Daniel Miessler

Thoughts on the OWASP Top 10 2021

Daniel Miessler

This post will talk about my initial thoughts on The OWASP Top 10 release for 2021. Let me start by saying that I have respect for the people working on this project, and that as a project maintainer myself, I know how impossibly hard this is.

The Presenting Vendor Paradox

Daniel Miessler

There’s a paradox in information security where the community wants two things at once: high-quality research and talks, and unbiased research and talks. I’ve personally been one of these affiliated speakers countless times.


It’s Time for Vendor Security 2.0

Daniel Miessler

In a previous post I talked about how security questionnaires are security theater. They were in 2018—and they still are—but pointing this out always raised the same challenge: Fine, but we have to do something. What’s the alternative?


Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario

Daniel Miessler

Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security terminology. Casey also added that Acceptable Risk would be being willing to get punched in the face.


How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speakers: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security; Matt Doka, Co-Founder and CTO of Fivestars; and Steve Andrews, President & CEO of the Western Bankers Association

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance.

Dead Drops and Security Through Obscurity

Daniel Miessler

There’s massive confusion in the security community around Security Through Obscurity. In general, most people know it’s bad, but they can’t say exactly why.

The Consumer Authentication Strength Maturity Model (CASMM)

Daniel Miessler

This post is an attempt to create an easy-to-use security model for the average internet user. Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve? People like moving up rankings, so let’s use that!

A @TomNomNom Recon Tools Primer

Daniel Miessler

There are recon tools, and there are recon tools. tomnomnom (also called Tom Hudson) creates the latter. I have great respect for large, multi-use suites like Burp, Amass, and Spiderfoot, but I love tools with the Unix philosophy of doing one specific thing really well.

CASMM (The Consumer Authentication Strength Maturity Model)

Daniel Miessler

This post is an attempt to create an easy-to-use security model for the average internet user. People like moving up rankings, so let’s use that! Basically, how secure is someone’s current behavior with respect to passwords and authentication, and what can they do to improve?

No, Moving Your SSH Port Isn’t Security by Obscurity

Daniel Miessler

I just came across another post on Hacker News talking about why you shouldn’t move your SSH port off of 22 because it’s Security by Obscurity. There are some good reasons not to move SSH ports in certain environments, such as usability.

What if We Made Paying Ransoms Illegal?

Daniel Miessler

I was on Twitter the other day and saw someone suggest that we could fix people paying ransoms by making it illegal for them to do so. I was a bit flippant with my response.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Everyday Threat Modeling

Daniel Miessler

Threat modeling is a superpower. When done correctly it gives you the ability to adjust your defensive behaviors based on what you’re facing in real-world scenarios. And not just for applications, or networks, or a business, but for life.


Our Problem is Gullibility, Not Disinformation

Daniel Miessler

I think we’ve lost the plot on disinformation. It’s not the attacks that are the problem. It’s the fact that too many Americans are willing to believe almost anything. Ideally we’d reduce both the attacks and the vulnerability. Of course it would be nice to have fewer attacks.


Analysis of the 2021 Verizon Data Breach Report (DBIR)

Daniel Miessler

Every year I like to look at Verizon’s DBIR report and see what kind of wisdom I can extract. This year they appear to have put in even more effort, so let’s get into it.

The New Reality of State-sponsored Attacks on US Businesses

Daniel Miessler

The Lawfare Podcast is one of my few staples, and I just listened to another great episode on espionage against US businesses.

Demand, CyberInsurance, and Automation/AI Are the Future of InfoSec

Daniel Miessler

I think there are four main trends that will play out in the field of information security in the next 20 years.

This Zoom Hate is Silly

Daniel Miessler

I’ve been processing my thoughts on the Zoom Security stuff for a couple of weeks now, and I think I finally have an opinion. The hate is silly. Like I said, I sense something strange here. I get there are security issues. And some seem pretty bad.

Why an NTSB Wouldn’t Be Helpful For Ransomware

Daniel Miessler

Twitter is great for quick ideas that may or may not be useful. I had one the other day: An NTSB, but for ransomware. — Daniel Miessler (@DanielMiessler) May 22, 2021.

News & Analysis | No. 281

Daniel Miessler

SECURITY NEWS. Darkside, the ransomware group that ransomed Colonial, has largely gone dark after its servers and Bitcoin were seized. Its blog, payments collection site, and its CDN have gone offline.

Analysis of the RECON/Attack Surface Management Space

Daniel Miessler

I am often asked for my thoughts on the Bug Bounty / RECON / Asset Inventory / Attack Surface Management spaces. This is partially because I founded a company, called HELIOS, back in 2016, which I separated from at the end of 2018.

Cyber Pearl Harbor Is Happening Right Now — It’s Ransomware

Daniel Miessler

Since 2007 the InfoSec industry has been talking about TheBigOne™—the event that would change cyber threats from annoyances to existential concerns. They called it Cyber Pearl Harbor. This doesn’t mean it can’t still happen.

How to Initiate Contact With a Mentor

Daniel Miessler

I’ve been in security for over 20 years now and have received thousands of emails asking for help or mentorship. And throughout that time I’ve also reached out to hundreds of people asking for something similar.

3 Metrics That Will Indicate We’re Taking Security Seriously

Daniel Miessler

A lot of people are surprised when I tell them that computer security isn’t really a priority in most companies, or for our society in general. I captured this in my piece Why Software Remains Insecure , which basically comes down to security being precisely as good as it needs to be.

I Actually Like Remote and Pre-recorded Presentations

Daniel Miessler

I have an unpopular opinion about the security conference scene. Basically, it’s the opposite of what John Strand said here: Can we all agree that pre-recorded Conference talks are horrible? I mean… Why? — strandjs (@strandjs) October 28, 2020.

Ransomware Groups Add a Third Threat Vector: DDoS

Daniel Miessler

I’ve been writing a lot on ransomware recently , and wanted to comment on an interesting new development in attackers’ toolchests. At first they started with: If you don’t pay, you won’t get your data back. This is the original ransomware tactic.


What They Don’t Tell You About Being a Bounty Hunter or Content Creator

Daniel Miessler

I have been following the bug bounty and security creator/influencer scenes since they started. And as someone in security who also creates content, I feel very close to it all. What I’ve seen in the last year has been troubling.


Mechanizing The Methodology

Daniel Miessler

Download the Slides. I presented at DEFCON’s Red Team Village on August 8th, and the topic was the automation of common Recon and Security activities. More specifically, it was about how to do those things with common tools like Linux, Bash, Cron, Email, and Slack.

Opening vs. Closing is a False Dichotomy

Daniel Miessler

If you want to have a productive discussion on a difficult topic, start by discarding the extremes. Very few want pure communism, pure market capitalism, zero taxes, or taxes to be doubled.


Zuboff vs. Doctorow vs. Miessler: What’s the Greatest Threat to Human Privacy?

Daniel Miessler

Shoshana Zuboff came out with a brilliant work called Surveillance Capitalism a while back, which I reviewed here. It talked about not just the threat of the tech itself but how that tech could be used to control the behavior of populations. I highly recommend it.

Sickness Monitoring is the Opening Video Surveillance Has Been Waiting For

Daniel Miessler

I’ve thought for a long time that public video feed monitoring would become ubiquitous. My basis for this was looking at what humans ultimately desire, not at the tech itself.

Reverse Threat Modeling for Pursuing Attribution

Daniel Miessler

I was thinking about the recent Twitter hack the other day and thought of a simple technique for evaluating possible threat actors of information warfare campaigns.

Unsupervised Learning: No. 238

Daniel Miessler

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode.

Unsupervised Learning: No. 237

Daniel Miessler

THIS WEEK’S TOPICS: Americans in China, TikTok Banning, Chinese Critics, BlueLeaks, Router Security, COVID Accelerating Trends, Twitter Subscriptions?, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 236

Daniel Miessler

THIS WEEK’S TOPICS: Encrochat breach, F5 Big Problem, DHS Social Election Query, WastedLocker, India Bans Chinese Apps, Florida DNA Privacy, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 235

Daniel Miessler

THIS WEEK’S TOPICS: Chinese diplomats stealing secrets, COVID flying risk, RT interviewing US cops, Army Ignite future predictors, China launches its GPS network, Russians paid bounties to kill US troops, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 234

Daniel Miessler

THIS WEEK’S TOPICS: Ripple20 IoT Vulns, Homeland Security Surveillance, US Cyber Budget, Adobe EOL, AWS DDoS, Bellingcat Poison Investigation, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 233

Daniel Miessler

THIS WEEK’S TOPICS: SMBleed, Republicans vs. China, Hawkey Surveillance, COVID in August 2019, IBM Facial PR, Palantir NHS, Blockchain Misinformation, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 232

Daniel Miessler

THIS WEEK’S TOPICS: COVID-19 Trends, New Zoom Trouble, Facebook Blocking, Chrome Incognito Suit, Retail Rents, Nuclear Contractor Hack, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 230

Daniel Miessler

THIS WEEK’S TOPICS: Twitter Bots, Face Recognition Headsets, Chrome Bug Memories, Virtual Currency, White House OPSEC, Realtime Language Translation, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism….

Analysis of the 2020 Verizon Data Breach Report

Daniel Miessler

TOPIC: In this episode, Daniel takes a look at the 2020 Verizon Data Breach Investigations Report. He looks at the key findings and talks about what they might mean to us going forward. The newsletter serves as the show notes for the podcast.

Unsupervised Learning: No. 229

Daniel Miessler

THIS WEEK’S TOPICS: Feds Release Top Vulns, China Brainwave Tracking, Europe CISSP Masters, Army Electronic Warfare, Microsoft Third-largest Patch Tuesday, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Unsupervised Learning: No. 228

Daniel Miessler

THIS WEEK’S TOPICS: Thunderbolt Attack, Celebrity Ransomware, ClearView Government, Blackhat DEFCON Virtual, War Thunder, 5G Bio Attacks, PC Game Cheating, Zoom Keybase, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism….