John Nye

About John Nye

John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).

Multiple Government Agencies Release Joint Security Threat Alert Related to COVID-19 Crisis

The unprecedented times we are living in continue to evolve. In a rare move, the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC) released a joint alert on growing cybersecurity threats that are directly related to the COVID-19 crisis. This important notification should not come as a surprise but certainly serves as a reminder of how precarious and dangerous the threat environment is during COVID-19.

End-of-Life Is Not a Suggestion, It Is a Fact

About five years ago everyone who worked in IT was talking and thinking about how to deal with the impending end-of-life for the massively popular Windows XP operating system. At that time, I was part of countless meetings, email chains, and phone calls that discussed what the best method was for keeping XP on networks past the official end of support from Microsoft. At the time, most of us in IT had not dealt with anything like that: a

The Future of Healthcare Security

The start of a new year causes us to reflect on the past year and determine both the current state of the industry as well as where we are heading. As 2018 began everyone pored over the 2017 annual reports and were, once again, bemoaning the sorry state of the healthcare industry’s security posture. According to HHS, there were 289 breaches reported in 2018 which is more than last year, but the total number of records lost has gone down

Documentation: The Necessary Evil of IT

One of the most dreaded terms in the world of information technology and security (IT/IS) is “documentation”. Not because it isn’t massively helpful to everyone, or really for any reason other than it is difficult and fairly time-consuming to make in the first place. But, a secret your IT staff doesn’t want you to know is just how much thorough documentation can improve almost all aspects of IT/IS. The list of things that can be optimized by thorough documentation

Zero Days vs. Standard Ways

A few days ago, a new vulnerability was found that affects the security of encrypted data, specifically on full-disk encrypted drives using hardware encryption protocols. For some time now, it has been considered best practice in Infosec - regardless of vertical - to rely on full-disk encryption to protect sensitive data from theft. The premise of this practice is that if a hard drive encrypted using Microsoft’s BitLocker or other commercial alternatives, or the device in which it resides,

IoT Security: How to Effectively Manage Endpoint Device Security

IoT security is one of the most concerning and critical issues that we in healthcare face on a daily basis. All industries are affected by IoT devices threatening the integrity of their network with consumer “smart” devices and industrial control systems (ICS) being common endpoints in all networks. For some reason that I have not yet been able to pin down, almost everyone has been ignoring the dangerous little devices they have on their networks and this negligence has

Web Application Penetration Testing

I have been writing about penetration testing and its related skills for some time now but haven’t yet taken a good deep dive into web application penetration testing. In many ways, web application penetration testing is very similar to any other pentest, but there are some key differences and a few tools that are better suited to web application testing specifically. One of the key differences between an external web application pentest and a typical internal pentest is the

The 4 Most Commonly Missed Endpoint Devices in Healthcare

“Endpoint” is a term that seems to have a variable definition in many of today’s organizations. As the name itself suggests, an endpoint is simply any connected device capable of processing, transmitting, or storing data packets. Despite this relatively simple definition, many organizations I have worked with are unable to produce a complete list of the total number of endpoints they have. This issue is exacerbated by the nature of the modern hospital and how device ownership is divided.

Detecting and Protecting: Why Security Incidents Keep Surprising Us

Why are we so bad at detecting and protecting against security incidents? Attackers need only find a single flaw that will allow them to gain entry to a system. Those that protect them, on the other hand, have to think of every possible avenue an attacker can use. Logic dictates that this is simply not possible. In fact, only 45% of the healthcare organizations sampled for our annual report were considered to have any level of maturity by NIST

Attacking Your Own Network: A Lesson on Penetration Testing for Healthcare

On the Ides of March, or very close to it on March 7th, I will take the HIMSS 2018 stage with Chuck Kesler, CISO of Duke Health, talking to our fellow healthcare IT professionals about penetration testing and hacking. This is a particularly pertinent topic since the healthcare industry has become a major target for attackers in recent years. It has become a veritable race between the attackers and the protectors. Who will find the vulnerabilities first? Unfortunately, finding