  • October is National Cyber Security Awareness Month, and the Delap Cyber Team wants to take this opportunity to share three simple steps you can take right now to protect yourself from cyber criminals. Our digital lives and "real-world" lives are increasingly intertwined. Your bank accounts, private messages, photos, GPS location, and public image are all extremely valuable to identity thieves, scammers, and other cyber criminals. We hope everyone can implement these easy, personal cyber security hygiene tips in order to significantly reduce the likelihood of your digital—and real—life being compromised. 1.

  • An email account takeover (ATO) is a cyber attack where criminals gain access to your email account or system. Access can be gained by social engineering, malware, credential stuffing, cross-site breaches or a multitude of other methods. This article serves as a guide to help administrators prepare for this type of cyber attack. If you have recently been attacked, please follow our guide How to Respond and Recover from an Email Account Takeover or contact our dedicated cyber security team immediately. RECOMMENDED PREVENTION TIPS 1. Enable Reporting • Microsoft currently does NOT log

  • There's a new network security threat to be aware of, and it affects one of the world's most widely used operating systems, VxWorks. In fact, VxWorks is so commonly used, it powers more than 2 billion devices around the world, including firewalls, printers, elevators, Boeing 787s, and more. Armis, a California-based enterprise IoT security company, describes it as "the most widely used operating system you have likely never heard about." They recently discovered 11 zero-day vulnerabilities within it, with an estimate that more than 200 million devices or networks can

  • An email account takeover is a cyber attack where criminals gain access to your email account or system. Access can be gained by social engineering, malware, credential stuffing, cross-site breaches or a multitude of other methods. If you are reading this response plan, the cyber-attack has likely already been successful, and you may have a compromised email account within your organization. This guide is a walk-through of how to respond and recover from an Email Account Takeover (ATO) cyber-attack. Take the following actions immediately after an Email Account Takeover. 1. Change your

  • Communication is vital to all aspects of life and business, especially when it comes to cyber security. I consider having solid communication so important that I would go as far as saying it isn’t possible to have an effective security program without equally effective and high-quality communication. Here are some common symptoms and risks associated with poor communication or complete lack thereof: delayed (or lack of) response to security events; personnel following inconsistent procedures; Shadow IT (people doing their own thing, buying their own tools without leadership visibility or being supported

  • There are many approaches to blocking email spoofing. Today we will walk through a simple method using Office 365 email transport rules to prevent employees from receiving emails sent from an attacker pretending to send email from Login to Office 365 using an account with administrator rights. Open the 'Admin centers' navigation tree on the left and click on 'Exchange'. Click on 'Mail flow'. Click on the '+' sign to create a new rule.   Congrats, you have a shiny new anti-email spoofing rule in place!   If you found this article useful or would like

  • It has become an increasingly common tactic for hackers to create auto-forwarding rules to automatically send email to an external inbox (under the attacker's control) in instances where the hacker has managed to compromise an email account. This allows the attacker to snoop on email communications without needing to be active in the victim's email inbox. Knowing that this is a common tactic in a hacker's toolbox, it is always a good idea to be aware of any instances where auto-forwarding is enabled in your environment. In fact, Microsoft's security best

  • Quantum computing. Possibly the only technology that is currently more hyped than blockchain. Quantum computing is frequently mentioned; however, it is rarely understood. It has the potential to transform humanity on a scale larger than any prior technological advance in human history. Let's try to piece together the basics and begin to understand this looming technology. Does it actually exist or is just the idea of it relegated to doctoral theses and theory? To begin exploring the basics of quantum computers, you have to start with a high-level understanding of quantum physics.

  • KGW News recently released a story about how an Oregon family lost $123,000 after falling victim to an email scam. Aaron Cole and his family had just sold their Oregon City home, which they had been improving for six years in order to buy their new dream home. They found their dream home and received confirmation from their title company that they'd be in touch soon with detailed instructions for wiring the $123,000 down payment. The next day, Cole received an official-looking email that appeared to be from the title company with wiring

  • Phishing and spam email are a pain to deal with. While you may never be completely rid of them in the modern communication age, there are steps you can take to reduce the ability for hackers and scammers to send emails that appear to be coming from your email domain (i.e., spoofing). These three steps are available on the majority of email platforms in use and are relatively simple to implement. That being said, this walkthrough is specific to Microsoft’s Office 365 platform and Amazon’s Route53 DNS service. Step 1 – Configure

  • While there are some legitimate reasons where a company may wish to allow auto-forwarding of business email, the vast majority of the time the best course of action is to simply disable email auto-forwarding functionality. Not only does this follow Microsoft’s security best practices, but it limits an attacker’s ability to silently forward all email to an external email account in the event they are able to compromise one of your employee’s email accounts. My position on the value of user passwords alone is fairly well known: passwords alone are not good

  • One of the largest data breaches in the history of the Internet was announced on November 30th, 2018. Marriott announced that its Starwood Hotel chain had a breach of information from a secure reservation system. The information of approximately 500 million customers around the world was exposed. According to Marriott, the hackers accessed people’s names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information. For some, they also stole payment card numbers and expiration dates. Marriott says the payment card numbers

  • Introduction: Biometrics – the epitome of “high security” in today’s movies and TV shows. Whether it is protecting a vault containing millions in diamonds or safeguarding top-secret CIA documents, biometrics are tasked by Hollywood to protect the most sensitive of assets. However, biometrics is no longer relegated to futuristic movie plot lines. Biometric access control systems have become widely adopted and inexpensive to implement in the real world. Everyone with a modern cellphone has had at least some personal interaction with biometrics. Fingerprint sensors first came to cell phones in 2011. Since

  • Up 55% from 2016, 61% of small and midsized businesses experienced attacks in 2017. Small businesses are routinely tasked with making important decisions on a daily basis. Often with limited resources, key decision makers within organizations are responsible for balancing risk, profitability, cost, and competitiveness. Understandably, priority is often given to the core revenue stream of the organization. Supplemental considerations such as overhead and the IT environment tend to be lower on the day-to-day priority list. Unfortunately, there are real risks towards small businesses when it comes to cyber-attacks. A 2017

  • In late June 2018, the Wi-Fi Alliance announced the most significant update to the Wi-Fi Protected Access standard in 14 years: WPA3. The Wi-Fi Protected Access 3 protocol brings significant security updates to the ubiquitous but aging WPA2 protocol, which was first introduced back in 2004. WPA3 will operate in two distinct modes consistent with WPA2 before it: WPA3-Personal and WPA3-Enterprise. Most significant points of Wi-Fi Protected Access 3: Increased protection against brute-force attacks: WPA3 introduces a new handshake method that, according to the Wi-Fi Alliance, "delivers robust protections even when users choose

  • Most company password policies employ a few security measures that, for a long time, have been largely regarded as unchallenged, logical best practices. These measures are typically: password rotations every 90 days, complexity requirements (upper, lower, number, and special characters), etc. For Domain Administrators and End-Users alike, these restrictions have long been the bane of our password management experience. But let's admit it, you probably have terrible passwords; we all do. According to a 2017 survey by Keeper Security, most people have a single password that they use across all systems.

  • Delap is pleased to announce the launch of our new website showcasing Delap’s growing cybersecurity service offerings! Delap has been serving the industry as trusted experts in information security since 1992, from active participation in developing domestic and international payment security standards (ANSI and ISO) to supporting customers in achieving their security and compliance objectives. Every week seems to bring with it news of another security breach, from Chipotle and the DNC to the latest Equifax breach impacting at least 143 million people! A quick search of ‘company hacked’ or ‘data breaches’ reveals

  • Yesterday, researchers at Armis announced that they had found a series of vulnerabilities in Bluetooth that can allow an attacker to take over a device in seconds, with no interaction from the user end. They have dubbed this new attack "BlueBorne." Bluetooth is a short range wireless protocol most commonly used to send things like audio and pictures between devices, such as between your phone and your car, and between your computer and wireless speakers or headphones. It is also used to connect mobile devices together, for example, syncing smart watches

  • Intel confirmed that a critical vulnerability exists in computers running an affected version of the Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology. This is a hardware-level vulnerability and undermines security or controls implemented at the operating system or application levels. In brief, it allows an attacker to gain administrative privileges to system memory (even worse, access is not logged [no audit trails] from this attack vector). If you haven't already, please review systems in your environment to validate whether any are vulnerable. If they are,

  • With the inevitable rise in chatter regarding the recent rollback of FCC privacy rules related to internet service providers' (ISPs) handling of consumer data, it's crucial to understand the role privacy plays in our own lives. To read the original FCC ruling and the Congressional joint resolution signed by the President on April 3rd, 2017, see the reference detail for 'S.J.Res.34' at the end of this article. The initial question to answer is, "How do internet browser sessions actually work?". At a high level, it all starts with DNS (Domain Name System).

  • It's that time of year again; fraudsters are out in droves looking for ways to obtain data about you and your employees in order to cash in on filing fraudulent tax returns! So what are a few steps you can take as an employer to reduce the risk of unknowingly providing fraudsters with the very information they desperately want (e.g., W-2 forms)? For starters, implement a policy to require a validation step for any request for employee data or completed W-2 forms. The formal control term is 'out of band'

  • Have you heard the Steve Martin quote "Be so good they can't ignore you"? The outcome of following this advice is typically positive for society. But unfortunately, our cyber adversaries have also tackled this quest and through rapid advancements, ultimately pose a greater and more constant threat to business and consumers alike, a threat which we can't ignore. Let's take a quick look into the reality of cyber threats to gain an understanding of how frequent and common they can be. The following is a cyber threat map developed by Kaspersky and

  • This is a high-level, crash course on two common types of VPNs (Virtual Private Network) and implementations in use at companies worldwide. In today's dynamic work environment, employees value the ability to work remotely. End-users are often more concerned with the performance and reliability of a VPN and often worry less about how secure it is. VPN is commonly used as a term to describe a way to access company network and data resources when outside the office. While this is fairly accurate, this common understanding leaves end-users with the risk

  • So, how should organizations be mitigating these significant risks to their environments? For one, the notion that having RFID physical access control systems guarantees that they are secure needs to be abolished. It is far too often forgotten that there are no "silver bullets" in security, and RFID security is a perfect example. Organizations need to stop relying solely on their RFID badge systems to provide security assurance for physical access control. Other mechanisms need to be implemented in conjunction with their RFID systems (i.e., defense in depth). Probably the most

  • The ProxMark III is the de facto device for attacking RFID-based physical access control systems. Originally created by Jonathan Westhues for his master's thesis, both the software and the hardware have been continually developed by an active online community. This very flexible and powerful device is the size of a deck of cards and is able to read, simulate and clone both high frequency and low frequency RFID devices. Anyone with $399 and a moderate amount of technical ability will have a viable platform to gain access to your

  • If you've dropped in to grab coffee from a downtown Starbucks on a weekday morning, you've probably noticed that seemingly everyone has a small, white plastic badge attached to their clothing somewhere. These are otherwise known as Radio Frequency Identification (RFID) badges, and are widely deployed by organizations around the world to control physical access to buildings, data centers, and other sensitive areas. Unbeknownst to many however, is that RFID is a rather simple technology that facilitates tracking, logging and identification via radio waves. RFID badge systems allow organizations to reduce

  • Throughout my experience in the information security industry, I have come into contact with individuals who seem to like the idea of having quality security controls in place, but simply do not want to deal with the reality of the information environment we live in. In a way, these folks are like Linus from Peanuts, content as long as they have their security blanket, but not ready to face the reality of whether or not said blanket provides anything significant in the way of actual security. The following are a few