Two new posts on cybersec certifications advice from Infosec Resources

Figuring out your appropriate certification program isn’t easy and involves almost as much studying as preparing for the certification exams themselves. But these programs can have big payouts in terms of job advancement, increases in responsibility and salary. I wrote two posts for Infosec Resources.

In our first post, we presented the issues a manager should consider in building a training program for their company. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers. In this first post, I talk about some of the benefits of training and ways to measure them, explore some of the costs, and describe the four different modalities that you can use to design your own training program.

In the second post, I explore the benefits and costs from the individual’s perspective, what you should expect from a certificate program, and how to evaluate one. This post also has a handy comparison chart that shows the costs and other considerations for the major infosec certs.

Avast blog: An Ugly Truth: A book review

New York Times reporters Sheera Frenkel and Cecilia Kang have been covering the trials and tribulations of Facebook for the past several years, and they have used their reporting to form the basis of their new book, An Ugly Truth: Inside Facebook’s Battle for Domination. The book is based on hundreds of interviews of the key players and shows the roles played by numerous staffers in various events, and how the company has acted badly in protecting our privacy and in making various decisions about the evolution of its products. Even if you have been following these events, reading this book will be an eye-opener. If you are concerned with your personal security or how your business uses its customer data, this should be on your summer reading list. The book lays out many of the global events where Facebook’s response changed the course of history.

My review of the book and some of the key takeaways for infosec professionals and security-minded consumers can be found here.

Avast blog: Beware of crypto exchange scams

You may already have won! How many scams have begun with these words?

There is a new breed of scammers gaining popularity, thanks to the wild swings in the cryptocurrency market. I worked with Avast researcher Matěj Račinský, who has tracked three different fake crypto exchanges. I show you some of the come-on messages, why their tactics are so compelling and almost believable, and how they ply their criminal trade, including phony news site announcements (as shown here).

You can read more about these scammers, and ways to avoid them, in my blog post for Avast here.

Recently published stories you might be interested in

First off, mea culpa for sending out that test message earlier this month. As you might have guessed, I have moved everyone to a new listserv (still using Mailman after all these years) at, and things seem to be working. LMK if you want to be removed or have your address updated or have issues with the mailings.

Last week was not a quiet week in Lake Wobegon, where all of my sources are above average. I flew for the first time domestically on business, and (unlike the fictional town) the flights and airports were crowded, but everyone was masked up and behaving, thankfully. The trip was to visit the Cyber Shield exercises held at the Utah National Guard base outside of Salt Lake City. I was staying on the base across the street from the monster NSA data center that you can see in the background.

The Guard story is posted here on Avast’s blog. I write about how the Guard is using live cyber ranges to train its cyber soldiers and the very realistic scenarios it is using. The dedication of the 800-some participants during this two-week event was amazing to see first-hand, and I appreciated all the time the Guard took to explain what they were doing and to share some of their stories about how they got involved with the Guard and how that related to their careers in cybersecurity.

I also wrote another post for Avast about the Pegasus Project that was the work of security researchers at The Citizen Lab in Toronto, the Security Lab of Amnesty International in Berlin, and the Forbidden Stories project in Paris. Pegasus is a surveillance tool sold by the Israeli private firm NSO Group. It can be deployed on both Apple and Android phones with incredible stealth, to the point that targets don’t even know it is there.

The three groups examined phones from 67 people and found that 34 iPhones and three Androids contained traces of Pegasus; about a third of these had evidence that Pegasus had successfully compromised the phone. Two items were interesting: First, one of the hacked iPhones was running the most current version of iOS. Second, many of the targets show a very tight correlation between the timestamps of the files deposited by Pegasus and particular events that link to the monitoring of the victim. Someone, a client of NSO who could aim the tool at these people, was very interested in them, and they ranged from politicians to journalists.

Several years ago, one of my contacts showed me the power of Pegasus on a test phone at my office and it was scary how easily the spyware could collect just about anything on the phone: texts, pictures, IP addresses, phone contacts, and so forth. If you want to read more about this project, several media outlets have written stories about it and are linked in my Avast blog.

Since I am in self-promotions mode, you might also want to check out some of my other work that I have written recently:

  • A story for CSOonline about a new defensive knowledge graph done by Mitre for the NSA called D3FEND. The project will help IT managers find functional overlap in their security tools and help guide new purchases as well as make better defensive decisions.
  • A podcast about a new report by Forrester that Paul Gillin and I recorded about the changing landscape of B2B discussion groups. The 14-minute conversation covers how the shift from LinkedIn to Facebook groups has evolved and why IT vendors and channel partners should pay attention to the other social network outlets.

Avast blog: How the National Guard trains its cyber soldiers

Earlier this month, I had the unique opportunity to observe the National Guard conduct its cybersecurity exercises at Cyber Shield 21. This is perhaps the largest training effort of its kind, with more than 800 people across the U.S. taking part. It uses a series of real-world threats to train its “cyber warriors”. For the first time, the Guard took advantage of a virtual cyber range that the Department of Defense developed with more than a dozen contractors. It was an interesting experience, and it busted a few of my long-held myths about our military and demonstrated the value of public-private partnerships. It was inspiring to see so many dedicated men and women who are willing to give so much time to support this effort, year after year.

You can read my full report for Avast’s blog here.

CSOonline: Mitre’s D3FEND explained

Mitre has created the D3FEND matrix to explain terminology of defensive cybersecurity techniques and how they relate to offensive methods. It is a common language to help cyber defenders share strategies and methods. It is a companion project to the company’s ATT&CK framework.

The goal is to figure out whether vendors are using different ways to solve the same problem, such as verifying a particular (and potentially malicious) code segment. D3FEND could help IT managers find functional overlap in their current security product portfolios and guide any changes in their investments in a particular functional area, as well as help them make better defensive decisions to protect their cyber infrastructure.

You can read more about Mitre’s D3FEND and its promise here in a post for CSOonline.

Nok Nok blog: 10 Years Later – How Nok Nok Labs brought about a change in strong and passwordless authentication

Nok Nok Labs came into being a decade ago and is having its moment in the spotlight. The company has seen the FIDO standards become adopted around the globe, in some cases with very large, scalable deployments that involve millions of end users, and has sold more than 500M key pairs. Along with helping to assemble the beginnings of the FIDO Alliance, Nok Nok engineers were co-creators of this now well-established set of authentication standards and have continued to innovate (with 50 patents filed), integrate and improve upon them in the past decade.

They are now one of the leaders in providing passwordless authentication, which now signifies a bona fide market segment, all thanks to FIDO protocols which make it easier for companies to transition, deploy, and manage a more secure solution that is focused on stronger security and privacy.

You can read my post on Nok Nok’s blog here.

Avast blog: Understanding the Pegasus project

Earlier in July, a group of security researchers revealed that they had been working together to uncover a widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth. In this blog post for Avast, I explain the collaboration, link to various media reports about what they found out, and ways that you can protect yourself — although the chances that you will become a target of this spyware are pretty slim.

Avast blog: Enhancing threat intelligence using STIX and TAXII standards

For many years, cybersecurity companies have invested in building sensor networks and detection capabilities to build a greater understanding of adversaries’ tactics, ever-changing techniques, and the threats posed to the world’s internet community.

One of the critical foundations of protecting all uses of the internet is for the security defenders to better understand what malicious activities look like and how to stop them. With that backstory of gaining greater insight, many security companies must not only understand their own data but also learn and share with others doing the same.

In my latest blog post for Avast, I take a closer look at two threat data sharing standards, STIX and TAXII.

It is 2021. Stop running your IT like it is 2019.

I had a moment to catch up with a friend of mine, Adam, who is an IT director for a DC-based global trade association. Adam and I go way back, so far back that I was present when we turned off a small IBM mainframe in favor of a Novell LAN back in 1995. Those were the days: that machine had 16 MB RAM and 7.5 GB of disk. My watch has more than that.

Adam has been working remotely for the past 18 months, and also had to manage moving his office to a new location and plan for the eventual return to the new place.

He told me that “working in the office is so 2019, it is time to start thinking of the future and assume that many people won’t be in their offices full-time. Why do you have to use a domain controller and a VPN when you should be preparing for a virtual environment, whether or not you actually need one?” Good questions.

He used the pandemic as an opportunity to throw some gas on technology changes that he wanted to make happen. “Only instead of taking five years, we managed to do this in a little over a year. The pandemic was a great accelerant to adopting new cloud-based technologies.”

His core IT stack is Microsoft-based, including five critical technologies: Teams, Azure AD, Defender ATP, Intune and Autopilot.

Early on, the focus was on Teams Chat and Video Conferencing as well as migrating an old-fashioned file server to Teams/SharePoint. Before the pandemic, Adam was begging staff to abandon audio-conferencing and switch to Teams for internal and external scheduled calls. Then in March 2020 the association had its first remote all-hands meeting via Teams. Over 50 staff joined the call and it went flawlessly. After that first call, Teams adoption soared.

Adam then switched his focus to move the association’s endpoints to Azure Active Directory. In the future, Autopilot, for example, will make it easier to drop ship a new computer and have it onboarded without anyone from IT actually laying their hands on it. Think of it as touchless installation. “The potential is that we can deliver most of our apps without ever seeing the PC.” Remember when IT used disk imaging tools to set up new PCs? That has gone the way of those IBM mainframes.

“Before the pandemic, we did patch management of our endpoints based on the machine being in our office, where they could physically talk to the WSUS server. All of a sudden, that premise-based connection was severed. In the future, we hope to decommission our on-premises Domain Controllers and run all IT infrastructure in Azure AD. The only server left will be a NAS with 8TB of video, audio and photos. It is just too much to put into the cloud at this time.”

Migrating from Active Directory to Azure AD isn’t simple, and their MSP, DelCor, is helping with the back-end transition. Adam and his staff are touching each endpoint themselves. The goal is to make it easier to manage their endpoints, whether they are in an office or dispersed in the homes of staff worldwide. “Companies that still have their AD controllers in a closet someplace should put migrating to a cloud-based directory system, whether Azure AD or some other flavor, on their roadmap.”

For an MFA security solution, his MSP insisted on using Duo’s MFA. “It made their jobs – and mine – much easier, and much more secure.”

As Adam’s team migrates users to Azure AD and Defender ATP, the IT Team is getting better visibility into the threat assessment of each endpoint. “IT directors are in a war, and we have to be continually improving our infrastructure and security footprint. Let’s face it, the most dangerous virus is the one you don’t know about that has been living on your network for months.”

Adam is using the paid Defender ATP license and replacing his Trend Micro AV installation, so he can get a single management screen to see which of his users’ PCs are in need of security updates. “Gone are the days of Windows 10 being stuck in the 2019 release.”

Adam is just a microcosm of the sea changes that IT is going through these days. Whether you are returning to your office or have adopted some hybrid solution, you might want to take a look at what you can do to manage more remote workers.