It wouldn’t be a holiday if a new vulnerability wasn’t released, causing IT and Cybersecurity practitioners to have to put their plans on hold to scan and patch their systems. I have spent more than my fair share of holidays at my desk, trying to make sure everything was resolved before I joined my family and friends in whichever festivities were going on.
We often speak about burnout at conferences, in blogs, and on podcasts, but we don’t always take the advice given, or have the opportunity not to work long hours when things go sideways. This isn’t always the case though. Sometimes we like to feel important, so we overemphasize an issue, letting everyone know how busy we are. How needed we are. And it is great to feel needed.
This can lead to unhealthy behaviors, and issues in your relationships (even with yourself). So the next time you see a vulnerability published just before a holiday, take the time to ask yourself, “Is this really something urgent, or do I just want it to be?” And depending on the answer, give yourself a break for the fire drill that is our lives sometimes, and enjoy some Fireworks or Eggnog with your tribe.
In the ever-evolving landscape of cybersecurity threats, one that remains constant is social engineering. Despite advances in technology and tooling, social engineering continues to pose significant risks to organizations. We’ve all witnessed the devastating impact that social engineering attacks can have on individuals, businesses, and even governments. It was top of mind with some recent breaches, so I wanted to delve into the nuances of social engineering and explore why it remains one of the most common threats we face in cybersecurity.
Here is a quick description of social engineering for those who are newer to cybersecurity. Social engineering is a tactic used by cybercriminals to manipulate individuals into divulging confidential information, granting access to sensitive systems, or performing actions that compromise the individual or organization. Unlike traditional cyberattacks that exploit technical vulnerabilities, social engineering exploits human psychology. Whether through phishing emails, pretexting, or impersonation, attackers leverage social engineering techniques to exploit human trust, curiosity, or fear.
One of the primary reasons why social engineering continues to thrive is its adaptability and versatility. Cybercriminals constantly refine their tactics to bypass sophisticated security defenses and exploit human vulnerabilities. Phishing emails, for example, have evolved from crude, poorly written messages to highly convincing replicas of legitimate correspondence from trusted sources, like an email from your bank, travel agency or even a family member. These emails often employ psychological triggers, urgency, or fear-inducing language to trick recipients into clicking malicious links or downloading malware.
Moreover, the widespread adoption of social media platforms like Facebook, LinkedIn, Twitter, and Instagram has provided cybercriminals with a treasure trove of personal information that can be leveraged for targeted attacks. By profiling individuals based on their online activity, attackers can craft tailored messages that appear genuine and convincing. This personalized approach significantly increases the likelihood of success, as people are more inclined to trust messages that align with their interests or social connections.
Another reason why social engineering remains a top threat is the inherent human element. No matter how robust an organization’s technical defenses may be, human error or manipulation can circumvent most security measures. Whether it’s an unsuspecting employee clicking on a malicious link, or a well-intentioned individual divulging sensitive information over the phone, human fallibility creates opportunities for exploitation.
The COVID-19 pandemic expanded the threat landscape by creating new opportunities for social engineering attacks. With the widespread shift to remote work, employees are more reliant on digital communication channels, making them susceptible to phishing scams, business email compromise (BEC), and other social engineering tactics. Additionally, the uncertainty and fear surrounding the pandemic have heightened emotional vulnerabilities, making individuals more susceptible to manipulation.
As cybersecurity professionals, it’s important that we remain vigilant and proactive in our efforts to combat social engineering threats. Education and awareness training are vital components of any organization’s defensive strategy. By educating employees about common social engineering tactics, red flags to look out for, and best practices for safeguarding sensitive information, organizations can empower their workforce to recognize and resist manipulation attempts.
Implementing robust technical controls such as email filtering, multi-factor authentication, and endpoint security solutions can also help mitigate the risk of social engineering attacks. Regular security assessments, including simulated phishing exercises, can also help identify vulnerabilities and gauge the effectiveness of security awareness training programs. Phishing exercises do need to be done carefully, though, so that they educate employees rather than punish them, and the right lessons are learned.
To wrap this post up, social engineering remains a pervasive and real threat to organizations of all sizes. By understanding the tactics employed by cybercriminals, raising awareness among employees, and implementing comprehensive security measures, organizations can strengthen their defenses against social engineering attacks. As cybersecurity professionals, it’s our collective responsibility to stay ahead of the curve and safeguard against this ever-present threat.
In the ever-evolving landscape of cybersecurity, the concept of Zero Trust Architecture (ZTA) has emerged as an incredible buzzword, but also as a beacon of hope in the battle against sophisticated cyber threats. The fundamental premise of ZTA is to distrust everything, both inside and outside the organization’s perimeters, and to verify every user and device attempting to connect to the network before granting access. However, the journey towards implementing ZTA comes with significant challenges, and one of the biggest obstacles organizations face is the lack of visibility.
Visibility, in the context of cybersecurity, refers to the ability to monitor and understand all activities and traffic within an organization’s network, including user behaviors, device interactions, and data flows. It is the cornerstone of effective security operations, enabling analysts and engineers to detect anomalies, identify potential threats, and respond quickly to incidents. However, achieving comprehensive visibility has become increasingly difficult in today’s complex and bloated cybersecurity environments.
The proliferation of cloud services, the adoption of remote work, and the rise of IoT devices have expanded the attack surface and blurred the boundaries of traditional network perimeters. As a result, organizations struggle to gain real-time insights into their digital assets and activities, making it challenging to enforce the principles of ZTA effectively.
Here are some key ways in which the lack of visibility impacts organizations’ moves to Zero Trust Architectures:
Incomplete Asset Inventory: This has been an issue for as long as I have been in the IT and cybersecurity space. Without full visibility into all devices and assets connected to the network, organizations cannot accurately assess their security posture. Shadow IT, where employees use unauthorized applications and devices, further complicates the situation. As a result, implementing ZTA becomes akin to building a fortress without knowing all the entry points.
User Behavior Analysis: Zero Trust relies heavily on continuous monitoring of user behaviors to detect and prevent unauthorized access. However, without visibility into user activities across different platforms and applications, organizations cannot effectively distinguish between legitimate users and potential threats. This lack of insight increases the risk of insider threats and credential-based attacks going undetected.
Network Traffic Monitoring: Effective ZTA implementation requires granular visibility into network traffic to identify anomalies and potential security breaches. However, the distributed nature of modern IT infrastructures, with data flowing between on-premises systems, cloud environments, and remote endpoints, makes it challenging to monitor and analyze network traffic comprehensively.
Data Protection: Zero Trust aims to protect sensitive data by enforcing strict access controls and encryption mechanisms. However, without visibility into data flows and usage patterns, organizations cannot effectively identify and classify their critical data assets. This blind spot hampers their ability to apply appropriate security controls and encryption measures, leaving valuable data vulnerable to theft or manipulation.
Incident Response: Timely detection and response are essential components of any ZTA strategy. However, without real-time visibility into security incidents and breaches, organizations struggle to contain and mitigate the impact of cyber attacks effectively. Delayed or inadequate incident response can result in prolonged downtime, financial losses, and reputational damage.
Some Ideas to Address the Visibility Gap:
To overcome the challenges posed by the lack of visibility and facilitate the successful implementation of Zero Trust Architectures, organizations must adopt a holistic approach to cybersecurity that integrates advanced technologies, robust processes, and skilled personnel. Here are some strategies to consider:
Comprehensive Endpoint Protection: Deploy endpoint detection and response (EDR) solutions to gain visibility into endpoint activities and behaviors. Implementing advanced threat hunting capabilities can help proactively identify and mitigate potential threats before they escalate.
Network Traffic Analysis: Invest in network monitoring tools that provide deep packet inspection and behavioral analytics capabilities. By analyzing network traffic patterns and anomalies, organizations can detect and respond to suspicious activities in real-time.
User and Entity Behavior Analytics (UEBA): Leverage UEBA platforms to analyze user behaviors across multiple IT systems and applications. By establishing baselines of normal behavior and flagging deviations indicative of potential threats, organizations can enhance their ability to detect insider threats and account compromise.
Data-centric Security: Implement data loss prevention (DLP) solutions to classify and protect sensitive data wherever it resides. Encrypt data both at rest and in transit to ensure confidentiality and integrity, regardless of the visibility into underlying network infrastructure.
Continuous Improvement: Regularly assess and update security policies, controls, and technologies to adapt to evolving threats and business requirements. Foster a culture of cybersecurity awareness and collaboration across the organization to empower employees to play an active role in defending against cyber threats.
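As an added example (this is not code from the original post), the following Python shows two of the visibility checks described above on constructed data: it reconciles a made-up asset inventory against made-up DHCP lease lines to surface unmanaged devices (the incomplete asset inventory problem), and it builds a per-user logon baseline to flag deviations in hour-of-day or source country (the UEBA strategy). The log format, inventory, and events are all constructed for illustration.

```python
"""Reconcile an asset inventory against observed leases and baseline user logons.

Added example, not from the original post. All data below is constructed:
the inventory, the DHCP lease lines and the auth events are made up and do
not describe any real network.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed CMDB/inventory: MAC -> managed asset name. Anything seen on the
# network that is not here is a visibility gap (unmanaged or shadow IT).
INVENTORY = {
    "00:11:22:33:44:55": "finance-ws-01",
    "00:11:22:33:44:66": "finance-ws-02",
    "aa:bb:cc:dd:ee:01": "core-switch-01",
}

# Constructed DHCP lease lines in a dnsmasq-like shape.
DHCP_LOG = """\
Mar 04 08:02:11 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.21 00:11:22:33:44:55 finance-ws-01
Mar 04 08:05:40 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.22 00:11:22:33:44:66 finance-ws-02
Mar 04 08:07:03 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.90 de:ad:be:ef:00:01 Galaxy-Tab
Mar 04 09:15:55 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.91 de:ad:be:ef:00:02 raspberrypi
"""
LEASE_RE = re.compile(r"DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>[0-9a-f:]{17})(?: (?P<name>\S+))?")


def unmanaged_devices(log_text, inventory):
    """Return {mac: (ip, hostname)} for leases whose MAC is not in the inventory."""
    found = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac not in inventory:
            found[mac] = (m.group("ip"), m.group("name") or "?")
    return found


# Constructed logon events: (user, ISO timestamp, source country).
AUTH_EVENTS = [
    ("alice", "2024-03-01T09:05:00", "US"),
    ("alice", "2024-03-02T08:55:00", "US"),
    ("alice", "2024-03-03T09:20:00", "US"),
    ("alice", "2024-03-04T03:10:00", "RO"),  # off-hours and a new country
    ("bob",   "2024-03-01T13:00:00", "US"),
    ("bob",   "2024-03-04T14:00:00", "US"),
]


def baseline_deviations(events, window_hours=2):
    """Flag logons outside a user's usual hour band or from a country not seen before.

    The baseline for a user is built only from events before the one being
    scored, so a user's first logon is never flagged."""
    hours = defaultdict(list)
    countries = defaultdict(set)
    flagged = []
    for user, ts, country in events:
        hour = datetime.fromisoformat(ts).hour
        if hours[user]:
            lo, hi = min(hours[user]) - window_hours, max(hours[user]) + window_hours
            reasons = []
            if not lo <= hour <= hi:
                reasons.append(f"hour {hour} outside {lo}-{hi}")
            if country not in countries[user]:
                reasons.append(f"new country {country}")
            if reasons:
                flagged.append((user, ts, "; ".join(reasons)))
        hours[user].append(hour)
        countries[user].add(country)
    return flagged


if __name__ == "__main__":
    for mac, (ip, name) in unmanaged_devices(DHCP_LOG, INVENTORY).items():
        print(f"unmanaged device {mac} at {ip} ({name})")
    for user, ts, why in baseline_deviations(AUTH_EVENTS):
        print(f"deviation for {user} at {ts}: {why}")
```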
While Zero Trust Architecture offers a promising shift in cybersecurity, its effectiveness hinges on an organization’s ability to leverage visibility into its environments. By addressing the visibility gap through a combination of technology, process, and skilled personnel, organizations can strengthen their security posture and navigate the complexities of today’s threat landscape with confidence.
Remember, in the realm of cybersecurity, what you can’t see can hurt you. Embrace visibility to illuminate the shadows and move towards a more secure future.
As I prepare for another year of BlackHat and Defcon, this being the 15th year or so that I have attended, it has a completely different feeling than previous years. Last year, when the COVID pandemic was still in full swing, the conferences went virtual and I was relieved that both conferences were taking it seriously. I wanted to be onsite with my friends and hacker family, but it was the right thing to do to remain virtual and wait for the next year when we could be together.
Now we are in another upswing of the COVID pandemic, after it has started to tail off, and both conferences are in a hybrid mode. I scheduled myself to be onsite, after being vaccinated and taking extreme precautions for the last 18 months. I keep telling myself, I am taking the precautions necessary to attend and be safe. I am vaccinated, wear a mask, and have plenty of hand sanitizer. I still have concerns, but my desire to see my hacker family is overriding my fear.
With the time I have had to prepare, I think that I will be safe, but understand the number of folks that are cancelling their trips. Everyone needs to do what they feel is right, and with the COVID numbers spiking around the country, it is hard to feel safe anywhere.
So this year at Defcon will be like no other year, and hopefully like no future year. I will be in person, meeting up with the folks that are still going to be in person, giving elbow bumps when appropriate, and missing the folks that aren’t there with us in person, though I know they are there in spirit.
Hopefully next year we will be through the spikes of this pandemic and can all be together in person. Until then, Hack the Planet!
As the clock struck 00:00 on January 1st, 2021, I felt a sense of hope. The year 2020 will be in our history books as one that tested the human spirit, and saw the best and worst of mankind. From a global pandemic, to some of the largest, and most high profile hacks, how could 2021 not be better? Well, I guess this is where the hold my beer meme should go.
Within a week we are not just talking about hacks, or politics, but full blown insurrection in the USA. When the armed mob of right wing domestic terrorists stormed the Capitol, it put an end to the idea that 2021 would be a gentler year than the previous one. There continues to be more and more information released on this attack on democracy, so we will see what these next few weeks bring.
One of the threads on this attack that has received attention on the InfoSec Twittersphere is that there were many unlocked workstations in pictures taken by the insurrectionists, and a laptop was stolen that may have included sensitive information. While there were a lot of takes on this, Jack Daniel made the most important one, pointing out that the safety of the people was the priority. We can sit back behind our keyboards thinking, “If an angry mob was storming my building I would definitely lock my workstation”, but let’s not kid ourselves, we would be fleeing.
There are measures that can be taken to get the human out of the loop, and with our threat model severely modified after the Capitol attack, here are a few to think about. Faster inactivity locks, so that if you aren’t actively working on the computer it will lock itself in a shorter time frame. This isn’t perfect, but it is easy and low impact. There are also proximity devices that automatically lock a computer once the device is out of range. There are other options as well, and I am sure we are going to see them becoming more normal after Jan 6th.
When we look forward to the rest of the year, I think it is important to make sure we are trying to find ways to make security easier, to make it a default state.
I have not kept up with my writing as much as I would have liked, and I thought maybe with a world changing pandemic I would finally find the time. Well a few months into social distancing and I am just now sitting down to write. #covidlife
It seems like a long time ago, but it was just March when I had my wings clipped and was no longer traveling. At the time, admittedly, I didn’t think it would be too long until I was back in the air and business as usual. Now I see that we won’t be going back to “usual”. It is good though, because we can find a better way to move forward and not rely on doing things a certain way “because that is how it has always been done.”
There have been many blogs and write-ups on how to work in our new, fully remote environments. We weren’t great at defending our networks when they were within our walls. Just looking at all of the breaches we’ve suffered tells us that much. How were we going to handle going remote?
Well, luckily George at Splunk put together a nice list of things we can do today to help protect our workers and our organizations while we adjust to this brave, new world of work. From monitoring our endpoints, to monitoring who is moving data they shouldn’t, it is a good guide for those that are looking for something that they can start doing today.
Dark Reading also put out an article on patching in a pandemic. Many of the ideas, like making sure you have a solid asset inventory and patch prioritization, are things that I think we should have been doing before we were thrust into this remote world. Sadly, I think this has shown many that the IT Emperor had no clothes, and we are being forced to change our behavior and really start protecting our orgs because the light has been shined on us.
As we all work together on this journey, let’s remember that this is a trying time for everyone. So be kind, be safe, and Hack the Planet!
I have helped with many sales opportunities where there are Requests For Proposals (RFPs), or other types of questionnaires that are supposedly written to let the purchaser find out which products can meet the project’s or program’s requirements. If you have been through this yourself, you know these are rarely written by the people that will actually be operating the tools. It is a very similar experience to reading job requirements written by an HR team that doesn’t know what they are really hiring for, but they have a template and a passion for filling it out.
“Wanted, a Junior Software Developer. Must have a Master’s Degree in Computer Science, 10 years experience in the newest technologies, and be a champion Samba dancer.”
When you read a lot of these you start to recognize what is really being asked for, or at least which direction you need to go. At this point you buckle down, answer the questions to pass the first set of eyes that is only looking for any “no” responses, but you also add clarifying terms to make sure the folks that originally requested the information or proposal get the depth they need to make a decision.
At this point you may be thinking, that’s great. You answered their questions. But hold on. It isn’t about being able to actually do the thing that was originally requested. It is about being able to almost do it, and also be cheaper than any other solution out there, even solutions that don’t actually meet the requirements but that made it through the first set of eyes, so it must work because they said yes to everything. As in, “Yes, we would like to be able to solve this problem someday.”
The saying, “Lowest Cost, Technically Acceptable” (LC;TA) may be the cause of more failures and breaches than any other accepted practice in Information Security. This lines up with compliance being the bar to hit, and not the bare minimum. When you build out an environment to check a box, but not to perform the actual task required, you will inevitably fail. If you build a fighter jet with the LC;TA mentality, you will have them falling out of the sky, unable to complete their mission. The same holds true for Information Security.
Let’s stop building things to fail by default. Let’s stop accepting that “Technically Acceptable” is…well, acceptable. Let’s push back on the powers that be, and let them know if they want to truly secure their environments against adversaries that are motivated, highly skilled and have time on their side, we need the right tools, the right people and freedom to build them. If they don’t, we may need to start walking away from the keyboard and find organizations that will.
I have a theory. I believe it is shared by many others, and I have probably written on it before, but just in case, here it is. The more someone says they know, the less they do, and vice versa. This is my Imposter Syndrome thesis. There are many blogs on this phenomenon, and we discuss it regularly as a community. That is not what this post is about though.
There are also many people trying to help new people get into the information security industry despite this feeling. While we work to recruit more people, one of the things I try to make sure they understand is that this is not a static field. You cannot learn something once and feel confident that it will not change as soon as tomorrow.
So how do you keep up with all of the changes and advances in Information Security and our adversaries’ tactics and techniques? There are many approaches to this, but here is mine.
I find that I have to use multiple technologies and communities to keep myself abreast of what is going on, and where I need to spend more time and focus. I use RSS, Twitter, online groups and in-person meetups, with each providing different things to my overall understanding of what is going on.
For those unfamiliar with RSS, it is basically a way to compile updates from websites you are interested in. There are different RSS readers or applications you can use to bring your feeds together, and after the death of Google Reader I don’t know that any one is better than another. I have everything from corporate sites/blogs, personal InfoSec blogs, to news sites, so I don’t have to go to each one to see if there is anything new for me to see. There are a ton of sites out there, so having one dashboard to view them all in saves me a lot of time.
I also use Twitter pretty heavily to find updates that aren’t on my RSS, and also for things that are more current. It is kind of like email (RSS) versus text message (Twitter). Find people that are part of the community and start following. You will find more and more people and companies to follow that can help you keep up with the latest in vulnerabilities, data breaches and adversary techniques.
I am also a big believer in IRL (In Real Life) meetups, and community sharing. As you build up your relationships and friendships you may find that you join Slack or Keybase groups that share your interests. These can be incredibly helpful in helping you learn and stay current in Information Security, or whatever field you are interested in.
If you have a Defcon group, or other InfoSec group near you, attend the meetups. I have not yet been to an InfoSec meetup that wasn’t full of great people who were willing to help out people they had just met. Attending conferences helps with this as well. The BSides conferences are run across the planet and we are at a point where it is harder to find conferences not to go to, because there are so many available.
To wrap this up, there are so many ways to keep yourself up to date and learning every day that you don’t have to pick just one. Find what works for you and don’t forget to engage with the community. There is no shortage of people willing to mentor and help others grow and learn.
It wasn’t very long ago that I was reading a report from Cylance researchers that there was a new nation-state APT group that they had dubbed White Company. The researchers commented on how the group was located in the Middle East, but had tendencies, or tactics, that led the researchers to believe they were ex-US Intel. It is concerning to think that the Tactics, Techniques and Procedures (TTPs) that have been created inside the US Intel community were being used by a foreign power.
The White Company was caught using an unwitting Belgian locksmith’s website (and I am assuming other sites) to go after the Pakistani Air Force. Some of the TTPs the group uses are adding anti-debugging code to their shellcode, using publicly available malware, and preprogrammed dates for discovery by antivirus software to distract analysts. All of these together show a level of sophistication not common outside of specific nation-state actors.
It was a few weeks later that Reuters published reports on Project Raven, a group of ex-US Intel operatives that worked with the UAE to engage in surveillance of militants, human rights activists, and other governments. This revelation should have been more shocking, but with the previous report from Cylance it just solidified the evidence that ex-US cyber warriors were going to work for the highest bidders. This is very sad news as Bob Anderson, exec assistant director of the FBI, is quoted in the Reuters report as saying, “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government.”
One of the tools that Project Raven used, named Karma and detailed in another Reuters investigation, helped the operatives hack into the iPhones of diplomats and foreign leaders for the benefit of the UAE. This tool is special in that it did not require the targets to click on phishing links to gain access.
With the knowledge that US Intel operatives and analysts have it is no wonder that those outside the US would target them for recruitment. What is surprising is how many allow themselves to be recruited. As Tawakkol Karman said in the report, these people should “not be a tool in the hands of tyrannies to spy on activists and to enable them to oppress their peoples.”
We all need to take a look at ourselves and ask if the work we are doing is helping others, and at the very least not hurting them.
As I was interviewing a candidate for an Information Security job, and helping a friend prepare for an interview at another company, I kept thinking of what attributes make the best, and worst, security professionals. There are probably a lot of studies out there with different statistics to prove one key attribute over another, but I am just writing from my gut.
When I interview folks, I am usually looking for intangibles over current skillset. I will caveat that by saying I am normally interviewing people for more senior positions, so they have a background in Information Security or a related field. The intangibles I usually probe for are teamwork, a growth mindset and curiosity.
I think of curiosity as the desire to learn, an inquisitive mind, and a joy for discovery. Individuals who think they know everything, don’t want to learn and aren’t passionate are not going to last long in this ever changing field. I know that the best folks I have ever worked with had a natural curiosity around technology, and knowledge in general, and will go down the rabbit hole to find answers.
So, if you ask me what it takes to be successful in Information Security I may answer, “Are you curious enough to be a hacker?”