6 - Whose fault is a breach anyway?
This week saw an interesting breach of the Ticketmaster payment processing system. A third party, Monzo, noticed the breach months before Ticketmaster were able to confirm it. Ticketmaster claim it wasn't their breach but one of their suppliers'; the supplier admits being hacked but claims it wasn't their responsibility, as they didn't recommend putting the JavaScript onto the payment processing pages.
7 - Security has to be usable to be any good
This week there has been a swathe of articles covering usable security in various forms. I'm loving seeing more and more organisations come up with ways to balance usability and security. We're never going to get this perfect, but we have to try.
8 - Where are you spending your security budget?
What is the time and money set aside for security in companies actually being spent on? Lots of CISOs and security managers I talk to exclaim that they need significantly bigger budgets, that they can't do all of the stuff that is asked of them.
9 - Better late than never
_NOTE: This letter was mistakenly sent with the subject #8 - Better late than never_
10 - That’s edition 8 in octal
So this week we reach two milestones at more or less the same time. This is the 10th newsletter, that's 10 weeks in a row compiling and sending this out, as well as reaching 100 subscribers this week, so huge thanks to everyone who subscribes, who is passing it onto friends, and the several hints this week for things to add.
11 - Two factor or not two factor, that is the question
This week has all been about two factor authentication. For me, I read the Motherboard article first, but then the Reddit incident and the claim last week from Google made me perk up my ears, and then the internet exploded with comment about two-factor authentication. In my original comments against these articles I kept asking the question "It might not be brilliant, but isn't it worse if we don't use it?"
12 - Should we trust cyber security stats?
Several articles this week about various statistics in cybersecurity, which makes me question the mechanism by which we gather these statistics and how they are presented.
13 - Making sense of a complex world
It's a quiet week this week as I prepare for a family holiday and try to get all my work done before I leave, but here's a selection of the best reading I've seen in the busyness of the week.
14 - How many breaches will it take?
It sometimes feels like the news in cybersecurity is an endless slew of breaches, with security professionals standing to one side saying "I told you so". This attitude of enjoying disasterporn, or Schadenfreude, doesn't make us look very good as a profession, but it is understandable. We should be trying to learn from breaches, trying to work out what happened and what was involved, and what steps we could take that would prevent it next time.
15 - Who holds data on you, and what do they do with it?
This newsletter comes to you from a chilly field in the wilds of the UK, where hackers and makers of all forms have gathered to share news, tips and techniques. The amount of future tech on show that is bodged together with tape, glue and exposed wires is quite fun and always eye opening.
16 - Blockchain has a history
_NOTE: This email was sent out without this introduction, it's preserved here as I wrote it, rather than how I sent it out. Sorry for everyone who missed this_
17 - How do normal users make good security decisions?
Most security products exist in what economists call a Market for Lemons (https://en.wikipedia.org/wiki/The_Market_for_Lemons), which means that purchasers lack the ability to tell a good product from a bad product.
18 - Are we getting better?
This week, I'm keynoting at Agile Cambridge 2018 https://agilecambridge.net/2018/ on the topic of "Does Agile make us less secure" which has led to spending a lot of the past few weeks wondering whether we are actually getting any better at security.
19 - Patching everything all the time might be too expensive
It's interesting that we know that almost all breaches that get reported are because of unpatched software. It's pretty rare that we actually see 0-day vulnerabilities in use and breaching networks, primarily because most attackers don't need to use them given how poorly patched our infrastructure is.
20 - China, Russia, Facebook, Conservatives... It's been quite a week
Phew.
21 - When is a breach not a breach?
This week, Google announced that they had found a vulnerability in GooglePlus, but hadn't told anyone. There was some discussion online about whether they had broken the law, in particular GDPR, and whether they had acted responsibly.
22 - A new methodology needs a new set of practices
I've been thinking a lot about serverless recently. I know that I'm years behind the cutting edge here, but I'm bullish that serverless is going to take off soon. I'm hearing more and more that greenfield development should be starting with serverless architectures.
23 - Is risk management the right approach
I'm a big believer in risk management. I think that security does depend on the context, and risk management is supposed to help you understand your context and take appropriate risks.
24 - How can we set a security strategy if we don't know what's going on?
Lots of the stories this week show that organisationally, senior leaders are out of touch with the reality of the security strategy that they write or sponsor.
25 - Digital supply chains should be giving you nightmares today
2018 could be remembered for a lot of things, it's been quite the year after all, but I think it's the year in which software supply chain issues came to prominence. From the Ticketmaster hack to British Airways to SiteCounter, we are seeing increasingly that digital systems are using JavaScript from a variety of sources and nobody has a good grip on how to secure that supply chain, or in many cases, even visualise and understand the supply chain.
26 - Small steps to knowledge, taking each one at a time
I enjoyed following a conversation this week about the value of a philosophy degree in infosec. The conversation quickly descended into discussions about which philosopher would be more fun to have a beer with, which I didn't really follow (I still don't really know who Wittgenstein is, or whether I'd want a beer or not with him), but one of the things that the conversation reminded me of is that we have very poor interpretations of the real world.
27 - We're all human after all
A lot of cybersecurity and digital maturity models tend to assume that high performing teams are what economists call "rational actors". We assume that people will follow procedures, that they like rules, and that they don't take decisions that would cause them personal harm, or secondarily that would cause them long term harm.
28 - What's next for digital government?
This week had a bunch of interesting themes for me, but two in particular stand out.
29 - When is risk management not risk management?
A theme I've seen recently is a reluctance by organisations to take certain actions to reduce risk because they either aren't perfect, they don't totally remove the risk, or they contain too many unknowns.
30 - A breach is just a failure of process
As we see breach after breach after breach, we tend to see root cause analysis processes and they always come to the same conclusion. The process wasn't in place properly and wasn't followed.
31 - Merry Christmas
Merry Christmas,
32 - Happy New Year
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall.
33 - Who are we at Cyberwar with?
Over the Christmas period, the [twitter argument started by Perry Metzger](https://twitter.com/perrymetzger/status/1075928695058120705?s=20) has made me think and ruminate a lot on Cyber Warfare and adversarial thinking.
34 - The sky is falling
2FA has been broken, and so it's all over. This was what the news seemed to scream at me this week with the release of the modlishka tool.
35 - Are we still learning?
How do we continue to learn? Often we are so busy and so up against the deadlines that we barely have time to complete all of our work, let alone take time for "Continuing Professional Development". Security is so often about putting out fires that if we aren't actively dealing with disaster, we are either drilling for disaster, or so exhausted that we aren't on best form.
36 - What will 2019 hold for us?
I've held off on making predictions about cybersecurity. 2018 was such a bonkers year, from the SuperMicro allegations, to Russian interference everywhere, from Facebook breaches to Google+ breaches, it felt like it just kept getting crazier and crazier.
37 - The US dominates “cyberspace”
A long one this week, primarily because the US released the Worldwide threat assessment and the Intelligence Community strategy. This resulted in a lot of reading about various military systems and networks, which always fascinates me. I’ve tried to pick out some of the best and most relevant analysis, but I do recommend that interested people read the strategy and threat assessment themselves.
38 - Digital transformation is hard
What is the strategy for doing digital transformation in a large organisation?
39 - Are developers the kingmakers?
Stephen O'Grady wrote a book around 5 years ago called [The New Kingmakers](https://www.amazon.co.uk/New-Kingmakers-Developers-Conquered-World-ebook/dp/B0097E4MEU/ref=sr_1_1?ie=UTF8&qid=1550301534&sr=8-1&keywords=Developers+are+the+new+kingmakers) in which he argued that people with the ability to write software would fundamentally change the way that business would operate. This hasn't come true generally, probably a combination of developers having a myopic view of users (developers love to build for other developers, but struggle to remember that many users don't care about the same things that they do), and the fact that while technology has advanced, most businesses don't take advantage of the power of developers.
40 - Throwing out the baby with the bathwater
Is ITIL valuable? If you ask that at a DevOps or Agile conference, people will either stare at you blankly, or tell you horror stories of their experiences with CAB.
41 - The evolving practice of security
I'm [speaking at QCon](https://qconlondon.com/london2019/presentation/evolving-practice-security) this coming week on the evolving practice of security and therefore it's a lot in my mind.
42 - Fake news and propaganda
I was determined to not talk more about fake news this week. I'd had in mind to do something about how the law affects the internet, but there were just too many good stories this week, especially the absolutely excellent writeup by Recorded Future about Chinese activity in influence operations.
43 - Hacking Tools
I'm not actually a very good hacker. I know and understand a lot of the theory, and I've been on web application hacking courses, played at a few Cybergames, and while I don't come first, I don't do terribly.
44 - It’s not always targeted attacks
Malware is running around an industrial control system. It must be Russia, or China, or Iran, or the US or ...
45 - How secure is our software?
While the debate about the geopolitical implications of Huawei software managing western 5G networks continues on, we really should be worrying about how secure is the software that manages... well everything.
46 - People & Security - forever intertwined
Michael has kindly let us guest edit Cyber Weekly this week (thanks Michael for inviting us along).
47 - People & Privacy: Consent? Is that your question?
Us again! Michael has kindly let us edit Cyber Weekly again this week (thanks for having us 'stay' a little longer Michael).
48 - DNS is at the root of our cybersecurity
I'm back from holiday, so massive thanks to Jon and Joel for covering the newsletter while I was away. I hope you enjoyed it, and it was novel to wake up on a Saturday morning and be able to read the newsletter rather than having to check and write it!
49 - We're on a Huawei to hell
I've been up at the NCSC's flagship conference, CyberUK, in Glasgow this week, for which the Huawei decision was a point of conversation. Mostly it was with a kind of resigned shrug that "Inevitably someone will mention it" that introduced the topic in many sessions. "A flag of origin is an important factor, but a secondary factor [compared to the technical, security and engineering complexities]" was a good summary of the view that was espoused both on stage and with the individuals who I ended up speaking with.
50 - Who are the attackers we worry about
The old adage says that on the internet, nobody knows you are a dog. It's always been hard to attribute cyber attacks because the complexities of internet governance mean that the country location of servers isn't the same as the commercial affiliation of the owner, who might be selling to organisations in yet another country.
51 - What does cyberwar actually mean?
The IDF tweeted that they had carried out a missile attack on a Hamas cyber offensive operations team, and it made me ponder the militarisation of cyber warfare.
52 - To patch or not to patch
It has been quite a week of breaches. From [WhatsApp](https://arstechnica.com/information-technology/2019/05/whatsapp-vulnerability-exploited-to-infect-phones-with-israeli-spyware/), to [vulnerabilities in the linux kernel](https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/), [hardware](https://9to5mac.com/2019/05/14/intel-zombieload-vulnerability-mac/), [Windows](https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/) and [Cisco products](https://thrangrycat.com/) and I'm sure I've forgotten some others already.
53 - When is a breach a breach?
In risk management, and data protection, we tend to assume the worst. That if we've exposed the data of millions of users, that someone has actively exploited it and done terrible things with it.
54 - The more things change, the more they stay the same
Iran's conducting disinformation campaigns, Baltimore shows that people aren't patching at all, let alone fast enough, the Huawei discussion rages on.
55 - Raising the baseline of security
I've been involved in a bunch of conversations recently around "baseline controls". What is the difference between different security controls, and how should we decide where to invest our money?
56 - How can we be more positive in security?
Cybersecurity is a pessimist's game, right? We are constantly talking about and worrying about being attacked, about what is the worst that can happen, about the nations in a constant state of cyberwar!
57 - Malware is still your biggest threat
Are you worried that nation states are coming to get you? That the cyber criminals will breach your systems and steal all of your data?
58 - Phishing just works
Remember from the [Verizon Data Breach survey](https://enterprise.verizon.com/en-gb/resources/reports/dbir/2019/results-and-analysis/) earlier in the year, [featured in Cyber Weekly 51](https://www.cyberweekly.net/what-does-cyberwar-actually-mean), that 94% of malware is delivered by email, and phishing is still the most common threat action carried out in breaches.
59 - How confident are you that your defences work?
How confident are you in your defences? You've got firewalls, WAFs and even a segmented network. Maybe you have to leave your phone outside before you go into your office, have badges that need a PIN as a second factor and armed guards who watch everyone coming and going?
60 - Is it Cyberwar or Cyberespionage?
The shift in policy of moving the reins of power of offensive cyber from intelligence organisations like the NSA or GCHQ over to military organisations like the US CyberCommand or the Ministry of Defence is an interesting one.
61 - Just because it’s basic doesn’t mean it’s easy
There's a great post by Emma W of the NCSC linked below that talks about why patching is often described as basic, even though doing it can be really hard.
62 - The next big malware that wasn't
The sky is falling, BlueKeep will result in thousands of compromised computers, you must patch now.
63 - Put more security in your SaaS
When we talk about companies moving to "the cloud" we tend to mean the migration from data center to hyperscale cloud data center. People moving their servers from an on-premise or colocated data center into Azure, Google Cloud, AWS or similar.
64 - We need to stop operating IT like it's 1999
We see this again and again, but the ransomware attacks on enterprise IT estates in local government in the US (which are the ones we know the most about) just show that many small to medium size organisations still haven't got the memo.
65 - How much privacy do we expect?
Privacy is a really interesting concept to study. People have lots of different mental concepts of privacy, and oftentimes those concepts don't entirely align with other humans' conceptions of the same behaviours. Couples talk about wanting privacy to be a couple together, and sometimes individuals want privacy from their partner. Groups of people who socialise build "private parties" and ways to segment themselves, and we tend to just keep using the same word over and over.
66 - Are we unwilling managers
Many of us in infosec and digital are also team leads or managers of various forms, and most of us tend to be somewhat unwilling managers.
67 - How to compare or weigh risks?
Some of you will be aware that I have a love/hate relationship with risk management techniques. On one hand I am a firm believer that many organisations focus on entirely the wrong things, on back to back multi-vendor firewalls and sheep-dip antivirus systems for JSON payloads, when those things don't actually ameliorate the risks that the organisations face, they just make busy work.
68 - Do we trust machines?
How much do we trust machines? It turns out, according to research I read this week, that the majority of people expect an automated aid to perform better at a task than a human. That can include examples such as navigation, driving aids, medical checklists and automated highlighting systems.
69 - Fake news and adequate pernicious toerags
None of us like to believe that we can be defrauded, tricked or influenced. There's a fascinating bias called "unconscious bias bias" which is where people can see and identify unconscious biases in others, but cannot see them in themselves.
70 - Tackling the insider threat
I've been reading [Edward Snowden's autobiography (affiliate link)](https://amzn.to/2ABepeY) this week, and it's made me think about insider attacks quite a lot.
71 - What actually is hostile social manipulation?
As we come into some turbulent years for democracies in the west, I think we are going to hear a lot more about hostile social manipulation in various forms. Of course we are already used to cries of “fake news” from certain sides anyways, but it’s hard to know what is meant when people talk about it.
72 - What are our boundaries?
People get overexcited by the term Zero-Trust networking. If you read the [BeyondCorp research papers](https://cloud.google.com/beyondcorp/), or read [the excellent book on Zero-Trust Networks (affiliate link)](https://amzn.to/30PTT4C), they really say that it is about a new paradigm of computing, it is about access brokers and identity aware proxies and policy enforcement on access and all that good stuff.
73 - Know your users
We often engage with proxies for our real users. It doesn't matter whether you are building a product that you sell, or writing policy for an organisation, you have real users and then you have decision makers.
74 - Security things are still really hard
[Joel](https://twitter.com/joelgsamuel) and [Jon](https://twitter.com/jonplawrence) are back! Hello again. We're covering for Michael just for this week while he recovers from having been [slaving away on a Mauritian beach](https://www.instagram.com/p/B3tfZjrJXe-/)
75 - Coordination is hard
In big organisations, or across nation states, coordination is really hard.
76 - General is easier than specific, or why security says no
Why do we find rules in place that say "No, you can't access twitter" even when the person asking is the social media team?
77 - Progress marches on even if we aren't ready
Security is hard, that's more or less the theme of Cyberweekly every week. While I get as excited about advances and cool new toys as anyone else (ok, maybe a little more so), one of the problems we have in cybersecurity is the growing legacy of poor decisions and poor technology.
78 - Enough with the cyber-nonsense
Applications that aren’t immune to compromised endpoints; Nation states that want to steal your lunch; System administrators might have built backdoors into your photo backup system.
79 - Do we know why things go right?
In security, we spend a lot of time thinking about how things fail.
80 - How secure are cryptocurrencies
With China making clear moves that it intends to have some form of Government backed digital currency. Whether that is a "cryptocurrency" and based on a blockchain or whether it is some other managed digital currency, a government backed digital currency has potential to change quite a lot in finance.
81 - What does best practice even mean?
It's a short one this week because I'm currently touring Australia speaking at [Yow! Brisbane](https://yowconference.com/brisbane/) conference, and I've therefore been enjoying the sun and heat.
82 - What do we mean by threat model?
You often hear security researchers talk about "That's not in my threat model", "This is secure only for a certain threat model", or ["the lock is invincible to the people who do not have a screwdriver"](https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/), but most of us don't really know what a threat model is, and our users certainly don't.
83 - Poor incentives for cybersecurity industry
Welcome back for the first newsletter in 2020.
84 - What would cyberwar look like?
Last week I deliberately avoided talking about the Iran/USA international issues because I felt like there was not enough real information and too much misinformation floating around and I didn't want to add to it. I meant to be explicit about it, and forgot while writing the introduction. I'm still going to avoid talking directly to the ongoing conflict. There are many better news sources on foreign affairs who are far more qualified than me to talk about that stuff.
85 - Change is scary for people
"Security is important, you must patch now".
86 - Tackling only what we can
We often want to fix everything around us. We want to fix systems, processes, and entire organisations all at once. And then we burn out unable to get the fixes we need in place.
87 - How much of a target are you?
Our ego likes to tell us that we are special, that attackers have carefully picked our organisation out of millions of others, that they have taken the time and energy to research us online, get to know our executives, our staff, our technologies before striking.
88 - There's no certainty in risk management
If you've never seen a risk matrix, then the idea of talking about risks being unlikely, rare, likely and contrasting that with the impact of the risk might seem unusual to you. Here is [a sample risk matrix](https://www.researchgate.net/figure/Risk-rating-matrix-Impact-probability-matrix_fig1_332424825) to help with the below
89 - Trust in security
A short one this week I’m afraid. Prepping for half term and a heavy workload this week have conspired against me. So most of the stories are from the backlog from before Christmas.
90 - How do we deal with personal data?
Editor's Note: Delayed by a day this week because I've been away on holiday and flights back were delayed. That also explains all the comments and analysis helpfully provided by [Joel](https://joelgsamuel.com/) this week. Thanks Joel.
91 - Who actually is security and what are we for?
A recent tweet asked people to write a scary story in just 3 words. I replied with ["Security says no"](https://twitter.com/bruntonspall/status/1232574851149332481?s=20), and a reply "Who is security" caused me to reply with "we're all security".
92 - What justifies lawful interception
You may have seen the ["interesting" video about backdoors from Huawei this week](https://twitter.com/Huawei/status/1235128718869164032?s=20), which has been widely panned as company based propaganda. However it does raise an interesting point (and referencing the story from last week), that legally mandated lawful interception points are also backdoors into systems.
93 - Tools shape our thinking
The more I look at how digital transformation and digital culture is going, the more I realise that one of our big problems is the lack of attention to the tooling that we use.
94 - Is remote working just letting the enemy inside the walls?
As pretty much every organisation in the UK and US has made urgent moves towards remote working, there are security and technology teams scrambling to enable remote access for their staff and to make it work. VPNs are being overloaded, broadband connections saturated and terminal service licenses being exceeded in many organisations.
95 - We don't know what people do with our data
I've had a busy week where I've spent a lot of time writing some data protection impact assessments and privacy policy type stuff. It's felt a little like fiddling while Rome burns to be honest.
96 - The cloud is more secure
I’m bored of the Zoom infosec debacle at the moment, so I thought I’d look more at one of my favourite hobby horses, the adoption and use of the cloud and how to use it securely.
97 - How to work from home
I'm sorry to tell you this, but I don't think the global quarantines are going to end anytime soon.
98 - Governance isn't a dirty word
I've spent a long time working in Agile. I was on one of the first really big agile programmes of work at the Guardian, and introduced to many of the concepts by people who went on to be great thinkers and definers in agile development.
99 - Collaboration, Risk and Data
Major General Copinger-Syme's speech is a rousing affair that outlines 3 areas of opportunity for the UK Military complex that digital disruption is going to enable. These are challenges around collaboration, around risk and around use of data.
100 - What's next?
Welcome to the 100th edition of Cyberweekly! I can't really believe that I've done this for almost 2 years now, and that I've stuck with it, and that people still message me to tell me that they find it useful. I've said before, I mostly write this for my own use, and hopefully people find it useful as a side effect, but it forces me to be more methodical with my reading and my analysis that I do all the time anyway.
101 - Making the most of our tools
Whenever I go to a new client and meet their security team, one of the things I always try to get a good glimpse of is their security tools. How do they track risks on projects? store penetration test results? set and enforce policies on development teams?
102 - Security isn't binary
We like to think that things are either secure or insecure, that a person is trusted or not trusted, that someone is an attacker or a defender. These dualities fill information security and lead us to lazy thinking in lots of ways around security.
103 - The steady growth of AI
Will AI prove to be the downfall of humanity? Probably not. But it's clear that proponents of AI and its use in multiple systems are firm believers that AI is providing a generational jump similar to the dawn of computing and the information age.
104 - Developing compliance
How technical are we as security people?
105 - Taking time
These past few months have been hectic and difficult for all of us. From lockdowns and pandemic to protests and #blacklivesmatter, this is a tough time for people who are concerned about themselves, their family and their friends.
106 - Sans comment
As stated last week, for the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight a quote to sum up the most interesting or relevant part of the story in each case.
107 - Without comment
For the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight a quote to sum up the most interesting or relevant part of the story in each case.
108 - June Roundup
For the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight a quote to sum up the most interesting or relevant part of the story in each case.
109 - Protecting yourself
Welcome to July.
110 - Why cloud?
Why do we use the cloud?
111 - I was just saying
Last week I was just saying that cloud computing has a bunch of better security properties, and then a once every few years kind of incident comes along that makes me look stupid.
112 - Wormable and remote vulnerabilities
There’s a big new vulnerability and you should either be really scared, or a little scared depending which articles you read.
113 - The rise and rise of ransomware
Ransomware is on the rise, affecting more and more companies, and it's always spoken of as if it's highly advanced hacking, the sort that you might expect to be restricted to, say, 17-year-olds.
114 - Continuous Learning
One of the reasons that I write this newsletter is because it scratches my own itch. I read a lot of articles, blogposts and reddit forums pretty much constantly. I lose track of which ones I've read, and I found myself in meetings with people where someone would say "Oh, did you see thing X" and my response was normally "Oh yeah, I read about that weeks ago". Someone suggested that I start tracking what I read, and try to, you know, actually tell others the interesting tidbits that I read to be helpful.
115 - Working from home forever?
What's the future going to look like?
116 - Are we paving the path our users desire?
AI, Blockchain, Quantum Computing. These are technologies that are "set to revolutionise the world", and yet, half the time I don't feel like the world is very revolutionary.
117 - What is the inside threat?
Who can you trust, or sometimes what can you trust?
118 - Do you need a threat model?
When I see people talking about threat modelling, they can be referring to two totally different kinds of activities.
119 - The security of comms platforms
[Apologies for missing last week. I had some personal news that meant that my weekend was taken up with a lot of other stuff, and the newsletter dropped off my radar.]
120 - How we communicate
How we communicate really matters. If we want to be taken seriously, we have to be sure that everyone hears us communicate clearly and simply.
121 - Can we tell the future
For those who don't know, I started a new job recently. Leaving behind my contractor ways, I've returned to the civil service to help build security capabilities across government. Part of that role includes setting up better situational awareness and horizon scanning for Government, a better ability to know what is happening both inside government and outside, in security and technology.
122 - Learning from the past, not dwelling in it
I believe that we fail to learn well enough from the past.
123 - Developers are not the enemy
If you are a developer, you need to assume that your users are not the enemy, that they want to get the job done in the safest way possible. If you write code for other developers, you need to assume the same thing.
124 - Our tools are evolving
Security tooling has always been a little... peculiar.
125 - Self service tooling
I have long contended that one of the indicators of maturity in an organisation, and one of the drivers of efficiency is the ability of teams to self-service.
126 - More secure in the public cloud
You know, I never really thought the MOD would be the first HMG organisation to say it, but yes, they have. You can be more secure in the public cloud than you might be in your on-premises data centre.
127 - Secure your platforms
Security isn't just about one thing. Security people cover physical threats, cyber threats as well as information risks and often data protection concerns as well.
128 - What makes a good strategy?
I think that a lot of us spend a lot of our career believing that somewhere at the top of the organisations we work for, despite all the evidence, someone knows what they are doing.
129 - Even cyber companies get breached
Remember that term "assumed breached", well if FireEye can get breached, then you should assume that pretty much anyone can.
130 - Solarwinds Special
I was going to have a nice relaxing holiday and take a few weeks off from writing a newsletter and news roundup!
131 - Protecting the cloud
I hope you all had a good Christmas and New Year!
132 - New year, new resolutions, and new lessons to learn
It's hard to believe that we're already at the end of the second week of 2021. For some of us, our resolutions will already be broken, especially in the face of a continuing global pandemic and the sheer sense of apathy that everyone I speak to has.
133 - The lies our brains tell us
It remains to be seen what will happen to QAnon now that Biden is president and many of the “facts” and predictions remain totally unfounded.
134 - Whose device is it anyway?
End User Devices are one of the roots of trust in any modern system. We might worry about attackers getting into our servers or networks, but it doesn’t matter how much encrypted fairy dust we apply to the data, once it reaches the end user device, it has to be decrypted to be shown to the user.
135 - How to tell truth from fiction
Supermicro. Remember them? That story from Bloomberg that there was Chinese malware in Supermicro motherboards that could entirely compromise computers from below the operating system, for which there were a lot of very strong denials from almost everyone involved.
136 - It’s about ethics in cybersecurity
How should we respond to unethical actions in cybersecurity, and where is the line anyway?
137 - Taking your daily exercise
We don't exercise enough.
138 - Cyberarms is a technical topic
Perlroth's book looks really interesting. I'm just starting [Sandworm by Andy Greenberg](https://amzn.to/2O8RK3s), but I can see that [Perlroth's This is how they tell me the world ends](https://amzn.to/2NFfhtb) is going to have to go on my list. Despite the criticisms, I think it's an interesting-looking read nonetheless.
139 - APTs, Why does it always have to be APTs?
Channeling my inner Indiana Jones, but why is it always APTs?
140 - Patching isn’t as simple as all that
I thought that all the kerfuffle over HAFNIUM and Microsoft exchange patching would be mostly over by now, and it turns out I was wrong.
141 - Developing cyber skills in a global world
I often try to steer away from geopolitics on here for a whole bunch of reasons, but primarily because I'm at best an armchair watcher who reads a lot, rather than an educated commentator.
142 - Is malware a weapon?
Cybersecurity has a strong militaristic tonality to it. We talk about attacks, weapons, actors, all with the cyber prefix of course.
143 - A good process badly fitted is a bad process
The solarwinds hack has demonstrated just how vulnerable our software supply chain is.
144 - People are at the heart of security
The famous joke goes that the only secure computer system is one that is powered off, and preferably in a sealed box buried in a hole in the ground.
145 - Securing the software supply chain is going to take hard work
Now that the US has sanctioned a selection of Russian Intelligence associated individuals and organisations, we can all relax and let the whole SolarWinds thing blow over right?
146 - What even is a data breach?
Endless headlines about data breaches come and go every month, but I'm not sure that we're always using the words appropriately.
147 - New platforms need new practices
As we move towards new platforms, we have to accept that currently accepted “best practice” is no longer suited.
148 - Reading for fun and profit
It's a short newsletter this week because I've pulled together some absolutely amazing long reads for you, as well as a couple of typical news features.
149 - The dark side of ransomware
Sorry, I couldn't resist the pun!
150 - Shifting security left
Shift security left is one of those mantras that sounds great, but in reality, struggles to deliver on the promise.
151 - Bringing light to shadow IT
Generally speaking, users don't break security protocols on purpose.
152 - Learning from the best
I learn best from my mistakes.
153 - Learning from failure part 2
Last week's post turned out to be somewhat prescient as this week we [had a significant outage](https://www.theguardian.com/technology/2021/jun/08/massive-internet-outage-hits-websites-including-amazon-govuk-and-guardian-fastly) that affected [the UK Government, BBC, Guardian, Financial Times, Independent, New York Times, The Verge, Amazon, Boots, Paypal, Deliveroo](https://www.theguardian.com/technology/2021/jun/08/internet-outage-which-websites-and-services-were-hit-by-fastly-issue) and many others.
154 - 2021 is the year of ransomware
I've been saving a few of these articles for weeks. I've talked before about the fact that I don't generally do "news" here. I like to have time to read a number of perspectives and let the initial excitement die down so that I can get a good grip of the facts.
155 - Making decisions with data
It's easy to say that if you had more data then you'd be able to make better decisions.
156 - Celebrating diversity
This week has seen my Twitter feed filled with people in bikinis, tank tops, naked in some cases, and showing off their bodies.
157 - A radical focus on users
Security has for many years been the purview of a rather niche set of people.
158 - It always depends on the context
We can easily be the victim of binary thinking in cybersecurity and digital.
159 - The rise of commercial spyware
(Joel) Hi folks, [Joel](https://twitter.com/joelgsamuel) here.
160 - Competent adversaries and us
I think I've said this before, but we're really not good at visualising or understanding risk.
161 - How to make a difference
It's really easy to criticise, in fact I do it on a weekly basis, but it's much harder to create.
162 - Whose data is it?
It’s easy to think of data as being very similar to physical property: this is my browsing data, that is your personally identifiable information, and data is like toxic waste that needs to be minimally collected and stored.
163 - Passing on knowledge
We're bad as an industry at passing on knowledge. Much of the digital transformation of the last 10 years was a repeat, or reapplication, of the agile evolution in software development, which mostly came from the agile manifesto from 2001. But much of that was taken by people who learned the lessons that manufacturing had to learn from Toyota and the Toyota Production System from as late as 1975. We can trace [OKRs](https://rework.withgoogle.com/guides/set-goals-with-okrs/steps/introduction/) back through Google to Intel, and back to Andy Grove in the 70s.
164 - Investing in your staff for a better future
The last 18 months have been a particularly rough time for lots of people.
165 - Taking time to relax
Last week's issue seems to have hit a chord with people.
166 - Defending against ransomware
Ransomware infection is almost certainly the single most impactful cybersecurity incident that your company or organisation could suffer from.
167 - We rely on our suppliers
Supply chains have been a cybersecurity issue since well before the SolarWinds hack, but have risen to prominence in the last year.
168 - The modern cloud is different
I think I’ve said this before, and I’m sure I’m repeating myself, but lifting and shifting your data centre into the cloud isn’t actually a good idea.
169 - Knowing how it’s used
The products and services that we offer to our users and customers are something we can only improve if we actually understand how they are being used.
170 - Culture eats strategy for breakfast
It’s long been said that Culture eats strategy for breakfast.
171 - Managing your risk from vendors
We’re going to hear a lot about supply chains over the next few years. This is going to be the next big thing in security, and luckily, lots of smart people are already working on subsets of the problem.
172 - How do we secure the future of work
I don't think we yet know where the future of work is going, let alone how to secure it.
173 - Scaling a community
This last few weeks, there's been a lot of discussion around whether Facebook is a net positive for society or not.
174 - One Team, Two Team; Blue Team, Green Team
Within security we often think a lot about the bad guys, the red team, and how they work, how they can compromise our systems.
175 - Privatising our risk
Ciaran Martin makes excellent points today in this assessment that we have privatised our security risks in a way that prevents control.
176 - The Red Queen Problem
> "Well, in our country," said Alice, still panting a little, "you'd generally get to somewhere else—if you run very fast for a long time, as we've been doing."
177 - Automation accelerates our accuracy
Automation can be seen as a way to make jobs easier, to reduce the grunt work.
178 - Will 2022 be the year of ransomware?
As we go into the next year, the question that flows around is whether ransomware will continue to be the threat to watch in 2022.
179 - Managing a wide ranging and long running incident
Happy new year!
180 - Securing the software supply chain requires action now
There's a lot of noise around the "software bill of materials" concepts at the moment. This work has been going for years, but really stepped up a gear after both Solarwinds and then log4shell compromises.
181 - Cyber Command and Control
If we assume for a minute that you aren't perfect, that somehow an adversary has gotten onto one of your users' endpoints, what happens next?
182 - Protecting the things protecting your infrastructure
Back in the good old days, we had really simple systems and services. We had J2EE stacks and servers, and our systems communicated via JNDI lookups which totally couldn't be abused when logging things.
183 - Does it matter who your adversary is?
There's a lot of emphasis in threat intelligence about understanding our adversaries.
184 - How much trust in zero-trust do you have?
Zero-trust is the new saviour of all of our security woes, but I suspect that the effort and impact of it is wildly underestimated by most people.
185 - Classifying data properly
It's nice to imagine a world with proper classifications and access control systems.
186 - Managing people is our job
I'm going to start this week by explaining why I'm not talking about the situation unfolding in Ukraine.
187 - Advanced attackers aren't always advanced
This week has had a lot of cyber security pundits confused that their predictions of the coming cyber apocalypse haven't come true.
188 - Trust networks
How networks affect us all is both intuitive and supremely unintuitive at the same time.
189 - Trusting your source
I’ve referred before to the excellent XKCD cartoon that reminds us that huge amounts of modern commercial systems and code rely on a library maintained by a [single open source developer somewhere in Nebraska](https://xkcd.com/2347/).
190 - It's not zero trust, it's moving trust
Zero trust is the architecture we talk about where there is zero trust in the fact that the requests are ["coming from inside the network"](https://tvtropes.org/pmwiki/pmwiki.php/Main/TheCallsAreComingFromInsideTheHouse).
191 - Risk and Reward
Humans are funny creatures, we're afraid of flying but drive cars on a daily basis despite one being the safest form of travel and the other being the most dangerous.
192 - Integrity in the software supply chain
We sometimes talk about "securing the software supply chain" as if it will prevent bugs and issues, which isn't quite accurate.
193 - Remaining vulnerable
How you deal with vulnerabilities is critical to your organisation's approach to security.
194 - Talking to yourself
Happy Sunday on a gloriously sunny day. Some of you might have noticed that I didn't send a newsletter last week, and I'd love to have a good excuse, but in reality, it's the start of summer and the UK has a number of public holidays that make for long weekends. I write this newsletter in my spare time, often at the weekend, and when we have a long weekend, I'm far more likely to spend time with my family, so I simply didn't get around to it. Apologies if you felt you missed out, but sadly, writing this newsletter doesn't pay the bills and my day job takes up vast amounts of my time and attention in the week, so it's best effort from me, and as the summer moves on and we have more holidays, we might miss a few weeks. As always, your comments, stories and recommendations always help and I'm happy to include others' links and commentary in here, so drop me a message if you'd like to contribute.
195 - Do we understand our supply chain?
[Betteridge's law](https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines) should tell you the answer to this!
196 - Knowing when you are compromised, and doing something about it
“Just log more” is the advice that we see most often from cybersecurity defenders and cyber talking heads (which reminds me of [Max Headroom](https://en.m.wikipedia.org/wiki/Max_Headroom)).
197 - Are we getting better or not?
It's incredibly difficult to legitimately measure our effectiveness at cybersecurity.
198 - Controlling access to the things that matter
Identity and Access Control forms the basis of almost all security as we know it.
199 - Learning by doing
How do we learn stuff?
200 - Issue 200
I can't really believe that I've managed to write 200 of these, and that people continue to subscribe week after week.
201 - Just do it
I do love a theoretical argument.
202 - Where responsibilities lie
If you run a major company, and use code written by a hobbyist developer, whose job is it to ensure the code is secure?
203 - AI is the new hotness
Phew!
204 - Treat data like toxic waste
It seems that the argument for privacy and lawful interception has erupted once more.
205 - Determining whether you have good policies and processes
I’m not a huge fan of certifications.
206 - Too excited to write coherently
This newsletter is short for a couple of reasons.
207 - Cognitive load
I had a great time at Blackhat, BSides and DEFCON. There were loads of talks, on a huge number of technical topics, and one of the things that I came away, both inspired and slightly daunted by, was the breadth of topics that security can cover.
208 - Process is the backbone of organisations
Welcome back, apologies for not sending a newsletter out last week, but I was on holiday and tanning myself on the beach. As a reward, a slightly longer than normal newsletter for you.
209 - Supply chains and inflection points
We're at a strange time in history for software development and engineering.
210 - MFA is "simple"
For years, the security community has said that it's simple to roll out MFA.
211 - Templates and other enablers
What does it mean to secure the appsec pipeline?
212 - The danger of frameworks
Frameworks are brilliant, they let us build something quickly, providing it’s the same shape as the framework intends.
213 - When is a vulnerability not a risk?
We’re moving the dial on the visibility of vulnerabilities.
214 - Little snippets of practice
Firstly, apologies that this week's issue has been delayed and last week's issue was completely missing, for a number of reasons: partly because it's half term in the UK and I've been spending time with my family, and partly because I've been incredibly busy recently.
215 - Make things open, it makes things better
As annual reports often tell us, the speed and capability of cyber crime groups and bad actors on the internet is constantly increasing.
216 - Learning from the past
We aren't very good at learning from the past in cyber security.
217 - Raising the cost for attackers
One of the things that we don't often talk about in security is that we're often not trying to make our systems immune to attacks. Instead, what we are often trying to do is ensure that our system is too hard for the average attacker to compromise easily.
218 - Balancing security and usability
Happy new year and welcome to 2023.
219 - When is a credential not a credential?
In the move to zero-trust, the concept of credentials to authenticate users comes up a lot.
220 - Communicating with your staff
One of the hardest challenges for new managers is learning how to communicate effectively as a manager.
221 - Can you define a good security culture?
It's really easy to hand wave and say that we need a better security culture, but it's really hard when you start to drill down on what that actually means.
222 - The AI Issue
A couple of months ago, I had seen some initial noises about ChatGPT, had a play, and asked it to generate a CyberWeekly for me. I shared this with some friends, but in the run up to Christmas, what with everything else going on, I didn't actually author a CyberWeekly at the time, and never got around to writing about it.
223 - Separating the reality from the hype in AI
AI is having a huge impact right now. I think that whenever I log into Twitter, most of what I see is covering AI in some form.
224 - Building trust between teams
Welcome back everyone!
225 - Managing your use of AI
What does it actually mean to use AI in your organisation or life?
226 - Understanding how software is built and deployed
Something that seems quite common is a bit of a rose tinted view of how software is built and deployed in many organisations.
227 - The more we change, the more things stay the same
Attackers will break into your systems because you haven't applied security patches and you aren't detecting off the shelf commodity malware being run on your desktops and servers.
228 - Users are not the first line of defence, or the last
Phishing exercises do more damage than they prevent.
229 - Doing the hard work to make it simple
When I first joined GDS, there was a poster on the wall that said ["Do the hard work to make it simple"](https://www.gov.uk/guidance/government-design-principles#do-the-hard-work-to-make-it-simple), and I loved the concept that this selection of smart people who I was part of was there to [make life as simple and easy as possible for the average citizen](https://gds.blog.gov.uk/2014/07/28/doing-the-hard-work-to-make-things-simple/).
230 - What do we mean by a risk-based approach?
We hear the phrase "Take a risk-based approach" or "make a risk-based decision" a lot in security, and I do believe that we should be risk-based in our security approach, but it's so much easier to say than to actually do.
231 - Living below the cyber poverty line
Microsoft's annual report has an interesting concept in it, that of organisations that live below the cyber poverty line.
232 - Are you radiating your intent?
The story of the Mirai creators is one of the most interesting I've read all year, and while it would be a stretch to say that they had good intentions with every step, I think it is clear that they didn't really intend to end up where they did, but every individual step felt like a logical step forward.
233 - AI both is and isn't an existential threat
I don't think that AI is coming for your job, and I am on the doubting side that AI is going to rise up and pose a fundamental existential threat to humanity.
234 - Are you having a productive week?
Productivity is one of those mythical things that's almost impossible to measure for 99% of human endeavour.
235 - New year, new start
Welcome to the first newsletter of 2025, and apparently the 235th newsletter that I've written!
236 - Data lies beyond the organization's border
I start this week's newsletter with a mea culpa. Last week was of course not the first week of 2025, so I want to thank all of the people (and there were quite a few) who reached out to let me know that we have only just entered 2024! I always like to hear from people and I find it quite ironic that in a newsletter where I expressed that I liked to have my opinions challenged, I made such a simple error and so many people promptly challenged me on it!
237 - Who bears the burden of security?
There's a common view amongst security professionals that everything would be better if users just cared more about security.
238 - Living in the future is both bright and scary
We live in the future and we're going to have to accept it.
239 - How do we learn technical skills?
My background is long and deeply nerdy.
240 - Commoditisation of Capability
There's a concept that's been floating around for decades called the [commoditization of process](https://hbr.org/2005/06/the-coming-commoditization-of-processes) or commoditisation of capability.
241 - Protecting the edge
The edge of our systems is both the most vulnerable and the most critical part of our systems.
242 - Sitting on legacy dynamite
We all use the term "legacy" when talking about IT, but it's rare that organisations actually recognise the real risk that it poses.
243 - What is enterprise security compared to product security?
Some weeks I read a blogpost that just perfectly encapsulates a bunch of my own thoughts and things really crystallise together. This week was one of those for me.
244 - Curiosity killed the (backdoor) campaign
Jeff Moss spoke at Blackhat a few years back about ["superempowered individuals"](https://www.theregister.com/2022/05/12/jeff_moss_ukraine_cyber_governance/) - people who have more individual power than some nation states due to their combination of skills, placement and curiosity.
245 - Who is responsible for security?
I have just come back from a half week at the excellent London QCon conference, one of my first big conferences in about 5 years for a number of reasons.
246 - Walking the floor as a leader
After last week's newsletter, I was contacted by a few people to mention that the combination of pieces about "moving away from the shop floor" resonated quite strongly with them.
247 - Delivering what the users want
In Charles Arthur's book on cyber attacks, [Cyber Wars (amazon affiliate link)](https://amzn.to/3y5xxCv), Charles pointed out that the stock price of companies that suffered public breaches often dipped ever so slightly straight after an attack and then rebounded up. Consumers, it seems, didn't care whether their service providers were hacked or not, and in one case study, it was shown that only people who were considering leaving that quarter anyway actually left, and new customer signups continued at the normal pace, which, somewhat counter-intuitively, got rid of some of the more difficult customers and replaced them with loyal ones!
248 - On the subject of passwords
I hope you've all had a glorious week. The UK had the early May bank holiday weekend and I've had a delightful holiday with the return of the sunshine, so I didn't write an edition last weekend as I was enjoying a much needed break instead.
249 - We rely on people, but do we look after them?
Over a career spanning some 25 years, I've learned multiple programming languages, I've learned complex APIs, memory management techniques, implemented mathematical algorithms, led teams building systems at scale, and worked to defend systems from advanced cyber adversaries, and throughout all of that, the focus has almost relentlessly been on the technology and the platforms.
250 - Is this thing on?
Welcome to 2025, and the first newsletter in 7 months, and my 250th newsletter!
251 - It's not what you know, but who you know
Two sides of the same coin today, a reminder that who you know and how you interact with them is more important in many cases than the technical details.
252 - Keeping secrets secret
Our technical systems are filled with secrets, from passwords to API keys, or even just internal IP addresses if you listen to some slightly tiresome threat modelling aficionados.
253 - Here little phishy
Phishing remains one of the biggest problems for firms in 2025, and we don't seem to be doing the right things about it.
254 - The real AI risk? Bad code, not just bad actors
It's been quite a week and I was really hoping to not talk about DeepSeek at all this week, but it sits at a really interesting nexus of thoughts around vulnerabilities and AI that has been on my mind all week.
255 - Principles that underpin our security education
I constantly use the refrain "it’s not a technology problem, it’s a people problem" in lots of contexts.
256 - The AI Issue (again)
This is Cyberweekly 256, the first Cyberweekly whose issue number can’t be held in a single byte! So maybe I should say that it's Cyberweekly 0x0100.
257 - Focusing on the right things
I was struck over the last few weeks by how often we focus on the wrong things. The things that are exciting, interesting and appear in the media are often vastly disproportionate to the actual impact on the business.