Hunter Foo

Most companies invest heavily in employee phishing training. Yet phishing still drives most breaches. Recent research from ETH Zurich shows “embedded” phishing training reduced click rates by only 2% over eight months. The small drop came from short-term reminders, not real learning. Even worse, 75% of employees spent less than one minute reviewing post-click materials, and many closed them immediately. Some even finished training more confident but not more capable, a false sense of security that increases risk. Awareness training is not a viable defense. Human error is steady and predictable. Real protection comes from speed, automation, and visibility.

37

5 Comments

Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will: Expose misconfigurations and control gaps Surface broken processes (people • tech • vendors) Produce a clear timeline to improve response Provide evidence for insurance claims and regulators Demonstrate senior management intent and due diligence One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers

17

2 Comments

The pentest market is getting saturated. But somehow, pricing hasn’t caught up? We see firms charging $12K to $20K for the same talent others get for $4K. Same tester. Same tools. Different logo. Then there’s the other end of the spectrum. MSPs selling vulnerability scans with a cover page and calling it a pentest. (You know who you are.) So how are some firms still able to charge top dollar? Trust. Brand. Confusion? A SaaS CEO getting SOC2 can’t tell the difference and there’s no real enforcement body making them understand. National Institute of Standards and Technology (NIST) does mention the use of "testers" in pentesting and says nothing about automated or AI driven pentesting when defining pentesting (https://lnkd.in/g8VN-Mc7)... the AICPA is nowhere to be found and peer reviews don't work if you both are using automated pentesting on SOC2... PCI DSS has a manual pentesting standard. The market is shifting though. More talent. More scrutiny. More demand for results, not fluff. You can’t fake the value forever.

30

Munich Security Conference released this 123-page report Munich Security Index - https://lnkd.in/eMiZBETf. The findings show that G7 countries (🇨🇦🇫🇷🇩🇪🇮🇹🇯🇵🇬🇧🇺🇸) ranked "cyber-attacks on their country" as their top concern in 2025, followed by "economic or financial crisis" and "disinformation campaigns from enemies."The Munich Security Index data suggests that trade wars, economic coercion, and geopolitical rivalry are increasingly perceived as systemic risks.

16

The Biggest Cybersecurity Vulnerability? It’s Not Technology! It’s people. No firewall can stop someone who willingly gives away their password. That’s why social engineering works. It doesn’t attack systems. It attacks emotions. ⚠️ Urgency — “Act now or your account will be closed.” ⚠️ Fear — “Suspicious login detected.” ⚠️ Authority — “Message from HR / CEO / IT Support.” Phishing emails don’t say, “Hi, I’m a hacker.” They look like: • Bank alerts • HR updates • Delivery notifications They look normal. That’s the danger. The real security skill? ✔️ Check the sender’s address carefully ✔️ Hover over links before clicking ✔️ Pause before reacting Technology matters. But awareness is a security control. A strong security culture will always outperform expensive tools. Cybersecurity isn’t just technical. It’s psychological. #Cybersecurity #SocialEngineering #PhishingAwareness #InfoSec #CyberSecurityCareers #SecurityCulture

25

1 Comment

Your Webflow site has 5 critical security vulnerabilities right now. This is PART 4 of my Website Security Series - focusing on Webflow-specific blind spots most designers miss. I've audited 100+ Webflow projects and these are the most dangerous gaps I consistently find. Each fix takes 5-10 minutes but protects you from: → Data breaches → Spam attacks   → Unauthorized access → Client data exposure Swipe through for the exact step-by-step fixes → Missed the previous parts? Check my recent posts: 📌 Part 1: WordPress Security Essentials 📌 Part 2: Shopify Security Essentials 📌 Part 3: WIX Website essentials Which security blind spot will you tackle first? #WebflowSecurity #WebSecurity #WebDesign #FreelanceDesigner #WebDevelopment #SecuritySeries #Part4 👉 Follow for Part 5: Squarespace Security

8

6 Comments

Let’s face it – traditional security isn’t built for this. 357,000+ active stolen German credit cards. - Fake PhotoTAN flows that beat your MFA. - Infostealer logs traded like groceries on Telegram. - Phishing kits more convincing than real banking apps. And still… most companies focus on what’s inside the perimeter. Meanwhile, attackers know your infrastructure better than you do. They map your exposed assets. Monitor your executives. Abuse your brand – and sell it in underground chats. 👉 The latest Brandefense Germany Threat Report shows it clearly: The threat is external, fast-moving, and personalized. So why are so many teams still busy scanning servers instead of watching the real battlefield? If you want to regain the initiative, start where attackers start: Monitor what they see. Understand what they trade. Act before they strike. We can show you how – in 7 days. #Cybersecurity #ExternalAttackSurface #DarkWebMonitoring #Phishing #Infostealer #DigitalRiskProtection #BrandAbuse #ThreatIntelligence

43

6 Comments

Lost iPhone? Don’t Fall for Phishing Texts Stating It’s Been Found “The Swiss National Cyber Security Centre (NCSC) is warning iPhone owners about a phishing scam that claims to have found your lost or stolen iPhone but is actually trying to steal your Apple ID credentials. When iPhone customers lose their phone or it is stolen, they can set a custom message [https://lnkd.in/e4e6yB8D] in Apple's Find My app that appears on the lock screen. When lost, this message may include an email address or phone number to contact the owner. According to the NCSC, threat actors may be using this information to send targeted phishing texts (smishing) through SMS or iMessage to the displayed contact information, claiming to be from Apple's Find My team and stating that their phone had been found. ‘Losing your iPhone is always annoying. Not only is the device gone, but your personal data may also be lost,’ explains the NCSC [https://lnkd.in/e2Y6xqu3]. ‘Once the initial panic has passed, most people are left hoping that someone honest will find it. But if scammers have your phone, they may try to exploit this hope. They send text messages or iMessages that appear to come from Apple, claiming that the lost iPhone has been found abroad.’ The phishing message includes convincing details such as the phone's model, color, and any other information that can be extracted directly from the locked device. ‘We are pleased to inform you that your lost iPhone 14 128GB Midnight has been successfully located,’ reads the phishing text. ‘To view the current location of your device, please click the link below: <phishing url>’ ‘If you did not initiate a lost device report or believe this message was sent in error, please disregard it or contact our support team immediately.’ The phishing message contains a link to the alleged Find My website that shows the device's location. However, instead of leading to Apple's official website, it redirects to a phishing page with a login prompt that mimics Apple's Find My website. When victims enter their Apple ID and password, the credentials are sent to the attackers, giving them full access to the account.” https://lnkd.in/e_QQ52rS

13

3 Comments

Most “OSINT” isn’t OSINT-- and that’s okay. I've noticed we often use OSINT to mean "online research" or “I quickly looked it up online.” It's 100% valuable work, but the INT matters: requirements → collection → processing → analysis → dissemination. That’s intelligence. PAI collection (including quick searches, data pulls, screenshots, and other collection from open sources) is different-- and mission-critical. It enables investigations, intelligence operations, and ensures awareness of fast-breaking events. But, calling everything OSINT can blur roles, weaken standards, and undersell the speed/value of great non-OSINT PAI work. Questions for you: • In your org, do you distinguish PAI collection from those building finished OSINT products? • For fast-paced PAI collection, do you use lightweight intel-cycle steps (requirements, confidence statements, source grading) and do they actually stick? • Any thoughts on non-OSINT PAI collectors leveraging similar tradecraft (eg. training, standards, managed attribution) as dedicated OSINTers? Not trying to be pedantic; rather, naming work precisely helps resource both disciplines correctly and reduces risk. Both PAI and OSINT collect information from open sources, but the output/goal is different. Curious to hear what’s working (and what isn’t) in your world. #OSINT #PAI #Tradecraft #CTI #OPSEC #ManagedAttribution

28

3 Comments

3 years ago we realized that the best way to protect data was to encrypt every single sensitive value with a different key. That means if you use CipherStash every email address, dob, medicare number or SSN stored in your database is encrypted using a different key. 1000 email addresses = 1000 keys. Nuts, right!? We thought so too at first but it turns out this approach has some powerful advantages. And because CipherStash is so fast, it's very practical as well. In traditional systems, a single key will be used to encrypt thousands or even millions of values. This is the only practical solution for current cloud-based tools because lack the performance for anything more granular. The problem is that for security teams, knowing if a key was used doesn't provide any information about what data was decrypted. Audit logs are therefore broad-brushed: they can only record if one of perhaps 1000s of unique values or customer records were accessed. 🔑 Key per value encryption solves that! Because every key can uniquely identify what data was accessed, audit logs become powerfully precise. Now it's possible to identify exactly how data is being accessed without knowing anything about the data itself! For many of our customers having this visibility has revealed some surprising results in how their data is being accessed. Plus, because everything remains encrypted they get none of the risks of traditional access logging tools. It turns out having a bold idea can pay off if you stick at it :)

58

15 Comments

A client hired me to fix a Wazuh setup that was generating 400,000 alerts a day. Someone had done the installation before me. Basic setup, no tuning, walked away. The client was left with a dashboard that never stopped screaming. 400,000 alerts. Every single day. Nobody was looking at them. Not because the team didn't care because no human can process 400,000 alerts a day. So they did what anyone would do. They ignored the dashboard entirely. I started tuning. Rule by rule. False positive by false positive. Misconfigured threshold by misconfigured threshold. When I was done, the daily alerts dropped to 197. Here is what was in those 197. Active attack attempts on their infrastructure. Failed login attempts on sensitive accounts, repeated, pattern-based, the kind that suggest someone was methodically trying to get in. These weren't new threats. They had been happening while the dashboard was screaming 400,000 alerts a day. Buried under the noise. Invisible because everything looked equally urgent. 400,000 alerts means nothing is a priority. 197 alerts means your team can actually respond. The goal of a SOC isn't more visibility. It's the right visibility.

225

6 Comments

Do you know how to do identify a Qualified Opinion in a SOC 2 report? Well, it's actually not that difficult, as long as you read the Service Auditor's Report (most of the time labeled as Section 1). In the Service Auditor's Report, there will be a paragraph labeled "Basis for Qualified Opinion". Then in the "Opinion" paragraph right below it, it will include language such as, "except for the matter described in the preceding paragraph". In the example attached, the system description was fairly stated, the controls were suitably designed, but the opinion was QUALIFIED for the operating effectiveness of controls. An Unqualified Opinion will not have an additional paragraph added to the Service Auditor's Report and the "Opinion" paragraph will state that the system description was presented in accordance with the description criteria and the controls were suitably designed and operating effectively to meet the applicable trust services criteria. The "except for" language will not be included. So, the real question. What do TPRM teams when they come across a prospective vendor that has a SOC 2 report with a Qualified Opinion?

79

28 Comments