Okta is responding to a public cybersecurity incident, what can we learn from how they handled communications?
CloudFlare launches a new API Gateway product, will it shake up the market?
Attackers can find your cloud misconfigurations with almost no effort, why can’t you?
Once you’ve aggregated all of your AWS Security Hub Findings, here’s one way to visualize and analyze them.
Are NFTs, Web3, and Blockchains useful? Or just hype?
Too much hype and money make NFTs a risky bet right now.
Two minutes of work can stop hackers cold in their tracks.
Bug bounties help bridge the gap between security researchers and companies.
The risks of smart contract bugs are quickly becoming apparent. They can cost millions.
Misconfigurations in Amazon S3 keep happening. Here’s why and how to stop them.
The NFT/Web3 world certainly is the wild west…and some projects are way, way more wild.
If you can’t read the code in a Web3 contract, do you really know what it’s going to do?
If a smart contract works as coded and the code is wrong, is the contract valid?
Anytime there’s a security issue, someone gets labelled a hacker. Is that the right term?
AWS Security Hub Findings are great, but they can be better. Here’s a simple pattern from the AWS team to enrich those findings automatically.
“Um” is not a great call to action, but sometimes it’s all you’ve got.
Can you—as a user—understand an app or service’s security posture? If so, how?
Should you be able to encrypt your communications? The debate is on…again
A lot of risk decisions are made in the dark…why?
How do we respond to risk? Do we have the data we need to make an informed decision?
It’s exciting building solutions with the latest frameworks and technology. Is that the best route to meet our goals? What ARE our goals?
When we talk about privacy, what are we really talking about? The formal definition of privacy is definitely outdated. What would a good definition …
If the goal of cybersecurity is to make sure that the system you are building works as intended and only as intended, what about stopping hackers?
Security and privacy are inextricably linked. Why aren’t they at the core of all technology?
The leadership session at AWS re:Invent provides a deeper dive into a specific area of focus. Stephen Schmidt, CISO at AWS, takes the stage to talk all …
Amazon Inspector first launched in 2015. Now in 2021, it’s re-launching with a brand new architecture and a host of new features.
AWS re-launches a dramatically improved Amazon Inspector, a software vulnerability discovery/management service.
Most security practices make the same set of mistakes when moving to the cloud. This talk looks at those mistakes and how to avoid them.
There are massive opportunities to advance your security practice as your business moves into the cloud. This talk provides a step-by-step approach …
DevSecOps is the latest in a long line of buzzwords. The core makes sense: work on security earlier. But why isn’t this everywhere? Here’s …
Passwords suck. Why are we forced to follow these weird rules? Do they really keep us safe? Here is a solid way to safely handle all of your …
Twitch has been hit by a major data breach. 165GB of critical information was leaked on 4chan. What will the impact be? Will this cause even more …
The Microsoft Edge browser team is conducting an experiment in an attempt to increase the cybersecurity of the browser and how it handles javascript. …
A new report from a United States Senate Committee gave 24 US departments and agencies an average grade of C- in cybersecurity. That’s not good.
The region of Lazio was hit by a ransomware attack and is struggling to recover from this attack on critical infrastructure. BlackMatter, a new …
EA got hacked and 780 GB of source code was stolen. The hackers attempted to extort EA and when they didn’t pay, the data was dumped online.
Twitter’s latest transparency report shows a low uptake for the multi-factor authentication feature. This is a great security control …
The Pegasus Project is a collaborative effort by a number of media and advocacy organizations around the world. With their work, they are shining a …
There are now 5 senior leaders in the US federal government with cybersecurity as their primary mandate. Is this going to be a problem?
Two new resources launched to help people understand the challenges associated with ransomware; StopRansomware.gov and RansomWhe.re
REvil has been one of the top ransomware groups for the past few months but they’re suddenly offline. No note, no warning, just gone.
Long after the headlines pass, victims of ransomware are left struggling to get back to “normal” operations. It’s a long, …
The out-of-band patch for PrintNightmare on Microsoft Windows doesn’t completely fix the issue. What are IT and security teams to do?
The REvil gang attacked Kaseya, an IT management platform, and that got them access to 800–1,500 more businesses without any additional effort setting …
Ransomware is absolutely everywhere. What is going on? Why is ransomware so effective? Is there anything we can do about it?
Criminals are using real apps they’ve made and a push to remove ads to harvest Facebook credentials in order to gain more personal information …
PrintNightmare is a high severity vulnerability that affects all versions of Windows and is being actively exploited…on a long weekend 😬
Microsoft Windows 11 will require a Trusted Platform Module (TPM) on all PCs. Will this long-needed requirement help or hinder?
Some WD My Book Live users had a shock this week as hackers remotely wiped their data. What can they do about it?
Apple is under fire on a number of fronts. The biggest issue this week is several bills introduced in the US. A key issue? The ability to …
A discussion about the evolution of security in the cloud. Security is now becoming a critical piece of a developer’s pipeline, what does that …
Celebrating three years of the CISO/Security Vendor Relationship Podcast
A purely digital RSAC 2021 kicks off looking back at a challenging year and to the challenges ahead for the security community.
In software, developers often don’t have a choice. Speed becomes a business imperative for survival and to stay competitive.
An all virtual RSAC 2021 kicked off today. What are the themes? What do we expect to see? This discussion on theCube has you covered.
AWS IAM has been going strong for 10 years! To celebrate the anniversary, this four part series by various AWS Heroes highlights some key features of …
I recently made a career move and it’s allowed me to re-double my efforts in the community. What do you want to learn about cloud and security?
iOS 14.5 introduces App Tracking Transparency or ATT. Here’s what it means to you.
No other technology revolution has induced more fear, uncertainty, and doubt for so long than the cloud. This post explores the “why” of …
Ubiquiti suffered a data breach and makes it worse by not communicating clearly with its customer base.
iOS 14.4.2 fixes a critical cybersecurity issue. Make sure to update now.
Setting up a new cloud account well is reasonably simple, but what about accounts that are already active? Here are some tips to add guardrails after the …
iOS 14.4.1 fixes a couple of critical cybersecurity issues. Make sure to update now.
Security and privacy are linked yet for some reason, you see privacy experts ignoring the impact of security and security experts who are unconcerned …
As you continually evolve your use of AWS products and services, it’s important to consider ways to improve your security posture and take advantage …
Passwords are the worst. Trying to pick a “secure” one makes the whole thing worse. Every site and service has its own variation on …
Apple recently launched macOS Big Sur and a security researcher’s post went viral highlighting a steady stream of communications that …
Ad-tech, digital marketing, and the surveillance economy are worth billions and billions of dollars. It all hinges on the ability to target ads and …
Epic Games is currently waging war on Apple and Google over the right to distribute apps to mobile users. There’s been a ton of excellent coverage …
The Canada Revenue Agency suffered a large breach exposing over 5,000 citizens to COVID-19 benefit fraud. This issue exposes some of the challenges of …
On July 15th, 2020, Twitter was hit with the most visible hack of a social network of all time. 130 of the top accounts tweeted out a bitcoin scam. A …
To make sure that systems work as intended and only as intended. That’s the goal of cybersecurity.
The President has promised to ban TikTok in the United States for national security reasons. Is that the case? Are there real security & privacy …
Video conferencing platform Zoom has been in the news almost constantly over the past few weeks. At first it was hailed as a tool to help reduce this …
Security is often spoken of in absolutes. Is this secure? Is that insecure? The reality is that security is a spectrum. It is a series of implicit and …
Technology is omnipresent in our lives. From the time you wake up and check the weather to the time your head hits the pillow, you will have spent at …
CBC’s Go Public pointed out the rising rates of e-transfer fraud and consumers are shocked. The expectation was that e-transfers were safe and …
Letting customers know about a security vulnerability is never an easy thing. From the logistics of it to the reputation management issues. But this …
Is application security (AppSec) dead? Did it ever really work? Let’s discuss…
Zoom.us had a pretty egregious security issue this week. Their response was poor despite the best efforts for responsible disclosure by the security …
Cybercriminals don’t always use complicated technical attacks to get around your cybersecurity. Sometimes—probably more often than we care to …
Huawei was recently put on the US Entity List from the US Department of Commerce. That essentially means that it needs a license to receive technology …
The NBA playoffs are in full swing and there’s a huge rules controversy around one superstar’s—James Harden—jump shot. Is it a foul? …
A recent report from the Canadian Commission for Complaints for Telecom-television Services (CCTS) saw a dramatic increase in complaints with billing …
A recent study by NCSU found that there are way more API keys and tokens uploaded to GitHub than previously thought. In fact, there’s almost a …
Google recently announced a new, all-in-the-cloud gaming service called Stadia. For gaming fans, there’s a lot of potential that—fingers …
A recent survey from RightScale showed a lot of confusion around cloud computing costs. The common takeaway? Organizations are surprised at how high …
If you were just starting to try and understand the cybersecurity problem space, a CEO or CIO working to better grasp the challenges facing your …
We rely on some digital services for critical functions around security and privacy. Trusting those services is paramount to their success and ours. …
There has been a significant increase in DNS hijacking attacks over the past couple of months…and why not? It’s a simple, direct way for …
Cybersecurity is a major topic when it comes to modern elections. With Canada probably going to the polls in the fall, discussion is heating up about …
Security research can be a tricky thing. Depending on where you are and what jurisdiction you fall under, the research you conduct may be illegal. …
GDPR has been in effect for a few months and we’re starting to see the first major rulings. Google was just hit with a 50m Euro fine for not …
Network security is struggling to keep up with the reality of how organizations are built and connected today. From hybrid networks (on-premises and in …
Security metrics are hard. But that doesn’t mean you should ignore them. In fact, a lot of teams are measuring the WRONG things which leads them …
Cyberattack attribution is HARD. But time and time again, we’re seeing attributions—who carried out the attack—made publicly with little to no …
Trust is a tricky thing. Dotto Tech posed a number of great questions about trust in business and online that got me thinking. Do you trust the …
During a large incident response, bringing everyone together to a “war room” can be the difference in a speedy recovery, but there are …
Google recently conducted a complete security & privacy review of various APIs associated with Google+. The result? The service is shutting down …
With the Bloomberg report on hardware hacking looking more in doubt, more and more politics are coming into play. Anytime you evaluate news, …
Bloomberg has an absolutely earth shattering report citing a hardware supply chain attack that—they say—impacted several big names. Here’s why …
Criminals are winning the battle against security practitioners. Need proof? Look no further than the new headlines in any given week.
Billions of …
October is National Cybersecurity Awareness Month (#NCSAM). Look for tons of great content online as the community comes together—globally, not just …
Security is a quality issue. Except we don’t treat it that way and that’s costing us dearly.
With the initial set of cybersecurity basics segments done, I think it’s worth moving to a “basics” basics series. The goal …
Built-in security is always best. That’s “security by design” but when that fails (due to mistakes, oversight, humans), built-in …
In your personal life you’re assessing risk constantly whether you know it or not. In the digital world the same thing happens BUT you probably …
Risk assessments are useful when kept in context and continually updated. A penetration test (or pen test) is when your system undergoes a …
Personally identifiable information (PII) and Personal Health Information (PHI) are critical concepts. They help identify information that needs …
Who did it? It’s a powerful question and the answer to “What is attack attribution?”
Authentication and authorization are two critical concepts that are intertwined. Understanding the difference and their purpose is key to …
Hackers and cybercriminals are all “malicious actors”. While you may not know who is attacking a system, having a better understanding of …
Malicious software (malware) is an umbrella term that covers a number of different types of software designed to do bad things…but those …
Encryption: what is it? Why does it work?
Perspective is a tricky thing…maybe the hardest aspect of cybersecurity
What is a password? Why do we use them? Why are they so frustrating? …some answers
Continuing the “basics” series, here’s an easy way to understand the terms: vulnerability, exploit, threat, and risk
The basics starts with understanding the goal of security. It sounds simple but the goal is to make sure whatever you build works as you …
A friend highlighted a real issue: there isn’t enough material about basic cybersecurity that’s easily relatable.
Connecting with others is critical but it can also pose a risk. It’s important not to “leak” information needlessly. This is a …
Security is there to ensure that the systems you build work only as intended. Part of that is realizing the potential for abuse and ensuring that the …
Getting your first cybersecurity role can be difficult. Is part of the problem how organizations are hiring talent?
Passwords are a horrible way to verify identities but they are the best thing we currently have that works at scale. Adding a 2nd factor to that …
You cannot stand at “Red Alert” 24/7 but that’s exactly what we do in cybersecurity…often without realizing it. What impact …
A common step when you’re trying to get started in a career in cybersecurity is getting a basic certification. What comes after?
If you’re working by hand, you’re failing. In today’s world of security, rapid delivery, and new technologies, automation is …
Getting your first job in cybersecurity can be super frustrating. How can we work through traditional HR processes to get started?
There’s only upside to collaborating more deeply with other teams in the org. So why doesn’t the security team get out there and do it?!?
We’ve spoken a lot about maintaining and expanding perspective when it comes to cybersecurity. In this episode, we dive in and highlight a methodology …
We trust the networks we connect to everyday but should we?
Tanacon 1.0 was an unmitigated disaster. Not only is this a reminder that physical security is critical but it’s an example of a failure to …
We (the IT community) don’t push for cultural change because it requires persistent and dedicated long term work. That runs counter to the usual …
How new technologies are used and built is really up to us. Regardless of your moral compass, it’s important that you discuss the creation & …
Getting started in cybersecurity can be hard. Sticking to core principles is critical as technology will change. But one of the hardest aspects to …
Cryptocurrency is a digital asset. As such, it’s a major target for cybercriminals. We’ve seen attack after attack in the past few months …
The DevOps movement is the single biggest opportunity security teams have had in a long time. The goal of DevOps is speed and innovation. That goal …
We know that cybersecurity isn’t the best name to describe what is ostensibly, “information security” but it’s the name …
Is it just attitude that keeps security teams from working well with the rest of the organization? And if so, can that attitude be changed? …
At some point in the past few years, the term “information security” took a back seat to “cybersecurity”. Does it matter? Why?
Most of the focus around cybersecurity education is on the technical aspects. Is that the right approach?
I am often asked what a good undergraduate program is to take if someone is aiming for a career in cybersecurity. There are plenty of fantastic …
GDPR comes into effect tomorrow and one of its biggest advantages is how it will force companies to actually manage their data…well at …
GDPR is now the law of the land in the EU. Did everything change overnight?
Apparently the FBI misrepresented the number of devices they can’t access due to encryption by up to a factor of 6x. This is most likely due to …
GDPR comes into effect on Friday, 25-May. What does it mean globally? Um…we’re not really sure.
Listening to customers is built into the DNA of a lot of organizations…why aren’t security teams doing the same?
Deep thoughts in this episode around ethics in technology and their use. Sparked by the latest issues around mobile phone tracking, this episode …
How can you create a break for yourself to get started on a cybersecurity career path? A few thoughts…
Getting started in cybersecurity isn’t as hard as you think. There’s no “ONE” path but there are a few key attributes …
There have been a lot of advancements in AI research and use lately, but are we moving in the right direction? Are we having the right conversations …
In this episode, I speak to the challenges around today’s cybersecurity and what that means for those just starting down the cybersecurity path.
Passwords are the worst. Just the worst.
Passwords are the best of a mountain of bad solutions. Picking a strong password lies at the intersection of math (yay!) and …
Gmail just launched a nice, new redesigned UI. It’s slick and has some great new features. One feature, “Confidential Mode”, is …
Can new technology solve everything? We in the security community need to spend more time investing in people and process.
Is IP blocking still effective? Is it a sledge hammer when you really need a scalpel?
Cybersecurity is often positioned from the negative. There are bad things coming to get you! What a waste of energy…
Encryption on mobile devices is a challenge for law enforcement. 3rd party companies often use hacks in their products to address this need. Is it …
It’s often stated that you have to trade usability for security. I call 💩
CPU Vulnerabilities Seem Like A Massive Problem. Are they deserving of the hype?
One of the biggest challenges in cybersecurity today is the tendency to secure components instead of the larger system. It’s understandable but …
SXSW, Canadian budget, Apple, and more
Security awareness is next to useless. Educate users instead
Good data drives good decisions. This is a major problem in cybersecurity where the data simply isn’t available or accurate.
Ransomware is the scourge of the digital world. Cybercriminals are making money hand over fist. What can you do to protect yourself?
When you hide a message inside of another message, it’s called steganography. While you might not have known its name, this technique has a long and …
Great content from @marknca
Why do all incident response communications from customers feel the same? Why do they all miss the mark? How hard is it to do better?
Shellshock is a surprising bug. Hidden for decades, what do you need to know to help your organization respond?
A summary of the D.C. Metro Cyber Security Summit 2014.
Cloud computing is more than just fast self-service of virtual infrastructure. Developers and admins are looking for ways to provision and manage at …
If you strip away a lot of security terminology, it’s really about understanding what’s going on. If you want to slap a fancy term back on, …
As AWS opened their summit series for 2014, 5000+ people packed into the Moscone Center. There was a ton of energy in the air and I got to talk about …
What does a modern security practice look like in the cloud? How does each of the areas change?
Forensics is an area that’s often lacking in corporate environments. Few people have time to truly dig into an incident after it’s been …
Network security monitoring is changing dramatically in the cloud as more and more responsibilities are shifted to the Cloud Service Provider. How …
Incident response is often overlooked by everyone outside of the security team. In the cloud, automation and cooperation reign supreme.
The cloud is a fantastic opportunity to improve your security posture…but only if you update how you handle operations.
The cloud security discussion has changed from ‘should we’ to ‘how do we’. Here are the top issues you should be tackling.
When speaking to security issues in the media, what’s the right level of technical depth?
This post provides information that is designed to help you defend against phishing, spear phishing, and whaling attacks. Exploring the reasons for …