FINAL POST FROM THE FLOOR: #BlackHatUSA 2025 Coverage!

Access Roulette: How to Stop Betting Your Security on Standing Privileges

This wraps up our on-location content from Las Vegas!

Next week we'll reconnect with our main event sponsors— BLACKCLOAK, Dropzone AI, Stellar Cyber, and Akamai Technologies—to bring you their post-event insights and feedback. Of course ThreatLocker's recap was already captured on the floor and published earlier today. Plus, watch for our closing reflection articles from me Marco Ciappelli and Sean Martin, CISSP!

Our final floor conversation comes thanks to our friends at Apono

Modern enterprises are gambling with security every day. Static permissions, manual approvals, and periodic audits create "privilege creep" that turns every over-privileged account into a potential breach waiting to happen.

At #BlackHat USA 2025, Ofir Stein from #Apono reveals how to break this dangerous cycle.

The stakes keep rising:
• Non-human identities (service accounts, #APIs, #AIagents) retain high-level privileges long after tasks complete
• Organizations discover risks during audits but lack scalable remediation
• #Business teams need rapid access while security teams battle expanding #attacksurfaces

Apono's Zero Standing Privilege model:
• Removes ALL permanent access by default
• Grants access dynamically based on business context
• Automatically revokes permissions when tasks complete
• Works for both human AND non-human identities
• Integrates with existing #identity providers—no rip and replace

Key capabilities:
• Context-based policy management aligned with business objectives
• Continuous discovery of identities, privileges
• Automated remediation of unnecessary privileges
• Real-time anomaly detection feeding #SOC workflows
• Scalable across centralized and decentralized environments

The result?
Engineers gain control over their access (building trust), security teams maintain tight governance, and organizations can finally stop betting their security on standing privileges.

Watch the video: https://youtu.be/ciBsH84PVQU

Listen to the podcast: https://brand-stories-podcast.simplecast.com/episodes/access-roulette-how-to-stop-betting-your-security-on-standing-privileges-a-brand-story-with-ofir-stein-cto-and-co-founder-of-apono-a-black-hat-usa-2025-conference-on-location-brand-story-HD5Uq_kf

Read the blog: https://www.itspmagazine.com/their-stories/access-roulette-how-to-stop-betting-your-security-on-standing-privileges-a-brand-story-with-ofir-stein-cto-and-co-founder-of-apono-a-black-hat-usa-2025-conference-on-location-brand-story

➤ Learn more about Apono: https://itspm.ag/apono-1034

✦ Catch more stories from Apono: https://www.itspmagazine.com/directory/apono

Follow all of our #BHUSA 2025 coverage: https://www.itspmagazine.com/bhusa25

Monday news from ITSPmagazine #happymonday!

Join Marc Manzano, Sean Martin, CISSP and me on this week SandboxAQ Webinar!

After an incredible conversation with Marc on the #RSAC floor in San Francisco — where Sean and I used every second of our time and still had more to explore — I knew the #Sandbox Story couldn’t stop there.

If you missed that on-location episode from #RSAC2025, catch it here:

Security at the Edge of Change – A Brand Story with Marc Manzano from SandboxAQ

https://www.itspmagazine.com/their-stories/security-at-the-edge-of-change-preparing-for-the-cryptographic-and-ai-tipping-point-a-brand-story-with-marc-manzano-from-sandboxaq-an-on-location-rsac-conference-2025-brand-story

Now, we’re keeping the momentum going with a live ITSPmagazine webinar you don’t want to miss — and I won’t either.

How To Detect And Mitigate Non-Human Identity And Cryptographic Vulnerabilities | An ITSPmagazine Webinar with SandboxAQ

Join Marc, Sean, and me as we dig deeper into how SandboxAQ is tackling one of today’s most urgent security challenges.

Unmanaged cryptographic assets and non-human identities have left security teams blind to critical risks. These gaps have fueled vulnerabilities, breaches, compliance challenges, and operational drag across enterprise environments.

By attending, you’ll:

Gain visibility into cryptographic assets and non-human identities like API keys, certificates, and service accounts

See how #AQtiveGuard enables automated discovery, threat detection, and root cause analysis without disrupting workflows

Learn how to future-proof your security with Post-Quantum Cryptography readiness and AI-powered #SecOps

Learn more:

https://www.itspmagazine.com/itspmagazine-webinar-calendar/how-to-detect-and-mitigate-non-human-identity-and-crytographic-vulnerabilities-an-itspmagazine-webinar-with-sandboxaq

REGISTER NOW:

Can’t attend the live webinar? All registrants get exclusive access with a link to rewatch the recording.

https://www.crowdcast.io/c/how-to-detect-and-mitigate-non-human-identity-and-crytographic-vulnerabilities-an-itspmagazine-webinar-with-sandboxaq

Share the news and join us!

See you live on Thursday!

#infosec

#cybersecurity

#technology

#tech

#infosecurity

#AIsecurity

#postquantum

#cryptography

#identitymanagement

I'm curious to hear what others are #SelfHosting! Here's my current setup:

Hardware & OS

• Hardware: #RaspberryPi500 (8 GB RAM, 512 GB SD card) #RPi #RPi500 #SingleBoardComputers #HomeLab
• OS: #Stormux, an accessible #Linux distro based on #ArchLinuxARM #LinuxAccessibility #AccessibleTech

Infrastructure & Networking

• Dashboard: #Glance (#Docker) #DockerApps
• Reverse Proxy: #Caddy
• DNS: #Cloudflare
• Domain Registrar: #Porkbun
• Networking & Remote Access: #Tailscale (non-Docker), love its SSH agent and magic DNS features. #NetworkSecurity

Security & Monitoring

• Ad Blocking: #AdGuardHome (non-Docker). Previously used PiHole but find AdGuardHome slightly faster. #PrivacyTools
• Server Monitoring: #Beszel (non-Docker). Tried Grafana/Prometheus/Alertmanager (accessible but overkill) and Netdata (poor screen reader accessibility). Beszel isn't perfect but best compromise so far. #ServerMonitoring
• Server Overview: #Cockpit (non-Docker)
• Security Tools: #Fail2ban, #FirewallD, #ClamAV, and #Rkhunter (non-Docker). Tried CrowdSec but couldn't get it working on Stormux. #CyberSecurity
• Service Uptime Monitoring: #UptimeKuma (Docker), accessible and easy to use. #MonitoringTools

Authentication & Identity Management

• Authelia (Docker): Just set this up for two-factor authentication and single sign-on. Seems to be working well so far!
  
• LLDAP (Docker): Lightweight LDAP server for managing authentication. Also seems to be working pretty well!
  #AuthenticationTools #IdentityManagement

Productivity & Personal Tools

• Docker Management: #Dockge (Docker). More accessible than Portainer; main issue is built-in terminal isn't readable with screen readers. #DockerCompose
• Docker Logs Viewer: #Dozzle (Docker), great web interface and easy searching.
• Git Hosting: #Forgejo (non-Docker), my personal Git server. #GitServer
• Backups: #IDrive (non-Docker), backs up all my devices easily. #BackupSolutions
• Notes: #Joplin server (Docker). Accessibility improving; love the VSCode extension. #NoteTakingApps
• Bookmarks: #Linkding (Docker). Accessible bookmark manager with good browser extension support. #BookmarkManager
• Recipes: #Mealie (Docker), starting to learn cooking!  #CookingApps
• RSS Feeds: #Miniflux (non-Docker), excellent accessibility. Originally wanted better podcast support but other options had major accessibility issues. #RSSReader
• Automation & Workflows: #N8N (Docker). Haven't explored deeply yet—open to ideas! #AutomationTools #WorkflowAutomation
• Pastebin Service: #PrivateBin (non-Docker). Considering alternatives or CLI tool for easier console access. #PastebinAlternative
• File Sharing & Editing: #Samba (non-Docker), easy file management from my Windows 11 mini PC. #FileSharing #Windows11
• Search Engine: #SearXNG (non-Docker), accessible and searches multiple engines at once. #PrivacySearchEngine
• IRC Client: #TheLounge (non-Docker). Some accessibility issues but best I've found so far for always-connected IRC. #IRCClient
• Read Later Service: #Wallabag (Docker). Biggest issue is Wallabagger Chrome extension doesn't work for me yet. #ReadItLater

Notifications & Development Workflow

• Notifications via: #Ntfy (Docker) and Zoho's ZeptoMail (#Zoho)
• Development Environment: Mostly using VSCode connected to my server via Remote-SSH extension. #VSCodeRemote

Accessibility Focus ️

Accessibility heavily influences my choices—I use a screen reader full-time (#ScreenReader), so I prioritize services usable without sight (#InclusiveDesign, #DigitalAccessibility). Always open to discussing accessibility experiences or recommendations!

I've also experimented with:

• Ollama (#Ollama): Not enough RAM on my Pi.
• Habit trackers like Beaver Habit Tracker (#HabitTracking): Accessibility issues made it unusable for me.

I don't really have a media collection, so no Plex or Jellyfin here (#MediaServer)—but I'm always open to suggestions! I've gotten a bit addicted to exploring new self-hosted services!

What's your setup like? Any cool services you'd recommend I try?

#SelfHosted #LinuxSelfHost #OpenSource #TechCommunity #FOSS #TechDIY

@selfhost @selfhosted @selfhosting

btw, as something of an #introduction, if any new users (or returnees like mahself) want to follow me I may post in the future about things like:

#EVsforall
#electricvehicles
#ebikes
#mistubishi
#minicabMiEV
#auspol
#climatechange
#4dayworkweek
#identitymanagement
#melbourne
#Australia
#thailand
#srilanka
#burningman
#art
#parenting
#parentinghacks
#embryoadoption
#embryology
#neurobiology
#physiology
#ElectricMotorcycles
#electricbikes
#goth
#homerenovation
#bushwalking
#batterytechnology
#offgrid
#sustainability
#worklifebalance
#degrowth
#doughnuteconomics
#twittermigration
#health
#mitochondria
#databody
#Novavax
#DavidSchnarch
#psychology

... and I might add more, now we can edit