Security Blog
-
Environmental Controls at Planetary Scale
Standard security frameworks often emphasize environmental controls, such as humidity sensors and fire suppression, to maximize mean time between critical failures (MTBCF) in data centers. However, the cost and effort of implementing these controls may not be worth it when operating in thousands of data centers globally. Instead, focusing on regional failover and addressing issues…
-
DNS reflection defense
DDoS attacks exceeding 100 Gbps, particularly DNS reflection attacks, have become prevalent. Understanding DNS operation is crucial for effective defense. Filtering, DNS server protection, redundancy, anycast, segregation, response handling, and rate limiting are key measures to mitigate attacks and ensure robust architecture.
-
How big is 300 Gbps, really?
The 300 Gbps attack on SpamHaus may appear significant, but considering attacker capacity, leverage, and target resilience, it becomes more manageable. Reflected DNS traffic can be easily dropped, making it less effective than other tactics. BroBot botnets pose comparable challenges with varied techniques.
-
Risk compensation
Collaborating with business partners to manage risk is a challenge for the security profession. Avoiding the role of sole custodians, we should engage partners in risk discussions and empower them to analyze risks themselves. By fostering belief and behavioral changes, we can achieve effective risk management.
-
Leveling up Security Awareness
Security awareness has become a contentious issue as organizations resort to generic, checkbox-based computer-based training (CBT) programs. To improve, it’s crucial to separate policy awareness from true security awareness. Instead of wasting resources on annual CBT, create an automated system for employees to check a box, and then focus on targeted, engaging, and incentivized security…
-
Understanding and increasing value
In assessing the value we provide to a business, we must understand its capabilities: the ratio of value over resources. While value is often difficult to measure, we can gauge capabilities by considering skill, effort, and effectiveness. Skill is the ease with which a task is accomplished, effort reflects our approach, and effectiveness depends on…
-
The value of professional certifications
As I prepare to join a panel discussion on information security certifications, the topic of their intrinsic value comes to mind. Examining different models, such as guild certificates, practitioner’s certificates, and reputational certificates, it becomes clear that infosec certifications lean more towards being reputational. However, reputational certificates are only as valuable as the reputation of…
-
Take Over, Bos’n!
Eleven years ago, Danny Lewin was tragically killed. But this story takes us back twelve years prior, when Danny’s relentless spirit inspired me to revolutionize the web. Despite initial doubts, Danny’s unwavering belief in our product led us to create a groundbreaking security model. It took time, but eventually, we transformed e-commerce, e-government, and business…
-
Security Subsistence Syndrome
Security subsistence syndrome (SSS) is a mindset in organizations that believe they have no security choices due to underfunding, leading them to minimally spend on perceived regulatory requirements. It’s an attitude of doing the bare minimum, resulting in lowered expectations and a lack of security value. Breaking free from SSS involves strategic steps that can…
-
Enterprise InfoSec Lessons from the TSA
The TSA’s security practices serve as a valuable analogy for enterprise information security. Like the TSA, security teams often focus on metrics that don’t align with the business’s goals. Weak authentication, limited logging, and reliance on outdated technologies are akin to enterprise practices that hinder effectiveness. Instead, a shift towards flexible security techniques that align…
Leadership Newsletter
-
Managing the End of The Year
Leadership Moment: Holiday Time The holiday season has begun in full force, with Tishri, the month of Jewish observances (Rosh Hashanah, October 7th, Yom Kippur, Sukkot, Shmini Atzeret, and Simchat Torah), drawing to a close (wedged in there was Thanksgiving in Canada). On the heels of Tishri we’ll come into a month of mostly US… Read this …
-
Including
A Moment for Memory Before I get into today’s newsletter, I want to take a moment to reflect on the past year. It’s been 366 days since the most horrific day for Jews since the Holocaust: when Hamas terrorists raped and butchered Israelis, killing 1,195 and abducting 251, including a baby. Many of those remain… Read this …
-
The Perversity of Incentives
Leadership Moment: Tipping Over The Edge A summer camp that hires mostly young adults (high school/college) as its camp counselors has what is probably a standard policy: its counselors do not accept tips (while an understandable choice, not one supported by an argument that the counselors are well-compensated, but that’s a conversation for a different… Read this …
Fiction
-
Skeleton
A necromancer and an Olympic event [Read the story]
-
Albus Dumbledore and the Rituals of Immortality
The words that didn’t make the Harry Potter septology that fill in the blanks for what’s really going on. [Read the story]