Category: Data Protection

Splunk 2020 Predictions

Jan 7, 2020 by Sam Taylor

Around the turn of each new year, we start to see predictions issued from media experts, analysts and key players in various industries. I love this stuff, particularly predictions around technology, which is driving so much change in our work and personal lives. I know there’s sometimes a temptation to see these predictions as Christmas catalogs of the new toys that will be coming, but I think a better way to view them, especially as a leader in a tech company, is as guides for professional development. Not a catalog, but a curriculum.

We’re undergoing constant transformation — at Splunk, we’re generally tackling several transformations at a time — but too often, organizations view transformation as something external: upgrading infrastructure or shifting to the cloud, installing a new ERP or CRM tool. Sprinkling in some magic AI dust. Or, like a new set of clothes: We’re all dressed up, but still the same people underneath. 

I think that misses a key point of transformation; regardless of what tools or technology is involved, a “transformation” doesn’t just change your toolset. It changes the how, and sometimes the why, of your business. It transforms how you operate. It transforms you.

Splunk’s Look at the Year(s) Ahead

That’s what came to mind as I was reading Splunk’s new 2020 Predictions report. This year’s edition balances exciting opportunities with uncomfortable warnings, both of which are necessary for any look into the future.

Filed under “Can’t wait for that”: 

  • 5G is probably the most exciting change, and one that will affect many organizations soonest. As the 5G rollouts begin (expect it to be slow and patchy at first), we’ll start to see new devices, new efficiencies and entirely new business models emerge. 
  • Augmented and virtual reality have largely been the domain of the gaming world. However, meaningful and transformative business applications are beginning to take off in medical and industrial settings, as well as in retail. The possibilities for better, more accessible medical care, safer and more reliable industrial operations and currently unimagined retail experiences are spine-tingling. As exciting as the gaming implications are, I think that we’ll see much more impact from the use of AR/VR in business.
  • Natural language processing is making it easier to apply artificial intelligence to everything from financial risk to the talent recruitment process. As with most technologies, the trick here is in carefully considered application of these advances. 

On the “Must watch out for that” side:

  • Deepfakes are a disturbing development that threaten new levels of fake news, and also challenge CISOs in the fight against social engineering attacks. It’s one thing to be alert to suspicious emails. But when you’re confident that you recognize the voice on the phone or the image in a video, it adds a whole new layer of complexity and misdirection.
  • Infrastructure attacks: Coming into an election year, there’s an awareness of the dangers of hacking and manipulation, but the vulnerability of critical infrastructure is another issue, one that ransomware attacks only begin to illustrate.

Tools exist to mitigate these threats, from the data-driven technologies that spot digital manipulations or trace the bot armies behind coordinated disinformation attacks to threat intelligence tools like the MITRE ATT&CK framework, which is being adopted by SOCs and security vendors alike. It’s a great example of the power of data and sharing information to improve security for all.

Change With the Times

As a leader trying to drive Splunk forward, I have to look at what’s coming and think, “How will this transform my team? How will we have to change to be successful?” I encourage everyone to think about how the coming technologies will change our lives — and to optimize for likely futures. Business leaders will need greater data literacy and an ability to talk to, and lead, technical team members. IT leaders will continue to need business and communication skills as they procure and manage more technology than they build themselves. We need to learn to manage complex tech tools, rather than be mystified by them, because the human interface will remain crucial. 

There are still some leaders who prefer to “trust their gut” rather than be “data-driven.” I always think that this is a false dichotomy. To ignore the evidence of data is foolish, but data generally only informs decisions — it doesn’t usually make them. An algorithm can mine inhuman amounts of data and find patterns. Software can extract that insight and render an elegant, comprehensible visual. The ability to ask the right questions upfront, and decide how to act once the insights surface, will remain human talents. It’s the combination of instinct and data together that will continue to drive the best decisions.

This year’s Splunk Predictions offer several great ways to assess how the future is changing and to inspire thought on how we can change our organizations and ourselves to thrive.


Jul 11, 2019 by Sam Taylor

Case Study #1: Rural Hospitals and New Technologies: Leading the Way in Business Continuity

The purpose of this series is to shed light onto the evolving nature of Business Continuity, across all industries. If you have an outdated plan, the likelihood of success in a real scenario is most certainly diminished. Many of our clients already have a plan in place, but as we start testing, we have to make changes or redesign the solution altogether. Sometimes the Business Continuity plan is perfect, but does not include changes that were made recently – such as new applications, new business lines/offices, etc.

In each scenario, the customer’s name will not be shared. However, their business and technical challenges as they relate to Business Continuity will be discussed in detail.


This case study concerns a rural hospital in the Midwest United States. Rural hospitals face many challenges, mainly in the fact that they serve poorer communities with fewer reimbursements and a lower occupancy rate than their metropolitan competition. Despite this, the hospital was able to surmount these difficulties and achieve an infrastructure that is just as modern and on the leading edge as most major hospital systems.


Our client needed to test their existing Disaster Recovery plan and develop a more comprehensive Business Continuity plan to ensure compliance and seamless healthcare delivery in case of an emergency. This particular client has one main hospital and a network of nine clinics and doctor’s offices.

The primary items of concern were:

  • Connectivity: How are the hospital and clinics interconnected, and what risks can lead to a short or long-term disruption?
  • Medical Services: Which of their current systems are crucial for them to continue to function, whether they are part of their current disaster recovery plan, and whether or not they have been tested.
  • Telecommunication Services: Phone system and patient scheduling.
  • Compliance: If the Disaster Recovery system becomes active, especially for an extended period of time, the Cyber Security risk will increase as more healthcare practitioners use the backup system, and, by default, expose it to items in the wild that might currently exist, but have never impacted the existing live system.

After a few days of audit, discussions, and discovery, the following were the results:

Connectivity: The entire hospital and all clinics were on a single Fiber Network which was the only one available in the area. Although there were other providers for Internet access, local fiber was only available from one provider.

Disaster Recovery Site: Their current Business Continuity solution had one of the clinics as a disaster recovery site. This would be disastrous in the event of a fiber network failure, as all locations would go down simultaneously.

Partner Tunnels: Many of their clinical functions required access to their partner networks, which is done through VPN tunnels. This was not provisioned in their current solution.

Medical Services: The primary EMR system was of great concern because their provider would say: “Yes, we are replicating the data and it’s 100% safe, but we cannot test it with you – because, if we do, we have to take the primary system down for a while.” Usually when we hear this, we start thinking “shitshows”. So, we dragged management into it and forced the vendor to run a test. The outcome was a failure. Yes, the data was replicated, and the system could be restored, but it could not be accessed by anyone. The primary reason was the fact that their system replicates and publishes successfully only if the redundant system is on the same network as the primary (an insane – and, sadly – common scenario). A solution to this problem would be to create an “Extended LAN” between the primary site and the backup site.

Telecommunication: The telecommunication system was not a known brand to us, and the manufacturer informed us that the redundancy built into the system only works if both the primary and secondary were connected to the same switch infrastructure.

Solution Proposed

CrossRealms proposed a hot site solution in which three copies of the data and virtual machines will exist: one on their production systems, one on their local network in the form of a Cohesity Virtual Appliance, and one at our Chicago/Vegas Data Centers. This solution allows for instantaneous recovery using the second copy if their local storage or virtual machines are affected. Cohesity’s Virtual Appliance software can publish the environment instantaneously, without having to restore the data to the production system.

The third copy will be used in the case of a major fiber outage or power failure, where their systems will become operational at either of our data centers. The firewall policies and VPN tunnels are preconfigured – including having a read-only copy of their Active Directory environment – which will provide up-to-the-minute replication of their authentication and authorization services.

The following are items still in progress:

  • LAN Extension for their EMR: We have created a LAN Extension to one of their clinics which will help in case of a hardware or power/cooling failure at their primary facility. However, the vendor has very specific hardware requirements, which will force the hospital to either purchase and collocate more hardware at our data center, or migrate their secondary equipment instead.
  • Telecom Service: They currently have ISDN backup for the system, which will work even in the case of a fiber outage; once the ISDN technology is phased out in the next three years, an alternative needs to be configured and tested. Currently there will be no redundancy in case of primary site failure, which is a risk that may have to be pushed to next year’s budget.

Lessons Learned

The following are our most important lessons learned through working with this client:

  • Bringing management on board to push and prod vendors to work with the Business Continuity Team is important. We spent months attempting to coordinate testing the EMR system with the vendor, and only when management got involved did that happen.
  • Testing the different scenarios based on the tabletop exercises exposed issues that we didn’t anticipate, such as the fact that their primary storage was Solid State. This meant the backup solution had to incorporate the same level of IOPS, whether local to them or at our data centers.
  • Run books and continuous practice runs were vital, as they are the only guarantee of an orderly, professional, and expedient restoration in a real disaster.


Jul 11, 2019 by Sam Taylor

Amidst a news cycle rife with malware incidents and cyberattacks, there is one shining spot of hope: 100,000 malware sites have been reported and taken down within the last year., a non-profit cybersecurity organization, has spearheaded a malicious URL hunt known as the URLhaus intiative. First launched in March 2018, a small group of 265+ security professionals have been searching for sites that feature active malware campaigns. These reported sites are passed down to information security (infosec) communities, who work to blacklist or take down URL’s completely.

While abuse reports are rolling in, there has been slow action on the web hosting provider’s part. Once a provider has been reported to have a malicious site, they need to take action in removing or altering the site. Average times to remove the malware infected site has been reported to be 8 days, 10 hours, and 24 minutes– a generous time delay that allows the malware to infect even more end users.

Heodo is one of the most popular malwares used, a multi-faced strain that can be utilized as a downloader for a variety of other attacks, acting as a spam bot, banking trojan, or a credentials swiper.

While sites aren’t responding with a particular deftness, it is still quite a feat to gather all these malicious URL’s with the power of such a limited group of researchers.


Jul 11, 2019 by Sam Taylor

This past month one of our clients experienced a security compromise with their phone system, where 3 extensions had their credentials swiped. Among the information taken was the remote phone login information, including username, extension and password for their 3CX phone system.

Our first tip off of the attack was the mass amount of international calls being made. We quickly realized that this was not your traditional voicemail attack, or SIP viscous scanner attack because the signature of it was different (more below). To alleviate the situation we immediately changed their login credentials, but to our surprise the attack happened again with the same extensions within minutes of us changing their configuration.

For those of you thinking that the issue can be related to a simple or easy username and password (extension number and a simple 7-digit password), that wouldn’t be the case here. It’s important to note that with 3CX version 15.5 and higher, the login credentials are randomized and do not include the extension id, which makes it a lot harder to guess or brute force attack.

We locked down International dialing while we investigated the issue, and our next target was the server’s operating system. We wasted hours sifting through the logs to see if there were any signs of attack, but absolutely none were present. We next checked the firewall and again saw no signs of attack– so how was this happening? How were they able to figure out the user ID and password so quickly and without triggering the built-in protections that 3CX has, like blacklisting IP addresses and preventing password guessing attempts?

Right back to square one, we needed more information. After contacting different contacts of the client, we found out that the three extensions were present at an International venue, which interestingly enough, was the target of all the International calls!!! Phew, finally a decent clue. Under the assumption of a rogue wireless access point present at the hotel, we asked them to switch to VPN before using their extension, which stopped any new authentication fields from being guessed  – – –

While we were able to get our client up and running again, there was something a bit more interesting going on here. The hackers were using a program to establish connections and then use those connections to allow people to dial an International country on the cheap (margins here are extraordinary). That program is using an identifier “user_agent” when establishing a connection to make the calls. If we filter for that, they will have to redo their programming before they can launch the attack again, which proved to be a quick and instantaneous end to this attack irrespective of source– even if they acquire the necessary credentials.

Here’s how I would deal with this next time, in 3CX you can follow the following steps:

Go to

  1. Settings
  2. Parameters

3. Filter for “user_agent”

4. Add the user agent used (The Signature) in the attack to either fields and restart services

Eg. The Signature (Ozeki, Gbomba, Mizuphone)


Jul 11, 2019 by Sam Taylor

Microsoft JET Database Engine is left unpatched.

Microsoft JET, a database engine, is currently a massive vulnerability. A recent repair has yet to repair a long-standing flaw, leaving an opening for hackers.

JET is one of Microsoft’s first database engines, created in the 90’s, used to power a variety of Microsoft applications like: Microsoft Project, Visual Basic, an Access. It has since been phased out by newer technologies, but is still included in Window’s package for sentimental reasons.






The vulnerability had reached zero- day at the time of it’s announcement. Once a Microsoft encounters a vulnerability there is a 120 day window to complete a patch, failure would require a public announcement, known as zero day. This vulnerability has been declared public so users can take cautionary action and look to protect themselves from possible attacks. It has been rated as “2 – Exploitation Less Likely”, as a hacker could exploit the opening by altering data within the database.

An attacker would target a user by sending an email with a clickable link/ attachment that would allow access to the database. The link would be a specific JET Microsoft Database file that would require opening or importing the linked data. With access to the database the hacker would be able to alter or delete data.



How to Protect Yourself


As reported on earlier, don’t open links from emails sent from unknown sources. It is unclear if Microsoft will work to patch the vulnerability.


Jul 11, 2019 by Sam Taylor
Google+ has hidden a data breach for the past 6 months in order to avoid a larger fallout.

In response to a publicized security breach, Google is looking to shut down their failed social media site. Google+ was created with the intention of overthrowing Facebook, but instead has left its scanty user base exposed to third-party data intrusions via software bug.

How Data Was Compromised

Destined to be a popular site, Google+ was once an exclusive social media alternative that required an invitation, which made it all the more alluring; how users data was then shared with others is less exclusive. When signing into apps, there was the option to sign in with Google+,  similar to signing into an app with Facebook, which then allowed the app to collect and harvest data generated by the user. When a Google+ user logged in with their account, they not only offered up their information, but also their friend’s information.

Who Was Affected

While Google+ never experienced the fame it had predicted, there was still a notable user base. 500,000 users were ultimately affected by this security bug, which revealed their age, jobs, and local information– placing them in danger of fraud. The software bug gave approximately 438 third-party vendors access to users private information from 2015 to March 2018, when the loophole was discovered.

Why Was it Not Made Public

The Google+ data leak was discovered in March– incidentally the same month that Facebook was under fire for the Cambridge Analytica scandal. Looking to avoid Facebook’s fate, Google+ chose not to disclose the data leak– instead choosing to quietly repair the software bug. The difference in data leaks is rather apparent, with Google+ having a much smaller user base in comparison to Facebook.

What You Can Do

Many users made a Google+ account when it was all the rage, but most didn’t use it after initial creation. While you may not be using Google+ anymore, one of your friends might have– leaving you exposed. Checking to see if you have a Google+ account is as simple as checking your gmail or university email, then going into your settings to completely delete the Google+ account. A lot users have an account and they don’t even realize it.

The site is said to shut down in ten months, while leaving a business aspect of Google+ still available.


Jul 11, 2019 by Sam Taylor
Windows 10 October 2018 Update

The October Windows Ten Update was released earlier this week, with changes that are sure to suit every user. The update will be available via the Windows website, or will begin to sneak onto Windows users screen as a reminder within the next week.

Kicking off this update are these ten new features:

Fewer Restarts

One of the most grating features of previous updates were sudden restarts. Dona Sakar, a Windows Insider, has noted these disruptions, “We heard you… We trained a predictive model that can accurately predict when the right time to restart the device is.” This means that getting up to get a cup of coffee won’t mean coming back to a computer in reboot mode.

Battery Usage

What’s draining your battery? Task Manager has a new feature that will allow you to view how much battery each app and program is using, best for identifying that excessive power gobbler.

Bluetooth Battery

Love your new wireless headphones? With the new update Windows users will able to see how much battery each of their bluetooth batteries has left.

Text Slider

Among the updates is one that will benefit those who need larger text. Instead of zooming in on a page and distorting the website layout, this text slider will allow the text itself to appear larger.

Snip and Sketch

Bundling multiple applications into one, the “winkey + shift + s” option will allow for a quick screenshot with the possibility of sketching on the saved image. Sharing and printing the saved clipboard image has gotten easier.

Phone Sync  

Texting doesn’t have to stop at your phone. Syncing your phone has never gotten easier, the Windows update allows for you phone to link to your computer.The new “Your Phone” feature allows for messages and photos to be linked to your Windows 10 device. This means there is no need to transfer large files via Dropbox or email. 

As for compatibility, this works best with Androids and is quickly expanding for better functionality with Apple products.

Dark Mode

Dark Mode has expanded to other Windows 10 applications: File Explorer. This fan-favorite dark screen theme has expanded to your search for files.   

Cloud Clipboard

Those that have multiple Windows 10 devices will find this feature of the update most useful. With the Cloud Clipboard feature, you can easily have the same files available across all devices. The transition of moving from a work computer to home computer has been simplified with the new update. 

Search Preview

Looking for a file just got easier. With this new search preview feature, a user can search within the start menu and will be able view previews of the files. Allowing for an effortless search.

HDR Support

With the gamer in mind, this Windows 10 update will allow for more contrast and vivid colors than ever. While HDR support has been difficult in the past, this update is looking to fix that.

The new update will also allow for ray-tracing, a Nvidia feature that will allow for better gameplay.  


Jul 11, 2019 by Sam Taylor
Could Your Wi-Fi Router Be The Death of You?

Can my wi-fi router be compromised?

Wi-Fi routers pose an easy target for most hackers. A router’s firmware will pose a risk if left running without an update. Most households will keep their Wi-Fi router running day in and day out, without being checked for the latest patches or bug fixes.

Over time, Wi-Fi routers’ vulnerabilities are amplified. Most firmware is built with open source code, which is a cost-effective way to allow for customization, but is also seen as more susceptible to cyber attacks.

Is this even a serious threat?  

Yes. In a study done by the American Consumer Institute (ACI), it was found that in a range of 186 Wi-Fi routers, from a slew of popular providers, 155 were found to be based on open source code. This means that 83% of those routers have a higher probability of being exposed to attacks.

Earlier this year there were thousands of Wi-Fi routers infiltrated by Russian hackers, reported by NBC. Barreling through little protection, a semi-experienced hacker could easily move past password barriers such as: 1234 and other simple passwords. Once they have access to your router, they can sift through private data, spy on web interactions, or even gain access to your financial institutions.  

How to protect yourself:

  1. Update your Router’s firmware
  2. Search online for vulnerabilities on your device
  3. Turn off Remote Administration

While the “Remote Admin” tool is helpful for when you need tech help from afar, it leaves a loophole that could be used by hackers.


Jul 11, 2019 by Sam Taylor

Those with a touchscreen or stylus capable Windows PC are most likely in love with the smart feature that allows a handwritten scribble to become formatted text. Introduced in Windows 8, the handwriting recognition tool was implemented with the goal of easing a user’s experience. 

The handwritten recognition tool has the capability of storing all previous texts in order to better interpret stylus scribbling and suggest corrections. All data is saved, collected and compiled into a file called WaitList.dat.

A Digital Forensics and Incident Response (DFIR) expert, Barnaby Skeggs, was the one to highlight the handwritten recognition tool. In an interview with ZDnet he reviewed complications, “The user doesn’t even have to open the file/email, so long as there is a copy of the file on disk, and the file’s format is supported by the Microsoft Search Indexer service,”.   

While this isn’t meant to be a major vulnerability, it ultimately poses a risk. WaitList.dat collects texts from other sources on the device that includes written text, like emails, written documents, passwords, and usernames.

Skeggs went on to elaborate that WaitList.dat could also recover text from deleted documents, “If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file.”

To a digital forensics expert like Skeggs this provides all the evidence he needs to show a document had once existed– as well as it’s data.

As mentioned before, the purpose of the handwritten recognition tool was to simply aid a user, not hinder them. PC users that are utilizing this tool may need to have extra precautions, but won’t be in danger unless their device is targeted.

If you’re looking to resolve this potential security issue, you can manually go to the following address and delete WaitList.dat. Skeggs listed the typical location of the file: C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat


Jul 11, 2019 by Sam Taylor

The one thing that makes an airport layover bearable may be more risky than many realize.

Airport Wi-Fi, though sometimes faster than cellular networks, is often unencrypted and rather unsecure, according to a study by Coronet. They created a list of the 10 U.S. airports where you’re most likely to have information stolen via the Wi-Fi.

This doesn’t mean you should never connect to airport Wi-Fi, but it does mean it is important to be careful when doing so.