What is the misunderstood, unloved, and overly complicated security technology that underpins most modern digital solutions? #PKI. Public Key Infrastructure. It’s where my career in security began. Digital #certificates protect so many things we use. From this website you’re visiting (check the 🔒 icon on your address bar to be sure), to your ability to use your LinkedIn login to federate to other sites, to the authenticity of the patch just applied to update your browser… And it’s just scratching the surface. PKI has gone from #security technology to #infrastructure. And if you are a user of Microsoft Teams, today you may have seen a failure of that infrastructure. Microsoft Teams, like many modern solutions, has a separate front-end and back-end, connected through an #API. And[…]

Cyber security is a hot area for #startups. Just in the greater DC metro, there are 3 incubators that focus on cyber security, many startups, and many more in the orbit – from funds to investors to advisors. A walk around the RSA or Black Hat expo floors will show you a lot of money is being spent to create some of the next big things. Some are new takes on existing products. Many are hyper-specialized solutions trying to fill a need that only exists for a few with *very* deep pockets. Very few are truly #innovative. As is typical with startups, #cybersecurity startups have a low success rate. This weekend Synopsys acquired Tinfoil Security. The dollar value was so low that Synopsys stated the[…]

Tomorrow is the first day of 2020. Not just a new year, but a phrase we use to describe perfect vision. What are you going to do in #2020 so that when you look back on it, it will be as if you had 20/20 vision? My recommendation is to work toward being more #proactive. The best approach to health is to see your doctor regularly, get annual physicals, and have open and regular communication. Follow their advice to eat healthy and exercise more. You don’t want to end up in the emergency room with a serious illness or injury. The same is true for your #digital health. Consult your #security professional, have open and regular communication. Take the steps they recommend to make positive[…]

I often talk about #experience and #security. I don’t see them as mutually exclusive; you can have both a great experience and strong security. People are making a different trade-off on a regular basis and aren’t considering the ramifications. I’m speaking about #privacy vs. #convenience. The explosion of smartphones and apps has afforded us tremendous convenience. Much of that comes at a price – reducing our privacy. Yes, it’s convenient to get deals at your favorite store, or be alerted to changing traffic or weather conditions, or get alerted to sports updates in real time. To deliver these services, the applications require information about you: what stores you like, where you are, where you live and work, what your favorite teams are. Most have very little regard[…]

I often tell people that #security is not a thing you can buy. It’s a feeling. You do something and it makes you feel secure. Businesses spend a lot of money on products in the top-right of a #Gartner magic quadrant to feel better. They see “improve security” as a goal, and equate spending on the tool with accomplishment of that goal. No tool is a silver bullet; it won’t prevent every imaginable risk. You find a gap, and it makes you feel insecure. Next year you budget for a tool that fills that gap. And that tool has a gap, and you repeat the process every year. The spending spins out of control… and you’re no closer to that feeling of security. An[…]

In April 2014, CVE-2014-0160 was released, better known as the Heartbleed bug. Heartbleed is devastating – it can reveal sensitive information not just of the user, but anything in the memory of the affected process. In practice it has been used to extract private keys for TLS/SSL certificates. These stolen private keys can then be used to impersonate a legitimate website for the purposes of stealing credentials, performing phishing attacks, and other malicious activity. It is hard to overstate the potential damage that Heartbleed could create. When Heartbleed was first released, Robert Graham scanned 28 million machines across the Internet, and found over 615,000 of them were vulnerable to Heartbleed. As soon as the vulnerability was disclosed, web hosting providers, commercial software vendors, and even[…]