Post-Quantum Cryptography: How Global Guidance is Taking Shape

Government guidance on post-quantum cryptography (PQC) is moving from theory to detailed migration planning. In the last nine months, as highlighted by Zygmunt Łoziński of IBM Research via LinkedIn, countries including Australia, Canada, the EU, France, Germany, Israel, the Netherlands, New Zealand, the UK, and the US have refreshed their positions. A consensus is forming: plan now, migrate high-priority systems by 2030 or 2031, and complete the transition by 2035 using NIST-approved algorithms such as ML-KEM and ML-DSA, with the first three standards already finalised in August 2024 and a fourth on the way. These deadlines are critical when factoring in Q-Day, the point at which quantum computers can break today’s public-key encryption, and the harvest now, decrypt later risk it amplifies. If Q-Day happens quietly in a confidential vacuum, the wider world may not realise it for some time. New Zealand has added PQC preparation to its national security manual, signalling that the shift is no longer optional.


The Front Door Is Monitored, but Not the Hallways: When Network Visibility Ends at the Perimeter

Many organisations invest heavily in perimeter defences, yet leave the inside of their networks unlit. Internal firewalls are rare, SIEM inputs are often unfiltered and overloaded, and network detection tools are absent. The result is a perfect environment for attackers to move laterally, hide data in seemingly normal DNS traffic, and persist for months without a single alert.


When Familiar Names are Phishing?

This post breaks down a real phishing attempt that targeted ITP NZ members using a spoofed display name. It wasn’t a compromised account, but a crafted message designed to exploit familiarity and provoke a reply. By unpacking how this tactic works and what subtle signals gave it away, we hope to sharpen member awareness, encourage better reporting practices, and help readers think like an adversary. If you receive something suspicious, please send it as an attachment to info@itp.nz so the headers can be analysed properly.


High Privilege, Low Discipline: The Risk of Everyday Admin Use in Shared Infrastructure

Most IT professionals know they shouldn’t use elevated accounts for everyday tasks. But knowing is not the problem; leaving it enabled by default is. This article looks at how exposure happens by design when administrative accounts are allowed to log into workstations, Citrix sessions, or virtual desktops without controls. Deny the possibility by default. If an attacker compromises a single endpoint, your architecture should prevent it from becoming a breach-level incident.


PAM is Not Enough: When Forgotten Accounts Bypass Your Controls

Even mature environments misjudge the scope of their privileged access exposure. This article unpacks how real-world privilege creep unfolds, from nested AD groups to unmanaged service accounts, forgotten appliance credentials, and newly created local admins. PAM tooling helps, but it is often blind to the accounts that matter most. If your visibility stops at Domain Admins or naming convention–based groups like CyberArk-Admins-VMWare or Delinea-SA-Storage, you are not seeing the breach path.


Legacy by Design: How Protocol Defaults and Hash Exposure Still Get Us Breached

NTLM has not gone away. In many environments, it still underpins logon flows, service account authentication, and credential relay paths that defenders assume are deprecated. Protected Users is rarely enforced. Credential Guard is rare. Even when Kerberos is in use, fallback to NTLM is often quietly enabled. Add LLMNR, NetBIOS, SMBv1, Telnet, and plaintext LDAP, and attackers have everything they need to steal or relay credentials without malware, without exploits, and often without detection. This article breaks down the legacy defaults still exposing modern networks, and what defenders, incident responders, and CISOs can do to harden these protocols before someone else exploits them.


The Quiet Backdoor: AD Certificate Services Misconfigurations

Misconfigured ADCS templates continue to enable stealthy privilege escalation in environments that otherwise look secure. These are not niche attacks. They’re practical, repeatable, and often invisible to standard monitoring. This article explores how certificate services quietly undermine security controls and why they remain one of the least reviewed yet most impactful misconfigurations in Active Directory.


Starlink for NZ Defence: Is Elon's DOGE and Palantir Connection Worth the Cybersecurity and Privacy Risks?

New Zealand’s approval of Starlink for military use may offer operational agility, but it introduces uncomfortable trade-offs around data sovereignty, encryption, and corporate entanglement. Elon Musk’s links to controversial US data projects like DOGE and Palantir raise valid concerns about privacy, persistence, and trust. This article unpacks those tensions and the minimum safeguards NZDF should demand.


Custom GPTs for Cybersecurity Professionals in NZ

Custom GPTs are tools, no different from a hammer: useful in the right hands, but counterproductive if misapplied. You wouldn’t install a lightbulb with a hammer, and you shouldn’t delegate strategic judgment to a chatbot without sufficient context. These GPTs are designed to prompt reflection, not replace thinking. Each one helps cybersecurity professionals surface lived experience, clarify trade-offs, and turn real work into shareable insight.
