RIP CVE program?! Yesterday the internet experienced a pretty wild jump scare: the potential end to MITRE’s CVE program. A leaked letter surfaced that stated funding had dissolved for the program. And that could be absolutely disastrous for this critical software-tracking system that acts as the backbone for cybersecurity. We could regress to the “Wild West” of the pre-CVE days. Fortunately, a last-minute decision to use emergency funding means that the CVE program is safe … for now. But what would happen if it actually does expire? Andrew Bellini breaks it down. We will continue to monitor this situation as new developments emerge.
TCM Security
IT Services and IT Consulting
Charlotte, North Carolina 245,003 followers
A veteran-owned cybersecurity company focused on penetration testing, security training, and compliance.
About us
- Website: https://www.tcm.rocks/certifications
- Industry: IT Services and IT Consulting
- Company size: 11-50 employees
- Headquarters: Charlotte, North Carolina
- Type: Privately Held
- Founded: 2019
Locations
- Primary: Charlotte, North Carolina 28227, US
Employees at TCM Security
- Alexander Tushinsky
- Alex Olsen: Cybersecurity Professional | Content Creator | Penetration Testing | AppSec | Live Hands-on Training | Live Stream Every Wednesday @12ET
- Tim Ku (顧中廷)
- Mark Poitier: Cyber/Security News | B.S. Cyber Security 🎓 | 🔐 CySA+ | Security+ | Network+ | A+ 🛜 | 🤝 Active: Public Trust 🇺🇸
Updates
-
If you want to increase your chances of pentesting success, check out our assortment of courses and certifications: https://tcm.rocks/certs-li
What are the traits you should cultivate to be a successful penetration tester? Here are a few qualities that help people excel in this competitive field!
𝗧𝗵𝗲𝘆 𝗻𝗲𝘃𝗲𝗿 𝘀𝘁𝗼𝗽 𝗹𝗲𝗮𝗿𝗻𝗶𝗻𝗴. Successful pentesters know the security landscape is always changing, and they keep up with it. They take courses, they study for certifications, they participate in live trainings, and they stay on top of the latest in cybersecurity news, so they know what is going on in the industry.
𝗧𝗵𝗲𝘆 𝗮𝗿𝗲 𝗿𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝘁. Failure is often unavoidable in any profession, and pentesting is no different. The best pentesters get up after a fall and don't let it define them.
𝗧𝗵𝗲𝘆 𝗽𝗮𝘆 𝗮𝘁𝘁𝗲𝗻𝘁𝗶𝗼𝗻 𝘁𝗼 𝗱𝗲𝘁𝗮𝗶𝗹. They aren't constantly taking shortcuts or skipping over things out of boredom. Instead, they take their time and consider details that might reveal a serious security vulnerability.
𝗧𝗵𝗲𝘆 𝗮𝗿𝗲 𝗮𝗱𝗮𝗽𝘁𝗮𝗯𝗹𝗲. Penetration testing requires frequent pivoting, and those who really stand out know how to embrace their surroundings and pick up new tools and techniques quickly.
What would you add to this list? Drop your thoughts in the comments!
-
Passwords remain a continual challenge for organizations. As tired as the topic might seem, it remains relevant because so many people miss the mark. (You know right now more than one person out there is using SPRING2025 as their password 𝘳𝘪𝘨𝘩𝘵 𝘯𝘰𝘸.)
Today we're providing a refresher on how your organization can do passwords better. Here are a few best practices to start implementing today:
- 𝗦𝗲𝗹𝗲𝗰𝘁 𝗮 𝗿𝗲𝗽𝘂𝘁𝗮𝗯𝗹𝗲 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗺𝗮𝗻𝗮𝗴𝗲𝗿.
- 𝗖𝗿𝗲𝗮𝘁𝗲 𝗮 𝗿𝗼𝗯𝘂𝘀𝘁 𝗺𝗮𝘀𝘁𝗲𝗿 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱.
- 𝗘𝗻𝗮𝗯𝗹𝗲 𝗺𝘂𝗹𝘁𝗶-𝗳𝗮𝗰𝘁𝗼𝗿 𝗮𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 (𝗠𝗙𝗔).
- 𝗣𝗲𝗿𝗳𝗼𝗿𝗺 𝗿𝗲𝗴𝘂𝗹𝗮𝗿 𝗮𝘂𝗱𝗶𝘁𝘀 𝗮𝗻𝗱 𝘂𝗽𝗱𝗮𝘁𝗲𝘀.
- 𝗦𝘁𝗮𝘆 𝗶𝗻𝗳𝗼𝗿𝗺𝗲𝗱!
This explainer provides some insights into password security, including how to select the best password manager for your needs and what the National Institute of Standards and Technology (NIST) Guidelines define as a secure password.
If you're wondering if your password policy could use a review, reach out to the experts on our team! We offer password auditing services, and we look forward to working with you. https://lnkd.in/gRsKBH9c
-
LIVE: Moose on the loose | CVE | Cybersecurity | AMA
-
Sign up for the waitlist here: https://lnkd.in/gr3k6KQr Even if you missed April's live training, you can join our waitlist and find out when new Instructor Led Trainings are coming up! Like for example, Hacking and Defending Active Directory Live with Heath returns this May. The earlier you can start planning, the better.
-
Looking for some Red Team projects to color your resume? We've got a few ideas for you! We'd love to hear any ideas from the community as well, so leave your thoughts in the comments and let's learn from each other. Remember, we have several courses and certification exams available that will give you an edge. Check out certs like the PNPT, PWPA, and PWPP here: https://lnkd.in/gga_RhdJ
Projects to Start With:
𝗦𝗠𝗕 𝗦𝗵𝗮𝗿𝗲 𝗦𝗰𝗮𝗻𝗻𝗲𝗿 𝗳𝗼𝗿 𝗛𝗮𝗿𝗱-𝗖𝗼𝗱𝗲𝗱 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀 - This project will help you flex your scripting, networking, and error-handling abilities. Kick it up a notch by implementing features like throttling, file size checks, directory traversal limits, and logging capabilities. 🔥
𝗖𝘂𝘀𝘁𝗼𝗺 𝗖𝟮 𝗦𝗲𝗿𝘃𝗲𝗿 - Design a C2 (Command and Control) server and then be sure to fortify, integrate robust authentication measures, and then design it to serve files or to catch reverse shells. 🔨
𝗕𝘂𝗿𝗽 𝗦𝘂𝗶𝘁𝗲 𝗼𝗿 𝗕𝗿𝗼𝘄𝘀𝗲𝗿 𝗘𝘅𝘁𝗲𝗻𝘀𝗶𝗼𝗻𝘀 - If you want to go for something more Web App themed, try adding to existing extensions or creating your own. These can ultimately help you be more efficient, saving you time and enabling you to work smarter (not harder). 💻
𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗹𝗲 𝗔𝗽𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗧𝗲𝘀𝘁𝗶𝗻𝗴 - Use different open source security scanners to test against a web application you set up. This will not only help you with learning new attack methods, but it will also give you a more defensive perspective, too. 🤔
-
Looking for an ethical hacking roadmap? We've compiled a resource for you based off Heath Adams' blog post & video on how you can get started with penetration testing! Let's get started on how you build a foundation for ethical hacking success ⬇️
𝗕𝘂𝗶𝗹𝗱 𝗬𝗼𝘂𝗿 𝗜𝗧 𝗙𝗼𝘂𝗻𝗱𝗮𝘁𝗶𝗼𝗻. Before you can get into any of the hacky stuff, you need to understand the IT foundations you will frequently be working with. You can get a better understanding of these with our Free Practical Help Desk course as well as paid offerings from Professor Messer and Mike Meyers.
𝗨𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱 𝗡𝗲𝘁𝘄𝗼𝗿𝗸𝗶𝗻𝗴 𝗧𝗵𝗼𝗿𝗼𝘂𝗴𝗵𝗹𝘆. Networking is a massive component of penetration testing, and you will need to understand concepts such as the TCP Three-Way Handshake. Some resources to shore up your networking knowledge are the free Cisco Networking Academy, Professor Messer's Network Plus course, and Mike Meyers' paid Network Plus course on Udemy.
𝗟𝗲𝗮𝗿𝗻 𝗟𝗶𝗻𝘂𝘅. Linux is a cornerstone of ethical hacking, and there's no way you can avoid it. The learning curve can be steep, but the more you immerse yourself in it, the easier it is to pick up. We proudly offer a free Linux course that can teach you the basics, and there are other free resources we recommend like Linux Journey and OverTheWire - Bandit.
𝗗𝗼𝗻'𝘁 𝗙𝗼𝗿𝗴𝗲𝘁 𝗖𝗼𝗱𝗶𝗻𝗴! While not every security professional will decide to invest in coding, we recommend that you do. And there's no need to go too deep - having even a basic understanding of programming can become an invaluable asset. We have several programming courses available, including a free fundamentals course.
𝗞𝗻𝗼𝘄 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗖𝗼𝗻𝗰𝗲𝗽𝘁𝘀. Finally, you need an understanding of the core security concepts. These include things like cryptography, incident response, and risk management. You might want to explore these areas with our SOC 101 course. Plus, we have a free fundamentals course coming SOON!
𝗧𝗶𝗺𝗲 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗙𝘂𝗻 𝗦𝘁𝘂𝗳𝗳. Once you've taken these steps, you can now get into the hacky stuff! We offer an assortment of courses that can help you become an ethical hacker, and a few beginner-friendly certs too, like the Practical Junior Penetration Tester (PJPT). Learn more about what this cert involves here: https://lnkd.in/gUCCj6RX
-
Could you fall in love with an AI chatbot running only on a Raspberry Pi? 👀 Today Andrew Bellini exposes how attackers can use this technology to power shockingly convincing romance scams. Watch how a conversation would unfold and how the LLM leverages emotional manipulation, ultimately leading to a money request. And remember: This chatbot is running on just a Raspberry Pi! Imagine what would be possible with a larger-scale model. https://lnkd.in/gFXrjW8s
-
Why is it so critical for organizations to be aware of their Active Directory security? Here are some quick stats:
✔️ Approximately 80% of cyberattacks leverage misconfigured credentials (like AD)
✔️ It takes only an average of 16 hours for an attacker to break into an AD environment from initial compromise
✔️ AD was the most targeted attack surface for ransomware in 2024
And that's just the beginning. So why not take advantage of the free Active Directory health check we offer at TCM Security? If your organization has ten or more employees, we are proud to provide an AD health check 𝗳𝗼𝗿 𝗻𝗼 𝗰𝗼𝘀𝘁. Get in touch at info@tcm-sec.com or the contact form: https://lnkd.in/gaJpPfgF
-
𝗟𝗼𝘄 𝘀𝗲𝗮𝘁 𝗮𝗹𝗲𝗿𝘁! Don't miss out on this opportunity! https://lnkd.in/g9x5YK3W
SOC roles are more crucial than ever before, with companies in need of skilled analysts to detect, respond to, and prevent cyber threats. If you want to launch or advance your career in defensive security, our SOC Level 1 Live Training with Andrew Prince is for you! This training will help you establish the skills you need for Tier 1 and 2 SOC roles. Here is what you will get when you sign up for this Instructor Led Training ⬇️
⚒️ 𝗛𝗮𝗻𝗱𝘀-𝗼𝗻 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴: Gain practical experience in real-world security operations scenarios.
📈 𝗖𝗮𝗿𝗲𝗲𝗿 𝗚𝗿𝗼𝘄𝘁𝗵 Opportunities: Build the core blue team skills that will help elevate your professional journey, from fundamentals through incident response.
Join us April 14th to the 17th to get the knowledge you need to make a real impact in cybersecurity.