Tag: education

Guides

Reporting an email as phishing in Office 365 with…

Did you ever just ignore or delete a phishing email? I mean that’s great in one sense that you won’t have any negative impact. But if the email did get past the mail security filters, you can report it using the “Mark as phishing” option.

What if as well you wanted to not only enable users to report but also pass the intelligence onto the NCSC Suspicious Email Reporting Service (SERS)? How cool would that be! Well, have no fear people, we are going to show you how easy this stuff is to deploy and configure. Read more “Reporting an email as phishing in Office 365 with NCSC SERS”

Leadership

The problem with gatekeeping in the cyber security industry

Stark Realities

Imagine having an industry where you can’t be in it without already being an expert in all fields, imagine having to be able to command policy and drive strategy but not having anyone having ever helped you learn how to do this, imagine that if you did all the activities involved with secure service and yet people say you aren’t part of the industry because your job title doesn’t have the word “security” in it and imagine if that you are told you aren’t part of the cyber security industry because you also have to worry about budgets, sales, marketing, new business initiatives, IT services and well anything else!

What would happen if we had this as our cyber security industry principles… well that’s simple?

Read more “The problem with gatekeeping in the cyber security industry”

Leadership

The Art of Cyber

Cyber Security is an intersection of different activities, processes and capabilities. It uses skills from multiple traditional roles. As such the definition of it, often seems to lie in the reader. I did a poll the other day on twitter where ~30% of people thought a scenario I described wasn’t cyber because basically an “IT” person did the activity or they made assumptions that the IT person was told to do it (they were not). This led me to try and describe what Cyber means to me:

Read more “The Art of Cyber”
Guides

mRr3b00ts Pentest Plus Study Notebook

I created a PDF notebook a while ago when I decided on a whim to to the Pentest+. I have quite a few people ask me about getting into cyber security and well, you know when I was younger this stuff was just called IT mainly (IT + Infosec) so I thought let’s go test out the Pentest+. I did the course and exam in a week (whilst writing the notebook) (don’t think that’s a good idea but my objectives were more to make sure if I think it’s any good or not). Pleased to say I thought the course was good (I used pluralsight at 1.x speed) and the exam was fun (for an exam).

Hopefully this helps people explore the some of the world of offensive security and appsec. Read more “mRr3b00ts Pentest Plus Study Notebook”

Defense

Can Cyber Deception be used as a force for…

Scams, Disinformation & Supply Chain Compromise

Now this might come to a shock to some of you but I’m not actually (as my LinkedIn profile currently says) Tony Stark! I know, shocking but it’s true. Why I’m experimenting with this will hopefully be apparent after reading this post (although this isn’t an explanation specifically). What I’m looking at is how deception is used from a range of perspectives from marketing, cybercrime and how we can use deception in a positive way, to actively defend ourselves from the cyber criminals! Read more “Can Cyber Deception be used as a force for good?”

Defense

Cloud Security – 26 Foundational Security Practises and Capabilities…

That is quite the catchy title don’t you agree? Ok so that needs some work and when we think about cloud security, we need to realise that Computing as a Service isn’t a silver bullet.

One Cloud to Rule them all and in the darkness bind them

Ok so the cloud was promised as the saviour of IT and Cyber security but the promise vs the reality. Well, let’s be frank, they don’t really match up. But have no fear – secure cloud design is here (omg cringe)! Ok now we have that out of my system let’s look at some basic cloud security considerations to make when thinking about cloud services.

Checklist

Ok so the world doesn’t work with a checklist however, if you are like me you will want to use lists and aides to jog the little grey cells into action. Let’s think about cloud services and security: Read more “Cloud Security – 26 Foundational Security Practises and Capabilities Checklist”

Defense

Defending against authentication attacks

Ok so my most popular blog on pwndefend is about using Hydra… so I guess that’s all the goodies using it for good things, right? Probably not but it does help people understand the weaknesses of single factor authentication systems without supplementary controls.

So, let’s look at authentication defences, but let’s do this from an attacker perspective! (The opposite of what helps an attacker usually helps defend). Crazy madness right, let’s get to it!

Foundations of Sand

Ok so authentication is a key security control in computer systems. To understand the challenge around authentication and think it’s all a technical problem is to error.

See most modern computer systems require at least two things to authenticate:

  • A Username
  • A Password

Read more “Defending against authentication attacks”

Defense

Cyber Security Tips – Keeping your digital self, safe!

Not even most of my digital life is in the enterprise security space, whilst this is great if you have access to technology budgets, security specialists and modern business class solutions, this doesn’t really fit into the general populations landscape of technology. I thought I’d take a high-level exploration of what digital security looks for people who aren’t security nerds! This is a bit of an experiment for me as it’s a journey into a world where although some things apply to me (obviously I’m human), some of this from a thinking/blogging point of view aren’t my comfort space. So, let’s see what a world outside of being a nerd look like!

Commons Risks

I’m thinking the risk landscape is still broad however when we think about risks, I reckon a general view model may look at some of the following scenarios:

  • Fraud/Scams
  • Sextortion
  • Phishing
  • Social Media Account Takeover
  • Device Theft
  • Device Loss
  • Equipment Failure/Data Loss
  • Threat from known individuals with physical access
  • Human Error

Read more “Cyber Security Tips – Keeping your digital self, safe!”

Guides

Cyber Security Design Review

Purpose

To conduct a solution review we need to consider multiple perspectives. Cyber security can be described as (from the NCSC):

“Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”

Cyber Security is concerned with risks, threats, vulnerabilities, and controls. This really means the breadth and depth of cyber security is vastly wide and terribly deep. Read more “Cyber Security Design Review”

Defense

Risk management is easy! Isn’t it?

Information security theory and practises use a commonly understood and simple range of tools, methods, and practises to help organisations understand their risk portfolio and to enable them to make both strategic and tactical investment decisions….

Ok someone pinch me. this simply isn’t the reality I see on the ground. The theory is vast, complex and there are a multitude of good/best/insert phrase frameworks and tools that you can leverage to map, model, and communicate risks, vulnerabilities, controls, threats etc.

I’m not going to do a detailed analysis and comparison of different models here, but I am going to at least give people a view of some of the tools and frameworks that you can and may likely experience in the cyber security world. Read more “Risk management is easy! Isn’t it?”