Security Blog
-
Password weakness
In the xkcd comic on password strength, Randall Munroe triggers a discussion on the effectiveness of password algorithms. While he raises valid points, the real risk lies in password reuse and breaches. Moving away from passwords and exploring alternatives like SSL certificates or one-time passwords may be a more promising approach.
-
How certificates go bad
The recent Comodo sub-CA bogus certificate issuance has sparked a loud discussion in the security community. This incident highlights the flaws in the SSL certificate authority (CA) model. Trusting numerous CAs globally creates vulnerability, and compromised registration authorities (RAs) can issue certificates for any domain. Incident response and transparency are crucial, but incidents like this…
-
Architecting for DDoS -Defense
Designing a robust DDoS mitigation strategy requires understanding potential failures and the efficiency of attacks. While increasing capacity can be a simple solution, it’s crucial to push functionality to the edge, prioritize user authentication, employ caching techniques, and store user-generated content. Instead of focusing on recovery time, design for a Minimum Uninterrupted Service Target to…
-
Awareness Training
Implementing a robust security awareness program is not difficult if your company prioritizes security. However, if security is not a concern, you have a significant problem. Many programs focus on meeting auditor requirements with annual training sessions and policy acknowledgments. While these are necessary, a comprehensive program integrates security into various activities and encourages employees…
-
NSEC3: Is the glass half full or half empty?
NSEC3 is a DNSSEC specification that addresses the issue of authenticated denial of existence in DNS. It replaces the NSEC method by using a hashing function and signed hash ranges to prevent easy collection of zone file contents. While NSEC3 improves secrecy, it raises questions about the need for semi-secret public DNS names and suggests…
-
Contracting the Common Cloud
After attending CSO Perspectives, Bill Brenner has some observations on contract negotiations with SaaS vendors. While his panel demonstrated a breadth of customer experience, it was, unfortunately, lacking in a critical perspective: that of a cloud provider. Much of the point of SaaS, or any cloud service, in the economy of scale you get; not just in…
-
The Adaptive Persistent Threat
Much ado has been made of the “Advanced Persistent Threat”. Unfortunately, pundits look at the ease of some of the attacks, and get hung up on the keyword, “Advanced.” How do we know the adversary is so advanced, if he can succeed using such trivial attacks? The relative skill of the adversary is actually uninteresting;…
-
Why is PCI so successful?
At the RSA Conference, participating in a panel discussion on the PCI Data Security Standard, it was evident that PCI has significantly impacted the industry. The standard’s simplicity, broad applicability, and narrow focus on protecting specific data have improved security more than any other standard. It serves as a model for future compliance standards.
-
Why don’t websites default to SSL/TLS?
HTTP is designed for web administrators to host multiple sites on fewer systems, while HTTPS (SSL/TLS) focuses on security-conscious users. SSL’s design creates scalability issues, although solutions like wildcard and SAN certificates, as well as SNI, aim to mitigate them, pending widespread SNI support.
-
Modeling Imperfect Adversaries
Brian Sniffen’s paper at FAST highlights the importance of understanding adversaries in risk assessment, particularly in the streaming media space. It explores concepts like defense in breadth and tag-limited adversaries, emphasizing the need to consider different capabilities and attack strategies when formulating security frameworks. His work provides valuable insights into the evolving landscape of streaming…
Leadership Newsletter
-
One company’s successful approach to gender balance
In an industry where 10-15% of staff are women, the InfoSec team at Akamai—a cybersecurity, content-delivery network and cloud-service provider—is now 40% women. Driving that change—from 28% two years ago—took only a few, simple practices that might work in many other organizations. We drove those changes in partnership between the talent-acquisition team and the hiring managers;… Read this …
-
Unsolicited Advice on Self Improvement
Some thoughts on advice about guiding others’ self-improvement. Often, advice comes in the form of “If you do X, Y will happen.” It’s worth unpacking that. What “If you do X, Y will happen” often really means is, “For some group, which I think is large and I believe you are in, doing X will increase… Read this …
-
Vendor Rebuf
The cybersecurity industry consists of numerous companies seeking appointments, and if I were to entertain each request, I would have no time left for my responsibilities at Akamai, which involve making informed risk decisions. To streamline the process, I have created this form response to minimize the effort and cost of reaching a “no” response.… Read this …
Fiction
-
Skeleton
A necromancer and an Olympic event [Read the story]
-
Albus Dumbledore and the Rituals of Immortality
The words that didn’t make the Harry Potter septology that fill in the blanks for what’s really going on. [Read the story]