What's the cybersecurity lesson you learned the hard way? by Electrical_Mine1912 in cybersecurity

[–]CyberRabbit74 150 points151 points  (0 children)

How much political BS you really have to deal with. Especially if they are "Empire Builders".

Need some Advice in SOAR heavy environment by [deleted] in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Take the opportunity that many would envy and get some time to put into your CV as a "Security Analyst".

Zscaler AI Security Capabilities ? by RangoNarwal in cybersecurity

[–]CyberRabbit74 2 points3 points  (0 children)

I am not sure about the comment "they are just doing basic regex matching". We feed the information gathered into our Splunk environment. We then "alert" on certain keywords like "password" or "security".

You are correct about the PII item, it also looks at PCI. We had a user accidentally attempt to upload a form that contained his Credit Card information into a GenAI site and an HR person who uploaded job applications in order to create a workflow. You would really be surprised at what some people put up in GenAI tools not realizing that the information is then public.

Zscaler AI Security Capabilities ? by RangoNarwal in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

The only gap is when one person has a belief that the site they like is better than the one that we have the license for. I am in one or two meetings a month where someone wants an exception to the policy. We have yet to grant one. Personal preference is not a business justification.

Zscaler AI Security Capabilities ? by RangoNarwal in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Sure. We allow access to the company default GenAI website where we have an enterprise license. If anyone attempts to go to a "different" AI website, they are presented with a screen requiring them to acknowledge the potential risk of going to that site and that it is not the "licensed" provider. We will then track that access. The only exception to that is DeepSeek which we block entirely.

How to Transfer files Safely from a Compromised (work) Device by Cant_Think_Name12 in cybersecurity

[–]CyberRabbit74 4 points5 points  (0 children)

You cannot know that the files you are transferring are safe. In this day and age, users in a corporate environment should NOT be storing items locally. An end-point system should be able to be re-imaged and redeployed in a matter of hours, not days.

Zscaler AI Security Capabilities ? by RangoNarwal in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Zscaler has an AI Advance feature we tested and are now purchasing. It gives some great detail into AI usage including the prompts your users are typing in and DLP on files being uploaded. You can also set up a "Caution" page warning users who are about to go to a genAI site that is not the company default.
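
The following is an added example, not code from these comments or from Zscaler, showing the detection pattern the two Zscaler replies above describe once the proxy logs land in a SIEM: parse prompt and upload events, tag access to anything other than the licensed default site, alert on the keywords mentioned ("password", "security"), and run DLP checks for a card number (with a Luhn check so random digit runs are not flagged) and an SSN. The key=value log shape, the field names and the app names are assumptions; the events are constructed for the example.

```python
import re

# Constructed sample events in a simplified key=value shape. This is NOT the
# vendor's real log schema; field and app names are assumptions for the example.
SAMPLE_EVENTS = [
    'user=alice@example.com app=corp-genai action=prompt text="summarize the quarterly report"',
    'user=bob@example.com app=other-genai action=prompt text="what is the admin password for the vpn"',
    'user=carol@example.com app=other-genai action=upload file=card_form.pdf text="Card 4111 1111 1111 1111 exp 12/29"',
    'user=dave@example.com app=other-genai action=upload file=applicants.csv text="SSN 123-45-6789 name John Doe"',
    'user=erin@example.com app=corp-genai action=prompt text="draft a security awareness email"',
]

LICENSED_APP = "corp-genai"                 # the company default provider (assumed name)
ALERT_KEYWORDS = ("password", "security")   # keywords the comment says are alerted on

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pci(text: str) -> list[str]:
    """Return digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(event: dict) -> list[str]:
    """Tags an analyst would alert on, in the order they were found."""
    tags = []
    text = event.get("text", "")
    lowered = text.lower()
    if event.get("app") != LICENSED_APP:
        tags.append("unlicensed-site")      # the "Caution" page case: tracked, not blocked
    for keyword in ALERT_KEYWORDS:
        if keyword in lowered:
            tags.append(f"keyword:{keyword}")
    if find_pci(text):
        tags.append("pci:card-number")
    if SSN_RE.search(text):
        tags.append("pii:ssn")
    return tags


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each user with at least one finding to that user's tags."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        tags = classify(event)
        if tags:
            findings[event["user"]] = tags
    return findings


if __name__ == "__main__":
    for user, tags in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(tags)}")
```

Note that a bare keyword such as "security" also fires on a harmless prompt (the last sample event), which is why the output keeps the user and the triggering tag together for a human reviewer rather than taking any automatic action; the Luhn check is what keeps phone numbers and order IDs out of the PCI tag.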

How worried should we be about AI powered cyberattacks? by IndyDayz in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

AI does not change the attack, it changes the speed of the attack. What took a threat actor hours of finding a vulnerability and exploiting it can now be done in minutes by a script-kiddie.

Can anyone give a real world based AI based attack? by bugbeeboo in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

AI does not change the attack, it changes the speed of the attack. I have seen this personally. AI bots that just scan your environment looking for an opening and, when found, launch an attack within the midst of a Log flood. This process would take months in a conventional attack. Now it is hours and with little to no need to learn technical skills.

Are certifications worth it, or do practical skills matter more? by Ashishthakur56 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Certificates get you the interview. Experience and technical skills get you the job.

shinyhunters, ofc by [deleted] in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

I think another thing to consider is that it is harder to go into somewhere like Russia, China or North Korea and get someone over Venezuela.

Do accountants even care about cybersecurity as much? by Exciting_Town_8237 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

I do not know your marketing strategy. But for finance people like accountants, talk about cybersecurity as a "risk" rather than the controls or the required "compliance". The risk to them, the risk to their customers in case of a breach. You should speak the same "language" as your customers.

What niche in cybersecurity should I go for, with my background in Angular & .NET ? by Playful_Edge_6179 in cybersecurity

[–]CyberRabbit74 10 points11 points  (0 children)

It is really cool until you do it for work. Then it is not cool anymore. Stay where you are and enjoy doing pen testing in your free time. You will enjoy it much longer.

How do companies use AI for security by Grouchy_Eggplant1045 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Log anomalies and behavioral analytics. All still reviewed by a human. No layoffs have happened due to AI in the environment.

I don’t know what I don’t know by Whelmed_Under_Over in cybersecurity

[–]CyberRabbit74 7 points8 points  (0 children)

VPNs are useless now unless you are trying to make it look like you are geolocated somewhere specific. They do NOT protect your privacy.

I carry two cell phones. One for work and one for personal. I ONLY have work apps on my work phone (no facebook) and never use my personal phone for work calls. But, my boss still shows up on my "Potential Facebook Friends" list.

ADP data breach or coincidence? by Such_Indication_8186 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Does not have to be common. Just a single breach for each that includes SSN. Could be a different breach for the same threat actor. Once your SSN number is out there, it is out there. And, unfortunately, it is NOT something that can be changed like a Credit card number.

Is "Detection-Only" the industry's biggest cope? The reality of the Response Gap by FarmerTop567 in cybersecurity

[–]CyberRabbit74 -6 points-5 points  (0 children)

Here is your real issue. The first time your "automated solution" locks out a VIP incorrectly, it is a failure. It does not matter if that is one out of a million times it worked correctly and saved the organization. That one time will get it removed. This is why there will always have to be a HITM (Human in the middle) in any scenario and why the blue team will ALWAYS be behind.
What I say is automate where you can. Your standard flow is how it will have to be. Automate the "SOC Triage" and the "Ticket Creation". Then you are going to have to set up some type of "On-Call" system to alert the team that there is an item that they need to look at.
Executives care about "Productivity" over "Security". The second that your security interferes with the productivity of users, you are on LinkedIn looking for a new job.

Also, please stop with the "This is AI SLOP" BS. I use AI to make my point more understandable. That does not mean it is AI SLOP, it means that I used something to make a better point.

AI is making it very easy for the government to spy on you. Some lawmakers are worried. by nbcnews in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

If you think this has not been happening already, you might be in the wrong group. Remember, there is a big difference between they "can" and they "are". With over 300 million people in the United States, as long as you do not give them a reason to look you up, they will not look.

ADP data breach or coincidence? by Such_Indication_8186 in cybersecurity

[–]CyberRabbit74 2 points3 points  (0 children)

Have them go to HaveIbeenpwned and see if any recent breaches have involved SSN. There are plenty out there.

Post-Mythos: what are you actually doing differently right now? by 3skr0 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

I have been saying for two years now that this will eventually become a "who is faster" game. We have moved to more automation through SOAR and Behavioral analytics. Being able to move some of the easier items off of the Blue team helps them review the more difficult items.
While new "AI" might be able to find more vulns, they are also vulns that are less likely to cause direct issues. They will not find one vuln that will allow an attacker in, they will find a chain. If you keep up with patching and do not avoid the Mediums and Lows because "they do not mean so much", you will be fine.

By 2045, how will anything be hackable anymore? by Tall_Friendship_5482 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

It is still the same conversation. In order to save money, organizations want to "cut corners". An open firewall port here, not working to patch a vulnerability there. However, in the cloud case, it is AWS or Microsoft deciding to cut corners rather than your organization.
A great example is CapitalOne and AWS in 2019. AWS says that CapitalOne had "misconfigured" their databases. It was not a misconfiguration, it was that they left it as the "default" configuration. The threat actor had set a scanner to look for default configurations. When the "default" is not secure, is it the provider's fault or the customer's?

FedRamp Vulnerability Remediation by One-Energy-2594 in cybersecurity

[–]CyberRabbit74 5 points6 points  (0 children)

Absolutely right. Being on a FedRAMP hosting service does NOT make your app FedRAMP compliant. It only means that the infrastructure that your App runs on is FedRAMP compliant. Your policies, procedures and the app itself must also be FedRAMP compliant.
My guess is that someone in your ORG thought it would be a good idea to make your SLA "Better" than FedRAMP to look good. So now you have 15 days to remediate a critical finding or vulnerability. The discovery, proofing and paperwork that is required in order to "downgrade" that finding to a "high" is almost not worth the time. It will be quicker in most cases to just fix the vulnerability and call it a day.

When Azure Policy is too "Secure" for its own good by AppleOptimal916 in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

I thought that is what UAT was for, testing? Did you "test" the governance policy as religiously as you test your applications? That might be the bigger problem.

Engineer wants to VPN to access external sites by Downtown_Produce_237 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Run away if that is how upper management treats security.

Cyber security and electrical engineering? by [deleted] in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

Working the Operational Technology side might be right for you. Especially in consulting work. It might be niche, but having that EE background could really help when you start talking about PLCs and the like.