Thoave

I frequently see DIY website creation solutions used for small business sites that provision accounts and take CC payments without having configured TLS. Not sure which is worse, the business or their customers not knowing any better.

Really nice work by @singe and team on wifi threats. Check out Dom's talk if you are at DEFCON.https://twitter.com/singe/status/1026751720821542912 …

So take your triple A security preso to GRC, privacy, or Auditing conferences and bring the level of security discorse up to a higher level in these organization's own backyard.

And do not forget about how important the role that counsel and auditors play in decisions that are being made. They too need to be educated and it should come outside of their internal echo chambers.

Technical comprehension limitations aside, business operatives are desperate for ways to reframe the argument to improve security control postures. And there are some who honestly do not understand the stakes. Infosec professionals are all about the debate. Take it there!

Sure, it is amazeballs to pontificate with peers and friends and sharing knowledge makes for a stronger community. But at the end of the day, the infosec industry needs to overcome the value proposition issues intrinsic in corporate operational funding debates.

There is a huge untapped opportunity for researchers who only target high profile infosec conferences to take that info and educate the people who really need it - members of corporate leadership. No, not CISOs. I am talking about COOs, CIOs, CROs, and their respective underlings

This is tangential to the current cert procturing debate, but reminds me that driving the pursuit of a mastery of practical infosec knowledge and execution is what good certs/training programs do. I think @offsectraining exemplifies this. Shot out to @sensepost as well.

Many years ago, @marcoslaviero told me that it is perfectly ok to have to google commands or tool options that I could not recall in real time, so long as I understood what I was attempting to get the system to do and why.

I see infosec as a zero-sum game. Sides are playing against a finite set of resources, so the idea of absolute control is a bit of a fallacy. There is always risk associated with inherent points of failures. Present objective intel to allow for informed risk decisions.

I know the cert/collegiate degree debate has simmered down now, but a recent interview dialogue on the topic reminded me that most collegiate infosec majors utilize professional certs as core curriculum. CompTIA, Cisco, ISC2, EC Council... I guess that says it all?

Meltdown/Spectre personal hot take free zone here. I am of the 'TL:DR' camp on this one and defer to people much smarter than me to lay it down.

Happy New Year to all of my infosec and privacy friends!

Nothing frustrates me quite like Google Nearby shoving ads on my phone when walking through the mall by taking advantage of the fact that I use bluetooth peripherals. What happened to this being an opt-in service? Another example of forcing features to program user complacency.

Someone asked me what sports team the @ThinkstCanary beanie I was wearing represented. I replied, "Not exactly a sports team, but they kick ass at defensive strategies all the same."

I am not an attorney, but why aren't there static classes of users pre-defined per industry? For instance, retail or medical breaches should invoke a class for recompense by default. It seems more effective than offering worthless credit monitoring.

I have shown business partners that intrinsic lack of trust in the testing of controls aligned to governance expectations cannot be processed around. Integrity of assessments can be improved to a degree through transparency, otherwise it is a agree to disagree proposition.

Does the infosec community have a centralized metric as to the current state of industry-wide technical debt, like an IT doomsday clock?