HexCon23 day 2 highlights: In a nutshell

Alie Ashryver

Sep 21, 2023

21 min read

Well, well, well, the second day of HexCon23 has wrapped up on a high. The sense of excitement and energy back here is palpable. Today saw an impressive lineup of sessions covering cybersecurity, incident response, and data privacy. In case you missed out on anything, fret not; here you go: HexCon23 day 2 highlights!

Safeguarding your online presence: Insights from recent breaches and tips for a safer tomorrow

Bryan Seely, a former US Marine who once wiretapped the US Secret Service and FBI, talked about a hacker gang that has gained notoriety with its recent set of breaches: Lapsus$. In a daring series of breaches, a group of tech-savvy teenagers operating under the alias “Lapsus$” successfully infiltrated major organizations like HubSpot, Microsoft, Samsung, and NVIDIA. They even leaked highly anticipated details of the much-awaited video game GTA 6. While their exploits highlight their audacity, they also serve as a stark reminder of the pressing need to secure our digital lives.

Social Engineering: A stealthy weapon

What’s striking about these breaches is that they weren’t mere brute-force attacks. Lapsus$ employed sophisticated social engineering techniques, even bypassing two-factor authentication (2FA) by bombarding victims with authentication prompts until frustration set in and one was approved.

Bryan Seely also pointed out some common mistakes we make that leave us exposed, along with what to do instead:

  • Dummy mobile numbers: Consider using dummy mobile numbers when setting up accounts, especially those linked to finances or crypto wallets.
  • Crypto security: Never store cryptocurrencies in online wallets without physical key access.
  • Beware of social engineering: Stay cautious if you receive unsolicited urgent requests, experience heightened emotions, or encounter offers that seem too good to be true. Always verify identities.

Social engineering tactics to watch out for

Boost your online security with these practical steps:

  • MFA enforcement: Implement Multi-Factor Authentication (MFA) for an added layer of security.
  • FIDO tokens and YubiKey: Utilize physical tokens like FIDO Tokens and YubiKey for robust protection.
  • Authenticator apps: Opt for authenticator apps over email or SMS verification to enhance security.
  • Backup super admin accounts: Safeguard backup super admin accounts securely, such as in a fireproof safe.
  • No credential storage in browsers: Refrain from saving work credentials in browsers, a vulnerable spot.
  • Application whitelisting: Employ application whitelisting to block unauthorized software.
  • Advanced monitoring solutions: Invest in advanced monitoring solutions for swift threat detection and response.
  • Immutable backups: Ensure your backups are immutable, making it tough for attackers to manipulate them.
  • MFA number matching: When using MFA, prioritize number matching over simple allow/deny methods.
  • Segregated credentials: Use distinct credentials for user and admin accounts to limit access.

Check your data

Regularly check your data on platforms like DeHashed, Have I Been Pwned?, Privacy.com, MySudo, and ProtonVPN to uncover potential leaks and vulnerabilities. In a world of evolving cyber threats, proactive measures are paramount. By following these practical tips, you can significantly bolster your digital defenses and enjoy a more secure online experience. Vigilance is your shield; stay safe out there!

Ransomware face-off: Western hacktivists vs. Russian cyber pros

Will Thomas, a cyber threat intelligence researcher at Equinix, talked about the stark differences between Russian and Western cybercriminals and how they combine forces to create concerning attacks.

In the ever-evolving world of cybercrime, it’s becoming clear that the ransomware game has two distinct players: the English-speaking “hacktivists” and the Russian cyber professionals. Let’s break down this digital showdown in simple terms.

Western hacktivists: Scattered spider

These folks are the rebels of the hacking world. While we don’t know their exact country of origin, they’re likely native English speakers. What sets them apart is that they hack for kicks, almost like a hobby. They use social engineering, SMS-based phishing, and even SIM swapping to wreak havoc. If we look closely at their attacks, we can observe a playbook with tried-and-tested methods for different hacks. In February 2023, they hit Coinbase and Reddit hard, using these techniques to breach both platforms.

Russian cyber pros: BlackCat (or ALPHV)

On the other side, we have the Russians, known as BlackCat or ALPHV. These folks mean business. They don’t just hack for fun; they provide ransomware as a service. They’re also linked to infamous groups like DarkSide and BlackMatter. Their process is systematic: they recruit affiliates from forums, create custom ransomware, provide tools to affiliates, execute attacks, and then dive into negotiations. The ransom loot is split between the affiliate and the BlackCat gang.

In mid-2023, the Canadian Centre for Cyber Security issued a warning about BlackCat targeting Canadian companies from January 2022 to July 2023. Examining these attacks, a pattern emerges: Scattered Spider’s knack for gaining access and BlackCat’s efficient ransomware often result in successful extortions.

Mitigating the threat

To fight back against this growing threat, we need to be proactive. It’s crucial to invest in security awareness training, purple teaming, and incident response training. Using IAMs (Identity and Access Management), allowing only necessary apps through allowlisting, detecting driver-based attacks, and keeping an eye on online file-sharing sites can all play a part in keeping us one step ahead.

In this digital battlefield, understanding your adversaries and staying prepared is half the battle. Stay vigilant, stay secure.

Navigating the cybersecurity landscape: The path to zero-trust

Gerald J Caron, Chief Information Officer at the International Trade Administration, took to the stage to talk about zero-trust. In today’s digital age, trust is no longer a given. Zero-trust, a concept gaining momentum in cybersecurity, flips the script. Instead of assuming trust, it starts with the premise that everyone and everything could be a potential threat. Let’s break down this transformative journey in simple terms.

Zero-trust unveiled

Zero-trust is like the guardian angel of your digital realm. It challenges the traditional cybersecurity approach, where systems are often over-protected, leading to network constraints. With Zero-trust, the focus shifts to a more nuanced, adaptive protection strategy.

The pillars of zero-trust

Think of Zero-trust as a fortress with multiple layers. Its core pillars include:

  • Data: Safeguarding your digital treasure.
  • Device and Endpoint: Monitoring and securing all entry points.
  • Network and Environment: Constantly assessing the landscape.
  • Application and Workload: Ensuring that every digital task is trustworthy.
  • User: Validating the identity and intent of every user.
  • Visibility and Analytics: Keeping a watchful eye on the digital landscape.
  • Automation and Orchestration: Streamlining your security efforts.

An overview of zero-trust

Embracing Zero-trust offers tangible advantages:

  • Enhanced security: Elevates your overall cybersecurity posture.
  • Threat defense: Shields against both internal and external threats.
  • Data protection: Minimizes the chances of data breaches.
  • User activity insight: Amplifies visibility into user actions.
  • Reduced threat surface: Shrinks the playground for potential attacks.

Remember, zero-trust isn’t just a destination; it’s a journey. It’s a mindset shift where everyone plays a role in safeguarding digital assets. So, let’s embark on this journey together, because in the evolving world of cybersecurity, trust is something we earn, not assume. Zero-trust is your roadmap to a more secure digital future.

Balancing act: The agent vs. agentless dilemma in IT management

Shyam Prasad V, Lead Product Strategist at Hexnode, shared his thoughts about an agentless future. In the world of IT, agents are like the behind-the-scenes magicians, working their tricks for the wizards of technology. They bring control, reliability, flexibility, and cost-efficiency to the table. But there’s a flip side: privacy and security often take a hit. Enter the “agentless” solution, IT management’s white knight. It promises to kick those pesky agents to the curb and eliminate privacy concerns. Major players like Android and Apple are already moving in this direction, aiming for a cleaner, safer digital world.

However, even heroes have their flaws. Agentless solutions rely on structured systems, which can slow down the integration of new enterprise solutions. It’s a battle between convenience and adaptability.

Now, let’s peek into the future with Unified Endpoint Management (UEM). Imagine a single command center ruling all your devices, from birth to retirement. Sounds amazing, right? But there’s a challenge – the UEM landscape is vast and complex, with each platform adding its unique twist.

While some UEMs specialize in certain platforms like Apple or Windows, Hexnode takes a different route. Instead of reinventing the wheel, it partners with existing service providers, making it the perfect dance partner in the IT orchestra.

The agent vs. agentless battle continues in the ever-evolving IT landscape, with UEM emerging as the grand unifier. It’s a balancing act, aiming for control without compromise. The choices we make today will shape the future of IT management.

Exploring the boundless world of generative AI

Edwin Jerald, Lead Content Strategist at Hexnode, talked about generative AI and its future in business. Generative AI, exemplified by ChatGPT, revolutionizes AI by creating new content from its data. Unlike traditional AI, it generates fresh material based on its training.

Bloomberg forecasts the Generative AI market to reach 1.3 trillion USD in a decade. To seize this growth, explore areas like Customer Operations, Marketing, Software Engineering, and Product Development. Now, let’s meet the stars of the Generative AI show:

  • Text-based: Perfect for content writing and analysis, you’ve got ChatGPT, Copy.ai, and GrammarlyGO to lend a creative hand.
  • Code-based: If you’re in need of code generation, review, or documentation, ChatGPT, Seek, and Mintlify have your back.
  • Image-based: For image generation and editing, consider Midjourney and DALL·E 2 as your artistic companions.
  • Audio-based: When it comes to sound conversion and generation, Jukebox and Play.ht are the maestros to trust.
  • Video-based: Need video prediction or AI avatars? Fliki and Veed.ai will bring your visions to life.
  • Generative AI for R&D: Exploring 3D object generation, product design, and discovery? Point E and Mirage are your navigators.

But every journey has its challenges. Risks like output quality, privacy, data leakage, and technical know-how lurk along the way.

Edwin demonstrates how a threat actor pretends to be an AI

To navigate safely:

  • Familiarize yourself with Generative AI models.
  • Establish and implement an AI usage policy.
  • Educate your staff on proper data handling.

The rise of vulnerabilities, exploitation and intelligence

Patrick Garrity, Security Researcher and VP at Nucleus, is renowned for groundbreaking contributions in transforming vulnerability data into informative visuals that empower teams in vulnerability management and security roles. The subject expert took to the HexCon23 stage to deliver an exciting session on vulnerabilities, exploitation, and intelligence.

Patrick set the stage by first easing into the history of vulnerability management. He highlighted how vulnerability management has evolved significantly over the years. It began as a reactive approach, where organizations mainly responded to security incidents as they occurred. However, as threats became more sophisticated, a proactive approach emerged. This involved scanning systems for vulnerabilities, patch management, and implementing security best practices. Today, vulnerability management is a crucial part of cybersecurity strategy, integrating continuous monitoring, assessment, and prioritization of vulnerabilities to mitigate risks effectively.

Moving on, Patrick brushed up on the crowd’s knowledge of CVSS. CVSS stands for the Common Vulnerability Scoring System. It is a standardized framework for assessing and rating the severity of security vulnerabilities in computer systems, software, and networks. CVSS provides a common language and methodology for security professionals to communicate and prioritize vulnerabilities based on their potential impact and exploitability. Here’s a quick rundown.

  • The CVSS framework assigns a numerical score to each vulnerability.
  • This score helps organizations prioritize which vulnerabilities to address first.
  • The score is calculated based on various factors, including the vulnerability’s impact on confidentiality, integrity, and availability, as well as its complexity and how it can be exploited.

So, what next after CVSS? Patrick’s answer was yet another acronym, EPSS. EPSS stands for Exploit Prediction Scoring System. EPSS uses a variety of factors to calculate its score, including the time since the vulnerability was published, the availability of exploit code, and the number of systems that are vulnerable.

Unleashing the power of privileged access management

Marcus Wells, the CEO of WellSecured IT, discussed how vast PAM is and how it will boost security. Privileged Access Management (PAM) is like the guardian of your digital kingdom, ensuring that only the worthy have access to the most sensitive data and resources. But how does it work? Let’s break it down.

  • Define: It all starts with defining what needs protection. Identify the crown jewels of your organization.
  • Discover: Once you know what’s precious, it’s time to discover who’s guarding it and who should be.
  • Manage and Protect: PAM takes charge of managing and protecting these treasures. It’s the gatekeeper you need.
  • Monitor: Vigilance is key. PAM keeps an eagle eye on all access attempts.
  • Detect usage: Suspicious activity? PAM is on it, detecting any unusual behavior.
  • Incident response: In case of a breach, PAM is your rapid response team, ready to contain and mitigate the damage.
  • Review and Audit: Regular check-ins ensure that PAM remains effective and up-to-date.

Now, here’s the butterfly effect of Identity Security: Identity and Access Management (IAM) leads to Customer Identity and Access Management (CIAM), which in turn leads to PAM, and all these roads eventually lead to the realm of zero-trust. Remember, PAM isn’t just about products; it’s about processes. Building a strong foundation is crucial before you start installing security tools. In the real world, PAM isn’t exclusive to corporate giants. It’s a shield for workplaces, educational institutions, and healthcare facilities alike. Your digital treasures deserve the best protection, no matter the size of your kingdom. So, embrace Privileged Access Management and fortify your digital fortress. Your data, your rules.

Don’t let the cloud blindside you: How to mitigate the risks of cloud security in your organization

Cloud computing has witnessed a significant surge in popularity, with organizations of all sizes migrating their data and applications to cloud platforms. However, this transition to the cloud has ushered in a new set of security challenges. Cloud security often takes a backseat, leaving organizations vulnerable to data breaches and security incidents. A recent study conducted by the Cloud Security Alliance underscored this concern, revealing that a staggering 70% of cloud security incidents can be traced back to misconfigurations.

Ruchira Pokhriyal, a specialist in Cloud Security and Incident Response at Amazon Web Services, took to the HexCon23 stage and expertly handled a session on cloud security. The session shed light on the looming risks of data breaches, insider threats, and the often-underestimated menace of cloud misconfigurations.

One of the key concepts that the session addressed was the shared responsibility model of cloud computing. Shared responsibility is a critical concept that defines how security duties are divided between cloud service providers (CSPs) and their customers. This model clarifies who is responsible for securing the various components and aspects of a cloud service. Here’s a breakdown of shared responsibility in cloud computing:

Provider’s responsibility:

  • Physical and virtual infrastructure security.
  • Network management and compliance.
  • Data center security and certifications.

Customer’s responsibility:

  • Data security and encryption.
  • Securing operating systems and applications.
  • Managing user access and permissions (IAM).
  • Configuring network security and firewalls.
  • Security group policies.
  • Data backup and compliance adherence.
  • Monitoring threats and incident response.

A comparison of customer responsibility and cloud service provider responsibility

The session struck the perfect balance between conceptual understanding and practical applications with the following key takeaways.

  • Cloud security is a shared responsibility
  • Monitor for suspicious activity
  • Have an incident response plan
  • Centralize logging and monitoring
  • Educate personnel about cloud risks

The future of cyber security and the rise of intelligent defense

Ben Kereopa-Yorke, Senior Security Specialist at Telco, expertly handled a fast-paced session on artificial intelligence. The session dabbled in the future of AI for cybersecurity defense and risk mitigation. Ben focused on four main sections.

  • Leveraging AI for governance
  • Navigating data privacy vs. surveillance
  • ChatGPT and cybersecurity
  • ML security: Assessing the robustness of models

Essentially, leveraging Artificial Intelligence (AI) for governance is a transformative approach that has the potential to enhance the efficiency, transparency, and effectiveness of government processes and decision-making. With regard to data privacy and surveillance, Ben presented a nuanced evaluation of the benefits and risks associated with AI technologies. Striking the right balance requires careful consideration of individual rights, the necessity of surveillance for security and public safety, and the ethical principles that guide responsible AI development and deployment.

Can ChatGPT aid cybersecurity? With respect to cybersecurity, is ChatGPT a friend, a foe, or both? These questions formed the second half of Ben’s session.

Towards the very end of the session, Ben Kereopa-Yorke addressed the common vulnerabilities in machine learning models.

  • Data manipulation: Adversaries can tamper with training data, introducing bias or malicious samples.
  • Adversarial attacks: Attackers craft inputs to deceive models into making wrong predictions.
  • Model extraction: Adversaries clone models using query responses, risking intellectual property theft.
  • Privacy leaks: Models may inadvertently disclose sensitive data, violating privacy regulations.
  • Overfitting: Models overly specialize in training data, becoming less robust with new data.
  • Underfitting: Models can be overly simplistic, leading to inaccurate predictions.
  • Bias and Fairness: Models may inherit biases, causing discriminatory outcomes.
  • Data leakage: Test data may influence training, leading to overly optimistic performance estimates.
  • Model inversion: Attackers reverse-engineer data from model responses.
  • Lack of robustness: Models may struggle with real-world scenarios or unexpected inputs.
  • Unintended feature correlations: Models can learn unexpected data relationships.

Do not forget that privacy is fundamentally a human right and what that means for compliance

Harvey Nusz and Edward Ted Murphree, both Senior Risk and Compliance Engineers, used the HexCon23 platform to jointly reiterate the widely known yet forgotten fact that privacy is a fundamental human right. The thought-provoking discussion between Nusz and Murphree centered around the connection between privacy and compliance.

The two industry experts went back and forth to establish that there are two approaches to information privacy.

  • Business-centric approach to data protection (US)
  • Individual-centric approach to data protection (EU)

We are well aware that the inception of GDPR (General Data Protection Regulation) and Article 95/46/EC stemmed from a profound concern for safeguarding privacy as a fundamental human right. This movement gained momentum shortly after World War II, a period marked by the atrocities of genocide. Fast-forward to today, and nearly every European Union (EU) company embraces company policies centered on human rights.

Timeline of cybersecurity and privacy laws in the US

Most of us have undergone the requisite training as well. In contrast, many companies in the United States do not deem it necessary to establish human rights policies. The discussion delved into this discrepancy and highlighted how this disparity might lead some private firms to perceive the risk of GDPR non-compliance as acceptable.

The speakers emphasized that this perspective often overlooks the potential consequences of GDPR violations. Penalties, including substantial fines, can not only dent a company’s finances, but also halt the processing of GDPR-protected data and disrupt cross-border data transfers. More importantly, such non-compliance infringes upon the privacy and human rights of the individuals affected, including employees, customers, and vendors.

The Digital Identity Wallet – A user perspective

John Erik Setsaas, the Director of Innovation in Financial Crime Prevention at Tietoevry Banking, steered the crowd through an intriguing session on ‘Digital Identity Wallet.’ First announced in 2020, the Digital Identity Wallet (DIW) is a specialized type of digital wallet designed for managing and securely storing an individual’s digital identity information. Unlike traditional digital wallets primarily used for financial transactions, a DIW focuses on storing and providing access to personal identity data, allowing users to control and share their identity information with various online services, organizations, and entities as needed.

Essentially, DIWs have the potential to simplify identity verification processes and enhance online security and privacy. Users can share specific aspects of their identity without revealing unnecessary information, reducing the risk of identity theft and fraud. Additionally, DIWs can streamline user experiences when signing up for new services or accessing existing ones by eliminating the need to repeatedly enter personal information. Setsaas mentioned that…

  • In the past, authentications were centralized, while interactions were more organization-centric.
  • Now, authentication is more of a mix between centralized and federated, while interactions are still organization-centric.
  • The future will see decentralized authentication combined with user-centric interactions.

Additionally, the session cast light on some of the key features of DIWs.

  • Data storage: DIWs securely store personal information, like names, birthdates, and government IDs.
  • Verification: Users can prove their identity online using their DIW, often through biometrics or credentials.
  • User control: DIWs empower users to decide what data to share, with whom, and for what purposes.
  • Privacy and Security: They prioritize data protection with encryption and other security measures.
  • Interoperability: Some DIWs aim for compatibility across various online services.
  • Self-Sovereign Identity (SSI): SSI principles emphasize user ownership and control over digital identity.
  • Decentralization: Blockchain tech can decentralize identity verification.
  • Authentication: DIWs offer secure authentication methods like biometrics and MFA.
  • Compliance: Many DIWs adhere to data protection regulations like GDPR.

Phishing attack failed on Passwordless

Ngô Minh Hiếu, a.k.a. Hieupc, the CEO and co-founder of Chongluadao.vn, a nonprofit anti-scam organization, and a full-time threat hunter at CyPeace, took center stage at HexCon23. Hieupc had the audience hanging on his words as he made a powerful case for how passwordless authentication thwarts phishing attacks. The perfect mix of stats, information, and an onstage demo kept us hooked throughout the session.

Essentially, a phishing attack is a type of cyberattack in which an attacker attempts to deceive individuals or organizations into revealing sensitive information, such as login credentials, personal information, or financial details. Phishing attacks typically involve impersonating a trustworthy entity or creating a false sense of urgency to manipulate victims into taking actions that benefit the attacker. The session ran down the timeline from the first recorded phishing attack on America Online (AOL) to date. The timeline, presented as the history of phishing attacks, covered…

  • 1990 – first recorded phishing attack
  • The early 2000s – the rise of E-commerce and the emergence of spoofed websites for eBay and PayPal
  • 2008 – launch of Bitcoin and crypto, raising the motivation for cybercriminals
  • Late 2010s – Cybercriminals hiding malicious code inside image files to slip through users’ anti-virus software

Working of a typical phishing attack

Additionally, the session mentioned…

A reverse proxy phishing attack is a sophisticated type of phishing attack in which a reverse proxy server sits between the victim and a legitimate website or service, relaying the real pages while capturing what the victim types. Because the victim sees the genuine site’s content, this method makes it extremely difficult to detect the fraudulent nature of the page they are interacting with, increasing the likelihood that sensitive information is stolen.

Passwordless is the key to the future…

Hieupc’s session showed demo phishing attacks that showcased both the attacker’s trap setting and the victim’s fall into the trap. The session quickly summed up the different methods of passwordless authentication.

  • Email
  • OAuth
  • Token/SSO
  • Biometrics
  • Certification

Throughout the session, and even while demonstrating how passwordless thwarted phishing attacks, courtesy of the literal lack of passwords 😉, Hieupc kept on reiterating the benefit of easier and quicker logins. No more memory exercises!
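The reason a proxied login page fails against the FIDO-style passwordless methods mentioned earlier in the day (FIDO tokens, YubiKey) is that the browser and authenticator bind each login to the real site: the browser records the page’s actual origin in clientDataJSON, and the authenticator hashes the relying party ID into authenticatorData. The relying party then refuses anything that does not match. The following is an added example, not code from Hieupc’s demo, that implements just that server-side binding check for a WebAuthn assertion. The relying party ID, origins and challenge are constructed, and a real verifier would additionally verify the signature over authenticatorData and the hash of clientDataJSON, which is omitted here.

```python
import base64
import hashlib
import json

# Constructed relying-party identity: the site the user actually registered with.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

# Constructed challenge, as the server would have issued it (base64url, no padding).
CHALLENGE = base64.urlsafe_b64encode(b"constructed-random-challenge").rstrip(b"=").decode()


def make_client_data(origin, challenge, ceremony="webauthn.get"):
    """Mimic the clientDataJSON a browser builds: it records the origin the page was loaded from."""
    return json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id, user_present=True):
    """Mimic the first 37 bytes of authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason) for the checks that make a FIDO2 login phishing-resistant.

    Signature verification is deliberately left out of this example; in a full verifier it
    runs after these checks and covers authenticatorData || SHA-256(clientDataJSON).
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    origin = client_data.get("origin")
    if origin != EXPECTED_ORIGIN:
        # This is the check a reverse proxy cannot satisfy: the browser fills in the proxy's origin.
        return False, f"origin {origin!r} is not {EXPECTED_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def legitimate_login():
    """User signs in on the real site; everything lines up."""
    return verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE),
        make_authenticator_data(EXPECTED_RP_ID),
        CHALLENGE,
    )


def proxied_login():
    """User is lured to a constructed look-alike host that proxies the real site.
    The browser reports the look-alike origin, and the authenticator would only have a
    credential scoped to that host, so the relying party rejects the assertion."""
    proxy_host = "login-example.com.lookalike.test"   # constructed, not a real domain
    return verify_assertion_binding(
        make_client_data("https://" + proxy_host, CHALLENGE),
        make_authenticator_data(proxy_host),
        CHALLENGE,
    )


def replayed_login():
    """A captured assertion presented again against a fresh server challenge."""
    fresh_challenge = base64.urlsafe_b64encode(b"another-constructed-challenge").rstrip(b"=").decode()
    return verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE),
        make_authenticator_data(EXPECTED_RP_ID),
        fresh_challenge,
    )


if __name__ == "__main__":
    for name, fn in (("legitimate", legitimate_login), ("proxied", proxied_login), ("replayed", replayed_login)):
        ok, reason = fn()
        print(f"{name:10s} -> {'accepted' if ok else 'rejected'}: {reason}")
```

The contrast with a password is the point: a password typed into the proxied page is identical to one typed into the real page, so the server cannot tell them apart, whereas the origin and rpIdHash are filled in by the browser and authenticator rather than by the user, and the proxy has no way to forge them.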

Papercuts: Stop the Bleed. Reducing information leakage from client-bound documentation

Documentation is a fundamental aspect of any organization, and much of it is intended for external clients. Regrettably, there are numerous areas, both within the structure of the documents and in their content, where crucial details about the organization can unintentionally slip through. Kristine Sihto, the documentation specialist at TinkerInk, hooked in the HexCon23 audience by handling a highly informative session on managing information leaks, specifically about the documentation process within an organization.

Information leaks stemming from documentation can be a significant concern for organizations. These leaks occur when sensitive or confidential information about the organization, its employees, internal processes, or clients unintentionally becomes accessible to unauthorized individuals. Such leaks can have serious consequences, including data breaches, privacy violations, and damage to an organization’s reputation. Here’s a look at some of the common causes of information leaks due to documentation:

  • Improper redaction: Inadequate removal of sensitive data during document sharing.
  • Metadata: Hidden information like authors and edit history exposing sensitive details.
  • Version control issues: Distribution of outdated or inaccurate documents due to poor version control.
  • Sharing permissions: Misconfigured access settings allowing unauthorized access.
  • Inconsistent naming: Irregular file naming makes sensitive documents easier to find.
  • Email errors: Sending sensitive documents to the wrong recipients.

So, what do we do? Well, here’s what the session taught me:

  • Redaction and Metadata: Clear redaction processes and regular metadata checks.
  • Access control: Strict access limits, encryption, and authentication.
  • Training: Employee training on secure document handling.
  • Version control: Effective version management.
  • Classification: Document sensitivity classification.
  • Auditing: Periodic document audits.
  • Incident response: Preparedness for swift leak mitigation.

Well, well, well…

And that’s a wrap on the day 2 highlights of HexCon23. Did you feel like the day slipped away way too fast? We did, too! Well, don’t worry, though. We’ve still got one more day of intriguing sessions and amazing discussions. So, we’ll see you tomorrow, bright and early. And don’t forget, whatever you’ve missed out on, you’ll find it right here.
Until tomorrow, then!

Alie Ashryver

Product Evangelist @ Hexnode. Gimme a pen and paper and I'll clear up the cloud of thoughts in ma head...
