Ever wondered how safe your digital life really is? Prepare to open your eyes to the unseen dangers lurking in your inbox and online transactions. Welcome to our latest episode of Unmasked, where the superheroes of cybersecurity provide a clearer understanding of the threats we face in our digital world.
About this episode:
In this compelling episode, we dive deep into the ever-present threats of phishing attacks, remote work risks, and take a closer look at the MOVEit platform data breach and its implications for organizations beyond just MOVEit. In addition, we have a very special event on our show. Join us as we welcome our first guest, Assura’s Offensive Security Operations Technical Director, Nick Berrie. We sit down with Nick and discuss the highly anticipated DEFCON 2023 hacker conference. We share our excitement about this unique networking opportunity and the wealth of insights from industry experts. Beyond the business side, we also dish on the fun aspects of DEFCON, from the diverse food scene to the overall Las Vegas experience.
This is your chance to dive into the deep end of cybersecurity. Come hang out with us!
You can subscribe to Unmasked wherever you get your podcasts.
Show notes
Phishing story
Initial Story: Fairfax schools apologizes for sending phishing test to teachers – NBC4 Washington (nbcwashington.com)
Mark’s Comments:
So, I still say it’s valid to test faculty and staff with phishing. But… considering that teachers are overworked and underpaid, it’s not appropriate to trick them with the offer of money. The key aspect of a phishing campaign is, ironically, education for both the users and the administrators; the number of clicks a phishing email gets isn’t as relevant to the process as the number of reports you get about the phishing attempt.
Anyone can fall for a phish given enough time and effort on the side of the threat actor. While the phishing email they sent was realistic, it wouldn’t be out of the realm of possibility for similar phishing emails to come in as teacher retirement accounts, benefits updates, funding programs, etc. Dr. Jessica Barker has an excellent video going over the ethics of phishing campaigns.
Like Dr. Barker says, the point is to educate the staff and get a grasp of your organization’s cybersecurity mindset. If you get a large click rate and low reporting, it’s not that your users are incompetent… they either lack proper cybersecurity awareness or, more likely, they don’t feel comfortable asking the IT/security group whether something is or isn’t a phishing email. A phishing campaign is the perfect opportunity to learn if your staff likes interacting with your IT or security group. If your staff feels that they won’t receive help or will get belittled for asking a simple question… well, then you’ve learned a lot more about your security posture. If the staff isn’t reporting something as simple as a suspicious email, then they probably aren’t reporting any suspicious activity or issues on work computers or other systems either, so work with the staff and make sure that your users are comfortable asking “Is this email real or not?” because you might end up getting a call that blocks something before it turns into a nightmare.
Malicious employee story
The initial story also cites the Florida incident, and Cisco had a similar issue…
Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs (bleepingcomputer.com)
Offboard your staff; don’t just fire people and hope that someone drops the access. Don’t let staff rig up a system so they can work remotely without supervision or controls. Working remotely is a good thing; Assura is a 100% remote workforce. But the most important thing about working remotely is the same as working onsite… don’t let people walk away with the keys to the building. It’s the exact same thing: you wouldn’t let a random person just keep some house keys, would you? Take the time to establish a system with Management, HR, and IT so that nobody can just log in and wreck the place.
If you don’t have systems in place to stop someone from doing the wrong thing… it’s only a matter of time.
MOVEit Story
Please take the time to read John Hammond’s blog post over at Huntress.
We’re going to be talking about MOVEit for the rest of the year, most likely. It’s bad, it hit a ton of organizations, and a lot of those orgs are going to have tons of users/clients affected by this.
Make sure you look at the IOAs and remember to patch.
Defcon Note:
Defcon isn’t the wild west anymore. You don’t need a “burner” and you probably aren’t going to be robbed… by con attendees anyway; I mean, it’s Vegas.
What to bring:
- Water bottle
- Reasonable amount of tech
  - phone
  - laptop
- a little bit of cash
- deodorant
- good shoes
- good attitude
The vast majority of people who are going will be safe if they follow the cybersecurity awareness tips we hand out every day on the job.
- Don’t plug into anything weird or suspicious.
- Don’t scan anything weird or suspicious.
- Don’t click anything weird or suspicious.
- Don’t hand or take anything to/from someone weird or suspicious.
- Don’t eat or drink anything weird or suspicious.
Ok, that last one isn’t cyber related… but it still applies to life.
Yes, some people are creeps and will attempt to creep on people… but that’s society as well, not just Defcon. Just be smart and don’t do anything that would be in a basic cybersecurity “what not to do” compliance video and you’ll be fine.
Networking at events like this is fun and has a ton of value, you’ll meet people with the same interests and be able to share skills all over the place.
What not to do:
- Try and be a ghost. (Use your name… your real name and LinkedIn.)
- Try and be the smartest in the room. (Defcon is after Blackhat… I wouldn’t try your “NSA Hacker” story in the wrong room.)
- Be shy. (Defcon has a diverse population of people from all over the world and from all backgrounds.)
- Be afraid to fail. (It’s Defcon, buddy; if you think you’re an apex hacker or lockpicker… yeah, someone is there to educate you. And that’s what makes it fun!)