Tag

Zero Trust Architecture

Zero trust architecture posts dive into the technical frameworks and infrastructure designs that support zero trust implementations. Topics include identity-aware proxies, software-defined perimeters, network access control, policy engines, and integration with cloud and hybrid environments.

posts

NIST Standards

NIST Standards: What Actually Matters for Your Security

800 Pages of Security Guidance — and Most Teams Read None of It In 2023, the MOVEit Transfer breach compromised data from over 2,600 organizations worldwide. Many of those organizations claimed compliance with major frameworks. The problem wasn't that NIST standards didn't cover the vulnerability class

Carl B. Johnson May 01, 2026 5 min read
Cybersecurity for Financial Services

Cybersecurity for Financial Services: A 2026 Playbook

The Industry That Can't Afford a Single Mistake In November 2023, the SEC fined several financial advisory firms a combined total of nearly $750,000 for cybersecurity failures following credential theft incidents that exposed thousands of customer records. The firms had the basics — firewalls, antivirus — but lacked the

Carl B. Johnson Mar 29, 2026 5 min read
Security for System

Security for System Environments: A 2025 Field Guide

The Breach That Started With a Single Unpatched System In February 2024, UnitedHealth Group's subsidiary Change Healthcare suffered a ransomware attack that disrupted healthcare payment processing across the United States for weeks. The attackers gained access through a Citrix remote access portal that lacked multi-factor authentication. One system.

Carl B. Johnson Nov 06, 2025 7 min read
Cloud Computing Security

Cloud Computing Security: What Goes Wrong in 2025

In January 2025, the Verizon Data Breach Investigations Report team was already tracking a sharp rise in cloud-specific intrusions — a trend that accelerated throughout the year. By mid-2025, roughly 45% of all breaches involved cloud assets, up significantly from prior years. If your organization moved to the cloud and assumed

Carl B. Johnson Sep 27, 2025 7 min read
Security in Cloud Computing

Security in Cloud Computing: What Goes Wrong in 2025

The Breach That Started With a Single Misconfigured S3 Bucket In 2023, Toyota disclosed that the vehicle data of 2.15 million customers had been publicly accessible for over a decade — because a cloud database was set to public instead of private. No sophisticated threat actor. No zero-day exploit. Just

Carl B. Johnson Sep 27, 2025 7 min read
Zero Trust Security Model

Zero Trust Security Model: Why Perimeter Defense Is Dead

In January 2024, Microsoft disclosed that the Russian threat actor Midnight Blizzard had breached corporate email accounts — not by exploiting some exotic zero-day, but by password spraying a legacy test tenant that lacked multi-factor authentication. One overlooked account. No MFA. Catastrophic access. If a company with Microsoft's resources

Carl B. Johnson Jun 12, 2025 7 min read
Zero Trust

What Is Zero Trust? A Practical Guide for 2025

The Breach That Made "Trust But Verify" Obsolete In January 2024, Microsoft disclosed that a Russian state-sponsored threat actor known as Midnight Blizzard had compromised executive email accounts — not by exploiting some exotic zero-day, but by password-spraying a legacy test tenant account that lacked multi-factor authentication. One overlooked

Carl B. Johnson Jun 12, 2025 8 min read
Zero Trust Network Access

Zero Trust Network Access: A Practical 2025 Guide

The VPN That Let Attackers Walk Right In In January 2024, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that Chinese state-sponsored threat actors had exploited Ivanti Connect Secure VPN vulnerabilities to breach multiple U.S. federal agencies. The attackers didn't kick down the door. They walked through

Carl B. Johnson May 25, 2025 7 min read
Zero Trust Implementation

Zero Trust Implementation: A Practical Guide for 2025

In January 2024, Microsoft disclosed that a Russian threat actor known as Midnight Blizzard breached corporate email accounts — not through some exotic zero-day, but by password-spraying a legacy test account that lacked multi-factor authentication. One forgotten account. No segmentation. No least-privilege enforcement. The result: a nation-state actor reading executive emails

Carl B. Johnson May 25, 2025 7 min read
Remote Desktop Security Risks

Remote Desktop Security Risks: What Attackers See

Port 3389: The Door You Left Wide Open In January 2024, the FBI and CISA issued a joint advisory warning that the Phobos ransomware group had been exploiting exposed Remote Desktop Protocol (RDP) services to breach organizations across government, healthcare, education, and critical infrastructure. The attackers didn't use

Carl B. Johnson May 18, 2025 8 min read