Morning Brew
If the threat is coming from inside the house, the front door was probably misconfigured.
Unlike an external pen test, where hackers are tasked with breaking into a network, internal pen tests begin from an interior vantage point.
During internal tests, pen testers are looking for security holes like poor patch management, unsegmented networks, and weak identity management, or more complicated exploits like link-local multicast name resolution (LLMNR) poisoning/relaying or disabled server message block (SMB) signing. Active Directory seems to be a perennial weak spot.
Pen testers who spoke with IT Brew spilled the beans on the most common vulnerabilities they find during internal tests.
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
Microsoft’s efforts to placate European Union antitrust regulators over the bundling of its Teams video conferencing app have failed, Bloomberg reported.
The European Commission (EC) is preparing a formal list of complaints pegged to Microsoft’s practice of bundling Teams with its other business productivity software, Bloomberg’s sources reported—and a Microsoft proposal to fend off the inquiry by unbundling Teams from Microsoft 365 and Office 365 in Europe and selling it to enterprise customers separately with an annual discount of $26.20 apparently isn’t good enough to satisfy the EC.
Reached for comment, a spokesperson for Microsoft, Sarah Naciri, directed IT Brew to the blog post where Microsoft VP of European Government Affairs Nanna-Louise Linde originally raised the unbundling proposal.
Linde had also written that Microsoft would work to increase interoperability with Microsoft 365 and Office 365, as well as “create new mechanisms to enable third-party solutions to host Office web applications.”
Read more here.—TM
The Log4j catastrophe exposed countless servers and applications to a major vulnerability in the Java-based logging platform, empowering bad actors to infiltrate or hijack devices. More than two years after the flaw came to light, there’s one silver lining: The government is paying attention.
At the second Secure Open Source Software Summit, Biden administration leaders like acting National Cyber Director Kemba Walden and deputy national security advisor Anne Neuberger convened alongside big industry players to map out strategies for a safer software ecosystem.
The event, which ran from Sept. 12–13, showcased the momentum driving the development and implementation of protocols to make open-source software components more transparent and traceable, attendee Moran Ashkenazi, chief security officer at software platform JFrog, told IT Brew.
“It’s clear to them how crucial, how critical it is,” she said of the government’s commitment to open-source improvements. “Open source leads to technology, leads to business, and eventually, to every civilian’s life. That’s a line that is super clear to the government. And therefore it’s funded.”
The summit, organized by the Open Source Security Foundation (OSSF) and held next door to the White House, also showed off significant progress toward practical steps that will limit the impacts of corrupted open-source code in the future, JFrog Senior Product Manager Sharan Hiremath told us.
Keep reading here.—KG
Today’s top IT reads.
Stat: 38 terabytes. That’s how much data a Microsoft misconfiguration leaked through GitHub, exposing “passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.” (PCMag)
Quote: “What we’re trying to figure out right now is A: ‘Is this as big of a problem as we think it is?’ and B: ‘What are different models that might work?’”—Nick Leiserson, assistant national cyber director for cyber policy and programs at the Office of the National Cyber Director, on streamlining redundant federal cyber regs (Cyberscoop)
Read: An old-school threat is resurfacing in developing countries: the humble USB drive. (Wired)