AWS does IR, credit card canarytokens, shared responsibility, phishing tests do harm – ESW #387
This week, in the enterprise security news,
NOTE: We didn't get to 2, 3, 5, or 7 due to some technical difficulties and time constraints, but we'll hit them next week! The show notes have been updated to reflect what we actually discussed this week: https://www.scworld.com/podcast-segment/13370-enterprise-security-weekly-387
- Snowflake takes security more seriously
- Microsoft takes security more seriously
- US Government takes telecom security more seriously
- Cleo Capital takes security more seriously
- EU’s DORA takes effect soon
- Is phishing and security awareness training worthless?
- CISOs need financial literacy
- Supply chain firewall is basic but useful
All that and more, on this episode of Enterprise Security Weekly.
- 1. NEW PRODUCTS: AWS launches an incident response service to combat cybersecurity threats
The more I think about this, the more it makes sense. AWS is constantly changing, documentation is difficult to parse, and mistakes are easy to make. Having a service that can quickly undo malicious account takeovers, or shut down malicious activity could be a huge plus for an org that's all-in on AWS for production workloads.
- 2. NEW FEATURES: It’s Baaack… Credit Card Canarytokens are now on your Consoles
- 3. NEW TOOLS: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
Stupid simple
Stupid effective
We need more security tools like this
- 4. NEW FUND: Cleo Capital launches cybersecurity accelerator to help undo the ‘crushing burden’ of online threats
"Right now, Kunst is looking for companies from consumer, the defense sector, and dev tools and infrastructure. A pressing issue for Kunst is that it’s too easy for scammers to target their victims. “You can pretend to be anyone on social media or a dating app,” she said."
"The deadline to apply to the accelerator is January 20, with a February 24 start date."
- 5. SECURE BY DESIGN: Snowflake Will Block Single-Factor Password Authentication by November 2025
I've loudly voiced my doubts that CISA's Secure by Design would have much of an impact, but if Snowflake follows through on this, I might have to reconsider. Obviously, we want Secure by Design to have a broader impact than one security control at one vendor, and an argument can be made that it was maybe 5% Secure by Design and 95% massive customer breaches that helped make this happen, but whatever - details. It might inconvenience some customers, but overall, a necessary move, I think.
- 6. VULNS: Cisco ASA flaw CVE-2014-2120 is being exploited in the wild
An 11-year-old vulnerability.
Being exploited in the wild.
Attack vector is the web console.
C'mon, folks. Do better.
- 7. WORST PRACTICES: Understanding the Efficacy of Phishing Training in Practice
I swear this report was available for free when I first added this. Oh well. I just created an IEEE account and paid $21 for it. FML.
This is more of what we already know from other studies - phishing training generally doesn't work, and can potentially do harm. There's better stuff we can be doing instead.
Abstract—This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value. First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content. Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations. Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.
- 8. PROFILE: He Investigates the Internet’s Most Vicious Hackers—From a Secret Location
Love him or hate him, Brian Krebs is the first major independent cybersecurity journalist and has had a huge impact on the industry and on cybercrime. It hasn't been easy for him, and that's what this writeup focuses on, in addition to his recent assistance in bringing the Snowflake hacker (Waifu) to justice.