security

We have a cybersecurity talent shortage. You know it, and I know it. But part of the problem is self-inflicted. We don’t know how to interview.

A common complaint about security professionals is that we’re all smug know-it-alls. We have that reputation because that’s precisely the kind of person our interview process is designed to find. We won’t solve the cybersecurity talent shortage and our people skills problem until we get beyond looking for people who can pass CISSP in a suit.

Read more

What is fuzzing? Fuzz testing, or fuzzing, is a concept in computer security. Like the name suggests, it’s the practice of sending messed-up data to a system to see how it behaves. A good computer system should handle fuzzing gracefully. As you might guess, not all do.

When a computer receives data it doesn’t expect, it may malfunction in unpredictable ways. Fuzzing attempts to find those malfunctions.

Read more

Authenticated vulnerability scans are usually better than unauthenticated scans. But sometimes there are valid reasons for running unauthenticated vulnerability scans. Here are some reasons you might want to do that.

The main reason to run unauthenticated vulnerability scans is to limit the information you share with people outside your organization, such as auditors. But they are also helpful for preparing for penetration tests.

Read more

Social media infers a lot about you. After all, if the service is free, you’re the product. Here’s how to view your Twitter inferred interests and see what Twitter thinks it knows about you.

Read more

Web browser manufacturers Google and Mozilla have been taking heat lately for wanting to implement a technology called DNS over TLS. This is an important technology, so let’s talk about what DNS over TLS does and why you need it.

An increasing amount of our communications online is encrypted, which keeps other people from snooping on what we do. Not encrypting our traffic to DNS, which is the Internet’s phone book, makes it possible to see who we’re communicating with online, even though the communications themselves aren’t visible. DNS over TLS seeks to close this huge privacy gap. When your operating system says your connection is secured, it’s only talking basic security.

Read more

A friend of a friend suggested to me that I should carefully preserve my Commodores and other vintage computer gear, because it’s the only secure computer equipment available. I said I don’t complain too loudly since security is my job. He then said I’ll always have a job, because so many security threats are deliberate. While he’s not wrong, saying all security threats are deliberate is unhealthy. Here’s why.

Deliberate security threats certainly exist, because planting backdoors in the supply chain is the best way to get into certain highly sensitive networks. But I’ll argue that more security threats are honest mistakes than intentional sabotage.

Read more

From time to time I get questions from people looking to break into my field. Here’s a good one: What’s better to get, a cyber security degree or certifications?

If you’re in school now, get the degree. But if you’re not currently in school, and can learn on your own, the certification route is much cheaper, and probably faster. The key is having something on your resume that gets you through HR, and most companies know they can’t demand both.

Read more

Kenna is a revolutionary vulnerability management tool. It completely changed my approach to vulnerability management. But it can be hard to get used to. The most maddening thing about it is how you can deploy an update, and then your Kenna score increases. That’s not the outcome you wanted. Here’s why patching can make your Kenna score go up instead of down, and what to do about it.

Kenna’s math is tricky, but the thing to remember is the risk score isn’t exactly an average. Once you deploy enough patches for high-risk vulnerabilities, your risk score will start to drop as expected. The key is sticking with it long enough for the score to drop.

Read more