Synopsis
Daily-ish (M--F) musings about security and privacy and how they impact our communities. What questions should we as technologists be asking as we build?
Watch the show at https://4mn.ca/mwm-video
Episodes
-
Ignorance & Risk
16/07/2018 Duration: 04min
Some perceptions override the logic behind risk decisions. How do you fight through to make a sound decision?
-
Document, Automate, Repeat
12/07/2018 Duration: 07min
If you're working by hand, you're failing. In today's world of security, rapid delivery, and new technologies, automation is critical. Check out this article from Thomas A. Limoncelli for ACM Queue, "Manual Work is a Bug".
-
Cybersecurity: Getting Past HR
11/07/2018 Duration: 07min
Getting your first job in cybersecurity can be super frustrating. How can we work through traditional HR processes to get started?
-
Fortnite, UI Patterns, and Desired Behaviours
09/07/2018 Duration: 07min
Design has a massive impact on user behaviour. Sadly, it's often ignored when it comes to security and privacy. Why is that?
-
Working Together To Improve Security
28/06/2018 Duration: 07min
Building on episode 75's theme, today's episode looks at the advantages of collaborating on a design review. If you can put the personal investments aside, working together can result in a strong security posture or project goal. The challenge--as always--is that the security team usually doesn't work that way. It's time to get out there and collaborate!
-
Security Thinking Is Service Design Thinking
27/06/2018 Duration: 06min
We've spoken a lot about maintaining and expanding perspective when it comes to cybersecurity. In this episode, we dive in and highlight a methodology called "service design thinking". It's designed (ha!) to help you examine the entire experience around a product or service. Something critical to successful security!
More on service design thinking
-
Don't Trust The Network
26/06/2018 Duration: 05min
We trust the networks we connect to every day, but should we? Stories, like the recent piece by The Intercept detailing the ways that traffic is intercepted and analyzed, continue to show us that our networks can't be trusted completely. We need to better understand the possible threats and what mitigations are available to counter them.
More from The Intercept on NSA + AT&T
More on the new WPA3 standard from The Verge
-
Tanacon, Security, and Lack of a Threat Model
25/06/2018 Duration: 07min
Tanacon 1.0 was an unmitigated disaster. Not only is this a reminder that physical security is critical but it's an example of a failure to analyze risk properly (or at all). It's not uncommon for people to oversimplify a problem based on what they know vs asking the right people the right questions. In cybersecurity this leads to weak systems and hacks. In the real world, it leads to Tanacon.
More on Tanacon
-
Culture Change Is Hard
21/06/2018 Duration: 05min
Attending a partner conference, it struck me again how hard culture change is. We (the IT community) don't push for cultural change because it requires persistent and dedicated long-term work. That runs counter to the usual pace of technology. We (the security community) are even worse off. We have a culture that runs counter to our stated goals but continue to work on technology solutions instead of investing in culture.
-
Ethics And Action In Technology
19/06/2018 Duration: 07min
Ethical questions and quandaries are tough enough to work through when they are theoretical. But when you're confronted with them in the real world, there are usually real world consequences. This makes a hard situation even harder. What do you do? What can you do?
-
Ethics In Technology And Cybersecurity
18/06/2018 Duration: 10min
Technology is neutral...maybe. In cybersecurity, we regularly deal with technologies that have the ability to defend and attack. To protect and violate privacy on a massive scale. How they are used and built is really up to us. Regardless of your moral compass, it's important that you discuss the creation & use of these tools with your teams and larger community. As a cybersecurity professional, you need to be comfortable having the uncomfortable discussions.
Initiating essay from Ramona Pringle
Some thoughts by Matt Wood from AWS
-
Getting Started In Cybersecurity & Perspective
15/06/2018 Duration: 09min
Getting started in cybersecurity can be hard. Sticking to core principles is critical as technology will change. But one of the hardest aspects to cultivate is perspective. I'm a strong advocate of a rotational approach where cybersecurity team members work in other roles for weeks or months in order to gain a better understanding of the challenges. That's a difficult thing to justify organizationally but the perspective it provides is hard to beat!
-
Apple, Graylock, And Context
14/06/2018 Duration: 08min
With iOS 12, Apple will reduce the time an iOS device responds to the USB port when locked down to an hour. Having a hard time understanding why that matters to you? It's because it really won't. It is however a gap in the security posture of these devices that Apple is fixing. Reports are out (see below) that this is Apple moving against law enforcement. I believe that's disingenuous. This is simply a move to fix a security flaw. Other avenues (iCloud, court order against the device owner, etc.) exist for law enforcement to gain access to an iOS device.
The original story from Motherboard
Coverage from Bloomberg
Coverage from the New York Times
-
Google In Schools
13/06/2018 Duration: 08min
G Suite for Education is making waves in the Canadian education market. And why not? It looks like a win-win-win. But there are significant challenges around privacy, explicit consent, and data sovereignty.
More from CBC Radio
-
Cryptocurrency & High Value Targets
12/06/2018 Duration: 07min
Cryptocurrency is a digital asset. As such, it's a major target for cybercriminals. We've seen attack after attack in the past few months as exchanges, apps, and other players in the cryptocurrency market aren't aligning their security to the threats they face.
More on the recent Taylor hack
More on the Coinrail hack
A fantastic Canadian legal explanation from Anna Manley, "Terrorist Lunch Money"
-
Net Neutrality
11/06/2018 Duration: 07min
Net Neutrality is a simple dictate that states all network packets must be treated equally. This--of course--tanks a few business models for ISPs and in the US, they have successfully lobbied to remove previous regulations. So US ISPs are free to customize their networks. That doesn't sound too bad for privacy and security until you start to look at the second order effects...
Here's a great video from The Verge on the issue,
-
Apple, WWDC, and Your Privacy
07/06/2018 Duration: 05min
This week Apple is holding its annual developer conference, WWDC. There haven't been too many major announcements but that in itself is an announcement. This round of OS updates should see a substantial boost in quality. ...and that will mean a big win for security.
More on WWDC, https://www.apple.com/apple-events/june-2018/
More on the specific privacy features, https://www.cnet.com/videos/mac-os-gets-better-privacy-and-security-features/
-
Developer Workflow 101
05/06/2018 Duration: 07min
The push to move to a "DevOps" culture is a great opportunity to improve security. But first, we need to understand the general development workflow!
-
Transparency & Backpedaling
04/06/2018 Duration: 05min
Security and privacy center on trust. You can't have that without a high level of transparency. In this day and age, everything comes to light eventually. Better to be up front and open with most activities.
More on the latest in the Facebook scandal series