Cybersecurity Education and Learning


A community for the discussion of cybersecurity training, education, learning, certifications and similar. Be nice, no spam!

1

Few areas of cybersecurity measure up against penetration testing in terms of importance and excitement. This activity boils down to finding flaws in computer systems so that organizations can address them proactively and forestall real-world attacks.

A pentester worth their salt should have outstanding tech skills, be a social engineering guru, and have enough confidence to try to outsmart seasoned IT professionals working for large corporations. Pentesters are often referred to as ethical hackers, and for good reason – they need to infiltrate well-secured systems to pinpoint loopholes that black hat hackers could otherwise exploit for nefarious purposes.

2

The MOVEit Attack: 'Human2' Fingerprint

The group behind Cl0p has used a number of vulnerabilities in file transfer services, such as GoAnywhere MFT in January (CVE-2023-0669) and the MOVEit managed file transfer platform in late May and early June (CVE-2023-34362).

Initially, the attackers installed a web shell, named LEMURLOOT, under the file name "human2.aspx" and issued commands to it through HTTP requests carrying the header field "X-siLock-Comment". The advisory from the Cybersecurity and Infrastructure Security Agency also includes four YARA rules for detecting a MOVEit breach.

The attack also leaves behind administrative accounts in associated databases for persistence — even if the Web server has been completely reinstalled, the attackers can revive their compromise. Sessions in the "activesessions" database with Timeout = '9999' or users in the User database with Permission = '30' and Deleted = '0' may indicate attacker activity, according to CrowdStrike.

One hallmark of the MOVEit attack, however, is that often few technical indicators are left behind. The extended success of the Cl0p attack against MOVEit managed file transfer software and the difficulty in finding indicators of compromise show that product vendors need to spend additional effort on ensuring that forensically useful logging is available, says Caitlin Condon, a security manager with vulnerability-management firm Rapid7.
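The database and web-shell indicators quoted above are the kind of thing an analyst turns into a quick triage script. The following is an added example, not code from the post, CISA or CrowdStrike: it builds an in-memory SQLite stand-in for the MOVEit database with constructed rows, runs the two indicator queries, and scans constructed IIS-style log lines for requests to the human2.aspx path. Table and column names (activesessions.Timeout, User.Permission, User.Deleted) follow the post; the session IDs, user names, IP addresses and log lines are made up.

```python
"""Added example: triage helpers for the MOVEit indicators quoted above.

Everything here is constructed for illustration: the in-memory SQLite
tables stand in for the MOVEit Transfer database, and the IIS-style log
lines are made up. Column names follow the indicators in the post
(activesessions.Timeout, User.Permission, User.Deleted).
"""
import sqlite3

# Constructed sample rows. Timeout/Permission/Deleted are stored as text
# because the post quotes the indicator values as strings; adapt the
# literals to the real column types when querying a production database.
ACTIVESESSIONS_ROWS = [
    ("s1", "alice", "60"),
    ("s2", "svc_moveit", "9999"),        # matches the Timeout = '9999' indicator
    ("s3", "bob", "120"),
]
USER_ROWS = [
    ("alice", "30", "0"),                 # known, legitimate administrator
    ("bob", "10", "0"),
    ("olduser", "30", "1"),               # deleted admin, excluded by Deleted = '0'
    ("health_check_service", "30", "0"),  # constructed unexplained admin account
]

# Constructed IIS W3C-style lines (default field order: date time s-ip
# cs-method cs-uri-stem ...). Only the request path is inspected; custom
# headers such as X-siLock-Comment are not present in default IIS logs.
IIS_LOG_LINES = [
    "2023-05-28 00:01:02 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15",
    "2023-05-28 00:01:03 10.0.0.5 GET /index.aspx - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 8",
    "2023-05-28 00:01:04 10.0.0.5 POST /Human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 41",
]


def build_sample_db():
    """Create the two tables the indicators reference and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activesessions (SessionID TEXT, Username TEXT, Timeout TEXT)")
    conn.execute("CREATE TABLE User (Username TEXT, Permission TEXT, Deleted TEXT)")
    conn.executemany("INSERT INTO activesessions VALUES (?, ?, ?)", ACTIVESESSIONS_ROWS)
    conn.executemany("INSERT INTO User VALUES (?, ?, ?)", USER_ROWS)
    return conn


def find_suspicious_sessions(conn):
    """Sessions whose Timeout is the '9999' value CrowdStrike associates with the attack."""
    return conn.execute(
        "SELECT SessionID, Username FROM activesessions WHERE Timeout = '9999'"
    ).fetchall()


def find_suspicious_users(conn, known_admins=frozenset()):
    """Non-deleted accounts with Permission '30', minus administrators you can account for.

    Legitimate administrators match the same pattern, so the result is a
    review list, not a verdict.
    """
    rows = conn.execute(
        "SELECT Username FROM User WHERE Permission = '30' AND Deleted = '0'"
    ).fetchall()
    return [row for row in rows if row[0] not in known_admins]


def find_webshell_requests(log_lines):
    """Log lines whose requested path is the human2.aspx web shell name (case-insensitive)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) > 4 and fields[4].lower().endswith("/human2.aspx"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    print("sessions to review:", find_suspicious_sessions(db))
    print("users to review:", find_suspicious_users(db, known_admins={"alice"}))
    print("web shell requests:", find_webshell_requests(IIS_LOG_LINES))
```

Every match is a candidate for review rather than a confirmed compromise: a long-lived session or an administrator account can be legitimate, which is why the user check takes a roster of known administrators to subtract. Because the post notes that few technical indicators are typically left behind, a clean result from these queries is not evidence of absence; the YARA rules in the CISA advisory and a review of web server logs for the web shell path cover different ground and should be run alongside.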

3

Details at this link: https://owasp.org/www-project-top-10-for-large-language-model-applications/descriptions/

This is a draft list of important vulnerability types for Artificial Intelligence (AI) applications built on Large Language Models (LLMs).

LLM01:2023 - Prompt Injections
Description: Bypassing filters or manipulating the LLM using carefully crafted prompts that make the model ignore previous instructions or perform unintended actions.

LLM02:2023 - Data Leakage
Description: Accidentally revealing sensitive information, proprietary algorithms, or other confidential details through the LLM’s responses.

LLM03:2023 - Inadequate Sandboxing
Description: Failing to properly isolate LLMs when they have access to external resources or sensitive systems, allowing for potential exploitation and unauthorized access.

LLM04:2023 - Unauthorized Code Execution
Description: Exploiting LLMs to execute malicious code, commands, or actions on the underlying system through natural language prompts.

LLM05:2023 - SSRF Vulnerabilities
Description: Exploiting LLMs to perform unintended requests or access restricted resources, such as internal services, APIs, or data stores.

LLM06:2023 - Overreliance on LLM-generated Content
Description: Excessive dependence on LLM-generated content without human oversight can result in harmful consequences.

LLM07:2023 - Inadequate AI Alignment
Description: Failing to ensure that the LLM’s objectives and behavior align with the intended use case, leading to undesired consequences or vulnerabilities.

LLM08:2023 - Insufficient Access Controls
Description: Not properly implementing access controls or authentication, allowing unauthorized users to interact with the LLM and potentially exploit vulnerabilities.

LLM09:2023 - Improper Error Handling
Description: Exposing error messages or debugging information that could reveal sensitive information, system details, or potential attack vectors.

LLM10:2023 - Training Data Poisoning
Description: Maliciously manipulating training data or fine-tuning procedures to introduce vulnerabilities or backdoors into the LLM.

4

TIL the French government may have broken encryption on a LUKS-encrypted laptop with a "greater than 20 character" password in April 2023.

When upgrading TAILS today, I saw their announcement changing LUKS from PBKDF2 to Argon2id.

The release announcement above has some interesting back-of-the-envelope calculations for the wall-time required to crack a master key from a LUKS keyslot with PBKDF2 vs Argon2id.

And they also link to Matthew Garrett's article, which describes how to manually upgrade your (non-TAILS) LUKS header to Argon2id.

5

The cybersecurity awareness trainer role aligns with the NICE Workforce Framework to Oversee and Govern, Protect and Defend, and Securely Provision.

Here are your responsibilities in this role:

  • Train employees and users on how to recognize and prevent email security threats. This includes phishing scams, spoofing, vishing, whaling, and others.

  • Promote organization-wide security awareness. This will apply to in-house and outsourced teams, including employees working from home.

  • Train employees on how to protect against malware attacks like ransomware, spyware, scareware, adware, and keyloggers. This will also cover anti-virus measures.

  • Organize periodic security awareness training to ensure employees adopt security practices. This will also ensure that all personnel are conversant with the latest security threats.

  • Provide real-world threat simulations to reinforce the importance of security awareness in the organization.

  • Establish organization-wide password security and management measures. This includes how often passwords are changed, password format, and the use of multi-factor authentication.

  • Train employees on how to respond to and report incidents.

  • Provide training on acceptable practices for personal and corporate devices, including removable media. Part of this training will cover how to disable autorun on PCs and ensure the IT team scans all removable devices before use.

  • Establish guidelines on social media use. This includes instructions on clicking links and responding to people pretending to be C-Level executives or other fake customer representatives.

  • Train employees on safe internet habits, such as differentiating between secure and unsecured websites, recognizing watering hole attacks, downloading from suspicious sites, and identifying spoofed domains.

  • Provide data management guidelines. This includes the approved storage locations for company data and how to handle data in motion.

  • Develop the Bring Your Own Device (BYOD) policy.

  • Establish physical security measures such as clean desks and office hygiene. This also includes security measures against shoulder surfing, dumpster diving, eavesdropping, tailgating, etc.

6

Google is committing more than $20 million to support the creation and expansion of cybersecurity clinics at 20 higher education institutions across the United States, the company announced on Thursday.

Such clinics rely on university students to provide free cybersecurity services to local institutions. By deploying students to community organizations to improve digital defenses, university cybersecurity clinics aim to give students cybersecurity experience, improve local defensive capacity and steer students toward work in cybersecurity.

“This investment that Google’s made today recognizes the value of experiential training. This is not only important for national security but for economic opportunities and national innovation,” Kemba Walden, the acting national cyber director, said at Thursday’s event announcing the funding. “Cyber clinics provide an on-ramp to cyber careers by enabling students from different backgrounds and majors to learn cyber skills.”

7

Businesses must get better at attracting, supporting, and hiring new cybersecurity talent. Here are eight initiatives launched this year to facilitate entry-level skills development and career opportunities.

  • ThreatX partners with Cyversity, ICIT to offer free cybersecurity training
  • EC-Council launches CCT scholarship to spark new cybersecurity careers
  • (ISC)2 makes entry-level cybersecurity certification free for 20,000 Europeans
  • EU Cybersecurity Skills Academy aims to become entry point for cybersecurity careers
  • Google launches entry-level cybersecurity certificate to teach threat detection skills
  • Upskill in Cyber program returns to aid career changes to cybersecurity
  • Cyber Million program targets one million entry-level cybersecurity jobs
  • ISACA pledges to help grow cybersecurity workforce in Europe

8

Here is a step-by-step guide to reducing your digital footprint online, whether you want to lock down data or vanish entirely.

There's the idea that once something is online, it is immortal, immutable, and almost impossible to contain. The golden rule is simple -- you should not put anything online you wouldn't want your grandmother to see, although sometimes you aren't in control of what gets published.

Abuse, stalking, and bullying may also factor as reasons to erase our digital footprints and seize control of our devices. If you want to take control of your privacy and online data, these are the steps to start with.

9

In this episode of ThreatWise TV, Brandon Stultz and Nick Mavis not only provide a great overview of Snort 3.0, but they also touch on the kind of vulnerabilities that tend to trigger the most Snort signatures.

10

I’m rushing all of a sudden to study up and take the CySA exam before December, when I think it switches to a newer 003 version and my study materials might be out of date. I know that sounds like a long time, but in my hectic life it feels fast!

I’m using Chapple’s book, Dion Training, ITProTV, and some special Udemy courses on things like Wireshark and Nmap. Any other recommendations?

11

Looking for low-cost cybersecurity awareness training for small companies. Ideally it includes some videos, written material, and hopefully a little testing to reinforce learning. The stuff from the major players is expensive!