Simplifying Cybersecurity Issue #10
Columbus sues security researcher, free cloud security testing tools, responsible disclosure in a nutshell
Welcome to the latest issue of Simplifying Cybersecurity!
This newsletter is packed with info to help you up your cybersecurity game. Whether you're just getting started or a seasoned cybersecurity professional, I've got you covered with tips, tools, and resources to help you keep growing and keep your career moving forward.
In this issue:
Cybersecurity news stories you should read
Security tools you should explore
Tips to stand out in your next interview
Training resources to improve your skills
Career opportunities you can apply for today
Recommended reading from The Bookstore
📰 Cybersecurity in the News
City of Columbus sues man after he discloses severity of ransomware attack. In a misguided attempt to perform their civic duty, City of Columbus officials opted to sue a security researcher in the wake of a data breach. While the breach was perpetrated by a ransomware gang, the City put the researcher in their crosshairs because he shared with the press that yes, the data was definitely exposed and usable. What a world…
CEO's Arrest Will Likely Not Dampen Cybercriminal Interest in Telegram. France arrested Telegram CEO Pavel Durov, holding him partially accountable for criminal activity conducted using his platform. The article argues that while Durov's arrest is unlikely to significantly impact cybercriminal activity on the platform in the short term, increased scrutiny or policy changes resulting from the arrest could lead to a gradual shift toward alternative communication channels in the long run.
Red Teaming Tool Abused for Malware Deployment. Threat actors are misusing MacroPack, a tool designed for red team exercises, to spread malware. MacroPack enables the quick generation of payloads into various file types, and its code includes features intended to evade anti-malware systems. This is another example of the ethical challenges cybersecurity pros face when developing tools that could potentially be misused by criminals.
IT worker charged over $750,000 cyber extortion plot against former employer. A former IT engineer is facing federal charges for allegedly locking his former employer out of their computer systems and demanding a $750,000 ransom. Investigators claim they traced the attack back to the accused, citing incriminating web searches and suspicious activity logs. How do you know who you can trust in your organization?
Rapid Growth of Password Reset Attacks Boosts Fraud and Account Takeovers. While there are a lot of stories about cutting edge attack techniques and tools, criminals are still leaning into tried and true methods. Password reset attacks, often driven by bots, have risen sharply, leading to increased account takeovers and fraud. Desktop users, especially the elderly, are more vulnerable due to weaker security compared to mobile apps, highlighting the need for stronger authentication and better-protected password reset tools.
How CISOs Can Effectively Communicate Cyber-Risk. I thought this was an interesting approach toward putting communication skills into practice. A proximity resilience graph is a visual tool that helps CISOs communicate cyber-risk to leadership by showcasing the impact of security investments and external threats on an organization's risk posture, allowing for more nuanced discussions about specific risk areas. The graph's axes represent an organization's cybersecurity resilience and the proximity of threats, while data points indicate key risk impacts, enabling leaders to understand and engage with the complex narrative of cyber-risk.
🧰 For Your Security Toolbox
Cybersecurity pros need to continually sharpen the saw. Sometimes that might mean reading a book, other times that might mean completing a training class.
But from time to time, it also means rolling up your sleeves and doing some hands-to-keyboard work.
This week, I'm featuring two open source tools to help you bolster your cloud security skills: CloudSploit and Prowler.
CloudSploit from Aqua Security is a Cloud Security Posture Management (CSPM) tool. From their GitHub repo: "CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks."
A similar tool in this space is Prowler. From their repo: "Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more."
➡️ Give both CloudSploit and Prowler a spin in your home lab.
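Once either scanner has run against your lab account, the next hands-on step is doing something with the output: both tools can write machine-readable results, and the useful exercise is turning those into a prioritized list and a pass/fail gate. The script below is an added example of mine, not code from the CloudSploit or Prowler projects. The finding objects are constructed in a Prowler-like shape; treat the field names (`CheckID`, `Status`, `Severity`, `ResourceId`, `Region`) as an assumption and map them to whatever your tool and version actually emit.

```python
"""Triage CSPM findings and gate a pipeline on them (added example).

Not from either project. The sample below is constructed in a
Prowler-like JSON shape; the key names are an assumption to adapt.
"""
import json
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed sample scanner output: one object per check result (assumed shape).
SAMPLE_FINDINGS_JSON = json.dumps([
    {"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "high",
     "ResourceId": "arn:aws:s3:::lab-logs", "Region": "us-east-1"},
    {"CheckID": "iam_root_mfa_enabled", "Status": "FAIL", "Severity": "critical",
     "ResourceId": "arn:aws:iam::123456789012:root", "Region": "global"},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "PASS", "Severity": "high",
     "ResourceId": "123456789012", "Region": "global"},
    {"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_port_22",
     "Status": "FAIL", "Severity": "high", "ResourceId": "sg-0123", "Region": "eu-west-1"},
    {"CheckID": "s3_bucket_server_access_logging_enabled", "Status": "FAIL",
     "Severity": "medium", "ResourceId": "arn:aws:s3:::lab-logs", "Region": "us-east-1"},
])


def load_failures(raw: str, status_key: str = "Status", fail_value: str = "FAIL") -> list[dict]:
    """Parse scanner JSON and keep only the failing checks."""
    return [f for f in json.loads(raw) if f.get(status_key) == fail_value]


def triage(findings: list[dict], accepted: set[str] = frozenset()) -> list[dict]:
    """Drop risk-accepted (check:resource) pairs and sort worst first."""
    kept = [f for f in findings if f"{f['CheckID']}:{f['ResourceId']}" not in accepted]
    return sorted(kept, key=lambda f: SEVERITY_RANK.get(f["Severity"].lower(), 0), reverse=True)


def severity_counts(findings: list[dict]) -> dict[str, int]:
    """Summary line for the console or a ticket."""
    return dict(Counter(f["Severity"].lower() for f in findings))


def should_block(findings: list[dict], threshold: str = "high") -> bool:
    """True if any open finding is at or above the threshold (CI exits non-zero)."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["Severity"].lower(), 0) >= floor for f in findings)


if __name__ == "__main__":
    # Exceptions are keyed on check AND resource so a waiver never silences a check globally.
    waivers = {"s3_bucket_server_access_logging_enabled:arn:aws:s3:::lab-logs"}
    open_findings = triage(load_failures(SAMPLE_FINDINGS_JSON), accepted=waivers)
    for f in open_findings:
        print(f"{f['Severity']:<9} {f['CheckID']:<60} {f['ResourceId']} ({f['Region']})")
    print(severity_counts(open_findings))
    exit_code = 1 if should_block(open_findings) else 0   # return this from the CI step
    print("exit code:", exit_code)
```

Keep the waiver list in version control next to the pipeline definition so that every accepted risk has a reviewer and a date attached, and re-run the gate on a schedule as well as on change: configuration drift in a cloud account does not wait for a commit.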
💼 Interview Tips
Where do you draw the line when it comes to "hacking" or "security research"?
This isn't a technical question as much as it is an ethical one.
If you find yourself interviewing for a role as an ethical hacker, a penetration tester, or a red teamer, you can count on this discussion being part of your interview process.
For starters, you should be able to explain the concept of responsible disclosure to the interviewer. At a high level, responsible disclosure simply means that you report security vulnerabilities in a way that doesn't put people, systems, or data at risk.
Contacting the organization's security team over a secure channel for a private conversation? Sounds great to me! Posting exploit code on X? Not so much…
This article from Bugcrowd provides even more context if you'd like to dig deeper.
Related to the first story I shared above, the one about the City of Columbus suing a security researcher for following responsible disclosure protocols 🤦, I shared this post on LinkedIn.
I read multiple articles on the incident, drafted a post-incident timeline based on that information, and shared my professional opinion on where folks did well, where they didn't, and whether the researcher (Connor Goodwolf, aka David Leroy Ross) crossed any ethical lines.
You can use this as an example for how to prepare for ethical discussions during your interview process.
Know the landscape, and know where you stand.
💡 Training Opportunities
This week, I have a few courses on ethics and ethical hacking to share with you from LinkedIn Learning.
If you've got a Premium profile, or if your company has a LinkedIn Learning subscription, you can check out these courses anytime you'd like.
But even if you don't have a LinkedIn Learning subscription, you can use these links to take these courses for FREE. The links themselves shouldn't expire, but as soon as you click on one, you have 24 hours to complete that course.
➡️ Knock out a course over lunch or bookmark them all for a rainy day.
Career Opportunities
If you're looking for an Entry Level or Associate role, you might want to check out these opportunities:
If you're looking for a Mid-Senior Level role, you might want to check out these opportunities:
The Bookstore
Hacking: The Art of Exploitation by Jon Erickson is a technical guide that dives into the world of computer security by explaining the inner workings of software vulnerabilities and network protocols. It teaches readers how to exploit these weaknesses through practical examples and hands-on exercises, ultimately empowering them to understand the mindset of hackers and develop defensive strategies against potential attacks. This book bridges the gap between theoretical knowledge and practical application, providing valuable insights into the realm of computer exploitation for both security enthusiasts and aspiring professionals.
Con swag
The Simplifying Cybersecurity store is live!
I wanted some cybersecurity swag of my own that I could start wearing to hacker cons, but I'm not the biggest fan of swag that's covered with vendor logos. 🤷
So I decided to design some swag of my own.
I've got a handful of designs in the store now, and I'm planning to add more soon. Oh! And stickers! I haven't uploaded any sticker designs just yet, but they're on their way.
If you want to grab your own hoodie or tee, head on over to the store today!
That's it for this week. If I'm doing my job right, you're a few steps closer to making the career moves you want to make.
If you're digging this newsletter, I've got two quick asks:
➡️ Share it with a friend or colleague who might like it as well. We're all in this together, and sharing what we learn along the way helps everyone.
➡️ If someone forwarded this to you, subscribe here.
➡️ Connect with me on LinkedIn! I'm always up for chatting about all things cybersecurity and career growth.
Stay safe out there, and keep learning!
Jerod
Just wanted to give you a heads-up! Bookstore links are affiliate links, which means if you click on them and make a purchase, Simplifying Cybersecurity gets a small commission. This helps support Simplifying Cybersecurity's mission and keep the content coming, so thanks for your support!