Cyber Security Career Politics
XZ Backdoor Breakdown & AI Sec Resource Roundup
👋 Good morning, Cyber Pros!
This week’s issue brings you:
- The truth about cyber security career politics
- XZ backdoor breakdown
- AI security resource roundup
Let’s dive in!
Read time: ~5 mins
CAREER
Career Politics in Cyber Security
Summary: If you don’t campaign for yourself, no one will. Or worse, you’ll be misrepresented and your contributions will be downplayed.

Anyone can opt out of corporate politics. This gives you some level of control, but it comes at a cost.
When I started my career, I assumed that if I showed up every day and did good work, I’d be recognised and rewarded. I didn’t understand the game very well back then.
I didn’t like the idea of ‘selling myself’ or ‘bragging’ about my accomplishments. It wasn’t my ‘style’. The reality is, if you don’t effectively communicate with the decision makers in your team/company, they won’t truly understand your contributions, and they won’t witness the journey or the struggle. Witnessing that is what turns them into advocates.
You see, when performance reviews come round, or promotion opportunities are available, you need ‘advocates’ or ‘sponsors’: people who know about all the good work you’ve been doing, see your potential, and feel part of your journey - your success is their success, in a way.
It’s important that you identify the key people in your organisation that have any kind of influence over the work you do and your future within the company. At a minimum, your job is to build real relationships with these people. They should all know:
- What you do, what you’re good at, and why it matters
- Your goals and ambitions, and how they align with the big picture
Playing ‘politics’ isn’t about gossiping or getting involved in office drama. It’s about campaigning for yourself, ensuring you’re recognised for your contributions, and making sure you have all the opportunities you deserve.
These people will be asked questions about you, and you want to make sure they’re armed with the right information to represent you fairly. The more senior you become, or attempt to become, the more you’ll realise the importance of this ‘game’. It will be played whether you like it or not.
You’ve got two options:
- Position yourself and take control
- Be positioned by someone else and leave it to chance
NEWS
XZ Backdoor Breakdown
Summary: A Microsoft developer discovered a backdoor in a widely used compression utility for Linux called XZ Utils, which could have allowed for the execution of malicious code. The backdoor was planted by a user who had become increasingly involved in the project and had gone unnoticed for years.

Thomas Roccia, Microsoft Researcher
Key takeaways:
- It was a complex and carefully executed supply chain attack, which shows the level of skill and planning put into it.
- The backdoor was designed to manipulate sshd, the executable file responsible for making SSH connections, and give the attacker control over the device.
- This backdoor could have gone undetected for much longer if it weren't for the sharp eye of one developer, leading to concerns about the effectiveness of current security measures in place for identifying and preventing such attacks.
- After three years of seemingly innocent code changes and polite emails, the perpetrator, known as "Jia Tan," attempted to sabotage the software project, highlighting the importance of carefully monitoring contributors to open source projects.
- The technical details of the backdoor suggest the involvement of a well-organised state-sponsored hacker group, such as China's APT41, North Korea's Lazarus Group, or Russia's APT29.
- Some argue that Jia Tan may have simply changed the time zone of their computer and was not necessarily a member of a state-sponsored hacking group.
- It is also unlikely that Jia Tan was a lone individual; more likely, the name was the online persona of a larger organisation.

If you want to dive into the weeds even more, you can check out this detailed write-up by Evan Boehs.
AI & SECURITY
Weekly Resource Roundup

This article discusses the role of detection engineering and security analytics practices in enterprise SOC and their impact on the issue of alert fatigue.
Detection management is crucial in preventing the "creep" of low-quality detections that can contribute to alert fatigue. It ultimately hinders an analyst's ability to identify and respond to real threats.
The impact of the OWASP Top 10 for LLM Applications Project on the cybersecurity industry has been huge. Its latest announcement was the launch of Version 2 (V2) of the project, including updates to the charter, roadmap, and core team.
Despite extensive academic research on AI security, there's a scarcity of real-world incident reports, hindering thorough investigations and prevention strategies.
To bridge this gap, the authors compile existing reports and new incidents into a database, analysing attackers' motives, causes, and mitigation strategies, highlighting the need for improved security practices in AI applications.
The rapid integration of generative models into everyday applications raises safety concerns, prompting significant growth in the field of red teaming to address emerging vulnerabilities and develop better strategies.
AI cloud services, like Hugging Face, are seeing great demand as companies adopt AI technology at a rapid pace.
Wiz Research, who partnered with Hugging Face, found security risks that could have compromised their service and potentially given access to private data and models.

Be cautious when using code generated by GitHub Copilot and disable the option to share your code snippets.
It is recommended to carefully review code and possibly add a third human reviewer. The handling of code snippets and telemetry data by GitHub is unclear and confusing.
This document discusses the findings, recommendations, and lessons learned from engineering a large language model for national security use cases.
Thanks for reading.
Cal J Hudson