Daniel Miessler

The Cybersecurity Skills Gap is Another Instance of Late-stage Capitalism

Daniel Miessler

It’s common to hear that it’s hard to get into cybersecurity, and that this is a problem. That seems to be true, but it’s informative to ask a simple follow-up: The current cybersecurity jobs gap sits at around 2.7 million people. A problem for who?

Not All MFA is Equal, and the Differences Matter a Lot

Daniel Miessler

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). Fewer people know that there’s a big gap between the post-SMS MFA options as well. As I talked about in the original CASMM post, there are levels to this game.


Why I’m OK With Amazon Buying One Medical

Daniel Miessler

A number of security people have come out against Amazon buying One Medical. It’s to be expected, as most security people are rightly worried about big corporations getting a hold of more personal data.

The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think

Daniel Miessler

If you’re reading this you’re underslept and over-caffeinated due to log4j. Thank you for your service. I have some good news. I know a super-smart guy named d0nut who figured something out like 3 days ago that very few people know. Once you have 2.15

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

Join us as we discuss the various tangents of data and the change management process that will help you make better risk-based business decisions to save time and money for your organization.

How Good is DALL·E 2 at Creating NFT Artwork?

Daniel Miessler

If you’ve not heard, there are these things called NFTs. I think they’re simultaneously the future of digital signaling and currently mostly hype. But whatever—that’s not what this post is about.

L33t H4cking vs. M0st H4acking

Daniel Miessler

Information Security

Thoughts on the OWASP Top 10 2021

Daniel Miessler

This post will talk about my initial thoughts on The OWASP Top 10 release for 2021. Let me start by saying that I have respect for the people working on this project, and that as a project maintainer myself, I know how impossibly hard this is.

The Presenting Vendor Paradox

Daniel Miessler

There’s a paradox in information security where the community wants two things at once: high-quality research and talks, and unbiased research and talks. I’ve personally been one of these affiliated speakers countless times.

How to Tell the Difference Between a Legitimate NFT and a Rug Pull

Daniel Miessler

A lot of people, especially in the security industry, are concerned that NFTs are a scam. And that’s for a good reason in many cases, since many of them are. In fact, I’d say it’s something like 95%. That’s not a real number, but that’s where I’d put the ratio.

The Consumer Authentication Strength Maturity Model (CASMM)

Daniel Miessler

This post is an attempt to create an easy-to-use security model for the average internet user. Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve? People like moving up rankings, so let’s use that!

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

In this webinar, Ronald Eddings, Cybersecurity Expert, will outline the relationship between SaaS apps and IT & security teams, along with several actionable solutions to overcome the new difficulties facing your organization.

CASMM (The Consumer Authentication Strength Maturity Model)

Daniel Miessler

This post is an attempt to create an easy-to-use security model for the average internet user. People like moving up rankings, so let’s use that! Basically, how secure is someone’s current behavior with respect to passwords and authentication, and what can they do to improve?

A @TomNomNom Recon Tools Primer

Daniel Miessler

There are recon tools, and there are recon tools. tomnomnom—also called Tom Hudson—creates the latter. I have great respect for large, multi-use suites like Burp, Amass, and Spiderfoot, but I love tools with the Unix philosophy of doing one specific thing really well.

Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario

Daniel Miessler

Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security terminology. Casey also added that Acceptable Risk would be being willing to get punched in the face.

It’s Time for Vendor Security 2.0

Daniel Miessler

In a previous post I talked about how security questionnaires are security theater. They were in 2018—and they still are—but pointing this out always raised the same challenge: Fine, but we have to do something. What’s the alternative?

Just Copy What Works

Daniel Miessler

I’ve had an idea lingering for years about habits and behaviors and outcomes. If we accept that peoples’ output usually comes from their inputs, what if we just completely copied their inputs? For example, I’m a heavy guy because I eat too much. I have a friend who eats way less. He’s very thin.

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Through a detailed analysis of major attacks and their consequences, Karl Camilleri, Cloud Services Product Manager at phoenixNAP, will discuss the state of ransomware and future predictions, as well as provide best practices for attack prevention and recovery.

Dead Drops and Security Through Obscurity

Daniel Miessler

There’s massive confusion in the security community around Security Through Obscurity. In general, most people know it’s bad, but they can’t say exactly why.

The Strange World of “Good Enough” Fencing

Daniel Miessler

I’ve always been fascinated by security that was “just good enough.” I think lots of security actually qualifies (see The News), but I think fencing (and maybe bike locks) take first prize. As a kid I used to love breaking into stuff. Nighttime construction sites.

How Much Incel Terrorism Can We Prevent With Kindness?

Daniel Miessler

When I think about violence caused by young, socially-rejected males, I often wonder how much bullying and mistreatment cause their violent behavior. That doesn’t mean excuse the behavior; I am talking about the proximate cause—or exacerbation—that contributes to the act.

Thinking About the Future of InfoSec (v2022)

Daniel Miessler

I’m starting a new series with this 2022 edition where I think about what Information Security could or should look like in the distant future—say in 2050. The ideas will cover multiple aspects of InfoSec, from organizational structure to technology.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance.

What if We Made Paying Ransoms Illegal?

Daniel Miessler

I was on Twitter the other day and saw someone suggest that we could fix people paying ransoms by making it illegal for them to do so. I was a bit flippant with my response.

No, Moving Your SSH Port Isn’t Security by Obscurity

Daniel Miessler

I just came across another post on Hacker News talking about why you shouldn’t move your SSH port off of 22 because it’s Security by Obscurity. There are some good reasons not to move SSH ports in certain environments, such as usability.

The New Reality of State-sponsored Attacks on US Businesses

Daniel Miessler

The Lawfare Podcast is one of my few staples, and I just listened to another great episode on espionage against US businesses.

Everyday Threat Modeling

Daniel Miessler

Threat modeling is a superpower. When done correctly it gives you the ability to adjust your defensive behaviors based on what you’re facing in real-world scenarios. And not just for applications, or networks, or a business—but for life. The Difference Between Threats and Risks.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Demand, CyberInsurance, and Automation/AI Are the Future of InfoSec

Daniel Miessler

I think there are four main trends that will play out in the field of information security in the next 20 years.

Degrees and Credentials in InfoSec

Daniel Miessler

If you’re on InfoSec Twitter you’ve probably seen the recent iteration of the neverending debate around degrees, certs, and InfoSec. Basically, one side argues that you need college to be taken seriously in security, and the other side says nuh-uh!

Our Problem is Gullibility, Not Disinformation

Daniel Miessler

I think we’ve lost the plot on disinformation. It’s not the attacks that are the problem. It’s the fact that too many Americans are willing to believe almost anything. Ideally we’d reduce both the attacks and the vulnerability. Of course it would be nice to have fewer attacks.

Analysis of the RECON/Attack Surface Management Space

Daniel Miessler

I am often asked for my thoughts on the Bug Bounty / RECON / Asset Inventory / Attack Surface Management spaces. This is partially because I founded a company, called HELIOS, back in 2016, which I separated from at the end of 2018.

Cyber Pearl Harbor Is Happening Right Now — It’s Ransomware

Daniel Miessler

Since 2007 the InfoSec industry has been talking about TheBigOne™—the event that would change cyber threats from annoyances to existential concerns. They called it Cyber Pearl Harbor. This doesn’t mean it can’t still happen.

Comparing My Top Four Security Podcasts/Newsletters

Daniel Miessler

I get asked a lot what my go-tos are for security content. My top four recommendations are Darknet Diaries, Risky Business, Unsupervised Learning (yes, my own show), and TL;DRSec. What’s so interesting about these four is how different they are.

This Zoom Hate is Silly

Daniel Miessler

I’ve been processing my thoughts on the Zoom Security stuff for a couple of weeks now, and I think I finally have an opinion. The hate is silly. Like I said, I sense something strange here. I get there are security issues. And some seem pretty bad.

The Vigilant

Daniel Miessler

We should have a new internet group called The Vigilant—a group of open-source code maintainers that steward and protect our top 1000 open-source applications. Here’s how it could work. Step 1: A group of internet technology and security leaders are elected and put into place.

Analysis of the 2021 Verizon Data Breach Report (DBIR)

Daniel Miessler

Every year I like to look at Verizon’s DBIR report and see what kind of wisdom I can extract. This year they appear to have put in even more effort, so let’s get into it.

Sickness Monitoring is the Opening Video Surveillance Has Been Waiting For

Daniel Miessler

I’ve thought for a long time that public video feed monitoring would become ubiquitous. My basis for this was looking at what humans ultimately desire, not at the tech itself.

Opening vs. Closing is a False Dichotomy

Daniel Miessler

If you want to have a productive discussion on a difficult topic, start by discarding the extremes. Very few want pure communism, pure market capitalism, zero taxes, or taxes to be doubled.

I Actually Like Remote and Pre-recorded Presentations

Daniel Miessler

I have an unpopular opinion about the security conference scene. Basically, it’s the opposite of what John Strand said here: Can we all agree that pre-recorded Conference talks are horrible? I mean… Why? — strandjs (@strandjs) October 28, 2020.

Why an NTSB Wouldn’t Be Helpful For Ransomware

Daniel Miessler

Twitter is great for quick ideas that may or may not be useful. I had one the other day: An NTSB, but for ransomware. — Daniel Miessler (@DanielMiessler) May 22, 2021.

News & Analysis | No. 281

Daniel Miessler

SECURITY NEWS. Darkside, the ransomware group that ransomed Colonial, has largely gone dark after its servers and Bitcoin were seized. Its blog, payments collection site, and its CDN have gone offline.

How to Initiate Contact With a Mentor

Daniel Miessler

I’ve been in security for over 20 years now and have received thousands of emails asking for help or mentorship. And throughout that time I’ve also reached out to hundreds of people asking for something similar.