Garin Pace

2.6K posts

Garin Pace

@Garin_Pace

I like figuring out how things work. I work in the infosec & privacy (cyber) insurance space as an underwriter. Views are my own and not my employer’s.

Katılım Eylül 2015

850 Takip Edilen363 Takipçiler

Sabitlenmiş Tweet

Garin Pace@Garin_Pace·28 Eki

@codywamsley @jeremiahg @JeffreyLS172 Some - myself included - think that this year may be the year that the falling rates, increasing coverage and threat (recent ransomware spikes) make the market have a largely unprofitable year. Folks who are judging cyber insurance profit on pre 2013 facts need to re-examine!!

English

Garin Pace@Garin_Pace·22 Şub

IT Unprofessional@it_unprofession

Just found out we're being audited by our cyber insurance provider. They want to verify we actually have all the security controls we claimed we have. Problem: we don't have all the security controls we claimed we have. When we applied for the insurance, the application asked if we had multi-factor authentication on all admin accounts. I checked "yes" because we were planning to implement it. We never implemented it. Now the auditor wants to see our MFA logs.I have 48 hours to either: 1. Admit we lied and probably lose our coverage 2. Implement MFA across the entire company in two days 3. Get creative I'm going with option 3.I just enabled MFA on every admin account. Forced enrollment. Everyone had to set it up in the last hour. Then I backdated our MFA implementation logs to show it was enabled six months ago. Is this fraud? Technically maybe. But the security is actually in place now. We're just adjusting the timeline of when we claim we did it. The auditor comes on Monday. By then we'll have 48 hours of MFA logs that I'll present as "recent activity" from our "six-month implementation." Did we lie on the application? Yes. Are we fixing it before anyone finds out? Also yes. Corporate compliance is just staying one step ahead of getting caught.

QST

105

Garin Pace retweetledi

Rachel Tobac@RachelTobac·20 Haz

My favorite way to hack in my ethical hacking is phone call based hacking with impersonation. Why? Because it has the highest success rate. This is what we're seeing in the wild right now, too. Let's talk about how phone call attackers think and how to catch Scattered Spider style attacks for Insurance companies (that are heavily targeted right now, Aflac recently) 1. *Impersonating IT and Helpdesk for passwords and codes* They pretend to be IT and HelpDesk over phone calls and text message to ask for passwords and MFA codes or credential harvest via a link 2. *Remote Access Tools as Helpdesk* They convince teammates to run business remote access tools while pretending to be IT/HelpDesk 3. *MFA Fatigue* They will send many repeated MFA prompt notifications until the employee presses Accept 4. *SIM Swap* They call telco pretending to be your employee to take over their phone number and intercept codes for 2 factor authentication

Sean Lyngaas@snlyngaas

NEW --> Aflac is breached by cybercriminals in the latest hack of insurance industry that bears the hallmarks of Scattered Spider: prnewswire.com/news-releases/…

English

237

62.1K

Garin Pace retweetledi

Heather Adkins - Ꜻ - Spes consilium non est@argvee·4 Nis

Sondeos Global, an SMS gateway provider, compromised. Delivers OTP codes over SMS for million of people... I can't say this enough: it's time to deprecate SMS for 2FA!

DET SYNTETISKE PARTI@Estemuchacho1

Sondeos Global, un gateway SMS, confirmó un acceso no autorizado a sus servidores el 24 de marzo. a vulnerabilidad permitió capturar tráfico de SMS en tiempo real, afectando a clientes con OTP y otros mensajes.

English

12.2K

Garin Pace@Garin_Pace·12 Şub

@a_greenberg “We’re supposed to make any exceptions,…”? Freudian slip?

English

152

Andy Greenberg (@agreenberg at the other places)@a_greenberg·12 Şub

Totally normal and cool email to get from the sitting president of the United States of America

Andy Greenberg (@agreenberg at the other places) tweet media

English

9.7K

Garin Pace@Garin_Pace·21 Oca

I muted someone. Yet when they repost someone else’s post I see the original and that they reposted it. That seems odd.

English

Garin Pace@Garin_Pace·26 Nis

@PyroTek3 So…this is another opportunity for folks to misconfigure and create impacts they don’t fully understand?

English

636

Sean Metcalf@PyroTek3·26 Nis

Microsoft has recreated the Active Directory Forest in the cloud 😆 Tenants (domains) now can be joined together (in a cloud forest) (and remember, it’s Entra ID, not Azure Active Directory)

Scott Schnoll@schnoll

Today we announced that new multi-tenant organization capabilities within Microsoft 365 are now generally available #Microsoft365 #MTO techcommunity.microsoft.com/t5/microsoft-3…

English

303

73.8K

Garin Pace@Garin_Pace·27 Mar

@AlyssaM_InfoSec Mind following for a DM? I’m not verified.

English

Josh Corman ♘@joshcorman·27 Mar

Finally! Read & stop trying to weaken getting stats… cannot manage what you cannot measure… Weaker public goods benefits adversaries

ARCHIVED: Jen Easterly@CISAJen

👉After a lot of hard work, I’m excited to announce that @CISAgov’s Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is now available on the Federal Register at go.dhs.gov/JbC.

English

2.4K

Garin Pace@Garin_Pace·27 Mar

@AlyssaM_InfoSec @joshcorman I think carriers claiming to have access to “insights” is more marketing, though change is afoot. There are insurers out now buying or forming their own IR firms. And outside US it’s more likely to get detail, but US is biggest insurance market and location of ransomware victims.

English

Garin Pace@Garin_Pace·27 Mar

@AlyssaM_InfoSec @joshcorman I work at one of the bigger cyber insurers; we don’t have the access to forensics data the world thinks we do. The privilege thing in the US really hurts and it’s more common not to get detailed info about incidents we pay on than it is to get it.

English

Garin Pace retweetledi

Jim Sykora@JimSycurity·26 Mar

@rucam365 - Don't use them. 99.9% tasks performed w/ these roles don't require them & can be delegated w/ least privilege. - If you must, only use from a Privileged Access Workstation (+ MFA, long unique PWs, cert-based auth) - Never leave priv account creds/tokens where they can be stolen

English

2.8K

Garin Pace retweetledi

Ian Carroll@iangcarroll·21 Mar

You can view our disclosure at unsaflok.com. Many of us worked on this including @LennertWo, @rqu53, @BusesCanFly, @samwcyo, @sshell_, and @WillCaruana. We believe these locks have been vulnerable for over 36 years, way older than most of us!

English

14.8K

Garin Pace retweetledi

Brett Callow@BrettCallow·21 Mar

An American Hospital Association survey reported on March 15 that almost 60% of respondents say the revenue impact is $1 million per day or higher, and 44% said the adverse effects on revenue will continue for two to four more months. #ransomware scmagazine.com/news/change-he…

English

Garin Pace@Garin_Pace·6 Mar

@ebailey1367 @cisonaut @anton_chuvakin Can you share more on the segment of the market you see? My experience is rates have been falling, even before accounting for reduction in risk from control effectiveness. That doesn’t match the current threat, of course, but the market is the market.

English

Ed Bailey@ebailey1367·6 Mar

Strong programs are seeing higher costs but not terrible. The weaker programs are seeing much higher premiums 4-5x but still not high enough to implement a serious security program. It’s too easy to practice check the box security and hit all the controls insurance companies want to see like do you have an MDR, do you have a SIEM but still have a super weak program. Though recently was introduced to a unicorn insurance auditor who was an actual security expert and his report was unkind to put it mildly and made the company pay attention.

English

Dr. Anton Chuvakin@anton_chuvakin·5 Mar

Somebody cynically pointed out to me that some orgs have literally millions to pay ransom but cannot find any money for security. (1/3)

English

372

61.1K

Garin Pace retweetledi

Fabian Wosar@fwosar·5 Mar

Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized. They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice. You will see code like this.

English

241

74.4K

Garin Pace@Garin_Pace·20 Şub

@UK_Daniel_Card @joetidy Fully agree; “you’re paying criminals for a promise?”. However, the “there business depends on their reputation” crowd pushes hard, and it’s also hard to not spend money towards helping the folks whose data was compromised (customers I mean).

English

102

mRr3b00t@UK_Daniel_Card·20 Şub

@Garin_Pace @joetidy yeah i can imagine some do.... I always say... once it's copied... it's copied.. so you know...

English

263

Joe Tidy BBC News@joetidy·20 Şub

“LockBit has caused enormous harm and cost. No longer”.

English

172

34.5K

Garin Pace@Garin_Pace·20 Şub

@UK_Daniel_Card @joetidy I’ve had multiple clients pay “for data suppression”

English

280

mRr3b00t@UK_Daniel_Card·20 Şub

@joetidy i don't think anyone really pays for that. they pay because their backups are fked. I've never seen personally anyone consider paying when there are available data recovery methods (only my small slice of the view)

English

5.5K

Garin Pace retweetledi

Joe Tidy BBC News@joetidy·20 Şub

Very interesting - NCA says that whilst searching through seized servers of LockBit they found data belonging to some victims who had already paid the gang's ransom. So - more evidence that paying these criminals does not mean that your data is deleted as they promise.

English

114

457

261.3K

Garin Pace@Garin_Pace·8 Oca

Every company who says they “identified a cybersecurity incident” when they really mean “we identified ransomware encrypted our files when stuff stopped working” makes me (irrationally?) angry. You didn’t identify anything until the threat actor wanted you to.

English

123

Garin Pace@Garin_Pace·8 Oca

It wasn’t a cyber insurance policy

English

191

Garin Pace retweetledi

Brett Callow@BrettCallow·15 Kas

Production at the maker of Chrysler, Dodge, Jeep and Ram models is being affected after a cyberattack on an automotive supplier disrupted its operations, the automaker said Monday. #Ransomware? detroitnews.com/story/business…

English

23.2K

Keşfet

@a_greenberg @PyroTek3 @AlyssaM_InfoSec @joshcorman @rucam365 @LennertWo @rqu53 @BusesCanFly