Security Job Hunting Playbook
Attack Surface, Simulated Phishing, News & Free Resources
Good morning!
In today’s line up:
How do you protect the attack surface?
How effective are simulated phishing campaigns?
A data breach exposes 10 million people
Kroll employees fall victim to SIM swapping attack
Free learning resources
PLUS, my new Security Job Hunting Playbook
How do you protect the Attack Surface?
Attack Surface Management (ASM) aims to protect and reduce an organisation’s attack surface.
The threat landscape is evolving and cyber-attacks are becoming more sophisticated. We need a more unified approach.

What is the attack surface?
The attack surface is the set of all possible points, or attack vectors, through which an unauthorised user can gain access to a system and extract data.
Many organisations are so busy firefighting issues that they overlook the source of the fire.
Top 4 issues we need to address:
Inadequate patch management
Improper configuration management
Outdated IT infrastructure
Immature DevSecOps processes
An ASM strategy helps achieve the following:
Tackle immediate threats
Prevent new vulnerabilities arising
Prevent repeat issues
Change the culture from reactive to proactive defence
Key strategy components:
Threat actors seek to move laterally across systems after the initial breach occurs, so the controls need to be in place across these areas:
Network segmentation
IAM
Logging and monitoring capabilities
Training and awareness
Third-party controls
Critical dependencies:
The more information you have on the context of an organisation, the better you can defend it.
You need:
Accurate asset inventories
Configuration management databases
Visibility via multiple data sources
Real-time identification
Clear governance
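As an added illustration of the "accurate asset inventories" and "visibility via multiple data sources" points above (example code written for this post, not a tool from the newsletter), the script below reconciles a CMDB export against hosts seen in two other discovery sources and reports the gaps that widen the attack surface: assets nobody owns, stale CMDB records, and known hosts with overdue patching. All host names, owners and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: a CMDB export plus hosts discovered from two other data sources.
CMDB = {
    "web-01": {"owner": "platform", "last_patched": date(2023, 8, 20)},
    "db-01": {"owner": "data", "last_patched": date(2023, 3, 2)},
    "vpn-gw": {"owner": "network", "last_patched": date(2023, 7, 30)},
}
DNS_RECORDS = ["web-01", "db-01", "vpn-gw", "staging-app"]        # hypothetical external DNS zone
CLOUD_INVENTORY = ["web-01", "db-01", "lambda-export", "vpn-gw"]  # hypothetical cloud API listing

@dataclass
class Finding:
    host: str
    issue: str
    sources: tuple  # which discovery sources saw the host

def reconcile(cmdb, sources, today, max_patch_age_days=60):
    """Merge every discovery source against the CMDB and return attack-surface findings."""
    findings = []
    seen = {}
    for name, hosts in sources.items():
        for h in hosts:
            seen.setdefault(h, set()).add(name)
    # Unknown assets: visible to discovery but absent from the CMDB, so nobody owns or patches them.
    for host, srcs in sorted(seen.items()):
        if host not in cmdb:
            findings.append(Finding(host, "not in CMDB", tuple(sorted(srcs))))
    # Stale records: in the CMDB but no longer visible anywhere (likely decommissioned, tidy up).
    for host in sorted(cmdb):
        if host not in seen:
            findings.append(Finding(host, "in CMDB but not discovered", ()))
    # Patch hygiene: known assets whose last patch date is older than the threshold.
    for host, rec in sorted(cmdb.items()):
        age = (today - rec["last_patched"]).days
        if age > max_patch_age_days:
            findings.append(Finding(host, f"unpatched for {age} days",
                                    tuple(sorted(seen.get(host, ())))))
    return findings

def demo():
    """Run the reconciliation over the constructed sample with a fixed 'today'."""
    return reconcile(CMDB, {"dns": DNS_RECORDS, "cloud": CLOUD_INVENTORY}, date(2023, 9, 1))

if __name__ == "__main__":
    for f in demo():
        print(f"{f.host:14} {f.issue:28} seen in: {', '.join(f.sources) or '-'}")
```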
How effective are simulated phishing campaigns?
Are simulated phishing emails a worthwhile investment to reduce risk?

From my experience, it seems most organisations are aiming to produce a ‘Gotcha!’ moment, so they can share a lesson with the user and hope they’re more cautious next time.
The reality is, we all make mistakes. At some point in time, we all get stressed and fatigued. We’re all capable of clicking a bad link - especially those in security 😉
Simulated phishing campaigns risk two negative outcomes occurring:
People may not bother clicking report if they think it’s just another test.
Emails that tempt employees with rewards and compensation, only to pull them away, are a sure way to piss everyone off…
Would it be better to use this time and money to improve security controls to decrease the chances of disruption from a single user, clicking a single link?
Note: I recognise that security teams often use the results of phishing campaigns to make a case for further security investment.
Data breach exposes 10M people
Pôle emploi, France's governmental unemployment registration and financial aid agency, has announced a data breach that exposed data belonging to an estimated 10 million people.

The exposed information includes full names and social security numbers. Email addresses, phone numbers, passwords, and banking data have not been affected.
Although the exposed data has limited utility in cybercrime, all registered job seekers should be cautious of any incoming communications.
Which service provider was responsible for the leak is still speculative. The security firm Emsisoft listed Pôle emploi on its MOVEit page; however, the Clop ransomware gang behind the MOVEit attacks has not yet published the French agency on its extortion site.
Read more here.
SIM Swapping Attack
Quick explanation on what SIM swapping is:
It allows threat actors to take over a user's phone number by having it moved to a SIM card under their control. This makes it possible to intercept SMS messages and voice calls, including the MFA codes that control access to online accounts.
Attackers often use phishing or social media to collect personal information about their targets, such as birthdays, mother's maiden names, and the high schools they went to, so that they can convince the cellular carrier to port the victims' phone numbers to one of their own SIM cards.

Risk and financial advisory solutions provider Kroll, announced one of its employees fell victim to a "highly sophisticated" SIM swapping attack.
Overview:
The attacker targeted the employee's T-Mobile account. It seems that T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at the attacker's request.
This enabled the unidentified actor to gain access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis.
SIM swap attacks are on the rise - Bart Stephens, the co-founder of Blockchain Capital, filed a lawsuit against an anonymous hacker who stole $6.3 million worth of crypto in an alleged SIM swap attack.
Telecommunications providers need to deploy stronger security protocols to prevent SIM swapping, such as providing customers with the ability to lock their accounts and enforce stringent identity verification checks.
To protect yourself, move away from SMS-based two-factor authentication (2FA) and switch to phishing-resistant methods to secure online accounts.
Read more here.
Free Resources
You can access Offensive Security Checklists, including: firewall testing, API testing, blockchain & smart contract testing, AWS tools, threat intelligence tools and many more!
Get hands-on SOC related experience through this home-lab project. It will help you set up Splunk SIEM and practice real-world use cases.
New Security Job Hunting Playbook
From conversations with dozens of cyber security enthusiasts, I’ve identified two recurring problems that need addressing:
They’re trying to do a bit of everything
They’re only applying via conventional routes
Disclaimer: if you’re new to security, haven’t completed training, haven’t got certifications, and you’re unsure what direction you’re heading in – come back to this at a later date.

Here’s My 6-Part Job Hunting Playbook:
1/ Choose a singular focus
Most security enthusiasts try to pursue multiple career paths at the same time. They need a singular focus.
Example: If you want an entry-level GRC role, why are you learning practical hacking skills and dabbling in vulnerability scanning?
Choose the role you want to break into and obsess over it. This is the only way to be the most undeniable candidate when you apply for a role.
2/ List 15 target companies you’d like to work for
When selecting companies, make a list of what’s most important to you – values, culture and the role.
Then, check there is alignment between you and your target companies.
Example: Years ago, I wanted to work for Revolut. From the outside, they were an innovative powerhouse, growing exponentially and I wanted in. However, from my research and after my first interview, I withdrew my application. Their culture had an intensity that didn’t align with my values and their perspective on what a Security Architect should do was different to mine – and that’s ok.
3/ Find 10-15 contacts at each company
The goal is to connect with people who could help open the door to a referral interview.
I’m talking about potential hiring managers and future colleagues in the team you want to work for.
Note: using this approach I’ve been able to get the low down on a team’s culture before even interviewing for a role.
4/ Create a plan for engagement
Research your person (review their LinkedIn, Google their name etc.)
List 3-5 ways you could add value to them – this offers multiple ways to form a deeper relationship
When making contact, reference areas of common ground. This increases the chances of a positive response.
Note: at no point in your early communications should you be asking for any support.
5/ Gather useful information
Don’t overload them with questions, organically try to discover:
What their security team’s goals are / culture
Whether they are looking to expand their team / where they have skill gaps
This should identify gaps that you could fill and ultimately, lead to a referral.
6/ Craft your value proposition
Companies want to know about you, but they mostly want to know if you can solve THEIR specific problem.
You want to show them you understand their goals, challenges, and initiatives.
Create a 2-3 slide pitch deck that highlights:
The company's largest challenge / opportunity
3 ideas or solutions + execution plans
Your background and why you're the best person to implement them
Note: you don’t get to this position overnight, it takes work to develop connections and exchange value. However, it will open the most exciting opportunities for you.
Bring it with you to your interview. It will massively set you apart from other candidates.
Wisdom
“Security is always too much until the day it is not enough.”
Security teams are on a continuous journey to improve their perception within an organisation.
Far too often we are seen as a blocker, rather than an enabler.
Security is a cost.
Security is an extra hoop for teams to jump through before their project can go-live.
Security is an approval step that teams try to avoid as long as possible, which actually creates more problems than if they had involved us from the design stage.
Teams push for risk acceptance over remediation, as it may threaten project timelines.
Security is seen as a problem, until… a security incident occurs.
Be empathetic to the needs of the business and foster relationships to improve collaboration between security and business stakeholders. But never compromise on your security principles – it’s what you’re there for.
Stand your ground and continue to do the right thing.