Cyber Threat Analysis Report Vol 1, Edition 9

Your City is Not Ready for Ransomware

20 (and growing) cities in Texas shut down thanks to ransomware. Baltimore is taking $6M in funds from other city programs to pay for its ransomware attack. We’ve only scratched the surface of how bad things could get at a city, county, and even state level should a concerted and widespread effort be undertaken to disrupt governmental operations. Forget hacking voting machines: what happens when you can’t conduct any government business, much less vote? Shut down local government and by extension you start to shut down local and, to a degree, inter-state commerce. How long before we stop treating these events as novelties and start recognizing them as a spear to our soft underbelly?

Perimeter Defense You Say?

How is that working out for you? You may not be thinking about the mail as an attack vector, but someone else is (among several other unconventional vectors, no doubt). Generally speaking, threats that sound like they were taken out of a bad hacker movie aren’t to be taken seriously, but the nature of technology (persistent, ubiquitous) today is such that it’s hard to rule anything out anymore.

We Value Our Customers…

For every survey that says customers will flee if you get hacked, there is at least another that points out that few if any actually stop shopping at a compromised store or cancel their credit card accounts. The fact of the matter is that pwnage of organizations of all stripes is too commonplace for people to be hopping from one to another. There is literally nowhere else to go. That doesn’t mean firms shouldn’t make efforts to protect themselves and their customers, but it should shift the discussion away from rebuilding customer trust and

Oops, You Did it Again

You can research bugs or other issues without leaking data. No, really, you can.

You Can Lead a Horse to Water

Between Password Checkup and Have I Been Pwned there is really no excuse for anyone to not know if their old passwords have been compromised, and to act accordingly. A password manager seems like a lot of overhead, but when you consider how it radically improves your ability to thwart credential compromises (especially when used in conjunction with 2FA), the literal extra seconds you spend using it are well worth it.

This Will Make for Interesting Campaign Promises

The idea that the voting population cares enough about cybersecurity to make it a political or campaign issue is, to my mind, questionable. Having tracked these issues for years, and knowing what makes headlines, it’s hard to argue folks will vote one way or another because of a candidate’s stance on endpoint protection or the value of attribution. Cybersecurity will be a true political issue immediately after tragedy strikes, and not before.

No Two Are Alike, And That’s a Problem

The power of biometrics to serve as an authentication tool is hard to deny, but behold the double-edged sword: you can change a strong and complex password; you can’t change your fingerprints or irises. If you’re going to use biometrics to improve security for your product or service, you have to improve the security that protects the biometrics. Once that data is gone, you’ve effectively rendered it useless as a protection or authentication mechanism.

Cybersecurity 101

Your regular reminder that you can’t protect it if you don’t know you have it.

Stunt Hacking

Is there value in hyping exploitable vulnerabilities that aren’t really all that? Those that despise ‘stunt hacking’ have a point in that we’ve got enough ‘boy who cried wolf’ going on in this business. But if we’re all being honest, sometimes the only way you get people to pay attention is to wave it in front of their face. You don’t want to make it a habit of course, but every once in a while it’s not the worst thing in the world to get people to think twice before connecting yet another random thing to the Internet.

Security is in the Eye of the Beholder

Bad cybersecurity is, to paraphrase Supreme Court Justice Potter Stewart and his definition of pornography, something you know when you see it. Of course, if you claim you didn’t see it, does it exist? If you’ve ever spent any time in government, have you ever seen a more classic bureaucratic move? What other discipline doesn’t have impartial third parties conducting such investigations and evaluations? Take comfort, citizens, that all is well, and that whatever catastrophe strikes tomorrow, it was totally unforeseeable and unstoppable.

Target Rich Environment

With almost half of all SMBs still running Windows 7, is it any wonder that the prospect of a safer and more secure cyberspace is growing ever more distant and hopeless? Is it a function of firms not being able to afford regular upgrades, ignorance, or laziness? The idea that business owners aren’t aware of the threat seems suspect (but not entirely out of the realm of the possible). If financial pressures are the problem, then we should start to give real consideration to ways that make the adoption of current technology (not to mention security technology) more affordable. Everyone has to make a living, but if your revenue-generating paradigm excludes or marginalizes the weakest of us, you can’t really say you’re for security.

Michael Tanji

About the Author

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines, he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.