Cyber Risk GmbH - Reading room



Our monthly newsletter


May 2024 (6.84 MB, 94 pages)

April 2024 (6.67 MB, 114 pages)

March 2024

February 2024

January 2024

November 2023

October 2023

September 2023

July 2023

June 2023

May 2023

April 2023

March 2023

February 2023

January 2023

November 2022

October 2022

September 2022

July 2022

June 2022

May 2022

April 2022

March 2022

February 2022

January 2022



Cyber Risk GmbH, some of our clients



Presentations, articles, papers, news


1. Christina Lekati, interview, Schweizer Radio und Fernsehen (SRF): “Social Engineers und ihr Lieblingsnetzwerk”.

Beim Social Engineering geht es darum, Menschen zu manipulieren, um an Infos oder Geld zu kommen. Kaum ein Hackerangriff kommt heute ohne eine gute Portion «Human Hacking» aus. Wie funktioniert es, was kann man dagegen tun und welche Rolle spielt LinkedIn?

https://www.srf.ch/audio/digital-podcast/social-engineers-und-ihr-lieblingsnetzwerk?id=12484536



Christina Lekati, Schweizer Radio und Fernsehen (SRF)



2. Christina Lekati, October 2023, presentation at the Swiss Cyber Storm (Bern, Switzerland): “Targeting Key Individuals, Profiling, and Weaponizing Psychology.”

Targeted social engineering attacks that weaponize psychology have become tools employed by State-sponsored adversaries and cybercriminals. They want to infiltrate organizations, steal information, recruit insiders, and move to other critical infrastructure entities. What must individuals with privileged access to information or systems do?

https://www.youtube.com/watch?v=_qbJvjsRAPo



Swiss Cyber Storm Christina Lekati



3. Christina Lekati, November 2023, 2 days training at the DeepSec Conference in Vienna, Austria: “Security Intelligence: Practical Social Engineering and Open-source Intelligence for Security Teams”

In this rapidly evolving threat landscape, security professionals and penetration testers / red teamers must understand better how social engineering works, and how to identify and disrupt attack verticals.

https://deepsec.net/schedule.html



DeepSec Christina Lekati



4. Christina Lekati, October 2023, interview for the Swiss “Inside IT” News Platform: "Man muss sich immer fragen: Dürfen Kriminelle das wissen?"

Am Ende hängt doch alles am Menschen: Wenn man sein Passwort weitergibt, die Zweifaktor-Authentifizierung ausschaltet oder Geld an Kriminelle überweist, nützt ein ausgeklügeltes Sicherheitssystem wenig. Und auch wenn es abgedroschen klingt: Der Faktor "Mensch" wird oft noch unterschätzt, besonders wenn man sich vergegenwärtigt, wie viele heikle Informationen im Netz publiziert sind. Und wie einfach diese mittlerweile mit den richtigen Tools und Methoden gesammelt werden können – raffiniertere Google-Befehle genügen bereits für erstaunliche Resultate. Wenn die Angreifer dann noch über grosse Ressourcen verfügen, wird es richtig düster. Wie das geht, weiss Christina Lekati, Spezialistin für Social Engineering und Open Source Intelligence (OSINT). An der diesjährigen Swiss Cyber Storm in Bern wird sie über den "Human Factor" sprechen. Wir haben uns im Vorfeld mit ihr unterhalten.

https://www.inside-it.ch/man-muss-sich-immer-fragen-duerfen-kriminelle-das-wissen-20231012



Inside IT Christina Lekati



5. Black Hat Asia 2023. Christina Lekati and Samuel Lolagar lead the class: “Fundamentals of Cyber Investigations and Human Intelligence” at Marina Bay Sands, Singapore.

In this class, participants learn a comprehensive methodology for gathering in-depth information on a human target, following three intelligence disciplines:

• Open-source intelligence (OSINT),

• Social media intelligence (SOCMINT), a sub-brunch of OSINT,

• Human intelligence (HUMINT), and particularly, virtual HUMINT.

https://www.blackhat.com/asia-23/training/schedule/#fundamentals-of-cyber-investigations--human-intelligence-29747



Christina Lekati, Black Hat Asia 2023



6. Presentation at the Insomni’hack conference in Lausanne, Switzerland, in 2023: “Targeted Social Engineering Attacks: Weaponizing Psychology”.

Targeted social engineering attacks that weaponize psychology have become tools employed by cybercriminals to infiltrate organizations in the public and private sector, steal sensitive information, recruit insiders, and help threat actors breach an organization's security. This presentation covers some of the most recent social engineering techniques and case studies.

https://www.youtube.com/watch?v=SfBj0xnd_XI



Christina Lekati, Presentation at the Insomni’hack conference in Lausanne, Switzerland, in 2023



7. Featured for her presentation at the Insomni’hack conference in LeTemps, one prominent newspaper in Switzerland, March 2023.

“The Insomni'hack conference, organized at EPFL, highlights ultra-sophisticated phishing techniques. Explanations from cybersecurity specialist Christina Lekati”

https://www.letemps.ch/economie/hackers-usent-psychologie-fine-pieger-leurs-victimes



Christina Lekati, LeTemps newspaper, Switzerland, March 2023



8. Article for Golem.de (in German): “ChatGPT und die Zukunft des Social Engineering”.

https://www.golem.de/news/e-mail-phishing-mit-ki-chatgpt-und-die-zukunft-des-social-engineering-2305-173296.html



Christina Lekati, Article for Golem.de (in German): “ChatGPT und die Zukunft des Social Engineering”



9. Article for Heise’s iX Magazine (in German): “Sicherheitsrisiko Mitarbeiter: Mit Psychologie Cybersecurity-Kultur Schärfen Der Mensch ist das schwächste Glied in der IT-Security-Kette. Psychologisches Know-how hilft beim Aufbau einer Cybersecurity-Kultur.”

https://www.heise.de/hintergrund/Sicherheitsrisko-Mitarbeiter-Mit-Psychologie-Cybersecurity-Kultur-schaerfen-7187096.html



Christina Lekati, “Sicherheitsrisiko Mitarbeiter: Mit Psychologie Cybersecurity-Kultur Schärfen Der Mensch ist das schwächste Glied in der IT-Security-Kette. Psychologisches Know-how hilft beim Aufbau einer Cybersecurity-Kultur.”



10. Expert opinion for an article of Die Zeit (in German): “Hier Spricht die Polizei". Telefonbetrüger geben sich als Beamte von Europol aus, um Geld zu erbeuten. Unsere Autorin hat mit einigen gesprochen – und mit einem Opfer, das mehr als 30.000 Euro verloren hat.

https://www.zeit.de/2022/25/telefon-betrug-europol-polizei



Christina Lekati, Expert opinion for an article of Der Zeit (in German)



11. Podcast Interview for Hensoldt Analytics: “Social Engineering and the Protection of High-Value Targets.” In this podcast episode we discuss the risks posed by social engineering, and how OSINT can be used for the protection of high-value targets.

https://www.youtube.com/watch?v=d2do-JGzw8c&list=PLfodXJHGJlWm06UItlJ-hNAhvF1CZxy9r&index=7



Christina Lekati, Hensoldt Analytics, “Social Engineering and the Protection of High-Value Targets”



12. Article for Feedly’s Threat Intelligence Community “Ahead”: “Social Engineering Kill-Chain: Predicting, Minimizing, & Disrupting Attack Verticals.” Protecting an organization from social engineering attacks is NOT an easy, or one-dimensional task. This is an asymmetric game in which information, knowledge, & strategy are paramount. But how do threat actors build their attack strategy, and how can we inform ours? This article explains and breaks down the typical social engineering kill-chain, and offers practical tips for a defense strategy.

https://ahead.feedly.com/posts/social-engineering-kill-chain-predicting-minimizing-and-disrupting-attack-verticals



Christina Lekati, Feedly’s Threat Intelligence



13. Article for Feedly’s Threat Intelligence Community “Ahead”: “High Value Targets (HVT): Where Should You Focus Your Intelligence Collection & Analysis Efforts?” Ensuring the security of an HVT requires more than having adequate technical infrastructure or a close protection operative. That individual's public and private actions can directly impact their personal and organizational security. A protective intelligence report identifies weaknesses and informs the organization's security strategy. You may read the article for more details:

https://ahead.feedly.com/posts/high-value-targets-focus-intelligence-collection



Christina Lekati, Article for Feedly’s Threat Intelligence



14. SANS Summit Talk for the Open-Source Intelligence Summit (Washington DC): “Protecting High-Value Individuals: An OSINT Workflow.”

This presentation walks you through the workflow of a (sanitized) OSINT assessment case for a high value-target. This case revolves around a company executive a few days before moving into public announcements that were likely to trigger hacktivist groups.

Cyber harassment can start from online platforms but it may also continue into the physical sphere of the targeted individual. Most often, the goal is either to influence the behavior of the target and make them resign, change their decisions and future behavior, or to cause significant psychological distress – that will ultimately affect their work performance. Knowing that harassment was a highly likely scenario, the company requested an OSINT assessment on this individual to help them eliminate or manage information that could pose a risk to the individual and ultimately affect his performance and the company.

https://www.youtube.com/watch?v=rE4mORq9T5s



Christina Lekati, SANS Summit Talk for the Open-Source Intelligence Summit (Washington DC)



15. Interview for the State of OSINT. A community project that captures the views and experiences of some of the most renowned open-source intelligence practitioners. Read expert's views on the best (and worst) of OSINT, their favourite tools and techniques, and how they think the landscape is changing.

https://stateofosint.com/posts/2022-christina-lekati/



Christina Lekati, Interview for the State of OSINT



16. Presentation at the CEO corner and the CISO/DPO Cyber Day in Luxemburg, organized by PwC Luxembourg.

At the CEO Corner, Christina was invited for an executive briefing on the highly personalized, social engineering threats targeting CEOs and the Board of Directors, in an interactive, in-person session among a small group of select executives and CEOs.

During the CISO/DPO Cyber Day, Christina presented the evolving nature of social engineering attacks, what we should expect in the future, and how weaponizing psychology is currently a threat to information security. She recommended Target Vulnerability Assessments that will assist high value targets avoid or better identify and respond to weaponized psychology attacks against them or their organization.



Christina Lekati Presentation at the CEO corner and the CISO/DPO Cyber Day in Luxemburg, organized by PwC Luxembourg



17. Keynote Presentation for SecIT by Heise. In this presentation, Christina Lekati discussed the psychological elements and behavioural science involved in facilitating users to adopt better cybersecurity habits. She talked about the drivers of motivation, people’s perception of risk and reward, the psychology of wilful compliance, but also about common mistakes in the process. This presentation aided security managers and executives to more effectively communicate and implement the necessary cybersecurity policies and procedures that employees need to practice within their organization.



Christina Lekati Heise



18. DEF CON 29, presentation at the Social Engineering Village. "Judging By the Cover; Profiling and Targeting Through Social Media".

The presentation demonstrated how attackers gather information through social media and utilize them to manipulate and victimize their targets, ultimately leading to a security breach.



Christina Lekati DEFCON


19. Interview for the TAZ Newspaper (In German): Jeder hat eine Schwachstelle. Betrüger bauen Vertrauen auf, um an Daten oder Geld zu kommen. Welche Tricks sie dafür nutzen, erklärt Sicherheitstrainerin Christina Lekati.

https://taz.de/Sicherheitsexpertin-ueber-Social-Engineering/!5711020/



Christina Lekati, Interview for the TAZ Newspaper



20. SANS Summit Talk for the Open Source Intelligence Summit (Washington DC): “Judging By The Cover - Profiling Through Social Media”. The talk demonstrates how attackers gather information on their targets through social media and utilize them to manipulate and victimize them – ultimately leading to a security breach. If you have a SANS account you may find the slides of the presentation by visiting:

https://www.sans.org/cyber-security-summit/archives



Christina Lekati SANS



21. Interview for Golem.de (In German): Social Engineering: Die unterschätzte Gefahr. Die größten Schwachstellen in technischen Systemen sind bis heute Menschen. Social Engineers machen sich ihre Sorglosigkeit zunutze - und finden auf sozialen Netzwerken alles, was sie für einen erfolgreichen Angriff brauchen.

https://www.golem.de/news/social-engineering-die-unterschaetzte-gefahr-1908-142812.html



Christina Lekati, Interview for Golem.de



22. Interview for the Dot Magazine: “Creating a “Human Firewall” for IT Security”. Psychologist and social engineer Christina Lekati from Cyber Risk GmbH explains the psychological basis of phishing and how to arm staff with effective defenses.

https://www.dotmagazine.online/issues/securing-the-future/human-firewall-for-it-security



Christina Lekati, Interview for the Dot Magazine



23. Interview for the ECO Association - Europe’s Largest Internet Association (In German): Social Engineering: Mitarbeiter stärker für IT-Security sensibilisieren. Mitarbeiter müssen lernen, wie sie auf diese Anfragen in einer angemessenen Weise reagieren können. Dies geschieht durch intensive Schulung. Sie müssen verstehen, dass das Thema: Sicherheit geteilte Verantwortung bedeutet und, dass sie eben einen Teil dieser Verantwortung mittragen.

https://www.eco.de/news/social-engineering-unwissenheit-am-meisten-ausgenutzt/



Christina Lekati, Interview for the ECO Association



24. Conference Presentation at Hacktivity: "Social Engineering Through Social Media". The talk demonstrates how attackers gather information on their targets through social media and utilize them to manipulate and victimize them – ultimately leading to a security breach.

https://www.youtube.com/watch?v=D8Z69AsSFn0&t=577s



Christina Lekati, Conference Presentation at Hacktivity



25. Conference Presentation at ElBsides Hamburg: "When Your Biggest Threat is on Your Payroll – Drivers and Enablers of Insider Threat Activities". The talk discusses the organizational factors enabling insider threat operations and countermeasures against them, by combining the lessons learned on insider activity prevention from the fields of counterintelligence, psychology, and cyber-security.

https://www.youtube.com/watch?v=5ovY0YlLZNU&t=2208s



Christina Lekati, Conference Presentation at ElBsides Hamburg


26. Cyber Terror Campaigns Against High Value Individuals and Public Figures.

https://www.cyber-risk-gmbh.com/Cyber_Terror_Campaigns_Against_High_Value_Individuals_and_Public_Figures.html



27. How Psychology and Behavioural Science Can Help You Build Your Cybersecurity Culture.

https://www.cyber-risk-gmbh.com/How_Psychology_and_Behavioural_Science_Can_Help_You_Build_Your_Cybersecurity_Culture.html



28. Wie Psychologie und Verhaltenswissenschaft ihnen beim Aufbau ihrer Cybersecurity-Kultur helfen können.

https://www.cyber-risk-gmbh.com/Wie_Psychologie_und_Verhaltenswissenschaft_ihnen_beim_Aufbau_ihrer_Cybersecurity_Kultur_helfen_koennen.html



29. Psychological Exploitation of Social Engineering Attacks.

https://www.cyber-risk-gmbh.com/Psychological_Exploitation_of_Social_Engineering_Attacks.html



30. Psychologische Ausnutzung von Social-Engineering-Angriffen.

https://www.cyber-risk-gmbh.com/Psychologische_Ausnutzung_von_Social_Engineering_Angriffen.html



Our new Youtube Channel


We invite you to subscribe to the new YouTube Channel of Cyber Risk GmbH.

We keep the message short and sweet, and we cover a difficult subject in 3-4 minutes. People like it when you get to the point.

Appetizers rock. We hope they will make you want more.

https://www.youtube.com/@CyberRiskGmbH


YouTube Channel Cyber Risk GmbH