Andrei Agape

How do you crash a plant with an Nmap scan? Just run it. Cybersecurity in Industrial Control Systems and how it differs from standard IT. 🏭 👨🏻‍💻 💀 The presentation 'Investigating Industrial Control Systems' by Antti Rössi from the Finnish National Cyber Security Center provides a deep dive into what is wrong with ICS today, what attackers need to do to succeed, and why the fragility of plants today may easily lead to a plant shutdown, but causing more sophisticated damage is much harder. And yes, an Nmap scan can crash an entire factory because old devices have weak network stacks. More details: Youtube: https://lnkd.in/dUmhYD-B #technology #cyber #security #cybersecurity #isc #industrial #SCADA #ISC #research #future #privacy #hacking

359

1 Kommentar

Cybersecurity incidents can be tracked and managed in many ways. If not on paper, then in shared mailbox, in excel, or in professional ticketing system. There is new experiment system based on Notion - where it is a set of tables (i.e. like sheets in Excel, with Forms - kind of web browser based, Access-like system, for collaboration): https://lnkd.in/dRszniXg . I have tried it, it is really great to see the data model and relations. How it would work in production for small teams - this needs to be tested (still alfa version, and not suggested to run in production :) Definitely, good tool to test and learn, biggest drawback - it is not migratable, even to newer version. I wonder, probably someone tried as sharepoint system many times before something similar... For Notion lovers - this should be great inspiration #CSIRT #SOC #incidentresponse

87

1 Kommentar

Are #cybersecurity incidents growing more costly? Cyentia Institute's recent Information Risk Insights Study points to a 15-fold increase in the cost of #incidents and #databreaches over the last 15 years. The chart on the left shows the distribution of known/reported financial losses from incidents across the time period of study. The typical (median) incident costs about $600K, while more extreme (95th percentile) losses swell to $32M. Note that the chart uses a log scale, so the tail of large losses is a lot longer than it appears. The chart on the right trends the escalating costs of cyber events over time. Median losses from a security incident have absolutely exploded over the last 15 years, rising 15-fold from $190K to almost $3 million! The cost of extreme events has also risen substantially (~5x). So, yeah—cyber events are definitely growing more costly. That said, this picture looks a lot different among different types and sizes of organizations. How are cyber losses trending for orgs like yours? Download the full IRIS 2025 to find out! Link in the comments.

102

15 Kommentarer

I haven't seen any announcement about this, but the PCI Security Standards Council has published an update in the last few days to the "Guidance for PCI DSS Requirements 6.4.3 and 11.6.1" Information Supplement. In the original version, it said "Note that PCI DSS Requirements 6.4.3 and 11.6.1 do not apply to merchants with webpages that redirect to a TPSP’s page (for example, via an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect)." That's been removed, and in its place it now says "Note that, where scripts are used as part of a redirection mechanism, PCI DSS Requirements 6.4.3 and 11.6.1 will apply to those scripts." The thing is, by fully-redirecting to a PCI DSS-compliant payment service provider or processor to take payments, the merchant doesn't have a payment page - and it's only the payment page (or parent page when iframes are used) that these requirements apply to. While I think protecting all JavaScript on a website is a really good security best practice - whether that's using CSP+SRI, Jscrambler's Webpage Integrity product, or something else, I'm currently scratching my head as to how this change to the guidance - which "does not replace or supersede requirements in any PCI SSC Standard" - currently applies. I'm curious to hear what others think...

54

17 Kommentarer

Finally understand ISO 27001, SOC 2, TISAX, C5, and NIS2.  5 frameworks, 1 reality Every week, I meet CxOs asking the same question.  Which framework do we actually need?  They all sound different.   They all promise security.   But underneath, they share the same foundation.  Information security. Risk management. Governance. Continuous improvement. So what actually separates them?  ISO 27001   - The international gold standard.   - Focuses on setting up an Information Security Management System (ISMS).   - It defines how you manage security, not just what you secure.   - Globally recognized and the best baseline if you want structure and scalability.  SOC 2   - Born in the U.S., designed for SaaS vendors.   - Less about management systems, more about trust.   - Proves to enterprise customers that you handle data securely across five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.   - Ideal for B2B SaaS or vendors working with U.S.-based clients.  TISAX   - Built on ISO 27001 but tailored for the automotive industry.   - Same principles, but with industry-specific extensions.   - Required if you want to do business with major automotive OEMs.  C5   - Developed by the German BSI.   - A control catalog for cloud providers.   - It builds on ISO 27001 and adds requirements for cloud transparency, data location, and incident response.   - If your product runs in the cloud and your clients are German enterprises, this matters.  NIS2   - Not a certification, but an EU directive.   - It raises the bar for critical infrastructure and key digital service providers.   - Think of it as ISO principles turned into law.   - You cannot buy a NIS2 certificate. You can only prove compliance through audits and risk-based measures.  How they connect   - ISO 27001 is your operating system.   - SOC 2 is a report you can generate from it.   - TISAX and C5 are ISO-based add-ons for specific industries.   - NIS2 is the new legal layer on top that forces everyone to play by the same rules.  Start with ISO 27001 as your core.   Add SOC 2 if you sell to U.S. clients.   Add TISAX or C5 if you’re in regulated industries.   And align with NIS2 now, before regulators force you to.  When you understand the overlap, you stop wasting effort.   One solid foundation can cover 70 to 80 percent of all frameworks.  Security should not be duplicated work.   It should be integrated work.  Which of these frameworks currently drives your compliance strategy?  

76

4 Kommentarer

If you look at the MITRE ATT&CK matrix overlaid on attack data (circle size = % of attacks in category), you instantly see the problem areas. Remote services, predominantly RDP and SSH, are _the_ way attackers move laterally towards their real target, over 80% according to 4 different data sources. There are three major implications: 🚨Lateral movement is undefended: the data says clearly that we're not defending this highway for attackers with existing solutions. That's unsurprising: PAM/EDR/MFA etc. all fall short once an attacker has remote access to a device because they all actually _trust_ the compromised device (!). 🚨Lateral movement is underinvested. In an attack chain, it is closest step to the critical data; if you want to protect jewelry, sure you can lock the doors of the building, but wouldn't you also put it in a safe? 💡Lateral movement is a chokepoint: there aren't many strategies available to attackers to stealthily pivot from less-important into critical systems. This is a massive opportunity for defenders! In the spirit of true #defenseindepth and #zerotrust, we must invest more resources into blocking EXPAND than just preventing the initial LAND -- and the data supports it. #cybersecurity

58

10 Kommentarer

Your CMS isn’t safe—Mimo moves fast. Here’s how one zero-day gave hackers free reign in 48 hours: CVE-2025-32432 hit Craft CMS in April. Two days later, threat actors used it to hijack thousands of systems. I’ve worked with teams who thought patching could wait. They were wrong. Mimo—a group active since 2022—used the flaw to inject cryptominers and proxyware. With one payload, they: - Killed rivals’ miners - Evaded detection by altering preload files - Used your bandwidth to make money They even hardcoded "FBI" into their scripts—mocking defenders in plain sight. This wasn’t random. They’ve hit Log4j, Confluence, PaperCut—always jumping on new exploits fast. Here’s the fix? Patch fast. Craft CMS v3.9.15, 4.14.15, or 5.6.17 stops this threat cold. Then check for signs: - Modified /etc/ld.so.preload - Suspicious Python using alias “fbi” - IP traffic involving 85.106.113.168 (Turkey) Skip these steps, and attackers might turn your systems into cash machines. Don’t ignore what looks small. One missed update cost an org I worked with $40K in lost compute and outbound traffic. Stay sharp. They only need one opening.

99

10 Kommentarer

Investigation Scenario 🔎 A Windows prefetch file named RUNDLL32.EXE-3A2B9C71[.]pf shows a referenced file at C:\Users\Public\update.dll, but the DLL is missing. You're unable to collect a memory dump and no EDR is available. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

41

22 Kommentarer

The latest SharePoint 0-day attack chain (CVE-2025-53770 + CVE-2025-53771) results in unauthenticated RCE on on-prem servers. I break down how it was discovered, how it works, and how to protect your servers in this new video. PLUS a demo of the exploit working in a lab environment! Watch now! https://lnkd.in/ezQRJiQE

406

9 Kommentarer

“Security frameworks don’t fail. People fail to use them correctly.” 78% of organizations compliant "on paper" still suffer breaches. Standards like NIST, IEC 62443, and NCA OTCC-1 aren't flawed. Yet over 60% of their implementations stay stuck in PDFs, not practices. Why read further? - See common compliance errors clearly - Learn from an authentic client scenario - Turn frameworks into effective security actions Compliance without real-world capability is merely paperwork. - Especially in Operational Technology (OT), the gap isn't just technical it's deeply cultural. REAL-WORLD CLIENT STORY: - We recently partnered with a major manufacturing organization, responsible for multiple critical facilities. Their documentation for IEC 62443 compliance was outstanding: - Clearly defined OT network segmentation - Fully documented cybersecurity roles - Asset inventory marked as comprehensive But our on-site validation revealed something very different: ⇨ Asset Inventory: Managed via quarterly Excel updates, creating significant blind spots between reviews. ⇨ Network Segmentation: Logical on paper, but physically nonexistent, with IT and OT systems openly interconnected. ⇨ Privileged Account Management: Shared passwords were common practice, significantly compromising accountability. - The standard wasn't faulty the implementation was. PROBLEM: ↳ Many organizations mistakenly equate passing audits with real security. True security requires continuous testing, clear ownership, and constant refinement. INSIGHT: - Standards mark your start not your finish line. Real security comes when frameworks become daily practices: ⇨ Clearly map security controls to operational tasks. ⇨ Regularly perform realistic security drills. ⇨ Embed clear security accountability throughout the organization. MINDSET SHIFT: - From: "We passed the audit." ⇨ To: "We confidently handle real-world incidents." - From: "The policy covers it." ⇨ To: "Our team actively practices security daily." KEY TAKEAWAYS: - Move from checklist compliance to actionable, daily security behaviors. - Validate controls through realistic exercises not just paper-based audits. - Develop a culture where compliance naturally follows from proactive security. 📩 Ready to turn standards into practical security? ↳ DM me for our Frameworks-to-Action Toolkit, designed specifically to help OT and cyber leaders bridge the compliance-practice gap effectively. 👇 Join the discussion: Have you witnessed frameworks being misapplied? Share your insights! #CyberResilience #SecurityFrameworks #IEC62443 #NISTCSF #GRC #OTSecurity #CyberStrategy

194

27 Kommentarer

Tomorrow is the #NISDUC conference on NIS2, and we would like to share how the Vulnerability-Lookup software can support NIS2 requirements and best practices. https://lnkd.in/e4kGBySt Vulnerability-Lookup is an open-source platform developed to help organizations identify, track, and manage software vulnerabilities. It aggregates data from multiple trusted sources, allows collaborative input, and supports processes aligned with vulnerability disclosure standards. The NIS2 Directive (Directive (EU) 2022/2555) establishes a high common level of cybersecurity across the EU. This document outlines how Vulnerability-Lookup helps stakeholders meet the directive’s key requirements, especially Articles 11, 12, 21, and 29. The following paragraphs analyse these articles and contextualise Vulnerability-Lookup’s feature support capabilities. #nis2 #cybersecurity #vulnerabilitymanagement #vulnerability CIRCL (Computer Incident Response Center Luxembourg)

111

AI Security Incidents forensics report A year or two ago we constantly heard the same question literally from everyone. "yeah, AI can be vulnerable but are there real incidents already?" we almost ended up paying cybercriminals to perform one ... oh cmon! just joking ;) Now especially last month news were bombarded with quite profound AI security incidents from Asana AI to the latest Amazon Q. It felt like someone in the galaxy knew that we are preparing a report and decided to add a few lines ;) Long story short, we at Adversa AI just released the Top AI Security Incidents (2025 Edition) — a detailed, real-world report that shows how AI systems are actually failing in practice, and what security teams can do to stop it. Show it to your CISO next time if he will ask about real AI attacks. From chatbots leaking personal info, to agents triggering unauthorized crypto transfers, to cross-tenant data exposure via MCP — the incidents are real, and the impact is serious. ↓ Some key points: — Prompt injection caused 35.3% of all documented cases. — Even simple prompts led to $100K+ in real losses. — GenAI was involved in 70.6% of incidents — but Agentic AI caused the most dangerous ones. — Many failures happened outside the model — in Models, memory, MCP and the logic between components. What’s inside: - Vivid visualizations to expose where AI systems are failing — by time, type, sector, and severity. - Data Across Layers: Timelines, exploit complexity matrices, and stack-wide failure maps reveal how attacks evolve - 17 real examples, clearly explained. - A look at how the attacks worked. - Steps teams can take to prevent similar issues. References to AI Security initiatives from OWASP GenAI Security Project , Coalition for Secure AI, Cloud Security Alliance, MITRE ATLAS. Steve Wilson, Christina Liaghati, PhD, Daniele Catteddu, Omar Santos, David LaBianca, Ken Huang, CISSP, Anton Chuvakin, Kapil R. R., Michael Coates → Download the full report: https://lnkd.in/dcFASFcG If you’re building, deploying, or protecting AI systems — this report is for you. Let me know what you think or feel free to share with others who might find it useful. #AIsecurity #GenAISecurity #AgenticAISecurity #CISO #AIRedTeaming #Cybersecurity

47

19 Kommentarer

Who is actively monitoring the installation/dropping of Python interpreters? The image below is from an ESET report [1], but we, for example, discovered a Python backdoor in a recent incident response case (a blog post is currently in progress). After some baselining and fine-tuning, the execution of a Python interpreter should function as an early warning, no? Or to the folks who manage huge fleets, how common are Python interpreters (bundled with software, for example) on endpoints and servers? 🕵 [1] https://lnkd.in/e4bz8s8t

152

4 Kommentarer

About a year ago, we ran a secret drill on an external SOC team. We executed 30 TTPS, but nobody from their company received an update. The SOC team had no clue about the drill. Even when they detected a hint of something wrong, they closed the case after 15 minutes of investigation. The attacks originated from within the network—the worst kind. Imagine a thief is in your house. When the police arrive, they inspect the premises and give you the "all-clear." Leaving you with a reassuring smile, they advise you to call again if needed. However, when you close the door, you're in total shock: All your furniture is gone, leaving you without a bed tonight. As an attacker, I believe that alerts are more crucial than defenses. Your response time will determine how significant and long-lasting an incident is. In many organizations, work is done with outdated playbooks and zero customization for the specific company. For this client, we employed the most basic TTPs—the kind that anyone who has completed an attack course is familiar with. But the SOC team didn't catch on. Just as you conduct market research before buying an EDR, you should apply the same care when evaluating different SOC companies. If you already have an external SOC, test it out. It's better to do it today than after an actual attack.

117

28 Kommentarer