May 20 2024


Category: Least Privilegedisc7 @ 10:19 am

The Principle of Least Privilege (PoLP) is a foundational concept in cybersecurity, aimed at minimizing the risk of security breaches. By granting users and applications the minimum levels of access—or permissions—needed to perform their tasks, organizations can significantly reduce their attack surface. In the context of cloud computing, implementing PoLP is critical. This article explores how to enforce PoLP in the three major cloud platforms(cloud security): Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).


1. Identity and Access Management (IAM)

AWS IAM is the core service for managing permissions. To implement PoLP:

  • Create Fine-Grained Policies: Define granular IAM policies that specify exact actions allowed on specific resources. Use JSON policy documents to customize permissions precisely.
  • Use IAM Roles: Instead of assigning permissions directly to users, create roles with specific permissions and assign these roles to users or services. This reduces the risk of over-permissioning.
  • Adopt IAM Groups: Group users with similar access requirements together. Assign permissions to groups instead of individual users to simplify management.
  • Enable Multi-Factor Authentication (MFA): Require MFA for all users, especially those with elevated privileges, to add an extra layer of security.

2. AWS Organizations and Service Control Policies (SCPs)

  • Centralized Management: Use AWS Organizations to manage multiple AWS accounts. Implement SCPs at the organizational unit (OU) level to enforce PoLP across accounts.
  • Restrict Root Account Usage: Ensure the root account is used sparingly and secure it with strong MFA.

3. AWS Resource Access Manager (RAM)

  • Share Resources Securely: Use RAM to share AWS resources securely across accounts without creating redundant copies, adhering to PoLP.


1. Azure Role-Based Access Control (RBAC)

Azure RBAC enables fine-grained access management:

  • Define Custom Roles: Create custom roles tailored to specific job functions, limiting permissions to only what is necessary.
  • Use Built-in Roles: Start with built-in roles which already follow PoLP principles for common scenarios, then customize as needed.
  • Assign Roles at Appropriate Scope: Assign roles at the narrowest scope possible (management group, subscription, resource group, or resource).

2. Azure Active Directory (Azure AD)

  • Conditional Access Policies: Implement conditional access policies to enforce MFA and restrict access based on conditions like user location or device compliance.
  • Privileged Identity Management (PIM): Use PIM to manage, control, and monitor access to important resources within Azure AD, providing just-in-time privileged access.

3. Azure Policy

  • Policy Definitions: Create and assign policies to enforce organizational standards and PoLP. For example, a policy to restrict VM sizes to specific configurations.
  • Initiative Definitions: Group multiple policies into initiatives to ensure comprehensive compliance across resources.


1. Identity and Access Management (IAM)

GCP IAM allows for detailed access control:

  • Custom Roles: Define custom roles to grant only the necessary permissions.
  • Predefined Roles: Use predefined roles which provide granular access and adhere to PoLP.
  • Least Privilege Principle in Service Accounts: Create and use service accounts with specific roles instead of using default or highly privileged accounts.

2. Resource Hierarchy

  • Organization Policies: Use organization policies to enforce constraints on resources across the organization, such as restricting who can create certain resources.
  • Folder and Project Levels: Apply IAM policies at the folder or project level to ensure permissions are inherited appropriately and follow PoLP.

3. Cloud Identity

  • Conditional Access: Implement conditional access using Cloud Identity to enforce MFA and restrict access based on user and device attributes.
  • Context-Aware Access: Use context-aware access to allow access to apps and resources based on a user’s identity and the context of their request.


As a Cloud Security Analyst, ensuring the Principle of Least Privilege (PoLP) is critical to minimizing security risks. This comprehensive guide will provide detailed steps to implement PoLP in AWS, Azure, and GCP.



  1. Access the IAM Console:
    • Navigate to the AWS IAM Console.
    • Review existing policies under the “Policies” section.
    • Look for policies with wildcards (*), which grant broad permissions, and replace them with more specific permissions.
  2. Audit IAM Roles:
    • In the IAM Console, go to “Roles.”
    • Check each role’s attached policies. Ensure that each role has the minimum required permissions.
    • Remove or update roles that are overly permissive.


  1. Set Up Access Analyzer:
    • In the IAM Console, select “Access Analyzer.”
    • Create an analyzer and let it run. It will provide findings on resources shared with external entities.
    • Review the findings and take action to refine overly broad permissions.


  1. Simulate Policies:
    • Go to the IAM Policy Simulator.
    • Simulate the policies attached to your users, groups, and roles to understand what permissions they actually grant.
    • Adjust policies based on the simulation results to ensure they provide only the necessary permissions.


  1. Enable AWS CloudTrail:
    • In the AWS Management Console, go to “CloudTrail.”
    • Create a new trail to log API calls across your AWS account.
    • Enable logging and monitor the CloudTrail logs regularly to detect any unauthorized or suspicious activity.
  2. Use AWS Config:
    • Navigate to the AWS Config Console.
    • Set up AWS Config to monitor and evaluate the configurations of your AWS resources.
    • Implement AWS Config Rules to check for compliance with your least privilege policies.


  1. AWS Trusted Advisor:
    • Access Trusted Advisor from the AWS Management Console.
    • Review the “Security” section for recommendations on IAM security best practices.
  2. AWS Security Hub:
    • Enable Security Hub from the Security Hub Console.
    • Use Security Hub to get a comprehensive view of your security posture, including IAM-related findings.



  1. Azure AD Roles:
    • Navigate to the Azure Active Directory.
    • Under “Roles and administrators,” review each role and its assignments.
    • Ensure users are assigned only to roles with necessary permissions.
  2. Role-Based Access Control (RBAC):
    • Go to the “Resource groups” or individual resources in the Azure portal.
    • Under “Access control (IAM),” review role assignments.
    • Remove or modify roles that provide excessive permissions.


  1. Review Resource Policies:
    • For each resource (e.g., storage accounts, VMs), review the access policies to ensure they grant only necessary permissions.
  2. Network Security Groups (NSGs):
    • Navigate to “Network security groups” in the Azure portal.
    • Review inbound and outbound rules to ensure they allow only necessary traffic.


  1. Azure Activity Logs:
    • Access the Activity Logs.
    • Monitor logs for changes in role assignments and access patterns.
  2. Azure Security Center:
    • Open Azure Security Center.
    • Regularly review security recommendations and alerts, especially those related to IAM.


  1. Azure Policy:
    • Create and assign policies using the Azure Policy portal.
    • Enforce policies that require the use of least privilege access.
  2. Azure Blueprints:
    • Use Azure Blueprints to define and deploy resource configurations that comply with organizational standards.
  3. Privileged Identity Management (PIM):
    • In Azure AD, go to “Privileged Identity Management” under “Manage.”
    • Enable PIM to manage, control, and monitor privileged access.



  1. Review IAM Policies:
    • Access the IAM & admin console.
    • Review each policy and role for overly permissive permissions.
    • Avoid using predefined roles with broad permissions; prefer custom roles with specific permissions.
  2. Create Custom Roles:
    • In the IAM console, navigate to “Roles.”
    • Create custom roles that provide the minimum necessary permissions for specific job functions.


  1. Service Accounts:
    • In the IAM & admin console, go to “Service accounts.”
    • Review the permissions granted to each service account and ensure they are scoped to the least privilege.
  2. VPC Firewall Rules:
    • Navigate to the VPC network section and select “Firewall rules.”
    • Review and restrict firewall rules to allow only essential traffic.


  1. Cloud Audit Logs:
    • Enable and configure Cloud Audit Logs for all services.
    • Regularly review logs to monitor access and detect unusual activities.
  2. IAM Recommender:
    • In the IAM console, use the IAM Recommender to get suggestions for refining IAM policies based on actual usage patterns.
  3. Access Transparency:
    • Enable Access Transparency to get logs of Google Cloud administrator accesses.


  1. Security Command Center:
    • Access the Security Command Center for a centralized view of your security posture.
    • Use it to monitor and manage security findings and recommendations.
  2. Forseti Security:
    • Deploy Forseti Security for continuous monitoring and auditing of your GCP environment.
  3. Policy Intelligence:
    • Use tools like Policy Troubleshooter to debug access issues and Policy Analyzer to compare policies.


  1. Schedule Periodic Reviews:
    • Regularly review IAM roles, policies, and access patterns across your GCP projects.
    • Use the Resource Manager to organize resources and apply IAM policies efficiently.

By following these detailed steps, you can ensure that the Principle of Least Privilege is effectively implemented across AWS, Azure, and GCP, thus maintaining a secure and compliant cloud environment.

Implementing the Principle of Least Privilege in AWS, Azure, and GCP requires a strategic approach to access management. By leveraging the built-in tools and services provided by these cloud platforms, organizations can enhance their security posture, minimize risks, and ensure compliance with security policies. Regular reviews, continuous monitoring, and automation are key to maintaining an effective PoLP strategy in the dynamic cloud environment.

Securing DevOps: Security in the Cloud 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cloud security, least privilege, Security in the Cloud

May 16 2024

ISO 27001 Standard, Risk Assessment and Gap Assessment

Category: ISO 27kdisc7 @ 10:45 am

The core section of the standard retains its 11 clauses with minor modifications, while significant structural revisions have been implemented in the Annex A controls. Control categories have been rearranged, resulting in a reduction in the total number of controls. Broadly speaking, 11 new controls have been added, 57 controls have been consolidated, 23 controls have been rebranded, and three controls have been eliminated. The introduction of these 11 new controls underscores the heightened significance of Cloud, DevOps, and Personal Information, which have evolved over the past decade.

  • A.5.7 Threat intelligence 
  • A.5.23 Information security for the use of cloud services 
  • A.5.30 ICT readiness for business continuity 
  • A.7.4 Physical security monitoring 
  • A.8.9 Configuration management 
  • A.8.10 Information deletion 
  • A.8.11 Data masking 
  • A.8.12 Data leakage prevention 
  • A.14.1.4 Secure development policy 
  • A.16.2.4 Security of supplier services 
  • A.18.2.3 Protection of personal information in public clouds 

ISO 27002:2022 has three control types, #Preventive, #Corrective and #Detective. Some of these controls share more than one control types. There are total 12 Detective, 13 Corrective, and 83 Preventive controls and 15 controls (12+13+83 = 108 -15 = 93) which share more than one control type in ISO 27002:2022 latest guidance. If you like to know more about how and when to start complying with new and latest control guidance, please contact us to book an appointment to discuss the details, how DISC llc can assist your organization with ISO 27001 compliance or certification plans. 

for more details: iso-27001-assessment

To download and review the standard: COPYRIGHT PROTECTED DOCUMENT

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ISO 27001 2022

May 14 2024

Free & Downloadable Access Control Policy Template

Category: Access Control,Information Securitydisc7 @ 7:18 am

Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.

Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.

Download the templates

  1. Access Control Policy Template – PDF
  2. Access Control Policy Template – Word
  3. Access Control Policy Template – Google Docs.

What does the Access Control Policy template include?

Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.

Here are some of the key components included in the template:

  • Document Control;
  • Purpose and Scope;
  • Policy Statement;
  • Roles & Responsibilities;
  • Access Control Principles;
  • Access Control Measures;
  • Access Control Technologies;
  • Monitoring and Auditing;
  • Incident Management;
  • Policy Compliance;
  • Policy Review.

Benefits of using our Access Control Policy template

Implementing an effective access control policy offers several key benefits:

  • Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
  • Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
  • Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
  • Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.

To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.

You can then customize the template to fit the specific needs and context of your organization.

By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.

Feel free to check out our other cybersecurity templates, such as patch management templatesincident response plan templatesemail security policy templatesthreat and vulnerability management templates, and more.

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.


Free and Downloadable Account Management Policy Template [2024]

Free and Downloadable Email Security Policy Template [2024]

[Free & Downloadable] Cybersecurity Incident Response Plan Templates – 2024

[Free & Downloadable] Cybersecurity Risk Assessment Templates – 2024[Free & Downloadable] Threat & Vulnerability Management Templates – 2024

[Free & Downloadable] Patch Management Templates – 2024

Privacy Policy Template

Employee policy handbook template

The Complete Company Policies

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

May 13 2024

Tycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Category: 2FAdisc7 @ 8:22 am

Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts, which leverage an Adversary-in-the-Middle (AitM) technique to steal user session cookies, bypassing multi-factor authentication (MFA) protections. 

By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures cookies that grant attackers unauthorized access to compromised accounts and cloud services, even if additional security measures are implemented. 

The Tycoon 2FA phishing kit received an update in March 2024, specifically designed to bypass security defenses, and the update enhanced the kit’s evasion capabilities through obfuscated JavaScript and HTML code, making the code unreadable, hindering analysis.

Tycoon 2FA to facilitate MFA token theft and bypass. 

On Telegram, it sells pre-made phishing pages targeting Microsoft 365 and Gmail credentials, which lowers the technical barrier for attackers by offering easy-to-use templates. 

Proofpoint TAP Dashboard campaign snapshot from December campaigns. 

The attack works through a reverse proxy, capturing login credentials and relaying them to the real service to bypass the login page, as the attackers steal the session cookies returned during successful logins, granting unauthorized access even with MFA enabled. 

It facilitates credential theft by bypassing multi-factor authentication (MFA), and attackers use various lures such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages. 

QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023. 

The pages often include CAPTCHAs to appear legitimate and steal login credentials and MFA tokens. Security researchers at Proofpoint identified rules to detect Tycoon landing pages based on these tactics. 

AI-powered behavioral analytics and a URL sandbox are used to identify and block malicious landing pages and phishing activity associated with Tycoon 2FA and similar threats that are achieved by combining threat intelligence with machine learning to recognize suspicious behaviors. 

Global threat intelligence feeds give information about bad infrastructure, which helps defenders stop known and new threats before they happen by making it easier to find them, fix problems, and manage human risk when it comes to new phishing techniques.

The Beginner’s Guide to Cybersecurity: Master the Art of Online Safety – From Passwords to Privacy, Everything You Need to Know for a Secure Digital

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: 2FA Attacking

May 11 2024

Unlock The Power of 1000+ ChatGPT Prompts!

Category: ChatGPTdisc7 @ 12:02 pm

Get the Most Out of Your Content Creation, Lead Generation, and Innovation Efforts!

Awesome ChatGPT Prompts

OpenAI Cookbook – Code and example prompts for accomplishing common tasks with the OpenAI API

Linus on Twitter

Barsee – ChatGPT Full Course

Rohit Ghumare on Twitter – ChatGPT for DevOps Engineers

Pratham Kumar on Github – ChatGPT Prompts

Kavir Kaycee – ChatGPT prompts for product Managers – ChatGPT Copywriting Prompts

Pascio – Copywriting ChatGPT prompts

Hasan – The Ultimate ChatGPT Guide

GarryFlix – ChatGPT Business Crash Course Playbook

donbader – The Ultimate ChatGPT Business Course

Abhishek – ChatGPT All-In-One Resources

Fatih Kadir – The Art of ChatGPT Prompting: A Guide to Crafting Clear and Effective Prompts

Sushant Lakhyani – 333+ Mind-Bending ChatGPT Prompts

Martin Slaney – The Product Manager’s Prompt Book

BONUS: Awesome Innovations using ChatGPT

Curated by: Rohit Ghumare

ChatGPT jailbreak prompts proliferate on hacker forums

ChatGPT FOR CYBERSECUITY: The Ultimate Weapon Against Hackers

ChatGPT Hacking (in Portuguese)

PROMPTLY SPEAKING A COMPREHENSIVE GUIDE TO CHATGPT PROMPTS: From Basics to Brilliance, Unravel the Secrets of Effective AI Communication

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ChatGPT, ChatGPT Prompts

May 09 2024

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

Category: APT,Cyber Attackdisc7 @ 8:55 am

The Polish computer emergency response team has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.

According to the analysis, the attack begins with spear-phishing emails containing malicious attachments or links.

The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.

Subject: I solved your problem

Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)

Threat actors are increasingly using free, commonly-used services like and to deliver malware while evading detection.

This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to, a free API testing service, which then redirects to for logging requests.

A ZIP archive disguised as an image file (e.g. is downloaded from

With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.

entire attack flow

Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.

“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained in their report. urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.

APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.

The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.

This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.

The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.

The Bear Roars: Russia’s Cyber Spies And Global Threat To Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT28, Hacker Group

May 07 2024

Hackers Use Custom Backdoor & Powershell Scripts To Attack Windows Machines

Category: Information Securitydisc7 @ 7:45 am

The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.

These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.

Sophisticated Tools For Stealthy Operations

The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.

NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.

On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.

These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.

According to Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.

The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.

These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.

The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.

The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.

Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.

Ethical Hacking Module 6 – Trojans and Backdoors

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

May 06 2024

How to prepare for the CISSP exam: Tips from industry leaders

Category: CISSPdisc7 @ 9:14 am

The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance.

In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or in the final stages of preparation, these guidelines will help ensure you are well-equipped to tackle the CISSP certification exam.

Biljana Cerin, CEO, Ostendo Consulting

My preparation for the CISSP exam took exactly 10 sunny afternoons while working on a project in Palo Alto. Every day after work, I took “Shon Harris,” at that time the so-called “CISSP exam prep Bible.” I remember studying by the pool, swimming in between the chapters, so overall, it was a fun way to spend these afternoons without feeling like I was missing the sunny California weather.

I divided the contents of the book in a way that allowed me to read it all in eight days, while I dedicated the last two entire days to practicing exam questions and revisiting domains where my answers were incorrect, studying them a bit deeper. I remember that at that time (2013), there was a very popular site where colleagues from the profession would discuss questions or topics they struggled with, and “talking” to colleagues on that platform was of huge help.

The exam itself, I think, took about an hour and a half, and I passed on the first attempt. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity.

Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam.

Shannon Brewster
Shannon Brewster, Executive Director, General Manager, AT&T Cybersecurity

Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. I recommend a 90-day preparation plan tailored to reinforce key cybersecurity concepts and identify weaker areas through regular practice.

Being intentional with your time is crucial; consider mapping out each domain as a “sprint” and mapping core concepts to learn each week. Schedule daily dedicated study time and regular practice exams. Testing with approved sample questions helps gauge your readiness and pinpoint specific topics you need to shore up on.

Most security professionals will find themselves very strong in the domains they work in most often, and weak in others. Cryptology is the Achilles’ heel for many.

I incorporated tools like handwritten index cards for constant review to boost memory retention. This method of repetition embeds critical information, making it more readily recalled.

An important element of my preparation was participating in a 6-day bootcamp. The bootcamp was a source of confidence because I had the benefit of a thorough review of the all the content that was necessary to understand. It also helped me build a new network of peers who supported each other as accountability partners and encouragement.

Make sure you take the exam within two weeks of a bootcamp to maximize the “cone of learning” on memory retention.

Lastly, don’t forget about the physical dimension, staying focused on your health and wellness throughout your preparation. Deep sleep is required for memory retention and recall, so avoiding alcohol and practicing sleep hygiene will improve your score. I brought a jump rope to my test and stepped out regularly to infuse fresh blood to my brain, vastly improving my focus.

This strategy worked for me to pass on my first attempt, I hope these ideas might work for you.

CISSP exam prep
Ryan Williams Sr., IT Security Analyst, Buddobot

Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. This method ensured a deep understanding of the content required to pass the CISSP exam:

1. Bootcamp: I started my preparation with a rigorous week-long bootcamp (40 hours). This intensive course helped establish a solid foundation and highlighted areas where I needed further study. Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). A good bootcamp will expose your weak areas and help you to hone in on where you need to obtain more knowledge.

2. Targeted reading: After identifying my weak spots during the bootcamp, I skimmed the Official ISC2 CISSP Common Body of Knowledge (CBK) specifically focusing on those areas.

3. In-depth study guides: I read the ISC2 CISSP Official Study Guide from cover to cover to ensure a comprehensive grasp of all domains. Additionally, I went through the Eleventh Hour CISSP: Study Guide twice, which is excellent for refreshing your memory due to its concise format.

4. Video courses and webinars:

  • I watched Kelly Henderhan’s Cybrary CISSP course twice. Her engaging teaching style and clear explanations helped reinforce the key concepts.
  • Larry Greenblatt’s series, “CISSP Practice Question with Spock & Kirk”, was instrumental in applying theoretical knowledge practically through scenario-based questions.
  • Pearson VUE’s Complete CISSP Video Course was another resource I used, which also included domain challenge questions that tested my understanding as I progressed.

5. Motivational prep: Before the exam, I watched Kelly Henderhan’s motivational video, “Why you WILL pass the CISSP”. This not only boosted my confidence but also put me in the right mindset to tackle the exam.

This structured approach to studying for the CISSP took approximately 6 months, using a mix of reading, practical exercises, and motivational content, equipped me with the knowledge and confidence to successfully pass the exam.

CISSP exam prep
Stein A. J. Mollerhaug, Senior Cybersecurity Advisor

For most people, passing the CISSP exam is the main obstacle. In addition to passing the exam, you must also document at least five years of experience in two or more of the eight CISSP knowledge domains. But don’t worry, if you miss that experience, you can get an associate status while you work on gaining the needed experience. Once the experience is documented, you will get upgraded without the need for a new exam.

You don’t need to follow any official course to sit for the CISSP exam and get CISSP certified, but the feedback from almost all students is that following an official course with an official instructor helps – a lot.

In my experience, there are three critical success factors for passing the exam:

1. Understand the basics of cybersecurity and information technology.
2. Understand how management systems work for the key processes in information security.
3. Be able to apply that knowledge to real life situations or imagined scenarios.

If you are unable to explain how the encryption in AES actually works, you are still fine with regards to the exam. If you don’t know that AES is a symmetrical algorithm and what it can be used for, you have some learning to do before sitting for the exam. This is just one example. CISSP is not a technical course, but as a cyber- or information security leader, you must know the basic technology you are going to use.

Management systems ensure the quality of the security implementations. Standards like ISO/IEC 27001 contain some of the framework for having measurability and the ability to improve your cybersecurity. There are such standards in almost all areas of cybersecurity. Knowledge of them is key to passing the exam.

The exam itself often asks for “best”, “most” or “not”. The key here is that you are to apply your knowledge and experience to find the right answer. Even if you don’t know a specific answer, you should be able to apply your knowledge to find the right answer through the process of elimination. That means you have to think and not just recall from memory when you sit for the exam.

This is also why many find the exam to be very exhausting. For each question, you need to read the answer alternatives and the question, think – and then answer. The good news is that for almost all questions, there will be two answer alternatives that you can easily eliminate – if you know your cybersecurity – and have read the question properly. Then you spend your time to choose between the two remaining.

And another piece of good news: You don’t need to be 100% right, 70% is the requirement for passing. And to destroy a myth: Time is not a key issue. Exhaustion is. Take breaks, even if the clock is not stopping during the breaks.

Andrea Szeiler-Zengo
Andrea Szeiler-Zengo, President of the Women4Cyber Hungarian Chapter

When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class.

The CISSP is unlike other exams where you can memorize the answers. You must understand the security domains. When I took the CISSP exam, the cloud and third-party risk sections were a big focus. However, these topics were not discussed in detail in the study materials.

You absolutely need to plan how you will prepare for it.

I gave myself a deadline, registered for the exam, and spent six months studying. I read all the study materials and did practice questions, but I also kept up with news and new technologies.

I tried to set aside 30 minutes each day to review materials. I read on public transport, at the beach, and pretty much everywhere else. The most significant help arrived via my network. They helped me out with questions and motivated me during these challenging days.

You might be asking yourself – why bother getting the CISSP certification in the first place? It makes you more recognizable to employers who trust people holding the certification. And let’s be honest, they’re more likely to pay you more. So, go for it, good luck!

CISSP exam prep
Edwin Covert, Head of Cyber Risk Engineering, Bowhead Specialty

Earning my CISSP in 1999 was a different experience from today’s process. Back then, comprehensive study guides and boot camps weren’t a thing. We had a two-week course delivered in segments—a week-long session followed by three weeks off, then another week to wrap up. We relied heavily on ISC2’s list of recommended books.

Sitting in that George Mason University classroom in Virginia, I was surrounded by a wealth of information security knowledge, a term not yet replaced by cybersecurity. I wanted to absorb everything. The discussions were phenomenal – a constant back-and-forth exchange of ideas among experienced professionals. I mostly listened, soaking it all in, occasionally contributing my thoughts. This became my learning model throughout my career.

The saying goes, “If you’re the smartest person in the room, you’re in the wrong room.” This held true for me. I actively sought out those more experienced in cybersecurity.

My advice is to start small, find mentors, and become a knowledge sponge. Don’t limit yourself to books—seek practical knowledge as well. Talk to veterans in the field, learn from their experiences, and integrate your ideas as you grow.

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CISSP Certified Information Systems Security Professional Official Study Guide

May 05 2024

68% Of Data Breach Occurs Due To Social Engineering Attacks

Category: social engineeringdisc7 @ 9:40 am

In the latest edition of Verizon’s Data Breach Investigations Report (DBIR) for 2024, a concerning trend has been highlighted, a significant 68% of data breaches are now occurring due to social engineering attacks.

This revelation underscores the increasing sophistication and prevalence of these tactics in the cyber threat landscape.

Social engineering exploits the human factor, manipulating individuals into breaking normal security procedures.

The DBIR’s findings suggest that despite advancements in technology, human vulnerabilities remain a critical weak point.

The report indicates that phishing, pretexting, and other forms of social engineering are not only prevalent but are also becoming more sophisticated.

Breakdown of breaches by attack type
Breakdown of breaches by attack type

Verizon’s 2024 DBIR has revised its methodology to provide clearer insights into breaches involving the human element.

It excludes cases of malicious privilege misuse to focus on incidents that could potentially be mitigated through improved security awareness and training.

The Role Of Ransomware And Extortion

The report also sheds light on the role of ransomware and extortion in the cybersecurity threat landscape.

Approximately one-third of all breaches involved these tactics, with pure extortion attacks marking a significant rise over the past year.

This shift indicates a strategic evolution among cybercriminals, who are increasingly leveraging ransomware and extortion to capitalize on their attacks.

Breakdown of breaches by attack type.
Breakdown of breaches by attack type.

The combination of ransomware and other forms of extortion has been particularly impactful, affecting 32% of breaches and being a top threat across 92% of industries surveyed.

This highlights the critical need for organizations to enhance their defensive strategies against these forms of cyberattacks.

Third-Party Vulnerabilities And Preventive Measures

An expanded concept of breaches involving third-party entities was introduced in this year’s report.

This includes incidents where partner infrastructure is compromised or where indirect software supply chain issues occur.

The report notes a 68% increase in such breaches, primarily fueled by zero-day exploits used in ransomware and extortion attacks.

                                            68% increase in such breaches
                                            68% increase in such breaches

This finding emphasizes the importance of diligent vendor selection and the need for organizations to prioritize security in their supply chains.

By choosing partners with robust security measures, companies can significantly mitigate the risk of being compromised through third-party vulnerabilities.

Verizon’s 2024 DBIR provides a stark reminder of the persistent and evolving threats in the digital world.

With a significant portion of breaches attributable to social engineering, the human element continues to be a critical battleground in cybersecurity.

Organizations must prioritize comprehensive security training and robust protocols to safeguard against these insidious attacks.

Meanwhile, the rise of ransomware and extortion, along with the vulnerabilities in third-party partnerships, calls for an urgent reassessment of current security strategies and vendor management practices.

Social Engineering: The Science of Human Hacking

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Social Engineering Attacks, Social Engineering: The Science of Human Hacking

May 03 2024

Work from Home: Precautions, Risks, and Potential Outcomes

Category: WFHdisc7 @ 3:26 pm

Did you know that working from home carries additional security risks? Fortunately, there are simple — yet critical — steps your employees can take to ensure they can work remotely from home as securely as possible. Even more, these tips will help to make a far more safe and secure home for your employees and their families moving forward.

Via SANS Security Awareness:

The Future of the Office: Work from Home, Remote Work, and the Hard Choices We All Face

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: work from home

May 03 2024

What is Smishing?

Category: Information Security,Phishingdisc7 @ 10:21 am

What is Smishing and Why?

Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned the easiest way to get something is just ask for it. This concept is not new, con artists and scammers have existed for thousands of years, it’s just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.

Phishing is one of the most common forms of social engineering as it’s one of the simplest and most effective and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to be effective with phishing. This is where smishing comes in.

Smishing vs Phishing

Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.

Why the Increase in Smishing Attacks?

  1. It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employees’ mobile devices like they do for workstations. This means it’s harder to both secure and monitor mobile devices.
  2. There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
  3. A text message tends to be much shorter than an email, there is far less context or information, making it harder to determine if the message is legitimate or not. In other words, people are more likely to fall victim.
  4. Texting tends to be far more informal than email, as such people tend to trust and act on text messages more. In other words, people are more likely to fall victim.

The Smishing Attacks

So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.


The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.


In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.


Like some phishing emails, the text message has a phone number in it and is urging the victim to call. Once the victim calls the phone number they are then scammed.

What to Do About Smishing Attacks?

While many security training programs focus on phishing, we far too often neglect text based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, to include both email phishing and text based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, like in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.

  • Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
  • Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
  • Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
  • Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.

Smishing Minefield: Defusing Text Message Threats

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Smishing

May 03 2024

2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element

Category: Data Breachdisc7 @ 7:19 am

This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. The MOVEit software breach was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to finance and insurance industries.

“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business.

In a possible relief to some anxieties, the rise of AI was less of a culprit vs challenges in large-scale vulnerability management. “While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Novak said.

Analysis of the CISA Known Exploited Vulnerabilities (KEV) catalog revealed that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.

“This year’s DBIR findings reflect the evolving landscape that today’s CISO’s must navigate – balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,” said Craig Robinson, Research VP, Security Services at IDC. “The breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises.”

Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric—new for the 2024 DBIR — shows a 68% increase from the previous period described in the 2023 DBIR.

The human factor remains the primary entry point for cybercriminals

68% of breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.

“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” Novak added.

Other key findings from this year’s report include:

  • 32% of all breaches involved some type of extortion technique, including ransomware
  • Over the past two years, roughly a quarter (between 24% and 25%) of financially motivated incidents involved pretexting
  • Over the past 10 years, the Use of stolen credentials has appeared in almost one-third (31%) of all breaches
  • Half of the reaches in EMEA are internal
  • Espionage attacks continue to dominate in APAC region

“The Verizon 2024 Data Breach Investigations Report shows it’s the still the basics security errors putting organizations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams. This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare, the breach was executed via an unsecured employee credential and the organization is now facing over a billion in losses. No other organisation wants to find itself in this position,” William Wright, CEO of Closed Door Security, told Help Net Security.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: 2024 DBIR, data breaches, Verizon data breach report

May 02 2024

VNC Is The Hacker’s New Remote Desktop Tool For Cyber Attacks

Category: Hacking,Security Toolsdisc7 @ 7:26 am

While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.

The multitude of ports makes it difficult to monitor for malicious traffic. 

Weak credentials and software vulnerabilities are exploited to gain access to user systems.

Hackers may also use technical support scams to trick users into granting access.  

The Most Targeted Remote Desktop Tools In The Last 12 Months

Researchers identified VNC, a platform-independent remote desktop tool using RFB protocol, as the most targeted remote desktop application (98% of traffic).

The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass. 

Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.

The security of VNCs varies depending on the specific software, while some offer weak password limitations, others leverage SSH or VPN tunnelling for encryption.

VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions. 

Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China. 

Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC. 

Flaws Exploited

In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software,  and RDP vulnerabilities like CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda

Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks. 

In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.

North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques. 

TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication. 

Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams. 

Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities. 

AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

May 01 2024

Cybersecurity careers and resources to kickstart your professional journey

Category: Cyber career,cyber security,InfoSec jobsdisc7 @ 7:53 am

Cybersecurity Jobs 3-in-1: Resume Marketing, Career Paths and Work From Home with cybersecurity

Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career

Women Know Cyber: 100 Fascinating Females Fighting Cybercrime

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Navigating the Cybersecurity Career Path

See Yourself in Cyber: Security Careers Beyond Hacking

Career Pathways in Cyber Security: From Classroom to Boardroom

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Apr 30 2024

Tracecat: Open-source SOAR

Category: Open Source,Security Toolsdisc7 @ 7:11 am

Tracecat is an open-source automation platform for security teams. The developers believe security automation should be accessible to everyone, especially understaffed small- to mid-sized teams. Core features, user interfaces, and day-to-day workflows are based on existing best practices from best-in-class security teams.

Use specialized AI models to label, summarize, and enrich alerts. Contextualize alerts with internal evidence and external threat intel:

  • Find cases using semantic search
  • MITRE ATT&CK labels
  • Whitelist / blacklist identities
  • Categorize related cases
  • MITRE D3FEND suggestions
  • Upload evidence and threat intel

Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. The developers aim to give technical teams a Tines-like experience but with a focus on open-source and AI features.

While Tracecat is designed for security, its workflow automation and case management system are also suitable for various alerting environments, such as site reliability engineering, DevOps, and physical systems monitoring.

Turn security alerts into solvable cases:

  • Click-and-drag workflow builder – Automate SecOps using pre-built actions (API calls, webhooks, data transforms, AI tasks, and more) combined into workflows. No code required.
  • Built-in case management system – Open cases direct from workflows. Track and manage security incidents all-in-one platform.

Tracecat is cloud-agnostic and deploys anywhere that supports Docker. It’s available for free on GitHub.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK(TM) Framework and open source tools

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Tracecat

Apr 29 2024

PoC Exploit Released For Windows Kernel EoP Vulnerability

Category: Security vulnerabilities,Windows Securitydisc7 @ 7:22 am

Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.

One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High). 

This vulnerability relates to a TOCTOU (Time-of-Check Time-of-Use)Race Condition that could be exploited.

Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.

This vulnerability existed in multiple versions of Windows 10, Windows 11, and Windows Server (2019, 2022). 

However, Microsoft has patched this vulnerability, and users are advised to update their Operating Systems accordingly.

Technical Analysis

proof of concept for this vulnerability has been published in GitHub which consists of a DEF file, a EXP file, a LIB file and an SLN file.

Additionally, another folder was found on the repository, which had a C file, a VCXPROJ file, and a VCXPROJ filters file.

On investigating further, an explanation of this vulnerability was provided by the researcher who discovered this proof of concept.

The explanation suggests that this vulnerability exists due to a double fetch performed by the PspBuildCreateProcessContext function in Windows.

When creating a process, multiple attributes are created and provided to NtCreateUserProcess syscall via PS_ATTRIBUTE_LIST, an array of PS_ATTRIBUTE structures.

This list of attributes will reside in the user mode memory which are then processed by the PspBuildCreateProcessContext function.

As a matter of fact, this function contains a large number of scenarios for handling every attribute type it processes.

On looking deep into it, it was discovered that this PspBuildCreateProcessContext function performs a double-fetch of the Size field when handling the PsAttributeMitigationOptions and PsAttributeMitigationAuditOptions attribute types.

This is where the race condition exists in which the value of the Size field can be changed between the fetches that could potentially result in a stack buffer overflow.

Though this vulnerability has a proof of concept code in GitHub, there is no explanation of exploitation provided.

Windows 23H2 edition code (Source: Exploit for Sale)
Windows 24H2 Edition code (Source: Exploit for Sale)

Affected Products And Fixed In Versions

ProductFixed in Build Number
Windows 10 Version 22H2 for 32-bit Systems10.0.19045.4291
Windows 10 Version 22H2 for ARM64-based Systems10.0.19045.4291
Windows 10 Version 22H2 for x64-based Systems10.0.19045.4291
Windows Server 2022, 23H2 Edition (Server Core installation)10.0.25398.830
Windows 11 Version 23H2 for x64-based Systems10.0.22631.3447
Windows 11 Version 23H2 for ARM64-based Systems10.0.22631.3447
Windows 11 Version 22H2 for x64-based Systems10.0.22621.3447
Windows 11 Version 22H2 for ARM64-based Systems10.0.22621.3447
Windows 10 Version 21H2 for x64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for ARM64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for 32-bit Systems10.0.19044.4291
Windows 11 version 21H2 for ARM64-based Systems10.0.22000.2899
Windows 11 version 21H2 for x64-based Systems10.0.22000.2899
Windows Server 2022 (Server Core installation)10.0.20348.2402
Windows Server 202210.0.20348.2402
Windows Server 2019 (Server Core installation)10.0.17763.5696
Windows Server 201910.0.17763.5696
Windows 10 Version 1809 for ARM64-based Systems10.0.17763.5696
Windows 10 Version 1809 for x64-based Systems10.0.17763.5696
Windows 10 Version 1809 for 32-bit Systems10.0.17763.5696

It is recommended that users of these vulnerable versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.


InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: PoC Exploit

Apr 26 2024

What is Vishing

Category: Phishingdisc7 @ 11:04 am

Ready to learn about Vishing? Let’s play Vishing Vigilante. The term vishing is short for Voice Phishing which is basically a scam carried out over the phone. Vishing calls are often cash driven. The attacker wants to trick you into gaining access to your money. Scammers may also take advantage of your desire to be helpful, create a sense of urgency, or stir strong emotions like fear and curiosity. It’s easy to impersonate someone over the phone, but here’s the thing; you’re always in control because you can always disconnect. A scammer may try to manipulate you by trying to scare you. They might claim that you have overdue taxes and will be arrested unless you pay them immediately. Scammers may try to excite you by claiming you have won a prize or a vacation, and to claim it you just need to pay a small fee. They may tug at your heart strings by claiming to be a charity that needs your donations. Pretty low right. So the next time you receive a strange phone call, ask yourself if it could be a vishing attack and remember you can always disconnect. When it comes to cybersecurity we all need to level up.

Vishing: Voice Vishing

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


Apr 26 2024

25 cybersecurity AI stats you should know

Category: AI,cyber securitydisc7 @ 7:33 am

Security pros are cautiously optimistic about AI

Cloud Security Alliance and Google Cloud | The State of AI and Security Survey Report | April 2024

  • 55% of organizations plan to adopt GenAI solutions within this year, signaling a substantial surge in GenAI integration.
  • 48% of professionals expressed confidence in their organization’s ability to execute a strategy for leveraging AI in security.
  • 12% of security professionals believe AI will completely replace their role.

AI abuse and misinformation campaigns threaten financial institutions

FS-ISAC | Navigating Cyber 2024 | March 2024

  • Threat actors can use generative AI to write malware and more skilled cybercriminals could exfiltrate information from or inject contaminated data into the large language models (LLMs) that train GenAI.
  • Recent quantum computing and AI advancements are expected to challenge established cryptographic algorithms.

Enterprises increasingly block AI transactions over security concerns

Zscaler | AI Security Report 2024 | March 2024

  • Today, enterprises block 18.5% of all AI transactions, a 577% increase from April to January, for a total of more than 2.6 billion blocked transactions.
  • Some of the most popular AI tools are also the most blocked. Indeed, ChatGPT holds the distinction of being both the most-used and most-blocked AI application.
cybersecurity ai stats

Scammers exploit tax season anxiety with AI tools

McAfee | Tax Scams Study 2024 | March 2024

  • Of the people who clicked on fraudulent links from supposed tax services, 68% lost money. Among those, 29% lost more than $2,500, and 17% lost more than $10,000.
  • 9% of Americans feel confident in their ability to spot deepfake videos or recognize AI-generated audio, such as fake renditions of IRS agents.

Advanced AI, analytics, and automation are vital to tackle tech stack complexity

Dynatrace | The state of observability 2024 | March 2024

  • 97% of technology leaders find traditional AIOps models are unable to tackle the data overload.
  • 88% of organizations say the complexity of their technology stack has increased in the past 12 months, and 51% say it will continue to increase.
  • 72% of organizations have adopted AIOps to reduce the complexity of managing their multicloud environment.

Today’s biggest AI security challenges

HiddenLayer | AI Threat Landscape Report 2024 | March 2024

  • 98% of companies surveyed view some of their AI models as vital for business success, and 77% have experienced breaches in their AI systems over the past year.
  • 61% of IT leaders acknowledge shadow AI, solutions that are not officially known or under the control of the IT department, as a problem within their organizations.
  • Researchers revealed the extensive use of AI in modern businesses, noting an average of 1,689 AI models actively used by companies. This has made AI security a top priority, with 94% of IT leaders dedicating funds to safeguard their AI in 2024.
cybersecurity ai stats

AI tools put companies at risk of data exfiltration

Code42 | Annual Data Exposure Report 2024 | March 2024

  • Since 2021, there has been a 28% average increase in monthly insider-driven data exposure, loss, leak, and theft events.
  • While 99% of companies have data protection solutions in place, 78% of cybersecurity leaders admit they’ve still had sensitive data breached, leaked, or exposed.

95% believe LLMs making phishing detection more challenging

LastPass | LastPass survey 2024 | March 2024

  • More than 95% of respondents believe dynamic content through Large Language Models (LLMs) makes detecting phishing attempts more challenging.
  • Phishing will remain the top social engineering threat to businesses throughout 2024, surpassing other threats like business email compromise, vishing, smishing or baiting.
cybersecurity ai stats

How AI is reshaping the cybersecurity job landscape

ISC2 | AI Cyber 2024 | February 2024

  • 88% of cybersecurity professionals believe that AI will significantly impact their jobs, now or in the near future, and 35% have already witnessed its effects.
  • 75% of respondents are moderately to extremely concerned that AI will be used for cyberattacks or other malicious activities.
  • The survey revealed that 12% of respondents said their organizations had blocked all access to generative AI tools in the workplace.
cybersecurity ai stats

Businesses banning or limiting use of GenAI over privacy risks

Cisco | Cisco 2024 Data Privacy Benchmark Study | February 2024

  • 63% have established limitations on what data can be entered, 61% have limits on which employees can use GenAI tools, and 27% said their organization had banned GenAI applications altogether for the time being.
  • Despite the costs and requirements privacy laws may impose on organizations, 80% of respondents said privacy laws have positively impacted them, and only 6% said the impact has been negative.
  • 91% of organizations recognize they need to do more to reassure their customers that their data was being used only for intended and legitimate purposes in AI.
cybersecurity ai stats

Unlocking GenAI’s full potential through work reinvention

Accenture | Work, workforce, workers: Reinvented in the age of generative AI | January 2024

  • While 95% of workers see value in working with GenAI, 60% are also concerned about job loss, stress and burnout.
  • 47% of reinventors are already thinking bigger—recognizing that their processes will require significant change to fully leverage GenAI.
cybersecurity ai stats

Adversaries exploit trends, target popular GenAI apps

Netskope | Cloud and Threat Report 2024 | January 2024

  • In 2023, ChatGPT was the most popular generative AI application, accounting for 7% of enterprise usage.
  • Half of all enterprise users interact with between 11 and 33 cloud apps each month, with the top 1% using more than 96 apps per month.

Artificial Intelligence for Cybersecurity

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cybersecurity AI stats

Apr 24 2024

PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389)

Category: Security vulnerabilitiesdisc7 @ 9:57 am

More details of and a proof-of-concept exploit for an unauthenticated OS command injection vulnerability (CVE-2024-2389) in Flowmon, Progress Software’s network monitoring/analysis and security solution, have been published.

The critical vulnerability has been disclosed and patched by Progress earlier this month. “Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the company says in an advisory that was last updated on Friday.

According to Progress Software, more than 1,500 organizations from all over the world use Flowmon for network monitoring and anomaly detection. Sega, TDK, and Kia are on the list.

About CVE-2024-2389

CVE-2024-2389 is command injection vulnerability affecting Flowmon versions 11.x and 12.x, but not versions 10.x and lower.

“Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,” the company explained.

The vulnerability was discovered and reported to Progress by David Yesland, a penetration tester at Rhino Security Labs, who detailed the discovery in a blog post published on Tuesday.

He noted that once the vulnerability is exploited and command execution is achieved, “the application runs as the ‘flowmon’ user so command will be executed as this user. The flowmon user can run several commands with sudo and several of the commands can be abused to obtain a root shell.”

Rhino Security Labs published a PoC exploit and has created a module that will soon be merged into Metasploit.

Firemon customers are advised to upgrade to one of the patched versions – v12.3.5 or 11.1.14 – as soon as possible, and to then upgrade all Flowmon modules.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CVE-2024-2389, PoC

Apr 24 2024


Category: Antivirus,Hacking,Malwaredisc7 @ 9:04 am

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks

The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.

The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.

eScan antivirus

The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection. 

Below the infection chain described by Avast:

  1. The eScan updater triggers the update 
  2. The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed) 
  3. A malicious package updll62.dlz is downloaded and unpacked by eScan updater 
  4. The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart 
  5. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find 
  6. Cleanup is performed, removing the update package 

GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.

In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.

Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.

Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.

The researchers speculate that using the miner could be a diversionary tactic.

“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


Next Page »