Ben Johnson – WindowsTechs.com

If I’m rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]

Posted on April 22, 2024 by Ben Johnson

My site’s users currently do not have any MFA options, but we’re planning to release this feature in the near future. We’ve already built support for TOTP and have it working internally, but some on my team think that it won’t be very user… Continue reading If I’m rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]→

Should bounties be paid for information exposure?

Posted on May 30, 2023 by Ben Johnson

An ethical hacker found that a system I own, has an exposure of information. They were able to determine the programming language, a web framework and the exact versions of both from a stack trace by causing an unhandled exception in the a… Continue reading Should bounties be paid for information exposure?→

What is the correct CVSS “Privileges Required” score for a privilege escalation when it’s trivial to get user privileges?

Posted on October 20, 2022 by Ben Johnson

I’m trying to accurately score a report using CVSS as follows:

Privileges Required
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Score increases as fewer priv… Continue reading What is the correct CVSS “Privileges Required” score for a privilege escalation when it’s trivial to get user privileges?→

How does one implement chunked CBC encryption safely; is this implementation flawed?

Posted on January 3, 2020 by Ben Johnson

UPDATE: Upon further research, I discovered a library that appears to meet my needs, especially with regard to the chunked aspect. Rather than “roll my own”, I would be better served to use this well-established library:

htt… Continue reading How does one implement chunked CBC encryption safely; is this implementation flawed?→

Cybersecurity Self-Esteem: 4 Things Confident Teams Are Doing

Posted on August 31, 2016 by Ben Johnson

By increasing our cybersecurity self-esteem, we can truly make a difference in raising our collective cybersecurity resiliency. Continue reading Cybersecurity Self-Esteem: 4 Things Confident Teams Are Doing→

Shifting The Economic Balance Of Cyberattacks

Posted on June 27, 2016 by Ben Johnson

Our goal should be to simply make the cost of conducting a cyberattack so expensive that cybercriminals view attacking our organization as a bad return on investment. Continue reading Shifting The Economic Balance Of Cyberattacks→

A Real World Analogy For Patterns of Attack

Posted on June 20, 2016 by Ben Johnson

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Continue reading A Real World Analogy For Patterns of Attack→

Patterns Of Attack Offer Exponentially More Insight Than ‘Indicators’

Posted on June 13, 2016 by Ben Johnson

In the cyberworld, patterns of attack provide investigators with context and the precise sequence of events as a cybercrime unfolds. Continue reading Patterns Of Attack Offer Exponentially More Insight Than ‘Indicators’→

‘Must Haves’ & ‘Must Dos’ For The First Federal CISO

Posted on March 11, 2016 by Ben Johnson

Offensive and defensive experience, public/private sector know-how, ‘mini-NSA’ mindset and vision are top traits we need in a chief information security officer. Continue reading ‘Must Haves’ & ‘Must Dos’ For The First Federal CISO→