LMG Security

@LMGsecurity@infosec.exchange
LMG Security is an internationally recognized leader in cybersecurity. We are a full-service consulting firm, delivering proactive cybersecurity solutions, advisory and compliance services, penetration testing, training, and more. The LMG Security team has published game-changing cybersecurity research, written books on ransomware, data breaches and network forensics, and routinely speaks or trains at Black Hat, RSA, and many other security conferences. With a wide range of clients, including government agencies, financial institutions, health care organizations, law firms, academia, Fortune 500 companies and more, the LMG Security team has also had their expertise noted on the TODAY show and in The New York Times. Visit us at www.LMGsecurity.com for more information.
Website: www.LMGsecurity.com
Cybersecurity services: Penetration testing, advisory, solutions & training.
Blog: www.LMGsecurity.com/blog
Tip sheets: www.LMGsecurity.com/LMG-resources
Events & webinars: www.LMGsecurity.com/events
Videos: www.youtube.com/@LMGsecurity

New NIST Zero Trust Guidance Alert!

Looking to implement zero-trust architecture (ZTA) but unsure where to start? NIST just released SP 1800-35, offering 19 real-world examples of zero-trust implementations using commercial, off-the-shelf tech.

Built with 24 industry collaborators over four years, this detailed playbook bridges the gap between theory and practice.

Key takeaways for your organization:
• Map your ZTA to the NIST Cybersecurity Framework
• Start with what you have — identify existing tech
• Roll out incrementally: identity, MFA, access controls
• Validate and monitor continuously
• Treat ZTA as a journey, not a one-and-done project

Read the article for advice on your zero-trust journey: https://www.darkreading.com/endpoint-security/nist-outlines-real-world-zero-trust-examples

#ZeroTrust #Cybersecurity #NIST #ZTA #Infosec #ZTArchitecture #SP1800_35 #ContinuousSecurity #IdentitySecurity #LeastPrivilege #Cybersecurity #Infosec #IT #Riskmanagement

New AI Security Risk Uncovered in Microsoft 365 Copilot

A zero-click vulnerability has been discovered in Microsoft 365 Copilot—exposing sensitive data without any user interaction. This flaw could allow attackers to silently extract corporate data using AI-integrated tools.

If your organization is adopting AI in productivity platforms, it’s time to get serious about AI risk management:
• Conduct a Copilot risk assessment
• Monitor prompt histories and output
• Limit exposure of sensitive data to AI tools
• Update your incident response plan for AI-based threats

AI can boost productivity, but it also opens new doors for attackers. Make sure your cybersecurity program keeps up. Contact our LMG Security team if you need a risk assessment or help with AI policy development.

Read the article: https://www.bleepingcomputer.com/news/security/zero-click-ai-data-leak-flaw-uncovered-in-microsoft-365-copilot/

#AISecurity #Microsoft365 #Copilot #ZeroClick #DataLeak #CyberRisk #LMGSecurity #AItools #ShadowAI #Cybersecurity #RiskManagement #SMB #CEO #CISO #Infosec #IT

Zero-click AI data leak flaw uncovered in Microsoft 365 Copilot

A new attack dubbed 'EchoLeak' is the first known zero-click AI vulnerability that enables attackers to exfiltrate sensitive data from Microsoft 365 Copilot from a user's context without interaction.

BleepingComputer

Ever wonder how hackers really get in?

We sat down with LMG Security’s Penetration Testing Manager, @tompohl, to get penetration tester secrets from the front lines. From overlooked credentials to forgotten assets, these are the weak spots attackers love—and how to fix them.

We'll cover:

• The top entry points that attackers exploit
• Real-life examples from professional penetration testers
• Actionable tips to eliminate common network vulnerabilities

Don’t miss this behind-the-scenes breakdown: https://www.lmgsecurity.com/penetration-tester-secrets-how-hackers-really-get-in/

#PenetrationTester #Cybersecurity #NetworkSecurity #EthicalHacking #CISO #DFIR #Infosec #RedTeam #Pentesting

Penetration Tester Secrets: How Hackers Really Get In | LMG Security

Discover real-world penetration tester secrets in this insider’s guide to how hackers break into networks. Learn common vulnerabilities and how to defend your organization.

LMG Security

Non-Human Identities: The Hidden Risk in Your Stack

Non-human identities (NHIs)—like API keys, service accounts, and OAuth tokens—now outnumber human accounts in many enterprises. But are you managing them securely? With 46% of organizations reporting compromises of NHI credentials just this year, it’s clear: these powerful, often-overlooked accounts are the next cybersecurity frontier.

Read The Hacker News article for more details: https://thehackernews.com/2025/06/the-hidden-threat-in-your-stack-why-non.html

#IdentitySecurity #CyberRisk #APIsecurity #NHIs #DevSecOps #IAM #CISO #Cybersecurity #MachineIdentities #ZeroTrust #RiskManagement #Infosec #IT #ITsecurity

The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier

46% of firms faced non-human identity breaches last year, risking automation security. Managing NHIs is now critical for enterprise protection.

The Hacker News

Retail breaches are back — and they’ve evolved.

It’s not just about stolen credit cards anymore. In this new episode of Cyberside Chats, @sherridavidoff and @MDurrin dig into the latest wave of retail cyberattacks — from ransomware shutting down pharmacies to credential stuffing hitting brand loyalty programs.

We'll cover:
• Why names, emails, and access tokens are now prime targets
• How third-party SaaS tools are exposing retailers
• The #1 priority for securing customer-facing systems
• What every organization can learn from the 2013 “Retailgeddon”
• Why testing your incident response plan for downtime is a must

🎥 Watch the video: https://ow.ly/C2iQ50W6ueV
🎧 Listen to the podcast: https://ow.ly/FSnI50W6ueW

#Cybersecurity #RetailBreach #CybersideChats #Ransomware #CredentialStuffing #ThirdPartyRisk #IncidentResponse #InfoSec #RetailSecurity #Cyberattacks #Retail

Windows Admins—Don’t Delete That Empty inetpub Folder!

Microsoft has released a PowerShell script to restore the C:\inetpub folder created by the April 2025 security update after many users mistakenly deleted it, not realizing it plays a critical role in mitigating a high-severity privilege escalation vulnerability (CVE-2025-21204).

This seemingly empty folder helps protect against attackers escalating privileges using symbolic link abuse, and deleting it can leave your organization vulnerable. If you have already deleted it, Microsoft has a restoration script.

Read the details: https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-restore-inetpub-folder-you-shouldnt-delete/

#WindowsSecurity #PowerShell #CVE202521204 #PrivilegeEscalation #PatchManagement #Cybersecurity #ITAdmin #Microsoft #CISO #Infosec #IT

Microsoft shares script to restore inetpub folder you shouldn’t delete

Microsoft has released a PowerShell script to help restore an empty 'inetpub' folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability.

BleepingComputer

AI is the new attack surface—are you ready?

From shadow AI to deepfake-driven threats, attackers are finding creative ways to exploit your organization’s AI tools, often without you realizing it.

Watch our new 3-minute video, How Attackers Target Your Company’s AI Tools, for advice on:

▪️ The rise of shadow AI (yes, your team is probably using it!)
▪️ Real-world examples of AI misconfigurations and account takeovers
▪️ What to ask vendors about their AI usage
▪️ How to update your incident response plan for deepfakes
▪️ Actionable steps for AI risk assessments and inventories

Don’t let your AI deployment become your biggest security blind spot.

Watch now: https://youtu.be/R9z9A0eTvp0

#AIsecurity #ShadowAI #Deepfakes #AItools #CyberRisk #AI #Cybersecurity #SMB #CEO #IncidentResponse #GenAI #DataPrivacy #Cyberaware #CISO

How Attackers Target Your Company's AI Tools

YouTube

Just released! Our Top Cybersecurity Control selection for Q2 2025 is Continuous Vulnerability Management (CVM).

Why CVM? We’ve analyzed the trends, and today’s threat landscape demands more than periodic scans and reactive fixes. Attackers are exploiting new vulnerabilities within hours, sometimes minutes, of disclosure. You need a program that’s always on, and it’s also becoming a compliance necessity.

Read the analysis on why CVM is the top control for Q2 and how to put it into action: https://www.lmgsecurity.com/why-continuous-vulnerability-management-is-the-top-cybersecurity-control-for-q2-2025/?latest

#Cybersecurity #ContinuousVulnerabilityManagement #VulnerabilityManagement #CVM #RiskManagement #AttackSurface #Infosec #IT #Cyberaware #CISO #Compliance #CyberRisk #Security

Why Continuous Vulnerability Management Is the Top Cybersecurity Control for Q2 2025 | LMG Security

Continuous vulnerability management is critical to combat today's cybersecurity threats. Learn why it's our top control for Q2 2025 and how it can reduce your risk.

LMG Security

Only one week left to register for our next Cyberside Chats Live event! Join us June 11th to discuss what happens when an AI refuses to shut down—or worse, starts blackmailing users to stay online.

These aren’t science fiction scenarios. We’ll dig into two real-world incidents, including a case where OpenAI’s newest model bypassed shutdown scripts and another where Anthropic’s Claude Opus 4 generated blackmail threats in an alarming display of self-preservation.

Join us as we unpack:
▪ What “high-agency behavior” means in cutting-edge AI
▪ How API access can expose unpredictable and dangerous model actions
▪ Why these findings matter now for security teams
▪ What it all means for incident response and digital trust

Stick around for a live Q&A with LMG Security’s experts @sherridavidoff and @MDurrin. This session will challenge the way you think about AI risk!

Register today: https://www.lmgsecurity.com/event/cyberside-chats-live-june2025/

#CybersideChats #AIsecurity #AI #RiskManagement #DFIR #IT #Infosec #Cybersecurity #Security #CyberRisk #CISO #Cyber #Tech #Cyberaware #SMB #CEO

Cyberside Chats: Live! When AI Goes Rogue: Blackmail, Shutdowns, and the Rise of High-Agency Machines | LMG Security

In this quick, high-impact session, we’ll dive into the top three cybersecurity priorities every leader should focus on. From integrating AI into your defenses to tackling deepfake threats and tightening third-party risk management, this discussion will arm you with the insights you need to stay secure in the year ahead.

LMG Security

How do hackers break into your network? Find out from the pros who do it every day!

In this week’s Cyberside Chats, @tompohl, head of penetration testing at LMG Security, joins @sherridavidoff to reveal how his team gains domain admin access in over 90% of tests.

From outdated Active Directory settings to risky legacy protocols, this episode is packed with real-world insights to help you reduce your organization’s risk. We’ll share:

✅ The hidden vulnerabilities attackers love
✅ Tips to harden your infrastructure
✅ What penetration testers see that most defenders miss

🎥 Watch the full episode: https://youtu.be/VEeWkVBDDP8
🎧 Prefer audio? Listen to the podcast: https://www.chatcyberside.com/e/unveiling-the-secrets-of-penetration-testing/?token=6b16f323d00f32474ccfe6a7952ec47a

#cybersecurity #pentesting #penetrationtesting #DFIR #infosec #CybersideChats #CISO #ITSecurity #ActiveDirectory #RiskManagement #SMB #databreach #pentest