cybersecurity

This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

26
The original post: /r/cybersecurity by /u/sebby2 on 2025-06-26 07:35:59.

Hello everyone! This may not be the right place but I'm not sure where else to ask.

I recently started using the NIST CVE API (https://nvd.nist.gov/developers/vulnerabilities) to sift through CVEs and noticed that the API is really inconsistent.

Sometimes the API would send fewer vulnerabilities than it reported (i.e. totalVulns != length of actual vulnerabilities), sometimes even none at all or actually broken JSON.

Has anyone else noticed this as well? Is the API really just that broken? What else can I do except just retrying and hoping that it will eventually work? I don't want to spam NIST.
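An added check for exactly the inconsistency described above (my own example code, not NIST's and not from the post): it compares a page's vulnerability count against its own totalResults/startIndex bookkeeping using the documented NVD API 2.0 response keys, treats broken JSON as a failed page, and retries with backoff starting from NVD's published 6 s spacing for unauthenticated requests. The sample payloads are constructed, and the fetch callable is whatever HTTP client you already use.

```python
"""Sanity-check NVD CVE API 2.0 pages. All sample bodies below are constructed."""
import json
import time
from typing import Callable

# Constructed bodies using the documented NVD 2.0 keys: a consistent page,
# a page missing one of the two entries it promises, and broken JSON.
SAMPLE_OK = ('{"resultsPerPage": 2, "startIndex": 0, "totalResults": 2, '
             '"vulnerabilities": [{"cve": {"id": "CVE-0000-0001"}}, '
             '{"cve": {"id": "CVE-0000-0002"}}]}')
SAMPLE_SHORT = ('{"resultsPerPage": 2, "startIndex": 0, "totalResults": 2, '
                '"vulnerabilities": [{"cve": {"id": "CVE-0000-0001"}}]}')
SAMPLE_BROKEN = '{"resultsPerPage": 2, "startIndex": 0, "totalResults"'


def check_page(body: str, requested: int = 2000) -> str:
    """Return "" if the page is usable, otherwise a short reason it is not.
    `requested` is the resultsPerPage you asked for (NVD caps it at 2000); it
    comes from the caller, so a truncated page cannot vouch for itself."""
    try:
        page = json.loads(body)
    except json.JSONDecodeError as exc:
        return f"broken JSON: {exc}"
    for key in ("resultsPerPage", "startIndex", "totalResults", "vulnerabilities"):
        if key not in page:
            return f"missing field {key!r}"
    got = len(page["vulnerabilities"])
    remaining = max(page["totalResults"] - page["startIndex"], 0)
    expected = min(requested, remaining)  # a short page is only legal at the end
    if got != expected:
        return f"expected {expected} vulnerabilities, got {got}"
    return ""


def fetch_valid_page(fetch: Callable[[], str], requested: int = 2000, retries: int = 3,
                     delay: float = 6.0, sleep: Callable[[float], None] = time.sleep):
    """Call fetch() until a page validates, doubling the pause after each failure.
    6 s is NVD's published spacing for unauthenticated requests; backing off from
    there keeps a flaky client from hammering the service. Returns None on give-up."""
    for attempt in range(retries):
        body = fetch()
        if not check_page(body, requested):
            return json.loads(body)
        if attempt + 1 < retries:
            sleep(delay * 2 ** attempt)
    return None
```

When fetch_valid_page gives up, resume later from the same startIndex rather than restarting the whole crawl.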

27
 
 
The original post: /r/cybersecurity by /u/tekz on 2025-06-26 06:33:17.
28
 
 
The original post: /r/cybersecurity by /u/BeNiceToYerMom on 2025-06-26 06:26:30.

Hey all,

I’m helping a very small investment firm with their security. They fall under the mandate of the SEC’s cyber compliance regime. Upon investigation, I found woefully little prescriptive guidance from the SEC about how to satisfy an SEC cyber audit. It’s almost as if the guidance is, “Get secure. If we audit you, you’ll find out whether you made the right choices.”

I’m a big fan of CIS 18 for small businesses. Is it appropriate to help this firm get compliant with IG1 as a way to satisfy an SEC audit if one ever occurs?

29
 
 
The original post: /r/cybersecurity by /u/shrewd-afternoon-tea on 2025-06-26 03:53:38.

Hello Cybersecurity community! I hope this message finds you well. I am a new cybersecurity professional who completed the Google Cybersecurity Professional Certificate program and passed the CompTIA Security+ CE exam. Since then, I’ve been working on strengthening my understanding of cybersecurity by reviewing core concepts, learning new materials, and improving my skills through labs and exercises, all while searching for a job.

Like many others in the industry, I have networked and applied to hundreds of positions, from internships and entry-level security roles to help desk positions, none of which have been fruitful. Recently, however, I was offered and accepted a part-time position as a bookkeeper for a small company that is still in its early stages. The company does not have many employees, and they lack an IT or security team. I am therefore considering offering to take on a cybersecurity role and perform related tasks on the days I’m not working as a bookkeeper.

I am aware that this scenario is far from ideal; I have no real-life experience and I would be the only security professional for the business. I know that this will come with significant challenges and risks. However, I believe that difficult experiences are oftentimes the best places to learn from, and some of the most powerful growth happens when we’re pushed/forced to be resourceful and effective. I love learning, I love challenges, and I am highly motivated. However, before taking such a step, I want to seek advice from seasoned professionals: Would you advise against this?

I have genuinely fallen in love with the security world. I find cybersecurity fascinating, thrilling, rewarding, and intellectually stimulating. I even have fun writing security reports! I am determined not to give up on my dream of being a security professional and contributing towards the protection of people, assets, and businesses. However, the well-being of the company, its employees, and customers is the priority. If stepping into a cybersecurity role in this situation could potentially cause more harm than good, I am willing to hold off and seek experience in another way.

Thank you very much for reading and for any guidance you can offer. I sincerely appreciate it.

30
 
 
The original post: /r/cybersecurity by /u/Different-Car6898 on 2025-06-25 11:44:00.

Hello fellow cyber security experts!

My company is currently in the process of acquiring ISO 27001 certification. We are using compliance software, and while doing Vendor Discovery, we got a match on around 300 small apps (max 3 accounts each), where the account was created using the Google Workspace work email.

Accounts include: Facebook, Instagram, YouTube, Spotify, some free online PDF managers, some quick post or image editors etc.

How am I supposed to rank these? We do offer training for security best practices, but cannot really monitor people 24/7 and what they do with their laptops. In theory an employee could have uploaded a PDF report with sensitive data to freePDFEditor online or similar... Does that make the tool "high risk"?

Any wisdom on how to tackle situations like this would be appreciated :)

Edit: typo

31
 
 
The original post: /r/cybersecurity by /u/Party_Wolf6604 on 2025-06-25 10:53:52.
32
 
 
The original post: /r/cybersecurity by /u/NudgeSecurity on 2025-06-25 19:48:01.

The reality is traditional security training can be... less than thrilling. What unconventional approaches have actually worked for your team? What have been your most effective tactics for education and awareness?

33
 
 
The original post: /r/cybersecurity by /u/reddrag0n51 on 2025-06-25 18:31:04.

Where do the actually important things happen at BlackHat in Vegas?

Do you actually need a ticket, or is it similar to RSAC where you just hop around the bars and network?

34
 
 
The original post: /r/cybersecurity by /u/fireflymilk on 2025-06-25 18:30:06.

Building out some tabletop exercises for my org and wondering how much effort people put into building their exercises out.

How many hours are you putting in? Do you do multiple a year? If you are doing multiple a year how do you segment it?

35
 
 
The original post: /r/cybersecurity by /u/ZYADWALEED on 2025-06-25 18:10:52.

Hi everyone,

I'm currently working as a SOC engineer and have recently started dealing more with malware.

I can analyze samples and extract IOCs, but when it comes to code-level analysis and reverse engineering, that's where I struggle. Unfortunately, there's no one on my team with strong reversing skills that I can learn from.

I’ve been working on different malware samples and doing my best, but I still feel stuck when it comes to understanding the inner workings of the code.

My goal is to transition from SOC to becoming a full-time malware analyst.

What advice would you give me to improve my reverse engineering skills? Any books, courses, or structured paths you recommend to help me get out of this loop?

Thanks in advance!

36
 
 
The original post: /r/cybersecurity by /u/WaveHacker on 2025-06-25 17:58:20.

I ran across an interesting statistic.

Only about 4.3 million Americans have Secret Clearance and of that, only 1.3 million have Top Secret.

So the question of “who the hell are these companies hiring” popped into my head because these numbers mean not many people have a clearance, let alone in InfoSec.

For example, this number could or could not include Military, and the boat load of the other non-IT/ IS jobs that require clearances to work.

So it begs the question, who are these companies hiring if they are requiring active clearances? Are they just sniping each other's employees? Are they willing to train non-IT/IS people because of the clearance?

Thought a lot of you smart people here could share some of your thoughts & maybe even validate my feelings lol.

Apologies if this has been discussed previously, I did not find the thread.

EDIT: The reason I ask is because in my area, there are nothing but contractors requiring active Secret & TS clearances for most IS roles. If none are willing to sponsor, how and who do they hire all the time?

37
 
 
The original post: /r/cybersecurity by /u/BespokeChaos on 2025-06-25 17:56:42.

I have a friend who is on an IT team for a big medical corporation. They recently had a ransomware attack. Apparently, besides the firewall provided by Aruba and Windows and some strict group policies, the only other system they use is SentinelOne. While I’m studying cybersecurity, I am by no means an expert. He asked if I knew of any vendors they could work with. Besides recommending Tyrol, Huntress and Rubrix (for their supposed backup they check for malware and such), are there any tools and vendors I can recommend?

38
 
 
The original post: /r/cybersecurity by /u/CapnDogWater on 2025-06-25 17:43:49.

I’ve tried combing reviews outside of sites like Gartner and can’t really find anyone who has anything to say about Cloudflare’s Email Gateway or any of their Email Security.

39
 
 
The original post: /r/cybersecurity by /u/FineAssignment1423 on 2025-06-25 17:27:21.

I remember Optiv being THE go to Cybersecurity-related VAR not that long ago.

I recently started researching again to find one, and now everyone seems to despise Optiv and recommend Guidepoint and other VARs. When and why did this happen?

40
 
 
The original post: /r/cybersecurity by /u/Daars- on 2025-06-25 15:11:38.

I'm currently a SOC Analyst II and have received an offer for a SOC Analyst I position. Although it's technically a lower-level role, it comes with a higher salary and a more flexible setup.

Based on the job description/responsibilities I believe I'm overqualified for the role. The workload also appears to be lighter (though that doesn’t matter much—just worth mentioning).

Would you accept this kind of offer if you were in my position, especially if increasing your income was a priority?

41
 
 
The original post: /r/cybersecurity by /u/Desperate_Bath7342 on 2025-06-25 15:06:23.

FAANG version for appsec people

42
 
 
The original post: /r/cybersecurity by /u/ProcedureFar4995 on 2025-06-25 13:07:48.

So basically I have 2.5 years of experience as a penetration tester. I have an offer from an international company working remotely, for a good salary. But the problem is that I probably will be doing all the work alone, and I consider myself mid-level yet.

On the other hand, the other company is hybrid, the team there is considered to be the best in the country and I will learn a lot from them. The salary there is also good, not bad at all, just that the other salary is higher.

I need money, but at this stage of my career I need experience more, which can be provided by the other team members through meetings and review. What is better? Should I go for the higher salary although I know I lack some experience? Or go for knowledge and experience?

43
 
 
The original post: /r/cybersecurity by /u/Malwarebeasts on 2025-06-25 12:50:21.

French authorities arrested five BreachForums hackers, IntelBroker(!!), ShinyHunters(!!), Hollow, Noct, and Depressed, on June 23, 2025, suspected of data breaches targeting Capgemini, Accor, France's Ministry of National Education, LVMH and others. Interestingly it was Scattered Spider that was rumored to be behind the LVMH breaches.

Reports also reveal IntelBroker was apparently arrested on February 22, 2025, a detail undisclosed until now. A major blow to the stolen data marketplace.

Source: https://www.valeursactuelles.com/societe/info-va-les-administrateurs-francais-du-site-de-vente-de-donnees-volees-breachforums-interpelles

44
 
 
The original post: /r/cybersecurity by /u/GiraffeProper3744 on 2025-06-25 12:24:26.

I'm curious as to what you guys think is the easiest way to implement CIS hardening on machines, mainly Windows machines. I've come across a few ways:

  • Intune
  • HardeningKitty
  • Manually building GPOs
  • CIS Build Kits
  • PowerShell scripts on GitHub, etc.

Every one of these has its pros and cons. Obviously the CIS build kits are paid, the PowerShell scripts are mostly outdated/cause issues, Intune only works if you manage devices via Intune (if I'm not mistaken).

The sweet spot is HardeningKitty, I believe. The only issue is it doesn't really separate the fixes into L1 and L2. This could be problematic. I'm curious if there are any other tools/scripts/ways you guys can suggest?

Paid or free, either works. Thanks

45
 
 
The original post: /r/cybersecurity by /u/cyberkite1 on 2025-06-25 03:46:29.

A new vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 or prior versions allows attackers to exploit the installer via binary planting, gaining full SYSTEM-level access. With a working proof-of-concept already published, this raises serious concerns—especially since minimal user interaction is required for the attack.

Why This Matters: The Third-Party App Problem:

Tools like Notepad++ are popular, but they rely on manual updates and often lack hardened security around their installers in my opinion. This is part of a growing trend of vulnerabilities introduced through third-party apps and outdated software that users forget to update—or don’t update in time.

A Better Practice: Use Auto-Updating, Native Tools:

One simple option: minimize the use of third-party apps that don't auto-update. So instead of notepad++ try this:

Windows 11 Notepad: it auto-updates through the Microsoft Store, making it a more secure, low-maintenance option. It now includes tab support and syntax highlighting.

macOS users have TextEdit; although it's limited for programming-related work, it can be useful enough, and AI tools can be used after that.

Both OSes' notepad capabilities can be extended with AI tools like GitHub Copilot, Gemini, Grok & ChatGPT and other programming AI tools.

Alternatively, /r/notepadplusplus could add Notepad++ to Microsoft Store and Apple Mac App Store for auto updating?

I don't know. Will this approach work? What do you think?

To do:

  • Update Notepad++ to v8.8.2 (when it's released, or higher) immediately via the official site: https://notepad-plus-plus.org/
  • Avoid running installers from shared or unsafe directories
  • Reevaluate your toolset and reduce third-party app dependency
  • In small business clients, e.g. 10-20 staff usually without IT: Consider secure, auto-updating OS-native or auto-updating apps as your new default to stay on top of the ever-changing vulnerabilities. Alternatively, premium web-based alternatives.
  • And for larger clients, e.g. over 20 with IT: slow-rolled and pretested auto updates controlled by admins, and ban users from installing anything unless they request it and IT installs it

(CVE-2025-49144): https://nvd.nist.gov/vuln/detail/CVE-2025-49144

Read this alert article on notepad++ vulnerability below: https://cybersecuritynews.com/notepad-vulnerability/

46
 
 
The original post: /r/cybersecurity by /u/m_i_c_h_u on 2025-06-25 11:05:03.

Anyone using Corellium for mobile iOS pentesting? Are there any limitations compared to testing on physical devices?

47
 
 
The original post: /r/cybersecurity by /u/Sweaty_Minimum_7126 on 2025-06-25 10:35:42.
48
 
 
The original post: /r/cybersecurity by /u/zzh315 on 2025-06-25 10:20:20.

I’m currently doing an internship at a small company, and I’ve been asked to set up a phishing simulation using Gophish. However, I’ve encountered several issues when trying to configure the SMTP server:

I initially tried using Brevo and SMTP2Go, but as soon as I attempted to send a test email with a domain set up on their platforms, my account was suspended. Their support teams informed me they have a zero-tolerance policy for any activity resembling phishing—even for ethical simulations.

I then attempted to set up a custom SMTP server on a Google Cloud VPS, but ran into another obstacle: most cloud providers, including Google, block outbound traffic on port 25, which prevented me from sending emails.

Are there any SMTP providers that explicitly support ethical phishing simulations with Gophish?

Thanks for any help!

49
 
 
The original post: /r/cybersecurity by /u/Public-Coat1621 on 2025-06-25 09:18:05.

I am planning to take CRTO, but it uses CS as a C2. In my limited knowledge CS is captured by most AV and EDRs and useless in 2025; can someone correct me? Thanks

50
 
 
The original post: /r/cybersecurity by /u/2hinreza on 2025-06-25 08:08:49.

Hey folks,

My company wants to create a combined vulnerability assessment report by merging data from Nessus and CrowdStrike.

Here’s the challenge:

  • Nessus reports are plugin-based, meaning vulnerabilities are identified and described based on specific plugins.
  • CrowdStrike, on the other hand, reports vulnerabilities using CVE identifiers.

We want to integrate both data sources into a single, simplified report that’s easy to understand and actionable for the security team.

Has anyone done something like this? What’s the best approach or tools you’d recommend for mapping plugin IDs to CVEs or merging these different formats? Any tips on report formats or automation ideas?

Thanks in advance for any insights!
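One way to do the plugin-to-CVE mapping the post asks about, as an added example that is not from the post or from either vendor: Nessus ReportItem elements in a .nessus v2 export carry zero or more <cve> children, so every plugin finding can be re-keyed by host and CVE to line up with CrowdStrike's CVE-based rows, while CVE-less plugins are kept under a plugin key instead of being silently dropped. The XML fragment and the CrowdStrike rows are constructed, and the column names hostname/cve_id/severity are assumptions to adapt to your actual export.

```python
"""Merge Nessus plugin findings with CVE-keyed findings by host and CVE.
NESSUS_XML is a constructed fragment in the shape of a .nessus v2 report; the
CrowdStrike rows and their column names are constructed assumptions."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NESSUS_XML = """<NessusClientData_v2><Report name="demo">
<ReportHost name="web01"><ReportItem port="443" protocol="tcp" severity="3"
 pluginID="100001" pluginName="Example TLS Library Multiple Vulnerabilities">
 <cve>CVE-0000-1111</cve><cve>CVE-0000-2222</cve></ReportItem>
<ReportItem port="0" protocol="tcp" severity="2" pluginID="100002"
 pluginName="Weak SSH Ciphers Enabled"></ReportItem></ReportHost>
<ReportHost name="db01"><ReportItem port="5432" protocol="tcp" severity="4"
 pluginID="100003" pluginName="Example DB Server RCE"><cve>CVE-0000-3333</cve>
</ReportItem></ReportHost></Report></NessusClientData_v2>"""

# Constructed rows: one line per host/CVE, the way a CVE-based tool reports them.
CROWDSTRIKE_ROWS = [
    {"hostname": "web01", "cve_id": "CVE-0000-1111", "severity": "HIGH"},
    {"hostname": "web01", "cve_id": "CVE-0000-4444", "severity": "MEDIUM"},
    {"hostname": "db01", "cve_id": "CVE-0000-3333", "severity": "CRITICAL"},
]

# Nessus severity attribute 0-4 mapped to the wording used in the merged report.
NESSUS_SEVERITY = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH", "4": "CRITICAL"}


def nessus_findings(xml_text):
    """Yield (host, key, title, severity) per CVE; CVE-less plugins keep a plugin key."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            keys = cves or [f"NESSUS-PLUGIN-{item.get('pluginID')}"]
            for key in keys:
                yield (host.get("name"), key, item.get("pluginName"),
                       NESSUS_SEVERITY.get(item.get("severity"), "UNKNOWN"))


def merge(xml_text, cs_rows):
    """Return {(host, key): {...}} with one entry per host/CVE across both tools."""
    merged = defaultdict(lambda: {"sources": set(), "titles": set(), "severity": set()})
    for host, key, title, sev in nessus_findings(xml_text):
        entry = merged[(host, key)]
        entry["sources"].add("nessus"); entry["titles"].add(title); entry["severity"].add(sev)
    for row in cs_rows:
        entry = merged[(row["hostname"], row["cve_id"])]
        entry["sources"].add("crowdstrike"); entry["severity"].add(row["severity"])
    return dict(merged)
```

Entries whose sources set contains only one tool are the interesting rows for the report: they show what each scanner sees that the other does not.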
