On a recent red team engagement, our team was tasked with focusing on Active Directory Certificate Services (ADCS) exploitation. The objective was to identify certificate template misconfigurations and potentially achieve privilege escalation by abusing them. The concepts and attacks used were based around the work and whitepaper by Will Shroeder (@harmj0y) and Lee Christensen (@tifkin_).

There are many facets to preparing your organization for a major cyber incident. Incident response playbooks, proper network hardening, and multiple levels of employee cyber hygiene training are par for the course. In theory, these solutions should ensure you're ready for any cyber threat. But how can you be sure all of that will pay off when you're faced with a real-world scenario? Enter, tabletop exercises.

This partnership is to offer an accessible online course in Offensive Cybersecurity Operations, and Open-Source Intelligence taught by practitioners.

​

Fortalice Solutions has partnered as a Data Privacy Champion. With the goal of increased awareness about online privacy among individuals and organizations, one goal of Data Privacy Week is to help organizations understand why it is important that they respect the data of their users, employees and suppliers.

Fortalice Solutions released a white paper, The Privacy Pitfalls and Security Dangers of Internet Trackers, which details the privacy concerns surrounding an organization's use of internet trackers. For the last 10 months, Fortalice has completed more than 40 investigations related to third-party tracking technologies in the healthcare field. To that end, our team has provided the following update based on our experience.

​

Fortalice Solutions CEO and Founder, Theresa Payton has announced the promotion of Bridget O'Connor and Melissa O'Leary to the position of Partner of Fortalice Solutions.

​

​

T-Mobile announced on January 19 that it was reviewing a November 2022 data breach, potentially impacting 37 million accounts through one of its APIs. This advisory is intended to help our clients understand the urgent need to understand and review their API security, while also summarizing recent T-Mobile breaches.

In a matter of months, public companies will have several new rules to follow with respect to cybersecurity incident reporting. The Securities and Exchange Commission (SEC) proposed rules changes focus on ensuring the availability and comparability of public company disclosures across industries.

​

​

​

​

Domain fronting is a generic technique based on HTTPS that allows an actor to hide the true destination of a communication from network equipment in the path. While domain fronting has been used in offensive engagements for several years now, the number of frontable cloud services continues to dwindle. Today, Fortalice is publicly adding another service to that list: Azure Front Door.

​

​

API security protects an API's confidentiality, integrity, and availability. Securing your API is essential as it helps protect your application and your data from malicious attacks, such as data theft, malicious code injection, and denial of service attacks. Prioritizing API security today will protect your business and customers from the devastating consequences of cyberattacks tomorrow.

​

​

Retailers are trying to understand why some customers abandon their online shopping carts before pressing “proceed to checkout” or “place your order.” To solve these riddles, retailers are increasingly turning to web tracking services and fine-tuning their targeting efforts. Organizations need to be aware of the ramifications of how they are using internet trackers.

For a newly minted chief information security officer (CISO), the first 90 days are a time of both peril and possibility. If CISOs move too fast or push too hard, they risk alienating the organization. Move too slowly and new CISOs risk squandering their momentum and honeymoon period. Experienced CISOs tell Endpoint how they navigated their first few months on the job. Here's how to navigate your new role.

Buyer beware: Scammers have set up shop on Facebook. Here's how to avoid falling victim to some common Facebook Marketplace scams.

​

Discover the significance of comprehensive application security assessments in identifying and addressing software vulnerabilities. Learn about the different types, including manual code reviews, automated vulnerability scanning, penetration testing, and security architecture reviews. Fortalice blog offers valuable insights to help you choose the right assessment for your organization.

During the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise is leading to business email compromise. Threat actors will leverage weaknesses regarding executives' or board members' personal cybersecurity hygiene to gain access to their business accounts. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.

​

​

Maintaining data privacy, or data security, involves the proper handling, storage, and dissemination of information. This doesn't only apply to organizations, but to everyday internet users as well. If you have ever allowed location access, accepted cookies on a web page, or even posted a family picture on Facebook, you have left a digital footprint.

Theresa Payton, the founder and CEO of Fortalice Solutions is energized to announce the promotion of Kathy Lu to Director of Application Security.