By Chris Green, Structured Security Engineer, CISSP-ISC2, CISA ISACA, QSA PCI SSC, PCIP PCI SSC Amid rising global tensions and numerous warnings from the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), organizations across the globe can expect to see an increase in cyber attacks from nation-states, criminal gangs, and copycats riding the wave. These attacks may vary in sophistication depending on the source of the malicious actor, but organizations should be prepared to encounter any level of foe. While a robust security program is tasked with focusing on numerous facets such as continuous posture assessment, monitoring and detection, threat hunting, and incident response, Structured’s Governance, Risk and Compliance team would like to share some of the most common findings from penetration testing that often lead to compromise. While many organizations are transitioning to cloud-based infrastructure, user-endpoints and cloud infrastructure can still be a focus of attack. The following details common findings from penetration testing public-facing assets, followed by what we commonly see while probing internal assets. Common Findings from Penetration Testing Public-Facing Assets No multi-factor authentication (MFA) on public-facing authentication portals – During testing, we mimic the most popular attacks used by malicious actors: social engineering and…

Worried about Higher Cybersecurity Insurance Premiums? Here’s How to Limit Your Exposure.


Cybersecurity Insurance

By The Structured Security Team -- Experts agree, it isn't a matter of if your organization will come against a cybersecurity threat, it's a matter of when. And companies that provide cybersecurity insurance are passing along the costs, increasing premiums to combat the risk of increasing payouts. Cybersecurity Insurance Costs Are Increasing Rapidly Cybersecurity insurance…

Read More

Protect Identities with MFA, Validation and Strict Management


National Identity Management Day 2021

By Brad Pierce, Structured Managing Director of Security, CISSP/CISA/PCIP -- Last week in the news were reports of more than a billion accounts being leaked online from just two sources (Facebook (533M) and LinkedIn (500M)). The data is still being validated, but the source seems to largely be public information that has been aggregated, bundled…

Read More

Trust is Dead, Long Live Trust!


MFA & Zero Trust Business

By Brad Pierce, Structured Managing Director of Security, CISSP/CISA/PCIP -- Zero Trust is a philosophy, a journey. No one manufacturer or security product will get you where you’re going. It will take all of your technologies, and likely some new ones, to arrive at a Zero Trust architecture. Trust is dead, long live trust! Zero…

Read More

Supply Chain Hacks: Fallout from a nation-state-backed attack


By Jesse Wilson, CISSP, Sr. Security Engineer -- Two weeks have passed since the discovery of Sunburst (https://us-cert.cisa.gov/ncas/alerts/aa20-352a), an exploit so vast it likely will become the biggest breach in history – at least to date. Government agencies and private businesses alike are scrambling to detect indicators of compromise (IOCs), install patches and implement damage…

Read More

Secure Critical Infrastructure Demands Proactive Measures


Electricity Infrastructure with Cityscape

By Collin Miller, Director of Cloud Security -- Given the emergency brought on by rapid spread of COVID-19, many businesses have been shut down or are transitioning to telework to comply with public health measures. However, for the group of organizations that make up our critical infrastructure, shutting down is not an option.  Critical infrastructure…

Read More

Back to Basics – Inventory Documentation and Network Visibility


Calm Worker in Clouds

By Brad Pierce, Structured Managing Director of Security, CISSP/CISA/PCIP -- One of the first things you must do as a network or systems administrator is document. Oh, Documentation! The bane of IT professionals everywhere. In our harried work lives, it is a tedious, time-consuming process. Most people prefer to avoid documentation. But, when it is…

Read More

Supply Chain Hacking 101


An educational piece about the supply chain attack By Jesse Wilson, CISSP, @CyberWarior1775 To start, let’s talk about what the supply chain is in relation to Information Technology. In this case, the supply chain refers to the coordination of order generation; order processing; order fulfillment via the distribution of products, services and/or information; manufacturing; and…

Read More