Security

A 368-post collection

Fixing Data Breaches Part 5: Penalties

In the first 4 parts of "Fixing Data Breaches", I highlighted education, data ownership and minimisation, the ease of disclosure and bug bounties as ways of addressing the problem. It was inevitable that we'd eventually end up talking about penalties though because the fact remains that although all the aforementioned recommendations make perfect sense, we're still faced with data breaches day in and day out from companies just not getting the message. This part of the series is also the hardest to implement. It requires regulatory changes, can be highly subjective and poses all sorts of cross-border challenges. But it's important, so let me do my best articulating it. Are Organisations Actually Paying Attention? Here's what really strikes...

Fixing Data Breaches Part 4: Bug Bounties

Over the course of this week, I've been writing about "Fixing Data Breaches" which focuses on actionable steps that can be taken to reduce the prevalence and the impact of these incidents. I started out by talking about the value of education; let's do a better job of stopping these incidents from occurring in the first place by avoiding well-known coding and configuration flaws. I went on to data ownership and minimisation where I talked about giving people back control of their data and collecting less of it in the first place. And then yesterday, I encouraged people to make disclosure easier because there are way too many cases where serious issues go unreported. Today's post extends on...

Fixing Data Breaches Part 3: The Ease of Disclosure

This week, I've been writing up my 5-part guide on "Fixing Data Breaches". On Monday I talked about the value of education; let's try and stop the breach from happening in the first place. Then yesterday it was all about reducing the impact of a breach, namely by collecting a lot less data in the first place then recognising that it belongs to the person who provided it and treating with the appropriate respect. Today, I want to focus on the ease of disclosure. What I'm talking about here is ensuring that when someone wants to report something of a security nature - and that could be anything from a minor vulnerability through to a major data breach...

Fixing Data Breaches Part 2: Data Ownership & Minimisation

Yesterday, I wrote the first part of this 5-part series on fixing data breaches and I focused on education. It's the absolute best bang for your buck by a massive margin and it pays off over and over again across many years and many projects. Best of all, it's about prevention rather than cure. The next few parts of this series all focus on cures - how do we fix data breaches once bad code has already been written or bad server configurations deployed? In part 2 of the series, I want to talk about data ownership and minimisation and this is all about reducing the impact on individuals and organisations alike when things do go wrong. Who Owns Our...

Fixing Data Breaches Part 1: Education

We have a data breach problem. They're constant news headlines, they're impacting all of us and frankly, things aren't getting any better. Quite the opposite, in fact - things are going downhill in a hurry. Last month, I went to Washington DC, sat in front of Congress and told them about the problem. My full written testimony is in that link and it talks about many of the issue we face today and the impact data breaches have on identity verification. That was really our mandate - understanding the impact on how we verify ourselves - but I want to go back a step and focus on how we tackle data breaches themselves. Before I left DC, I promised the...

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine..." The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them: I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC— NatWest (@NatWest_Help) December 12, 2017 This was after a concerned customer and then myself trying to explain to them that serving their home page over a non-secure connection wasn't such a good idea. The "I'm sorry you feel this way" tweet was in response to...

New Pluralsight Play by Play: What You Need to Know About HTTPS Today

As many followers know, I run a workshop titled Hack Yourself First where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS. I was thinking about it just now when considering how to approach this post launching the new course because let's face it, I've got a lot of material focusing on the topic already. But then I started thinking about the rate of change; just since the beginning of last year, here's a bunch...

The Trouble with Politicians Sharing Passwords

Yesterday I had a bunch of people point me at a tweet from a politician in the UK named Nadine Dorries. As it turns out, some folks were rather alarmed about her position on sharing what we would normally consider to be a secret. In this case, that secret is her password and, well, just read it: My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!— Nadine Dorries (@NadineDorries) December 2, 2017 For context, the back story to this is that another British pollie (Damian...

Here's What I'm Telling US Congress about Data Breaches

Last week I wrote about my upcoming congressional testimony and wow - you guys are awesome! Seriously, the feedback there was absolutely sensational and it's helped shape what I'll be saying to the US Congress, including lifting specific wording and phrases provided by some of you. Thank you! As I explained in that first blog post, I'm required to submit a written testimony 48 hours in advance of the event. That testimony is now publicly accessible and reproduced below. Do keep in mind that the context here is the impact on identity verification in "a post-breach world". My task is to ensure that the folks at the hearing understand how prevalent breaches are, how broadly they're distributed and...

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

Edit: I'm putting this up front as a lot of people are asking for it - the hearing will be live-streamed on YouTube and there's already an embedded video on the hearing page. There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say? For a bit more context, I've been chatting with folks...