Security Blog
-
Virtual Patching
Virtual patching, adding rules to a WAF to filter out traffic exploiting known vulnerabilities, is beneficial. While it shortens the mitigation window, the real debate lies in managing the underlying vulnerability. Some argue for fixing the specific vulnerability, while others advocate fixing the entire category of vulnerabilities for long-term benefits.
-
DDoS Thoughts
DDoS attack efficiency is typically measured in bits-per-second ratios. To extend this measurement, we can use “flits per second” to gauge cost and impact. Reducing attack ratios and increasing client costs are key defensive strategies. Traffic filtering and capacity increases offer potential solutions.
-
Compliance, Security, and the relations therein
As an amateur hairdresser, I’ve learned that just like the diverse disciplines within information security, there are countless techniques and specialties in hairstyling. It reminds me to approach other professionals with humility, acknowledging their expertise in their respective fields. We all have valuable knowledge to contribute.
-
Security and hairdressing
Being an amateur hairdresser has taught me a valuable lesson about the diverse disciplines within information security. Just like braiding hair, where I’ve only scratched the surface, I’ve realized that I may only know bits and pieces about the various security specialties. It’s important to approach other professionals with humility, recognizing their expertise in their…
-
The Problem with Password Unmasking
There is a disagreement regarding whether passwords should be shown in clear text or masked while being typed. One perspective argues that password masking reduces usability and offers limited protection against snoopers. However, the opposing view emphasizes the importance of security and raises questions about the effectiveness of unmasking passwords. The ultimate solution lies in…
-
Sanitization vs. crypto
Bruce Schneier disagrees with NIST’s stance on encryption as a means of sanitization. He argues that properly implemented encryption, with secure key management, can effectively sanitize data. While NIST has removed the paragraph, Schneier acknowledges the numerous qualifications required for encryption to be fully secure, suggesting that sanitization should still be performed when possible.
-
Security and Obscurity
The mantra “Security through obscurity is no security at all” originated from concerns about proprietary cryptographic algorithms. However, in the context of security systems and architectures, obscurity plays a crucial role. No system is perfectly secure, so a good security professional aims to reduce vulnerabilities and make exploitation costly. Layered security and maintaining architectural details…
-
Social Engineering Self-training
In contrast to traditional security systems, social engineering has an interesting advantage: the more unsuccessful attempts made to deceive someone, the better prepared they become to resist future attacks. Each failed social engineering attempt serves as valuable training for the target, enhancing their defenses.
-
Phishing
While we prioritize phishing prevention in banking, other sites like LinkedIn may become targets for identity thieves. The ease of phishing login information and the potential to exploit trust within a professional network highlight the need for heightened vigilance beyond banking. Personal experiences remind us to be more cautious.
-
Invisibility Cloak
As the possibility of invisibility draws nearer, its potential implications become apparent. Scary applications include concealed weapons, bombs, and potential traffic hazards. However, in the cool category, it opens doors for urban renewal, architectural innovations, and even portable privacy umbrellas, although such technologies may also have concerning uses.
Leadership Newsletter
-
Walk in their shoes
Leadership Moment: When adversaries pray together It’s probably no secret to many of you that I love the game of football. The Women’s Football Alliance recently started its 2023 season, with the defending champion Boston Renegades taking on the D.C. Divas this weekend. The game got very chippy at times, with a Divas player being… Read this …
-
Hop onboard!
Leadership Moment: Helping the newcomers In Matt Johansen’s Vulnerable U newsletter, he provides guidance for newcomers to and industry (in this case, security) on dealing with some of the biggest challenges they’ll face, which mostly organize around “you’re new here, and we use words in surprising ways”. Matt focuses on what a newcomer can do… Read this …
-
Kindle a light, not a bonfire
Leadership Moment: Spotting burnout A quick-read article on HBR covers burnout, when chronic stress creates a sort of perpetual exhaustion, and spotlights six categories of stress: workload, values, reward, control, fairness, and community. While I haven’t yet read the source book (The Burnout Challenge: Managing People’s Relationships with Their Jobs), I’d likely place “control” as… Read this …
Fiction
-
Skeleton
A necromancer and an Olympic event [Read the story]
-
Albus Dumbledore and the Rituals of Immortality
The words that didn’t make the Harry Potter septology that fill in the blanks for what’s really going on. [Read the story]