Secure Ideas, LLC

Wishing you a fantastic day!

With the holiday right around the corner, we wanted to ask our consultants what advice they’re most thankful for! Do you have any advice that you’re grateful to have received in your life or career journey? Aaron Moss:  Don’t Stop Believing - Journey Jordan Bonagura: If you don’t believe in yourself, nobody will. So keep working on it and just wait and trust! Pablo Vergara: Too many to list, but the two most poignant ones that come to mind are, “Growth happens in the discomfort” - Embrace the challenge of not knowing and risking failure. That’s where success is born. The other is from Master Oogway (Kung Fu Panda): Yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called the present.

Ever feel like you're one mistake away from being "discovered" as a fraud in cybersecurity? You're not alone. Imposter syndrome is real, and it hits many of us in the field. Join Jennifer Shannon on December 12th for a Professionally Evil Webcast where she'll share real stories and practical tips to overcome self-doubt. You'll leave with strategies to combat imposter syndrome and a reminder that even the top experts experience it. Jason Gillam will be hosting. See you there! https://lnkd.in/gKgmafJ8

When deciding whether to outsource penetration testing or keep it in-house, there are a few key factors to think about. First, consider your team’s expertise. Pen testing requires specialized skills and constant knowledge updates. Can your in-house team keep up, or would a dedicated external firm be a better fit? Also, think about your budget and needs. If pen testing isn’t something you need all the time, outsourcing may be more cost-effective than hiring a full-time specialist. Compliance is another big factor, certain certifications might be required, and outsourcing can help meet those needs. Plus, third-party testing can provide an objective perspective, spotting vulnerabilities your team might miss. A hybrid approach, combining in-house talent with occasional outsourced testing, might be the sweet spot for many organizations. Ultimately, it’s about balancing expertise, flexibility, and cost. Use our free security checklist to see if you’re in need of a penetration test! Secure Ideas | Security Checklist https://hubs.la/Q02ZxRb80

We are looking forward to the Professionally Evil Tour of 2025! Hopefully we'll see you at BSides Tampa in May.

As IoT and AI continue to transform healthcare, we’re seeing some major improvements in patient care and efficiency. But with all these connected devices, there’s a huge concern: device security. We've seen plenty of vulnerabilities over the years, from recalls of pacemakers to insulin pumps, all due to hacking risks. That’s where IEEE 2933 comes in. This new standard focuses on making sure medical devices are secure and can safely talk to each other across systems. It’s built around the TIPPSS principles (Trust, Identity, Privacy, Protection, Safety, and Security), designed to keep devices and patient data safe from cyber threats. With hackers getting smarter, it’s no longer optional to think about device security. Healthcare organizations need to adopt standards like IEEE 2933 to protect patient safety and keep systems running smoothly. If you're in healthcare or tech, what do you think of IEEE 2933?

I Fell for It Friday… Now What? Cybersecurity is always evolving, and sometimes you don't realize how easy it is to overlook vulnerabilities in your defense strategy, especially when it feels like there's just too much to keep track of. Here’s the deal: ➜ What happened? With thousands of new vulnerabilities emerging every year, it's impossible for any organization to catch them all. But instead of diving into an endless cycle of patching, it's crucial to focus on the ones that truly matter. Risk-based assessments and regular penetration testing are key to identifying and prioritizing the most critical flaws. ➜ Why is this dangerous? Network intrusions, zero-day vulnerabilities, and ransomware attacks are the biggest threats to organizations today. On the software side, flaws like XSS, misconfigurations, and improper authentication bugs can leave your system wide open for exploitation. And many times, these issues go unnoticed until it’s too late. ➜ What should we do? It’s time to shift the approach. Rather than patching everything blindly, take a step back and assess what’s actually at risk. Resources like Mitre’s CWE Top 25 and OWASP’s Top Ten are great starting points to help you understand the most dangerous software weaknesses. They can guide your efforts in strengthening your security posture in a more focused way. If you're responsible for managing security at your organization, it’s time to re-evaluate. Cyber threats won’t slow down, but with the right approach, you can stay a step ahead. See if your organization may be vulnerable and in need of a penetration test with our free security checklist! Secure Ideas | Security Checklist https://hubs.ly/Q02ZcNjs0

A new version of the Python-based NodeStealer malware is making waves, and it’s targeting Facebook Ad Manager accounts, and stealing credit card info from web browsers. What’s interesting is how the malware has evolved since its first appearance in May 2023, shifting from JavaScript to Python and now focusing on ad accounts and business data, likely to fuel malvertising scams. The updated version uses some pretty sketchy techniques, like hijacking Windows Restart Manager to unlock database files and sending stolen data via Telegram. It even collects budget details and access tokens from Facebook Ad Manager accounts using the Facebook Graph API. It’s also designed to avoid systems in Vietnam, which may point to the likely origin of the attackers. Given how Facebook ads are being used to spread this, it’s a good reminder that even platforms we trust can be weaponized for scams.

Every week, we like to give you insight into who our consultants are outside of their amazing work. This week, let's get a little personal by finding out what the biggest challenge some of our consultants have faced is. Do you relate? Jennifer Shannon: Professionally? I would say developing confidence.  When I first started it sometimes felt like I was the only one lost and confused with certain things.  It also held me back from putting myself out there for talks and presentations because it felt like other people already covered these things better.  I eventually learned to stop comparing myself to others.  I don’t need to be better than anyone else, I just need to be better than I was a year ago. Kathy Collins: Imposter syndrome. After twenty years in a completely different field, understanding it so well, and usually being the expert in the room, the pivot to tech was hard. It’s constant learning, changes, and advancement in this field, so you never feel like the expert, even when you are. Aaron Moss:  Good question.  Working through all the certifications was a huge challenge, but it was super fun at the same time it was frustrating.  I think my BIGGEST challenge is simply learning when to be quiet when I really want to say something. Pablo Vergara: Professional challenge - getting into Cybersecurity (achievement unlocked!) was by far the most challenging given my lack of connections and seemingly zero experience with web app pen testing outside of some labs and practice sites. Fifteen years in QA felt like wasted time only to realize everything I had learned was a set up for where I am today. Personal challenge - these last two years out of work were a turning point. It took the downtime for me to reset, reboot, and recalibrate everything I want to become from here on in.

Welcome to the team David Card!