Uncategorized

Living with your password strength head in the sand

Password audits, if you ask some security pros you will hear a million reasons why you would be insane to do them… ask me however and the answer is more nuanced. They are activities that must be handled with the upmost care, however…. they (in my experience) have been incredibly useful to help improve security postures and to enable organisations to understand risk! You are of course free to ignore what I think and live like an ostrich (or it really might not be suitable for your environment). I’m not going to talk about how to do a password audit today, I’m also not going to advise in this post on sourcing strategy (you may want to do in house or you might want to outsource, after all, you normally put all your hashes in someone else’s computer when you use cloud right!?), anyway enough rambling, year ago the NCSC UK did some password auditing research (it was good work – Spray you, spray me: defending against password spraying… – NCSC.GOV.UK) and now the DOI have also done similar, check out the report In the link below:

Read more “Living with your password strength head in the sand”
Leadership

Current State Cyber Challenges and why communication is important

Currently I’d list some of the major challenges we face as a civilisation as the following (clearly not exhaustive etc.)

  • The general population largely don’t understand cyber
  • Lots of people think there is nothing they can really do
  • People have shockingly bad personal cyber security
  • A large number of organisations have shockingly poor cyber security postures
  • People’s passwords are often ridiculously weak
  • People re-use passwords all the time
  • People seem to believe we have “magic nation state cyber shields”
  • Organisation’s largely do not invest adequately in cyber security
Read more “Current State Cyber Challenges and why communication is important”
Leadership

The Cyber Acid Test

I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios.  The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.

Conversely there are a range of common challenges I find in almost every org:

Read more “The Cyber Acid Test”
Threat Intel

LastPass Breach – The danger of metadata

When an organisation suffers a data breach it’s usually bad. When an organisation that stores 25 million people’s passwords that’s really bad.

There are multiple risks here at play.

Firstly, when we give people our data, it’s our risk and our choice. I’m ok with that, I chose to give lastPass my data.

My vault data might be gone, but I have a strong master password, how we interpreted the theft of the basically cryptographic materials is a bit like when we full disk encrypt a drive.

If you lose a laptop that’s got FDE do you report this as a data loss to the ICO? Or do you say, it’s encrypted so actually I haven’t lost the data per say, I’ve just lost a random (ish) bunch of 0s an 1s so I don’t count that as an incident? I’m not here to be judge or jury.

Read more “LastPass Breach – The danger of metadata”
Leadership

What is a “Winning Cyber Security Strategy”?

A winning cyber security strategy should have several key components.

First, it should involve a thorough assessment of your organization’s current security posture, including identifying any potential vulnerabilities or weaknesses. This assessment should be ongoing, with regular updates to ensure that your security measures are keeping pace with the evolving threat landscape.

Read more “What is a “Winning Cyber Security Strategy”?”
Copyright (c) Xservus Limited