Flat Networks, Fast Breaches, and How Shared Services Undermine Internal Segmentation

In full posture assessments and incident response engagements I often found internal networks still flat. VLANs separated users, servers, management, or wireless, but without internal firewalls these zones offered little resistance and attackers could move freely. Even where segmentation existed, shared services like storage, Citrix, or management platforms spanned environments and bridged production with non-production. This was usually a trade-off between cost, complexity, and legacy design. Cloud stood out more positively, with Azure vNets, AWS VPCs, and GCP VPCs applying ACLs to segment traffic, though gaps remained around shared infrastructure. On paper segmentation looked effective, yet in practice it left broad paths open.

Lessons from OWASP AppSec NZ: Culture, Code, and AI’s Impact on Development

The additional risk that AI introduces into software development is no longer theoretical or fringe. At OWASP AppSec NZ, session after session reinforced the double-edged nature of AI in cybersecurity. LLMs are accelerating delivery, but they also generate vulnerable code nearly 40 percent of the time, and most of it is still pushed to production. Banning them is pointless, because developers, like people in any other role, will find a way to use these tools, whether in a controlled environment or outside it. Until these systemic issues are removed from the training data of future models, if that ever happens, we are essentially living through Stack Overflow 2.0, but with vulnerabilities baked in at scale.

Defending Aotearoa New Zealand from the Inside Out | NZSIS Brief Analysis

Aotearoa New Zealand may be geographically remote, but the digital threat environment has no borders. The NZSIS Security Threat Environment 2025 report highlights violent extremism, foreign interference, espionage and insider risks, all of which I have seen unfold in US and global contexts. The lesson is clear. Defending the crown jewels requires an inside-out approach. Assume breach, watch for insiders, and recognise that foreign state activity and ransomware groups can just as easily exploit local infrastructure and people as they can in larger nations.

Perimeter Firewalls: Strong Technology, Weak Defences

Perimeter firewalls in most enterprises start strong, but in a number of assessments I found organisations not getting the full value of what they paid for. A few had intrusion prevention enabled only in monitor mode, others skipped SSL inspection altogether, some allowed servers to reach the internet as if they were laptops, and many carried forward undocumented rules that no one could fully explain. I also encountered firewalls without application-aware rules, IPv6 left enabled where the business did not support it, exposed management planes reachable from the internet, and VPN web portals like GlobalProtect that have been exploited repeatedly. Features such as user identification, which can provide valuable context, were often left unused. On their own, these gaps may seem manageable, but in combination they create blind spots and pathways that adversaries can exploit. The result is a firewall estate that looks modern and capable on paper yet delivers less defence than the investment should provide.

DMARC Reject: The Policy Everyone Tests, Only 25% Enforce

Aotearoa New Zealand government mandates around DMARC are forcing agencies to act, but the struggle to enforce reject is hardly limited to the public sector. In my own work with medium and large enterprises, I have seen the same hesitation: once enforcement disrupts mail flow with partners or vendors, it is quickly rolled back. Proofpoint’s figure that only 25% of organisations enforce reject mirrors what I’ve observed in the field. The technology is straightforward, but the organisational tolerance for disruption is not.

Post-Quantum Cryptography: How Global Guidance is Taking Shape

Government guidance on post-quantum cryptography (PQC) is moving from theory to detailed migration planning. In the last nine months, as highlighted by Zygmunt Łoziński of IBM Research via LinkedIn, countries including Australia, Canada, the EU, France, Germany, Israel, the Netherlands, New Zealand, the UK, and the US have refreshed their positions. A consensus is forming: plan now, migrate high-priority systems by 2030 or 2031, and complete the transition by 2035 using NIST-approved algorithms such as ML-KEM and ML-DSA, with the first three standards already finalised in August 2024 and a fourth on the way. These deadlines are critical when factoring in Q-Day, the point at which quantum computers can break today’s public-key encryption, and the harvest-now, decrypt-later risk it amplifies. If Q-Day happens quietly in a confidential vacuum, the wider world may not realise it for some time. New Zealand has added PQC preparation to its national security manual, signalling that the shift is no longer optional.

The Front Door Is Monitored, but Not the Hallways: When Network Visibility Ends at the Perimeter

Many organisations invest heavily in perimeter defences, yet leave the inside of their networks unlit. Internal firewalls are rare, SIEM inputs are often unfiltered and overloaded, and network detection tools are absent. The result is a perfect environment for attackers to move laterally, hide data in seemingly normal DNS traffic, and persist for months without a single alert.

When Familiar Names Are Phishing?

This post breaks down a real phishing attempt that targeted ITP NZ members using a spoofed display name. It wasn’t a compromised account, but a crafted message designed to exploit familiarity and provoke a reply. By unpacking how this tactic works and what subtle signals gave it away, we hope to sharpen member awareness, encourage better reporting practices, and help readers think like an adversary. If you receive something suspicious, please send it as an attachment to info@itp.nz so the headers can be analysed properly.

High Privilege, Low Discipline: The Risk of Everyday Admin Use in Shared Infrastructure

Most IT professionals know they shouldn’t use elevated accounts for everyday tasks. But knowing is not the problem; leaving it enabled by default is. This article looks at how exposure happens by design when administrative accounts are allowed to log into workstations, Citrix sessions, or virtual desktops without controls. Deny the possibility by default. If an attacker compromises a single endpoint, your architecture should prevent it from becoming a breach-level incident.

PAM is Not Enough: When Forgotten Accounts Bypass Your Controls

Even mature environments misjudge the scope of their privileged access exposure. This article unpacks how real-world privilege creep unfolds, from nested AD groups to unmanaged service accounts, forgotten appliance credentials, and newly created local admins. PAM tooling helps, but it is often blind to the accounts that matter most. If your visibility stops at Domain Admins or naming convention–based groups like CyberArk-Admins-VMWare or Delinea-SA-Storage, you are not seeing the breach path.

Legacy by Design: How Protocol Defaults and Hash Exposure Still Get Us Breached

NTLM has not gone away. In many environments, it still underpins logon flows, service account authentication, and credential relay paths that defenders assume are deprecated. Protected Users is rarely enforced. Credential Guard is rare. Even when Kerberos is in use, fallback to NTLM is often quietly enabled. Add LLMNR, NetBIOS, SMBv1, Telnet, and plaintext LDAP, and attackers have everything they need to steal or relay credentials without malware, without exploits, and often without detection. This article breaks down the legacy defaults still exposing modern networks, and what defenders, incident responders, and CISOs can do to harden these protocols before someone else exploits them.

The Quiet Backdoor: AD Certificate Services Misconfigurations

Misconfigured ADCS templates continue to enable stealthy privilege escalation in environments that otherwise look secure. These are not niche attacks. They’re practical, repeatable, and often invisible to standard monitoring. This article explores how certificate services quietly undermine security controls and why they remain one of the least reviewed yet most impactful misconfigurations in Active Directory.

Starlink for NZ Defence: Is Elon's DOGE and Palantir Connection Worth the Cybersecurity and Privacy Risks?

New Zealand’s approval of Starlink for military use may offer operational agility, but it introduces uncomfortable trade-offs around data sovereignty, encryption, and corporate entanglement. Elon Musk’s links to controversial US data projects like DOGE and Palantir raise valid concerns about privacy, persistence, and trust. This article unpacks those tensions and the minimum safeguards NZDF should demand.

Custom GPTs for Cybersecurity Professionals in NZ

Custom GPTs are tools, no different from a hammer: useful in the right hands, but counterproductive if misapplied. You wouldn’t install a lightbulb with a hammer, and you shouldn’t delegate strategic judgment to a chatbot without sufficient context. These GPTs are designed to prompt reflection, not replace thinking. Each one helps cybersecurity professionals surface lived experience, clarify trade-offs, and turn real work into shareable insight.
