Essential Infrastructure in Peril
Critical infrastructure industries are a required foundation for a functional society. Without these sectors, vital services and products are unavailable. Health care, finance and manufacturing are three examples of markets that fall under this designation. The huge shortage of personnel with cybersecurity skills puts this essential infrastructure in peril. The demand for these experts is higher than the supply, making it difficult for organizations to appropriately protect themselves from cybercriminals. In the United States, only 66.7 percent of employer demand is met. It's even worse in other countries, with Israel only filling 28.4 percent of demand.
Topics:
Security Monitoring,
Managed Detection & Response,
Ethical Hacking,
Device Management,
Information Security,
Vulnerability Management,
Threat Management
What the Verizon 2017 DBIR Means for You
Every year, Verizon publishes a new version of its Data Breach Investigations Report (DBIR). Now in its tenth year, the report analyzes trends in hacking and other data breaches over the past year.
Topics:
Information Security
We often hear from prospective clients that they have a third party perform external penetration testing every year, and it never finds anything serious, so if the attackers can’t get in from the outside, why bother testing anything else? At first, the logic seems sound. Using a castle as an analogy for the network: you’ve built a castle with really strong walls, and if nothing can breach the walls, then the squishy villagers, the rulers, and the royal jewels inside are safe and secure. This thinking follows the traditional 90s style of network architecture, where the only route into the corporate network was through the border firewall or the modem, the one hardline into the office.
Topics:
Ethical Hacking,
Information Security,
Vulnerability Management,
Penetration Testing,
Threat Management
It happens all the time. A new penetration test work order comes into my inbox, and the customer is asking us to test only a handful of external IP addresses. A quick WHOIS request shows me that the customer owns an entire class C of public IP space, and that they didn’t even include their public webserver in the scope. In an ideal world, I’d get in touch with our Project Manager, we’d get in touch with the customer and talk about the scope, and the customer would say it was a simple mistake and give us a full list of the IP addresses they control.
Topics:
Ethical Hacking,
Information Security,
Penetration Testing,
Threat Management
Adobe, MySpace, LinkedIn, and many other large organizations have had major password breaches in the last few years: breaches in which attackers exfiltrated usernames, email addresses, passwords, and in some cases plaintext password hints and other data from the company’s database. The initial response is always, "Log into that service, and change your password before the hackers get in and take over that account!" The sad truth is that it’s rarely that account that matters. It’s the other accounts, at other services, where you (or your users) reused the same email address and password that were exposed in the compromised account.
Topics:
Ethical Hacking,
Information Security,
Vulnerability Management,
Penetration Testing,
Threat Management
Affected Product
Cisco UCS Central Software versions 1.2 and earlier
If you are currently running Cisco UCS Central Software, you should update the software immediately.
Topics:
Device Management,
Information Security,
Threat Advisory
In light of new PCI-DSS requirements stating that SSLv3 no longer meets the specification for “strong cryptography” prescribed by PCI standards, we wanted to give you a brief history of how the industry got here and why SSLv3 is no longer considered secure.
Topics:
Ethical Hacking,
Information Security,
Security Architecture Review,
Penetration Testing
IT Security is thriving in the Detroit Metro area and we're proud to be sponsoring BSides Detroit 2013 this year! Security BSides is an innovative new un-conference style meetup that brings local security professionals together to share experiences and knowledge, and to network.
Topics:
Information Security,
Events
After a string of high-profile account compromises that included the Associated Press and Burger King, Twitter has added an additional (but optional) layer of authentication to help protect users from being the next big-name account that's compromised.
Topics:
Information Security,
Security Architecture Review
When it comes to the Internet, keeping your organization's presence online is crucial to the accessibility of resources for existing and potential customers. At NetWorks Group, we understand that despite the best of intentions and planning, downtime will likely still occur, at least a few minutes per year. Many teams set a goal of 100% uptime for their web site, but often get a dose of reality when a large storm hits their data center or other issues pop up that are out of their direct control. To this end, we wanted a way to minimize total downtime, so that our presence on the Internet is down as little as possible, without going over the top on infrastructure to do so.
Topics:
Information Security