There’s an infinite number of studies of ransomware lately, all breathlessly talking about how to fight this dangerous threat. They’re all dangerously wrong. Ransomware is not the problem. Read the full article over at Dark Reading.

People sometimes ask me about my recording setup, and I wanted to share some thoughts about recording good learning content. The most important thing I’ve learned is the importance of conceptualizing what you want it to look like. The other thing I’ve learned is that the more expensive gear is…

There’s an insightful comment, “Everybody has a testing environment. Some people are lucky enough enough to have a totally separate environment to run production in.” Similarly, everybody has both enterprise and product architecture. Some people are lucky enough to be able to design them. I have to say that because…

It was just over a year ago that I last walked out of the Seattle airport. Before the pandemic, I was a very frequent flyer. As the pandemic was starting, I was under the weather and chose to skip RSA, having little idea what was coming. That trip, in early…

Abhay Bhargav has a really excellent post on Better OKRs for Security through Effective Threat Modeling. I really like how he doesn’t complain about the communication issues between security and management, but offers up a concrete suggestion for improvement. Key quote: “Effective Threat Modeling by itself can ensure that your…

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines. First, the FDA has authorized two vaccines for emergency use. The review memoranda (Pfizer, Moderna) are all sorts of fascinating. …

Scientists have discovered a chunk of amber with a dinosaur tail in it. (Poor dinosaur!) National Geographic has the story, which is not brand-new, but is a nice bit of scientific joy for the day.

As we look at what’s happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet…

Fireeye’s announcement of their discovery of a breach is all over the news. The Reuters article quotes a ‘Western security official’ as saying “Plenty of similar companies have also been popped like this.” I have two comments. First, it’s easy for anyone to label attackers “sophisticated.” Fireeye certainly has more…