This video was prompted by discussions with someone who was adamant that they would never, never, everrrrr put their logs in the cloud.

I enquired as to why they weren’t open to the option, and their response was that they don’t believe that sensitive information like logs should be in the cloud.

Now that’s all cool and stuff – I mean, everyone has their own risk models. But in the big scheme of things, the company was already using cloud infrastructure and apps for a variety of different things.

I mean, if you’re putting your entire customer management system, and your financials in a cloud app – there aren’t many more valuable things left to protect.

I’m not saying you should or shouldn’t adopt the cloud, or use a particular provider or not. What I do reckon is that we should be a bit more sensible when looking at the wider corporate adoption and all the information contained therein, and adapt the security controls accordingly.

It’s coming up on my 3 year anniversary at AlienVault – and after a conversation with a friend, it dawned on me that I don’t think I’ve ever really explained what AlienVault does.

So, when I was in Austin this last week I recruited some of my colleagues to help make this short video to give an overview of the product.

Find out more at www.alienvault.com
Or follow @AlienVault on twitter (tell them I sent you)

Individuals and companies of all sizes often say they ‘think’ they’ve been hacked or breached, or have had some form of unwanted event.

There is usually a lack of conviction in this statement, and in hindsight it’s not easy to validate.

Sure, one could use a service like haveibeenpwned.com to retrospectively check, or wait for a service provider to inform them that their data has been compromised – but there are better ways, if one is more proactive in their approach.

Perhaps one of the best features of Gmail is the ability to add a +something to your email address to identify which providers have either been breached or have shared your email address.

For example, if my email is [email protected], then when signing up for BSidesLondon I’ll provide my email address as [email protected]

It’s also worth looking at getting an adblocker (note not all adblockers are created equal – look for a good one that won’t sell you out in other ways). But basically, the fewer scripts that are allowed to run in your browser, the less tracking there is, and the less opportunity there is for anyone to inject malicious content.

For those that have a bit more patience to validate every connection, get something like LittleSnitch or RadioSilence (or similar – I’m not endorsing these products), or anything else that can detect the outbound connections that applications and software on your machine are making. It gives you the ability to control and decide which apps can communicate externally and send who knows what data.

Finally, one of my favourite techniques is to use honey tokens. The free ones available at Canarytokens are super easy to use and set up.

Other ways to set up your own honey tokens would be to put false customer records into your CRM. Set this customer’s email to an address that you control. That way, if you ever get emails sent to that particular address, you know that your customer records have been compromised – probably by your most recently-departed sales person.

While there are many other things one can do to enable quick detection of compromises, I find these some of the easiest and quickest to setup and get running with.
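The two mailbox-side techniques above (plus-tagged sign-up addresses and a planted honey-token address in the CRM) both reduce to the same question: who is sending mail to an address that only one party should know? Below is an added example of that triage, not code from this post or from Canarytokens; the mailbox, the tag registry, the honey address and the inbound messages are all constructed for illustration, and the function names are mine.

```javascript
// Added example: triage inbound mail against plus-addressed sign-up tags and a
// honey-token address planted in a fake CRM record. Everything below is
// constructed for illustration; the addresses and services are hypothetical.

// Which plus-tag was handed to which service, and which sender domain that
// service legitimately mails from. Mail to a tag from any other domain means
// the service was breached, sold the address, or otherwise leaked it.
const SIGNUP_REGISTRY = {
  bsideslondon: { service: 'BSidesLondon registration', expectedDomain: 'bsideslondon.example' },
  shop: { service: 'online shop account', expectedDomain: 'shop.example' },
};

// Address given only to a fake customer record in the CRM; nobody should
// ever mail it, so any message to it is a high-severity alert.
const HONEY_ADDRESSES = new Set(['fake.customer@example.com']);

// Split "local+tag@domain" into its parts (tag is null when absent).
// Returns null for anything that is not a single well-formed address.
function parsePlusAddress(address) {
  const m = /^([^+@\s]+)(?:\+([^@\s]+))?@([^@\s]+)$/.exec(address.trim().toLowerCase());
  if (!m) return null;
  return { local: m[1], tag: m[2] || null, domain: m[3] };
}

// Classify one delivered message by its envelope sender and recipient.
function classifyMessage({ from, to }) {
  const recipient = to.trim().toLowerCase();
  if (HONEY_ADDRESSES.has(recipient)) {
    return { severity: 'high', kind: 'honey-token',
      detail: `mail to planted CRM address ${recipient} from ${from}` };
  }
  const parsed = parsePlusAddress(recipient);
  if (!parsed || !parsed.tag) {
    return { severity: 'info', kind: 'untagged', detail: `no plus-tag on ${recipient}` };
  }
  const entry = SIGNUP_REGISTRY[parsed.tag];
  if (!entry) {
    return { severity: 'medium', kind: 'unknown-tag',
      detail: `tag "${parsed.tag}" was never handed out; possible guessing` };
  }
  const sender = parsePlusAddress(from);
  if (sender && sender.domain === entry.expectedDomain) {
    return { severity: 'info', kind: 'expected', detail: `${entry.service} mailed its own tag` };
  }
  return { severity: 'medium', kind: 'leaked-tag',
    detail: `tag "${parsed.tag}" (given to ${entry.service}) used by ${from}` };
}

// Classify a batch of messages, preserving order.
function triageInbound(messages) {
  return messages.map(classifyMessage);
}

// Only the classifications worth acting on.
function alertsFor(messages) {
  return triageInbound(messages).filter((r) => r.severity !== 'info');
}

// Constructed sample of delivered mail (envelope from / to only).
const SAMPLE_INBOUND = [
  { from: 'noreply@bsideslondon.example', to: 'me+bsideslondon@example.com' },
  { from: 'deals@spammer.example', to: 'me+shop@example.com' },
  { from: 'offers@competitor.example', to: 'fake.customer@example.com' },
  { from: 'friend@example.org', to: 'me@example.com' },
  { from: 'someone@unknown.example', to: 'me+nevergiven@example.com' },
];

for (const alert of alertsFor(SAMPLE_INBOUND)) {
  console.log(`[${alert.severity}] ${alert.kind}: ${alert.detail}`);
}
```

The registry records the expected sender domain per tag, because the tag alone only tells you which service you gave the address to; it is the unexpected sender that turns it into evidence of a leak. The same structure works for any provider that supports sub-addressing, not just Gmail.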

Having an early warning system is good, but it’s only as good as the response. Therefore you should have a plan of action as to what to do if you are notified that someone has accessed your files or compromised your accounts. Mainly this would include changing your passwords, notifying relevant parties, and putting your guard up. But it will depend on what is triggered, by who, and what your personal risk tolerance is.

For small businesses, and even larger corporations, these techniques can still work – however, there are robust enterprise-grade offerings available which are more suited to the task (maybe the Canary hardware device is good for you, or AlienVault USM Anywhere). Still, I wouldn’t be against having a few honey tokens scattered around a corporate network just to see who may be poking their nose around where it doesn’t belong.

Anytime we discuss security, it’s mainly to talk about the failures. So I’m taking time out today to spread some positivity to all those security folks that have made it through the week without an incident occurring.


After its 2015 breach, the Information Commissioner’s Office (ICO) has released a very thorough report which highlights a number of deficiencies in Carphone Warehouse’s security.

I’ve summed up some of the key points in dramatic fashion.

The report is well worth a read: http://ift.tt/2AM6B7B

It dawned on me, that I’ve never written a browser extension before.

And there are words IT Security articles continually overuse that I wish they wouldn’t.

So, I combined both of these together and wrote a Chrome extension that changes commonly misused words to something a little more interesting.

Examples:

– IoT becomes ‘cheap connected garbage’
– Machine learning becomes magic
– gdpr becomes the MacGuffin
– Cyber becomes IT

Full details of the words changed and link to download the extension available at uncybered.j4vv4d.com
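For anyone who, like me, had never written one: the core of such an extension is a content script that walks the page’s text nodes and applies a substitution table. The block below is an added example written for this post, not the extension from uncybered.j4vv4d.com; it uses the four substitutions listed above as its rule table, and the function names are mine.

```javascript
// Added example (not the uncybered extension itself): a content-script style
// rewriter that swaps overused security buzzwords. The rule table uses the
// four substitutions from the post; the helper names are hypothetical.
const SUBSTITUTIONS = [
  { pattern: /\bIoT\b/g, replacement: 'cheap connected garbage' },
  { pattern: /\bmachine learning\b/gi, replacement: 'magic' },
  { pattern: /\bGDPR\b/gi, replacement: 'the MacGuffin' },
  { pattern: /\bcyber\b/gi, replacement: 'IT' },
];

// Pure string rewrite, so the rule table can be tested without a browser.
// Word boundaries keep "cybersecurity" intact while "cyber defence" changes.
function replaceBuzzwords(text) {
  return SUBSTITUTIONS.reduce(
    (acc, { pattern, replacement }) => acc.replace(pattern, replacement),
    text,
  );
}

// Walk text nodes only. Rewriting innerHTML instead would re-parse page text
// as markup, which is exactly the kind of injection an extension must avoid.
// Returns the number of text nodes that were changed.
function rewritePage(root) {
  const skip = new Set(['SCRIPT', 'STYLE', 'TEXTAREA', 'NOSCRIPT']);
  const doc = root.ownerDocument;
  const walker = doc.createTreeWalker(root, 4 /* NodeFilter.SHOW_TEXT */);
  let changed = 0;
  for (let node = walker.nextNode(); node; node = walker.nextNode()) {
    if (node.parentNode && skip.has(node.parentNode.nodeName)) continue;
    const updated = replaceBuzzwords(node.nodeValue);
    if (updated !== node.nodeValue) {
      node.nodeValue = updated;
      changed += 1;
    }
  }
  return changed;
}

// When loaded as a content script there is a document; when run under Node
// for testing there is not, so the page walk is skipped.
if (typeof document !== 'undefined' && document.body) {
  rewritePage(document.body);
}
```

To ship it, the file is listed under "content_scripts" in the extension’s manifest.json with a "matches" pattern for the sites it should run on; keeping the rewrite to text nodes means the script needs no permissions beyond the host match.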

2018 has kicked off with a flurry of M&A activity in the infosec space. There have been four that I’ve been aware of:

Barracuda acquired Phishline
Cyxtera acquired Immunity Inc
Verizon acquired Niddel
Threatcare acquired Savage Security

I wonder how many more deals will be announced between now and RSA. Either way, it looks like it could be a busy year ahead.

I recently had my 17th anniversary… which is almost as long as I’ve been working in information security.

Information security is great for communication, and communication is great for all relationships and friendships.

The cool researchers over at Freedom to Tinker found two scripts that exploit browsers’ built-in login managers to retrieve and exfiltrate IDs.

Below is the email I sent, and the reply from OnAudience



The script that OnAudience uses can be found here

If you have time, check out this tweet thread between Carl and AntiSocial Engineer as they discuss the law vs what happens (or should happen) in reality.

If everyone and their dog is talking about Meltdown and Spectre, then it would be negligent of me to not keep up with all the cool kids.

Website for the vulnerabilities: Meltdown Attack

Google Project Zero blog

NCSC’s advice

Linus Torvalds statement

Work for long enough in one industry and you end up speaking an entirely different language altogether. This isn’t necessarily a bad thing; in many cases it’s convenient and allows rapid communication amongst peers.

However, in information security we need to be mindful when communicating with non-security, or even non-technology, users and simplify the messaging as much as possible.

To put my theory to the test, I gathered a bunch of frequently-used terms and asked my non-tech friend if he could decipher what they meant.

Of course, many users would never even feel the need to use or understand some of the terms, but I threw them in there just for fun.

I thought I’d kick off the new year by poking around the news stories, surely not much could have happened. But quite a lot did unfortunately.

In the video are the top 3 stories or headlines that caught my attention, but more importantly, I think we should make a pact to stop using these buzzwords this year.

My current suggestions are to replace these words as follows:

Machine Learning = Magic
AI = Witchcraft
GDPR = The MacGuffin

Hope you have a great 2018 ahead of you.

Honoured to be the guest editor for Infosecurity Magazine yesterday.

It was a day of fun which involved several things:

1. The announcement was made, which included this video

2. I took over their twitter account for an hour (brave of them)

3. I submitted a guest editorial

4. Had a Q&A with the real editor, Eleanor Dallaway

All in all, it was a great day and I ended up appreciating Eleanor’s job a whole lot more!

It was my first time in Lisbon, it was my first time keynoting at a Bsides… what could possibly go wrong?

Thanks so much to the whole team and attendees at BSides Lisbon for a fantastic event!

You can read my full writeup on the event over on my AlienVault blog. It includes a link to my entire keynote.


Read the original blog by Rowenna here: http://ift.tt/2zgNKou

If PCI DSS paid off the mortgage, then GDPR looks well on its way to buy the yacht.

But how does one go about making some of that GDPR gangster money if they don’t know much about the regulation? Well, becoming a GDPR consultant is simple, with these seven simple steps.

Note: This is a parody video – it’s kinda sad I have to say that, but you never know who takes these things seriously!