John Nye

About John Nye

John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half of that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).

The Future of Healthcare Security

The start of a new year causes us to reflect on the past year and determine both the current state of the industry and where we are heading. As 2018 began, everyone pored over the 2017 annual reports and were, once again, bemoaning the sorry state of the healthcare industry’s security posture. According to HHS, there were 289 breaches reported in 2018, which is more than last year, but the total number of records lost has gone down

April 2nd, 2019

Documentation: The Necessary Evil of IT

One of the most dreaded terms in the world of information technology and security (IT/IS) is “documentation”. Not because it isn’t massively helpful to everyone, or really for any reason other than that it is difficult and fairly time-consuming to produce in the first place. But a secret your IT staff doesn’t want you to know is just how much thorough documentation can improve almost all aspects of IT/IS. The list of things that can be optimized by thorough documentation

March 5th, 2019

Zero Days vs. Standard Ways

A few days ago, a new vulnerability was found that affects the security of encrypted data, specifically on full-disk encrypted drives using hardware encryption protocols. For some time now, it has been considered best practice in Infosec - regardless of vertical - to rely on full-disk encryption to protect sensitive data from theft. The premise of this practice is that if a hard drive encrypted using Microsoft’s BitLocker or other commercial alternatives, or the device in which it resides,

January 10th, 2019

IoT Security: How to Effectively Manage Endpoint Device Security

IoT security is one of the most concerning and critical issues that we in healthcare face on a daily basis. All industries are affected by IoT devices threatening the integrity of their networks, with consumer “smart” devices and industrial control systems (ICS) being common endpoints in all networks. For some reason that I have not yet been able to pin down, almost everyone has been ignoring the dangerous little devices they have on their networks, and this negligence has

September 27th, 2018

Web Application Penetration Testing

I have been writing about penetration testing and its related skills for some time now but haven’t yet taken a good deep dive into web application penetration testing. In many ways, web application penetration testing is very similar to any other pentest, but there are some key differences and a few tools that are better suited to web application testing specifically. One of the key differences between an external web application pentest and a typical internal pentest is the

August 16th, 2018

The 4 Most Commonly Missed Endpoint Devices in Healthcare

“Endpoint” is a term that seems to have a variable definition in many of today’s organizations. As the name itself suggests, an endpoint is simply any connected device capable of processing, transmitting, or storing data packets. Despite this relatively simple definition, many organizations I have worked with are unable to produce a complete list of the total number of endpoints they have. This issue is exacerbated by the nature of the modern hospital and how device ownership is divided.

June 20th, 2018

Detecting and Protecting: Why Security Incidents Keep Surprising Us

Why are we so bad at detecting and protecting against security incidents? Attackers need only find a single flaw that will allow them to gain entry to a system. Those who protect those systems, on the other hand, have to think of every possible avenue an attacker could use. Logic dictates that this is simply not possible. In fact, only 45% of the healthcare organizations sampled for our annual report were considered to have any level of maturity by NIST

May 31st, 2018

Attacking Your Own Network: A Lesson on Penetration Testing for Healthcare

On the Ides of March, or very close to it, on March 7th, I will take the HIMSS 2018 stage with Chuck Kesler, CISO of Duke Health, talking to our fellow healthcare IT professionals about penetration testing and hacking. This is a particularly pertinent topic since the healthcare industry has become a major target for attackers in recent years. It has become a veritable race between the attackers and the protectors. Who will find the vulnerabilities first? Unfortunately, finding

February 27th, 2018

The Top Four Healthcare Cybersecurity Trends for 2018

In order to explore the likely cybersecurity trends coming our way in 2018, we must first take a quick look back at 2017. Last year was a banner year in about as many ways as one can think of. Unfortunately, most of those “banners” are for disasters of every sort. Today we are looking at the world of healthcare and how cybersecurity fared last year. Unfortunately, the story is not much better, particularly when we focus on healthcare cybersecurity.

January 24th, 2018

What is the NH-ISAC 90-Day DMARC Challenge?

Healthcare organizations are more vulnerable to phishing attacks because the average maturity of their security controls and training is lower than that of other industries, such as banking. Successful phishing attacks rely heavily on emails with either spoofed or similar-looking domain names. Emails originating outside of an organization’s domain but from similar-looking domains can be flagged as external to alert the end user. Unfortunately, emails with spoofed domains require technical controls to identify them and divert them to a spam folder.

December 4th, 2017