What is Smishing and How You Can Protect Yourself

May 20, 2024

This is an article I’ve put together for my internal Security Awareness program. Feel free to grab and use in your own program. Created with help from ChatGPT.

In today's digital age, cybersecurity threats are evolving rapidly, and one of the rising threats is "smishing." Smishing, a blend of "SMS" (short message services) and "phishing," is a form of phishing that involves sending fraudulent SMS messages designed to deceive recipients into revealing personal information or installing malware.

Understanding Smishing

Smishing attacks typically involve a text message that appears to come from a legitimate source, such as a bank, a well-known retailer, or even government agencies. These messages may claim that there's an urgent issue requiring your immediate attention, such as a problem with your bank account, a missed delivery, or a tax refund opportunity. The message will usually include a link that you are urged to click to resolve the issue.

How Smishing Works

The goal of smishing is to trick the recipient into providing sensitive information, such as login credentials, credit card details, or personal identification numbers. Alternatively, the link may download malware onto the recipient’s phone, which can lead to data theft or loss, financial loss, and sometimes even identity theft.

Examples of Smishing Attacks

Financial Frauds: "Notice from Bank XYZ: Unusual activity detected on your account. Please verify your identity immediately to prevent closure. Click here [link]."
Fake Contests: "Congratulations! You’ve won a $500 gift card from [Popular Brand]. Claim your prize now [link]."
Impersonation of Authorities: "Urgent COVID-19 alert in your area. Click here for safety measures to follow [link]."
CEO Fraud: “Hi [employee], are you available? I have an urgent need.”

Tips to Protect Yourself from Smishing

Be Skeptical of Unsolicited Messages: Always be wary of text messages that ask for personal information, especially if they convey a sense of urgency.
Verify the Source: If a message claims to be from an organization you do business with, verify its authenticity by contacting the organization directly using a phone number or email address from their official website—not the contact details provided in the message.
Avoid Clicking on Suspicious Links: Do not click on links in unsolicited texts or emails. Instead, go directly to the website by typing the URL into your browser.
Educate Yourself and Others: Awareness is your best defense. Learn about the latest smishing tactics and educate your family and friends on how to protect themselves.

Conclusion

Smishing is a significant and growing threat in the realm of cyber scams. By staying informed and cautious, you can protect yourself from falling victim to these malicious attacks. Always remember that when it comes to protecting your personal information, vigilance is key. If you suspect you’re being targeted by a smishing attack please contact [INTERNAL SECURITY TEAM INBOX].

Exploring the Verizon DBIR - Image created by ChatGPT

2024 Verizon DBIR Insights and Thoughts

May 13, 2024

The Verizon Data Breach Investigations Report (DBIR) for 2024 was recently released. It’s a must read of those in cybersecurity. It gives great insight into the overall threat landscape and then breaks it down by industry. Working in healthcare this is important because while ransomware grabs the news a bigger concern may actually be insider threat. This is highlighted even more this year with new requirements around reporting on security incidents and breaches insider threat and specifically the Miscellaneous Error category. My random thoughts from the report are below with a lean towards healthcare.

Insights and thoughts on the Verizon DBIR

Vulnerability exploitation on the rise

Exploitation of vulnerabilities tripled from last year. I’ve read similar numbers from other trend reports and it makes sense. As organizations get more controls in place such as Multi-Factor Authentication (MFA) and people get better at identifying phishing (later in the report) attackers will pivot to other ways of getting in. We’ve already seen a rash of vulnerabilities in network appliances over the last several months that could allow attackers into the network.

Human Element Calculation Change

Privilege misuse was removed from the human element calculation which means the human element metric dropped to 68% instead of 76% if it were kept in this year. I’m a little torn because I still believe it’s human element misusing privilege. The idea is to align their security awareness recommendation better. From that angle I get it because privilege misuse is more intentional regardless of security awareness training.

Added third-party vendor and supply chain issues

This is a good one to add. As organizations get better at defending attackers will look to get in via third-party vendor or supply chain issues. Which really isn’t a new concept see: Target breach or the Trojan War. A good third-party vendor risk management program is essentially to keeping organizational data secure.

Errors Increases due to mandatory breach notifications

Errors increased to 28% this year. Internal actors increased from 20% to 35%. Organizations that don’t have to report won’t. In healthcare if a breach is under 500 records then reporting doesn’t have to occur, so there’s even more Errors not being reported. I expect more regulation will make this number continue to grow for healthcare . This will hopefully highlight and shift focus to finding solutions to the insider threat problem. Yes, there’s Data Loss Prevention (DLP) but it’s a pain in the ass to get in place.

Security Awareness is Improving

20% of people are reporting simulated phishing emails and 11% are reporting after clicking. That’s positive improvement. I also really like that the report focused on report rates and not clicking. Click rates can fluctuate depending on the difficulty of the phish and the time of year. Too much focus is put on clicking when what’s really needed is an improvement in reporting.

Reporting gives the security team an opportunity to respond to an incident sooner. I always tell people that clicking doesn’t bother me. Did they report it? It’s much easier to respond now, than several weeks later when there’s a bigger issue. Encouraging reporting, even when a click happens, also helps build a more positive security culture. We’re all human and make mistakes. I’ve fallen for my own phish before.

Generative AI Not as much of an issue as we thinK

It’s recognized that AI is helping attackers in writing phishing email and malware and being deployed in political campaigns but it’s not being used in way that is significantly contributing to breaches. This is why I love the Verizon DBIR. Despite the news headlines and play on social media AI and all the awful things it can do is not currently having a measurable impact. It’s certainly still something that needs to be discussed, understood, and controls put in place, but it may be better to focus on efforst that may make a more substantial impact such as vulnerability management and security awareness.

Distributed Denial of Service is the top action in incidents

This is where understanding the verbiage of the report is important. Incident vs breach. Breach is a loss of data. An incident is a security incident that may not involve data being stolen. Hence, DDoS isn’t about taking the data it’s about taking the service offline for an extended period of time. This shocked me a little. DDoS is still happening and it’s impacting a lot of organizations. Having mitigating controls and a plan in place to respond is important for any organization.

Jen Easterly comments on vulnerabilities and the need to shift focus

“...recurring classes of software defects to inspire the development community to improve their tools, technologies, and processes and attack software quality problems at the root.”

Quality code is secure code is something I’ve been preaching for years. If the quality is there then the security will be there. It’s in the documentation. When developers don’t follow best practices and the documentation that’s when vulnerabilities get created. The reason why security folks have a job is because people aren’t developing, coding, or configuring things right in the first place.

I like that Jen is taking a more broad view and it’s not something I’ve thought about. Instead of focusing on individual vulnerabilities or bugs we should go a level up. Every organization is different and every development team is going to have different issues with certain quality issues. We need to be looking at the class of bugs and trying to solve for the large grouping of vulnerabilities. This will help the development community identify where they can make improvements in their tools, technologies, and most importantly processes.

Social Engineering Section

BEC attacks had a median transaction of $50,000. They have a great graph that shows most organizations can get their money back by reaching out to law enforcement. I had a great conversation with Jayson E. Street recently on the Exploring Information Security podcast on social engineering and he had a great idea to send everyone involved in financial transactions a card with a code word on it. If that code word wasn’t authenticated then it’s very likely a BEC attack. I love the simplicity of the solution and I think it can make a good impact.

WEB APPLICATION ATTACKS SECTION

Credential stuff and brute force attacks are the most common against APIs. Authentication and authorization are the biggest issues for APIs, not so much injection vulnerabilities. This improves security but also means permissions should be top of mind when developing APIs. Things like MFA and rate limiting also need to be in place to help mitigate the potential of a breach. 1000 credentials are available online daily for $10. Credentials are cheap and easy to come by.

Free gaming currency lures lead malicious NPM packages was not something on my radar. This is the younger generation looking to make a fast bUck in the gaming landscape. Unfortunately, they’re downloading malware. Typo squatting was second. From the report it talked about packages checking external repositories before internal. It’s always better to try and build an internal repo system that pulls updates from the known good repositories. This is easier said than done.

Miscellaneous ERrors

This is often overlooked by organizations. Insider threat is the bigger concern in industries like healthcare where people are handling personal, health, and financial data. There’s a lot of data flying around. More than 50% was due to misdelivery which means people sent sensitive information to the wrong party and often non-malicious.

87% of users accounted for errors. System administrators go from 46% last year to 11% this year. System administrators largely accounted for internal threat issues due to misconfiguration. They’ve tightened up but it also highlights how under reported user errors were.

Data Loss Prevention (DLP) is huge to help prevent this. The problem is that DLP is a pain in the ass to implement. I hope that highlighting how big of an issue insider threat will encourage companies to try and tackle the problem in more creative ways.

Healthcare Industry

I’ve already talked a lot about healthcare above. Miscellaneous Errors regained the top spot after being second to system intrusions last year. I would expect system intrusions to continue to decline in next year’s report due to law enforcements increased involvement in taking down ransomware gangs. Privilege misues was second. This is the more malicious actions internal threat actors are taking. System intrusions were third.

Conclusion

The 2024 Verizon Data Breach Investigations Report (DBIR) is a must read. It provides critical insights into the evolving threat landscape, particularly emphasizing the increasing complexity of cybersecurity challenges across various industries. It’s a good anchor point for challenging assumptions about the biggest risk to our own organization.

As cybersecurity environments become increasingly complex, the DBIR’s insights are invaluable for professionals seeking to bolster their defenses and anticipate potential threats. The report serves not only as a tool for understanding but also as a catalyst for implementing robust security measures tailored to specific industry needs. For those in cybersecurity, especially in sectors as sensitive as healthcare, the DBIR is an essential resource that supports ongoing efforts to protect sensitive information and systems from both external and internal threats.

Exploring the security awareness newsletter - *Image created by ChatGPT*

Security Awareness Newsletter April 2024

May 6, 2024

These are the stories I’ve been tracking that are of interest to people outside of security. Feel free to take this and use it as part of your own security awareness program. The items were created with the help of ChatGPT

Confirmed: AT&T Data Breach Exposes Millions

A large data leak containing personal information of millions of AT&T customers is being investigated. While AT&T denies the breach originated from their systems, this incident highlights the importance of protecting your personal information.

Here are some steps you can take to stay safe:

Be mindful of the information you share online and over the phone.
Use strong passwords and change them regularly.
Monitor your bank statements and credit reports for suspicious activity.

AI in Elections: Beware the Deepfakes!

AI is shaking up elections! Check Point Research warns of deepfakes and voice cloning being used to mislead voters. They found evidence in 10 out of 36 recent elections. Stay informed - the future of voting might depend on it!

Heads Up, Gamers! Malware Lurks in YouTube Video Game Cracks

Phishing for free games can land you in hot water!

A recent report by Proofpoint discovered threat actors using YouTube to distribute malware disguised as popular video game cracks.

Here's the breakdown:

Compromised Accounts: Hackers are targeting both legitimate and newly created YouTube accounts.
Deceptive Content: Videos promise free software or game upgrades, but descriptions contain malicious links.
Targeting Young Gamers: The campaigns exploit younger audiences' interest in bypassing paid features.

Alert on Privacy Risks in Dating Apps: Spotlight on Hornet

Recent investigations by Check Point Research have exposed critical privacy vulnerabilities in the popular dating app Hornet, affecting its 10+ million users. Despite Hornet's attempts to safeguard user locations by randomizing displayed distances, researchers found ways to determine users' exact locations within 10 meters using trilateration techniques. This finding poses a significant privacy risk, particularly in dating apps that rely on geolocation features to connect users.

Highlights:

Hornet's geolocation vulnerabilities could allow attackers to pinpoint users' precise locations.
Even after implementing new safety measures, locations could still be determined within 50 meters.
Check Point Research advises users to be cautious about app permissions and consider disabling location services to protect their privacy.

The study illustrates the ongoing challenges and potential dangers of balancing app functionality with user privacy, urging both developers and users to remain vigilant.

Ransomware Scams Can Get Creative

Ransomware gangs are constantly looking for new ways to pressure companies into paying up. A recent article on TechCrunch describes a hilarious (but ultimately unsuccessful) attempt by a hacker to extort a company through their front desk Ransomware gang's new extortion trick? Calling the front desk.

While this specific incident might be lighthearted, it serves as a reminder that ransomware attackers are always adapting their tactics. Here's what you should be aware of:

Be cautious of any unsolicited calls or emails claiming a security breach. Don't engage with the sender and report them to the IT department immediately.
Never click on suspicious links or attachments. These could contain malware that gives attackers access to our systems.
Be mindful of what information you share over the phone. Hackers may try to sound legitimate to gather details about our company's network.
Stay informed about cybersecurity best practices. The IT department may send out phishing simulations or training materials – take advantage of these resources.

By staying vigilant and following these tips, we can all play a part in protecting our company from ransomware attacks. Remember, if you see something suspicious, report it!

FBI Alert: Increase in Social Engineering Attacks

The FBI has issued a warning about the rise in social engineering attacks targeting personal and corporate accounts. These attacks employ methods like impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing, which are designed to steal sensitive information.

Key Techniques:

Employee Impersonation: Fraudsters trick IT or helpdesk staff into providing network access.
SIM Swapping: Attackers take control of victims' phone numbers to bypass security measures like multi-factor authentication.
Call Forwarding and Simultaneous Ring: Calls are redirected to the attackers' numbers, potentially overcoming security protocols.
Phishing: Cybercriminals use fake emails from trusted entities to collect personal and financial data.

How to Protect Yourself:

Ignore unsolicited requests for personal information.
Ensure unique, strong passwords for all accounts.
Contact mobile carriers to restrict SIM changes and call forwarding.
Regularly monitor account activity for signs of unauthorized access.

If Compromised:

Immediately secure accounts by changing passwords and contacting service providers.
Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Stay vigilant and implement these protective measures to defend against these sophisticated social engineering threats.

Smishing Scam Hits the Road!

Beware of texts claiming unpaid tolls! Scammers are targeting drivers with smishing attacks. The texts claim that the recipient has unpaid tolls. Don't click links or give out info. Report scams to the FBI: https://www.ic3.gov/Home/ComplaintChoice. Stay safe!

Data Breach at Hospital: Ex-Employee Admits to Sharing Patient Records

Patients at Jordan Valley Community Health Center in Missouri are being notified of a data breach involving over 2,500 individuals. The culprit? A former employee, Chante Falcon, who admitted to accessing and sharing patient records.

Facing federal charges for wrongful disclosure of patient information, Ms. Falcon pleaded guilty and awaits sentencing. The potential penalty? Up to 10 years in prison.

Tax Time Trouble: Don't Fall Victim to Tax Scams!

It's tax season again! While you're busy gathering documents and filing your return, scammers are out in force trying to steal your money and personal information.

This year, security experts are seeing a rise in Artificial Intelligence (AI)-powered tax scams. These scams can look and feel more sophisticated than ever before, making them even trickier to spot.

Here are some red flags to watch out for:

Urgency and Threats: Scammers often try to pressure you into acting quickly by claiming you owe overdue taxes or face penalties.
Suspicious Emails and Texts: Be wary of emails or texts claiming to be from the IRS or tax software companies. Don't click on links or attachments unless you're sure they're legitimate.
Phishing for Information: Scammers may ask for your Social Security number, bank account details, or other personal information you wouldn't normally share via email or text.

Stay Safe This Tax Season:

Go Directly to the Source: If you receive a message about your taxes, contact the IRS directly using a phone number you know is correct (don't use the one provided in the message).
Don't Share Personal Information Unsolicited: The IRS will never ask for sensitive information through email or text message.

By following these tips and staying vigilant, you can protect yourself from tax scams and ensure a smooth tax season!

Tracking AI's Influence in Global Elections

Rest of World, a news organization, has launched a new initiative to monitor and document the impact of artificial intelligence (AI) on global elections. This effort comes as generative AI tools become increasingly accessible, presenting both innovative uses and potential risks in political contexts.

Scope and Objective: The project tracks AI incidents across the globe, particularly focusing on regions outside the Western hemisphere. From the general elections in Bangladesh to those in Ghana, the tracker will compile AI-generated content related to elections, encompassing both positive applications and problematic issues like misinformation.

Noteworthy Incidents:

In Belarus, a ChatGPT-powered virtual candidate is providing voter information while circumventing censorship.
AI-generated videos have enabled Pakistan’s former Prime Minister Imran Khan to address the public from imprisonment.
A spam campaign against Taiwan’s president has been linked to a Chinese Communist Party actor.
Deepfake videos falsely depicted Bangladeshi candidates withdrawing on election day.

Comprehensive ChatGPT Risk Assessment

Walter Haydock from StackAware has conducted an exhaustive risk assessment of OpenAI's ChatGPT. This summary encapsulates the critical findings and documentation from the assessment, aiming to enhance your understanding and governance of AI tools.

Key Findings from the Assessment:

Purpose and Criticality: ChatGPT serves multiple functions, from generating marketing content to converting unstructured data into structured formats. Its operational importance is significant, with potential major business impacts in case of system failure.
System Complexity and Reliability: Despite its complex nature, ChatGPT has shown reliable performance, although occasional performance and availability issues have been documented on OpenAI’s status page.
Environmental and Economic Impacts: ChatGPT's operation is energy-intensive, with considerable carbon emissions and water usage. However, it also offers potential economic benefits, potentially contributing significantly to global productivity and economic output.
Societal and Cultural Impacts: The system’s ability to automate repetitive tasks could liberate millions from mundane work but also poses risks to employment and misinformation, particularly during sensitive periods like elections.
Legal and Human Rights Considerations: The system's deployment must carefully navigate potential impacts on employment and privacy, with strict adherence to legal and human rights norms.

Deepfake Phishing Attempt Targets LastPass Employee: Audio Social Engineering on the Rise

A recent incident reported by LastPass sheds light on a concerning trend: the use of audio deepfakes in social engineering attacks.

What Happened?

A LastPass employee received a series of calls, text messages, and voicemails supposedly from the company's CEO.
The voice messages utilized deepfake technology to convincingly mimic the CEO's voice.
The attacker attempted to pressure the employee into performing actions outside of normal business communication channels and exhibiting characteristics of a social engineering attempt.

Why This Matters:

This incident marks a potential turning point in social engineering tactics. Deepfakes can bypass traditional email-based phishing attempts and create a more believable scenario for the target.
Audio deepfakes pose a significant threat because they exploit the inherent trust we place in familiar voices.

How LastPass Responded:

The targeted employee, recognizing the red flags of the situation, did not respond to the messages and reported the incident to internal security.
LastPass highlights the importance of employee awareness training in identifying and reporting social engineering attempts.

Change Healthcare Cyberattack: A Costly Reminder for Physicians

A recent cyberattack on Change Healthcare, a major healthcare IT provider, has had a significant impact on physicians across the country. According to a KnowBe4 article, a staggering 80% of physicians reported financial losses due to the attack. United Health announced the attack cost them $1.6 billion alone.

The High Cost of the Breach

The article details the financial strain placed on physician practices:

Revenue Loss: Disruptions caused by the attack made it difficult to submit claims and verify benefits, leading to lost revenue.
Increased Costs: Extra staff time and resources were required to complete revenue cycle tasks.
Personal Expenses: Some practices were forced to use personal funds to cover business expenses.

USPS Now the Most Impersonated Brand in Phishing Attacks

Phishing attacks are one of the most common cyber threats. Criminals impersonate well-known brands to trick people into giving up personal information. According to a recent report, the United States Postal Service (USPS) has surged to the top spot on the list of most impersonated brands.

Here are some tips to avoid falling victim to a USPS phishing attack:

Be wary of emails or text messages that claim to be from USPS about a delivery issue or package requiring additional fees.
Do not click on any links or attachments in suspicious emails or text messages.
If you are unsure about the legitimacy of an email or text message, contact USPS directly.
Be mindful of the sender's email address and look for typos or inconsistencies.

By following these tips, you can help protect yourself from phishing attacks.

Exploring phishing threat intelligence from April 2024 - *Image created by ChatGPT*

Phishing Threat Intelligence April 2024

April 29, 2024

These are the phishing related stories I paid attention to in April 2024. Feel free to use these and share them with your own security teams.

The NaurLegal Campaign Unveiled

BlueVoyant's Threat Fusion Cell has exposed a new cyber attack campaign, dubbed ‘NaurLegal’, led by the notorious eCrime group Narwhal Spider. This campaign ingeniously exploits the trust in legal transactions by distributing malicious PDF files posing as invoices from reputable law firms. With filenames like "Invoice_[number]from[law firm name].pdf," these documents are crafted to bypass casual scrutiny and initiate malware infections.

Key Insights:

Tactic Exploitation: NaurLegal leverages the routine nature of legal document exchanges, using this as a vector to deploy malware, including sophisticated threats like WikiLoader and potentially IcedID.
Infrastructure: The campaign operates through compromised WordPress sites for command and control (C2), a hallmark of Narwhal Spider’s modus operandi.
Evolving Threat: Unlike previous attacks primarily targeting Italian entities, NaurLegal broadens its focus, indicating a strategic shift towards exploiting a wider array of organizational vulnerabilities.

Google Ads Malware Alert for Security Professionals

In a recent discovery by AhnLab Security Intelligence Center (ASEC), a sophisticated malware distribution campaign has been identified exploiting Google Ads' tracking feature. Dubbed by ASEC, this campaign cleverly disguises malware as popular groupware installers like Notion, Slack, and Trello, leveraging Google Ads to reach a broad audience. The exploitation of the Ads platform's vast user base and complex targeting options presents a notable security concern, highlighting the innovative strategies of cybercriminals to breach defenses.

Key Campaign Insights:

Malware Distribution: Attackers create or hijack Google Ads to distribute malware through tracking URLs hidden in legitimate-looking ads, leading unsuspecting users to download harmful executables.
Targeted Malware: The campaign specifically uses malware-laden files with names mimicking reputable software installers to trick users into initiating downloads.
Sophisticated Evasion Techniques: Upon execution, the malware contacts attacker-controlled servers to fetch additional malicious payloads, utilizing compromised domains and text-sharing sites for hosting.
Payloads and Execution: The Rhadamanthys infostealer malware, fetched from these links, is then injected into legitimate Windows system files, enabling it to steal private data while avoiding detection.

Security Alert: New Loader and Agent Tesla Campaign Detected

SpiderLabs has identified a phishing campaign deploying Agent Tesla via a sophisticated new loader. Initiated via email attachments disguised as bank payment receipts, this campaign utilizes advanced obfuscation and encryption to deliver its malicious payload while evading detection.

Key Insights:

Attack Vector: Phishing emails with attachments that trigger a complex infection chain to deploy Agent Tesla.
Evasion Tactics: The loader showcases advanced evasion, including polymorphism and AMSI bypass techniques, to execute the payload stealthily.
Agent Tesla Execution: Executes entirely in memory, focusing on data theft and utilizing SMTP for data exfiltration through compromised accounts.

AI-Powered Malware Spreads Through Social Media Malvertising Campaigns

This article from Bitdefender highlights a recent surge in information-stealing malware campaigns targeting social media users.

Key Points:

Attackers Exploit Popularity of AI Software: Cybercriminals are leveraging the rising interest in AI-powered image and video generators to distribute malware.
Malicious Ads Impersonate Legitimate Software: Fake social media pages and sponsored ads mimic popular AI tools like Midjourney, Sora, and CapCut.
Ads Trick Users into Downloading Malware: Clicking on these ads leads users to download malicious software disguised as official installers.
Malware Steals Sensitive Information: The malware steals login credentials, browsing history, cookies, and even crypto wallet information.
Rilide V4, Vidar, IceRAT, and Nova Stealer Used: The report identifies various information stealers used in these campaigns, including Rilide V4, Vidar, IceRAT, and Nova Stealer.
Midjourney Most Targeted Platform: Midjourney, a popular AI image generation tool, was the most impersonated platform in this campaign.

Attention Security Teams: Malware Spreads Through YouTube Video Game Cracks

Threat actors are leveraging compromised YouTube accounts to distribute information stealers disguised as popular video game cracks. This campaign, detailed in a recent Proofpoint report, targets unsuspecting gamers, particularly younger audiences.

Compromised Accounts: Legitimate and newly created YouTube accounts are being used to upload malicious videos.
Deceptive Content: Videos advertise access to pirated software or game upgrades. Descriptions contain links that download malware upon clicking.
Targeted Audience: The campaign exploits the desire to bypass paid features, likely appealing to younger gamers.

Security Implications:

Information stealers like Vidar, StealC, and Lumma Stealer can compromise user credentials and other sensitive data.
Compromised accounts can be used to further distribute malware or host phishing attacks.
Younger audiences may be less familiar with online safety best practices, increasing susceptibility.

For further investigation: The Proofpoint report provides Indicators of Compromise (IOCs) to assist in identifying these malicious videos.

ReliaQuest’s Annual Cyber-Threat Report: 2024

According to the report:

Phishing links or attachments were involved in 71% of all initial access phases of cyber attacks
The top three MITRE ATT&CK techniques in attacks involved phishing or spear phishing
Drive-by-compromise was used in 29% of attack
QR code phishing saw a 51% increase in just one month – September – over the previous 8 months combined

Android Malware Vultur Expands Its Capabilities

A recent report by Fox-IT details the evolving capabilities of the Android malware Vultur. Key takeaways:

New Functionality: Vultur now possesses features that enable remote interaction with a device's screen through Accessibility Services.
Enhanced File Management: The malware can now download, upload, delete, install, and locate files on infected devices.
Evasion Techniques: Vultur employs app impersonation and communication encryption to evade detection.

These expanded capabilities pose a significant threat to Android users, as Vultur can now perform a wider range of malicious activities.

Agent Tesla Targets US and AU Organizations: A Newsletter for Security Professionals

A recent campaign by cyberespionage actors, nicknamed "Bignosa" and "Gods", has been targeting organizations in the United States and Australia. The attackers use phishing emails with topics related to purchasing goods and order delivery to distribute the Agent Tesla malware. Once installed, Agent Tesla can steal keystrokes and login credentials.

Key takeaways:

Malicious Mails: Phishing emails with seemingly legitimate topics are being used to lure unsuspecting victims.
Agent Tesla: This malware steals keystrokes and login credentials, posing a significant threat to compromised systems.
Stay Vigilant: Keeping software updated and exercising caution regarding unexpected emails are crucial for mitigating such attacks.

New Download Threat: Latrodectus Emerges

A new downloader malware called Latrodectus has emerged, posing a threat to system security. Two threat actors, TA577 and TA578, have been distributing Latrodectus, raising concerns about its potential reach.

This malware functions as a downloader, capable of not only information theft but also installing additional malware, potentially escalating the attack. Security experts believe Latrodectus might be linked to the creators of IcedID, another malicious software. Key takeaways:

Latrodectus's Reach: The involvement of multiple threat actors (TA577 and TA578) indicates a wider distribution network, increasing the potential for encountering this malware.
Multi-faceted Threat: Latrodectus goes beyond information theft; its ability to install additional malware poses a serious risk of system compromise.
Possible Connection to IcedID: The link to IcedID suggests a potentially sophisticated threat actor behind Latrodectus.

New Malware Delivery Techniques on the Rise

New research from Check Point reveals that cybercriminals are developing new methods to deliver malware. These techniques involve novel infection chains designed to bypass common security measures and deliver Remcos, a powerful Remote Access Trojan (RAT).

The report also highlights the evolving tactics employed by attackers to exploit vulnerabilities. While Lockbit3 remains the most prevalent ransomware, Blackbasta has worryingly climbed the ranks, entering the top three.

Key takeaways:

Cybercriminals are developing new methods to deliver malware, employing novel infection chains to bypass common security measures.
Remcos, a powerful Remote Access Trojan (RAT), is being delivered through these new techniques.
Lockbit3 remains the most prevalent ransomware, but Blackbasta has risen in prominence.
FakeUpdates is the most common malware encountered.

Tycoon 2FA: Phishing As A Service Evolving to Bypass MFA

MFA Fatigue? Tycoon 2FA Raises Concerns

A new variant of the Tycoon 2FA phishing kit is making waves for its effectiveness in bypassing multi-factor authentication (MFA). This phishing-as-a-service (PhishingaaS) tool targets Microsoft 365 credentials and utilizes a technique known as adversary-in-the-middle (AiTM) to steal session cookies, granting access even with MFA enabled.

Key Points for Security Teams:

Active Threat: First observed in August 2023, Tycoon 2FA has become a prevalent threat due to its ease of use and affordability.
MFA Bypass: The phishing kit steals Microsoft 365 session cookies, allowing attackers to bypass MFA and gain access to compromised accounts.
Stealthier Than Ever: Recent updates enhance the kit's stealth capabilities, potentially reducing detection by security products.
Widespread Impact: Sekoia has identified over 1200 domain names associated with Tycoon 2FA infrastructure since its release.

Alert: Cisco Duo's Multifactor Authentication Service Compromised

Cisco Duo has issued a warning to its customers following a breach involving a third-party telephony service provider. This incident, which unfolded on April 1, 2024, involved the unauthorized access of SMS logs due to a social engineering cyberattack.

Key Details:

Breach Dynamics: Threat actors gained access by using compromised employee credentials at a third-party provider that handles SMS and VOIP services for Cisco Duo's multifactor authentication (MFA).
Data Compromised: The breach resulted in the unauthorized download of message logs for SMS messages sent between March 1, 2024, and March 31, 2024. These logs included phone numbers, carriers, country and state data, and other metadata like the date, time, and type of messages.
No Message Content Exposed: It's important to note that the content of the messages was not exposed in the breach.

Customer Advisory: Cisco Duo has advised all impacted users to notify individuals whose information was compromised and to stay alert for potential phishing attacks leveraging the stolen data.

Tech Giants Lead Phishing Charge: Microsoft, Google Top Q1 Brand Impersonation

Phishing remains a top threat, with technology brands the most impersonated.

A recent report by Check Point Research (CPR) paints a concerning picture of the evolving phishing landscape. Their analysis of brand phishing attempts in Q1 2024 reveals a worrying trend: technology giants are the most targeted sectors.

Key Findings:

Microsoft Maintains Top Spot: Microsoft continues to be the most impersonated brand in phishing attacks, accounting for a staggering 38% of all attempts in Q1 2024.
Google Makes Gains: Google rose to the second-place position, capturing 11% of phishing attempts – a significant increase from its previous third-place ranking.
Tech Sector Dominates: Technology remains the most impersonated industry, likely due to its prevalence in corporate environments and the potential for lucrative access to company assets through stolen credentials.

Why Tech Brands?

Cybercriminals often target technology brands for several reasons:

Widespread Use: These brands are familiar and widely used, making them a believable target for phishing attempts.
Access to Sensitive Data: Gaining access to compromised accounts in these platforms can grant attackers access to sensitive corporate data or financial information.
Remote Work Reliance: The increased use of cloud-based services and remote work environments expands the potential attack surface for tech-focused phishing campaigns.

Beware of Sophisticated Phishing Attacks Targeting Help Desks!

Alert! A recent report from the Department of Health and Human Services (HHS) warns of a rise in sophisticated social engineering attacks targeting IT help desks within the healthcare sector.

Here's what you need to know:

Impersonation Tactics: Attackers are making phone calls to help desks, impersonating employees (often in financial roles) and claiming they require urgent assistance.
Credentials at Risk: These imposters are armed with convincing details about the targeted employee, including the last four digits of their Social Security number and corporate ID. This information allows them to bypass initial security checks.
Potential for Data Breaches: The ultimate goal of these attacks is to steal login credentials or trick help desk personnel into granting access to sensitive systems and data.

Malvertising Campaign Targets IT Teams with "MadMxShell" Backdoor

Threat actors are leveraging malvertising campaigns to distribute a previously unseen backdoor dubbed "MadMxShell." This campaign targets IT security and network administration teams by spoofing legitimate IP scanner software websites.

Key Details:

Attack Chain: The threat actors register typosquatted domain names resembling popular IP scanner software.
Google Ads Abuse: They then exploit Google Ads to push these malicious websites to the top of search engine results pages (SERPs) for relevant keywords used by IT professionals searching for IP scanner tools.
Delivery of Backdoor: Unsuspecting victims who visit the spoofed websites are redirected to download links that deliver the MadMxShell backdoor.

Technical Analysis:

MadMxShell Backdoor: This backdoor offers remote access capabilities, allowing attackers to gain unauthorized control over compromised systems.
Limited Information: While details about MadMxShell's functionalities are scarce, the report suggests it possesses file system manipulation and process execution abilities.

Shift in Attack Tactics: Vulnerability Exploitation on the Rise

Phishing Declines, Zero-Days Soar

A recent report by Mandiant indicates a significant shift in cyberattacker tactics. Vulnerability exploitation has overtaken phishing as the primary method for gaining initial network access. Researchers found that in 2023, vulnerabilities were exploited in 38% of intrusions, a 6% increase over 2022. Phishing attempts, while still the second most common initial infection vector, dropped from 22% to 17% over the same period.

The report also highlights a sharp rise in the exploitation of zero-day vulnerabilities, previously unknown flaws in software, by 56% year-over-year. Chinese cyber espionage groups were found to be the most active users of zero-days, while financially motivated attackers continue to leverage these vulnerabilities to steal financial data.

Key Takeaways

Patching vulnerabilities promptly is crucial to preventing initial network access by attackers.
Organizations should prioritize vulnerability management and invest in threat detection solutions capable of identifying zero-day exploits.
While phishing remains a threat, user awareness training should be supplemented with additional security measures to mitigate the evolving tactics of cybercriminals.

Ransomware on the Rise: More Groups, More Victims

Ransomware is back with a vengeance. A GRIT report shows a worrying 20% increase in victims in Q1 2024 compared to the same period last year. This coincides with a surge in active ransomware groups, jumping from 29 to 45 (a 55% increase). BlackBasta and Play are new major players, joining the persistent LockBit.

Brutality and Distribution Mark New Era

These groups are targeting critical infrastructure like hospitals, highlighting a ruthless shift in tactics. Additionally, RaaS groups are recruiting affiliates, creating a more distributed threat landscape.

Key Takeaways:

Patching and Detection are Critical: Shore up defenses by patching vulnerabilities and implementing security solutions.
Beyond Phishing: Non-phishing attacks are the new norm, so vulnerability management is key.
Backups are Essential: Regular backups ensure a swift recovery from an attack.
Stay Ahead of the Curve: Keeping informed about the evolving threat landscape allows for proactive defense.

Phishing Attacks on the Rise: AI-powered Threat Landscape

A recent report by AI-ThreatLabz highlights a significant increase in phishing attacks, with a staggering 58% rise observed in 2024 compared to the previous year. This surge is attributed to the growing adoption of Artificial Intelligence (AI) by attackers, enabling them to craft highly personalized and believable phishing campaigns.

Key Takeaways

Phishing Attacks are Soaring: Phishing remains a major threat, with a sharp increase in incidents this year.
AI-powered Attacks: Attackers are leveraging AI to create more believable and personalized phishing emails, making them harder to detect.
Zero Trust Security is Key: Traditional security approaches may not be sufficient. Zero trust security principles can help mitigate the risk of phishing attacks by continuously verifying access requests.

FBI PSA on Social Engineering techniques *- Create by ChatGPT*

FBI Warning: Rising Social Engineering Threats Targeting Personal and Corporate Accounts

April 12, 2024

This is a timely article I put together for internal distribution as part of a Security Awareness program. Feel free to grab and use as part of your Security Awareness program.

Link: https://www.ic3.gov/Media/Y2024/PSA240411

The Federal Bureau of Investigation (FBI) has issued an alert regarding an increase in social engineering attacks that cybercriminals are using to compromise personal and corporate accounts. The techniques identified include impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing—each designed to manipulate victims into divulging sensitive information.

Social Engineering Techniques:

Employee Impersonation: Cybercriminals pose as company employees to trick IT or helpdesk staff into granting them network access.
SIM Swapping: Attackers deceive mobile carriers to transfer a victim’s phone number to a device they control, potentially bypassing multi-factor authentication to access financial and other secure accounts.
Call Forwarding and Simultaneous Ring: This method involves forwarding a victim’s calls to the attacker’s number, again potentially circumventing multi-factor authentication.
Phishing: Phishing emails mimic legitimate institutions to solicit sensitive information, such as login credentials and personal identification numbers.

Protection Recommendations:

Personal Security Measures:

Avoid responding to unsolicited requests for personal information.
Set unique passwords for voicemail and mobile accounts.
Contact your mobile carrier to block unauthorized SIM changes and call forwarding.
Regularly check your account activity for any unauthorized changes.
Use complex passwords and avoid posting personal data online.

Corporate Security Measures:

Pay attention to email banners for messages coming from external sources.
Use non-email based multi-factor authentication.
Report any phishing and social engineering attempts.

Reporting and Additional Actions:

If you believe you are a victim of a social engineering attack:

Contact your service providers to secure your accounts.
Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov for further investigation.
Reach out to [INSERT SECURITY INBOX] if you suspect any of these social engineering techniques are being used at work.

This alert underscores the need for heightened vigilance and proactive measures to safeguard against sophisticated social engineering tactics that are increasingly prevalent in today’s digital landscape. We thank you for helping keep [COMPANY] secure.

AI security and healthcare - created by ChatGPT

Embracing AI with Care: A Guide for using AI in the healthcare workplace

April 10, 2024

This is an article I put together for internal communication on my companies intranet. I actually put two different articles together. Both are along the same lines just written different. I would love feedback on anything I may have missed. Otherwise feel free to use this as part of your company’s internal communication. This was most written by ChatGPT.

Introduction

In the rapidly evolving world of healthcare, Artificial Intelligence (AI) has emerged as a beacon of hope and innovation. From improving patient outcomes to optimizing operational efficiencies, AI's potential is undeniable. However, as we integrate these powerful tools into our daily operations, it's imperative to approach AI with a blend of enthusiasm and caution.

The Power of AI in Healthcare

AI's application within healthcare spans from predictive analytics in patient care to automating administrative tasks, allowing healthcare professionals to focus on what they do best—caring for patients. AI algorithms can analyze vast amounts of data to predict patient deterioration or optimize treatment plans. Additionally, AI-driven chatbots can enhance patient engagement and support, providing timely information and assistance.

Ethical Considerations and Patient Privacy

While AI can significantly improve efficiency and patient care, its implementation in healthcare comes with profound ethical implications, especially concerning patient privacy and data security. As stewards of sensitive health information, it's our collective responsibility to ensure that AI tools are used ethically and in compliance with all applicable laws and regulations, such as HIPAA.

Transparency and Consent: Patients should be informed about how AI might be used in their care, including the benefits and potential risks. Obtaining informed consent is not just a legal requirement; it's a cornerstone of trust.
Data Privacy: Always ensure that AI systems handling patient data are secure and compliant with data protection laws. Anonymization of data before AI analysis is a critical step in safeguarding patient privacy.
Bias and Fairness: AI systems are only as unbiased as the data they're trained on. It's essential to continuously monitor and evaluate AI tools for any form of bias, ensuring equitable healthcare outcomes for all patients.

Cybersecurity Implications

The integration of AI into healthcare systems increases the complexity of our cybersecurity landscape. AI can both bolster our cybersecurity defenses and represent a novel vector for cyber threats. Therefore, a proactive and informed cybersecurity approach is essential.

Adherence to Security Policies: All use of AI technology must comply with our comprehensive security policies, which are designed to protect both patient data and our IT infrastructure. This includes strict access controls, regular security audits, and adherence to best practices in AI ethics and governance.
Education and Awareness: Employees must be educated about the potential cybersecurity risks associated with AI, including social engineering attacks that leverage AI-generated content.
Handling of sensitive data: It is crucial to ensure that sensitive data is not entered into or processed by AI systems that are not under our direct control and that do not meet our strict security and privacy standards. Employees should avoid the use of unauthorized AI tools and platforms that could inadvertently expose sensitive patient information or proprietary data. This includes being aware of third-party companies that have integrated AI into their platforms.
Secure AI Development: AI systems must be developed and maintained with security in mind. Threat modeling helps to identify potential issues before they arise. Regularly updating and patching systems helps maintain the integrity and security of systems.
Vigilance and Reporting: Employees are empowered to report any suspicious activities or vulnerabilities. Early detection is key to preventing cyber incidents or data privacy issues.

Looking Ahead

As we journey forward, integrating AI into our healthcare practices, let us do so with a vigilant eye on the ethical, privacy, and security implications. By fostering a culture of responsible AI use, we not only protect our patients and their data but also contribute to the advancement of healthcare, making it more accessible, efficient, and effective for all.

Conclusion

The integration of AI in healthcare represents a frontier of endless possibilities. Yet, as we harness these technologies, we must navigate this terrain thoughtfully and responsibly, ensuring that we remain steadfast in our commitment to patient care, privacy, and security. Together, we can create a future where AI empowers us to deliver better healthcare than ever before.

Phishing Threat Intelligence March 2024

April 3, 2024

Tax Season Phishing Campaigns - Targeting New Tactics

Microsoft Threat Intelligence (MSTI) has uncovered a rise in phishing campaigns targeting taxpayers during the tax season. These campaigns leverage social engineering tactics to trick victims into revealing sensitive information or clicking on malicious links.

Targets and Techniques:

High-Risk Groups: New taxpayers, small business owners, and older adults are identified as the most vulnerable demographics.
Phishing Methods: Emails disguised as legitimate tax documents or communications from employers are common methods. The emails may contain urgency or use scare tactics to pressure recipients into clicking malicious links or opening attachments containing malware.

Iranian Threat Actor TA450 Shifts Tactics in Latest Campaign

Summary: A recent campaign by Iranian threat actor TA450 has been detected leveraging a new technique.

Previous Tactics: Historically, TA450 has targeted Israeli users via email campaigns containing malicious links directly embedded within the email body. These links typically led to file-sharing sites that, when clicked, downloaded remote access trojans (RATs).

New Development: Proofpoint researchers observed a shift in TA450's tactics. The latest campaign utilizes PDF attachments containing malicious links. The social engineering lure involves emails disguised as pay slips, likely designed to trick victims into opening the attachments.

Security Implications: This new delivery method makes TA450's emails appear more legitimate, potentially increasing the success rate of these phishing attacks. Security professionals should be aware of this evolving technique and update email security filters accordingly.

New Trojan: VCURMS Discovered by Fortinet

Fortinet researchers have uncovered a new trojan named VCURMS. This trojan leverages obfuscation techniques to bypass traditional antivirus detection and establish persistence on compromised systems.

VCURMS Capabilities:

Information Theft: VCURMS can steal sensitive information from infected devices.
Remote Access: The trojan grants remote access to attackers, enabling them to control the compromised system.

Delivery Method:

VCURMS primarily spreads through phishing campaigns. Attackers target victims with emails containing malicious attachments. Once a user opens the attachment, the trojan infects the system.

Zscaler ThreatLabz Releases New Report on AI Security Trends and Risks

A recent Zscaler report, "New AI Insights: Exploring Key AI Trends and Risks ThreatLabz 2024 AI Security Report," delves into the evolving landscape of AI security. Key takeaways for security professionals include:

Soaring Enterprise AI Adoption: The report highlights a significant increase (595%) in enterprise adoption of AI technologies. This presents both opportunities and challenges for security teams.
Balancing Benefits and Risks: While AI offers significant advantages, it also introduces new security risks. The report emphasizes the need for a well-defined security posture to mitigate these risks.
Heightened AI-Driven Threats: Zscaler ThreatLabz observed an 18.5% rise in blocked AI traffic, indicating a rise in malicious actors leveraging AI.
Security Best Practices: The report outlines essential security practices for securing AI deployments. These include data loss prevention (DLP) controls and granular access controls to safeguard sensitive data and prevent unauthorized access.

Exploring the newsletter below - Image created with the help of ChatGPT

Security Awareness Newsletter March 2024

April 1, 2024

This is a security newsletter I’ve put together as part of our security awareness program. This leans more towards healthcare and news items that are more general in nature. I’ll have a more technical focused newsletter later this week that’s targeted at security teams. Feel free to take this newsletter and use it internally as part of your security awareness program.

The Great Zoom-Skype-Google Masquerade: Beware of digital doppelgängers. Fake Zoom, Skype, and Google Meet sites are the latest traps set by cyber tricksters. These spoofed meetings can trick users into downloading harmful software that compromises their computer. Ensure you’re clicking on the real deal to keep those malware masqueraders at bay. Beware of QR codes that will try to steal credentials as part of this type of attack.

Beware of fake websites mimicking popular brands!: Typosquatting attacks are surging, and cybercriminals are exploiting user mistakes to steal login credentials and spread malware. Typosquatting is where an attacker registers a similar domain to one a person is familiar with. This increases the chance a malicious link will be clicked.

Small Businesses Hit Hard by Cybercrime: Some social engineering techniques highlighted in the article include: malicious ads; attackers starting a conversation before trying to get the person to take an action; and the move to PDF attachments. These types of attacks help launch ransomware against small businesses.

Beware of AI-Driven Voice Cloning in Vishing Scams: The Better Business Bureau (BBB) has issued a warning about the rise of voice phishing (vishing) scams utilizing AI-driven voice cloning technology. Scammers can now mimic voices convincingly with just a small audio sample, leading to fraudulent requests for money transfers or sensitive information. Tips to Stay Safe:

Pause Before Acting: Resist the urge to act immediately on unexpected requests, even if they seem to come from a familiar voice.
Verify Directly: Contact the supposed caller using a known, saved number—not the one provided in the suspicious call.
Question the Caller: Ask specific questions that an impostor would struggle to answer correctly.
Secure Your Accounts: Implement multi-factor authentication and verify any changes in information or payment requests.

Update on Change Healthcare Cyberattack Recovery: Change Healthcare is on track to bring its systems back online by mid-March following a cyberattack that has caused widespread disruption since February 21. The cyberattack has significantly affected healthcare operations nationwide, with providers facing difficulties in payment processing, insurance verification, and clinical data exchange. This highlights why security awareness is so important. Identifying and reporting security threats to the organization is the responsibility of everyone.

Beware of Tax Season Scams Targeting SMBs and Self-Employed Individuals: As tax season unfolds, a new scam has surfaced targeting small business owners and self-employed individuals. Scammers are using emails to lure victims to a fraudulent site, claiming to offer IRS EIN/Federal tax ID number applications. However, this service is free through the IRS, and the scam site is designed to steal personal information, including social security numbers, creating a significant risk for identity theft and fraud. A Microsoft report identifies green card holders, small business owners, new taxpayers under 25, and older taxpayers over 60 as prime targets for these scams. Check Point has some example phishes in their tax scam article.

Apple Users Beware: "MFA Bombing" Phishing Attacks on the Rise: Leveraging Apple's password reset system attackers can bombard users with password reset prompts. If a person clicks "allow" on one of the prompts, the attackers can gain access to the user's account. The attackers may also call the person pretending to be Apple support. Some ways to protect yourself from this attack include not clicking on any of the prompts and contacting Apple directly if you receive a suspicious call.

The Art of Secure Passwords: Safeguarding Your Digital Life

March 27, 2024

This is a blog post I plan to submit to my companies intranet site as part of security awareness program. I wanted to post this here in case others would like to use it for their own internal programs. This was largely generated with ChatGPT. I have gone through and made my own edits and adjustments.

In today’s interconnected world, passwords are the gatekeepers to our digital existence. Whether it’s accessing your email, online banking, or social media accounts, a strong password is your first line of defense against cyber threats. In this blog post, we’ll explore essential practices for creating and managing secure passwords.

The Key to Your Account: Guard Your Passwords

Your passwords are like the keys to your virtual kingdom. Treat them with utmost care and never share them with anyone. Remember, a password shared is a vulnerability exposed. Whether it’s your Netflix account or your corporate email, keep those keys close and confidential.

Password managers are great for both storing and creating passwords. Password managers generate and store complex, unique passwords for each of your accounts. Instead of remembering dozens (or even hundreds) of passwords, you only need to remember one master password. Password managers can auto-fill your login information on websites and apps, streamlining the login process. Below are some recommended password managers for personal use:

LastPass

Features: LastPass offers a user-friendly interface, secure password storage, and strong password generation. It's accessible across various devices and browsers, making it convenient for users who need to manage their passwords on the go. LastPass also features secure sharing options, allowing users to safely share login information with trusted individuals.

1Password

Features: 1Password is known for its strong security measures, including a unique security key for encryption, making it nearly impossible for unauthorized users to access your vault. It also offers a Travel Mode, which temporarily removes sensitive data from your devices when crossing borders. 1Password's user interface is clean and intuitive, with excellent organization features for managing passwords and documents.

Dashlane

Features: Dashlane provides a robust set of features, including password management, a secure digital wallet, and a VPN for safe browsing. Its password changer feature can automatically update passwords on various sites, enhancing security with minimal user effort. Dashlane is suitable for individuals and businesses looking for a comprehensive security solution.

Bitwarden

Features: Bitwarden stands out for being open-source, offering transparency in its security practices. It provides a secure vault for passwords and sensitive information, with options for self-hosting for users who prefer complete control over their data storage. Bitwarden's free version is feature-rich, making it an excellent choice for budget-conscious users seeking reliable security.

Keeper

Features: Keeper is noted for its high-level security features, including biometric logins and a secure messaging vault. It offers flexible storage options for passwords, files, and private client data, making it a suitable option for both personal and professional use. Keeper also includes breach monitoring to alert users of potential security threats.

Browsers

Browsers can be a good place to store passwords for users seeking convenience and simplicity, offering several features that facilitate better password practices. However, for those who require more robust security features, flexibility, and functionality, a dedicated password manager might be a more suitable option. As with any security tool, the best choice depends on your specific needs, habits, and the level of risk you're comfortable with.

Crafting Strong and Memorable Passwords

Creating strong and memorable passwords is essential, especially for securing critical accounts like those for work, email, and finances. Here's how to craft passwords that are both robust and easy to remember:

Ensure Uniqueness for Each Account

Distinguish your work and personal passwords to safeguard against potential breaches. Each account should have a unique password to prevent a security issue in one from affecting others. Websites like Have I Been Pwned offer valuable insights by letting you check if your email has been involved in any breaches, underscoring the importance of uniqueness.

My personal email shows up in the LinkedIn breach

Opt for Passphrases with Special Characters

Early in my career, I learned the effectiveness of using multi-word passphrases with special characters interspersed. This strategy not only makes passwords more difficult for attackers to guess or crack but also helps in keeping them memorable. Despite witnessing 22-character passwords being compromised, it's clear that security isn't solely about length. Crafting your password—a mix of length, complexity, and unpredictability—is key.

Avoid common or popular phrases. Instead, draw inspiration from less obvious sources, like obscure quotes or unique phrases from your favorite media. This approach significantly lowers the risk of your password being easily cracked while ensuring it remains memorable to you.

By focusing on creating unique, complex passphrases that are personal and meaningful, you can significantly enhance the security of your online accounts while maintaining ease of recall.

Conclusion

By adopting recommended practices—treating passwords as keys to our digital domains, leveraging password managers for enhanced security, and crafting strong, memorable passwords—we fortify our digital presence against unauthorized access.

Password managers like LastPass, 1Password, Dashlane, Bitwarden, and Keeper offer robust protection. For added simplicity, browser-stored passwords can also serve as a basic defense. Utilizing unique passphrases enriched with special characters further strengthens our security posture, as echoed by services like Have I Been Pwned, which emphasize the importance of password uniqueness.

In conclusion, secure password practices are not just about technical security; they're about empowering ourselves to navigate the digital space confidently and securely. Let's prioritize our digital safety by embracing these practices, ensuring our online presence is shielded from potential threats.

Demystifying the Dark Web: Challenging the Myth of a Hidden Internet

March 22, 2024

I’m still adjusting to my new role as Sr Specialist of Security Awareness and Training at Acadia Healthcare, so things have gotten behind on this site. Behind the scenes I’m still recording and editing episodes and I’ve got some really good ones coming up. I still want to post content on this site and try to get one blog post out a week. I have some ideas to do that with the time allotted and one of those ideas is AI. This article was entirely written by AI.

I would love feedback in the comments below if you liked or didn’t like and if you feel there are any corrections that need to be made. I have read over it and thought it did a pretty good job but my experience is limited on the “Dark Web.”

The dark web is often portrayed as a shadowy underworld of the internet, a place where anonymity reigns supreme and illicit activities thrive. This portrayal has been popularized by media and folklore, painting a picture of a digital "no-man's-land" inaccessible to the average user and law enforcement alike. However, upon closer examination, the assertion that the "dark web doesn't exist" can be a provocative way to challenge misconceptions and misunderstandings about what the dark web truly is and what it represents.

Understanding the Internet's Layers

To debunk the myth, it's essential to understand the internet's structure, which is more nuanced than a binary division between the "surface web" and the "dark web." The internet is better described in layers, with the surface web comprising websites indexed by search engines. Beneath this lies the deep web, which contains unindexed content like private databases, academic journals, and secure personal accounts. The dark web is a small portion of the deep web, accessible only through specific, anonymizing networks like Tor.

The Dark Web: A Concept, Not a Place

One critical argument against the dark web's mythical status is the recognition of it as a concept rather than a physical or digital "place." The dark web refers to the use of anonymized networks to access content and services that are either intentionally hidden from the surface web or require specific software to access for privacy and security reasons. It is not a separate internet but part of the broader, intricate ecosystem that constitutes the web.

The Role of Anonymity and Privacy

The dark web's existence is often justified by its role in protecting anonymity and privacy. Activists, whistleblowers, and those under oppressive regimes use it to communicate safely. This aspect challenges the notion that the dark web is solely a haven for illegal activities. It serves a crucial function in facilitating secure communication, underscoring that its existence is not inherently malevolent but rather a tool that can be used for good or ill.

Misconceptions and Exaggerations

The sensationalization of the dark web contributes to its mythical status. Stories of nefarious activities and marketplaces often overshadow the less dramatic, yet equally important, uses of the dark web for privacy and security. By challenging the existence of the dark web as a singular, monolithic entity, we can shed light on the realities of digital anonymity and its implications for society.

Conclusion

The assertion that "the dark web doesn't exist" serves as a starting point for a more nuanced discussion about the internet's complexities and the importance of privacy and anonymity online. It invites us to reconsider our preconceptions and understand the dark web not as a hidden den of iniquity but as a component of the internet that reflects the diverse needs and ethical considerations of its users. In demystifying the dark web, we confront not just the technical realities of the internet, but also the broader questions of rights, freedoms, and responsibilities in the digital age.

Exploring the job market with my handy briefcase

Exploring the cybersecurity job market from late 2023 to early 2024

March 13, 2024

A job search is work

Below you will find several log entries from me as I recently went through a job search. I wanted to do this to highlight how things have changed and show that even for someone who has several years of experience it’s tough. I started my search around the end of November and had it end in early March. The holiday’s certainly slowed things down but it still took a good three solid months. Getting hired at the end of a year is a rare thing because companies aren’t looking to add more to their books. Their focus is to close out the books and look as good as possible from a financial standpoint.

A lot more job posting went up at the beginning of the year and things seemed to pick up from a reach out and interviewing perspective. The job I eventually accepted had their posting up in early December but didn’t start talking to me until the beginning of the year.

I cater my resume to the role and despite all that I still got A LOT of rejection letters. In fact I just got another one yesterday. Prepare for baseball type of stats where it’s normal to bat .300 instead of .800. I did notice that it’s less likely a company will talk to you if their not in their city. Through my network I heard this quite a bit despite my willingness to relocate to certain parts of the country. Talking to some recruiters it was certainly a weird market with a lot of companies wanting to be back in office and with the layoffs last year it was harder to stand out.

Another factor is my background. I have a broad background and have successfully implemented programs in multiple disciplines. I have confidence I can adapt my skillset to any role. I’ve done it in just about every job I’ve had. Unfortunately, a lot of hiring managers are looking for a specific skillset and only that skillset. Recruiters are another layer where they often are just looking for keywords in a resume. I also found that AI was starting to play a part. I had a screening call that utilized AI. I tried to better understand how that worked on the backend but couldn’t find a lot of materials. I’d like to see how AI is impacting candidates both positively or negatively.

Last year I took some time to reflect on what I really wanted to do and where my background and skillset could really be useful. I found that security awareness was something I’ve done at all my previous jobs and that there were companies hiring and paying well enough for the role. That’s where I focused my job search and that’s where I’ve ended up. I’m excited for what’s ahead. Below is my journey to that role.

Log

Entry 1: Willo and one-way video interviewing. This was an interesting experience because I was given a set of questions and asked to record my responses. I’ve never done this before and found it interesting. I had three minutes to record. I could save and continue or re-record. There was only one question I needed to re-record multiple times either because I ran out of time or screwed up. I thought it was a great way to do a screening. I also loved that the screening involved behavioral questions. Which I’m a big proponent of using.

Entry 2 (five days later): To this point I’ve applied to 16 roles: I’ve got one early stage interview setup; I’ve had one one-way video screening; and two, “we think you’re a great candidate but we don’t want to talk to you.” The last one I know one of them was due to pay because they reposted and took out the top part of the salary range and the other probably my resume. The one early stage interview I have is due to knowing someone at the company who put me in for a role. Which is why I always recommend networking to find a job.

I haven’t had to do a job search where I submitted blindly to companies for over 10 years. This is an experiment for me. Is my resume just not up to snuff anymore or is there some other factor. A couple factors I’m keeping in mind is that it’s the end of the year which means deadlines and goals. People outside of government work are usually pretty busy trying to wrap up the year and so hiring takes a back seat. Financially, people aren’t looking to add budget to their team at the end of the year.

It’s also been a tougher job market with the economy being down. I’ve talked to recruiters and they say it’s been a slow weird end of the year. There’s more competition for me in the job market so I’ll get less looks or get looked over. I’m also being more picky about the opportunities I apply for because I feel like I know what I want to do. My experience can be an issue because it’s a little all over the place. The closest I came to niching was application security but two years into that role I was promoted to manager over security engineers, pentesters, and application security.

Which brings me back to my resume. When I redid it over 10 years ago it was due to not getting call backs. It ended up taking 15 months to find a new job. Redoing it to the current format increased my interview opportunities by 50%. My resume format may be dated. My theory is that my resume may work for hiring managers but not for recruiters or talent acquisition people because they’re not in the field. They’re looking for those specific words and probably something more eye appealing. I’ve already started experimenting with different formats and I’ll provide the results here when it’s completed.

Entry 3 (Star Date -299052.05): The rejection emails have come in. I got two this morning and I expect more if I haven’t been reached out to by a recruiter. This means my resume is a problem and I need to work on that. I watched this talk from BSides San Francisco 2023 by Zach Strong on Hacking the Hiring Process. I think I need to simplify my resume and get it back down to under two pages. My master resume is currently at five pages. When I customize it to the job role it get’s down to four pages but I think I still need to cut that in half. Next role that I’m interested in, I’ll have to be brutal with my cuts. The last few I have added a new section called, “Applicable Qualifications” or “Applicable Experience” to try and highlight what makes me a potential candidate. We’ll see if that helps.

Ultimately, networking is still the best way to get in front of the hiring manager. I’ve gotten in front of one. Had the interview and then haven’t heard from them in about a week. This is unfortunately typical and disappointing. I’ve had enough of these that the behavior doesn’t bother me as much anymore. I’ve probably eliminated myself but it’d still be nice to be told that and given any feedback on what I’m lacking.

Entry 4 (some time later): More rejection letters have come in. I’ve gotten my resume down to two pages. I’m not sure the format is great but I like it and I’d like an organization that would want that kind of format. That’s me being naïve though and I’ll end up changing it. I want to make small tweaks just to see if I start getting more screening calls.

I did recently talk to someone else doing a job search and they said it was tough. They had read an article or something on reddit where someone had applied to 500 jobs. Got 20 call backs and two offers. I think it highlights the current state of the job market. It’s tough but I feel like I’m starting to see more posts go up and as people start ramping up for 2024.

To be continued…

Entry 5 (later): I got the rejection email from the place that had me do a one-way interview. I noticed it mentioned AI in the email and now I’m curious what that actually means for the hiring process.

Ignyte AI is the tool that was used for the screening. Looking it up there’s not a lot of information on it other than marketing material. Definitely something to explore in the future. Here are some links I found on it.

https://www.ignyteai.com/

https://huntscanlon.com/recruiting-platform-ignyte-ai-launches/

Entry 6 (Happy New Year!): I got a screening call setup for a position I applied for a few weeks ago. Hiring slows down during the holiday pretty significantly. Either the talent acquisition people are out or the hiring people are out or both. I’m hoping thinks pickup thought I expect I’ll continue to get rejection letters.

Entry 7 (busy): I’ve been focusing on getting podcast and blog posts produced and published so this has gone by the wayside a little bit. Screening call and interview with the hiring manager went well. I am setup for another interview with a panel of people and then a decision will be made. I have gotten more rejection letters, but I also recorded and published a really interesting podcast with Erin Barry from Code Red Partners.

I learned a couple things from the conversation. As I suspected it’s a weird time to be looking for a job. Networking is still king but there’s also some really crappy things that organizations do. They’ll put up a posting just to see what the market. There’s also people just looking for keyword searches and not getting anywhere near your resume. One of the key points she made was not getting down on yourself as part of the process. There’s a lot of factors that go into an opening that we just don’t see.

As part of another recording session I had, the guest pointed out to me that my LinkedIn page needed some work. I followed their recommendation around adding a banner and cleaning some other stuff up. Today I got a call from a recruiter for a director cybersecurity position in my area. Not sure it’s a great fit but the resume is off and we’ll see if we ever hear anything back.

Entry 8 (end of January): I just had a final interview for the one position that has progressed significantly. I’m still in for another position that I started the conversation in early December but it’s been very quiet. Talking with the hiring manager it sounds like a lot of internal politics and a question about remote work. The position is unfortunately up north and a region that is off limits for my family. I am still looking at job postings and applying to the ones I find interesting. I have also reached out to a recruiter about one position but haven’t heard back from them.

I like the idea of reaching out to recruiters and feel I should have done it before but I imagine some of them may not get back to me because they’re busy. I have seen encouraging signs though for the market with recruiters seeing there’s more jobs being posted. There are also more people getting back into the job market hunt so I would expect it’s still a competitive market. The place of my final interview is local. I have an advantage there because the discussion around relocation won’t be necessary.

Entry 9 (beginning of February): Shortly after my final interview for one position, I had another one start with a screening. That has progressed to another panel interview that I’m still waiting to hear back on. I still have not heard anything from the one I had a final interview on. I’m okay with that because I’m still in process on a couple other things and I continue to find security awareness positions being posted. It seems to be a position that a lot more companies are looking at and that hopefully means I can land in one. I haven’t really talked about it here but security awareness is where I want to head with my career. several years ago it was an addon to GRC or other roles. I did it as a passionate project but that were was never the thought of it being a full time gig. I’m happy to see this because I have the experience, knowledge, and desire to be successful in this discipline. It’s now just a matter of convincing someone else I’m right for the job.

I will say the waiting is a bit frustration. Even if things are being lined up a yes or not would be fine with me because it allows me to adjust and something I’ll talk about more in a future blog post. I did have some progression on the first position where I’ve had some conversations. That’s actually shifted to a discussion on being a contractor and would significantly help me with continuing down the self-employed path.

One other item I want to talk about is using AI to prepare for an interview. I took the job description and information I got from the recruiter and had ChatGPT create me some interview questions. I then wrote the questions on one side of a notecard and my answers on the other. Then I practiced the question and answering the question out loud. This is something I’ve always done for interviews but AI helped me create the questions a lot easier and made them applicable to the questions I get accessed. I had a technical assessment on the panel interview. I suck at technical questions in interviews. I always overthink them. I didn’t do great but the idea that came from that experience was to use AI practice for the technical assessment in an interview.

Entry 10 (later that week): Got a call this morning for one job and my salary requirements. Also got an email about not moving forward in another interview process because of the competitive talent pool. I’ll address both below.

Salary requirements are always an interesting thing for me. I am not a person that is motivated by money. I’ve reached all my financial goals and so the range I’m in now. I’ve been told I can go make 200k easily and have several peers that do. I don’t need that much money. The problem with telling people that though is that I get the sense they feel bad and then don’t give me the work I need to stay busy. So I’m in this weird balancing act of taking less money or making my requirements higher. I’m always willing to negotiate lower if it’s a position I’m interested in. I’m also very likely overthinking it.

It’s tough getting a notice that I won’t be moving on in a process or another candidate was selected. I got no feedback other than it was a competitive pool of candidates which I have no doubt there are. I was told salary was not a factor in the decision. This is the part where I need to remind myself that I may have interviewed well but the decision could have been any number of factors out of my control. Someone may have been referred. There may have been an internal candidate preferred. The process may have not been set up to allow me to shine properly. It could have been any number of things. I would have still liked to get more feedback because I want to improve but I’ve said the same thing to other candidates. I had multiple people and liked both and one just edged out the other for whatever reason. The one thing I knew I could have been better on was the technical assessment. I have played around with AI a bit and I think it would be very useful for practice for a technical assessment. I will have a future blog post on the topic.

Entry 11 (last one): I did get a job offer the next week and I’ve started the onboarding process, which is why I haven’t updated this post until now. I start next Monday and this post will be up shortly after I start. The onboarding process has been good. I think a lot of organizations have embraced automations and using platforms to onboard people. This is a good thing and it seems like I’m getting a lot of the stuff I need lined up ahead of time. I’ve also got my first day orientation schedule which is nice to have and know ahead of time.

I’m excited for this opportunity. I’ll be focusing on security awareness for my career which is a role that wasn’t around a few years ago. Organizations seem to be taking security awareness a lot more seriously instead of it being just a checkbox. I’ve been doing security awareness at organizations as a passion project for years, so it’s nice to have a role where I can just focus on that. I’ll be writing more about it more in other blog posts and probably talking about it on the podcast. While I have a full-time job now, I do plan to continue to producing content on this site.

Exploring Information Security - Change Log - March 1 -7 , 2024

March 8, 2024

This is a log of changes to the site over the last week.

Podcast posts:

Navigating the Currents of Open Source Intelligence: Insights From the Field - Micah Hoffman and Griffin Glynn join me to discuss OSINT.

ShowMeCon: Bypassing MFA with Shameer Amir - A ShowMeCon sponsored episode on bypassing MFA

Blog posts:
Charting a New Course Into Security Awareness at Acadia Healthcare - Thoughts on my new role

Other:

The podcast is now available on Spotify

Exploring Information Security Now Available on Spotify

March 8, 2024

Exploring Information Security is now on Spotify.

If you have other preferred platforms you listen to podcasts on let me know and I’ll submit the RSS feed there.

Security explorer heading into the security awareness field - Created by ChatGPT

Charting a New Course in Security Awareness at Acadia Healthcare

March 6, 2024

I have started a position as a Senior Specialist, Security Awareness and Training at Acadia Healthcare. I’m excited for this opportunity because it’s a role that’s only more recently started to get some traction. I’ve been doing security awareness activities at previous organizations as a part-time thing. I’m excited to get the opportunity to really focus on security awareness training. It’s something that has been seen as a checkbox for a lot of organizations. I think it can be more than that. I think it can help build a security culture and foster a security mindset at an organization which result in a more secure organization.

I’ve been in a bit of a career transition the last 2-3 years. I’m not looking to get super technical. I’ve been in management and would probably be okay going back but I don’t play the political game as well as other. Reflecting over these last few years, I discovered that I enjoyed educating others. It’s actually something I wanted to do since high school but the only path I saw then was a high school teacher and I wasn’t really interested in leaving high school only to return shortly thereafter.

In the Navy I got the opportunity to go through instructor training and do some training while being an electronics technician. That led to me getting into the information technology field and eventually into security. At previous roles I’ve always either created content for distribution or presented internally. This past fall, I started looking for security awareness roles and found that several organizations were hiring for security awareness roles. This fit well with my desire to educate and where I was at in my career. I have a generalist background so I can speak to a variety of different fields within security.

I want to make security awareness interesting and impactful for an organization. Not just a checkbox. In my view I am here to foster and improve the security culture at the organization. To do that I’ll have to be creative and identify what engages people to think more about security. I’m excited for this challenge. I see people as the most complex systems in an organization.

I am going to continue to run Exploring Information Security (EIS) with a focus on security awareness. I believe this new role and EIS will compliment each other well. Next week I am planning to post my job search log. As part of the job search I decided to put in entries documenting my progress and thoughts during the hiring process. I wanted to show others that the hiring process is stressful, even for someone with 22+ years of IT experience. It’s also changed significantly since I first got in the job market and I wanted to highlight some of those changes as well.

Exploring Information Security - Change Log - February 22-29, 2024

March 1, 2024

This is a log of changes to the site over the last week.

New pages:

Zero Trust - Deep Dive - Getting deeper into Zero Trust

Podcast posts:

What cybersecurity tools every organization should have - Hacker Historian Mubix joins me to discuss useful tools for security

Blog posts:
Impressions from the 2024 Palmetto Cybersecurity Summit - Thoughts from last weeks conference

7 Tips and Best Practices for Threat Modeling - Some of the tips and best practices I do to make threat modeling efficient and effective

Leveraging AI to Prepare for an Interview - My experience and some ideas around using AI to prepare for an interview

Leveraging AI to Ace Your Next Job Interview

February 29, 2024

In today's rapidly evolving job market, Artificial Intelligence (AI) has become more than just a buzzword—it's a tool that can provide a competitive edge in various aspects of life, including job hunting and interview preparation. As interviews become increasingly sophisticated, candidates are seeking innovative ways to prepare and stand out. I’ve recently gone through a few different interview processes and as part of that I leveraged AI to help do research and prepare for my interviews. Here's how AI can be your ally in acing your next job interview.

Understand the Role and Company

Before you even start preparing for the questions, it's crucial to have a deep understanding of the role you're applying for and the company behind it. AI-powered tools can analyze job descriptions, company websites, and news articles to provide a comprehensive overview of what the company values in its employees and what skills and experiences are critical for the role. This information can help tailor your interview responses to align with the company's culture and needs.

Personalized Practice Sessions

AI-driven interview preparation tools can simulate realistic interview scenarios tailored to the job you're applying for. These platforms use natural language processing to evaluate your answers, providing feedback on content, tone, clarity, and even body language in video-based practice sessions. This personalized feedback can help identify strengths to highlight and weaknesses to improve upon, making your preparation more focused and efficient.

I’ve taken the job description and my resume and put them into ChatGPT to help identify how my experience aligns with the role. I’ve also taken the job description and any other information about the interview I’ve been provided and asked ChatGPT to create practice questions. I then take those questions and practice saying out loud my responses. I found the interview questions to be pretty close to the real questions I got asked. The questions allowed me to think through how I would answer questions and lean on past experiences. While not an exact match it did afford me an opportunity to think through my experiences and apply those to similar questions.

If there is a technical aspect to the interview AI can be used to prepare by getting quizzed on technical questions. Unfortunately, I didn’t think of this use case until after I had already gone through an interview that had technical questions in it. I struggled through those questions and did not move one. Had I prepared using AI I would have been better prepared to answer those questions and a better shot at moving on.

Enhancing Your Answers

AI doesn't just stop at practice; it can also help refine your answers. Tools like GPT (Generative Pre-trained Transformer) can suggest ways to structure your responses more effectively or creatively. Input your basic answer, and AI can enhance it, ensuring you communicate your thoughts coherently and compellingly. However, it's essential to keep your answers authentic to your experiences and voice; use AI as a tool for improvement, not a crutch. It’s also very important to say the responses out loud to understand how the responses will come off. Sometimes what’s in our head doesn’t sound as good when it’s said out loud.

Final Thoughts

As AI continues to transform the job market, its role in interview preparation is undeniable. By offering personalized feedback, and enhancing response, AI can be a valuable asset in your job search toolkit. However, it's important to remember that AI is a supplement, not a substitute, for genuine preparation. The goal is to use AI to enhance your authentic self, showcasing your skills, experiences, and personality in the best possible light.

Embrace AI as part of your interview preparation strategy, but keep the focus on your unique contributions and how you can add value to the company. With the right preparation and mindset, you can use AI not just to prepare for interviews but to excel in them.

This blog post created with the help of ChatGPT

7 Tips and Best Practices for Threat Modeling

February 28, 2024

In the ever-evolving landscape of cybersecurity, threat modeling emerges as a crucial practice that helps organizations identify, assess, and mitigate potential security threats. It's a proactive approach that focuses on understanding the assets that need protection, identifying what threats those assets might face, and defining measures to mitigate those threats. Here are some essential tips and best practices for effective threat modeling:

1. Start Early and Integrate Continuously

Begin threat modeling at the earliest stages of system design and continue to integrate it throughout the development lifecycle. Early integration helps in identifying potential security issues when they are easier and less costly to resolve. Studies has shown the fixing issues later in development or IT project are more costly.

A chart showing the cost of fixing a bug throughout the development lifecycle

2. Involve a Cross-Functional Team

Threat modeling should not be the sole responsibility of the security team. It requires a collaborative effort involving developers, operations, architects, and business stakeholders. Each group brings a unique perspective that contributes to a comprehensive understanding of the system and its potential vulnerabilities.

There are other benefits to threat modeling outside of security. It get’s everyone involved in the project on the same page. Often development and infrastructure teams can be at odds about what needs to be done to complete the project. Threat modeling is an opportunity to bring everyone together to better understand and clarify what needs to get done.

3. Watch for scope creep

Identify what is being discussed at the start of the session. This will help setup boundaries for the discussion. People will want to dive into are other topics adjacent to the project. While they may need to be discussed at some point now is the time to discuss what was defined in the scope. I often will tell people let’s setup another session or move the discussion to later in the meeting if there’s time. This will help the meeting run more smoothly and ensure the topic of discussion get’s threat modeled.

4. Keep the Attacker's Perspective Simple

Thinking like an attacker can provide invaluable insights into potential vulnerabilities and attack vectors. Understand the capabilities, motives, and methods of potential attackers to better anticipate and counteract their actions. Not everyone has an attacker mindset. Most people in an organization are builders. We as attackers are looking to tear things down and break them.

This can take some getting used to for people. It may take multiple sessions before they start getting into the attacker mindset. It’s a lot like exercise. It takes time to build up those security muscles but once it happens it will make the meeting run a lot more smoother. I often start with simple attacks such as offering someone a million dollars for their access.

5. Use silence

As I’m drawing out a diagram, I will often be thinking of attacks. This isn’t necessarily the case with people outside of security. Especially, if threat modeling is new to them. If I provide all the attack scenarios it won’t help the others in the room foster that security mindset. Use silence to get people engaged in the discussion.

Most people are uncomfortable in a group setting with silence. The facilitator of the session will need to get comfortable with silence. After a period of time someone will speak up with an idea. Don’t shoot down all ideas. Write them down like you would a brainstorming session. This will help encourage more people to speak up with their ideas.

6. threat modeling discussions are chaos

If it feels like chaos you’re likely doing it right. As you go through the session you may feel like you’re taking a step back and adding things to the diagram or the security profile. That’s okay. Keep your eraser tool handy because you may need to adjust different things on the diagram. I’ve been in sessions that I thought were going to take 20 minutes and they ended up taking three hours.

7. Meeting notes and action notes

Identify someone to help take notes. This will with more thoroughly document the meeting. Governance Risk and Compliance (GRC) folks are great at this. After the meeting ask for the notes to compare with your own. Virtual meetings can be recorded for later viewing and ensuring notes are complete.

After the meeting send the meeting notes, a picture or screenshot of the diagram, and action items. This will help document the meeting and allow anyone to make corrections on the notes. Action items are important for any follow up items that need to be addressed. Make sure to identify a person to follow up with and not a group. Also, it doesn’t hurt to document these in a central repository that everyone can access.

Conclusion

Threat modeling is an essential practice in the toolkit of cybersecurity professionals. Threat modeling sessions can often feel like chaos and that’s okay. Make sure to start early and integrate into development and IT projects. Involve anyone that has work to be done as part of the process. Watch for scope creep and offer to set up another time to discuss. Use silence and keep the attacks simple to get people engaged in the conversation. Finally, remember to document each discussion, assign action items, and give people the opportunity to make corrections on the topic discussed.

Threat modeling is one of the low cost and most effective tools in your organization. These tips and best practices will ensure that threat modeling being performed at an organization will be efficient and effective. Leave a comment below if you have any tips or best practices for threat modeling.

The five stages of cybersecurity grief from Mathieu Gorge at the 2024 Palmetto Cybersecurity Summit

Impressions from the 2024 Palmetto Cybersecurity Summit

February 26, 2024

Last week I had the pleasure of attending the 2024 Palmetto Cybersecurity Summit in Columbia, SC. It was a great conference with a good venue and really great speakers. The keynote speakers brought a really great insight and of course the hot topics was artificial intelligence (AI). I’m hoping to attend again next year!

Prior to the conference I presented at ColaSec which is a local cybersecurity user group that I helped start about 10 years ago. I gave my threat modeling talk that I presented at the conference the next day. I like using ColaSec as a first run for my talks because I get a lot of really great feedback to refine the talk. You can watch the talk on ColaSec’s YouTube page. I adjusted the acronyms section and made some other minor adjustments to make the talk flow better. That helped for the conference the next day because I realized I had 10 less minutes for my presentation due to a reading error.

What I’m really excited about for this years conference is doing a demo of a live threat modeling session. I have about 20-25 mins of content and then we get into the demo. I like it because I want people to get a feel for how a threat modeling session should flow. I am planning to switch up the demo for each talk so that each version is a little different.

One of the things I rate conferences on is the drinks and food. I’m happy to report that the conference got an A in both regards. They had tea which is great because I’m not a coffee drinkers and the food was pretty good. Sometimes you go to a conference and the food is just meh or in a box. This was not the case for this conference. The other thing to call out is the chairs. Big comfy adjustable chairs. You could spend all day in those chairs.

The keynotes were really great. Mathieu Gorge talked about cybersecurity from a broader global level and the 5 Pillars of Security Framework. The picture above is the five stages of cybersecurity grief. William MacMillian was the former Chief Security Information Officer (CISO) at the Central Intelligence Agency (CIA) and he talked about his experience taking over there right before Solarwinds came out. He also talked about platform centric vs best-in-breed and how platform can provide simplicity to security teams that live in a world of complexity. Both provided some different perspectives and insights on the cybersecurity landscape and dropped some thought provoking ideas.

The majority of talks I attended were around AI. Before I get to that though I also went to Michael Holcomb’s talk on industrial control systems (ICS/OT). He gave some really good insights but more impressive he put together free ICS/OT courses on YouTube for people looking to get into the ICS/OT space.

The second day was filled with talks on AI. That will be a thing throughout this year and potentially for the next 2-3 years. I love that it’s something new to learn. A lot of the conferences I’ve attended in the last few years haven’t really provided me with the opportunity of learning new things. A lot of the talks just confirmed my own ideas and thoughts around security topics. Nothing really challenged those ideas either. There is value in confirming my knowledge and experiences but I want to continue to learn. AI is that current topic.

Dr. Sybil Rosado talked about the social engineering aspects of AI. While she talked about some of the malicious uses of AI she was a big proponent of using AI and learning how to work with it. She’s a professor at Benedict College in Columbia, SC, and has seen students using it. She actually likes that it’s making the writing better. Dr. Donnie Wendt talked about deepfakes and how they’re playing a role in the world today. It’s super easy to use and get started with. My own thought is that deepfakes are a great way to improve a security awareness program simply by talking about it and showing some examples. Plus there are already attacks where someone is using AI to imitate a voice and ask for money to be sent. Finally, Tom Scott talked about managing your security program with AI. One nugget that really stuck with me was that AI does not remember your interaction in a new chat. To continue to train it you need to keep the same chat.

The conference was a really great start to the year for conferences. I learned some new things, got to meet some new people, and catch up with some people I haven’t seen in a while. I’d definitely recommend checking it out for next year. Talking to one of the organizers it sounds like it’s going to get even bigger.

Exploring Information Security - Change Log - February 16-22, 2024

February 23, 2024

This is a log of changes to the site over the last week.

New pages:

Resources for Threat Modeling - A page I put together for my talk on threat modeling

Content From Threat Modeling Conference Talks - A place where I will drop videos and slides of my talks from my threat modeling talk

Podcast posts:

What is a Canary? - My conversation with Tyron Kemp of Thinkst Canary on canaries

ShowMeCon: Bypassing MFA with Brandon Potter - A sponsored podcast episode by ShowMeCon on bypassing MFA

Blog posts:
Tools and Resources for Effective Threat Modeling - I share tools and resources for threat modeling

Threat Modeling at BSides Nashville 2024 - I will be at BSides Nashville May 11, 2024, to give my threat modeling talk

How to Become a Cybersecurity Kevin Bacon - I talk about my tips and experiences networking in the infosec community

Be a cybersecurity Kevin Bacon - *Image created with the help of ChatGPT*

How to become a Cybersecurity Kevin Bacon

February 21, 2024

The Six Degrees of Kevin Bacon proposes that anyone in the Hollywood film industry is linked to Kevin Bacon within six steps. I’ve somehow had the title applied to me by a few different people. A large part of that is the networking I’ve done in the industry. I’ve hung out and talked to a lot of people. I don’t know everyone in the industry but I have meet people for the first time and we’ve known similar people. In this post I want to cover the networking that may have put me in the same breadth as Mr. Bacon.

Attend Conferences

My very first conference when I got into security was BSides Charleston in 2013. I went down with a buddy to the conference and meet a few people. One of those people that stood out was Evan Davison who goes by the hacker name Pentestfail. He gave a great talk on defense in-depth (this is the same talk at a ISSA local chapter). Evan and I would cross paths multiple times over the next 10 years. We would volunteer and get to know each other at BSides Augusta and the Social Engineering Village at DEF CON.

It’s not just about attending conferences it’s about getting involved and interacting with people. That could be meeting and talking to people, participating in capture the flag competitions, volunteering, or speaking. If you’re nervous about meeting people volunteering is a great way to meet and interact with people.

At one point I was going to 8-10 conferences a year. Most conferences were one day events within a a five hour driving distance so it was only a day or two. Still that’s a lot and it’s not something I’d necessarily recommend as I did get burned out and decided to tone back the conference attendance to three in 2019. There was also the cost. My company did always cover travel. I got maybe one a year. The rest was on my dime but I will say it was worth it for the connections I was able to build within the community.

Going to events allows for shared learning and job opportunities. I’ve learned a lot from just talking to people in the hallway at conferences. It’s a safe space for sharing interesting stories that you wouldn’t hear otherwise. If you’re the type that has a hard time starting a conversation, ask questions. People love talking about themselves and sharing their insights into the industry. I’ve had entire conversations with people who never asked a question or knew my name but I knew a ton about them and got some really great security stories.

Volunteer at events

When I first started attending conferences I would volunteer. This forced me to meet people and as a bonus got me a free ticket into the conference. To get away from registration or door duty I started asking organizers if I could bring my camera and shoot pictures for them at the conference. This was great because I got to be more mobile and allowed me to meet and talk to a variety of people at the conference.

This also opened the door for invitations to work other conferences where my travel expenses were covered. If you have an interest see if it fits into helping out with a conference. I know several people volunteer just to do video for a conference. I’ve also seen people contribute by providing a quilt that was auctioned off. Find something you feel can contribute to the conference. Working the registration desk is also fine.

Volunteering helped me get a really great job in Nashville, TN. I had been traveling to BSides Nashville since it’s inception. There was an opening at a company one of the organizers was working at. I didn’t know that organizer really well but when they were asked about me for the position they responded that I showed up and did my job. Not necessarily a glowing endorsement but it helps and you never know who you’re going to interact with while volunteering.

Attend Local User Groups

Local user groups are great if you’re looking to network within your own city. If there’s not one I’d recommend starting one up. It’s definitely a lot of work but very rewarding. When people ask me my greatest accomplishment I often will tell them it’s starting a local user group in Columbia, South Carolina, that has 20-25 regular attendees. That’s massive for a local user group by the way. If you need guidance on starting a local user group there’s a couple podcasts for that.

How to Start a Successful CitySec Meetup - Part 1

How to Start a Successful CitySec Meetup - Part 2

Starting the local user group allowed me to meet a lot of people in town. You never know if you’ll meet your future employer or someone that starts their own company. I had both those experiences starting a user group. The first was switching to a different state department after meeting the South Carolina state CISO at a meetup and going to lunch with him.

The other is meeting Andrew Morris who is the founder of GreyNoise a company that’s starting to make waves in the cybersecurity community. I met him at a conference called Trends in 2015 where he told me about his idea for the company. I’ve had him on the podcast a couple of times to talk about being a pentester.

Start a blog or podcast

Speaking of podcasts, most people don’t know that I had a podcast prior to my security podcasts. I ran The Crawfish Boxes (TCB) podcast for the Houston Astros fan site on SB Nation. I gained some notoriety with the Houston Astros organization due to that podcast and blogging I did for TCB. It’s amazing how more accessible people become when you offer to interview them. I have a big leaguer or two in my cell phone and at one point had two baseball General Manager’s following me on Twitter.

I took the lessons and experience from covering baseball and brought it into the infosec community and it has really helped my career. I’ve gotten to meet and talk to a lot of great people in the field on my podcast. I’ve had a lot of success just reaching out and asking people if they’d be interested in talking about a topic they’re presenting on or have blogged about. There are people who never responded or responded and then stopped responding but more often than not I can get an interview set up with them.

One of the hardest things getting started is imposter syndrome, “Why would people want to listen or read me?” “Someone else is already doing what I would want to do.” I had those same thoughts but went ahead because I have my own unique perspective to offer. It’s still nerve-racking but the longer I did it the more I realized I have something to offer to the community. I love having a conversation with people and learning more about what they know. Which made podcasting a great fit.

Blogging, on the other hand, is the one I’ve struggled with. I was never good in English class and if I had concerns about podcasting and what people thought my writing is on a much higher level of imposter syndrome. But blogging isn’t about perfect English, it’s about sharing a unique viewpoint. English and grammar help but it’s more about the idea and finding my voice. Plus, the more I do it my writing is bound to improve, right? Right? AI is something I’m leveraging as an assistant. It’s not always great but it can help.

Summary

To be a Kevin Bacon you gotta get out there. Attend conferences and local user groups. You’ll get to meet a lot of really great people. If you struggle with talking to people volunteer. It can force you to meet people and show your willingness to contribute to the community. Start a blog or podcast or vlog. Putting yourself out there can help you grow as a professional and open up doors. If blogging or podcast aren’t your thing that’s okay. Identify what you’re interested in and see how that can fit into the community. There’s a lot of ways to contribute. Contributing to an open source project or participating in a capture the flag event can do similar things for your career. Find ways to get involved.