Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on youtube, but I’ll be posting them on this site as well.
Category: cybersecurity
-
TryHackMe | Advent of Cyber 2024 – Day 2
-
Weekly Cybersecurity Wrap-up 11/25/24
Each week I publish interesting articles and ways to improve your understanding of cybersecurity.
Projects
- Linux Foundation – Introduction to Kubernetes (LF158) – In Progress
- TryHackMe – Splunk: Setting up a SOC Lab
- SANS Holiday Hack Challenge 2024: Snow-maggedon
Videos
Articles
- Mexico’s President Says Government Is Investigating Reported Ransomware Hack of Legal Affairs Office – Mexico’s president says the government is investigating a reported ransomware hack of the country’s legal affairs office.
- Macy’s Discovers Employee Hid Millions in Delivery Expenses – The department store chain said it had found the erroneous accounting entries while preparing its results for the third quarter.
- The Future of Online Privacy Hinges on Thousands of New Jersey Cops – Removing your phone number and address from the internet can be exceedingly difficult. A multibillion-dollar lawsuit led by an unlikely privacy crusader could soon catalyze change for everyone.
- China has utterly pwned ‘thousands and thousands’ of devices at US telcos – Senate Intelligence Committee chair says his ‘hair is on fire’ as execs front the White House
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware – The Chinese state-sponsored hacking group Salt Typhoon has been observed utilizing a new “GhostSpider” backdoor in attacks against telecommunication service providers.
- Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack – Supply chain management software provider Blue Yonder has been targeted in a ransomware attack that caused significant disruptions for some customers.
- Russia arrests one of its own – a cybercrime suspect on FBI’s most wanted list – The latest in an unusual change of fortune for group once protected by the Kremlin
- Two UK Hospitals Hit by Cyberattacks, One Postponed Procedures – Alder Hey Children’s Hospital and Wirral University Teaching Hospital have fallen victim to cyberattacks, including one involving ransomware.
- Interpol: Operation HAECHI-V led to more than 5,500 suspects arrested – International law enforcement operation Operation HAECHI-V led to more than 5,500 suspects arrested and seized over $400 million.
- Notorious ransomware programmer Mikhail Pavlovich Matveev arrested in Russia – Russian authorities arrested ransomware affiliate Mikhail Matveev, aka Wazawaka, for developing malware and ties to hacking groups.
- U.S. Citizen Sentenced for Spying on Behalf of China’s Intelligence Agency – A 59-year-old U.S. citizen who immigrated from the People’s Republic of China (PRC) has been sentenced to four years in prison for conspiring to act as a spy for the country and sharing sensitive information about his employer with China’s principal civilian intelligence agency.
- Police bust pirate streaming service making €250 million per month – An international law enforcement operation has dismantled a pirate streaming service that served over 22 million users worldwide and made €250 million ($263M) per month.
Podcasts
SEI Podcasts: The Importance of Diversity in Cybersecurity: Carol Ware
CISO Tradecraft #208 Insider Threat (with Shawanee Delaney)
-
TryHackMe | Advent of Cyber 2024
-
2024 Insider Threat Report: A Cybersecurity Enthusiast’s Summary
The 2024 Insider Threat Report, produced in collaboration by Cybersecurity Insiders and Gurucul, paints a sobering picture of the evolving landscape of insider threats. Let’s break down some of the key findings and their implications.
Here is an AI generated audio podcast, if you’d prefer to get caught up that way:
The report highlights a disturbing increase in the frequency of insider attacks. Only 17% of organizations reported no insider attacks in 2024, down sharply from 40% in 2023. This trend is further underscored by the fact that 48% of respondents confirmed that insider attacks have become more frequent in the past year. The financial ramifications of these attacks are substantial, with the average cost of remediation exceeding $1 million for 29% of respondents. To put that in perspective, for organizations reporting 6 or more attacks in the last 12 months, the potential financial damage could easily reach tens of millions of dollars.
The report attributes this surge in attacks to several factors:
- Complex IT Environments: The shift to hybrid work models, the increasing reliance on cloud services, and the integration of technologies like IoT and AI have expanded the attack surface and made it more difficult to secure.
- Inadequate Security Measures: Insufficient data protection and inconsistent policies continue to plague many organizations, leaving them vulnerable to exploitation.
- Lack of Training and Awareness: A significant number of respondents (32%) pointed to a lack of employee training and awareness as a key driver of insider attacks. This highlights the critical role of security awareness programs in mitigating unintentional insider threats.
A key takeaway from the report is that insider threats are often more difficult to detect and prevent than external attacks. This is because insiders, by their very nature, have legitimate access to sensitive systems and data, making their malicious activities harder to distinguish from normal behavior. The report reveals that 37% of respondents find insider attacks more challenging to detect and prevent than external attacks, emphasizing the need for more sophisticated detection and prevention strategies.
Despite the growing awareness of the risks posed by insider threats, many organizations struggle to implement effective mitigation strategies. The report identifies several key obstacles:
- Technical Challenges: The complexity of data classification, concerns about user productivity impact, and deployment challenges to remote devices are among the technical barriers cited by 39% of respondents.
- Cost Factors: For 31% of respondents, the cost of implementing advanced security solutions, such as User and Entity Behavior Analytics (UEBA), remains a significant obstacle.
- Resource Limitations: Many organizations lack the necessary staffing and expertise to effectively manage insider threats, with 27% of respondents citing this as a key barrier.
The report emphasizes the critical importance of unified visibility and control across the entire IT environment – both on-premises and in the cloud – for effective insider threat management. While a significant 93% of respondents recognize this need, only 36% report having a fully integrated solution that delivers this capability. This discrepancy highlights a critical gap in many organizations’ security postures.
Some key recommendations include:
- Implement Advanced Monitoring Solutions: Investing in tools like UEBA can help identify anomalous user behavior that may indicate malicious intent.
- Integrate Non-IT Data Sources: Incorporating data from sources like HR and legal departments can provide valuable context for risk assessment and threat detection.
- Leverage Automated Threat Detection and Response: Automating security processes can significantly enhance efficiency and effectiveness in managing insider threats.
- Adopt a Zero Trust Framework: Ensuring continuous authentication and authorization of all users and devices can significantly reduce the risk of insider threats.
- Enhance Employee Training and Awareness: Comprehensive training programs can equip employees to identify and report suspicious activity and promote a security-conscious culture.
The 2024 Insider Threat Report serves as a stark reminder that the threat from within is real and growing. By understanding the evolving nature of insider threats, recognizing the challenges in detection and prevention, and embracing the best practices outlined in the report.
-
Former Verizon Employee Sentenced to Prison for Espionage
Ping Li, a 59-year-old former Verizon employee, was recently sentenced to four years in prison for conspiring to act as an agent of China. Li, who immigrated to the U.S. from China and became a citizen, pleaded guilty to the charges earlier this year. His espionage activities date back to at least 2012.
When the FBI arrested Li in July, he initially tried to downplay his relationship with the MSS (Ministry of State Security, the intelligence and security agency for China) agent, claiming he was merely seeking investment advice. However, when confronted with incriminating emails, he confessed to conducting research for the Chinese government and sharing confidential cybersecurity materials from his employer.
Espionage Activities:
- Li shared sensitive information with MSS agents about:
  - U.S. government electronic surveillance capabilities.
  - Activities of Verizon branches in China.
  - Cybersecurity training materials from another employer.
- Li also provided the MSS with names and identifying details of Falun Gong (also known as Falun Dafa, a religious group that is banned in China) members residing in the U.S.
Li’s case highlights China’s efforts to infiltrate major telecom companies and exploit insiders for intelligence gathering. His actions provided the Chinese government with valuable insights into corporate operations and the activities of political opponents. While Li’s sentencing agreement doesn’t explicitly link him to the Salt Typhoon hack, his case underscores the vulnerability of telecom companies to such infiltration. This hack, attributed to the MSS-linked group Salt Typhoon, targeted major telecom giants, including Verizon.
- Li worked for Verizon as a software engineer for at least 20 years before moving to Infosys, an Indian IT consulting firm.
- He began working with MSS agents as early as 2012.
- He frequently traveled to China to meet with his former classmate, an MSS agent.
- Li also used online accounts to communicate and share information with MSS agents.
Li was sentenced to four years in prison for his crimes. His sentencing comes amidst heightened concerns about Chinese cyberespionage, particularly in light of the recent Salt Typhoon hack. This hack potentially compromised the data of high-profile individuals, including politicians Donald Trump and Kamala Harris. It’s important to note that the sources do not explicitly connect Li to the Salt Typhoon operation.
-
The Infosec Exodus: Why Cybersecurity Professionals are Choosing Bluesky
In the ever-evolving landscape of social media platforms, the cybersecurity community has found itself at a crossroads. The once-vibrant Twitter (now X) ecosystem has been gradually eroding, pushing information security professionals to seek new digital gathering spaces. Enter Bluesky – a decentralized social network that’s rapidly becoming the new home for infosec experts, researchers, and enthusiasts.
The mass exodus from Twitter isn’t just about platform features or leadership changes. For the cybersecurity community, it’s fundamentally about finding a space that values open dialogue, technical depth, and professional networking. Bluesky’s decentralized architecture and commitment to user control have struck a chord with a community that lives and breathes technological autonomy.
What Makes Bluesky Different?
Unlike traditional social media platforms, Bluesky offers several key features that appeal to cybersecurity professionals:
- Decentralized Protocol: The AT Protocol (Authenticated Transfer Protocol) provides a level of technological transparency that resonates with infosec experts. It’s not just a platform; it’s a potential blueprint for more secure, user-controlled social networking.
- Community Discovery: Bluesky’s innovative “starter packs” have been a game-changer for professionals looking to quickly find their tribe. These curated lists allow users to immediately connect with relevant communities, including specialized infosec groups, threat researchers, and security practitioners.
- Enhanced Privacy Controls: In a world where digital privacy is paramount, Bluesky’s approach to user data and community moderation speaks directly to the core values of cybersecurity professionals.
What’s particularly interesting is how quickly and organically the cybersecurity community has adapted to Bluesky. From threat intelligence sharing to professional networking, the platform has become more than just a social media alternative – it’s become a virtual conference hall, a research sharing platform, and a global infosec meetup.
Starter Packs: The Community Accelerator
Bluesky’s starter packs deserve special mention. These curated lists allow new users to immediately find and connect with relevant professionals. This means:
- Instant access to threat researchers
- Quick connection with vulnerability researchers
- Networking opportunities with cybersecurity practitioners across various specialties
- Targeted content discovery based on specific security domains
This is the main differentiator from Mastodon, which didn’t have an easy way to find “your people” on the service. You can search all starter packs in their directory, and here are the infosec-specific ones.
Looking Forward
While no platform is perfect, Bluesky represents a promising alternative for a community that values technical integrity, open dialogue, and professional networking. As more cybersecurity professionals make the switch, we’re witnessing the potential birth of a more decentralized, user-controlled social media landscape.
The migration isn’t just about leaving an old platform – it’s about building a new digital infrastructure that reflects the values of technological autonomy and professional collaboration.
Disclaimer: The views expressed are personal observations based on community trends and should not be considered an official endorsement of any platform. AKA This post is not sponsored.
-
TLDR From the CyberArk 2024 Identity Security Threat Landscape Report
As a cybersecurity expert with 20 years of experience, I’ve witnessed the evolution of cyber threats, and the CyberArk 2024 Identity Security Threat Landscape Report highlights some critical trends that all cybersecurity enthusiasts should be aware of:
- The Rise of Machine Identities: We are in the midst of a massive expansion of identities in the digital world. While human identities remain important, machine identities are driving a substantial portion of this growth. Organizations are expecting the total number of identities to more than double in the next 12 months, with many predicting a threefold or greater increase. This explosion is primarily fueled by machine identities. It is crucial to recognize that machine identities with access to sensitive data are privileged users and require the same level of security scrutiny as human users.
- Generative AI: A Double-Edged Sword: While Generative AI offers promising advancements in cybersecurity, it also empowers malicious actors. Almost all organizations surveyed use GenAI for cybersecurity, but unfortunately, so do cybercriminals. We can expect a surge in AI-powered attacks, including sophisticated phishing, malware, deepfakes, and data leakage from compromised AI models. The report emphasizes the overconfidence among executives regarding employees’ ability to identify deepfakes, highlighting a dangerous perception gap that needs to be addressed.
- Third- and Fourth-Party Risks: The interconnected nature of modern business means organizations rely on a complex web of third- and fourth-party providers. This interdependence introduces significant security vulnerabilities. The report reveals that most organizations will use three or more cloud service providers and experience a dramatic increase in the number of SaaS applications in the next 12 months. The potential for breaches to cascade through this network is a major concern, particularly with the lack of visibility and rigorous vendor risk management practices.
- Cyber Debt and the “Shiny Object” Syndrome: Organizations often chase the latest cybersecurity technologies while neglecting basic security hygiene. This leads to cyber debt, where vulnerabilities accumulate due to a focus on “shiny objects” like GenAI while overlooking persistent threats. Phishing and vishing attacks, despite being well-known threats, continue to be highly effective, impacting 9 out of 10 organizations. The enduring threat of ransomware, exacerbated by the rise of AI-powered deepfakes, underscores the need for continuous vigilance and robust security fundamentals.
- The Path Forward: A Holistic Approach to Identity Security: The report emphasizes the need for a comprehensive and unified approach to identity security. Implementing a Zero Trust strategy, securing every identity (both human and machine), conducting regular cybersecurity awareness training, and developing robust contingency plans are essential steps. Additionally, organizations should prioritize ITDR (Identity Threat Detection and Response), passwordless authentication, and secrets management to address the evolving threat landscape. Automating routine tasks and leveraging AI for threat detection and analysis are also crucial, but it’s vital to maintain human oversight and ensure transparency in AI-driven decisions.
The CyberArk 2024 Identity Security Threat Landscape Report offers valuable insights into the current and future state of cybersecurity. By understanding these key takeaways and proactively addressing the identified challenges, organizations can strengthen their security posture and mitigate the risks posed by a constantly evolving threat landscape.
If you prefer, here is an AI-generated podcast discussing the report:
-
2024 “Insider Threat Guide” Takeaways for Cybersecurity Professionals
The National Insider Threat Task Force (NITTF) has released its 2024 “Insider Threat Guide,” a valuable resource for US government departments and agencies. Here’s a breakdown of key takeaways for cybersecurity professionals:
AI generated podcast:
Insider Threats Remain a Critical Concern
- The threat landscape continues to evolve rapidly, making the insider threat mission highly dynamic.
- Agencies possess sensitive information, classified or not, making insider threats a concern across various data types.
- While progress has been made since Executive Order (E.O.) 13587 mandated insider threat programs, full implementation remains an ongoing process.
Programmatic Minimum Standards are Essential
- The 2024 guide focuses on aligning with the national minimum standards for insider threat programs, outlined in the White House Memorandum on National Insider Threat Policy.
- The guide offers best practices to overcome common challenges in implementing these standards.
- Departments and agencies with mature, proactive insider threat programs are better equipped to deter, detect, and mitigate insider threats before they escalate.
Collaboration and Information Sharing are Crucial
- Forming a working group with representatives from security, counterintelligence, Information Assurance (IA), HR, legal, and other relevant departments is crucial for program success.
- Engaging with Cognizant Security Agencies (CSAs) is vital when dealing with cleared contractors, addressing information sharing, user activity monitoring, and incident response.
- Open communication with the FBI regarding insider threat concerns and potential referrals is essential.
Employee Training and Awareness are Paramount
- All cleared employees must receive insider threat awareness training, covering threat recognition, reporting procedures, and counterintelligence awareness.
- Promoting an internal website with insider threat resources and a secure reporting mechanism fosters awareness and facilitates reporting.
- Ongoing awareness campaigns beyond mandatory training can help build a strong security culture.
Comprehensive Information Access is Key
- Insider threat programs need access to counterintelligence data, IA logs, HR records, and other relevant information to identify potential threats.
- Procedures for accessing particularly sensitive information, such as special access programs or investigative records, must be established.
- Access to U.S. Government intelligence and counterintelligence reporting provides valuable context and insight into adversarial threats.
User Activity Monitoring is a Powerful Tool
- User activity monitoring (UAM) on all classified networks is essential for detecting insider threat behavior.
- Clear policies on protecting, interpreting, storing, and limiting access to UAM data are vital.
- User agreements and network banners acknowledging monitoring activities are necessary for legal and transparency purposes.
Information Integration and Analysis Drive Response
- Establishing a centralized “hub” to gather, integrate, analyze, and respond to information from various sources is crucial.
- Defined procedures for insider threat response actions, including inquiries and referrals, ensure a consistent and controlled approach.
- Detailed documentation of insider threat matters and response actions is crucial for tracking progress and identifying trends.
The 2024 “Insider Threat Guide” provides a roadmap for organizations to develop and mature their insider threat programs. By adhering to these guidelines, cybersecurity professionals can play a critical role in protecting sensitive information and mitigating the risks posed by insider threats.
-
When Digital Mischief Became Legendary: The Max Headroom Hack That Blew My Mind
A Cybersecurity Enthusiast’s Deep Dive into the Most Bizarre Broadcast Hijacking in History
Holy nostalgia, Batman! I thought I knew everything about the weird tech of the 1980s, but somehow the Max Headroom broadcast intrusion had completely slipped past my radar until today. Having grown up with early computer culture, I’m fascinated that this incredible piece of hacking history flew under my generational radar for decades.
The Night Television Got Punk’d
On November 22, 1987, something extraordinary happened during broadcasts in Chicago that would become the stuff of underground tech legend. During WGN-TV’s evening newscast and later during an episode of Doctor Who on WTTW, an unknown individual in a Max Headroom mask—yes, that pixelated, bizarre TV character—managed to override the broadcast signal and transmit their own bizarre, cryptic transmission.
The Technical Marvel
From a cybersecurity perspective, this wasn’t just a prank—it was a sophisticated signal intrusion that demonstrated remarkable technical skill. The hackers managed to:
- Overcome broadcast encryption
- Synchronize their transmission with existing broadcast frequencies
- Create a deliberate, albeit bizarre, alternative broadcast
The entire incident lasted only about 90 seconds, but it represented a watershed moment in understanding the vulnerabilities of broadcast systems.
More Than Just a Broadcast Interruption
What makes this hack truly remarkable wasn’t just its technical complexity, but its absolute weirdness. The masked figure—wearing a Max Headroom mask and a suit—engaged in a surreal performance that included:
- Bizarre background noises
- Nonsensical dialogue
- A spanking scene with a flyswatter
- References that seemed simultaneously random and pointed
It was like cyberpunk performance art meets technological subversion.
The Unresolved Mystery
Despite an FBI investigation, the perpetrators were never caught. This only added to the legendary status of the broadcast intrusion. For cybersecurity professionals, it became a fascinating case study in signal vulnerability and the potential for media manipulation.
Technical Breakdown
The hack likely involved:
- A powerful broadcast transmitter
- Precise knowledge of broadcast frequencies
- Understanding of analog broadcast technology
- Significant engineering expertise
Reflections of a GenX Tech Professional
As someone who grew up during this era, I’m simultaneously impressed and unsettled. We were witnessing the early days of hacker culture—a time when technological prowess was as much about creativity and statement as it was about pure capability.
This wasn’t malicious destruction. This was a statement. A performance. A glimpse into a future where technology could be both a medium and a message.
The Lasting Legacy
Today, the Max Headroom incident remains a pivotal moment in hacking history. It represents:
- A demonstration of broadcast system vulnerabilities
- An early example of media hijacking
- A bizarre piece of technological performance art
For cybersecurity professionals, it serves as a reminder that security is never absolute—and that sometimes, the most interesting breaches are the ones that make us laugh, think, and question the systems we take for granted.
Here is a great YouTube video that puts everything together nicely. There are some explicit images in it, so be warned.