Daniel Stori’s Turnoff.US: ‘Terminal Password Typing’
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s Turnoff.US: ‘Terminal Password Typing’ appeared first on Security Boulevard.
By Kevin Hanes, CEO at Reveal Security

Like every year, RSA 2025 was a sensory overload – in the best and worst ways. The buzz of AI was everywhere. The show floor was packed with acronyms and animated product demos (along with puppies, goats, monster trucks and American Ninja Warrior-type challenges?!). But step a few blocks away from Moscone, into the conversations over coffee or dinners, and you could hear a different tone. This year wasn’t just about what vendors were saying on the show floor – it was about what CISOs were quietly discussing off of it.

1. SaaS and Cloud Have Left the Perimeter Behind

This shouldn’t feel like news, but RSA 2025 made it impossible to ignore: we’re well past the point where legacy security frameworks make sense. The security industry still loves to talk about endpoints, agents, and network controls – but business operations have moved on. Enterprises now run on SaaS. HR, finance, customer data, source code, and strategic IP all live in third-party environments, accessed by users from everywhere, on everything. And while security teams have made huge strides in cloud posture management and identity and access management, what happens inside these applications remains largely opaque. The move to SaaS hasn’t just changed where data lives – it’s changed how risk manifests. Most organizations are still adapting.

2. AI Is Flattening the Threat Hierarchy (Credit to George Kurtz for the analogy)

At a dinner during the conference, CrowdStrike CEO George Kurtz offered a compelling metaphor that resonated with many in the room: think of cyber adversaries as a triangle. Nation-states at the top – sophisticated but scarce. Criminal syndicates in the middle – organized, prolific, and motivated by profit. And at the base, the broader mix: hacktivists, insiders, hobbyists. What AI has done, in Kurtz’s words, is collapse the triangle. Generative tools and automation frameworks are now allowing bottom-tier attackers to use top-tier tactics.

Suddenly, everyone can phish with polished pretexting. Everyone can scale lateral movement. Everyone can disguise behavior using AI-generated camouflage. This isn’t a hypothetical risk. Security teams are already seeing more volume, more sophistication, and more gray area. Tactics once associated with nation-state operators are now part of everyday incident response.

3. Identities Are Changing – And So Are the Stakes

Another one of the persistent themes this year: identities aren’t just people anymore. Cloud services and SaaS platforms are increasingly operated by a swarm of non-human actors – service accounts, bots, automation scripts, and now, autonomous agents powered by AI. These “users” perform real tasks, often with significant privilege, but live outside of traditional access models. This explosion of non-human identities creates both opportunity and confusion. Who governs them? How is behavior tracked? What does “normal” look like for an agent that acts across systems and multiple SaaS applications? There’s no clean answer yet – but RSA made it clear that the industry is starting to wrestle with this. The shift from managing devices to managing behavior is underway.

4. JPMorgan’s Letter Was a Line in the Sand

Mid-conference, JPMorgan’s open letter to its suppliers got serious attention. The message from CISO Patrick Opet was clear: we expect better security from the SaaS companies we depend on, and the industry must modernize security architecture to optimize SaaS integration and minimize risk. Opet stated, “The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.” The letter outlined requirements for prioritizing security over rushing feature releases, timely breach reporting, and responsible AI use – without mincing words. It also called out the need for security practitioners to work collaboratively to prevent the abuse of interconnected systems.

It wasn’t just a list of demands. It was a declaration of changing expectations across the enterprise landscape. Plenty of CISOs nodded along. While it’s popular to point to the shared responsibility model as a shield for SaaS vendors, it’s time for practitioners to take responsibility for monitoring user behavior and proactively looking for threats in applications, just as they do across the rest of their IT estate. This letter didn’t just raise the bar for suppliers – it gave security teams a new tool to push for better outcomes internally.

5. The Post-Auth Blind Spot: Not a Headline, But a Heartbeat

One trend that didn’t dominate the stage – but came up consistently in private conversations – was this: once someone logs into a cloud or SaaS application, visibility drops off sharply. Security leaders acknowledged that while access controls are solid and IAM tools are evolving, there’s very little clarity about what users (or bots) do after authentication. How privileges are used. How data is moved. How behaviors diverge from the norm. This isn’t about a particular product category. It’s a broader recognition that as environments grow more complex and interconnected, the space after access is granted is where risk is migrating. It’s not yet a mainstream message. It wasn’t printed on t-shirts or booth graphics. But if you listened closely, it was one of the most grounded, practical concerns people were bringing into rooms – especially CISOs grappling with third-party SaaS and identity risk.

Closing Reflections

RSA 2025 was loud. But beneath the noise, the conversations felt more grounded. Less about the next big feature, and more about foundational changes in how we think about risk, behavior and trust. A few truths stood out:

- SaaS and cloud are the new normal – and they demand new assumptions
- AI is accelerating everything: the good, the bad, and the gray areas
- Identity is getting messier, and non-human actors are here to stay
- Enterprises are raising expectations on partners and suppliers
- Post-authentication activity in SaaS and cloud may be the clearest blind spot left

The future of security is going to be quieter, more behavioral, more identity-centric – and much more collaborative. Whether the industry is ready or not, the shift
The post RSA 2025 Reflections: The Conversation Beneath the Noise appeared first on RevealSecurity.
The post RSA 2025 Reflections: The Conversation Beneath the Noise appeared first on Security Boulevard.
Talking to Luigi Caramico, Founder, CTO, and Chairman of DataKrypto, a company that’s fundamentally reshaping how we think about encryption.
The post Encrypt AI, Protect Your IP: DataKrypto Tackles the LLM Security Crisis While Redefining What Encryption Should Be appeared first on Security Boulevard.
DeFi Development Corp. has acquired a record 172,670 SOL tokens, reinforcing its digital asset strategy. Discover the impact and future plans.
The post DeFi Development Corp. Buys 172,670 SOL, Hits $100M Treasury appeared first on Security Boulevard.
Hugging Face acquires Pollen Robotics to democratize robotics with open-source designs. Discover how this impacts innovation and accessibility in AI!
The post Hugging Face Acquires Pollen Robotics for Open-Source Reachy 2 appeared first on Security Boulevard.
Following up on last year’s LOLDriver plugin, Tenable Research is releasing detection plugins for the top Remote Monitoring and Management (RMM) tools that attackers have been more frequently leveraging in victim environments.
Background

In August 2024, Tenable Research released a detection plugin for Nessus, Tenable Security Center and Tenable Vulnerability Management to help customers identify risky third-party Windows drivers utilized by attackers for privilege escalation on victim hosts. As part of our continued research into living off the land (LOTL) tooling utilized by attackers, we’re releasing new detection plugins for popular Remote Monitoring and Management (RMM) applications.

Increased risk from RMM tools

IT operations and information security staff often need to remotely connect to machines dozens, perhaps even hundreds, of times per day to troubleshoot a problem or make a system function well. An administrator or support technician must reach a terminal on a server in a datacenter a continent away, or a user’s workstation in their home. As the role of the remote worker has dramatically expanded across organizations over the last 20 years, it has led to the introduction of RMM products in enterprise environments.
The architecture of these products is fairly straightforward: a listener on the user’s machine, often referred to as an agent, host, or server, and an application to connect to, and control, the machine, often referred to as a viewer or client. In many cases this connection is facilitated by a proxy system, which maintains an inventory of the available machines in the environment, allowing an administrator to select one from a list, use stored credentials and track the health of the listeners. This proxy system might be on-premises, in the cloud, or hosted by the RMM vendor as a SaaS application.
[Figure: RMM architecture (agent, viewer and proxy). Source: Tenable, May 2025]

While these tools may sound handy, attackers also know that these tools are present. They can use them for direct graphical control of a victim’s machines, often at a privilege level that is elevated by design. So, how do attackers get their hands on such a valuable resource?

Attack scenarios for RMM tools

There are several ways an attacker can obtain access to an organization’s RMM tools:

And, of course, attackers with sufficient privileges can simply deploy an RMM tool of their choice on a compromised asset, allowing them to achieve persistence and remote command and control. The nature of modern RMM tool design allows attackers, in some cases, to monitor and control an asset without formally installing a software package, which might otherwise trigger an alert to the organization’s security team.

Defensive strategies for unauthorized RMM tool use

A mature security program will update the organization’s protective, monitoring and response approach to address the risk presented by RMM tools. Some of these strategies include:
Tenable has several existing plugins that can detect several different varieties of RMM tools. These include:
Tenable is also releasing a number of Nessus plugins to detect many commonly used commercial and open source RMM or Remote Access Tool products:
Product: Plugins
TeamViewer: 52715, 206009, 105111, 121245
RemotePC: 232745, 232746, 232747
Pritunl: 232836, 232837, 232838, 232839
Google Chrome Remote Desktop: 232692, 232693, 232694
Duet Display: 232296, 232295
Connectwise ScreenConnect: 192391, 190883, 190894
Apache Guacamole: 232291
JumpDesktop: 232297, 232298
TSplus Remote Access: 232591
AnyViewer: 232316, 232315
Parsec Remote Access: 232649, 232651, 232650
VNC Connect: 232582, 232580, 232581
Termius: 232292, 232293, 232294
LogMeIn: 232654, 122754
GoodAccess: 233552, 233553, 233554
ISL Light: 232853, 232854, 232855
OpenVPN: 154346, 191048, 125356, 56022, 107073, 232856, 232857
NoMachine Remote Access: 233323, 233324, 233325
RustDesk Remote Desktop: 233292, 233291, 233288, 233289, 233290
Remote Utilities: 233555, 233556, 233557
WinGate: 234718
AirDroid: 233774, 233775, 233776
AnyDesk: 189953, 189955, 189973

There are also Nessus Web App Scanning plugins for many of these applications, which can help detect the applications’ web UI when detecting the service locally isn’t an option.
A new scan template, Remote Monitoring and Management, has been created in Tenable Nessus to check for this set of RMM products. Customers can use the scan template to ensure that the instances they find are authorized for use in the organization. It is strongly recommended to scan with credentials, so that more exhaustive searches for these products can be performed.
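The reconciliation step described above (finding RMM instances, then checking which ones are authorized) as an added example, not Tenable's code: it parses a constructed export in the shape of a .nessus file, maps hits to products using plugin IDs from the table above, and reports anything outside an assumed allowlist.

```python
"""Reconcile Nessus RMM detections against an allowlist of authorized tools."""
import xml.etree.ElementTree as ET

# Plugin ID -> product, taken from the plugin table in the article above
# (subset shown; the remaining rows map the same way).
RMM_PLUGINS = {
    "52715": "TeamViewer", "206009": "TeamViewer",
    "105111": "TeamViewer", "121245": "TeamViewer",
    "189953": "AnyDesk", "189955": "AnyDesk", "189973": "AnyDesk",
    "192391": "Connectwise ScreenConnect", "190883": "Connectwise ScreenConnect",
    "190894": "Connectwise ScreenConnect",
    "233292": "RustDesk Remote Desktop", "233291": "RustDesk Remote Desktop",
    "233288": "RustDesk Remote Desktop", "233289": "RustDesk Remote Desktop",
    "233290": "RustDesk Remote Desktop",
}

# Constructed sample in the shape of a .nessus (NessusClientData_v2) export:
# each ReportHost carries ReportItem elements keyed by pluginID.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="rmm-scan">
<ReportHost name="ws-finance-01">
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="52715" pluginName="TeamViewer Installed" pluginFamily="Windows"/>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="189953" pluginName="AnyDesk Installed" pluginFamily="Windows"/>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings"/>
</ReportHost>
<ReportHost name="srv-db-02">
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="233292" pluginName="RustDesk Installed" pluginFamily="Windows"/>
</ReportHost>
</Report></NessusClientData_v2>"""


def rmm_findings(nessus_xml: str) -> dict[str, set[str]]:
    """Map each scanned host to the set of RMM products Nessus detected on it."""
    root = ET.fromstring(nessus_xml)
    found: dict[str, set[str]] = {}
    for host in root.iter("ReportHost"):
        products = {
            RMM_PLUGINS[item.get("pluginID")]
            for item in host.iter("ReportItem")
            if item.get("pluginID") in RMM_PLUGINS  # ignore non-RMM plugins
        }
        if products:
            found[host.get("name")] = products
    return found


def unauthorized_rmm(nessus_xml: str, authorized: set[str]) -> dict[str, set[str]]:
    """Return only the products per host that are not on the authorized list."""
    return {
        host: extra
        for host, products in rmm_findings(nessus_xml).items()
        if (extra := products - authorized)
    }


if __name__ == "__main__":
    # Assumed policy for the example: TeamViewer is the only sanctioned RMM tool.
    for host, tools in unauthorized_rmm(SAMPLE_NESSUS, {"TeamViewer"}).items():
        print(f"{host}: unauthorized RMM tools -> {sorted(tools)}")
```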
Future development

IT operations and support teams will continue to rely on RMM tools for productivity benefits even as attackers increasingly exploit them. Tenable anticipates that new RMM solutions will emerge and major systems management suites will further integrate remote-control capabilities directly into their platforms.
Meanwhile, vulnerability and threat intelligence researchers will keep their focus on the tools, identifying weaknesses and opportunities for exploitation as well as attacker-usage of such tools. As additional vulnerabilities are discovered and new threat intelligence reports reveal usage of new and existing tools, Tenable plans to publish detection and vulnerability plugins to find them. Given this growing space, organizations must remain vigilant, ensuring continuous monitoring, timely patching and strong security practices around RMM tools.
The post Detecting Remote Monitoring and Management Tools Used by Attackers appeared first on Security Boulevard.
Authors/Presenters: Krity Kharbanda, Harini Ramprasad
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events at the Tuscany Suites & Casino, and via the organization’s YouTube channel.
The post BSidesLV24 – Proving Ground – Demystifying SBOMs: Strengthening Cybersecurity Defenses appeared first on Security Boulevard.
Articles related to cyber risk quantification, cyber risk management, and cyber resilience.
The post Understanding the Total Cost of Ownership of CRQ | Kovrr appeared first on Security Boulevard.
CrowdStrike introduced several enhancements to its Falcon cybersecurity platform and Falcon Next-Gen SIEM at the RSA Conference 2025, highlighting artificial intelligence, managed threat hunting and operational efficiencies aimed at transforming modern Security Operations Centers (SOC).
The post Security Gamechangers: CrowdStrike’s AI-Native SOC & Next Gen SIEM Take Center Stage at RSAC 2025 appeared first on Security Boulevard.
Long lists of firewall rules can lead to misaligned and inconsistent policies, creating gaps in your security perimeter for threat actors to exploit.
The post Firewall Rule Bloat: The Problem and How AI can Solve it appeared first on Security Boulevard.
Security teams can analyze live network traffic, an approach also known as network detection and response, and be more proactive in detecting the warning signs of an impending breach.
The post Cybersecurity’s Early Warning System: How Live Network Traffic Analysis Detects The ‘Shock Wave’ Before the Breach ‘Tsunami’ appeared first on Security Boulevard.
This critical shift of social media apps becoming “mission-critical” everything apps requires a different approach when it comes to resiliency.
The post Ensuring High Availability and Resilience in the ‘Everything App’ Era appeared first on Security Boulevard.
The passage of the CA/Browser Forum ballot to reduce the maximum certificate lifespan to 47 days represents a natural and anticipated progression in the industry’s ongoing effort to enhance security and streamline certificate management. This move, while significant, is neither surprising nor disruptive to those who have been following the industry’s trajectory over the past decade. Rather, it is a continuation of a well-documented trend toward shorter certificate lifetimes - a trend that has consistently aligned with the need for improved security, agility, and automation.
The post The 47-day update: an expected evolution in digital security appeared first on Security Boulevard.
Join hosts Tom Eston, Scott Wright, and Kevin Johnson in a special best-of episode of the Shared Security Podcast. Travel back to 2009 with the second-ever episode featuring discussions on early Facebook bugs, cross-site scripting vulnerabilities, and a pivotal Canadian privacy ruling involving Facebook. Gain insights into social media security from the past and see […]
The post Facebook Flaws and Privacy Laws: A Journey into Early Social Media Security from 2009 appeared first on Shared Security Podcast.
The post Facebook Flaws and Privacy Laws: A Journey into Early Social Media Security from 2009 appeared first on Security Boulevard.
Can Streamlined Secrets Management Enhance Stability? Secrets management can be likened to a well-kept vault of confidential data, critical to the security and performance of any system. Where data breaches are prevalent, effective secrets management is vital. Such a strong stance on security underscores the necessity for Non-Human Identities (NHIs) and their secrets to be […]
The post Achieve Stability with Streamlined Secrets Management appeared first on Entro.
The post Achieve Stability with Streamlined Secrets Management appeared first on Security Boulevard.
Are Your Investments in Cloud-Native NHIs Justified? A new hero has emerged, capable of handling complex security threats to cloud. Meet Non-Human Identities (NHIs), the machine identities that have revolutionized cybersecurity operations. Understanding the Essential Role of Non-Human Identities NHIs, the unsung heroes in the cybersecurity ecosystem, play a vital role in maintaining security, particularly. […]
The post Justify Your Investment in Cloud-Native NHIs appeared first on Entro.
The post Justify Your Investment in Cloud-Native NHIs appeared first on Security Boulevard.
Author/Presenter: Michelle Eggers
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events at the Tuscany Suites & Casino, and via the organization’s YouTube channel.
The post BSidesLV24 – Proving Ground – The Immortal Retrofuturism Of Mainframe Computers And How To Keep Them Safe appeared first on Security Boulevard.
Has the notorious LockBit ransomware gang finally met its end? In a shocking turn of events, LockBit, one of the most notorious ransomware groups, has had its own site defaced and a massive amount of data dumped. LockBit’s own leak site was defaced with a bold message: “Do not crime. Crime is bad.” Alongside that, […]
The post Did LockBit Just Get Locked Out? The Walmart of Ransomware’s Massive Leak appeared first on Security Boulevard.
Most governments struggle with replacing legacy systems for a variety of reasons. But some people claim legacy mainframes can be just as secure as modern ones. So how big is the legacy cyber threat?
The post The Legacy Cyber Threat: Why We Must Prioritize Modernization appeared first on Security Boulevard.
Taking the Helm: The Essential Elements of Non-Human Identities and Secrets Security Management Are we doing enough to safeguard our digital assets? We cannot overlook the strategic importance of Non-Human Identities (NHIs) and Secrets Security Management. This pivotal methodology closes the widening security gaps that persist between R&D and the security teams, enhancing cloud security […]
The post Driving Innovation with Enhanced NHIDR Capabilities appeared first on Entro.
The post Driving Innovation with Enhanced NHIDR Capabilities appeared first on Security Boulevard.