing on form overlay attacks or fake online banking apps. We have seen more than 170 mobile apps targeted by mobile malware. Mobile threats are still relevant as many financial institutions have deployed two-factor authentication through mobile phone applications.

As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorising fraudulent transactions. The end-user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.

When cyberattackers successfully compromise an internal network, they can steal any credentials that will help maximise their profits. This could mean stealing online banking credentials, sensitive personal data or other passwords. It is common for financial threats to steal any other account information that they can find on a compromised computer.

Once a computer is compromised, cyberattackers can use any stolen information to spread their malware further, or even sell it on underground forums. Credit card details are still the most sold digital goods on the underground forums, while bank account access information is priced according to the account balance.

For example, an account with US$1,000 in it can be sold for US$10. An account with a greater balance will be on sale for a larger sum.

The attacks are not only targeting the banks' customers. We have seen several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent inter-bank transactions. Financial institutions are confronted with attacks on multiple fronts. The main two types are attacks against their customers and attacks against their own infrastructure.

In the event of a cyber breach, companies' losses extend far beyond just monetary value. Their reputation and customers' trust - areas that take time and effort to develop - will also be damaged. We expect financial threats to remain a problem for end-users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them. Prevention is by far the best outcome, so it pays to pay attention to how cyber breaches can be avoided. Emails and infected websites are the most common infection vectors for malware. Adopting a robust defence against both these infection vectors will help reduce the risk of infection.


Penetration Testing vs. Vulnerability Scanning

Frequently, new or existing clients will come to us requesting a penetration test. Usually, one of the first things we tell them is that they do not need a penetration test done…yet. Within IT, and within InfoSec specifically, there is a disconnect between terms used by industry professionals, their clients, and the media/public. Two of the most confusing terms are:

  • Penetration Testing
  • Vulnerability Scanning

Most clients will seek out security consulting services to have a ‘pen test’ performed, without knowing what a penetration test entails. Too often they picture a scene from Mr. Robot, or Hackers – someone in a darkened room, in front of a console, furiously typing away to hack into servers.

Most of our clients are organizations that have not worked with a security consulting firm before, but are used to working with managed service providers, so they expect to be sold hardware or software solutions. Because COMPASS is vendor agnostic, we evaluate what our clients’ needs are, and then offer a series of services that we think will help our clients achieve their goals.

As previously mentioned, we almost always have the conversation about Penetration Testing. Whenever we discuss this with our clients we try to help them understand the difference between a penetration test and a vulnerability scan. So, let us get into defining the two:

Penetration Test

A Penetration Test has a specific goal: to exploit weaknesses and gain access to data within your network, to achieve administrator privileges, or possibly to alter financial data. A Penetration Test should not be performed as a start to your information security program. It should be something performed when you have a security configuration in place that needs to be tested, for example once you have established a patch management process, hardened network devices and essentially closed any known gaps within your network architecture.

A Penetration Test should only be performed once vulnerability assessments have been executed and all remediations implemented, since they can be expensive and should be employed when you want to test security that is already assumed to be in place and adequate.

Vulnerability Scan/Assessment

A Vulnerability Scan or Assessment, whichever flavor you prefer, should be an organization’s first step in building a strong security stance. Vulnerability scans are technical assessments that are designed to discover as many vulnerabilities as possible within a target network. Vulnerability scan reports include severity ratings for the discovered vulnerabilities and remediation/mitigation instructions, and they allow for prioritization of vulnerability remediation.

A Vulnerability Scan/Assessment should be performed at the start of your security journey. It will help you to generate a prioritized list of things wrong with the network, from OS patches and third-party vulnerabilities to open ports and services running on perimeter devices. The goal of a vulnerability scan should always be to fix as many findings as possible.

For more information on how to get started with your security assessment, download our Cyber Security Assessment Checklist or CONTACT US for a deeper discussion.