Behzad Najjarpour Jabbari

How do you crash a plant with an Nmap scan? Just run it. Cybersecurity in Industrial Control Systems and how it differs from standard IT. 🏭 👨🏻‍💻 💀 The presentation 'Investigating Industrial Control Systems' by Antti Rössi from the Finnish National Cyber Security Center provides a deep dive into what is wrong with ICS today, what attackers need to do to succeed, and why the fragility of plants today may easily lead to a plant shutdown, but causing more sophisticated damage is much harder. And yes, an Nmap scan can crash an entire factory because old devices have weak network stacks. More details: Youtube: https://lnkd.in/dUmhYD-B #technology #cyber #security #cybersecurity #isc #industrial #SCADA #ISC #research #future #privacy #hacking

359

1 Kommentar

The latest SharePoint 0-day attack chain (CVE-2025-53770 + CVE-2025-53771) results in unauthenticated RCE on on-prem servers. I break down how it was discovered, how it works, and how to protect your servers in this new video. PLUS a demo of the exploit working in a lab environment! Watch now! https://lnkd.in/ezQRJiQE

406

9 Kommentarer

Cybersecurity incidents can be tracked and managed in many ways. If not on paper, then in shared mailbox, in excel, or in professional ticketing system. There is new experiment system based on Notion - where it is a set of tables (i.e. like sheets in Excel, with Forms - kind of web browser based, Access-like system, for collaboration): https://lnkd.in/dRszniXg . I have tried it, it is really great to see the data model and relations. How it would work in production for small teams - this needs to be tested (still alfa version, and not suggested to run in production :) Definitely, good tool to test and learn, biggest drawback - it is not migratable, even to newer version. I wonder, probably someone tried as sharepoint system many times before something similar... For Notion lovers - this should be great inspiration #CSIRT #SOC #incidentresponse

87

1 Kommentar

Censys and VirusTotal are part of the backbone of threat monitoring and alerting services which Cybersecurity and Infrastructure Security Agency provides - free of charge - to American critical infrastructure sectors. The agency uses Censys and VT data to inform your schools, your towns, your hospitals, energy, food supply, water, you name it, the list goes on - CISA informs them when something looks imminently dangerous in their public facing networks. This monitoring has to happen, because our government doesn't fund cyber protections for our critical infrastructure sectors. Not even your hospitals. It is the haves, and the have nots. If you have the money, you are aware of your security problems and can fix them. If you don't have the resources, you are destined to experience a security event, which could and often is the worst case scenario: complete operational disruption. When this happens in a hospital, people can die. So we are grateful to CISA, as they extend their services to our nation's 6,000+ hospitals, all of which are built completely differently. I have directed many needy healthcare organizations to use these service offerings, many of which had no ability to fund such a capability on their own. CISA quite literally keeps their lights on and keeps their doors open. In your darkest hour of need, you are grateful for that. Tampering with the integrity of these services, which is what we are seeing here, makes this nation less safe. Cybersecurity intelligence requires marrying disparate sources of information to create a composite. Not all services see the same things. You need as much as you can get. Censys is an incredibly deep well of data which - in the years I have been using their data - surfaces things no one else sees. Virustotal is one of our planet's oldest and largest malware resources. You would never consciously stop using it as a reference. Unless your endgame was some wet behind the ears, AI-generated efficiency mission lacking any kind of practical experience. Which seems in large part what our administration is hell bent on moving forward lately. Chop it down, drive it off a cliff, don't worry - we'll let you know later what the plan is. That's not how you run a business. It's not how you run a government. It's shadowy, it's not transparent, and it's not democratic. Everyone deserves more than this. Everyone. There are costs to be saved in this government. This is not how you do it. I don't care how you voted, but you didn't vote for this. This isn't some kind of chainsaw artistry, where the end result defies your initial expectations. This is a hack job which very likely intends to line someone's pocket. It's not going to be yours, and it's going to be at the expense of your safety. If you are so inclined, please tell your elected representatives to leave CISA the hell alone. The unfollow button is right there. https://lnkd.in/e7T6uq6j

211

14 Kommentarer

Are #cybersecurity incidents growing more costly? Cyentia Institute's recent Information Risk Insights Study points to a 15-fold increase in the cost of #incidents and #databreaches over the last 15 years. The chart on the left shows the distribution of known/reported financial losses from incidents across the time period of study. The typical (median) incident costs about $600K, while more extreme (95th percentile) losses swell to $32M. Note that the chart uses a log scale, so the tail of large losses is a lot longer than it appears. The chart on the right trends the escalating costs of cyber events over time. Median losses from a security incident have absolutely exploded over the last 15 years, rising 15-fold from $190K to almost $3 million! The cost of extreme events has also risen substantially (~5x). So, yeah—cyber events are definitely growing more costly. That said, this picture looks a lot different among different types and sizes of organizations. How are cyber losses trending for orgs like yours? Download the full IRIS 2025 to find out! Link in the comments.

102

15 Kommentarer

Finally understand ISO 27001, SOC 2, TISAX, C5, and NIS2.  5 frameworks, 1 reality Every week, I meet CxOs asking the same question.  Which framework do we actually need?  They all sound different.   They all promise security.   But underneath, they share the same foundation.  Information security. Risk management. Governance. Continuous improvement. So what actually separates them?  ISO 27001   - The international gold standard.   - Focuses on setting up an Information Security Management System (ISMS).   - It defines how you manage security, not just what you secure.   - Globally recognized and the best baseline if you want structure and scalability.  SOC 2   - Born in the U.S., designed for SaaS vendors.   - Less about management systems, more about trust.   - Proves to enterprise customers that you handle data securely across five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.   - Ideal for B2B SaaS or vendors working with U.S.-based clients.  TISAX   - Built on ISO 27001 but tailored for the automotive industry.   - Same principles, but with industry-specific extensions.   - Required if you want to do business with major automotive OEMs.  C5   - Developed by the German BSI.   - A control catalog for cloud providers.   - It builds on ISO 27001 and adds requirements for cloud transparency, data location, and incident response.   - If your product runs in the cloud and your clients are German enterprises, this matters.  NIS2   - Not a certification, but an EU directive.   - It raises the bar for critical infrastructure and key digital service providers.   - Think of it as ISO principles turned into law.   - You cannot buy a NIS2 certificate. You can only prove compliance through audits and risk-based measures.  How they connect   - ISO 27001 is your operating system.   - SOC 2 is a report you can generate from it.   - TISAX and C5 are ISO-based add-ons for specific industries.   - NIS2 is the new legal layer on top that forces everyone to play by the same rules.  Start with ISO 27001 as your core.   Add SOC 2 if you sell to U.S. clients.   Add TISAX or C5 if you’re in regulated industries.   And align with NIS2 now, before regulators force you to.  When you understand the overlap, you stop wasting effort.   One solid foundation can cover 70 to 80 percent of all frameworks.  Security should not be duplicated work.   It should be integrated work.  Which of these frameworks currently drives your compliance strategy?  

76

4 Kommentarer

I haven't seen any announcement about this, but the PCI Security Standards Council has published an update in the last few days to the "Guidance for PCI DSS Requirements 6.4.3 and 11.6.1" Information Supplement. In the original version, it said "Note that PCI DSS Requirements 6.4.3 and 11.6.1 do not apply to merchants with webpages that redirect to a TPSP’s page (for example, via an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect)." That's been removed, and in its place it now says "Note that, where scripts are used as part of a redirection mechanism, PCI DSS Requirements 6.4.3 and 11.6.1 will apply to those scripts." The thing is, by fully-redirecting to a PCI DSS-compliant payment service provider or processor to take payments, the merchant doesn't have a payment page - and it's only the payment page (or parent page when iframes are used) that these requirements apply to. While I think protecting all JavaScript on a website is a really good security best practice - whether that's using CSP+SRI, Jscrambler's Webpage Integrity product, or something else, I'm currently scratching my head as to how this change to the guidance - which "does not replace or supersede requirements in any PCI SSC Standard" - currently applies. I'm curious to hear what others think...

54

17 Kommentarer

A sharp observation from our colleagues at Truesec suggests that the attackers may have done more than just obtain working VPN credentials - they could have compromised the entire firewall, presumably using a zero-day exploit. "Based on tests conducted of victims externally facing firewalls, the default behavior should assign an authenticated SSL-VPN user an IP from a predefined IP-address pool 10.10.11[.0]/24, and any traffic from an SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP-address. Despite this expected behaviour, traffic was sourced from 192.168.1[.]1 when the TA authenticated to any of the internal machines in the victims environment." [1] [1] https://lnkd.in/eN57MUwR

71

1 Kommentar

💡 OT Pro Tip: It's great that you're learning how to perform pentesting on cyber-physical components. But along with that, I’d really suggest spending time understanding the process side too like learning how to read Single Line Diagrams (SLDs) or any other process document. I’m doing the same. And every time you study or revisit one, you notice something new. It genuinely changes how you think. I'm sure you've had that feeling too, when you're testing an OT (Operational Technology) environment and realize you can gain admin access. Maybe the systems are outdated, missing patches, use weak or reused passwords, or there’s little to no proper network segmentation. You can even move across sites or geographies without much restriction. But then you pause. You’ve reached a system, but you don’t know what it does. You don’t know how it fits into the bigger OT network, what role it plays, or what could happen if it’s disrupted. All you know is, if this system fails, the impact could be huge. So, you note it as a high or medium risk, and move on. But when you do that same testing with process awareness, when you begin to understand what the system actually controls or supports, everything changes. Suddenly, it makes sense how someone, even from a remote location, could compromise a specific cyber-physical device and cause major damage to a critical process. You start to see the bigger picture, how every piece connects and why it matters. We’ve written a blog that dives into this exact topic. You can jump straight to the technical section, it will help make everything I've discussed here click into place. And if you’ve worked with substations, you already know: no matter where a breaker trip command originates, it always flows through protection relays or bay controllers. That’s exactly what the blog focuses on, and why we think it matters. Blog Link: https://lnkd.in/gxTtSgRF Happy Learning. 😊 #OperationalTechnology #OTSecurity #IndustrialControlSystem #CyberSecurity #Pentesting #BlueTeam #CyberPhysicalSystems #Substation #Relays #Transmission #Distribution #TransmissionSystemOperator #Generation

347

27 Kommentarer

They said GRC was boring. Then the GRC Engineer newsletter went from 150 to 1,200 subscribers in just 60 days. 📈 That's nearly a 10X increase in just 2 months! And it's not just about the numbers... ...It's about the feedback from the readers. Here it from them: "You are truly revolutionising GRC" "Your newsletter is central to how we understand GRC professionals" "What's crazy is how you translate complex technical concepts into accessible frameworks without sacrificing depth" "I love the way you break down foundational concepts" "How do you put out that good GRC content every week" What's resonating? The goal isn't to just speak about GRC or tell everyone they need to learn how to code, it is to architect an entirely new discipline where compliance and engineering truly intersect. It's about creating the intellectual frameworks, mental models, and organized systems that transform GRC from a documentation exercise into an engineering discipline. By pairing honest critique with actionable solutions, we're building bridges between traditionally siloed worlds and constructing new ways for security professionals to think about their work - regardless of their technical starting point. If you haven't subscribed yet, now's the time: https://lnkd.in/epvcr3R3 #GRCEngineering #SecurityCompliance

101

6 Kommentarer

𝐇𝐨𝐰 𝐋𝐨𝐧𝐠 𝐃𝐨𝐞𝐬 𝐚 𝐑𝐚𝐧𝐬𝐨𝐦𝐰𝐚𝐫𝐞 𝐍𝐞𝐠𝐨𝐭𝐢𝐚𝐭𝐢𝐨𝐧 𝐓𝐚𝐤𝐞? Every ransomware group has patterns. Some follow formulas, others are unpredictable. Here’s how we assess motives, settlement ranges, and timelines — and why most cases average about a week and a half to resolve

29

The UK Government has released guidance for a voluntary Software Security Code of Practice, with plans for offering a certification based on compliance. There are four themes: Secure design and development, Build environment security, Secure deployment and maintenance, and Communication with customers. The guidance consists of fourteen principles which are reasonable for vendors of all shapes and sizes to satisfy (at least to some degree). I typically dislike these generic guidance documents stating things like "Distribute software securely to customers," but not everyone is fortunate enough to have a team of internal security professionals. If it's any signal for software supply chain security, to see even the most fundamental guidance include software composition analysis and maintenance of third-party components is a huge win!

24

Self-Healing IAM Systems - A Business Centric Framework 🚀"The Identity Navigator" Podcast - New Episode Alert🚀   A self-healing IAM system enhances enterprise security by automating identity governance, mitigating operational risks, and ensuring adaptive security resilience.  By leveraging this framework organizations can create dynamic, self-correcting identity frameworks that reduce administrative overhead and improve security posture. Self-healing mechanisms ensure robust access management by automatically detecting and mitigating disruptions, policy misconfigurations, or security anomalies.   https://lnkd.in/ecm7Bz8V   Tune in now and let's check them out together 🎧🔍   #TheIdentityNavigator #IAM #Podcast #TechTalk #IdentityAndAccessManagement #IAM

36

2 Kommentarer

So much of NIST 800-53 is dated and academic. One such area is in the SA-8 controls. These are "Security and Privacy Engineering Principles". While generally useful, they're extremely abstract, dated, and academic. As an example... SA-8(9): Trusted Components "The principle of trusted components states that a component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much it is trusted to perform its security functions by other components). This principle enables the composition of components such that trustworthiness is not inadvertently diminished and the trust is not consequently misplaced. Ultimately, this principle demands some metric by which the trust in a component and the trustworthiness of a component can be measured on the same abstract scale. The principle of trusted components is particularly relevant when considering systems and components in which there are complex chains of trust dependencies. A trust dependency is also referred to as a trust relationship and there may be chains of trust relationships." "The principle of trusted components also applies to a compound component that consists of subcomponents (e.g., a subsystem), which may have varying levels of trustworthiness. The conservative assumption is that the trustworthiness of a compound component is that of its least trustworthy subcomponent. It may be possible to provide a security engineering rationale that the trustworthiness of a particular compound component is greater than the conservative assumption. However, any such rationale reflects logical reasoning based on a clear statement of the trustworthiness objectives as well as relevant and credible evidence. The trustworthiness of a compound component is not the same as increased application of defense-in-depth layering within the component or a replication of components. Defense-in-depth techniques do not increase the trustworthiness of the whole above that of the least trustworthy component. " One has to kind of laugh at this control. It's so painfully academic and circular dependent logic. I'm sure it made sense 10 years ago, but this could easily be replaced with ZeroTrust and clarified with practical guidance. Curious what Dr. Chase Cunningham thinks about ZeroTrust and NIST 800-53. Any reason this hasn't been folded in to the "Security and Privacy Engineering Principles"? 🤓 🤓 🤓

25

20 Kommentarer