Missed out on Day 1 @HexCon23?
We've got you covered. Check out this blog to catch up on everything you missed on Day 1 of HexCon23.
Get fresh insights, pro tips, and thought starters–only the best of posts for you.
Sep 21, 2023
21 min read
Well, well, well, the second day of HexCon23 has wrapped up on a high. The sense of excitement and energy back here is palpable. Today saw an impressive lineup of sessions covering cybersecurity, incident response, and data privacy. In case you missed out on anything, fret not; here you go: HexCon23 day 2 highlights!
Bryan Seely, a former US marine, who wiretapped into the US Secret Service and FBI talked about a hacker gang gaining popularity with their recent set of breaches, Lapsus$. In a daring series of breaches, a group of tech-savvy teenagers, operating under the alias “Lapsus$,” successfully infiltrated major organizations like HubSpot, Microsoft, Samsung, and NVIDIA. Moreover, they even leaked highly anticipated details of the much-awaited video game, GTA 6. While their exploits highlight their audacity, they also serve as a stark reminder of the pressing need to secure our digital lives.
What’s striking about these breaches is that they weren’t mere brute force attacks. Lapsus$ employed sophisticated social engineering techniques, even bypassing two-factor authentication (2FA) by bombarding victims with requests until frustration set in.
Bryan Seely also pointed some common mistakes we do, that leaves us exposed:
Boost your online security with these practical steps:
Regularly check your data on platforms like DeHashed, Have I Been Pawned?, Privacy.com, MySudo, and ProtonVPN to uncover potential leaks and vulnerabilities. In a world of evolving cyber threats, proactive measures are paramount. By following these practical tips, you can significantly bolster your digital defenses and enjoy a more secure online experience. Vigilance is your shield; stay safe out there!
Will Thomas, a cyber threat intelligence researcher for Equinix, talked about the stark differences between the Russian and Western Cybercriminals and how they join combine forces to create concerning attacks.
In the ever-evolving world of cybercrime, it’s becoming clear that the ransomware game has two distinct players: the English-speaking “hacktivists” and the Russian cyber professionals. Let’s break down this digital showdown in simple terms.
These folks are the rebels of the hacking world. While we don’t know their exact country of origin, they’re likely native English speakers. What sets them apart is that they do hacking for kicks, almost like a hobby. They use social engineering, SMS-based phishing, and even sim swapping to wreak havoc. If we notice their attacks closely, we can observe a playbook with tried-and-tested methods for different hacks. In February 2023, they hit Coinbase and Reddit hard, using these techniques to breach both platforms.
On the other side, we have the Russians, known as BlackCat or ALPHV. These folks mean business. They don’t just hack for fun; they provide ransomware as a service. They’re also linked to infamous groups like DarkSide and BlackMatter. Their process is systematic: they recruit affiliates from forums, create custom ransomware, provide tools to affiliates, execute attacks, and then dive into negotiations. The ransom loot is split between the affiliate and the BlackCat gang.
In mid-2023, the Canada Centre for Cybersecurity issued a warning about BlackCat targeting Canadian companies from January 2022 to July 2023. Examining these attacks, a pattern emerges: Scattered Spider’s knack for gaining access and BlackCat’s efficient ransomware often result in successful extortions.
To fight back against this growing threat, we need to be proactive. It’s crucial to invest in security awareness training, purple teaming, and incident response training. Using IAMs (Identity and Access Management), allowing only necessary apps through allowlisting, detecting driver-based attacks, and keeping an eye on online file-sharing sites can all play a part in keeping us one step ahead.
In this digital battlefield, understanding your adversaries and staying prepared is half the battle. Stay vigilant, stay secure.
Gerald J Caron, Chief Information Officer at the International Trade Administration took to the stage to talk about Zero-trust. In today’s digital age, trust is no longer a given. Zero-trust, a concept gaining momentum in cybersecurity, flips the script. Instead of assuming trust, it starts with the premise that everyone and everything could be a potential threat. Let’s break down this transformative journey in simple terms.
Zero-trust is like the guardian angel of your digital realm. It challenges the traditional cybersecurity approach, where systems are often over-protected, leading to network constraints. With Zero-trust, the focus shifts to a more nuanced, adaptive protection strategy.
Think of Zero-trust as a fortress with multiple layers. Its core pillars include:
Embracing Zero-trust offers tangible advantages:
Remember, zero-trust isn’t just a destination; it’s a journey. It’s a mindset shift where everyone plays a role in safeguarding digital assets. So, let’s embark on this journey together, because in the evolving world of cybersecurity, trust is something we earn, not assume. Zero-trust is your roadmap to a more secure digital future.
Shyam Prasad V, a lead product Strategist at Hexnode shared his thoughts about an Agentless Future. In the world of IT, agents are like the behind-the-scenes magicians, working their tricks for the wizards of technology. They bring control, reliability, flexibility, and cost-efficiency to the table. But there’s a flip side – privacy and security often take a hit. Enter the “agentless” solution – the IT management’s white knight. It promises to kick those pesky agents to the curb and eliminate privacy concerns. Major players like Android and Apple are already moving in this direction, aiming for a cleaner, safer digital world.
However, even heroes have their flaws. Agentless solutions rely on structured systems, which can slow down the integration of new enterprise solutions. It’s a battle between convenience and adaptability.
Now, let’s peek into the future with Unified Endpoint Management (UEM). Imagine a single command center ruling all your devices, from birth to retirement. Sounds amazing, right? But there’s a challenge – the UEM landscape is vast and complex, with each platform adding its unique twist.
While some UEMs specialize in certain platforms like Apple or Windows, Hexnode takes a different route. Instead of reinventing the wheel, it partners with existing service providers, making it the perfect dance partner in the IT orchestra.
The agent vs. agentless battle continues in the ever-evolving IT landscape, with UEM emerging as the grand unifier. It’s a balancing act, aiming for control without compromise. The choices we make today will shape the future of IT management.
Edwin Jerald, Lead Content Strategist at Hexnode talked about Generative AI and its future in business. Generative AI, exemplified by Chat-GPT, revolutionizes AI by creating new content from its data. Unlike traditional AI, it generates fresh material based on its training.
Bloomberg forecasts the Generative AI market to reach 1.3 trillion USD in a decade. To seize this growth, explore areas like Customer Operations, Marketing, Software Engineering, and Product Development. Now, let’s meet the stars of the Generative AI show:
But every journey has its challenges. Risks like output quality, privacy, data leakage, and technical know-how lurk along the way.
To navigate safely:
Patrick Garrity, Security Research and VP at Nucleus is renowned for groundbreaking contributions in transforming vulnerability data into informative visuals that empower teams in vulnerability management and security roles. The subject expert took to the HexCon23 stage to deliver an exciting session on vulnerabilities, exploitation, and intelligence.
Patrick set the stage by first easing into the history of vulnerability management. He highlighted how vulnerability management has evolved significantly over the years. It began as a reactive approach, where organizations mainly responded to security incidents as they occurred. However, as threats became more sophisticated, a proactive approach emerged. This involved scanning systems for vulnerabilities, patch management, and implementing security best practices. Today, vulnerability management is a crucial part of cybersecurity strategy, integrating continuous monitoring, assessment, and prioritization of vulnerabilities to mitigate risks effectively.
Moving on, Patrick brushed up on the crowd’s knowledge of CVSS. CVSS stands for the Common Vulnerability Scoring System. It is a standardized framework for assessing and rating the severity of security vulnerabilities in computer systems, software, and networks. CVSS provides a common language and methodology for security professionals to communicate and prioritize vulnerabilities based on their potential impact and exploitability. Here’s a quick rundown.
The CVSS framework assigns a numerical score to each vulnerability.
This score helps organizations prioritize which vulnerabilities to address first.
The score is calculated based on various factors, including the vulnerability’s impact on confidentiality, integrity, and availability, as well as its complexity and how it can be exploited.
So, what next after CVSS? Patrick’s answer was yet another acronym, EPSS. EPSS stands for Exploit Prediction Scoring System. EPSS uses a variety of factors to calculate its score, including the time since the vulnerability was published, the availability of exploit code, and the number of systems that are vulnerable.
Marcus Wells, the CEO of WellSecured IT discussed how vast PAM is and how it will boost security. Privileged Access Management (PAM) is like the guardian of your digital kingdom, ensuring that only the worthy have access to the most sensitive data and resources. But how does it work? Let’s break it down.
Now, here’s the butterfly effect of Identity Security: Identity and Access Management (IAM) leads to Customer Identity and Access Management (CIAM), which in turn leads to PAM, and all these roads eventually lead to the realm of zero-trust. Remember, PAM isn’t just about products; it’s about processes. Building a strong foundation is crucial before you start installing security tools. In the real world, PAM isn’t exclusive to corporate giants. It’s a shield for workplaces, educational institutions, and healthcare facilities alike. Your digital treasures deserve the best protection, no matter the size of your kingdom. So, embrace Privileged Access Management and fortify your digital fortress. Your data, your rules.
Cloud computing has witnessed a significant surge in popularity, with organizations of all sizes migrating their data and applications to cloud platforms. However, this transition to the cloud has ushered in a new set of security challenges. Cloud security often takes a backseat, leaving organizations vulnerable to data breaches and security incidents. A recent study conducted by the Cloud Security Alliance underscored this concern, revealing that a staggering 70% of cloud security incidents can be traced back to misconfigurations.
Ruchira Pokhriyal, a specialist in Cloud Security and Incident Response at Amazon Web Services, took to the HexCon23 stage and expertly handled a session on cloud security. The session shed light on the looming risks of data breaches, insider threats, and the often-underestimated menace of cloud misconfigurations.
One of the key concepts that the session addressed was the shared responsibility model of cloud computing. So, shared responsibility in cloud computing is a critical concept that defines the distribution of security responsibilities between cloud service providers (CSPs) and their customers. This model helps clarify who is responsible for securing various components and aspects of cloud services. Here’s a breakdown of shared responsibility in cloud computing:
The session struck the perfect balance between conceptual understanding and practical applications with the following key takeaways.
Ben Kereopa-Yorke, Senior Security Specialist at Telco, expertly handled a fast-paced session on artificial intelligence. The session dabbled in the future of AI for cybersecurity defense and risk mitigation. Ben focused on four main sections.
Essentially, leveraging Artificial Intelligence (AI) for governance is a transformative approach that has the potential to enhance the efficiency, transparency, and effectiveness of government processes and decision-making. With regard to data privacy and surveillance, Ben presented a nuanced evaluation of the benefits and risks associated with AI technologies. Striking the right balance requires careful consideration of individual rights, the necessity of surveillance for security and public safety, and the ethical principles that guide responsible AI development and deployment.
Can ChatGPT aid cybersecurity? With respect to cybersecurity, is ChatGPT a friend, a foe, or both? These questions formed the second half of Ben’s session.
Towards the very end of the session, Ben Kereopa-Yorke addressed the common vulnerabilities in machine learning models.
Harvey Nusz and Edward Ted Murphree, both Senior Risk and Compliance Engineers, used the HexCon23 platform to jointly reiterate the widely known yet forgotten fact that privacy is a fundamental human right. The thought-provoking discussion between Nusz and Murphree centered around the connection between privacy and compliance.
The two industry experts went back and forth to establish that there are two approaches to information privacy.
We are well aware that the inception of GDPR (General Data Protection Regulation) and Article 95/46/EC stemmed from a profound concern for safeguarding privacy as a fundamental human right. This movement gained momentum shortly after World War II, a period marked by the atrocities of genocide. Fast-forward to today, and nearly every European Union (EU) company embraces company policies centered on human rights.
Most of us have undergone the requisite training as well. In contrast, many companies in the United States do not deem it necessary to establish human rights policies. The discussion delved into this discrepancy and highlighted how this disparity might lead some private firms to perceive the risk of GDPR non-compliance as acceptable.
The speakers emphasized that this perspective often overlooks the potential consequences of GDPR violations. Penalties, including substantial fines, can not only dent a company’s finances, but also halt the processing of GDPR-protected data and disrupt cross-border data transfers. More importantly, such non-compliance infringes upon the privacy and human rights of the individuals affected, including employees, customers, and vendors.
John Erik Setsaas, the Director of Innovation in Financial Crime Prevention at Tietoevry Banking, steered the crowd through an intriguing session on ‘Digital Identity Wallet.’ First announced in 2020, the Digital Identity Wallet (DIW) is a specialized type of digital wallet designed for managing and securely storing an individual’s digital identity information. Unlike traditional digital wallets primarily used for financial transactions, a DIW focuses on storing and providing access to personal identity data, allowing users to control and share their identity information with various online services, organizations, and entities as needed.
Essentially, DIWs have the potential to simplify identity verification processes and enhance online security and privacy. Users can share specific aspects of their identity without revealing unnecessary information, reducing the risk of identity theft and fraud. Additionally, DIWs can streamline user experiences when signing up for new services or accessing existing ones by eliminating the need to repeatedly enter personal information. Setsaas mentioned that…
The session cast a light on some of the key features of DIWs.
Ngô Minh Hiēu, a.k.a Hieupc, the CEO and co-founder of Chongluadao.vn, a nonprofit anti-scam organization, and a full-time threat hunter at CyPeace took center stage at HexCon23. Hieupc had the audience hanging on to his words as he made a powerful case for how passwordless authentication thwarts phishing attacks. The perfect mix of stats, information, and onstage demo kept us hooked throughout the session.
Essentially, a phishing attack is a type of cyberattack in which an attacker attempts to deceive individuals or organizations into revealing sensitive information, such as login credentials, personal information, or financial details. Phishing attacks typically involve impersonating a trustworthy entity or creating a false sense of urgency to manipulate victims into taking actions that benefit the attacker. The session took a run down the timeline from the first recorded phishing attack on America Online (AOI) till date. The timeline, presented as the history of phishing attacks, covered…
Passwordless is the key to the future…
Hieupc’s session showed demo phishing attacks that showcased both the attacker’s trap setting and the victim’s fall into the trap. The session quickly summed up the different methods of passwordless authentication.
Throughout the session, and even while demonstrating how passwordless thwarted phishing attacks, courtesy of the literal lack of passwords 😉, Hieupc kept on reiterating the benefit of easier and quicker logins. No more memory exercises!
Documentation is a fundamental aspect of any organization, and much of it is intended for external clients. Regrettably, there are numerous areas, both within the structure of the documents and in their content, where crucial details about the organization can unintentionally slip through. Kristine Sihto, the documentation specialist at TinkerInk, hooked in the HexCon23 audience by handling a highly informative session on managing information leaks, specifically about the documentation process within an organization.
Information leaks stemming from documentation can be a significant concern for organizations. These leaks occur when sensitive or confidential information about the organization, its employees, internal processes, or clients unintentionally becomes accessible to unauthorized individuals. Such leaks can have serious consequences, including data breaches, privacy violations, and damage to an organization’s reputation. Here’s a look at some of the common causes of information leaks due to documentation:
So, what do we do? Well, here’s what the session taught me:
And that’s a wrap on the day 2 highlights of HexCon23. Did you feel like the day slipped away way too fast? We did, too! Well, don’t worry, though. We’ve still got one more day of intriguing sessions and amazing discussions. So, we’ll see you tomorrow, bright and early. And don’t forget, whatever you’ve missed out on, you’ll find it right here.
Until tomorrow, then!