Cyber Judo

Professional Training and Coaching

New York, NY · 2,400 followers

Cybersecurity mentoring, coaching and training.

About

Website
https://cyber-judo.com/
Industry
Professional Training and Coaching
Company size
2-10 employees
Headquarters
New York, NY
Type
Privately Held

Updates

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    Earlier this week I had the honor to speak at Compliance Week's Cyber Risk & Data Privacy Summit on the topic of Defending Against Deepfake Attacks. Here are my top 20 practical tips:

    - Ensure Separation Of Duties Are In Place For Financial Transactions
    - Ensure Dual Authorization Controls Are In Place For Financial Transactions
    - Train Staff On What #Deepfake Attacks Are And How To Report Suspected Deepfake Attacks
    - Inform Staff That Phone Numbers Can Be Easily Spoofed And To Never Trust Inbound Calls Concerning Sensitive Organization Matters
    - Reinforce A Culture Where Employees Are Encouraged To Follow Process, Verify Unusual Requests And Challenge Leadership When Process Isn't Followed
    - Leverage Authenticated Dual-Band Communication Verification
    - Leverage A Shared Secret Or Code Of The Day For Important Change Requests
    - If You Have An IT MSP, Ensure They Have Helpdesk Verification Processes & Tools In Place To Prevent Impersonation Attacks
    - Ensure HR Is Aware To Monitor For Job Interview Fraud
    - Build Responding To Deepfakes Into Your Incident Response Plan
    - Conduct A Tabletop Exercise Of A Deepfake Attack
    - Ensure Phishing Resistant Multi-Factor Authentication Is Deployed Across The Organization (#FIDO2)
    - Ensure Device Conditional Access Policies Are In Place To Help Prevent Account Takeover Attacks
    - Ensure IT Is Monitoring For Impossible Travel Logins
    - Monitor For Impersonation Of The Organization With Doppelgänger Domain Monitoring Tools Like DNSTwist
    - Reduce The Digital Footprint Of Staff Leveraging Public Data Sanitization Services Like DeleteMe/Aura/PrivacyBee, etc.
    - Educate Staff On Configuring A Secure PIN With Their Cellular Carrier To Prevent SIM Swapping Attacks
    - Consider Deploying An Identity Proofing Solution Like Entra Verified ID
    - Ensure Any Deal Rooms & Secure Data Rooms Undergo Regular Security Reviews
    - Consider Leveraging A Cybersecurity Partner To Implement Deepfake Campaigns In Your Organization's Social Engineering Testing & Penetration Testing

    As you can tell, just like cybersecurity in general, much of this is about pragmatism, process and having a defense-in-depth approach. That said, there are a lot of great technologies out there like Entra ID Face Check which folks should also leverage.

    I'd highly recommend Compliance Week's conferences in the future; it was a great line-up of folks, much to learn, and it was great to be able to connect with so many subject matter experts.

    One of my favorite sessions to attend was on the intersection of technology and human trafficking by Suzan Rose at AIMA - The Alternative Investment Management Association and Heather C. Fischer at Thomson Reuters. It was not just insightful, but an inspiring call to action for organizations and individuals to help eliminate human trafficking across the globe.

    #infosec #cybersecurity #informationsecurity #cybersecurity #redteam #pentesting #socialengineering

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    Recently the U.S. Copyright Office released its report on the copyrightability of #GenAI content. The report reaffirms much of their previous stance, which is important to those leveraging #LLMs and #AgenticAI. Here is the breakdown:

    - The U.S. Copyright Office believes the existing copyright laws are sufficient to address the topic of #AI generated content. As of now, they are not planning on any additional legislation but are keeping an eye on the domain of AI content creation.
    - Concisely put, material entirely generated by AI is not eligible for #copyright protection, and human authorship is essential for content to be considered copyrightable.
    - While someone can utilize #GenerativeAI to help them author content, things like generating a prompt alone are not sufficient. In reality, the creative contribution of the human being needs to be perceptible in the final work, and the human elements may only be considered as the copyrightable portions of the output. Even descriptive prompts are not enough, as the AI's interpretation and output are inconsistent, unpredictable and lack direct human control.

    Below is the full report, including the previous reports and guidance on this topic.

    - Report on Copyright and Artificial Intelligence - Copyrightability: https://lnkd.in/g967vhNF
    - Report on Copyright and Artificial Intelligence - Digital Replicas: https://lnkd.in/gy64tdrd
    - Copyright Registration Guidance on Works Containing AI Generated Content: https://lnkd.in/eZjy2ptz

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    Recently UnitedHealth revealed that 190 million individuals had their data stolen in their 2024 ransomware attack... It's important that folks take proactive steps to protect themselves from fraud & #IDTheft. Here is a start.

    Shane S. & I created this guide for less technical folks to reduce their personal attack surface and help prevent themselves from being victims of #IdentityTheft, #SocialEngineering attacks and various forms of #CyberFraud. It's great for helping protect family and friends as well.

    The Stolen Data Included:
    - Health insurance information
    - Protected Health Information
    - Billing & Payment Information
    - Phone Numbers & Addresses
    - In some instances, Social Security Numbers

    Given there was not just Protected Health Information stolen but health insurance information, I'd also recommend that folks closely look at all their explanation of benefits (EOB) statements from last year as well as continuously review them on a monthly basis. This will help folks detect potentially fraudulent medical claims.

    (Back Story) - In February 2024, UnitedHealth subsidiary Change Healthcare suffered a massive #ransomware attack, leading to widespread disruption to the United States healthcare system. To date, it is the largest healthcare data breach in US history. BlackCat (ALPHV) used stolen credentials to breach the company's Citrix servers, which did not have multi-factor authentication enforced. After gaining access, BlackCat stole about 6 TB of data. Later UnitedHealth confirmed it paid a ransom to receive a decryptor and to prevent BlackCat from publicly releasing the stolen data.

    #Cyber #Cybersecurity #InfoSec #InformationSecurity

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    Breaking into #cyber can be hard... So, inject your resume with an AI jailbreak to get past HR hiring systems... Just Kidding, Don't Do That! In reality, cheap tricks won't land you a job, but I do have real advice.

    As someone who has built a number of cybersecurity and technology businesses, interviewed hundreds, and built #OffSec teams, #SOC teams and #GRC teams, I'll be hosting a live LinkedIn event with Bob Barrett on Cyber Judo next week to provide real insight to help new folks break into cyber.

    Our session on Cyber Judo will be about the Important Hard Truths About Breaking into #Cybersecurity on Wednesday, February 5th at 6PM ET (link in comments). It will be on LinkedIn Live and we will answer questions in real time as well! Bob is a cybersecurity community leader and educator with over 25 years of experience, who has mentored countless individuals pursuing a career in cyber.

    We'll Discuss in This Session:
    - Common myths about getting started in cybersecurity (and the truth behind them).
    - Practical steps for building skills and experience that stand out.
    - Tips on navigating the challenges of landing your first role.
    - Real-time Q&A with unfiltered answers.

    What's great about Cyber Judo? It's a non-profit cyber education collective that's no bullshit; that means no ads, no sponsors, no selling ebooks, no shilling, no fake-fluencer advice - just folks in #InfoSec talking unfiltered and trying to provide helpful guidance to others in the cyber community.

    On the side tangent about resume injection attacks... #HR teams should be aware that this is a very real thing that's easy to accomplish. One could use something like Inject My PDF, but in reality all it does is insert small invisible text at the top of a resume, which anyone with zero technical skill can do. This is a very practical example of why folks need to be performing #pentesting on their #GenAI and #LLM systems to prevent abuse and potentially serious injection attacks that can compromise an underlying system.

    Also, for wise guys seriously thinking of utilizing this technique, DO NOT INJECT PROMPTS INTO YOUR RESUME; obviously it's abusive, unethical, malicious, and just plain wrong.

    #InformationSecurity #PenetrationTesting #Pentest #RedTeam #BlueTeam

  • View Cyber Judo's organization page

    2,400 followers

    Important Hard Truths About Breaking Into Cybersecurity

    For many, building a career in cybersecurity can feel overwhelming and seem daunting. There's so much information out there, and it's hard to know what's true, what's useful, and what's just noise. That's why we're hosting this conversation: to share honest, practical advice for anyone starting their journey in cybersecurity. This session isn't about sugarcoating; it's about having an honest discussion of the good, the bad and the ugly when working in cybersecurity. If you're just getting started in cybersecurity or considering a career in the field, we'd love to see you there. Join the Cyber Judo team alongside Bob Barrett, a cybersecurity leader and educator with over 25 years of experience, who has mentored countless individuals pursuing a career in cyber.

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    Seemingly everyone and their aunt is a #pentester nowadays. Unfortunately, the term and industry have been watered down by "enhanced vulnerability" scans, and CISO/CIO/CTOs now get generic results & insights...

    It's exhausting to see so much low-quality information being peddled as "expert red team insights"... Beyond that, bad pentesters spread a false sense of confidence that leads to complacency, or are hyperbolic about everything being "critical risk" though they can't practically demonstrate that risk being an issue.

    Here are some tips for organizations trying to identify real cybersecurity partners rather than "professional vulnerability scanning experts".

    1) They will go beyond providing you static reports; if they don't have some dynamic portal which provides means to communicate and collaborate securely in real time, then you will be faced with a manual and clumsy process when requesting retests. Not to mention, you're left with a 1-dimensional report that lacks important real-time metrics like MTTR.
    2) They will not just tell you about vulnerabilities or exploit them, but more importantly provide context beyond the symptoms and identify the root cause that your security posture is attributed to. "Seeing the big picture".
    3) They will provide specific remediation guidance on how to actually fix the problems and not just give you an OWASP cheat-sheet hyperlink as a reference. Are the pentesters you're working with just "professional critics", or do they have a real background in engineering, building and maintaining complex technology systems? The latter will always be someone who can thoroughly advise on a remediation plan rather than talk about hypothetical things and "best practices".
    4) They create open-source tools, guides and content that's truly insightful, as well as engage in responsible offensive security research that's not a hit piece. When I say content, not ambiguous generative AI slop but stuff that's actually actionable.
    5) They provide their expertise to talk to you and your engineers about solving the risks that were identified and don't hesitate to help discover solutions.
    6) They take the time to break down what they did and how they did it in an easy-to-understand format. Illustrated kill-chains and diagrams of recommended security architecture for an environment are especially good.

    What are some other good signs that you folks have noticed which make a good #OffSec partner? Feel free to add anything I missed in the comments, just don't be self-promotional, haha.

    #cybersec #cybersecurity #infosec #pentesting

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    I keep seeing this #GenAI #DeepFake passport across social media, with many scared but few suggesting practical solutions. There are indeed practical solutions, such as Microsoft's Entra Verified ID Face Check.

    Last month, I spoke about this very topic with Suzan Rose on an AIMA - The Alternative Investment Management Association webinar where we covered the rise of GenAI deepfake attacks, but more importantly how to defend against those attacks. (Link for AIMA Members: https://lnkd.in/ghvW_URy)

    The rise in popularity of sophisticated deepfake technology does pose a serious #cybersecurity threat, given the fact the barrier is incredibly low to attempt such attacks. This ranges from deception and market manipulation, employment/hiring fraud, false image/video extortion, impersonating employees, advance wire fraud and more.

    Luckily, there are real solutions out there beyond the GenAI slop blog posts that talk about deepfakes but don't provide any concrete guidance. Microsoft Entra Verified ID, combined with Face Check, can help solve challenges like this for both enterprises as well as smaller firms.

    Face Check can help do things like comparing a live selfie with an image tied to a trusted identity document, such as a driver's license or employee ID. It also creates a chain of trust and identity proof that helps protect the HR department and IT Helpdesk from #SocialEngineering attacks. Oh, and it's already in the Microsoft Authenticator app that's installed on pretty much everyone's phone, so it's very easy to deploy and use for employees.

    Microsoft has done a pretty good job at incorporating open standards such as W3C Decentralized Identifiers (DIDs) and W3C Verifiable Credentials, which are backed by cryptographic proofs, ensuring the authenticity of users. They also have a set of APIs and an SDK for developers to leverage, which makes it easy for small developers to incorporate this technology into their own apps.

    I've personally had a good experience with helping folks implement the Entra ID Governance suite and Verified ID. Maybe Shane S. and I should do a future Cyber Judo webinar on the topic for folks.

    #Cybersecurity #DecentralizedIdentity #DeepfakeProtection #IdentitySecurity #InfoSec #CyberSec

  • Cyber Judo reposted this

    View Christian Scott's profile

    Cyber/GRC/Tech Business Leader, Researcher, Educator & Speaker

    Operational Technology (OT) systems that underpin energy, water, transportation and manufacturing critical infrastructure face unique cyber challenges compared to IT, especially from a supply chain standpoint.

    More often than not, OT systems are built to be robust and deployed for many years, in some instances greater than a decade. So, modern security measures that we often see in IT systems are not present in many OT systems, and organizations frequently need to deploy compensating security controls to protect OT infrastructure.

    Recently, CISA released this joint guide with a handful of other agencies covering important security considerations when procuring OT products and systems. While I don't think there is anything in here that's particularly groundbreaking, I believe pragmatism is a huge element of cybersecurity: practicing the foundational elements very well with a defense-in-depth approach.

    This guide covers the considerations for OT product selection across the following domains:
    - Configuration Management
    - Logging in the Baseline Product
    - Open Standards
    - Ownership
    - Protection of Data
    - Secure by Default
    - Secure Communications
    - Strong Authentication
    - Threat Modeling
    - Vulnerability Management
    - Upgrade and Patch Tooling

    OT security is not just about preventing downtime; it's about protecting the vital infrastructure that supports modern life.

    #OTSecurity #CyberSec #InfoSec #Cybersecurity
