Tag

Zero Trust Architecture

Zero trust architecture posts dive into the technical frameworks and infrastructure designs that support zero trust implementations. Topics include identity-aware proxies, software-defined perimeters, network access control, policy engines, and integration with cloud and hybrid environments.

posts

Mobile Device Security Policy

Mobile Device Security Policy: What Most Companies Get Wrong

In March 2023, Samsung employees accidentally leaked sensitive source code and internal meeting notes by pasting proprietary data into ChatGPT — on their mobile devices. No malware was involved. No sophisticated threat actor broke through a firewall. Employees simply used their phones in ways the company's mobile device security

Carl B. Johnson Sep 18, 2023 7 min read
Third Party Risk Management

Third Party Vendor Cybersecurity Risk: A Practical Guide

In March 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives related to the 3CX supply chain compromise — a desktop phone app used by over 600,000 organizations globally. Threat actors had trojanized the software update itself, meaning every company that trusted the vendor's legitimate update

Carl B. Johnson Jun 08, 2023 8 min read
Cloud Computing Security

Cloud Computing Security: What Goes Wrong and How to Fix It

In April 2022, researchers at Palo Alto Unit 42 reported that nearly 99% of cloud user accounts, services, and resources grant excessive permissions — permissions that are granted but never used. That gap between what's allowed and what's needed is exactly where threat actors operate. If you&

Carl B. Johnson Jun 20, 2022 6 min read
Zero Trust Security Model

Zero Trust Security Model: A Practical Guide for 2022

In May 2021, a single compromised password shut down the Colonial Pipeline and triggered fuel shortages across the U.S. East Coast. The attackers used a legacy VPN account with no multi-factor authentication — a textbook example of what happens when an organization trusts its perimeter instead of verifying every access

Carl B. Johnson Jan 15, 2022 7 min read
Zero Trust Network Access

Zero Trust Network Access: A Practical Guide for 2022

In May 2021, Colonial Pipeline paid a $4.4 million ransom after a single compromised VPN credential gave attackers the keys to the kingdom. One password. No multi-factor authentication. No segmentation between IT and operational technology networks. The attackers from the DarkSide group walked through a flat network like it

Carl B. Johnson Jan 15, 2022 7 min read
Zero Trust Implementation

Zero Trust Implementation: A Practical Guide for 2022

The Colonial Pipeline Made "Never Trust, Always Verify" a Boardroom Priority In May 2021, a single compromised password shut down the largest fuel pipeline in the United States. Colonial Pipeline paid a $4.4 million ransom — and the real costs ran far deeper. The attack exploited a legacy

Carl B. Johnson Jan 15, 2022 7 min read
Remote Desktop Security Risks

Remote Desktop Security Risks: What Attackers See

An Open Door You Didn't Know You Left Unlocked In August 2021, the FBI and CISA issued a joint advisory warning that threat actors exploiting Remote Desktop Protocol (RDP) was the single most common initial access vector in ransomware attacks. Not phishing emails. Not zero-day exploits. RDP. The

Carl B. Johnson Jan 06, 2022 7 min read
Cloud Security Best Practices

Cloud Security Best Practices That Actually Stop Breaches

A Single Checkbox Left Unchecked Cost Capital One $80 Million In 2019, a former AWS employee exploited a misconfigured web application firewall to access over 100 million Capital One customer records. The breach led to an FTC investigation, an $80 million fine from the OCC, and a $190 million class-action

Carl B. Johnson Jan 01, 2022 7 min read
Cloud Computing Security

Cloud Computing Security: What Goes Wrong in Practice

Capital One Lost 100 Million Records Because of One Misconfigured Firewall In 2019, a former cloud services employee exploited a misconfigured web application firewall to steal the personal data of over 100 million Capital One customers and applicants. The breach cost Capital One over $80 million in fines from the

Carl B. Johnson May 18, 2021 6 min read