Andrew Ginter

We've published cheat sheets for the first three volumes of NIST's new Digital Identity Guidelines! If you're planning on reading SP 800-63-4, 63A-4, or 63B-4, visit the Trusted Cyber Annex site (link in the comments) and download our cheat sheets for free. They not only highlight the recommendations and other information that we think are the most important, but they also include the NIST definition of each term next to where that term is first used. These additions make the Digital Identity Guidelines easier and faster to absorb. Please spread the word about this work! We are 100% reader-supported, so we rely on you to help us reach the cybersecurity community. Thank you!

56

8 Comments

I'm excited to share that my SANS ICS Summit 2025 presentation, "Detection is a Must: A pragmatic approach to threat detection within your industrial cybersecurity program," is now available online! In this session, we delve into why threat detection is essential, not just optional, for industrial environments. I challenge common arguments against prioritizing detection, emphasizing a pragmatic, engineering-minded approach to security. We explore the evolving reality of the OT threat landscape, highlighting how even well-segmented networks can be compromised due to vulnerabilities in foundational security controls like firewalls and VPNs. The presentation underscores the relentless pressure of ransomware, which saw an 87% increase in attacks against industrial organizations in 2024, with manufacturing as the top target, and a 150% surge in early 2025 for US industrial organizations. We also discuss the critical need for rapid detection in the face of shrinking attacker dwell times, noting that the median dwell time for ransomware attacks was just 5 days in 2023. I illustrate how threat detection seamlessly integrates with established frameworks like the SANS ICS 5 Critical Controls, forming the bedrock for visibility, hardening, and incident response. Furthermore, for electric sector entities, I explain how detection is increasingly a regulatory requirement under NERC CIP-015-1. The session also provides actionable insights into managing and mitigating false positives and offers concrete examples of detection technologies applicable to industrial environments. This presentation reinforces that detection is a must-have pillar for resilience in any industrial environment, complementing prevention and enabling rapid response. Watch the full video to gain a clear understanding of why relying solely on prevention is insufficient and how to build a pragmatic and effective threat detection capability tailored to your specific industrial context! #IndustrialCybersecurity #OTSecurity #ICS #ThreatDetection #SANSICS #Cybersecurity #NERCCIP #Visibility #Ransomware #CriticalInfrastructure https://lnkd.in/gB-Cq39H

85

2 Comments

Clorox is suing Cognizant for $380M. The reason? A 2023 cyberattack that crippled their operations, allegedly caused by poor help desk controls and a botched incident response. - This wasn’t just a breach. It disrupted supply chains, damaged customer trust, and is now turning into a legal battle with one vendor blaming the other. As security professionals, we often say: "Third-party risk is your risk." But too often, those warnings get ignored… until it’s too late. This case raises questions that CISOs and boards must be asking: - Are our vendors following the same standards we require internally? - How strong are our controls against social engineering, especially at the help desk? - Do we have contractual clarity around incident response ownership? Link to the full article is in the comments. #Cybersecurity #RiskManagement #GRC #InfoSec #CISOs

99

27 Comments

A pro-Russian hacktivist group, TwoNet, recently spent 26 hours attacking what they believed was a real water treatment plant. It wasn’t. It was a honeypot — a fake industrial control system built to study attacker behavior. Over the course of the attack, TwoNet revealed their entire playbook — scanning methods, privilege escalation attempts, lateral movement tactics — all without causing a single byte of real-world damage. This wasn’t just a clever trap; it was a masterclass in how deception and observability can transform defense. The Lesson: Observe, Don’t Just Defend Incidents like this highlight why Operational Technology (OT) observability is becoming central to modern security operations. When defenders can see exactly how attackers explore, exploit, and adapt, every failed intrusion becomes actionable intelligence. This is where Automated Moving Target Defense (AMTD) and deception technology converge — turning static defense into dynamic exposure management. The Next Evolution: Exposure Management with AMTD + Decoys Traditional Attack Surface Management (ASM) focuses on mapping and monitoring exposures. The next step — Exposure Management — integrates active countermeasures: “Continuously alter the attack surface, decreasing predictability and increasing exploit difficulty.” This is achieved by embedding AMTD techniques such as: • Decoy asset deployment (honeypots, fake OT nodes) • Surface morphing (dynamic IPs, rotating service fingerprints) • Deceptive telemetry that feeds attacker behavior into risk prioritization engines These capabilities reduce attacker confidence, generate high-fidelity threat intelligence, and turn every probe into a learning opportunity. Why It Matters The TwoNet case proves that attackers can be productively deceived. Instead of waiting to be breached, defenders can now observe, adapt, and mislead in controlled environments. As OT and IT systems converge, the integration of observability, AMTD, and deception within exposure management isn’t optional — it’s inevitable. The future attack surface won’t just be monitored; it will move, morph, and mislead — making every attacker wonder if what they see is even real. #OT #ExposureManagement #AMTD

34

🚨 CVE‑2025‑54309: Critical Vulnerability in CrushFTP A high-severity vulnerability, CVE‑2025‑54309, has been identified in CrushFTP (versions prior to 10.8.5 and 11.3.4_23). When the DMZ proxy feature is not enabled, improper AS2 validation allows remote attackers to gain administrator access via HTTPS, and this flaw has been actively exploited in the wild. 💡 Why it matters: Exploiting this vulnerability could result in: * Full administrative takeover of CrushFTP servers. * Rapid lateral movement in environments with exposed file transfer infrastructure. 🛡️ Recommended actions: * Update CrushFTP immediately: Upgrade to version 10.8.5 (or 11.3.4_23 and above) to apply the security fix. * Enable DMZ proxy as a stopgap mitigation: If patching isn't yet feasible, placing CrushFTP behind a DMZ proxy reduces exposure to this vulnerability. We got your back! Use these scripts from the Vicarius research team: 🔍 Detection script: https://lnkd.in/ekmawXUs 🩹 Remediation script: https://lnkd.in/ekgx-Hiv Remediate CVE-2025‑54309 with #vRx by Vicarius: https://lnkd.in/dXedBin6

82