marcel, 7 months ago

@Folini was greeting everyone half an hour ago to #SCS23. I'm looking forward to a great day.

marcel, 7 months ago

@evacide from #EFF had a great Keynote about the human aspects, why we need 100% #HTTPS coverage (with just 99%, drive-by zero-click malware insertions can still happen).
#SCS23

marcel, 7 months ago

The IMHO most important take-away message from @evacide 's Keynote, not only with respect to #DomesticAbuse :

«Humans are more important than Things»

(aka: Don't treat #Humans as #Things! Don't even start thinking about it!)

marcel, 7 months ago

The second keynote at #SCS23 with some technical difficulties. Therefore, the screen is filmed with a camera and projected to the screen. Instead of a plain HDMI connection. (And no, it is not for security reasons aka #AirGap).

marcel, 7 months ago

#DavidJacoby in the second keynote points out that most passwords follow the following rule:

Password23!

Where "Password" is the capitalization of an important word, "23" is the (2 or 4 digit) year, and "!" is the most common special character.

marcel, 7 months ago

@ChristinaLekati now talking about #SocialEngineering at #SCS23.

marcel, 7 months ago

@ChristinaLekati talking about new trends in #SocialEngineering at #SCS23:

➡️ In some cases, one year of "lying low", ⅔ years of slow contact buildup
➡️ Buildup of "personal relationship", possibly including #flirting
➡️ Learning whether to recruit as insider (disgruntled? …)
➡️ Opinion surveys to get more information

#Phishing is upgrading to real spy recruiting qualities.
Be aware of this!

marcel, 7 months ago

@ChristinaLekati mentions that spy agencies are talking about #espionage campaigns, with a particular focus on #Switzerland.

Attackers ranging from state-sponsored, Cyber Criminals, Competitors, but also Hacktivists.

Her advice: "Be careful, especially if your organization is involved in #CriticalInfrastructure, important technology #HighTech, #research, #SupplyChain, or targeted by #APT."

marcel, 7 months ago

@ChristinaLekati advice (my summary):

• Know about the attack
• Learn how to detect it
• Learn what to do, when you think someone starts getting you involved (whether/when/how to abort)

Tell your friends and family!

marcel, 7 months ago

#ChristineBejerasco talking about "Secure-by-Design: How do You Design with a Security Mindset for the User?" at #SCS23:

• Design for ease of use
• Design with misuse in mind
• How we failed to prevent online access/commerce, word processors, email, supply chains, IoT devices, … being misused

Design approaches:

• Password meters, outdated/weak software/plugins, keygrabbing preventions, password managers → #SSO, app #sandboxing, #FullDiskEncryption #FDE, …

marcel, 7 months ago

Critique about #CyberAwareness programs:

• #DevOps teams need #ThreatModeling training
• Finance, sales reps, HR, … need specific training
• Third-Party risk management as #ShiftLeft in #NDA
• Document labeling -> #AutoLabeling (with "Internal-by-default", users have become lazy)

Q&A:

• #AI might be helpful to protect against #Phishing, which targets the user's workflow (last-minute things)
  #SCS23

marcel, 7 months ago

#SBB working on specific #AwarenessTraining, avoiding repetitions.

• Move from compliance-focused to really promote awareness/behavior change, long-term sustainment/culture change, and metrics framework
• 150 professions, 50 locations, 4 languages
• "Legacy" means up to 100 years old equipment 😊

#SCS23

marcel, 7 months ago

#SBB specific awareness:

• 1500 interviews with team leass to learn about problems, challenges, situation
• Dashboard with actionable data, interpreted
• Collection of learning nuggets (with timeouts)
• For the unmeasured parts, have risk management
• Security Champions all over the company
• Continuous improvement

#SCS23

marcel, 7 months ago

#Honeypots are often too obvious about being a #Honeypot:
#SheilaABerta looks at error messages and their differences between the emulated service and the honeypot's version. She requires only a single message to expose the fake service.

Honeypot writer need to improve their "compatibility".
#SCS23

marcel, 7 months ago

#ChristineBejerasco on the challenges of next year in the interview with @Folini :

Managing #ThirdParty risk, namely the potential security problems comes from using #SaaS services, will be the main challenge for the near future. And don't forget the subcontracters.

Christian Folini compared this to the #Xplain leak, without mentioning their name. #SCS23

marcel, 7 months ago

#StefanLüders from #CERN talking about the challenges of managing a network: "Help! I Have Data Center Nightmare"
#SCS23

marcel, 7 months ago

#StefanLüders at #SCS23 explaining that when adding more manageability, scalability, virtualization etc. you continually add abstraction layers, separate networks, ….
Only to reconnect them at the next level again, reintroducing the interdependence and kill isolation anf security.

"So, this is not #KISS, this is #ACDC!"

marcel, 7 months ago

Only opened the goodie bag today (thanks, @adfichter for the reminder! 😊).

I really appreciate the guys that included the bugs I can hunt for strength (left) and the blue pills, not only for the blue team! 🖖
#SCS23