Strategy

When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.

The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.

When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.

Guides

Service Security Architecture and Assurance

Have you every tried to understand the risk level of a service? Ever wanted to provide assurance to someone that “it’s been well designed, is secure from common threats, likely risk scenarios and is securely operated” etc.? have you ever tried to conduct testing against a service that is relatively unknown? Ever needed to actually do more than throw some packets at the front door? Guess what, I have. Most orgs don’t have a decent level of documentation on service architecture and security controls. And as the NSA nicely put, the way they get into networks is to know them better than you do! So in my travels I see lots of different orgs and largely there’s one common similarity, most of them aren’t well documented (docs are boring right!) and if we then make another huge sweeping generalisation, about 90% of orgs have security postures you wouldn’t want to have to defend as a blue teamer, but you might fancy if you were a nation state actor or cyber criminal!

Leadership

Red Team Readiness Assessment

I am seeing lots of “debate” about the value in red teaming, so I thought I would put together my thought process of how I look at as a broad stroke when I consider a generic starting position in an organisation. When I’m defending a business, I tend to ask myself (and the team/customers etc.) these kind of questions (they are not exhaustive):

Education

Stop rushing for “the solution”!

Before you start solutioning

Everyone these days seems to rush towards “the solution”, well as someone who now has few years under their belt, I’d advise people slow down a little and think about their business requirements, outcomes, current state, and constraints. Significantly as well think about how a service will run over a period, not just how to buy it and “fling it into production”.

Architecture

The difference between what can be vs what often…

I’ve travelled all over the internet, I’ve worked with logs of organisations from banks through to small ISVs and one thing I would say is fairly universally true. What can be isn’t what is.

There’s a lot of different operating models and technologies in the world. There’s logs of differen’t specifics. This diagram here is not mean’t as a refrence architecture but more as an indicator.

There is also a massive reality people must understand, cyber good most definatley costs more at the point of deployment than cyber bad. Cyber bad’s ROI is truly variable and in mind mind is too hard to measure. For one org with cyber bad can experiance a significant breach (and cost) and another may have lady luck on their side.

Defense

Cloud Security – 26 Foundational Security Practises and Capabilities…

That is quite the catchy title don’t you agree? Ok so that needs some work and when we think about cloud security, we need to realise that Computing as a Service isn’t a silver bullet.

One Cloud to Rule them all and in the darkness bind them

Ok so the cloud was promised as the saviour of IT and Cyber security but the promise vs the reality. Well, let’s be frank, they don’t really match up. But have no fear – secure cloud design is here (omg cringe)! Ok now we have that out of my system let’s look at some basic cloud security considerations to make when thinking about cloud services.

Checklist

Ok so the world doesn’t work with a checklist however, if you are like me you will want to use lists and aides to jog the little grey cells into action. Let’s think about cloud services and security: Read more “Cloud Security – 26 Foundational Security Practises and Capabilities Checklist” →

Guides

Cyber Security Design Review

Purpose

To conduct a solution review we need to consider multiple perspectives. Cyber security can be described as (from the NCSC):

“Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”

Cyber Security is concerned with risks, threats, vulnerabilities, and controls. This really means the breadth and depth of cyber security is vastly wide and terribly deep. Read more “Cyber Security Design Review” →

Leadership

Cyber Security Architecture

I remember (now it was a long time ago) when I worked in a support role and my dream job was being a technical architect, back in the warm and fuzzy days of no host-based firewalls, IPsec being something only MCPs knew about other than the networking team and when cybercrime was a shadow of how it is today.

It wasn’t until I had a few more notches under my belt when I realised that architecture in technology has different viewpoints, not only that but even the industry can’t agree on what things are or are not. That aside the reality is, is that architecture has different domains, specialisms, views, and viewpoints. I often find myself working across a whole range of areas, that is driven largely by specific customer requirements and scenarios (this is why I have a cool lab and lots of kit!)

When we consider a business technology system it has risk and by nature cyber security in that view. To think of this not being the case would be odd because ultimately “business” is the highest abstraction, and let’s think about what makes up a business: Read more “Cyber Security Architecture” →

Leadership

Measuring Cyber Defence Success

What does “good” cyber security look like? Sure, we can run a maturity assessment and see what good indicators are and we can create a baseline of our current state to establish where we are and what gaps we have (honestly in real terms this isn’t something to consider you should be doing this!) but how do we measure success in cyber security? Is every success an invisible outcome? Because one question that often comes to mind here is, just because we don’t see something, does that mean everything is ok? In the fast-paced world of cyber security, measuring success isn’t as easy as you would think. I’ll give an example of this, let’s say we don’t monitor, we get breached, but the threat actor just performs crypto mining (let’s say this is on premises) and we never really notice in the grand scheme of the world that our energy consumption costs have increased, if we didn’t know this had occurred, we might think our security is good. Read more “Measuring Cyber Defence Success” →

Defense

Cyber Security Assesments for Normal People

Ok so you might think I’m mad with the title but bear with me!

So, the world is in an interesting place, we’ve got a pandemic, we’ve got prolific cyber crime and we have all kinds of different views on how we should tackle this problem.

Now I love a framework and there’s ton’s of them. But the truth is they are complex, detailed, nuanced and generally require a level of nerd that a lot of organistaions do not have.

In 2020 during the pandemic I decided to try and write something to simplify this position, whilst I didn’t want to be too narrow, I wanted to try and capture the breadth of cyber security that is relevent to the general purpose organistaion. I came up with a set of 140 questions which I believe are a good take on things to consider and ask when conducting a security review at a high level. (yes 140 questions is a high level view, this stuff is complex as hell at the detailed end of things, and the devil is in the detail).