When Organizations Do Not Use Email Encryption

When Organizations Do Not Use Email Encryption

For this article, I had originally written it a few months ago. However, I didn’t get the chance to post it at that time. And, in a fortunate and positive way it turns out that my post will be some what less relevant than originally intended for the readers. When I initially had started this article, I had noticed an issue which seems to crop up anytime I am working with an organization. Many important organizations still lack basic security tools and options. In the example of this article, it looks into the lack of use of email encryption and secure email systems.

Now before I get into the nitty gritty stuff I want to list out a disclaimer. Everything I conduct, list, and discuss on my blog is and has always been for educational purposes. None of my articles are made or should be used to attack machines out there. All information on my blog is for the better purpose of learning better security methods.

Disclaimer

Now this article is not meant to bash government organizations in any way what so ever. This article is here to teach that any and all types of organizations can easily lack basic security measures. (more…)

SMTP Authentication

Hello everyone.

I am back with some more email security!

Today I’d like to talk about SMTP Authentication.
Some people may never have heard of this concept or may have simply ignored it as it seemingly may not feel that important.

However, in certain situations one may need to make use of SMTP Auth for email.

SMTP Authentication

SMTP Authentication – Outgoing Emails

As shown above in the diagram.

SMTP Auth is fairly simply to use for all incoming or outgoing emails.

Essentially, a machine has to authenticate with the central mail server.

The authentication can be done in various ways.

You can normally query LDAP, Active Directory, or some other identity management system as well as store the credentials on the mail server (not recommended).

How Does It Work?

(more…)

Network Security for IP Camera’s

Network Security for IP Camera’s & Video Surveillance Systems

These days many devices have some form of interaction with our networking devices and the internet itself! What people forget is much like our desktops, laptops and mobile devices. All of these other types of devices need to be secured. The average person is going to assume no security is needed and that the product itself is already fairly secure by default. In my personally opinion, I’d say the default security settings are usually not sufficient enough to keep the device and your network safe.

I’ve created a guide below of procedures that can be followed to enhance the security measures for your IP Camera’s and systems.

IP Camera Hardening Guide

I’ve created a hardening guide below that will look at a few key components that administrators will want to make use of in their network.

• Passwords
• LDAP/AD Authentication
• VLAN’s
• 802.1X Authentication
• Disabling Network Ports
• Disabling Unused Services
• MAC Address Filtering
• Physical Access Control

(more…)

BurpSuite & ZAP Bypass Proxy

BurpSuite & ZAP Bypass Proxy

I wanted to make this tutorial for users that might get stuck in a similar situation.

I was security testing a website using Burpsuite and would end up with SSL Handshake failures. And, it really made no sense at first since Burpsuite uses Java. And, I had the latest version of Java installed on my machine. Burpsuite was giving me SSL Handshake failure alerts and was asking me to install JCE Strong Cipher policies. Turns out the website was using VERY strong ciphers (which is a very good thing). And, they were using no medium or outdated ciphers.

Now, these ciphers are so strong that even the latest Java package does not contain them….yet.

So that meant I had to find another way to use Burpsuite, but still have the ability to make a proper SSL handshake using the strong ciphers. I then turned to another similar product called OWASP ZAP. This is a great product and I have used it back when I didn’t quite have the funds to purchase Burpsuite. What I realized was that I could use Burpsuite and have ZAP filter my traffic for me. For some reason ZAP has all of the strong ciphers and did not fail the SSL handshake, which meant I could transfer traffic as:

 Browser -> Burpsuite -> ZAP -> Webserver

(more…)

Passing the CISA exam

Passing the CISA exam – Certified Information Systems Auditor

So I though it would be interesting to post up a blog post about my experience challenging the the CISA exam last year in 2016.

I had started this blog a bit afterwards, and never really thought about posting my experience. But, many others have always asked about my experience taking the CISA exam ,and if there were any tips I could give them to better their chances of passing the exam.  My hope is this post helps those that end up reading this and gives them a better insight on the adventure of obtaining the ISACA CISA certificate.

Preparing for the CISA exam

(more…)