Gaya M's Posts (81)

Unveiling Security Gaps: From Vulnerabilities to Unauthorized Access

 

This excerpt walks through a chain of security gaps the speaker found during an engagement he was invited to run: a default password on a monitoring application, a zero day, an application that returned real credentials to the browser behind a masked field, and an SNMP community string that opened up a Cisco switch. The initial point of entry is withheld for confidentiality. The rest of the chain shows how little stood between that foothold and the customer data.

 

 

Here is the verbatim discussion:

Accomplishment: you know how I like my diagrams. I will not tell you about the initial point of entry, because that would be a bit too revealing, and again I don't want to say enough to get myself in trouble, so I won't talk about that. But number two, number two: default password for an application on a server that is meant to monitor other applications. Three: zero day, what can you do? Now, with good application design, when you pass the configuration back to the UI so that the engineer or technician can look at it or maybe change it, you're not supposed to pass credentials. If you right-click and say Inspect, the asterisks should still be asterisks. Not in this app: once you do Inspect or View Source, you get to see the actual credentials. [Had a] read community string; number four, it was shared with the write community string. This is a Cisco switch, right? No zoning, no hardening. I was invited, by the way, so you know. No governance, no compensating controls, right? I got all the customer data, including OTP seeds, and what did I do with it? Wouldn't you like to know. Again, I was invited, so nothing too exciting, but still it's an…

 

 

Highlights:

Initial Entry Point: The speaker withholds how he first got in. Everything that follows is what an attacker can reach once any foothold exists, which is why the controls below matter independently of the entry point.

Default Password: Item two was a default password on an application whose job was to monitor other applications on the server. A management or monitoring tool still on vendor-default credentials is an easy pivot, and changing those credentials is the cheapest control on this list.

Zero Day and Credentials in the UI: Item three was a zero day, for which the speaker's verdict is "what can you do." The more avoidable flaw sat next to it: when the application passed its configuration back to the UI for an engineer to view or edit, it included the real credentials. The password field showed asterisks, but Inspect or View Source revealed the values. A server should never send stored secrets to the browser; masking on the client is not redaction.

SNMP Community String and Network Hardening: Item four was a read community string that was the same as the write community string on a Cisco switch, with no zoning and no hardening. Anyone who could read the device could also reconfigure it, and nothing on the network limited who could reach it.

Lack of Governance and Controls: There was no governance and no compensating control between the foothold and the customer data, which included OTP seeds. The engagement was authorised ("I was invited"), so the data was not misused, but the same path would have been open to anyone else who found it.

 

In conclusion, this narrative underscores the critical importance of basic security hygiene: eliminate default passwords, never return stored secrets to the browser, use distinct SNMP read and write community strings and restrict who can reach management interfaces, and put governance and compensating controls between any single foothold and customer data. None of these is exotic, and together they would have broken this chain well before the OTP seeds.
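The credential leak in item three is worth seeing in code. The following is an added example, not code from the talk or from the application the speaker tested: it models a server that returns configuration to a UI, in the flawed form (the whole record goes to the browser and the UI draws asterisks) and in the corrected form (secrets are replaced server-side and a submitted placeholder means "leave the stored secret alone"). It also includes the two checks a reviewer would run: scan a response for secrets that reached the client, and flag credentials still at a vendor default (item two). Field names, the sample configuration and the default-credential list are constructed for the demonstration.

```python
"""Keeping stored credentials out of configuration responses (added example)."""
import copy
import json
import re

# Keys whose values are secrets. The pattern is an assumption for the demo.
SENSITIVE = re.compile(r"(password|passwd|secret|community|token|api[_-]?key)", re.I)
PLACEHOLDER = "********"      # what the browser is allowed to see

# Constructed: a monitoring application's stored configuration.
STORED_CONFIG = {
    "poll_interval": 60,
    "targets": [{"host": "switch-01", "snmp_community": "public"}],
    "db": {"user": "monitor", "password": "monitor"},
}

# Constructed: vendor defaults a deployment checklist should have changed.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("monitor", "monitor"), ("root", "")}


def vulnerable_config_response(config):
    """The flawed pattern: serialise the whole record and let the UI mask it."""
    return json.dumps(config)


def safe_config_response(config):
    """Replace every secret with PLACEHOLDER before the record leaves the server."""
    def redact(node):
        if isinstance(node, dict):
            return {k: (PLACEHOLDER if SENSITIVE.search(k) and isinstance(v, str) else redact(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [redact(item) for item in node]
        return node
    return json.dumps(redact(config))


def apply_config_update(stored, submitted):
    """Merge an edited config back. A submitted PLACEHOLDER means 'unchanged':
    keep the stored secret instead of overwriting it with asterisks."""
    merged = copy.deepcopy(stored)

    def merge(dst, src):
        for key, value in src.items():
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge(dst[key], value)
            elif isinstance(value, list) and isinstance(dst.get(key), list):
                for d, s in zip(dst[key], value):
                    if isinstance(d, dict) and isinstance(s, dict):
                        merge(d, s)
            elif SENSITIVE.search(key) and value == PLACEHOLDER:
                continue                      # untouched secret: keep the stored value
            else:
                dst[key] = value
    merge(merged, submitted)
    return merged


def leaked_secrets(response_body):
    """The view-source check: (key, value) pairs of secret fields that reached
    the client unredacted. Empty list means the response is clean."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if SENSITIVE.search(key) and isinstance(value, str) and value != PLACEHOLDER:
                    found.append((key, value))
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(json.loads(response_body))
    return found


def default_credentials_in_use(config):
    """Item two on the speaker's list: (user, password) pairs still at a vendor default."""
    hits = []

    def walk(node):
        if isinstance(node, dict):
            user, pw = node.get("user"), node.get("password")
            if user is not None and pw is not None and (user, pw) in DEFAULT_CREDENTIALS:
                hits.append((user, pw))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(config)
    return hits
```

Run `leaked_secrets` against every JSON response your configuration endpoints produce in a test suite; the vulnerable handler above fails it on both the database password and the SNMP community string, while the redacting handler passes and still lets an engineer change a non-secret setting without clobbering the stored secrets.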

 

Speaker:

Gregory Pickett is a renowned expert in the field of cybersecurity, currently serving as the Head of Cybersecurity. With extensive experience in identifying and mitigating security threats, Pickett is recognized for his deep understanding of both offensive and defensive cybersecurity strategies.

His leadership and insights have been instrumental in safeguarding digital assets and ensuring robust security protocols across various organizations.

 

https://www.linkedin.com/in/gregpickettcisspgciagpen/

 
 
 

Prioritizing Understanding Over Tools: A Fundamental Approach to Cybersecurity

 

This discussion emphasizes the importance of prioritizing understanding and proactive measures over relying solely on tools in addressing cybersecurity challenges. It underscores the necessity of comprehending potential attacks specific to an organization's architecture and attack surface before implementing solutions.

 

 

Here is the verbatim discussion:

Find... okay, fundamentals are still important. You must understand the problem: what type of attacks, given your architecture, given the attack surface, the architecture, what type of attacks could potentially happen? What would it look like on your network? What would see it? Can you see it? Only then would you understand the problem. After you understand the problem, then you can go looking for tools, right, that could see it. Make the tools then fit your environment and not the other way around, which is how it ends up happening when you just buy things and slap it on, right? To understand that solution, the tools become secondary; you begin to realize that open source does a really good job. Instead, they have a tendency to buy products or services to solve the problem. So understand the, the, the, you know, the attacks we might see against the user, how we would detect that. Let's just slap EDR on there. Let's not understand attacks against the network and how we might protect it and respond; let's just slap...

 

 

Highlights:

Understanding the Problem: The speaker emphasizes the critical need to understand the nature of security problems and potential attacks that could target an organization's architecture and attack surface. By gaining clarity on potential threats, organizations can better prepare to detect and respond to them effectively.

Proactive Detection and Response: Rather than solely relying on tools, the focus is on proactively identifying potential attacks and implementing measures to protect and respond to them. This approach involves considering how attacks would manifest on the network and what indicators would signal their presence.

Tools as Secondary Solutions: The discussion challenges the common practice of purchasing tools as the primary solution to cybersecurity challenges. Instead, it advocates for understanding the problem first and then selecting or developing tools that align with the organization's specific needs and environment.

 

In conclusion, prioritizing understanding and proactive measures over tools is essential for effective cybersecurity. By comprehending potential attacks, detecting them proactively, and selecting or developing tools accordingly, organizations can strengthen their security posture and effectively mitigate cyber threats. This approach fosters a more holistic and tailored response to cybersecurity challenges, ensuring resilience in the face of evolving threats.

 


 
 
 
 
 
 
 
 

Stories From The Web3 Battlefield: Flooding the Market to Dump Tokens

 

This post covers a governance attack on a decentralized autonomous organization (DAO) in February. Like many DAOs, it was run by a governance token: holding tokens is holding votes, and the more you hold the more say you have. Its owners held only a nominal controlling stake, so an attacker could buy enough tokens on the open market to outvote them and pass a proposal that worked against the organization.

 

 

Here is the verbatim discussion:

February. It is, in fact, if you know the parlance there, a decentralized autonomous organization, I think I pronounced that word right. This was a governance attack on that decentralized autonomous organization. Now, DAOs have a governance token; essentially you buy a token, it's buying votes: the more tokens you have, the more votes you have and the more say you have in the operations of the organization. Apparently the owners of the DAO, well, their owner, they nominally owned it, meaning they just barely did; they didn't have a sufficient stake really to hold it, right? So should anyone want to buy more tokens and increase their share, it wasn't too hard to increase their share to the point where they owned more than the current owner. That's why I said nominal, because it was just barely. They were able to buy enough of the governance token, outvote them, [pass a] proposal, mint more of the governance token and then sell it on the open market to the point where it destroyed the value of the governance token, screwed up a lot of people, lots of different contracts, including Aqua at that time, due to the flooding of the market by the Aqua token. All right, so again a diagram here: so you increase your stake. If you're the attacker, you then obviously have more than the existing stakeholders; you can then outvote everyone. In this case the proposal was to mint Aqua; they minted a lot of it, I think 20 million tokens. Now, when I see these sorts of events, what I see most of the time is someone then taking the minted token and running it back through the contract, because in order to get Aqua you have to give some other token, USDT or ether. So if you put in USDT or ether to get out your Aqua, well, there's then the ether or USDT sitting in there, so you would take the token, in this case Aqua, and send it back through the contract to empty that other side, empty the ether side, the USDT side. They did not do that. They went ahead and took the Aqua and started selling it on secondary markets, flooding those secondary markets. The value of Aqua tanked, and again, just upsetting quite a number of other secondary markets due to that, the hack. Again, so: increase your stake.

 

 

Highlights:

Governance Token Attack: The nominal owners held only a thin controlling stake, so the attacker could buy enough governance tokens on the open market to outvote them. With the votes in hand they passed a proposal to mint roughly 20 million Aqua tokens to themselves.

Impact of Token Flooding: The usual play after a mint like this is to run the new tokens back through the contract and drain the USDT or ether on the other side. Instead, the attackers sold the Aqua on secondary markets, which crashed its price there and disrupted the other contracts and markets that depended on it.

Lessons Learned: A DAO whose controlling stake can be bought for less than the treasury it controls is one proposal away from being drained. The controls that matter are the ones that make a single proposal slower and smaller than the takeover: a voting threshold the attacker cannot reach by simply outbidding the founders, a timelock between a passed proposal and its execution so other holders can react, and a cap on how much one proposal can mint.

 

The attack is a reminder that in a token-weighted DAO, control is for sale at the price of the tokens, and a treasury worth more than that price is an invitation. Proposals that can mint without limit and execute the moment they pass leave no time to react. DAOs that want to survive this class of attack need voting thresholds, timelocks and mint limits sized against the cost of a takeover, and monitoring that notices a large stake being accumulated before the proposal lands.
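To make the arithmetic of "nominal ownership" concrete, here is an added example, not the attacked DAO's contract: a minimal vote-by-balance governance with one proposal type, minting tokens to the proposer. The holder names and balances are constructed so that the founders hold the largest single stake but well under half the supply, as in the story; the 20 million mint mirrors the narrative. The quorum, timelock and mint-cap parameters are the controls this incident argues for, not features the attacked DAO had, and the scenario function replays the attack against each of them.

```python
"""Token-weighted governance takeover (added example)."""
from dataclasses import dataclass, field


class GovernanceError(Exception):
    pass


@dataclass
class Proposal:
    action: str
    amount: int
    proposer: str
    created_at: int          # block number
    yes: int = 0
    no: int = 0
    voted: set = field(default_factory=set)
    executed: bool = False


@dataclass
class Governance:
    balances: dict               # holder -> governance-token balance
    quorum_bps: int = 0          # share of supply that must vote, basis points
    timelock_blocks: int = 0     # blocks between proposal and execution
    max_mint_bps: int = 0        # cap on one mint as a share of supply; 0 = uncapped

    @property
    def supply(self):
        return sum(self.balances.values())

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise GovernanceError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self, who, action, amount, block):
        return Proposal(action, amount, who, block)

    def vote(self, p, who, support):
        """Weight is the voter's balance when voting (no snapshot)."""
        if who in p.voted:
            raise GovernanceError("already voted")
        p.voted.add(who)
        if support:
            p.yes += self.balances.get(who, 0)
        else:
            p.no += self.balances.get(who, 0)

    def execute(self, p, block):
        if p.executed:
            raise GovernanceError("already executed")
        if block < p.created_at + self.timelock_blocks:
            raise GovernanceError("timelock")
        if (p.yes + p.no) * 10_000 < self.quorum_bps * self.supply:
            raise GovernanceError("quorum")
        if p.yes <= p.no:
            raise GovernanceError("rejected")
        if p.action == "mint":
            if self.max_mint_bps and p.amount * 10_000 > self.max_mint_bps * self.supply:
                raise GovernanceError("mint cap")
            self.balances[p.proposer] = self.balances.get(p.proposer, 0) + p.amount
        p.executed = True


def tokens_to_outvote(balances, opposing):
    """Smallest balance that beats the combined weight of the holders expected to vote no."""
    return sum(balances[h] for h in opposing) + 1


def takeover_scenario(quorum_bps=0, timelock_blocks=0, max_mint_bps=0, late_no_voters=()):
    """Replay the attack against a DAO with the given controls.
    Returns (executed, attacker_balance, outcome)."""
    gov = Governance({"founders": 300, "public_a": 200, "public_b": 200, "public_c": 250,
                      "attacker": 0}, quorum_bps, timelock_blocks, max_mint_bps)
    need = tokens_to_outvote(gov.balances, ["founders"])          # 301 of 950 tokens
    # Buying on the open market is modelled as transfers from public holders.
    bought = 0
    for seller in ("public_a", "public_b"):
        take = min(need - bought, gov.balances[seller])
        gov.transfer(seller, "attacker", take)
        bought += take
    p = gov.propose("attacker", "mint", 20_000_000, block=1)
    gov.vote(p, "attacker", True)
    gov.vote(p, "founders", False)
    # Other holders only get to react if a timelock gives them a window.
    if timelock_blocks > 0:
        for h in late_no_voters:
            gov.vote(p, h, False)
    try:
        gov.execute(p, block=1 + timelock_blocks)
        return True, gov.balances["attacker"], "executed"
    except GovernanceError as e:
        return False, gov.balances["attacker"], str(e)
```

Note what the scenario shows: a quorum alone does not help, because the attacker and the founders together easily clear it; the controls that actually stop the mint are a cap on what one proposal can create and a timelock long enough for the other holders to vote against it.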

 


 
 
 
 

Breaches in Decentralized Systems: Exploiting DAOs and Hot Wallets

 

This post covers two breaches in decentralized systems. The first is the governance attack on a DAO described in the previous post: because the owners held only a nominal controlling stake, an attacker could buy more governance tokens than they held, outvote them, and pass a proposal to mint Aqua and flood the market with it.

The second is a personal experience the speaker had not previously made public: a hot wallet drained by a trusted engineer who abused the privileges that trust had earned them. With no privileged access management and no compensating controls, logging in to the node that held the hot wallet was all it took.

 

 

Here is the verbatim discussion: 

By buying votes: the more tokens you have, the more votes you have and the more say you have in the operations of the organization. Apparently the owners of the DAO, well, their owner, they nominally owned it, meaning they just barely did; they didn't have a sufficient stake really to hold it, right? So should anyone want to buy more tokens and increase their share, it wasn't too hard to increase their share to the point where they owned more than the current owner. That's why I said nominal, because it was just barely. They were able to buy enough of the governance token, outvote them, [pass a] proposal, mint more of the governance token and then sell it on the open market to the point where it destroyed the value of the governance token, screwed up a lot of people, lots of different contracts, including Aqua at that time, due to the flooding of the market by the Aqua token. All right, so again a diagram here: so you increase your stake. If you're the attacker, you then obviously have more than the existing stakeholders; you can then outvote, right. All right, so now some personal experience. This personal experience is not public, at least not until today. So I have three events, and being that they're not public, I will be sharing with you just enough to not get myself in legal trouble, or anybody else for that matter. The first hack here involved a hot wallet. Someone abused their privileges; someone was trusted, abused that trust and the privileges they were given because they're trusted, right? There was no privileged access management, as you can imagine, but there were also no compensating controls. The person was able to just log in to the node with the hot wallet and transfer the [funds] out of the hot wallet, draining the hot wallet. Very simple hack, if you can call it that: trusted engineer logs in, sends the money away. I won't do any reimagining.

 

 

Highlights:

DAO Governance Breach: By accumulating more governance tokens than the nominal owners held, the attacker could outvote everyone and pass a proposal to mint Aqua. Selling the minted tokens destroyed the governance token's value and damaged other contracts that depended on it.

Hot Wallet Exploitation: A trusted engineer logged in to the node holding the hot wallet and sent its funds away. There was no privileged access management and no compensating control, so nothing required a second person, limited the amount, or raised an alert; the transfer looked like an ordinary privileged action because that is exactly what it was.

 

These incidents shed light on the vulnerabilities present in decentralized systems. From governance token exploits to hot wallet breaches, it's evident that robust security measures, including access management and continuous monitoring, are crucial for safeguarding decentralized platforms against malicious actors. By learning from these breaches, the community can strengthen security protocols and mitigate future risks effectively.
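The hot wallet story is a case where the missing control is easy to name and easy to build. What follows is an added example, not the exchange's code: a policy layer that sits between any logged-in operator and the signing key, with a destination allowlist, dual approval above a threshold, a rate limit on the single-approver path, and an audit record for every decision, including denials. The addresses, limits and actors are constructed; the scenario replays the speaker's trusted engineer trying to drain the wallet.

```python
"""Compensating controls in front of a hot wallet signer (added example)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowlist: set                 # destinations funds may ever go to
    single_approver_limit: int     # above this, extra approvers are required
    required_approvers: int        # distinct approvers other than the requester
    window_seconds: int            # rate-limit window for single-approver transfers
    window_limit: int              # total allowed in that window


@dataclass
class HotWallet:
    balance: int
    policy: Policy
    recent: deque = field(default_factory=deque)   # (timestamp, amount) single-approver sends
    audit: list = field(default_factory=list)

    def spent_in_window(self, now):
        cutoff = now - self.policy.window_seconds
        while self.recent and self.recent[0][0] <= cutoff:
            self.recent.popleft()
        return sum(amount for _, amount in self.recent)

    def evaluate(self, requester, dest, amount, approvers, now):
        pol = self.policy
        if amount <= 0 or amount > self.balance:
            return "denied: amount"
        if dest not in pol.allowlist:
            return "denied: destination not allowlisted"
        others = set(approvers) - {requester}       # nobody approves their own request
        if amount > pol.single_approver_limit:
            if len(others) < pol.required_approvers:
                return "denied: needs %d approvers" % pol.required_approvers
            return "ok"
        if self.spent_in_window(now) + amount > pol.window_limit:
            return "denied: rate limit"
        return "ok"

    def transfer(self, requester, dest, amount, approvers, now):
        decision = self.evaluate(requester, dest, amount, approvers, now)
        # Logged whether or not it goes through: a run of denials from one
        # account is the detection signal the speaker says was missing.
        self.audit.append((now, requester, dest, amount, tuple(sorted(approvers)), decision))
        if decision == "ok":
            self.balance -= amount
            if amount <= self.policy.single_approver_limit:
                self.recent.append((now, amount))
        return decision


def demo_wallet():
    """Constructed wallet and policy used by the scenario below."""
    policy = Policy(allowlist={"cold_storage", "exchange_settlement"},
                    single_approver_limit=10_000, required_approvers=2,
                    window_seconds=3600, window_limit=50_000)
    return HotWallet(balance=1_000_000, policy=policy)


def insider_scenario():
    """The trusted engineer tries to drain the wallet; returns (decisions, balance)."""
    w = demo_wallet()
    out = [
        w.transfer("engineer", "engineer_personal", 1_000_000, ["engineer"], now=0),
        w.transfer("engineer", "cold_storage", 1_000_000, ["engineer"], now=1),
        w.transfer("engineer", "cold_storage", 1_000_000, ["engineer", "ops2"], now=2),
    ]
    # Six routine payouts inside one hour: the sixth trips the rate limit.
    for i in range(6):
        out.append(w.transfer("engineer", "exchange_settlement", 9_000, ["engineer"], now=10 + i))
    # A legitimate sweep to cold storage with two independent approvers.
    out.append(w.transfer("engineer", "cold_storage", 500_000, ["ops2", "sec1"], now=100))
    return out, w.balance
```

The design point is that the engineer's login is not the decision: the policy decides, and the policy cannot be satisfied by one person. In a real deployment the `approvers` list would be backed by signatures from separate key holders, and the audit list would be shipped off the node so that the person being audited cannot edit it.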

 


 
 
 
 
 

Insights from a Hacker: Manipulating Cryptocurrency Prices and Cybersecurity Journey

 

 

In today's session, Gregory Pickett, founder and head of cybersecurity operations for Hellfire Security, shares his stories from the Web3 battlefield. He has presented research at over 17 international conferences, spoken six times at DEF CON and three times at Black Hat, and holds the CISSP, GCIA and GPEN. Attendees are encouraged to post questions in the chat box for Gregory to address during or after the session.

 

Here is the verbatim discussion:

Globally, today's session is on Stories from the Web3 Battlefield: A Hacker's Point of View, by Gregory Pickett. Gregory Pickett is a Black Hat USA speaker, CISSP, GCIA, GPEN. He is the founder and head of cybersecurity operations for Hellfire Security. He has presented research at over 17 international conferences; he is a six-time speaker at DEF CON and a three-time speaker at Black Hat. We request all attending members to please post questions throughout the session in the chat box, and we'll address those questions to the speaker from time to time or at the end of the session. Thank you, Gregory, for joining us today. I would request you to take it forward from here; I will assist with the Q&A towards the end. Thank you. [...] We had some technical [...] pool. Now, this particular price oracle was using the balance in the liquidity pool to determine the price, right? So if you have less of one token on one side, say you put your USDT in there and you take out your Nua, you have less Nua, and according to the law of scarcity, Nua, being more scarce, is more valuable, right? So by pushing USDT into that pool, you pull Nua out; Nua becomes more valuable, right? You distorted that exchange rate in that instance. And then of course, if you have a very favorable exchange rate at that point in time, right, if you have Nua already, you can then trade that in the other direction to get more USDT than you normally would have, if, right, that pricing oracle was that manipulable, right; it was basing the price on just that liquidity pool balance. This happened to be a case just like that: someone put USDT in, took out the Nua; due to the law of scarcity Nua is now more valuable, the value of Nua goes up. If you happen to get Nua at the going rate from another source, right, for the price that is more reasonable, at least the market might consider more reasonable, at that lower price, the original price before was lower; now you've got a particular exchange, though, that is trading it higher now because of the manipulation, and you run your Nua back through that to pull USDT out, more now than you would have gotten, because of the [distorted] exchange rate.

 

Highlights:

Manipulation of Cryptocurrency Prices: Gregory describes an attack on a price oracle that read the price of Nua straight from the balance of one liquidity pool. Pushing USDT into the pool and pulling Nua out made Nua scarcer in the pool, so the reported rate jumped. The attacker, holding Nua bought elsewhere at the ordinary price, then ran it back through the contract that trusted this rate and drew out more USDT than the Nua was worth anywhere else.

 

Gregory's insights shed light on the strategies and tactics employed by hackers in the Web3 landscape. By understanding the vulnerabilities in systems like liquidity pools and pricing oracles, cybersecurity professionals can better defend against such attacks. The session underscores the importance of vigilance and proactive security measures in safeguarding digital assets and maintaining trust in the evolving world of cryptocurrency and decentralized finance (DeFi).
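The mechanics of the Nua manipulation, as an added example that is not the attacked protocol's code. `Pool` is a Uniswap-v2 style constant-product pool with a 0.3% fee whose `spot()` is the manipulable oracle (the reserve ratio at the moment of the call). `treasury_redeem` stands in for the second contract the speaker describes, the one that pays out USDT for Nua at whatever price the oracle reports. The reserve sizes, the attacker's starting position and the block numbers are constructed. The TWAP variant goes beyond the story to show the standard fix: a time-weighted average price cannot be moved within the block in which the manipulation happens, and moves very little in the next.

```python
"""Spot-price oracle manipulation against a constant-product pool (added example)."""
from fractions import Fraction


class Pool:
    def __init__(self, usdt, nua, block=0):
        self.usdt, self.nua = usdt, nua
        self.last_block = block
        self.cumulative = Fraction(0)     # sum of spot price * blocks elapsed

    def spot(self):
        """USDT per Nua, read straight from reserves: the manipulable oracle."""
        return Fraction(self.usdt, self.nua)

    def _accumulate(self, block):
        # Uniswap-v2 style: fold in the price that held since the last update.
        self.cumulative += self.spot() * (block - self.last_block)
        self.last_block = block

    def swap(self, token_in, amount_in, block):
        """Constant-product swap with a 0.3% fee; returns the integer amount out."""
        self._accumulate(block)
        r_in, r_out = (self.usdt, self.nua) if token_in == "USDT" else (self.nua, self.usdt)
        with_fee = amount_in * 997
        out = with_fee * r_out // (r_in * 1000 + with_fee)
        if token_in == "USDT":
            self.usdt, self.nua = self.usdt + amount_in, self.nua - out
        else:
            self.nua, self.usdt = self.nua + amount_in, self.usdt - out
        return out

    def twap(self, snap_cumulative, snap_block, block):
        """Time-weighted average price between a snapshot and `block`."""
        self._accumulate(block)
        return (self.cumulative - snap_cumulative) / (block - snap_block)


def treasury_redeem(nua_amount, price):
    """The victim contract: pays USDT for Nua at the oracle price, rounded down."""
    return int(nua_amount * price)


def spot_oracle_attack():
    """Push USDT in, redeem Nua at the inflated spot price, unwind the pool
    position in the same block. Returns the key figures."""
    pool = Pool(usdt=1_000_000, nua=1_000_000)
    usdt, nua = 500_000, 100_000        # the Nua was bought elsewhere at the fair price of 1
    got_nua = pool.swap("USDT", usdt, block=100)
    usdt = 0
    inflated = pool.spot()              # now well above 1
    paid = treasury_redeem(nua, inflated)
    usdt += paid
    usdt += pool.swap("NUA", got_nua, block=100)
    return {"inflated_price": inflated, "treasury_paid": paid,
            "attacker_usdt_end": usdt, "attacker_start_value": 500_000 + 100_000}


def twap_oracle_attack():
    """Same manipulation, but the treasury prices Nua with a TWAP since block 0."""
    pool = Pool(usdt=1_000_000, nua=1_000_000)
    snap_cum, snap_block = pool.cumulative, pool.last_block
    pool.swap("USDT", 500_000, block=100)
    same_block = treasury_redeem(100_000, pool.twap(snap_cum, snap_block, block=100))
    next_block = treasury_redeem(100_000, pool.twap(snap_cum, snap_block, block=101))
    return {"same_block_payout": same_block, "next_block_payout": next_block}
```

With the spot oracle the treasury pays out more than double the fair value for the attacker's 100,000 Nua, and after unwinding the pool position the attacker is well ahead of the 600,000 USDT of value they started with; the fee is the only cost. With the TWAP the same swap buys nothing in the same block and a little over one percent in the next, which is less than the fees paid to move the pool, so the trade does not pay.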

 


 
 

Understanding Defensive Measures and Exploits in Contract Security

 

 

This post gives a hacker's view of defensive measures: the speaker's constant concern while attacking is whether anyone will see what he is doing and, if they do, whether they can act on it. It then turns to the Tendery hack, a variation on price oracle misconfiguration in a DeFi platform in which one token's decimal scaling was handled wrongly, and looks at what that meant for contract security.

 

 

Here is the verbatim discussion:

...successful, but I'm also concerned on whether or not someone is going to see anything, and if they see anything, can they do something about it. So that's my view constantly when I'm hacking, and so I look at this the exact same way: what could they have seen, what could they have done to stop me if this was me? So the first thing, as a defender on that side, I would, you know, be wondering if they are emitting events, right. So the thing they could have been doing then is emitting events, emitting, in this case, exchange rates. Also they could have been monitoring for large changes in that exchange rate. That's what I'd be worried about as a hacker, right. And of course they also [...] that threat. Another hack, the Tendery hack, earlier in March, a DeFi platform. Now this is actually a variation, a price oracle misconfiguration, another publicly known event. Now in Solidity the decimal point is not explicit or strictly defined; it is implicit or understood. Essentially the owner decides where the decimal place will be and they handle it accordingly. If you have, let's say, this is very simplified again, a number with 10 places, and the number is one, eight, and then eight zeros, right, with the decimal point at the second place, that's quite a different number than 1, eight and eight zeros; it's much larger. Now throughout this contract the numbers were being handled correctly, right, handled with the decimal place where the owner wanted it to be, all except for the GMX token. It was not. So one GMX token, because of the decimal point not being handled properly, being handled at the second place or wherever it was supposed to be, one token was worth, because that's the variable it was, without the decimal point, the value of the GMX token was worth, as an example, 1, eight and eight zeros. That's a large number. Now the actual number was much bigger, and in fact this contract saw the value of one GMX token being worth more than all the Bitcoin currently in circulation. Yes, the GMX token was very much overvalued according to the contract. Now the GMX token was being used as collateral for a loan, so obviously, it being very valuable, you could borrow a lot. There you go, I like my diagrams. So one GMX token: essentially they were able to borrow all of the ether in the contract. I don't think it was all of it, but for all intents and purposes, why not, yes, all of it.

 

 

Highlights:

Hacker's Perspective on Defensive Measures

  • Monitoring and Detection: Every time the speaker attacks a system he asks the same two questions: could anyone have seen this, and could they have done anything about it?
  • What the defenders could have done: In the oracle case, emit events for the exchange rate and alert on large moves in it. A swap that shifts the rate by a large multiple in one block is the attacker's footprint, and it is the signal the speaker says he would worry about most.

Tendery Hack: Price Oracle Misconfiguration

  • Event Overview: The Tendery hack, in March, was a variation of price oracle misconfiguration on a DeFi platform: one token, GMX, was valued with its decimal scaling wrong.
  • Solidity Decimal Handling: Solidity has no decimal type. Token amounts are integers, and where the decimal point sits is a convention the developer applies by hand. Everywhere else in the contract that convention was applied correctly; for GMX it was not, so the contract valued one GMX at an absurd figure (the speaker's comparison is more than all the Bitcoin in circulation). GMX was accepted as loan collateral, so a single token let the attacker borrow essentially all the ether the contract held.

 

The insights shared in this blog shed light on the ongoing battle between hackers and defenders in the digital realm. By understanding defensive measures from a hacker's perspective and examining real-world exploits like the Tendery hack, we gain valuable insights into the vulnerabilities inherent in contract security. It is imperative for defenders to enhance their monitoring and response capabilities to detect and mitigate such threats effectively. Through proactive measures and continuous improvement in security practices, the crypto ecosystem can strive towards greater resilience and trustworthiness.
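The decimals mistake is a one-line configuration error with an unbounded consequence, so it is worth modelling. The following is an added example, not the attacked protocol's code. Amounts are integers in base units, prices are integers with 8 decimals, and USD values are carried with 18 decimals; those scales are assumptions for the demo. The bug is one entry in a hand-maintained table: GMX's decimals are wrong, so one GMX token is valued as if it were 10**18 tokens. The token list, prices, pool size and caps are constructed. The hardened version adds the two checks a reviewer would ask for: reconcile the table against what the token contracts report, and refuse any single position whose valuation is implausible no matter what the oracle says.

```python
"""Decimal scaling in collateral valuation, modelled on the Tendery case (added example)."""
PRICE_DECIMALS = 8
VALUE_DECIMALS = 18

# What the token contracts themselves report via decimals() (constructed).
ONCHAIN_DECIMALS = {"USDT": 6, "WETH": 18, "GMX": 18}
# Constructed USD prices, scaled by 10**PRICE_DECIMALS.
PRICES = {"USDT": 1 * 10**8, "WETH": 2_000 * 10**8, "GMX": 60 * 10**8}


def value_1e18(amount_raw, decimals, price_1e8):
    """USD value (18 decimals) of `amount_raw` base units of a token."""
    return amount_raw * price_1e8 * 10**VALUE_DECIMALS // (10**decimals * 10**PRICE_DECIMALS)


def collateral_value_1e18(collateral, decimals_table, prices):
    return sum(value_1e18(amount, decimals_table[token], prices[token])
               for token, amount in collateral.items())


def vulnerable_borrow(collateral, decimals_table, prices, pool_liquidity_1e18, ltv_bps=7500):
    """Lend up to LTV of whatever the valuation says, as the attacked contract did."""
    limit = collateral_value_1e18(collateral, decimals_table, prices) * ltv_bps // 10_000
    return min(limit, pool_liquidity_1e18)


def validate_decimals_config(config_table, registry):
    """Deploy-time check: reconcile the hand-typed table with decimals() on chain.
    Returns (token, configured, onchain) for every mismatch."""
    return [(t, config_table[t], registry[t]) for t in config_table if config_table[t] != registry[t]]


def hardened_borrow(collateral, config_table, registry, prices, pool_liquidity_1e18,
                    ltv_bps=7500, max_position_value_1e18=10_000_000 * 10**18):
    """Returns (amount, reason). Refuses when the config disagrees with the chain,
    and caps a single position at a plausible USD value regardless of the oracle."""
    if validate_decimals_config(config_table, registry):
        return 0, "decimals config does not match token contracts"
    value = collateral_value_1e18(collateral, config_table, prices)
    if value > max_position_value_1e18:
        return 0, "collateral valuation exceeds sanity bound"
    return min(value * ltv_bps // 10_000, pool_liquidity_1e18), "ok"
```

With the correct table, one GMX (10**18 base units at a constructed $60) supports a $45 borrow. With GMX's decimals entered as 0, the same token is valued at 6 × 10**19 dollars and the vulnerable lender hands over the whole pool. The reconciliation check catches the table error before deployment, and the sanity bound catches it even if the check is skipped.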

 


 

 

Stories From The Web3 Battlefield: DeFi Hacks Explained

 

This post covers the operational capabilities a DeFi platform needs in order to respond to an attack in progress: blacklisting wallets, moving funds out of a pool, and pausing or killing a contract. It then turns to the Tendery hack, a variation on price oracle misconfiguration. Together they make the case that readiness to respond matters as much as correct configuration.

 

 

Here is the verbatim discussion:

Right, and the second thing we want you to start on is having operational capability. So, important operational capabilities, again, starting there: blacklist wallets, maybe they could have blacklisted that wallet that imbalanced the pool; transfer pools, right, getting the money out of there, basically saying all is lost and at least escaping with your money; pause the contract; kill the contract; some sort of option, some way to respond to that threat. Another hack, the Tendery hack, earlier in March, a DeFi platform. Now this is actually a variation, a price oracle misconfiguration, another publicly known event. Now in Solidity the decimal point is not explicit or strictly defined; it is implicit or understood. Essentially the owner decides where the decimal place will be and they handle it accordingly. If you have, let's say, this is very simplified again, a number with 10 places, and the number is one, eight, and then eight zeros, right, with the decimal point at the second place, that's quite a different number than 1, eight and eight zeros; it's much larger. Now throughout this contract the numbers were being handled correctly, right, handled with the decimal place where the owner wanted it to be, all except for the GMX token. It was not. So one GMX token...

 

 

Highlights:

Essential Operational Capabilities:

  • Blacklisting Wallets: The ability to block a specific address at the contract level. In the oracle case, the wallet that imbalanced the pool could have been blacklisted before it unwound its position.
  • Transferring Pool Funds: A way to move the pool's remaining assets out to a safe address when the position is already lost, so that at least the rest of the funds escape.
  • Pausing or Terminating Contracts: A pause switch halts swaps, borrows and withdrawals while the team investigates; a kill switch ends the contract outright. Without one of these there is no way to respond at all once an attack is under way.

Tendery Hack: Price Oracle Misconfiguration:

  • Event Overview: The Tendery hack, in March, involved a variation of price oracle misconfiguration on a DeFi platform.
  • Solidity Decimal Handling: Solidity has no decimal type; amounts are integers and the position of the decimal point is a convention the developer applies. The contract applied it correctly for every token except GMX, which was therefore valued wildly wrong.

The Tendery hack underscores the importance of proper configuration and operational readiness in DeFi platforms. By implementing essential capabilities such as wallet blacklisting and contract pausing, platforms can mitigate the risks posed by vulnerabilities like price oracle misconfigurations. It is crucial for DeFi platforms to remain vigilant and continually assess their operational capabilities to ensure robust security measures are in place. Through proactive measures and swift responses to threats, the integrity and trustworthiness of DeFi ecosystems can be maintained, fostering a safer environment for users and stakeholders alike.

Speaker:

Gregory Pickett is a renowned expert in the field of cybersecurity, currently serving as the Head of Cybersecurity. With extensive experience in identifying and mitigating security threats, Pickett is recognized for his deep understanding of both offensive and defensive cybersecurity strategies.

His leadership and insights have been instrumental in safeguarding digital assets and ensuring robust security protocols across various organizations.

https://www.linkedin.com/in/gregpickettcisspgciagpen/

Learning from Recent Crypto Incidents: Reducing Frequency and Understanding Common Attacks

We will explore three recent incidents in the crypto space, along with personal experiences, to extract valuable lessons that can help reduce the frequency of such events. While these incidents can be intriguing and sometimes exciting, it is in everyone's best interest to minimize their occurrence. We will also delve into common crypto attacks, including price oracle manipulation, improper access control, and validation and logic errors, and discuss how understanding these vulnerabilities can lead to a more secure Web3, DeFi, and blockchain environment.

Here is the verbatim discussion:

Make a point, right. So we're going to go over some recent incidents as well as talk about some personal experiences. There's three recent incidents as well as three events that I was personally involved in, and then some lessons learned, because this can be quite interesting, right, for the right audience, and exciting in some cases. But our better natures know that despite the interest, despite the excitement, it's, you know, it's better ultimately in the end, right, it's in our interest that events of this type happen less frequently, no matter how interesting or how exciting they may be. We know that it's better that less of those types of events happen, so we do want to learn some lessons and hopefully over time, presumably over time, ensure that there are less of them, right. Speaking of less of them, we'll talk about also a brighter future, what that's going to look like, how we're going to get there. So we're going to talk about common attacks. Now if you are going to keep track of events in the Web3 space I do recommend Blockthreat.
It's an excellent site for doing that and in fact this is how I keep track of things. The first type of attack that's common, that you're going to see a lot of (in fact if you go there this week you'll see several), is price oracle manipulation attacks. Now when a trade is done, right, when one token is exchanged for another, there's obviously a price, where X number of token A is traded for Y number of token B, right; how is that set, that exchange rate? Well, if you can manipulate the oracle that determines that price you can obviously gain some benefit for yourself: you can get a better deal, you can get more for your tokens, right, more than you would have in that trade. So there's all sorts of attacks that attempt to do that. Also improper access control, where there is a function that there's some benefit for you as an attacker to call, that was not originally intended to be called by you by the contract owner. Actually this is all about getting the attacker some advantage: if you can find a function that does not have proper access control and you get that advantage of being able to call it as an attacker. There's different types of attacks like that; in fact I believe there's one of those this week. Improper validation and logic errors: any time that you have algorithmic decision-making there are parameters involved that are considered in order to make that decision. If they are not properly validated and sanitized then decisions can be made to the attacker's favor, right, or if there's logic.

Highlights:

Recent Incidents and Lessons Learned:

  • Incident Analysis: We will review three recent crypto incidents, providing a detailed analysis of what occurred and the lessons that can be derived from them.
  • Personal Experiences: Sharing three personal experiences, the speaker highlights the excitement and interest these events generate, but also emphasizes the importance of learning from them to prevent future occurrences.
  • Reducing Frequency: Despite the intrigue, it is beneficial to reduce the frequency of such incidents. Learning from past mistakes is crucial for building a more secure future.

Common Crypto Attacks:

  • Price Oracle Manipulation: This attack involves manipulating the mechanism that sets the exchange rate for token trades, allowing attackers to gain an unfair advantage by obtaining a more favorable exchange rate.
  • Improper Access Control: These attacks exploit functions that were not meant to be accessible to unauthorized users, allowing attackers to gain benefits that were intended only for the contract owner or authorized parties.
  • Validation and Logic Errors: When algorithms make decisions based on parameters that are not properly validated and sanitized, attackers can manipulate these decisions to their advantage. This category includes various logic errors that can be exploited in similar ways.

Understanding and learning from recent crypto incidents and recognizing common attack vectors are essential steps toward building a more secure and resilient crypto ecosystem. By analyzing specific cases and personal experiences, we can derive valuable lessons that help mitigate risks. Additionally, awareness and proactive measures against common attacks like price oracle manipulation, improper access control, and validation and logic errors can significantly reduce the frequency and impact of these incidents, paving the way for a brighter and more secure future in the Web3, DeFi, and blockchain space.

Speaker: Gregory Pickett (https://www.linkedin.com/in/gregpickettcisspgciagpen/)

Insights and Adventures in Cybersecurity: The CISO Platform Webinar Series

Welcome to the CISO Platform "Best of the World" Security Webinar Series, a premier event featuring the world's leading cybersecurity minds. This series presents security content that is often hard to find and understand, featuring notable experts such as Nobel Prize winner Paul D., forensic expert Dr. Phil Postra, and Black Hat researcher Jacob Tor Tarpa. The CISO Platform, with over 40,000 community members, is the world's first online community dedicated solely to senior security executives, including CISOs, CIOs, CTOs, and directors.

Here is the verbatim discussion:

Hello everyone, welcome to CISO Platform con Google Best of the World in Security webinar series. The Best of the World series features the world's best security minds: researchers, inventors, subject experts, analysts. It covers security content and Q&A that is often hard to comprehend and you simply cannot Google it. It has featured great minds like Paul D, Nobel Prize winner; Jacob Tor Tarpa; Dr Phil Postra, renowned forensic expert, Black Hat. A little about us: CISO Platform is the world's first online community solely dedicated for information senior security executives, CISO, CIO, CSO, CTO, directors, etc., with 40,000 plus community members 2023. She actually did, Prianka or Nazia did the introductions already, but there is some contact information there if you want to reach me later, gregory. picket at health fire security.com. Given the introduction, most of you know this already; there's a few things at the bottom though. I have in fact hacked trains, ATMs, telecommunications networks, cryptocurrency exchanges, just, you know, why they end up having me speak at events like this, EC Council website and a number of multinational banks, and by hacked I don't mean finding a bug, I mean unauthorized access. So, quite a few adventures.

Highlights:

Featuring Top Cybersecurity Experts:

  • Exclusive Content: The webinar series covers complex and unique security topics that you cannot easily find or comprehend through typical online searches.
  • Renowned Speakers: Past sessions have featured renowned experts like Nobel Prize winner Paul D., Dr. Phil Postra, and Jacob Tor Tarpa, offering insights from the forefront of cybersecurity research and practice.

Adventures in Hacking:

  • Speaker Highlights: One of the featured speakers shares his extraordinary experiences of hacking trains, ATMs, telecommunications networks, cryptocurrency exchanges, and multinational banks.
  • Real-Life Exploits: These exploits were not just about finding bugs but involved unauthorized access, demonstrating practical challenges and the thrill of real-world hacking.
  • Conference Talks: These adventures, which also include the EC Council website and a number of multinational banks, are why he is invited to speak at events like this one, highlighting the importance of hands-on experience in the field.

The CISO Platform "Best of the World" Security Webinar Series is a unique opportunity to gain insights from the best minds in cybersecurity. By featuring top experts and real-world hacking adventures, this series provides invaluable knowledge and experience that goes beyond typical online content. Whether you are a seasoned executive or a budding security professional, this series offers something for everyone looking to deepen their understanding of cybersecurity.

Speaker: Gregory Pickett (https://www.linkedin.com/in/gregpickettcisspgciagpen/)

Mitigating Risks in DeFi: From Liquidity Pool Manipulation to Algorithmic Decision-Making Security

This blog delves into two critical aspects of decentralized finance (DeFi) security: the manipulation of liquidity pools and the importance of proper validation in algorithmic decision-making. By examining a specific case of liquidity pool exploitation and discussing the risks associated with improper parameter validation, we aim to highlight the vulnerabilities and necessary safeguards in DeFi systems.

Here is the verbatim discussion:

Pool. Now this particular price oracle was using the balance in the liquidity pool to determine the price, right. So if you have less of one token on one side, say you put your USDT in there and you take out your Nua, you have less Nua, and according to the law of scarcity Nua, being more scarce, is more valuable, right. So by pushing USD into that pool, you pull Nua out, Nua becomes more valuable, right. You distorted that exchange rate in that instance, and then of course if you have a very favorable exchange rate at that point in time, right, if you have Nua already you can then trade that in the other direction to get more USD than you normally would have, if, right, that pricing oracle was that manipulatable, right, it was basing the price on just that liquidity pool balance. This happened to be a case just like that: someone put USDT in, took out the Nua; due to the law of scarcity Nua is now more valuable, value of Nua goes up. If you happen to get Nua at the going rate from another source, right, for the price that in fact I believe there's one of those this week. Improper validation and logic errors: any time that you have algorithmic decision-making there are parameters involved that are considered in order to make that decision. If they are not properly validated and sanitized then decisions can be made to the attacker's favor, right, or if there's logic errors, maybe the parameters have been validated but there's a certain combination of parameters that produce a decision that again is not to the owner's benefit or to the users of the contract in a fair way, but in fact an unfair way, an unfair result to the attacker. Those types of attacks are quite common: someone discovers a combination that works just right, right, gives the right result for the attacker that they want. Or MEV attacks; now I've heard that expanded two different ways, miner.

Highlights:

Liquidity Pool Manipulation:

  • Price Oracle Dependence: The price Oracle in question determined the value of tokens based on the liquidity pool balance. This setup was susceptible to manipulation.
  • Exploiting Scarcity: An attacker added USDT to the pool and withdrew Nua, making Nua scarcer and thus more valuable due to the law of scarcity.
  • Distorted Exchange Rates: This manipulation led to a favorable exchange rate for the attacker, allowing them to trade Nua back to USDT at a higher value than normal, resulting in significant profit.

Algorithmic Decision-Making Security:

  • Parameter Validation: Proper validation and sanitization of parameters are crucial in algorithmic decision-making to prevent attacks.
  • Logic Errors: Even if parameters are validated, logic errors within the algorithm can lead to unfair results, often favoring attackers.
  • Common Attacks: Attackers often discover combinations of parameters or specific conditions that produce favorable outcomes for them, such as miner extractable value (MEV) attacks, where miners manipulate transactions for profit.

The case of liquidity pool manipulation and the necessity for secure algorithmic decision-making underscore the vulnerabilities present in DeFi systems. Ensuring robust price Oracle mechanisms and implementing stringent validation and sanitization processes are essential steps to safeguard these platforms. By addressing these issues, DeFi platforms can enhance their security and provide a fairer, more reliable environment for all users.

Speaker: Gregory Pickett (https://www.linkedin.com/in/gregpickettcisspgciagpen/)

Enhancing Security in GameFi Contracts through Proactive Monitoring and Advanced Features

This blog explores the critical features and capabilities of GameFi contracts, focusing on security measures designed to protect user funds. By implementing options such as wallet blacklisting, pausing contracts, and escape mechanisms, GameFi platforms can enhance their operational resilience. Additionally, the importance of proactive monitoring and quick action is discussed as a means to prevent significant financial losses.

Here is the verbatim discussion:

Generated wins or losses, it's more of a GameFi contract. Now this is just a start; there are many more possibilities, it's just a start, and it really will depend on the type of contract that you have and its design. But one, we want to, one, you know, really we want to get you just started on this, right, and two, the second thing we want you started on is having operational capability. So, important operational capabilities, again starting there: blacklist wallets, maybe they could have blacklisted that wallet that imbalanced the pool; transfer pools, right, getting the money out of there, basically saying all is lost and at least escaping with your money; pause the contract; kill the contract; some sort of option, some way to respond to that ordinary. Unfortunately they didn't do those things so well; someone got away with $110,000, and it, so they didn't fix it, could have kept doing it. The idea though, of course, in this case is to reimagine it as I've done here so that you could possibly stop it. They, it, possibly, because it really depends on if you're monitoring and if you are, as they say in America, on the ball, right. If you are operating fast enough there's an opportunity for maybe you to even get ahead of this, right: you'd see that exchange rate change, you could then pause before, right. Possible now because you are prepared to actually stop it before the $110,000 profit.

Highlights:

Essential Features of GameFi Contracts:

  • Wallet Blacklisting: The ability to blacklist suspicious wallets can prevent malicious actors from exploiting vulnerabilities within the system.
  • Pausing and Killing Contracts: Implementing features to pause or terminate contracts can provide a crucial response mechanism to halt ongoing attacks and secure funds.
  • Escape Mechanisms: These mechanisms allow for the transfer of funds from compromised pools to secure ones, minimizing potential losses.

Proactive Monitoring and Quick Response:

  • Operational Capability: Having robust operational capabilities is essential. This includes real-time monitoring of transactions and exchange rates.
  • Preemptive Actions: By being vigilant and responsive, it's possible to detect and mitigate threats before they escalate into significant financial losses.
  • Case Study Reflection: In the referenced incident, the lack of proactive measures resulted in a loss of $110,000. Proper implementation of these features could have potentially prevented the theft.

Securing GameFi contracts requires a combination of advanced features and proactive operational strategies. By integrating wallet blacklisting, contract pausing, and escape mechanisms, and ensuring diligent monitoring and quick response, platforms can better protect user funds. The discussed case highlights the importance of these measures, illustrating how timely actions can prevent substantial financial losses and enhance the overall security of GameFi systems.

Speaker: Gregory Pickett (https://www.linkedin.com/in/gregpickettcisspgciagpen/)

Ensuring Security and Accountability in Decentralized Finance (DeFi) Systems

Effective management of decentralized finance (DeFi) systems involves addressing critical challenges such as managing pricing oracles, liquidity pools, exchange rates, ownership changes, and profit distribution. Ensuring the security and accountability of these systems is paramount, necessitating robust measures like log aggregation, monitoring, and attestation. This blog delves into these aspects, providing insights into their significance and implementation.

Here is the verbatim discussion:

Happens. Important events, states to emit: low balances, liquidity pool ratios or exchange rates; you know, it depends on how complicated your pricing oracle is. If it's as simple as the liquidity pool (hopefully not) then that's enough. It may be more complicated; you may even in fact have a surrogate for that, right, an exchange rate; it depends on the level of detail and the exchange, the calculations you're using. All right, so the next thing you might want to emit is the change in ownership and funds distribution. If money is being taken out, maybe the owner is taking some of the profit out; speaking of profit, when it's being taken out by the resi owner you want to know that happens, okay, and someone else besides the owner is attempting it. That's more DeFi attributes. Away, I won't do any reimagining because this is now in the area now of traditional IT, and there are plenty of presentations, talks, blog posts, articles, books, magazines about, you know, how to do that, right. I will however give you some more background. There was not, in addition to no privileged access management, no log aggregation, no monitoring then of login, logout events, right. If your logs are not aggregated, if they're still sitting on the server at the point of origination, well, it's very difficult to monitor, isn't it? So no aggregation, no being sent to a log manager or SIEM, so no monitoring, and no attestation, right. If someone sees that login on something so critical, I, well, I would want to know, so you'd want to contact the person: was that you? Why'd you do it? I'm not really a governance kind of guy with my background but I know that it has its uses; change management, one of those.

Highlights:

Managing Pricing Oracles and Liquidity Pools:

  • Pricing Oracle Complexity: The complexity of pricing oracles can vary. Simple models rely on liquidity pool balances, while more sophisticated oracles might incorporate surrogate exchange rates and detailed calculations.
  • Low Balances and Ratios: It's crucial to monitor liquidity pool ratios and low balances to maintain accurate exchange rates and prevent manipulation.

Ownership Changes and Profit Distribution:

  • Change in Ownership: Tracking changes in ownership and fund distribution is vital. This includes monitoring if the original owner is withdrawing profits or if unauthorized entities attempt to access funds.
  • Profit Monitoring: Keeping a close watch on profit-taking activities ensures that only authorized transactions occur, safeguarding the DeFi platform's integrity.

Log Aggregation, Monitoring, and Attestation:

  • Log Aggregation: Centralized log aggregation is essential for effective monitoring. Logs need to be collected and sent to a log manager or Security Information and Event Management (SIEM) system.
  • Monitoring Login Events: Aggregated logs allow for the monitoring of critical events, such as logins and logouts. This helps in detecting unauthorized access attempts.
  • Attestation: Ensuring that login events are attested by the appropriate personnel adds an additional layer of security. Governance practices, such as change management, support these efforts.

Traditional IT Security Practices:

  • Privileged Access Management: Implementing privileged access management helps in controlling who can access sensitive information and perform critical actions within the system.
  • No Aggregation Issues: Without log aggregation, monitoring becomes nearly impossible, leaving the system vulnerable to undetected breaches and unauthorized activities.
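The events listed above (pool ratios and low balances, ownership changes, withdrawals) and the aggregation and attestation points, as one added example that is not the speaker's or any project's code: a monitor that replays an aggregated event stream and raises alerts. The event shapes, addresses, thresholds and the login record are constructed, and it assumes a log aggregator has already merged the contract's emitted events and the server's login log into one stream keyed by block number:

```python
from collections import namedtuple

Alert = namedtuple("Alert", "severity block rule detail")

# Constructed sample stream: events emitted by the contract plus one server login
# record, already merged by a log aggregator. Addresses and hosts are fake.
OWNER = "0xOWNER"
SAMPLE_EVENTS = [
    {"block": 100, "event": "PoolSnapshot", "reserve_a": 1000, "reserve_b": 100_000},
    {"block": 105, "event": "Withdrawal", "caller": OWNER, "amount_b": 500},
    {"block": 110, "event": "PoolSnapshot", "reserve_a": 995, "reserve_b": 100_500},
    {"block": 120, "event": "OwnershipTransferred", "previous": OWNER, "new": "0xNEW"},
    {"block": 121, "event": "Withdrawal", "caller": "0xNEW", "amount_b": 90_000},
    {"block": 122, "event": "PoolSnapshot", "reserve_a": 995, "reserve_b": 10_500},
    {"block": 122, "event": "AdminLogin", "user": "ops-1", "host": "oracle-signer-1"},
]


def ratio_bps(snapshot: dict) -> int:
    """Exchange-rate proxy for a reserve-based oracle: B per A, in basis points."""
    return snapshot["reserve_b"] * 10_000 // snapshot["reserve_a"]


def analyze(events, expected_owner, min_reserve_b, max_ratio_move_bps):
    """Replay the aggregated stream in block order and return the alerts raised.

    The monitor keeps its own notion of who the owner is (expected_owner): after an
    OwnershipTransferred the contract's new owner is NOT trusted until a person has
    attested the change, so that owner's withdrawals are still flagged as critical."""
    alerts, last_ratio = [], None
    for ev in sorted(events, key=lambda e: e["block"]):  # stable sort keeps intra-block order
        kind, blk = ev["event"], ev["block"]
        if kind == "PoolSnapshot":
            ratio = ratio_bps(ev)
            if last_ratio is not None:
                move = abs(ratio - last_ratio) * 10_000 // last_ratio
                if move > max_ratio_move_bps:
                    alerts.append(Alert("high", blk, "pool_ratio_move",
                                        f"{move} bps since last snapshot"))
            if ev["reserve_b"] < min_reserve_b:
                alerts.append(Alert("high", blk, "low_balance",
                                    f"reserve_b={ev['reserve_b']} < {min_reserve_b}"))
            last_ratio = ratio
        elif kind == "OwnershipTransferred":
            alerts.append(Alert("critical", blk, "ownership_change",
                                f"{ev['previous']} -> {ev['new']}; attest before trusting"))
        elif kind == "Withdrawal":
            if ev["caller"] == expected_owner:
                alerts.append(Alert("info", blk, "owner_withdrawal",
                                    f"{ev['amount_b']} B by attested owner"))
            else:
                alerts.append(Alert("critical", blk, "unauthorized_withdrawal",
                                    f"{ev['amount_b']} B by {ev['caller']}"))
        elif kind == "AdminLogin":
            alerts.append(Alert("medium", blk, "attestation_required",
                                f"{ev['user']}@{ev['host']}: confirm with the user"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, OWNER, min_reserve_b=20_000, max_ratio_move_bps=500):
        print(alert)
```

On the constructed stream the ownership change and the withdrawal by the new, unattested owner both come out as critical, the pool snapshot after the withdrawal trips both the ratio-move and low-balance rules, and the admin login opens an attestation item rather than being treated as an alert on its own. None of this is possible while the events sit unaggregated on the node that produced them; the function only works because it sees the whole stream in one place.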

The effective management of DeFi systems requires a multifaceted approach that includes sophisticated pricing oracles, vigilant monitoring of liquidity pools, and thorough oversight of ownership changes and profit distribution. Integrating robust log aggregation, monitoring, and attestation practices is essential for maintaining security and accountability. By leveraging traditional IT security measures and governance practices, DeFi platforms can enhance their resilience against potential threats, ensuring a secure and reliable environment for users and stakeholders.

Speaker: Gregory Pickett (https://www.linkedin.com/in/gregpickettcisspgciagpen/)

Stories From The Web3 Battlefield: Hacking Price Oracles

In late March, a significant incident involving the ERC-20 token Nua took place. This event was a price Oracle manipulation attack, exploiting vulnerabilities in the DeFi protocol's pricing mechanism. The attacker manipulated the liquidity pool balance to distort the value of Nua, leading to substantial financial gains. This blog post will dissect the incident, highlighting the key points and concluding with the lessons learned from this attack.

Here is the verbatim discussion:

Benefit. All right, so into the incident. First one was the Nua hack; this was in late March. Nua is an ERC-20 token. This was a price oracle manipulation attack; this incident is publicly known. By trading some USDT for some Nua, all right, they were able to imbalance a liquidity pool. Now this particular price oracle was using the balance in the liquidity pool to determine the price, right. So if you have less of one token on one side, say you put your USDT in there and you take out your Nua, you have less Nua, and according to the law of scarcity Nua, being more scarce, is more valuable, right. So by pushing USD into that pool, you pull Nua out, Nua becomes more valuable, right. You distorted that exchange rate in that instance, and then of course if you have a very favorable exchange rate at that point in time, right, if you have Nua already you can then trade that in the other direction to get more USD than you normally would have, if, right, that pricing oracle was that manipulatable, right, it was basing the price on just that liquidity pool balance. This happened to be a case just like that: someone put USDT in, took out the Nua; due to the law of scarcity Nua is now more valuable, value of Nua goes up. If you happen to get Nua at the going rate from another source, right, for the price that is more reasonable, at least the market might consider more reasonable, at that lower price (the original price before was lower), now you've got a particular exchange though that is trading it higher now because of the manipulation, and you run your Nua back through that to pull USDT out, more now than you would have gotten, because of the restored exchange rate, right. So another diagram of that hack: you have pulled the Nua out to imbalance the liquidity pool, you have all of that Nua that you purchased at the lower price, you put all that USD in to get that Nua, now of course you're running it back through this particular contract to get out more USDT than you put in, and in fact $110,000 more USDT than they
originally put in, to get $10,000 US profit.

Highlights:

Price Oracle Manipulation:

The core of the attack involved manipulating the price Oracle, which determined Nua's value based on the balance in the liquidity pool. By trading USDT for Nua, the attacker created an imbalance in the pool.

Exploiting the Law of Scarcity:

The manipulation relied on the economic principle of scarcity. By withdrawing Nua from the liquidity pool, the token's reduced supply increased its perceived value. This artificial scarcity inflated Nua's price.

Leveraging Favorable Exchange Rates:

With the inflated value of Nua, the attacker exploited the favorable exchange rate. They initially acquired Nua at a lower market price from another source. Post-manipulation, they traded Nua back into the pool to receive more USDT than they initially spent.

Profit Extraction Mechanism: 

The attacker cycled their transactions through the manipulated exchange rate. By doing so, they withdrew significantly more USDT than they had originally invested. Specifically, they managed to extract $110,000 more USDT than their initial input, resulting in a net profit of $10,000.
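The pool mechanics described in this post and in the earlier "Mitigating Risks in DeFi" post, together with the operational capabilities (blacklist, pause, transfer pools, owner-only control) and the "see the exchange rate change and pause" response from the first two posts above, as one added simulation. This is example code written for this page, not the speaker's or any project's contract; the pool sizes, prices, addresses, the 5% deviation threshold and the WAD fixed-point convention are constructed assumptions, and the reference price stands in for whatever TWAP or external oracle a real deployment would use:

```python
WAD = 10**18  # assumed fixed-point scale for prices (1.0 == WAD)


class Reverted(Exception): ...  # stands in for a Solidity revert


class ConstantProductPool:
    """x * y = k pool of token A against token B, fee omitted to keep the math visible.
    Its spot price is derived only from the reserves, which is what makes it movable."""

    def __init__(self, reserve_a: int, reserve_b: int):
        self.reserve_a, self.reserve_b = reserve_a, reserve_b

    def spot_price_a(self) -> int:
        return self.reserve_b * WAD // self.reserve_a  # price of one A in B, WAD-scaled

    def swap(self, token_in: str, amount_in: int) -> int:
        """Deposit amount_in of token_in ("A" or "B"); return how much of the other comes out."""
        if token_in == "B":
            out = self.reserve_a * amount_in // (self.reserve_b + amount_in)
            self.reserve_b, self.reserve_a = self.reserve_b + amount_in, self.reserve_a - out
        else:
            out = self.reserve_b * amount_in // (self.reserve_a + amount_in)
            self.reserve_a, self.reserve_b = self.reserve_a + amount_in, self.reserve_b - out
        return out


class GuardedExchange:
    """Quotes off the pool's spot price but refuses any trade that would leave that price
    more than max_deviation_bps from an independent reference; tripping the guard pauses
    the contract and blacklists the caller. Unpause and withdrawal are owner-only."""

    def __init__(self, owner: str, pool: ConstantProductPool, reference_price: int, max_deviation_bps: int):
        self.owner, self.pool = owner, pool
        self.reference_price, self.max_deviation_bps = reference_price, max_deviation_bps
        self.paused, self.blacklist, self.events = False, set(), []

    def _only_owner(self, caller: str) -> None:
        if caller != self.owner:
            raise Reverted("not owner")

    def trade(self, caller: str, token_in: str, amount_in: int) -> int:
        if self.paused:
            raise Reverted("paused")
        if caller in self.blacklist:
            raise Reverted("blacklisted")
        trial = ConstantProductPool(self.pool.reserve_a, self.pool.reserve_b)  # dry run
        out = trial.swap(token_in, amount_in)
        post = trial.spot_price_a()
        deviation = abs(post - self.reference_price) * 10_000 // self.reference_price
        if deviation > self.max_deviation_bps:
            self.paused = True             # circuit breaker
            self.blacklist.add(caller)     # the wallet that tried to move the price
            self.events.append(("Paused", caller, post, deviation))
            raise Reverted(f"post-trade price {deviation} bps off reference")
        self.pool.reserve_a, self.pool.reserve_b = trial.reserve_a, trial.reserve_b  # commit
        self.events.append(("Swap", caller, token_in, amount_in, out, post))
        return out

    def set_paused(self, caller: str, paused: bool) -> None:
        self._only_owner(caller)
        self.paused = paused
        self.events.append(("PausedSet", caller, paused))

    def emergency_withdraw(self, caller: str, treasury: dict) -> None:
        """The 'transfer pools' option: the owner moves everything out, only while paused."""
        self._only_owner(caller)
        if not self.paused:
            raise Reverted("pause first")
        treasury["A"] = treasury.get("A", 0) + self.pool.reserve_a
        treasury["B"] = treasury.get("B", 0) + self.pool.reserve_b
        self.pool.reserve_a = self.pool.reserve_b = 0
        self.events.append(("EmergencyWithdraw", caller))


def reason(fn, *args) -> str:
    try:  # run fn and return its revert reason ("" if it succeeded)
        fn(*args)
        return ""
    except Reverted as exc:
        return str(exc)


def run_scenario() -> dict:
    """Constructed scenario: pool of 1000 A vs 100000 B (spot 100 B per A), 5% guard."""
    owner, trader, attacker, treasury = "0xOWNER", "0xTRADER", "0xATTACKER", {}
    ex = GuardedExchange(owner, ConstantProductPool(1000 * WAD, 100_000 * WAD),
                         reference_price=100 * WAD, max_deviation_bps=500)
    r = {"benign_out": ex.trade(trader, "B", 1_000 * WAD)}           # ~2% move: allowed
    r["attack"] = reason(ex.trade, attacker, "B", 20_000 * WAD)         # ~45% move: refused
    r["paused"] = ex.paused
    r["trader_while_paused"] = reason(ex.trade, trader, "B", WAD)
    r["attacker_unpause"] = reason(ex.set_paused, attacker, False)
    ex.set_paused(owner, False)
    r["attacker_after_unpause"] = reason(ex.trade, attacker, "B", WAD)
    r["withdraw_while_open"] = reason(ex.emergency_withdraw, owner, treasury)
    ex.set_paused(owner, True)
    ex.emergency_withdraw(owner, treasury)
    r["treasury"], r["pool_after"] = treasury, (ex.pool.reserve_a, ex.pool.reserve_b)
    r["events"] = [e[0] for e in ex.events]
    return r
```

Running `run_scenario()` shows a small trade going through while a trade that would push the reserve-derived price about 45% away from the reference is refused, the contract pauses itself and the caller lands on the blacklist; only the owner can unpause or move the reserves to the treasury, and the withdrawal is allowed only while paused so it is a deliberate act rather than a quiet drain. The spot price from the reserves is still the price source, but no single trade is allowed to carry it far from an independent reference, which is the property the pool in the incident lacked.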

The Nua price Oracle manipulation attack underscores the critical vulnerabilities present in certain DeFi protocols. This incident demonstrates how liquidity pool imbalances can be exploited for profit, highlighting the need for more secure and reliable price determination mechanisms. The lessons learned from this attack are crucial for developers and users alike, emphasizing the importance of enhancing the security measures within decentralized finance systems to prevent similar exploits in the future.

Speaker: Gregory Pickett (https://www.linkedin.com/in/gregpickettcisspgciagpen/)

Continuous Security Validation: Lessons from Failed Security Programs

Gain insights into the fundamental challenges hindering organizations from achieving cybersecurity objectives, particularly in terms of visibility and noise reduction. Discover how prioritizing key metrics can enhance threat detection and response capabilities.

Here is the verbatim discussion:

Key fundamentals that are there, and that's where the biggest challenge is: organizations just don't have the visibility that they require to get to those points. Those are certainly very key. The other kind of key point that organizations will get into is, you know, a lot of the monitoring and in doing these different assessments, ultimately they're trying to find a needle in a haystack, is a common analogy that's used, and unfortunately what organizations will do, especially early on, is they'll add more and more hay with the idea that they will have better visibility. Unfortunately that actually makes things more difficult, because it's more difficult to actually find the needle. So as a key metric and focus and priority area, it's definitely best practice to eliminate the noise and eliminate all that excess hay, so you can find these needles faster and quicker and eventually get to the point where you're actually able to categorize the individual needles, so you can actually identify a needle within a stack of needles that's relevant to the specific use case that you have. Because what will happen with advanced persistent threats is they'll actually come back time and time again, and unfortunately one of the key things that ends up happening, especially with ransomware attacks, is organizations will actually recover and implement a backup, or basically get to a steady state, but they won't address the main entry point that the attackers use to get in, so all they do is they come right back in. And that's why paying for a ransomware doesn't really work, because a lot of times organizations don't address the core entry point, and once kind of the word gets out then it's open season, so you might have multiple different criminal
organizations looking to get into your environment. So, and there's metrics that you can build around all of those things, like reducing false positives, reducing false negatives, and then overall measuring.

 

Highlights:

Visibility: Most organizations lack the visibility needed to identify and mitigate threats effectively. Without it, proactive detection and response stall, and the organization stays exposed to persistent attackers who return repeatedly.

Needle in a Haystack Analogy: Finding threats in a sea of data is the usual needle-in-a-haystack problem. Organizations commonly add more "hay" (data sources) hoping to improve visibility, which only makes the needle harder to find; the better investment is removing noise so that the few alerts that matter surface quickly and can be categorized by use case.

Addressing Core Entry Points: Recovering from an incident is not the same as closing the door the attacker used. With ransomware in particular, restoring from backup without fixing the original entry point invites repeat intrusions, and once word spreads that the route still works, other criminal groups will try it too.

Prioritize key metrics such as visibility, noise reduction (tracked as false positives and false negatives), and closure of core entry points to build resilience. By eliminating noise and identifying critical threats quickly, organizations strengthen their security posture and reduce the risk posed by persistent threats.

 

 

Speakers:

Brad LaPorte, a former army officer with extensive experience in cybersecurity, provides invaluable insights into the evolving landscape of digital threats. With a background in military operations, LaPorte witnessed firsthand the early stages of nation-state cyber attacks, laying the groundwork for his deep understanding of cybersecurity challenges. Through his journey, he has observed the transformation of defense tactics from traditional, labor-intensive methods to modern, cloud-based solutions. LaPorte's expertise offers a unique perspective on the intersection of technology, security, and the underground economy of cybercrime. In this discussion, he shares his experiences and analysis, shedding light on the complexities of cybersecurity in the digital age.

Bikash Barai is credited with several innovations in the domain of network security and anti-spam technologies and holds multiple patents with the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums such as TiE, RSA Conference USA and TEDx.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

 

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/ 

 
 
 
 

Continuous Security Validation Improvement for SMBs

Explore the unique cybersecurity challenges faced by SMBs in today's interconnected landscape, where the threat of ransomware looms large. Brad emphasizes the importance of adopting a smarter approach to security validation, focusing on optimizing resources and maximizing protection.

 

 

Here is the verbatim discussion:

Anybody else, because on the internet, for a ransomware guy, it's the same IP, so they just target every single IP address across the globe, right? So how do you think SMBs should approach building a continuous security validation program? Yeah, and my advice is the same process, but think smarter, not harder. And really what it comes down to is, it comes right back to the attack surface, but it's really being strict around it and being open and saying, do we really need this? So a good aspect to it is, you talked about the attack surface getting into areas where now we have IoT and endpoints and more things that are interconnected with the cloud and more exposed. It's no longer just a network perimeter, especially in these smaller organizations; they have all these endpoints and all these different aspects. And having their environment be hardened, and then implementing network segmentation and breaking off those components. So a good example, going back to the house analogy: if someone breaks into my house and I lock each individual door within my house, which is the equivalent of having segmentation, it kind of hardens the internal aspect once they actually break in, so the overall impact that exists is greatly reduced. And that's really the fundamentals around the attack surface management component. So the advice I've given organizations is, if it doesn't need to be in your environment, then don't have it be in your environment. So if you don't need organizations to access... to basically not have any kind of URL filtering or having any kind of blocked websites. Like, you shouldn't be able to go to whatever website that you want if you're working in a corporate environment on a corporate machine.

 

Highlights:

Redefining the Attack Surface: Brad underscores the need for SMBs to redefine their understanding of the attack surface, considering the proliferation of IoT devices and cloud-connected endpoints. By implementing network segmentation and hardening their environment, organizations can minimize exposure to cyber threats and reduce risk.

Strategic Resource Allocation: Rather than adopting a one-size-fits-all approach, Brad advises SMBs to prioritize security measures based on necessity and relevance. By questioning the need for certain technologies or access privileges, organizations can streamline their security posture and allocate resources more effectively.

Embracing Network Segmentation: Drawing parallels to securing a physical house with multiple locked doors, Brad highlights the benefits of network segmentation in fortifying internal defenses. By compartmentalizing network assets and restricting access, SMBs can mitigate the impact of potential breaches and thwart lateral movement by cyber attackers.

 

Brad emphasizes the importance of adopting a smarter, more strategic approach to cybersecurity for SMBs. By redefining the attack surface, prioritizing resource allocation, and embracing network segmentation, organizations can build a robust security framework tailored to their specific needs and constraints.

 


Continuous Security Validation How to Improve Your Organizations Cybersecurity Maturity

 

Discover how security training and preparedness initiatives play a pivotal role in equipping individuals to recognize and respond to cyber threats effectively. Brad emphasizes the importance of instilling a cybersecurity mindset across all levels of an organization.

 

 

Here is the verbatim discussion:

You know, that's the biggest area. The other area is security training overall, just making people aware. It's a mindset, it's a culture, and identifying: if I see a phishing email, I need to report it, and having a process around that, and then building it over time. So maybe doing a simulated phishing exercise that turns into a ransomware exercise, and just running that for a couple of hours a day for a month, or whatever period. And kind of a good example that I have come up with over the years is getting a bunch of children at an elementary school or grade school ready for a fire drill. So if you remember when you were younger and going through that, the fire alarm goes off and then everybody kind of freaks out and doesn't know what to do, and then basically as you go through these rehearsals you identify, okay, well, when the alarm goes off we get single file, we go outside, and then we make sure everyone's safe.

 

Highlights:

Security Training: Brad underscores the need for comprehensive security training programs aimed at raising awareness and educating employees about potential cyber threats. By fostering a culture of vigilance and accountability, organizations can empower individuals to identify and report suspicious activities, such as phishing emails.

Simulated Exercises: Explore the value of conducting simulated security exercises, akin to fire drills, to prepare employees for real-world cyber incidents. Brad highlights the benefits of running simulated phishing exercises that evolve into ransomware scenarios, allowing organizations to assess their readiness and response capabilities.

Building Preparedness Over Time: Drawing parallels to emergency preparedness drills in schools, Brad emphasizes the importance of regular practice and refinement of security protocols. By continuously running simulated exercises and refining response procedures, organizations can enhance their ability to mitigate cyber threats effectively.

 

Brad underscores the importance of cultivating a proactive cybersecurity mindset through training and preparedness initiatives. By investing in comprehensive security training, conducting simulated exercises, and fostering a culture of awareness, organizations can strengthen their defenses against cyber threats and minimize the risk of security incidents.
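One way to turn the fire-drill idea into numbers that show improvement over time is to score each simulated phishing campaign. The Python below is an added example, not code from the discussion or from either speaker: it takes constructed campaign results (every user, timing and outcome is made up for illustration), computes per-campaign click rate, report rate and how quickly security first hears about the campaign, and then checks that successive drills improve on all three. The first-report time is the drill's equivalent of dwell time: until someone reports, security does not know the "fire" has started.

```python
from statistics import median

# Added example with constructed results (not real campaign data). Minutes count from
# the send time; None means the user never did that action.
RESULTS = [
    # (campaign, user, clicked_after_min, reported_after_min)
    ("2024-01", "u1", 4, None), ("2024-01", "u2", 9, None), ("2024-01", "u3", 15, 120),
    ("2024-01", "u4", None, None), ("2024-01", "u5", None, None), ("2024-01", "u6", None, None),
    ("2024-02", "u1", 6, 30), ("2024-02", "u2", None, 45), ("2024-02", "u3", None, 60),
    ("2024-02", "u4", 12, None), ("2024-02", "u5", None, None), ("2024-02", "u6", None, None),
    ("2024-03", "u1", None, 5), ("2024-03", "u2", None, 10), ("2024-03", "u3", None, 12),
    ("2024-03", "u4", 8, 20), ("2024-03", "u5", None, None), ("2024-03", "u6", None, None),
]


def campaign_metrics(results):
    """Per-campaign drill score, keyed by campaign in chronological (sorted) order."""
    by_campaign = {}
    for campaign, _user, clicked, reported in results:
        by_campaign.setdefault(campaign, []).append((clicked, reported))
    metrics = {}
    for campaign, rows in sorted(by_campaign.items()):
        sent = len(rows)
        clicks = [c for c, _ in rows if c is not None]
        reports = [r for _, r in rows if r is not None]
        metrics[campaign] = {
            "sent": sent,
            "click_rate": round(len(clicks) / sent, 2),
            "report_rate": round(len(reports) / sent, 2),
            # the first report is when security learns of the campaign: the drill's dwell time
            "first_report_min": min(reports) if reports else None,
            "median_report_min": median(reports) if reports else None,
        }
    return metrics


def improving(metrics):
    """True when each drill reports more, clicks no more, and reaches security no later than the last."""
    never = float("inf")
    seq = list(metrics.values())
    return all(
        b["report_rate"] > a["report_rate"]
        and b["click_rate"] <= a["click_rate"]
        and (b["first_report_min"] if b["first_report_min"] is not None else never)
        <= (a["first_report_min"] if a["first_report_min"] is not None else never)
        for a, b in zip(seq, seq[1:])
    )


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for campaign, score in m.items():
        print(campaign, score)
    print("improving:", improving(m))
```

On the constructed data the report rate climbs from 17% to 67% and the first report arrives after 5 minutes instead of 120, which is the trend a maturing program should show; a campaign with no reports at all scores as "never" and will fail the check.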

 


How SMBs Can Build Continuous Security Validation

 

Explore the fundamental concept of attack surface management and its role in fortifying organizational cybersecurity. Brad sheds light on the importance of evaluating and controlling the attack surface to mitigate potential threats effectively.

 

 

 

Here is the verbatim discussion:

And really what it comes down to is, it comes right back to the attack surface, but it's really being strict around it and being open and saying, do we really need this? So a good aspect to it is, you talked about the attack surface getting into areas where now we have IoT and endpoints and more things that are interconnected with the cloud and more exposed. It's no longer just a network perimeter, especially in these smaller organizations; they have all these endpoints and all these different aspects. And having their environment be hardened, and then implementing network segmentation and breaking off those components. So a good example, going back to the analogy: if someone breaks into my house and I lock each individual door within my house, which is the equivalent of having segmentation, it kind of hardens the internal aspect once they actually break in, so the overall impact that exists is greatly reduced. And that's really the fundamentals around the attack surface management component. So the advice I've given organizations is, if it doesn't need to be in your environment, then don't have it be in your environment. So if you don't need organizations to access... to basically not have any kind of URL filtering or having any kind of blocked websites. Like, you shouldn't be able to go to whatever website that you want if you're working in a corporate environment on a corporate machine. And that's a very common mistake that organizations have: they don't have any policies around what people can access, and in some work environments it's not appropriate and doesn't make sense from a security perspective to have access to social media, or to have typical regular users have administrative access so they can download whatever programs they want. And I can think of over a hundred examples where that was commonplace, and organizations have come to me and asked me, you know, is it a best practice to not have the end user have access to administrative rights? And it's like, well, yeah, absolutely, and that's an easy fix. It doesn't cost anything to do that. It's not a bona fide business need to have them have it, and it greatly reduces your security risk. And once you start adding in things like multi-factor authentication, stricter password rules, and then password resets, having the segmentation aspect where you're locking each individual door, and then basically constantly checking and going in and doing these monitoring aspects, and having these different exercises with red teams, and having more of the in-depth on specific use cases. So like, this month we're going to go in and just validate that we can respond to a phishing attack or a ransomware attack, or someone taking advantage of a vulnerability in our server architecture. And there's a lot of open source software out there too; there's pros and cons to that, but there are a lot of tools out there, and a lot of organizations are actually moving towards a product-led growth type approach where they actually have a premium level version of their product. So those are definitely things that they should absolutely take advantage of, where there's tons of tools out there that they can get exposure to and get access to, especially if they're tight on budgets. The other thing too is to prioritize consolidated solutions. So with the advent of endpoint protection platforms and extended detection and response, or XDR, and a lot of the MDR, managed detection and response, and managed services out there, I would certainly prioritize kind of an all-in-one type approach, where it's not necessarily the best of breed in all the different categories, but you can identify certain areas that are the most important to you and be able to implement that, and kind of, you get.

 

Highlights:

Minimizing Attack Surface: Brad emphasizes the importance of scrutinizing the attack surface and eliminating unnecessary elements from the environment. Drawing parallels to securing a physical space, he explains how network segmentation acts as a barrier, reducing the impact of potential breaches.

Policy Implementation: Discussing common security pitfalls, Brad highlights the significance of implementing robust policies. He underscores the need for restricting user access, enforcing stricter password rules, and deploying multi-factor authentication to enhance security posture.

Continuous Monitoring and Response: Brad advocates for continuous monitoring and proactive response strategies to combat evolving cyber threats. He discusses the value of conducting regular exercises, such as simulated phishing attacks and vulnerability assessments, to identify and address potential weaknesses.

Utilizing Tools and Solutions: Explore the array of tools and solutions available for bolstering cybersecurity defenses. Brad recommends prioritizing consolidated solutions, such as endpoint protection platforms and managed detection and response services, to streamline security operations and maximize efficacy.

 

Brad emphasizes the importance of adopting a proactive approach to attack surface management. By minimizing the attack surface, implementing robust security policies, and leveraging advanced tools and solutions, organizations can enhance their cybersecurity posture and mitigate the risk of potential threats.
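The locked-doors analogy used in this post and in the SMB post above can be made measurable. The Python below is an added example, not code from the discussion or from either speaker: it models a small constructed inventory of hosts grouped into zones, an allow-list of the cross-zone flows a segmented design permits, and then computes, by breadth-first search, how many hosts an intruder on a compromised laptop can reach in one hop under a flat network versus the zoned policy, and which observed flows violate the policy. Hostnames, zones, ports and the policy are illustrative assumptions; hosts within one zone are assumed to talk to each other freely.

```python
from collections import deque

# Added example. Hostnames, zones, ports and the policy are constructed for illustration.
HOSTS = {
    "laptop-07": "user", "printer-02": "user",
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data", "backup-01": "data",
    "cam-03": "iot",
    "admin-jump": "mgmt",
}

# Cross-zone flows the segmented design permits: (src zone, dst zone, dst port).
# Anything not listed is denied; nothing may initiate a connection into mgmt.
SEGMENTED_POLICY = {
    ("user", "dmz", 443), ("user", "app", 443),
    ("dmz", "app", 8443),
    ("app", "data", 5432),
    ("mgmt", "user", 22), ("mgmt", "dmz", 22), ("mgmt", "app", 22),
    ("mgmt", "data", 22), ("mgmt", "iot", 22),
}

# Observed flows (src host, dst host, dst port), constructed as if pulled from flow logs.
OBSERVED_FLOWS = [
    ("laptop-07", "web-01", 443),
    ("laptop-07", "db-01", 5432),   # a workstation talking straight to the database
    ("cam-03", "app-01", 8443),     # an IoT camera reaching the app tier
    ("admin-jump", "db-01", 22),
]


def allowed(src_zone, dst_zone, port, policy):
    """policy=None models a flat network with no internal doors.
    Assumption: hosts inside one zone can always reach each other."""
    if policy is None or src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, port) in policy


def reachable_hops(start, hosts, policy):
    """BFS over hosts; the hop count is how many doors an intruder must force from `start`."""
    ports = {p for _, _, p in policy} if policy else {0}
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, zone in hosts.items():
            if nxt in hops:
                continue
            if any(allowed(hosts[cur], zone, p, policy) for p in ports):
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def blast_radius(start, hosts, policy, max_hops=1):
    """Hosts an intruder on `start` reaches within `max_hops` doors (excluding `start`)."""
    return sorted(h for h, d in reachable_hops(start, hosts, policy).items() if 0 < d <= max_hops)


def policy_violations(flows, hosts, policy):
    """Observed flows the policy does not permit: either a missing rule or a missing door."""
    return [f for f in flows if not allowed(hosts[f[0]], hosts[f[1]], f[2], policy)]


if __name__ == "__main__":
    for label, policy in (("flat", None), ("segmented", SEGMENTED_POLICY)):
        hops = reachable_hops("laptop-07", HOSTS, policy)
        print(f"{label}: one-hop blast radius {len(blast_radius('laptop-07', HOSTS, policy))} hosts, "
              f"unreachable {sorted(set(HOSTS) - set(hops))}")
    print("violations:", policy_violations(OBSERVED_FLOWS, HOSTS, SEGMENTED_POLICY))
```

On the constructed inventory a compromised laptop reaches all seven other hosts in one hop on the flat network, but only three under the zoned policy; the database tier sits two doors away and the management and IoT zones are unreachable from user space. The two flagged flows are exactly the kind of "does this need to be here?" question the discussion recommends asking.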

 


Continuous Security Validation Unveiling the Secrets; The Intersection of Magic and Cybersecurity

 

Join us as cybersecurity expert Brad shares insights drawn from his passion for both cybersecurity and magic. Discover the striking similarities between performing magic tricks and defending against cyber threats.


 

Here is the verbatim discussion:

And ultimately, like, I love hearing people laugh and just overall enjoying life, and so over the years I've certainly done that. And a lot of it is very similar to what I do today in cybersecurity. So when you're actually putting on a magic show, first off, you don't really know what you're doing when you start, and it starts by making that decision, having that mindset: I'm going to be a magician, or I'm going to just do a magic trick, and be really good at that one thing, and then move to the second thing. And then it's that whole crawl, walk, run approach.

Earlier you mentioned magic. I'm quite passionate about it as well; I used to do shows at one point in time. Now I don't, I've been kind of out of touch, but I'm still curious. So one interesting thing about magic is, if you could place a lot of eyes from all possible directions around the magician, and if you could continuously keep an eye on them, then the magician can't fool you, if you can look at the magician from 360 degrees and look at all the places simultaneously. And I think we are facing a similar challenge, right? Our problem is, just like in the case of magic, we have only one pair of eyes, so we focus on one thing mag.

 

Highlights:

Starting with a Decision: Brad draws parallels between starting a career in magic and embarking on a cybersecurity journey. Just as magicians begin with a decision to master their craft, cybersecurity professionals commit to continuous learning and improvement.

Crawl, Walk, Run Approach: Brad emphasizes the importance of adopting a crawl, walk, run approach in both magic and cybersecurity. Mastering one skill at a time and gradually progressing leads to proficiency and success.

Continuous Vigilance: The discussion turns the magic analogy into a point about visibility. Bikash, himself a former performer, notes that a magician cannot fool an audience that watches from every angle at once; continuous monitoring from all sides plays the same role in cybersecurity.

Facing Limitations: The catch is that, like a spectator with one pair of eyes, a security team can only focus on one thing at a time, so it must prioritize and allocate its attention and resources to the exposures that matter most.

 

Brad underscores the importance of applying lessons from magic to cybersecurity, emphasizing continuous learning, strategic planning, and vigilance. By understanding the parallels between these seemingly disparate domains, cybersecurity professionals can enhance their defense strategies and stay ahead of evolving threats.

 


Key Success Factors and Common Mistakes in Continuous Security Validation

 

Understanding the common success factors and pitfalls in implementing continuous security validation is crucial for organizations aiming to enhance their cybersecurity posture. In this segment, we explore the key insights derived from observing organizations across various industries and maturity levels.

 

 

Here is the verbatim discussion:

And let's move to the next part, which is: you have seen all of these organizations which have matured over a period of time, and you have seen across various breadths of the industry. So what have been some of the key things which you noticed as the common success factors as well as common mistakes? So some of the common success factors and failure factors when it comes to implementing continuous security validation.

Yeah, very good point, and I'll kind of preface this by saying the answer is unique to every single organization, so it heavily depends on the nature of the business, the culture, unfortunately budgets, and having that strategic alignment between the overall organization's financial goals and their security goals. And as part of that, ultimately you want to prevent attacks from happening in the first place, and there are key metrics that you can identify where you're able to reduce those attempts in the first place. So the equivalent of this would be, let's just say at 2 o'clock in the morning you hear someone knocking on your door, you know, between the hours of 2 and 3 a.m., and although they're not getting in, that's the equivalent of reconnaissance. They're basically trying to probe and identify areas that you're in, and those might be something as simple as firewall deny logs that might be of interest, and so on and so forth. So anything you can do to identify those areas and eliminate them or reduce them is a key metric that you want to have. The other thing is, in the event that you actually have an incident, or that you have a breach, or someone's in your organization, then the number one thing is to detect them as soon as possible, and overall reducing what's called the dwell time, the amount of time that the attacker is in your house, effectively. And you want to basically investigate it as quickly as possible, you want to eradicate it as quickly as possible, you want to address what the core entry point was in the first place, and then basically patch it up, fix it so it doesn't happen again. And those are key fundamentals that are there, and that's where the biggest challenge is: organizations just don't have the visibility that they require to get to those points. Those are certainly very key. The other key point that organizations will get into is, with a lot of the monitoring and doing these different assessments, ultimately they're trying to find a needle in a haystack, which is a common analogy that's used. Unfortunately what organizations will do, especially early on, is add more and more hay with the idea that they will have better visibility. Unfortunately that actually makes things more difficult, because it's more difficult to actually find the needle. So as a key metric and focus and priority area, it's definitely a best practice to eliminate the noise and eliminate all that excess hay, so you can find these needles faster and quicker, and eventually get to the point where you're actually able to categorize the individual needles, so you can identify a needle within a stack of needles that's relevant to the specific use case that you have. Because what will happen with advanced persistent threats is they'll come back time and time again, and unfortunately one of the key things that ends up happening, especially with ransomware attacks, is organizations will recover and implement a backup, or basically get to a steady state, but they won't address the main entry point that the attackers used to get in. So all they do is come right back in, and that's why paying for a ransomware doesn't really work: a lot of times organizations don't address the core entry point, and once the word gets out, then it's open season, so you might have multiple different criminal organizations looking to get into your environment. And there's metrics that you can build around all of those things, like reducing false positives, reducing false negatives, and then overall measuring.

 

Highlights:

Success Factors:

  1. Preventative Measures: Prioritize preventing attacks by reducing exposure and driving down the number of attempts. Reconnaissance shows up early, for instance as a burst of firewall deny logs from one source at 2 a.m.; count those probes as a metric, and shrink the set of exposed services that attract them.

  2. Prompt Detection and Response: Swiftly detect and respond to security incidents to minimize dwell time and mitigate potential damage. Timely investigation, eradication, and remediation of threats are essential to prevent recurring breaches.

  3. Visibility and Monitoring: Enhance visibility into the security landscape by reducing noise and focusing on relevant threats. Streamline monitoring processes to efficiently identify and categorize security incidents, enabling proactive threat management.

Common Mistakes:

  1. Excessive Noise: Overloading security systems with unnecessary data complicates threat detection and hampers response efforts. Organizations often add more "hay" (data) with the misconception of improving visibility, leading to challenges in identifying genuine threats.

  2. Failure to Address Root Causes: Neglecting to address the core entry points exploited by attackers perpetuates vulnerabilities and increases the risk of recurring breaches. Merely restoring from backups without addressing underlying security weaknesses leaves organizations susceptible to future attacks.

 

 

Success in continuous security validation hinges on proactive prevention, swift detection, and efficient response to security threats. By prioritizing preventative measures, minimizing noise, and addressing root causes, organizations can strengthen their security posture and effectively mitigate cyber risks. Avoiding common mistakes such as excessive noise and neglecting root causes is paramount for achieving robust cybersecurity resilience. Through continuous improvement and adherence to best practices, organizations can navigate the complexities of modern cybersecurity landscape and safeguard their digital assets effectively.
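The points above on firewall deny logs as a reconnaissance signal, on false positives and false negatives as metrics, and on turning hay into needles (the same themes as the Visibility and Needle in a Haystack highlights of the first post on this page) can be shown in working code. The Python below is an added example, not code from the discussion or from either speaker: it parses constructed firewall deny lines (the log layout, address ranges and thresholds are all assumptions, not any vendor's format), collapses hundreds of lines into one summary per source, raises a single alert for each source that sweeps many ports in a short window, and scores the alerts against a known list of scanners to produce the false-positive and false-negative counts.

```python
import re
from datetime import datetime, timezone

# Added example; the log layout, address ranges and thresholds are assumptions, not any vendor's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def build_sample_log():
    """Constructed sample, not a real capture: two fast sweeps, one slow sweep, one noisy client."""
    lines = []
    for i, port in enumerate(range(20, 46)):          # A: 26 ports at 2 a.m. in 25 seconds
        lines.append(f"2024-03-02T02:03:{i:02d}Z fw01 DENY src=203.0.113.7 "
                     f"dst=198.51.100.10 dport={port} proto=tcp")
    for i in range(12):                               # B: 12 ports, 3 hosts, about 6 minutes
        lines.append(f"2024-03-02T14:{10 + i // 2:02d}:{(i % 2) * 30:02d}Z fw01 DENY "
                     f"src=203.0.113.88 dst=198.51.100.{10 + i % 3} dport={8000 + i} proto=tcp")
    for i in range(15):                               # C: 15 ports spread over almost 5 hours
        lines.append(f"2024-03-02T{8 + i // 3:02d}:{(i % 3) * 20:02d}:00Z fw01 DENY "
                     f"src=203.0.113.150 dst=198.51.100.10 dport={1000 + i} proto=tcp")
    for i in range(200):                              # D: one port retried 200 times, pure hay
        lines.append(f"2024-03-02T09:{i // 4:02d}:{(i % 4) * 15:02d}Z fw01 DENY "
                     f"src=192.0.2.55 dst=198.51.100.10 dport=443 proto=tcp")
    return "\n".join(lines)


def parse_deny_lines(text):
    """Parse matching DENY lines; anything else is skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["dport"] = int(r["dport"])
        records.append(r)
    return records


def summarise_by_source(records):
    """Collapse N lines into one summary per source: the first step in removing hay."""
    per_src = {}
    for r in records:
        s = per_src.setdefault(r["src"], {"lines": 0, "ports": set(), "dsts": set(),
                                          "first": r["ts"], "last": r["ts"], "off_hours": 0})
        s["lines"] += 1
        s["ports"].add(r["dport"])
        s["dsts"].add(r["dst"])
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
        if r["ts"].hour < 6:          # the "someone knocking at 2 a.m." signal
            s["off_hours"] += 1
    return per_src


def recon_alerts(per_src, min_ports=10, window_minutes=30):
    """One alert per source that touched many distinct ports inside a short window."""
    alerts = []
    for src, s in per_src.items():
        span_min = (s["last"] - s["first"]).total_seconds() / 60
        if len(s["ports"]) >= min_ports and span_min <= window_minutes:
            alerts.append({"src": src, "distinct_ports": len(s["ports"]),
                           "targets": len(s["dsts"]), "lines": s["lines"],
                           "span_min": round(span_min, 1),
                           "off_hours_share": round(s["off_hours"] / s["lines"], 2)})
    return sorted(alerts, key=lambda a: -a["distinct_ports"])


def detection_quality(alerts, known_scanners):
    """False-positive / false-negative accounting against a labelled set of scanner sources."""
    flagged = {a["src"] for a in alerts}
    tp = len(flagged & known_scanners)
    fp = len(flagged - known_scanners)
    fn = len(known_scanners - flagged)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


def triage(text, known_scanners=frozenset()):
    records = parse_deny_lines(text)
    alerts = recon_alerts(summarise_by_source(records))
    return {"lines": len(records), "alerts": alerts,
            "quality": detection_quality(alerts, set(known_scanners))}


if __name__ == "__main__":
    result = triage(build_sample_log(), {"203.0.113.7", "203.0.113.88", "203.0.113.150"})
    print(f"{result['lines']} deny lines -> {len(result['alerts'])} reconnaissance alerts")
    for alert in result["alerts"]:
        print(alert)
    print(result["quality"])
```

Run as a script, 253 deny lines collapse into two alerts, and the 200-line retry storm from one client produces none. The slow sweep is deliberately missed: the 30-minute window keeps the noisy client out but costs one false negative, which is exactly the trade-off the false-negative metric exists to track, and the reason the thresholds should be tuned per environment rather than copied.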

 

Speakers:

Brad LaPorte a former army officer with extensive experience in cybersecurity, provides invaluable insights into the evolving landscape of digital threats. With a background in military operations, LaPorte witnessed firsthand the early stages of nation-state cyber attacks, laying the groundwork for his deep understanding of cybersecurity challenges. Through his journey, he has observed the transformation of defense tactics from traditional, labor-intensive methods to modern, cloud-based solutions. LaPorte's expertise offers a unique perspective on the intersection of technology, security, and the underground economy of cybercrime. In this discussion, he shares his experiences and analysis, shedding light on the complexities of cybersecurity in the digital age.


Bikash Barai is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and holds multiple US patents (USPTO). Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums such as TiE, RSA Conference USA and TEDx.

Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital (now part of Synopsys). iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

 

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/ 


Fortify Your SMB Security: Multi-Factor Authentication and Continuous Validation

 

In this discussion, we look at the strategies and trade-offs for small and medium-sized businesses (SMBs) that want to run a continuous security validation program. With cyber threats targeting organizations of every size, and ransomware operators scanning every reachable IP address regardless of who owns it, proactive security measures are crucial for safeguarding digital assets.


Here is the verbatim discussion:

Exercise. So in the, you, and just running that for a couple of hours a day for a month or, you know, whatever period. And kind of like a good example that I have come up with over the years is getting a kind of like an elementary school or grade school, getting a bunch of children ready for a fire drill. So if you remember when you were younger and going through that, the fire alarm goes off and then everybody kind of freaks out and they don't know what to do. And then, you know, basically as you go through these rehearsals you identify, okay, well, when the alarm goes off we get single file, we go outside, and then we make sure everyone's safe and out of the building, we make sure everything's right, and then once the firemen come, then it's safe to get back in. And you got to kind of treat it like that, and, you know, effectively it is a fire in your organization. And doing these fire drills and doing these practices, doing tabletop exercises and identifying, okay, what is the route that we're going to go, and taking that and putting it on the wall, putting it in the break room, you know: in the event that there is a ransomware attack, you unplug your computer, report it to security immediately. And then having the actual templates for how you're going to communicate that internally and externally, and having each of those different phases. And then the continuous aspect of this is making it better over time. So it basically, and when I was a functional manager one of the key things I was telling my employees is improve every day. You know, if you can have just those micro little actions, you know, over a period of time you'll actually start moving up the security maturity levels and going from a one to a two, a two to a three, so on and so forth, by looking at those different weak points. And where attack surface management comes in is it helps you identify those weak points, and then it helps you really prioritize it and, in having an actual, like, turning it into an action plan. So you have your current state, and then collectively you and your stakeholders that you have in your company, you have a desired state, and then in the middle is kind of that crawl, walk, run and that project plan that gets you there. And that's what works the best. And I've worked with, you know, hundreds, maybe thousands of organizations over the years, and this is the very simple approach that works really well. You can't just throw a bunch of technology at it; it has to be a mix of people, process and technology. There has to be governance around it. You have to have, you know, modernized technology to help, especially on the automation side, to make it continuous, and then actually having people have the skill set, and then being able to level up those organizations, excuse me, those resources, to be effective in their job and their role.

Yeah, yeah, that's a great point. Crawl, walk, run, and that's probably the only way to run. Yeah, you gonna get there. Yeah, so let me bring up this more in the context of the small and medium-sized businesses. So for them, who doesn't have access to all these latest and greatest ASM and card tools etc., and may not have that number of people to run those, so what do you think, how should SMB approach when it comes to continuous security validation? Because today the attackers are targeting the SMB more or less in the same manner as anybody else, because on the internet, for a ransomware guy, it is the same IP, so they just target every single IP address across the globe, right? So how do you think SMB should approach building a continuous security validation program?

Yeah, and my advice is same process, but think smarter, not harder. And really what it comes down to is, it comes right back to the attack surface, but it's really being strict around you and being open and saying, do we really need this? So a good aspect to it is, you know, you talked about the attack surface getting into, you know, areas where now we have, you know, IoT and endpoints and more things that are, you know, interconnected with the cloud and more exposed. It's no longer just a network perimeter, especially in these smaller organizations; they have all these endpoints and all these different aspects, and having their environment be hardened, and then implementing network segmentation and breaking off those components. So, like, a good example, going back to the house analogy: you know, if someone breaks into my house and I lock each individual door within my house, which is the equivalent of having segmentation, it actually, you know, kind of hardens the internal aspect once they actually break in, so the overall impact that exists is greatly reduced. And that's really the fundamentals around the attack surface management component. So, and the advice I've given organizations is like, if it doesn't need to be in your environment, then don't have it be in your environment. So if you don't need organizations to access, to basically not have any kind of URL filtering or having any kind of blocked websites, like, you shouldn't be able to go to whatever website that you want if you're working in a corporate environment and a corporate machine. And that's a very common mistake that organizations have: they don't have any policies around what people can access and can't access. And in some work environments it's not appropriate and doesn't make sense from a security perspective to have access to social media, or being able to have typical regular users have administrative access so they can download whatever programs that they want. And I can think of over a hundred examples where that was commonplace, and organizations have come to me and asked me, you know, is it a best practice to not have the end user have access to administrative rights? And it's like, well, yeah, absolutely. And that's an easy fix; it doesn't cost anything to do that. You know, it's not a bona fide business need to have them have it, and it greatly reduces your security risk. And once you start adding in things like multi-factor authentication, stricter password rules, and then password resets, having the segmentation aspect where you're locking each individual door, and then basically constantly checking and going in and doing these monitoring aspects and having these different exercises with red teams, and having more of the in-depth on specific use cases. So, like, this month we're going to go in and just validate that, you know, we can respond to a phishing attack or ransomware attack, or someone taking advantage of a vulnerability in our server architecture. And then, and there's a lot of open source software out there too; there's pros and cons to that, but there are a lot of tools out there. And a lot of organizations are actually moving towards a product-led growth type approach where they actually have a premium-level version of their product. So those are definitely things that they should absolutely take advantage of, where there's tons of tools out there that they can get exposure to and get access to, especially if they're tight on budgets. The other thing, too, is to prioritize consolidated solutions. So with the advent of endpoint protection platforms and extended detection and response, or XDR, and a lot of the MDR, managed detection and response, and managed services out there, I would certainly prioritize kind of an all-in-one type approach where, it's not necessarily the best of breed in all the different categories, but you can identify certain areas that are the most important to you and being able to implement that, and kind of you get the biggest return on your investment. And then over time you can start weaving in best-of-breed solutions as you get more budget, you get more mature, and you kind of move up those security maturity levels.

Yeah, so Brad, you made a few great points which I believe are very, very helpful for these small and medium-sized businesses. One point you mentioned was that you can start crawling with open source tools, right? Of course open source tools have their pros and cons, but if you have somebody who has got some bandwidth, that's a great way to start, right? So that's a great start for sure, and there are a lot of such open source tools out there. And another, second very interesting strategy which you mentioned, broad-level strategy, is finding those solutions which have got multiple things together rather than going for a single specialized thing; look for Swiss Army knives kind of stuff, right, which has multiple things together. So those are some really, really great points. And let's move to the next part, which is: you have seen all of these organizations which have matured over a period of time, and you have seen across various breadth of the industry, so what have been some of the key things which you noticed as the common success factors as well as common mistakes? So some of the common success factors and failure factors when it comes to implementing continuous security validation.

Yeah, very good point. And I'll kind of preface this by saying the answer is unique to every single organization, so it heavily depends on the nature of the business, the culture, unfortunately budgets, and having that strategic alignment between the overall organization's financial goals and their security goals. And, you know, as part of that, you ultimately want to prevent attacks from happening in the first place, and there are key metrics that you can identify where you're able to reduce those attempts in the first place. So the equivalent of this would be, like, let's just say 2 o'clock in the morning you hear someone knocking on your door, you know, between the hours of 2 and 3 a.m., and, you know, although they're not getting in, that's the equivalent of reconnaissance. And they're basically trying to probe and identify areas that you're in, and those might be, you know, something as simple as firewall deny logs that might be of interest, and then so on and so forth. So anything you can do to identify those areas and eliminate them or reduce them is a key metric that you want to have. The other thing is, like, in the event that you actually have an incident, or that you have a breach or someone's in your organization, then the number one thing is to detect them as soon as possible, and, you know, overall reducing what's called the dwell time, the amount of time that that attacker is in your house, effectively. And you want to basically investigate it as quickly as possible, you want to eradicate it as quickly as possible, and you want to address what the core entry point was in the first place and then basically pop it up, fix it, so it doesn't happen again. And, you know, those are key fundamentals that are there. And that's where the biggest challenge is: organizations just don't have the visibility that they require to get to those points. Those are certainly very key. The other kind of key point that organizations will get into is, you know, a lot of the monitoring and doing these different assessments, ultimately they're trying to find a needle in a haystack, is a common analogy that's used. And unfortunately what organizations will do, especially early on, is they'll add more and more hay with the idea that they will have better visibility. Unfortunately, that actually makes things more difficult because it's more difficult to actually find the needle. So as a key metric and focus and priority area, it's definitely a best practice to eliminate the noise and eliminate all that excess hay, so you can find these needles faster and quicker and eventually get to the point where you're actually able to categorize the individual needles, so you can actually identify a needle within a stack of needles that's relevant to the specific use case that you have. Because what will happen with advanced persistent threats is they'll actually come back time and time again. And unfortunately one of the key things that ends up happening, especially with a ransomware attack, is organizations will actually recover and implement a backup, or basically get to a steady state, but they won't address the main entry point that the attackers used to get in. So all they do is they come right back in, and that's why paying for a ransomware doesn't really work, because a lot of times organizations don't address the core entry point. And once kind of the word gets out, then it's open season, so you might have multiple different criminal organizations looking to get into your environment. And there's metrics that you can build around all of those things, like reducing false positives, reducing false negatives, and then overall measuring.

Highlights:

Starting Smart: Following a "crawl, walk, run" approach, the speakers recommend that SMBs begin with simple, high-return measures: assess the current security posture, remove local administrator rights from regular users, restrict what corporate machines can reach (URL filtering), segment the network so that an intruder who gets in cannot reach everything, and keep patching and device inventories current. Multi-factor authentication (MFA), stricter password rules, and security awareness among employees reduce risk without significant spend.

Optimizing Resources: For SMBs with limited resources, open-source tools and free or premium tiers of commercial products are cost-effective starting points, provided someone has the bandwidth to run them. Prioritizing consolidated solutions with multiple capabilities, such as endpoint protection platforms (EPP), extended detection and response (XDR), and managed detection and response (MDR), gives broad coverage for the budget; best-of-breed point products can be layered in later as budget and maturity grow.

Addressing Common Pitfalls: The most common mistake is adding more data ("hay") in the hope of better visibility, which only makes genuine threats ("needles") harder to find. Reducing noise and tracking false positives and false negatives are essential for effective detection. Equally important is closing the entry point after an incident: restoring from backup without fixing the root cause invites the same attackers, and others once word gets out, to return.

Success Metrics: Continuous security validation is measured by fewer attack attempts reaching the organization (reconnaissance visible in sources as simple as firewall deny logs), prompt detection, and minimal dwell time between intrusion and detection, investigation, and eradication. SMBs should focus on eliminating noise, improving visibility, and closing root causes so that the same incident does not recur.
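The two metrics the speakers keep returning to, reconnaissance attempts visible in firewall deny logs and dwell time between intrusion and detection, together with the noise problem listed under Common Mistakes earlier on this page, are easier to reason about with a concrete script. The Python below is an added example written for this page; it is not code from the discussion or from either speaker. The log line format, the IP addresses (taken from the RFC 5737 documentation ranges), the benign-scanner allowlist, the port threshold, and the incident records are all constructed for illustration.

```python
"""Added example (not from the discussion): reduce firewall deny-log "hay" to a
short list of reconnaissance sources, and compute dwell time for incidents.
All log lines, addresses, allowlist entries and incident records are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog-style deny lines from a perimeter firewall.
# 203.0.113.7 sweeps several ports (a real probe), 192.0.2.44 is a scanner the
# SOC has allowlisted as benign, and 198.51.100.200 is a single stray hit.
SAMPLE_DENY_LOG = """\
2024-03-02T02:10:01Z fw01 DENY TCP 203.0.113.7:51001 -> 198.51.100.10:22
2024-03-02T02:10:02Z fw01 DENY TCP 203.0.113.7:51002 -> 198.51.100.10:23
2024-03-02T02:10:03Z fw01 DENY TCP 203.0.113.7:51003 -> 198.51.100.10:445
2024-03-02T02:10:04Z fw01 DENY TCP 203.0.113.7:51004 -> 198.51.100.10:3389
2024-03-02T02:10:05Z fw01 DENY TCP 203.0.113.7:51005 -> 198.51.100.11:8080
2024-03-02T02:11:10Z fw01 DENY TCP 192.0.2.44:40001 -> 198.51.100.10:443
2024-03-02T02:11:11Z fw01 DENY TCP 192.0.2.44:40002 -> 198.51.100.10:80
2024-03-02T02:11:12Z fw01 DENY TCP 192.0.2.44:40003 -> 198.51.100.11:8443
2024-03-02T02:11:13Z fw01 DENY TCP 192.0.2.44:40004 -> 198.51.100.12:22
2024-03-02T14:00:00Z fw01 DENY UDP 198.51.100.200:5353 -> 198.51.100.10:5353
this line is malformed and must be skipped rather than crash the parser
"""

# Hypothetical allowlist of internet-wide scanners the SOC treats as noise.
KNOWN_BENIGN_SCANNERS = {"192.0.2.44"}
# Distinct destination ports a source must touch before it counts as a probe.
SCAN_PORT_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_deny_log(text):
    """Parse deny lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def summarize_recon(events, benign=KNOWN_BENIGN_SCANNERS, threshold=SCAN_PORT_THRESHOLD):
    """Collapse per-packet denies into one record per source, then keep only the
    sources worth an analyst's time: many distinct ports and not allowlisted."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "targets": set(),
                                   "first": None, "last": None})
    for e in events:
        rec = per_src[e["src"]]
        rec["hits"] += 1
        rec["ports"].add(e["dport"])
        rec["targets"].add(e["dst"])
        # ISO 8601 timestamps in a single format compare correctly as strings
        rec["first"] = e["ts"] if rec["first"] is None else min(rec["first"], e["ts"])
        rec["last"] = e["ts"] if rec["last"] is None else max(rec["last"], e["ts"])
    needles = [
        {"src": src, "hits": rec["hits"], "distinct_ports": len(rec["ports"]),
         "targets": len(rec["targets"]), "first": rec["first"], "last": rec["last"]}
        for src, rec in per_src.items()
        if src not in benign and len(rec["ports"]) >= threshold
    ]
    needles.sort(key=lambda n: (-n["distinct_ports"], n["src"]))
    return {"raw_events": len(events), "sources": len(per_src), "needles": needles}


# Constructed incident records: earliest attacker evidence versus SOC detection,
# plus whether the entry point was actually closed after recovery.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "first_evidence": "2024-02-20T03:15:00Z",
     "detected": "2024-02-21T09:00:00Z", "entry_point_closed": True},
    {"id": "INC-2", "first_evidence": "2024-02-01T00:00:00Z",
     "detected": "2024-02-15T12:00:00Z", "entry_point_closed": False},
]


def dwell_time_hours(incident):
    """Hours between the attacker's first known activity and detection."""
    first = datetime.strptime(incident["first_evidence"], TS_FMT)
    found = datetime.strptime(incident["detected"], TS_FMT)
    return (found - first).total_seconds() / 3600


def incident_metrics(incidents):
    dwell = [dwell_time_hours(i) for i in incidents]
    return {
        "mean_dwell_hours": sum(dwell) / len(dwell),
        "max_dwell_hours": max(dwell),
        # incidents recovered from backup without closing the entry point are
        # the ones the speakers warn will recur
        "open_entry_points": [i["id"] for i in incidents if not i["entry_point_closed"]],
    }


if __name__ == "__main__":
    summary = summarize_recon(parse_deny_log(SAMPLE_DENY_LOG))
    print(f'{summary["raw_events"]} deny events from {summary["sources"]} sources '
          f'reduced to {len(summary["needles"])} probe(s):')
    for n in summary["needles"]:
        print(f'  {n["src"]}: {n["distinct_ports"]} ports on {n["targets"]} host(s), '
              f'{n["first"]} .. {n["last"]}')
    print(incident_metrics(SAMPLE_INCIDENTS))
```

On the constructed input, ten deny events from three sources collapse to a single probe record (the port sweep from 203.0.113.7); the allowlisted scanner and the lone stray hit are filtered out as noise, and dropping the allowlist brings the scanner back as a second needle, which is the tuning knob the speakers describe. The incident half reports mean and maximum dwell time and lists any incident whose entry point was never closed, the condition under which a repeat breach is expected.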

 

SMBs can meet the challenge of continuous security validation with a pragmatic approach sized to their resources and needs. By putting foundational controls in place, making the most of open-source and consolidated tooling, and avoiding the common pitfalls of excess noise and unaddressed root causes, SMBs can improve their security posture and reduce cyber risk. Prioritizing preventative measures and tracking a few clear metrics (attempts reaching the organization, time to detect, dwell time, false positives and negatives) gives the feedback loop needed to keep improving against evolving threats.

 

Speakers:

Brad LaPorte, a former Army officer with extensive experience in cybersecurity, provides invaluable insights into the evolving landscape of digital threats. With a background in military operations, LaPorte witnessed firsthand the early stages of nation-state cyber attacks, laying the groundwork for his deep understanding of cybersecurity challenges. Over his career he has observed the transformation of defense tactics from traditional, labor-intensive methods to modern, cloud-based solutions. LaPorte's expertise offers a unique perspective on the intersection of technology, security, and the underground economy of cybercrime. In this discussion, he shares his experiences and analysis, shedding light on the complexities of cybersecurity in the digital age.


Bikash Barai is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and holds multiple US patents (USPTO). Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums such as TiE, RSA Conference USA and TEDx.

Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital (now part of Synopsys). iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

 

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/ 
