security

I’ve spent a little more time than I would like studying severity models in vulnerability scanners. One question that comes up occasionally is Qualys severity vs CVSS, or any of its competitors, for that matter. Let’s take a look at how Qualys severity compares against the industry standard.

Qualys’ severity score predates CVSS, which is now the industry standard. The two have similarities but there are various reasons for choosing one over the other.

Read more

In security, we talk about asymmetric attacks all the time. If you don’t know what that means, here’s an easy definition and some examples from the real world. We have to be careful not to conduct asymmetric attacks on ourselves, because frequently we inadvertently do just that.

An asymmetric attack is an attack that’s substantially more expensive to protect against than to launch. This makes them a common challenge in security.

Read more

I don’t think it’s news to anybody that there’s been some civil unrest in 2020. And in many cases, when protestors have been detained, cops and feds have cited possession of police scanners as proof that they were up to no good. But are police scanners illegal?

Police scanners are not illegal. A police scanner is just a radio, picking up broadcasts on radio waves, which belong to anybody, some of which happen to be used by police. So-called police scanners have uses other than listening to police broadcasts, and listening to police broadcasts is not illegal.

Read more

What is the difference between CVE and CVSS? It can be confusing, especially if you’re not a security professional. Here’s how to make sense of the alphabet soup you hear from security analysts like me.

Both CVE and CVSS are industry standards that refer to vulnerabilities in computer software. Think of CVSS as the tracking number, and CVE as a measure of severity.

Read more

What In Information Security and Information Technology, CVE stands for Common Vulnerabilities and Exposure. It is a standard identifier for tracking vulnerabilities in computer software. I’ve only deployed updates to fix about 800,000 of them, but that experience taught me a little bit about working with them.

The CVE database is maintained by MITRE, and there are about 100 CVE Numbering Authorities (CNAs) who assign them. The CVEs themselves don’t include a lot of detail, but they serve the purpose of providing a common identifier that vendors and security professionals can use to track each unique security flaw.

Read more

What is CVSS? CVSS stands for Common Vulnerability Scoring System. It is a method to express the relative strength of vulnerabilities compared to each other. It’s a common statistic in computer security, especially in the field of vulnerability management.

There are two versions of CVSS in common use. The major difference is version 3 allows you to account for environmental factors to adjust it, but both of these versions have one significant weakness.

Read more

Thanks to an embarrassing hack where someone gained access to a Twitter administration tool and used high-profile accounts to tweet out a Bitcoin scam in July 2020, social engineering has a lot of attention. But what is social engineering? How does it work?

There’s no need to complicate social engineering. It’s not something new, it’s just an old-fashioned con job in modern times, sometimes using modern technology.

Read more

Let’s do something taboo today and talk about money. CISSP money. What exactly is realistic when it comes to CISSP salary expectations?

The average CISSP salary is somewhere around $120,000. That’s average, and CISSP covers a broad range of jobs, but keep that number in mind if someone offers you $54,000. I’ve seen $54,000 cited as the low end and that’s, frankly, ridiculously low.

Read more

I’ve had lots of discussions about imposter syndrome in both tech in general and cyber security specifically. I have thoughts.

Read more