Posts Tagged Security
A common theme among information security commenters and keynotes is that infosec can and either will or should evolve to be more like structural engineering, product safety, and public health, since those fields have all but eliminated the risk of dying in a commercial aircraft accident or dying from polio. Why don’t we follow the same process to stop getting hacked? It would be nice if attackers were just a disease, pest, or accident that we could vaccinate, spray, or certify away. But we have intelligent, adaptive, goal-driven, human adversaries. So let’s learn from the fields that have been dealing with them for centuries.
Unless you have not patched your domain controller in the past five years, chances are, if an intruder gets domain admin or enterprise admin level access, they probably did it through credential theft. One of the biggest recurring themes of countless intrusion and pentest reports is that to accomplish lateral movement and privilege escalation to […]
A combined solution to 15 different serious problems with password-based authentication, including the Pass-The-Hash (PTH) attack. No other measures come close to solving all these problems, and for many of the problems, I am unaware of any other solution at all. Sadly, both Microsoft and other security researchers either did not really consider this solution or discounted it as unrealistic. The objections either showed flaws with implementing only half a solution, or assumed that legacy equipment or implementation difficulties would doom the project, because they focused on what a large enterprise would be likely to implement with minimal effort right now. It reminds me of an immigration debate that focuses on people who are already here and pays less attention to future immigrants, only to find 30 years later that what happened to the future immigrants is all that mattered. Here are the objections, and why they should not stop you.