
How security theater misses critical gaps in attack surface and what to do about it

The classic 'security theatre' (yes, UK spelling) can be seen any day at an airport near you. Most of what you see makes little difference to your safety but is designed to reassure travellers. I've had discussions with CISOs who want tools that show how 'compliant' they are in reports to the board. While I've come at the problem in terms of IT asset management, particularly discovery of unknown or misconfigured assets, they've often been looking instead for platforms that measure...

How to Get an IT Security Job: 3 Hot Skill Sets

I've got a different take on the skills required for information security: (1) Curiosity, (2) Ingestion and analysis, (3) Teamwork. Because of (2) I'd probably favour physics graduates over CompSci, but the curiosity gene trumps formal education, and if they can't communicate in a team then their genius will go largely unused. Given that cyber security is ever-changing, the ability to keep up with and then get ahead of what's happening now is more important than the ability to ...

Statement in response to exam results

The 'exam' results saga is now so highly politicised that the ICO should involve themselves only if there is something seriously illegal...: An ICO spokesperson said: “We understand how important A-level results and other qualifications are to students across the country. When so much is at stake, it’s especially important that their personal data is used fairly and transparently. We have been engaging with Ofqual to understand how it has responded to the exceptional circ

Securing human resources from cyber attack

I see 'use a VPN' advice being handed out every time remote working is being discussed. To save overwhelming your data centre internet connections, let me modify that advice: 'For cloud services (e.g. 365, Google Apps...), point your end users directly at the service provider. Use a VPN for services that can only be serviced from your own data centre'...: [...] In today’s world, HR users working from somewhere other than the office is not unusual. With this freedom comes the

China is targeting US election infrastructure with cyber attacks because ‘they want to see Trump …

If I were a nation state looking to ferment chaos in the USA, which candidate would I attempt to back?...: Chinese government-linked hackers have been targeting U.S. election infrastructure ahead of the 2020 presidential election, White House National Security Adviser Robert O'Brien warned on Sunday. O'Brien's comments appeared to go beyond a statement released on Friday by the Office of the Director of National Intelligence which said China 'has been expanding its influe...

Redcar Council suffered £10.14m loss due to February ransomware attack

It must be comforting for the ratepayers of Redcar to know that their council's network met the standards of the PSN. Ticking the box is not the same as taking cyber security seriously...: In a budget update report published 4th August, the Redcar council cabinet stated that the ransomware attack resulted in "total forecast impact of £10.144 million", adding that it is still relatively difficult to determine what the ultimate impacts of this unprecedented incident will be ev

Demon sperm, tech overlords and ripped pensioners

The best headline of the week award goes to...: Welcome to Declassified, a weekly column looking at the lighter side of politics. If you’re anything like me, you saw the words “Demon Sperm” trending on social media and assumed that a terrible heavy metal band had held an anti-lockdown concert at which there were multiple fatalities. Alas, the truth was far worse. You’ll likely now be familiar with the, er, work of Dr. Stella Immanuel, who stood on the steps of the U

Beyond the padlock: Essential steps for protecting websites

Articles like this on Security Magazine perpetuate the view that you solve cyber security by buying technology. Wrong, wrong, wrong. Ask any organisation that has to manage dozens or even hundreds of different tools and they'll tell you how difficult it is to maintain effective security controls in complex environments. I've been promoting a 5-step approach that starts with asset identification and threat modelling, not with tool selection: ...

Leadership In Cyber Security: Who Takes Responsibility? – Analysis

Here's a challenging suggestion: the current global approach to cyber security clearly isn't working so outsource it to Singapore?...: [...] But who should take responsibility for leadership in cyber security? Perhaps, a country like Singapore that has invested heavily in cyber research and capacity development, should take the helm. In fact, Singapore features as the top-ranking country in the UN Global Security Index for commitment in cyber. Hence, at a time like this when

Why every CIO should retire their VPNs

I'm going to agree with the thrust of this article, but with more of a focus on the operational realities of VPNs. As a telco, I've been a provider of secure remote access, authentication, and secure gateway services to large enterprises. From a security provider perspective, the debate was always around the termination point of the VPN: 'inside', 'outside', or on a dedicated DMZ. There's no perfect answer and the decision gets more complex when you factor in mobile applicati...