May 22, 2022
Cyberweekly #196 - Knowing when you are compromised, and doing something about it
“Just log more” is the advice that we see most often from cybersecurity defenders and cyber talking heads (which reminds me of [Max Headroom](https://en.m.wikipedia.org/wiki/Max_Headroom)). But defenders are often sifting through mountains of log...
May 15, 2022
Cyberweekly #195 - Do we understand our supply chain?
[Betteridge's law](https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines) should tell you the answer to this! Of course the answer here is no. We almost certainly do not understand our supply chains, and I suspect it's likely that we...
May 08, 2022
Cyberweekly #194 - Talking to yourself
Happy Sunday on a gloriously sunny day. Some of you might have noticed that I didn't send a newsletter last week, and I'd love to have a good excuse, but in reality, it's the start of summer and the UK has a number of public holidays that make for...
April 24, 2022
Cyberweekly #193 - Remaining vulnerable
How you deal with vulnerabilities is critical to your organisation's approach to security. In far too many organisations, there simply isn't any defined vulnerability process. If someone finds something, it's reliant on the development team or...
April 10, 2022
Cyberweekly #192 - Integrity in the software supply chain
We sometimes talk about "securing the software supply chain" as if it will prevent bugs and issues, which isn't quite accurate. The increasing number of software supply chain systems are there to validate and verify the integrity of the supply...
April 03, 2022
Cyberweekly #191 - Risk and Reward
Humans are funny creatures, we're afraid of flying but drive cars on a daily basis despite one being the safest form of travel and the other being the most dangerous. We have terrible natural senses of probability, risk and reward. Asking almost...
March 27, 2022
Cyberweekly #190 - It's not zero trust, it's moving trust
Zero trust is the architecture we talk about where there is zero trust in the fact that the requests are ["coming from inside the network"](https://tvtropes.org/pmwiki/pmwiki.php/Main/TheCallsAreComingFromInsideTheHouse). But in fact, all we are...
March 20, 2022
Cyberweekly #189 - Trusting your source
I’ve referred before to the excellent XKCD cartoon that reminds us that huge amounts of modern commercial systems and code rely on a library maintained by a [single open source developer somewhere in Nebraska](https://xkcd.com/2347/). But have...
March 13, 2022
Cyberweekly #188 - Trust networks
How networks affect us all is both intuitive and supremely unintuitive at the same time. GPG rather famously suggested that people have key signing parties, where you would gather in person and you would validate someone's passport or driving...
March 06, 2022
Cyberweekly #187 - Advanced attackers aren't always advanced
This week has had a lot of cyber security pundits confused that their predictions of the coming cyber apocalypse haven't come true. They predicted another attack the size and impact of NotPetya or Wannacry due to the Russian invasion of Ukraine,...
February 27, 2022
Cyberweekly #186 - Managing people is our job
I'm going to start this week by explaining why I'm not talking about the situation unfolding in Ukraine. Everybody on the internet has shifted from an expert in microbiology into an expert on foreign policy in the last few days, and quite...
February 20, 2022
Cyberweekly #185 - Classifying data properly
It's nice to imagine a world with proper classifications and access control systems. You can read declassified US reports and see examples where every single paragraph contains a portion marking, an indicator that this portion of the document bears...
February 13, 2022
Cyberweekly #184 - How much trust in zero-trust do you have?
Zero-trust is the new saviour of all of our security woes, but I suspect that the effort and impact of it is wildly underestimated by most people. It's not even really clear what it means in most cases. Take the rather excellent [zero-trust memo...
February 06, 2022
Cyberweekly #183 - Does it matter who your adversary is?
There's a lot of emphasis in threat intelligence about understanding our adversaries. We name them, with threat intel companies competing for the most memorable names in a theme, from Microsoft's rare elements like Phosphorus, Strontium, Nobelium...
January 30, 2022
Cyberweekly #182 - Protecting the things protecting your infrastructure
Back in the good old days, we had really simple systems and services. We had J2EE stacks and servers, and our systems communicated via JNDI lookups which totally couldn't be abused when logging things. But the problem with these systems is that...
January 23, 2022
Cyberweekly #181 - Cyber Command and Control
If we assume for a minute that you aren't perfect, that somehow, an adversary has gotten onto one of your users' endpoints. What happens next? The [concept of a "Cyber Kill...
January 18, 2022
Cyberweekly #180 - Securing the software supply chain requires action now
There's a lot of noise around the "software bill of materials" concepts at the moment. This work has been going for years, but really stepped up a gear after both Solarwinds and then log4shell compromises. Some people argue that investing into the...
January 09, 2022
Cyberweekly #179 - Managing a wide ranging and long running incident
Happy new year! I said last year that I'd take a break for Christmas, and then a fairly major incident broke, and I spent a number of hours writing [the longest cyberweekly newsletter that I've ever...
December 22, 2021
Cyberweekly #178 - Will 2022 be the year of ransomware?
As we go into the next year, the question that flows around is whether ransomware will continue to be the threat to watch in 2022. It's difficult to give a really convincing argument in either direction. There's a lot changing in the ransomware...
November 28, 2021
Cyberweekly #177 - Automation accelerates our accuracy
Automation can be seen as a way to make jobs easier, to reduce the grunt work. But automation also means that the job is done the same way every time. It means that you can read the automation specification to know exactly how the job will be...
November 21, 2021
Cyberweekly #176 - The Red Queen Problem
> "Well, in our country," said Alice, still panting a little, "you'd generally get to somewhere else—if you run very fast for a long time, as we've been doing." > > "A slow sort of country!" said the Queen. "Now, here, you see, it takes all the...
November 14, 2021
Cyberweekly #175 - Privatising our risk
Ciaran Martin makes excellent points today in this assessment that we have privatised our security risks in a way that prevents control. Ransomware as a scourge has prompted more organisations and nations to action than almost any other...
November 07, 2021
Cyberweekly #174 - One Team, Two Team; Blue Team, Green Team
Within security we often think a lot about the bad guys, the red team, and how they work, how they can compromise our systems. We also pay a lot of attention to the blue team, the team of defenders watching the screens, analysing the systems and...
October 31, 2021
Cyberweekly #173 - Scaling a community
This last few weeks, there's been a lot of discussion around whether Facebook is a net positive for society or not. Sadly, the stories of families who can keep in touch, or old university friends who support one another are never newsworthy, and so...
October 24, 2021
Cyberweekly #172 - How do we secure the future of work
I don't think we yet know where the future of work is going, let alone how to secure it. Analysis shows that there are generational and lifestyle splits over a desire to work in the office, but it's not just about location. The pandemic working...
October 17, 2021
Cyberweekly #171 - Managing your risk from vendors
We’re going to hear a lot about supply chains over the next few years. This is going to be the next big thing in security, and luckily, lots of smart people are already working on subsets of the problem. But there’s a few big problems with supply...
October 10, 2021
Cyberweekly #170 - Culture eats strategy for breakfast
It’s long been said that Culture eats strategy for breakfast. The big tech titans, such as the “FAANG” set of Facebook, Apple, Amazon, Netflix and Google, have all developed and inherited a specific culture, and it’s a culture of “deliver at all...
October 03, 2021
Cyberweekly #169 - Knowing how it’s used
The products and services that we offer to our users and customers are something we can only improve if we actually understand how they are being used. In one of my first experiences with watching user research, nearly a decade ago, I watched a set of...
September 26, 2021
Cyberweekly #168 - The modern cloud is different
I think I’ve said this before, and I’m sure I’m repeating myself, but lifting and shifting your data centre into the cloud isn’t actually a good idea. The public cloud is like for like more expensive than running your own data center, and the...
September 19, 2021
Cyberweekly #167 - We rely on our suppliers
Supply chains have been a cybersecurity issue since well before the Solarwinds hack, but have risen to prominence in the last year. They're super hard to reason about, because in reality, no two supplier relationships are the same. The way that...
September 12, 2021
Cyberweekly #166 - Defending against ransomware
Ransomware infection is almost certainly the single most impactful cybersecurity incident that your company or organisation could suffer from. If you look at incident breach numbers, then users accidentally sharing information, cloud...
September 05, 2021
Cyberweekly #165 - Taking time to relax
Last week's issue seems to have hit a chord with people. I had a number of people reach out to say how much the burnout article resonated with them, and how it really touched on how they were feeling at the moment. It's echoed with me as well,...
August 29, 2021
Cyberweekly #164 - Investing in your staff for a better future
The last 18 months have been a particularly rough time for lots of people. A global pandemic has changed working patterns, and as many commentators have pointed out, accelerated a working from home concept, without the normal advantages of working...
August 22, 2021
Cyberweekly #163 - Passing on knowledge
We're bad as an industry at passing on knowledge. Much of the digital transformation of the last 10 years was a repeat, or reapplication of the agile evolution in software development, which mostly came from the agile manifesto from 2001. But much...
August 15, 2021
Cyberweekly #162 - Whose data is it?
It’s easy to think of data as being very similar to physical property, this is my browsing data, that is your personally identifiable information, and data is like toxic waste that needs to be minimally collected and stored. But data is ephemeral,...
August 08, 2021
Cyberweekly #161 - How to make a difference
It's really easy to criticise, in fact I do it on a weekly basis, but it's much harder to create. Reading the Committee on homeland security and governmental affairs report, I was struck that the report catalogs a thoroughly predictable set of...
August 01, 2021
Cyberweekly #160 - Competent adversaries and us
I think I've said this before, but we're really not good at visualising or understanding risk. One of the biggest issues with security is that you are often talking about predicting events that will occur and taking actions so that they don't...
July 25, 2021
Cyberweekly #159 - The rise of commercial spyware
(Joel) Hi folks, [Joel](https://twitter.com/joelgsamuel) here. If, like Michael and me, you spend the vast majority of your working time in central government, you will be aware that the Spending Review 2021 (the UK civil service's next 3-year...
July 18, 2021
Cyberweekly #158 - It always depends on the context
We can easily be the victim of binary thinking in cybersecurity and digital. You must have a CI/CD pipeline, you should always patch immediately, you must airgap your control network from your operational network. One of the increasing problems...
July 11, 2021
Cyberweekly #157 - A radical focus on users
Security has for many years been the purview of a rather niche set of people. Not that long ago at all (potentially this week in some organisations), security professionals would be called in purely on an engagement basis. The system under test...
July 04, 2021
Cyberweekly #156 - Celebrating diversity
This week has seen my twitter feed filled with people in bikinis, tank tops, naked in some cases, and showing off their bodies. The story of why this has come around is a [depressingly common...
June 27, 2021
Cyberweekly #155 - Making decisions with data
It's easy to say that if you had more data then you'd be able to make better decisions. The reality is that most of us have access to more data at our fingertips than is even imaginable just a decade or so ago, and it's getting easier and easier to...
June 20, 2021
Cyberweekly #154 - 2021 is the year of ransomware
I've been saving a few of these articles for weeks. I've talked before about the fact that I don't generally do "news" here. I like to have time to read a number of perspectives and let the initial excitement die down so that I can get a good grip...
June 13, 2021
Cyberweekly #153 - Learning from failure part 2
Last week's post turned out to be somewhat prescient as this week we [had a significant outage](https://www.theguardian.com/technology/2021/jun/08/massive-internet-outage-hits-websites-including-amazon-govuk-and-guardian-fastly) that affected [the UK...
June 07, 2021
Cyberweekly #152 - Learning from the best
I learn best from my mistakes. It might just be me that's a bad learner, but I suspect that this is true of many of us. There's two things wrong in this statement, that I learn from my *mistakes* and that I learn from *my* mistakes. We tend...
May 30, 2021
Cyberweekly #151 - Bringing light to shadow IT
Generally speaking, users don't break security protocols on purpose. They don't squeeze through the access door without badging in because they want to make your life harder. They don't click on links in emails to find out if the malware works,...
May 23, 2021
Cyberweekly #150 - Shifting security left
Shift security left is one of those mantras that sounds great, but in reality, struggles to deliver on the promise. If you speak to some of the luminaries of the original secdevops/devsecops/ruggeddevops movements, they'll explain that development...
May 16, 2021
Cyberweekly #149 - The dark side of ransomware
Sorry, I couldn't resist the pun! This last few years has seen the rise and rise of ransomware operators. It used to be that the operators had to compromise you and demand a ransom, but there have been changes recently, from the rise of...
May 10, 2021
Cyberweekly #148 - Reading for fun and profit
It's a short newsletter this week because I've pulled together some absolutely amazing long reads for you, as well as a couple of typical news features. Whether it's getting to understand North Korean use of cybercrime as a funding mechanism, or...
May 02, 2021
Cyberweekly #147 - New platforms need new practices
As we move towards new platforms, we have to accept that currently accepted “best practice” is no longer suited. Simon Wardley calls this [coevolution of practice](https://medium.com/wardleymaps/anticipation-89692e9b0ced), which is where a practice...
April 25, 2021
Cyberweekly #146 - What even is a data breach?
Endless headlines about data breaches come and go every month, but I'm not sure that we're always using the words appropriately. The Facebook breach was conducted by a third party using an API to extract customer records that they had legitimate...
April 18, 2021
Cyberweekly #145 - Securing the software supply chain is going to take hard work
Now that the US has sanctioned a selection of Russian Intelligence associated individuals and organisations, we can all relax and let the whole SolarWinds thing blow over right? Sadly, supply chain vulnerabilities are going to be something of a...
April 11, 2021
Cyberweekly #144 - People are at the heart of security
The famous joke goes that the only secure computer system is one that is powered off, and preferably in a sealed box buried in a hole in the ground. But that computer system doesn't work because it has no usability, no ability to help the people...
April 04, 2021
Cyberweekly #143 - A good process badly fitted is a bad process
The solarwinds hack has demonstrated just how vulnerable our software supply chain is. The excellent series from the Atlantic Council, the latest report of which is below, and the first outlined the [history of supply chain...
March 28, 2021
Cyberweekly #142 - Is malware a weapon?
Cybersecurity has a strong militaristic tonality to it. We talk about attacks, weapons, actors, all with the cyber prefix of course. But at its heart, the vast majority of cybersecurity activity isn't warlike or militaristic at all. The origin of...
March 21, 2021
Cyberweekly #141 - Developing cyber skills in a global world
I often try to steer away from geopolitics on here for a whole bunch of reasons, but primarily because I'm at best an armchair watcher who reads a lot, rather than an educated commentator. Geopolitics around how states interact with each other is...
March 14, 2021
Cyberweekly #140 - Patching isn’t as simple as all that
I thought that all the kerfuffle over HAFNIUM and Microsoft exchange patching would be mostly over by now, and it turns out I was wrong. As you’ll see below, Harry contacted me after last week to gently admonish me that patching exchange isn’t...
March 07, 2021
Cyberweekly #139 - APTs, Why does it always have to be APTs?
Channeling my inner Indiana Jones, but why is it always APTs? Every time there is an attack, vulnerability or compromise, there are government issued alerts, suppliers and journalists all competing to yell loudly that this is it, this is the big...
February 28, 2021
Cyberweekly #138 - Cyberarms is a technical topic
Perlroth's book looks really interesting. I'm just starting [Sandworm by Andy Greenberg](https://amzn.to/2O8RK3s), but I can see that [Perlroth's This is how they tell me the world ends](https://amzn.to/2NFfhtb) is going to have to go on my list. ...
February 21, 2021
Cyberweekly #137 - Taking your daily exercise
We don't exercise enough. The pandemic has meant that I can now often go an entire week without leaving the house, and sometimes it feels like I go an entire week without really leaving my desk. But exercise is great for us, the fresh air, the...
February 14, 2021
Cyberweekly #136 - It’s about ethics in cybersecurity
How should we respond to unethical actions in cybersecurity, and where is the line anyway? Sometimes those of us with a relatively clean past (I dabbled in reading Phrack, 2600 as a teenager, but never really crossed any legal lines) can make out...
February 07, 2021
Cyberweekly #135 - How to tell truth from fiction
Supermicro. Remember them? That story from Bloomberg that there was chinese malware in SuperMicro motherboards that could entirely compromise computers from below the operating system for which there was a lot of very strong denials from almost...
January 31, 2021
Cyberweekly #134 - Whose device is it anyway?
End User Devices are one of the roots of trust in any modern system. We might worry about attackers getting into our servers or networks, but it doesn’t matter how much encrypted fairy dust we apply to the data, once it reaches the end user device,...
January 24, 2021
Cyberweekly #133 - The lies our brains tell us
It remains to be seen what will happen to QAnon now that Biden is president and many of the “facts” and predictions remain totally unfounded. But we’ve seen this before. The scary part of conspiracy theories is that once someone buys into them,...
January 17, 2021
Cyberweekly #132 - New year, new resolutions, and new lessons to learn
It's hard to believe that we're already at the end of the second week of 2021. For some of us, our resolutions will already be broken, especially in the face of a continuing global pandemic and the sheer sense of apathy that everyone I speak to has. ...
January 10, 2021
Cyberweekly #131 - Protecting the cloud
I hope you all had a good Christmas and New Year! It was an interesting experience that after I made the decision to take a few weeks break from writing Cyber Weekly, we had what might be the biggest cybersecurity incident in years. You should...
December 20, 2020
Cyberweekly #130 - Solarwinds Special
I was going to have a nice relaxing holiday and take a few weeks off from writing a newsletter and news roundup! Last week I talked a bit about the FireEye breach, and was saying that the loss of the red team tools was not as big a deal as was...
December 13, 2020
Cyberweekly #129 - Even cyber companies get breached
Remember that term "assumed breached", well if FireEye can get breached, then you should assume that pretty much anyone can. Of course there are companies that you simply have to trust in some ways, your core identity provider is one, generally...
December 06, 2020
Cyberweekly #128 - What makes a good strategy?
I think that a lot of us spend a lot of our career believing that somewhere at the top of the organisations we work for, despite all the evidence, someone knows what they are doing. We tend to call this strategy, and I think it's much...
November 29, 2020
Cyberweekly #127 - Secure your platforms
Security isn't just about one thing. Security people cover physical threats, cyber threats as well as information risks and often data protection concerns as well. We tend to get a little focused on our speciality, and see everything through the...
November 22, 2020
Cyberweekly #126 - More secure in the public cloud
You know, I never really thought the MOD would be the organisation to be the first HMG organisation to say it, but yes, they have. You can be more secure in the public cloud than you might be in your on-premise data center. For all the reasons...
November 16, 2020
Cyberweekly #125 - Self service tooling
I have long contended that one of the indicators of maturity in an organisation, and one of the drivers of efficiency is the ability of teams to self-service. This can extend from the ability to use the cloud effectively, to the vending machines in...
November 08, 2020
Cyberweekly #124 - Our tools are evolving
Security tooling has always been a little... peculiar. Part of this comes from the fact that security isn't one culture, it's a mix of compliance officers, architects, hackers and analysts, and so it's rare that one tool fits everyone's needs. ...
October 26, 2020
Cyberweekly #123 - Developers are not the enemy
If you are a developer, you need to assume that your users are not the enemy, that they want to get the job done in the safest way possible. If you write code for other developers, you need to assume the same thing. We’ve known for years that...
October 18, 2020
Cyberweekly #122 - Learning from the past, not dwelling in it
I believe that we fail to learn well enough from the past. I was in a conversation last week, where I was explaining how I wanted to build community, and think about how information is kept and managed, and one of my very smart coworkers responded...
October 11, 2020
Cyberweekly #121 - Can we tell the future
For those who don't know, I started a new job recently. Leaving behind my contractor ways, I've returned to the civil service to help build security capabilities across government. Part of that role includes setting up better situational awareness...
October 04, 2020
Cyberweekly #120 - How we communicate
How we communicate really matters. If we want to be taken seriously, we have to be sure that everyone hears us communicate clearly and simply. Security and digital folks alike have a tendency to have our own language, from scrum to penetration...
September 27, 2020
Cyberweekly #119 - The security of comms platforms
[Apologies for missing last week. I had some personal news that meant that my weekend was taken up with a lot of other stuff, and the newsletter dropped off my radar.] We’ve moved to a distributed world, and many organisations have not had a...
September 13, 2020
Cyberweekly #118 - Do you need a threat model?
When I see people talking about threat modelling, they can be referring to two totally different kinds of activities. Component based threat modelling tends to look at an individual system and how the components interact. The Microsoft threat...
September 06, 2020
Cyberweekly #117 - What is the inside threat?
Who can you trust, or sometimes what can you trust? When we think of insiders, a lot of training material tends to overly focus on the big newsworthy espionage cases. These make headlines because the accusations of treason, of betraying your...
August 23, 2020
Cyberweekly #116 - Are we paving the path our users desire?
AI, Blockchain, Quantum Computing. These are technologies that are "set to revolutionise the world", and yet, half the time I don't feel like the world is very revolutionary. I spend a lot of time looking at future looking technology and trying to...
August 16, 2020
Cyberweekly #115 - Working from home forever?
What's the future going to look like? I've been thinking about this a lot recently, and nothing is a bigger focus right now than working out how many of our societal shifts from COVID are going to stick around. Will people continue to wash their...
August 09, 2020
Cyberweekly #114 - Continuous Learning
One of the reasons that I write this newsletter is because it scratches my own itch. I read a lot of articles, blogposts and reddit forums pretty much constantly. I lose track of which ones I've read, and I found myself in meetings with people where...
August 02, 2020
Cyberweekly #113 - The rise and rise of ransomware
Ransomware is on the rise, affecting more and more companies, and it's always spoken of as if it's highly advanced hacking, the sort that you might expect to be restricted to say 17 year olds. In reality ransomware is a pretty low bar for hacking...
July 26, 2020
Cyberweekly #112 - Wormable and remote vulnerabilities
There’s a big new vulnerability and you should either be really scared, or a little scared depending which articles you read. You can read more below, and my advice is that you should be making sure that you have patched your internal DNS servers...
July 19, 2020
Cyberweekly #111 - I was just saying
Last week I was just saying that cloud computing has a bunch of better security properties, and then a once every few years kind of incident comes along that makes me look stupid. [Twitters security...
July 19, 2020
Cyberweekly #110 - Why cloud?
Why do we use the cloud? I mean, generally speaking, if you are lifting and shifting computers from your data center to a cloud service on a one-for-one basis, the major cloud providers are probably more expensive (depending how you measure your...
July 05, 2020
Cyberweekly #109 - Protecting yourself
Welcome to July. For a variety of reasons, I've not been able to produce a full newsletter for most of June. I've produced lots of snippets for you, but I've heard from several people that the thing they find the most valuable and interesting is...
June 28, 2020
Cyberweekly #108 - June Roundup
For the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight a quote to sum up the most interesting or relevant part of the story in each case. Here's the week's reading and...
June 21, 2020
Cyberweekly #107 - Without comment
For the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight a quote to sum up the most interesting or relevant part of the story in each case. Here's the week's reading and...
June 14, 2020
Cyberweekly #106 - Sans comment
As stated last week, for the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight a quote to sum up the most interesting or relevant part of the story in each case.
June 07, 2020
Cyberweekly #105 - Taking time
This past few months have been hectic and difficult for all of us. From lockdowns and pandemic to protests and #blacklivesmatter, this is a tough time for people who are concerned about themselves, their family and their friends. This week there's...
May 31, 2020
Cyberweekly #104 - Developing compliance
How technical are we as security people? Most people in security are not software developers by trade. This isn't necessarily a bad thing, software is just a small part of security. Culture, behaviours and physical aspects of security are just as...
May 24, 2020
Cyberweekly #103 - The steady growth of AI
Will AI prove to be the downfall of humanity? Probably not. But it's clear that proponents of AI and its use in multiple systems are firm believers that AI is providing a generational jump similar to the dawn of computing and the information...
May 24, 2020
Cyberweekly #102 - Security isn't binary
We like to think that things are either secure or insecure, that a person is trusted or not trusted, that someone is an attacker or a defender. These dualities fill information security and lead us to lazy thinking in lots of ways around...
May 10, 2020
Cyberweekly #101 - Making the most of our tools
Whenever I go to a new client and meet their security team, one of the things I always try to get a good glimpse of is their security tools. How do they track risks on projects? store penetration test results? set and enforce policies on development...
May 03, 2020
Cyberweekly #100 - What's next?
Welcome to the 100th edition of Cyberweekly! I can't really believe that I've done this for almost 2 years now, and that I've stuck with it, and that people still message me to tell me that they find it useful. I've said before, I mostly write this...
April 28, 2020
Cyberweekly #99 - Collaboration, Risk and Data
Major General Copinger-Syme’s speech is a rousing affair that outlines 3 areas of opportunity for the UK Military complex that digital disruption is going enable. These are challenges around collaboration, around risk and around use of data. The...
April 19, 2020
Cyberweekly #98 - Governance isn't a dirty word
I've spent a long time working in Agile. I was on one of the first really big agile programmes of work at the Guardian, and introduced to many of the concepts by people who went on to be great thinkers and definers in agile development. As I've...
April 12, 2020
Cyberweekly #97 - How to work from home
I'm sorry to tell you this, but I don't think the global quarantines are going to end anytime soon. The Institute for Health Metrics and Evaluation [thinks that UK deaths will continue rising and peak around April...
April 05, 2020
Cyberweekly #96 - The cloud is more secure
I’m bored of the Zoom infosec debacle at the moment, so I thought I’d look more at one of my favourite hobby horses, the adoption and use of the cloud and how to use it securely. Cloud computing has been around for a long time, and infosec...
March 29, 2020
Cyberweekly #95 - We don't know what people do with our data
March 23, 2020
Cyberweekly #94 - Is remote working just letting the enemy inside the walls?
As pretty much every organisation in the UK and US has made urgent moves towards remote working, there are security and technology teams scrambling to enable remote access for their staff and to make it work. VPNs are being overloaded, broadband...
March 15, 2020
Cyberweekly #93 - Tools shape our thinking
The more I look at how digital transformation and digital culture is going, the more I realise that one of our big problems is the lack of attention to the tooling that we use. I think everyone has heard the phrase "When all you have is a hammer,...
March 08, 2020
Cyberweekly #92 - What justifies lawful interception
You may have seen the ["interesting" video about backdoors from Huawei this week](https://twitter.com/Huawei/status/1235128718869164032?s=20), which has been widely panned as company based propaganda. However it does raise an interesting point (and...
March 08, 2020
Cyberweekly #91 - Who actually is security and what are we for?
A recent tweet asked people to write a scary story in just 3 words. I replied with ["Security says no"](https://twitter.com/bruntonspall/status/1232574851149332481?s=20), and a reply "Who is security" caused me to reply with "we're all...
February 23, 2020
Cyberweekly #90 - How do we deal with personal data?
Editor's Note: Delayed by a day this week because I've been away on holiday and flights back were delayed. That also explains all the comments and analysis helpfully provided by [Joel](https://joelgsamuel.com/) this week. Thanks Joel. There's a...
February 15, 2020
Cyberweekly #89 - Trust in security
A short one this week I’m afraid. Prepping for half term and a heavy workload this week have conspired against me. So most of the stories are from the backlog from before Christmas. The Crypto AG story however is a fascinating insight into the...
February 10, 2020
Cyberweekly #88 - There's no certainty in risk management
If you've never seen a risk matrix, then the idea of talking about risks being unlikely, rare, likely and contrasting that with the impact of the risk might seem unusual to you. Here is [a sample risk...
February 01, 2020
Cyberweekly #87 - How much of a target are you?
Our ego likes to tell us that we are special, that attackers have carefully picked our organisation out of millions of others, that they have taken the time and energy to research us online, get to know our executives, our staff, our technologies...
January 25, 2020
Cyberweekly #86 - Tackling only what we can
We often want to fix everything around us. We want to fix systems, processes, and entire organisations all at once. And then we burn out unable to get the fixes we need in place. Most company technology estates are enormous complex beasts and it...
January 18, 2020
Cyberweekly #85 - Change is scary for people
"Security is important, you must patch now". We say this an awful lot in security. I say this a lot! Patching is probably the number 1 security control that you can apply. Almost all cyber attacks from outside exploit known vulnerabilities that...
January 11, 2020
Cyberweekly #84 - What would cyberwar look like?
Last week I deliberately avoided talking about the Iran/USA international issues because I felt like there was not enough real information and too much misinformation floating around and I didn't want to add to it. I meant to be explicit about it,...
January 04, 2020
Cyberweekly #83 - Poor incentives for cybersecurity industry
Welcome back for the first newsletter in 2020. I took a few weeks off for Christmas and New Year while I recovered from my visit to Australia. Several weeks of conferences really can take it out of you, it turns out. One of the things that I've...
December 14, 2019
Cyberweekly #82 - What do we mean by threat model?
You often hear security researchers talk about “That’s not in my threat model”, “This is secure only for a certain threat model”, or [“the lock is invincible to the people who do not have a...
December 07, 2019
Cyberweekly #81 - What does best practice even mean?
It's a short one this week because I'm currently touring Australia speaking at [Yow! Brisbane](https://yowconference.com/brisbane/) conference, and I've therefore been enjoying the sun and heat. The subject of my talks is really about where...
November 30, 2019
Cyberweekly #80 - How secure are cryptocurrencies
With China making clear moves that it intends to have some form of Government backed digital currency. Whether that is a "cryptocurrency" and based on a blockchain or whether it is some other managed digital currency, a government backed digital...
November 23, 2019
Cyberweekly #79 - Do we know why things go right?
In security, we spend a lot of time thinking about how things fail. Actually, that’s not quite right. We spend a lot of time thinking about how malicious actors can cause things to fail. We think about failure in terms of human decisions on...
November 16, 2019
Cyberweekly #78 - Enough with the cyber-nonsense
Applications that aren’t immune to compromised endpoints; Nation states that want to steal your lunch; System administrators might have built backdoors into your photo backup system. There is an endless stream of what I tend to call cyber nonsense....
November 09, 2019
Cyberweekly #77 - Progress marches on even if we aren't ready
Security is hard, that's more or less the theme of Cyberweekly every week. While I get as excited about advances and cool new toys as anyone else (ok, maybe a little more so), one of the problems we have in cybersecurity is the growing legacy of poor...
November 02, 2019
Cyberweekly #76 - General is easier than specific, or why security says no
Why do we find rules in place that say "No, you can't access Twitter" even when the person asking is the social media team? I sometimes make fun of such rules, pointing out the clear absurdity, but in reality, there is a reason for such...
October 26, 2019
Cyberweekly #75 - Coordination is hard
In big organisations, or across nation states, coordination is really hard. It can be difficult to know who to talk to, who to send issues or problems to, and how to know whether your report is being actioned. We blame users a lot for not using...
October 19, 2019
Cyberweekly #74 - Security things are still really hard
[Joel](https://twitter.com/joelgsamuel) and [Jon](https://twitter.com/jonplawrence) are back! Hello again. We're covering for Michael just for this week while he recovers from having been [slaving away on a Mauritian...
October 12, 2019
Cyberweekly #73 - Know your users
We often engage with proxies for our real users. It doesn't matter whether you are building a product that you sell, or writing policy for an organisation, you have real users and then you have decision makers. The decision makers are the ones who...
October 05, 2019
Cyberweekly #72 - What are our boundaries?
People get overexcited by the term Zero-Trust networking. If you read the [BeyondCorp research papers](https://cloud.google.com/beyondcorp/), or read [the excellent book on Zero-Trust Networks (affiliate link)](https://amzn.to/30PTT4C), they really...
September 28, 2019
Cyberweekly #71 - What actually is hostile social manipulation?
As we come into some turbulent years for democracies in the west, I think we are going to hear a lot more about hostile social manipulation in various forms. Of course we are already used to cries of “fake news” from certain sides anyways, but it’s...
September 21, 2019
Cyberweekly #70 - Tackling the insider threat
I've been reading [Edward Snowden's autobiography (affiliate link)](https://amzn.to/2ABepeY) this week, and it's made me think about insider attacks quite a lot. When we think of insiders, we tend to think of the Edward Snowden style of attack. ...
September 14, 2019
Cyberweekly #69 - Fake news and adequate pernicious toerags
None of us like to believe that we can be defrauded, tricked or influenced. There's a fascinating bias called "unconscious bias bias" which is where people can see and identify unconscious biases in others, but cannot see them in themselves. This...
September 07, 2019
Cyberweekly #68 - Do we trust machines?
How much do we trust machines? It turns out, according to research I read this week, that the majority of people expect an automated aid to perform better at a task than a human. That can include examples such as navigation, driving aids, medical...
August 31, 2019
Cyberweekly #67 - How to compare or weigh risks?
Some of you will be aware that I have a love/hate relationship with risk management techniques. On one hand I am a firm believer that many organisations focus on entirely the wrong things, on back to back multi-vendor firewalls and sheep-dip...
August 24, 2019
Cyberweekly #66 - Are we unwilling managers
Many of us in infosec and digital are also team leads or managers of various forms, and most of us tend to be somewhat unwilling managers. The career path in technology tends to mean that most gifted technically competent people are increasingly...
August 19, 2019
Cyberweekly #65 - How much privacy do we expect?
Privacy is a really interesting concept to study. People have lots of different mental concepts of privacy, and oftentimes those concepts don't entirely align with other humans' conceptions of the same behaviours. Couples talk about wanting privacy...
August 10, 2019
Cyberweekly #64 - We need to stop operating IT like it's 1999
We see this again and again, but the ransomware attacks on enterprise IT estates in local government in the US (which are the ones we know the most about) just show that many small to medium size organisations still haven't got the memo. It's...
August 03, 2019
Cyberweekly #63 - Put more security in your SaaS
When we talk about companies moving to "the cloud" we tend to mean the migration from data center to hyperscale cloud data center. People moving their servers from an on-premise or colocated data center into Azure, Google Cloud, AWS or...
July 27, 2019
Cyberweekly #62 - The next big malware that wasn't
The sky is falling, BlueKeep will result in thousands of compromised computers, you must patch now. Lots of people said that this would be the next Wannacry, but it hasn't materialised, and we don't really know why. I've outlined below some of my...
July 20, 2019
Cyberweekly #61 - Just because it’s basic doesn’t mean it’s easy
There's a great post by Emma W of the NCSC linked below that talks about why patching is often described as basic, even though doing it can be really hard. GDS has a number of design principles that it used when building GOV.UK as well as for...
July 13, 2019
Cyberweekly #60 - Is it Cyberwar or Cyberespionage?
The shift in policy of moving the reins of power of offensive cyber from intelligence organisations like the NSA or GCHQ over to military organisations like the US CyberCommand or the Ministry of Defence is an interesting one. The military has...
July 06, 2019
Cyberweekly #59 - How confident are you that your defences work?
How confident are you in your defences? You've got firewalls, WAFs and even a segmented network. Maybe you have to leave your phone outside before you go into your office, have badges that need a PIN as a second factor and armed guards who watch...
July 06, 2019
Cyberweekly #58 - Phishing just works
Remember from the [Verizon Data Breach survey](https://enterprise.verizon.com/en-gb/resources/reports/dbir/2019/results-and-analysis/) earlier on in the year [featured in Cyber Weekly 51](https://www.cyberweekly.net/what-does-cyberwar-actually-mean),...
June 22, 2019
Cyberweekly #57 - Malware is still your biggest threat
Are you worried that nation states are coming to get you? That the cyber criminals will breach your systems and steal all of your data? Malware, distributed by email or phishing is still the biggest threat to most businesses, and of that malware, the...
June 18, 2019
Cyberweekly #56 - How can we be more positive in security?
Cybersecurity is a pessimists' game, right? We are constantly talking about and worrying about being attacked, about what is the worst that can happen, about the nations in a constant state of cyberwar! But we overly focus on the negative. I took...
June 08, 2019
Cyberweekly #55 - Raising the baseline of security
I've been involved in a bunch of conversations recently around "baseline controls". What is the difference between different security controls, and how should we decide where to invest our money? One train of thought is that any set of security...
June 01, 2019
Cyberweekly #54 - The more things change, the more they stay the same
Iran's conducting disinformation campaigns, Baltimore shows that people aren't patching at all, let alone fast enough, the Huawei discussion rages on. This is the new normal, and looking down the behaviors of nation states, at the data breach...
May 25, 2019
Cyberweekly #53 - When is a breach a breach?
In risk management, and data protection, we tend to assume the worst. That if we've exposed the data of millions of users, that someone has actively exploited it and done terrible things with it. But the reality isn't like that most of the time...
May 19, 2019
Cyberweekly #52 - To patch or not to patch
It has been quite a week of breaches. From [WhatsApp](https://arstechnica.com/information-technology/2019/05/whatsapp-vulnerability-exploited-to-infect-phones-with-israeli-spyware/), to [vulnerabilities in the linux...
May 11, 2019
Cyberweekly #51 - What does cyberwar actually mean?
The IDF tweeted that they had carried out a missile attack on a Hamas cyber offensive operations team, and it made me ponder the militarisation of cyber warfare. A lot of infosec people tweeting about the IDF attack suggested that they were shocked...
May 04, 2019
Cyberweekly #50 - Who are the attackers we worry about
The old adage says that on the internet, nobody knows you are a dog. It's always been hard to attribute cyber attacks because the complexities of internet governance mean that the country location of servers isn't the same as commercial affiliation...
April 27, 2019
Cyberweekly #49 - We're on a Huawei to hell
I've been up at the NCSC's flagship conference, CyberUK, in Glasgow this week, for which the Huawei decision was a point of conversation. Mostly it was with a kind of resigned shrug that "Inevitably someone will mention it" that introduced the topic...
April 25, 2019
Cyberweekly #48 - DNS is at the root of our cybersecurity
I'm back from holiday, so massive thanks to Jon and Joel for covering the newsletter while I was away. I hope you enjoyed it, and it was novel to wake up on a Saturday morning and be able to read the newsletter rather than having to check and write...
April 13, 2019
Cyberweekly #47 - People & Privacy: Consent? Is that your question?
Us again! Michael has kindly let us edit Cyber Weekly again this week (thanks for having us 'stay' a little longer Michael). The theme we have chosen for this week is 'People & Privacy'. Since the [General Data Protection Regulation...
April 06, 2019
Cyberweekly #46 - People & Security - forever intertwined
Michael has kindly let us guest edit Cyber Weekly this week (thanks Michael for inviting us along). The theme we have chosen is 'People & Security'. These two things are intertwined, sometimes when we least expect them to be. People are _the_...
March 30, 2019
Cyberweekly #45 - How secure is our software?
While the debate about the geopolitical implications of Huawei software managing western 5G networks continues on, we really should be worrying about how secure is the software that manages... well everything. We rely, in this day and age, on...
March 30, 2019
Cyberweekly #44 - It’s not always targeted attacks
Malware is running around an industrial control system. It must be Russia, or China, or Iran, or the US or ... We get a million hot takes within minutes of cyber security news being broken, mostly without enough context to back up the assumptions...
March 16, 2019
Cyberweekly #43 - Hacking Tools
I'm not actually a very good hacker. I know and understand a lot of the theory, and I've been on web application hacking courses, played at a few Cybergames, and while I don't come first, I don't do terribly. But hacking tools fascinate me because...
March 09, 2019
Cyberweekly #42 - Fake news and propaganda
I was determined to not talk more about fake news this week. I'd had in mind to do something about how the law affects the internet, but there were just too many good stories this week, especially the absolutely excellent writeup by Recorded Future...
March 02, 2019
Cyberweekly #41 - The evolving practice of security
I'm [speaking at QCon](https://qconlondon.com/london2019/presentation/evolving-practice-security) this coming week on the evolving practice of security and therefore it's a lot in my mind. As the Department of Defense moves from on premise data...
February 25, 2019
Cyberweekly #40 - Throwing out the baby with the bathwater
Is ITIL valuable? If you ask that at a DevOps or Agile conference, people will either stare at you blankly, or tell you horror stories of their experiences with CAB. I'm aware of one organisation that had a weekly CAB for any change going to...
February 23, 2019
Cyberweekly #39 - Are developers the kingmakers?
Stephen O'Grady wrote a book around 5 years ago called [The New Kingmakers](https://www.amazon.co.uk/New-Kingmakers-Developers-Conquered-World-ebook/dp/B0097E4MEU/ref=sr_1_1?ie=UTF8&qid=1550301534&sr=8-1&keywords=Developers+are+the+new+kingmakers) in...
February 09, 2019
Cyberweekly #38 - Digital transformation is hard
What is the strategy for doing digital transformation in a large organisation? Do you run little agile projects in the midst of all of the other major projects going forward? How do you get budget for that project that makes sense and how do you...
February 02, 2019
Cyberweekly #37 - The US dominates “cyberspace”
A long one this week, primarily because the US released the Worldwide threat assessment and the Intelligence Community strategy. This resulted in a lot of reading about various military systems and networks, which always fascinates me. I’ve tried to...
January 26, 2019
Cyberweekly #36 - What will 2019 hold for us?
I've held off on making predictions about cybersecurity. 2018 was such a bonkers year, from the SuperMicro allegations, to Russian interference everywhere, from Facebook breaches to Google+ breaches, it felt like it just kept getting crazier and...
January 21, 2019
Cyberweekly #35 - Are we still learning?
How do we continue to learn? Often we are so busy and so up against the deadlines that we barely have time to complete all of our work, let alone take time for "Continuing Professional Development". Security is so often about putting out fires that...
January 12, 2019
Cyberweekly #34 - The sky is falling
2FA has been broken, and so it's all over. This was what the news seemed to scream at me this week with the release of the modlishka tool. As I've said repeatedly, many times, the most effective cyber security defense you can employ right now is...
January 08, 2019
Cyberweekly #33 - Who are we at Cyberwar with?
Over the Christmas period, the [twitter argument started by Perry Metzger](https://twitter.com/perrymetzger/status/1075928695058120705?s=20) has made me think and ruminate a lot on Cyber Warfare and adversarial thinking. I’ve spent the last few...
December 29, 2018
Cyberweekly #32 - Happy New Year
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall. Feel free to forward this on to people you think might be interested. If someone...
December 29, 2018
Cyberweekly #31 - Merry Christmas
Merry Christmas, I hope you are all starting to relax and get into the holiday spirit. This letter is a little late today because I was at a Christmas Party last night and it's taken a bit of time to be able to compose my thoughts! It's been...
December 15, 2018
Cyberweekly #30 - A breach is just a failure of process
As we see breach after breach after breach, we tend to see root cause analysis processes and they always come to the same conclusion. The process wasn't in place properly and wasn't followed. Except, that if you did the same analysis without the...
December 11, 2018
Cyberweekly #29 - When is risk management not risk management?
A theme I've seen recently is a reluctance by organisations to take certain actions to reduce risk because they either aren't perfect, they don't totally remove the risk, or they contain too many unknowns. I've spent a fair amount of time looking...
December 01, 2018
Cyberweekly #28 - What's next for digital government?
This week had a bunch of interesting themes for me, but two in particular stand out. Tom Loosemore and Dafydd Vaughan brilliantly explained the journey that digital government has been on and how far we've come. It's very easy to dwell on the size...
November 24, 2018
Cyberweekly #27 - We're all human after all
A lot of cybersecurity and digital maturity models tend to assume that high performing teams are what economists call "rational actors". We assume that people will follow procedures, that they like rules, and that they don't take decisions that would...
November 17, 2018
Cyberweekly #26 - Small steps to knowledge, taking each one at a time
I enjoyed following a conversation this week about the value of a philosophy degree in infosec. The conversation quickly descended into discussions about which philosopher would be more fun to have a beer with, which I didn't really follow (I still...
November 10, 2018
Cyberweekly #25 - Digital supply chains should be giving you nightmares today
2018 could be remembered for a lot of things, it’s been quite the year after all, but I think it's the year in which software supply chain issues came to prominence. From the Ticketmaster hack to British Airways to SiteCounter, we are seeing...
November 03, 2018
Cyberweekly #24 - How can we set a security strategy if we don't know what's going on?
Lots of the stories this week show that organisationally, senior leaders are out of touch with the reality of the security strategy that they write or sponsor. Whether it be a policy that requires users to not browse adult websites, that everyone...
October 27, 2018
Cyberweekly #23 - Is risk management the right approach
I'm a big believer in risk management. I think that security does depend on the context, and risk management is supposed to help you understand your context and take appropriate risks. But in reality, I'm not sure it's actually working. A friend...
October 20, 2018
Cyberweekly #22 - A new methodology needs a new set of practices
I've been thinking a lot about serverless recently. I know that I'm years behind the cutting edge here, but I'm bullish that serverless is going to take off soon. I'm hearing more and more that greenfield development should be starting with...
October 13, 2018
Cyberweekly #21 - When is a breach not a breach?
This week, Google announced that they had found a vulnerability in GooglePlus, but hadn't told anyone. There was some discussion online about whether they had broken the law, in particular GDPR, and whether they had acted responsibly. But it draws...
October 06, 2018
Cyberweekly #20 - China, Russia, Facebook, Conservatives... It's been quite a week
Phew. I didn't think reading and writing this week's newsletter would ever end. There have been so many interesting stories and news that it took me a lot this week to read all of the summaries and try to find just the best links to share with you. ...
September 29, 2018
Cyberweekly #19 - Patching everything all the time might be too expensive
It's interesting that we know that almost all breaches that get reported are because of unpatched software. It's pretty rare that we actually see 0-day vulnerabilities in use and breaching networks, primarily because most attackers don't need to use...
September 22, 2018
Cyberweekly #18 - Are we getting better?
This week, I'm keynoting at Agile Cambridge 2018 https://agilecambridge.net/2018/ on the topic of "Does Agile make us less secure" which has led to spending a lot of the past few weeks wondering whether we are actually getting any better at...
September 15, 2018
Cyberweekly #17 - How do normal users make good security decisions?
Most security products exist in what economists call a Market for Lemons (https://en.wikipedia.org/wiki/The_Market_for_Lemons), which means that purchasers lack the ability to tell a good product from a bad product. The market theory suggests that...
September 08, 2018
Cyberweekly #16 - Blockchain has a history
_NOTE: This email was sent out without this introduction, it's preserved here as I wrote it, rather than how I sent it out. Sorry for everyone who missed this_ We stand on the shoulders of giants in technology. We often however like to think that...
September 01, 2018
Cyberweekly #15 - Who holds data on you, and what do they do with it?
This newsletter comes to you from a chilly field in the wilds of the UK, where hackers and makers of all forms have gathered to share news, tips and techniques. The amount of future tech on show that is bodged together with tape, glue and exposed...
August 25, 2018
Cyberweekly #14 - How many breaches will it take?
It sometimes feels like the news in cybersecurity is an endless slew of breaches, with security professionals standing to one side saying "I told you so". This attitude of enjoying disasterporn, or Schadenfreude, doesn't make us look very good as a...
August 18, 2018
Cyberweekly #13 - Making sense of a complex world
It's a quiet week this week as I prepare for family holiday and try to get all my work done before I leave, but here's a selection of the best reading I've seen in the busyness of the week. Most interestingly is the theme coming through that a lot...
August 11, 2018
Cyberweekly #12 - Should we trust cyber security stats?
Several articles this week about various statistics in cybersecurity, which makes me question the mechanism by which we gather these statistics and how they are presented. The cybersecurity vendors have an explicit desire to bulk up the risk, so...
August 04, 2018
Cyberweekly #11 - Two factor or not two factor, that is the question
This week has all been about two factor authentication. For me, I read the Motherboard article first, but then the Reddit incident and the claim last week from Google made me perk up my ears, and then the internet exploded with comment about...
July 28, 2018
Cyberweekly #10 - That’s edition 8 in octal
So this week we reach two milestones at more or less the same time. This is the 10th newsletter, that's 10 weeks in a row compiling and sending this out, as well as reaching 100 subscribers this week, so huge thanks to everyone who subscribes, who is...
July 22, 2018
Cyberweekly #9 - Better late than never
_NOTE: This letter was mistakenly sent with the subject #8 - Better late than never_ What is the purpose of a security team? Why do they even exist? A recent article about misconfiguration of Trello boards prompted a bit of a discussion in one of...
July 14, 2018
Cyberweekly #8 - Where are you spending your security budget?
What do we spend our time and money set aside for security in companies doing? Lots of CISOs and security managers I talk to exclaim that they need significantly bigger budgets, that they can't do all of the stuff that is asked of them. But when I...
July 07, 2018
Cyberweekly #7 - Security has to be usable to be any good
This week there has been a swathe of articles covering usable security in various forms. I'm loving seeing more and more organisations come up with ways to balance usability and security. We're never going to get this perfect, but we have to...
June 30, 2018
Cyberweekly #6 - Whose fault is a breach anyway?
This week saw an interesting breach of the Ticketmaster payment processing system. A third party, Monzo, noticed the breach months before Ticketmaster were able to confirm it. Ticketmaster claim it wasn't their breach, but one of their suppliers,...