It’s common to hear that it’s hard to get into cybersecurity, and…
Thinking About the Future of InfoSec (v2022)
I’m starting a new series with this 2022 edition where I think about what…
How to Tell the Difference Between a Legitimate NFT and a Rug Pull
A lot of people, especially in the security industry, are concerned that NFTs…
Not All MFA is Equal, and the Differences Matter a Lot
People are starting to get the message that text/SMS is a weak form of multi-factor…
The Irony of InfoSec’s Reaction to Crypto, NFTs, and Web3
There’s something strange about how our InfoSec community is reacting to…
Comparing My Top Four Security Podcasts/Newsletters
I get asked a lot what my go-tos are for security content. My top four recommendations…
The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think
If you’re reading this, you’re underslept and over-caffeinated due…
The Vigilant
We should have a new internet group called The Vigilant—a group of open-source…
Degrees and Credentials in InfoSec
If you’re on InfoSec Twitter, you’ve probably seen the recent iteration of…
It’s Time for Vendor Security 2.0
In a previous post I talked about how security questionnaires are security theater.…
Thoughts on the OWASP Top 10 2021
This post will talk about my initial thoughts on The OWASP Top 10 release for…
The Strange World of “Good Enough” Fencing
I’ve always been fascinated by security that was “just good enough”.…
Dead Drops and Security Through Obscurity
There’s massive confusion in the security community around Security Through…
The Presenting Vendor Paradox
There’s a paradox in information security where the community wants two…
Why an NTSB Wouldn’t Be Helpful For Ransomware
Twitter is great for quick ideas that may or may not be useful. I had one the…
Analysis of the 2021 Verizon Data Breach Report (DBIR)
Every year I like to look at Verizon’s DBIR report and see what kind of…
Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario
Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security…
What if We Made Paying Ransoms Illegal?
I was on Twitter the other day and saw someone suggest that we could fix people…
The Consumer Authentication Strength Maturity Model (CASMM) V6
If you know anything about internet security, then you likely spend a lot of your…
A @TomNomNom Recon Tools Primer
There are recon tools, and there are recon tools. @tomnomnom—also called…
3 Metrics That Will Indicate We’re Taking Security Seriously
A lot of people are surprised when I tell them that computer security isn’t…
Analysis of the RECON/Attack Surface Management Space
I am often asked for my thoughts on the Bug Bounty / RECON / Asset Inventory /…
The New Reality of State-sponsored Attacks on US Businesses
The Lawfare Podcast is one of my few staples, and I just listened to another great…
Demand, CyberInsurance, and Automation/AI Are the Future of InfoSec
I think there are four main trends that will play out in the field of information…
I Actually Like Remote and Pre-recorded Presentations
I have an unpopular opinion about the security conference scene. Basically, it’s…