"We get pentested so we're secure"
Why the annual pentest is a snapshot with no predictive value, how the industry puts junior testers on template reports, and what a good pentest actually is.
20 pages
How the term "zero-day" was hijacked by marketing, why most "zero-day attacks" are actually n-day attacks, and who profits from the confusion.
Why TSA screening and security awareness training are the same problem, how decades of ritual have failed to stop the core attack, and what we learn from that.
How Cl0p in 2023 emptied thousands of organisations over one weekend via a file-transfer tool nobody had ever inspected — and why supply chain attacks aren't going away.
On legacy systems, industrial controllers that never reboot, vendors who went bankrupt five years ago, and what to do when 'just patch it' isn't an option.
How 100 million Capital One customers were looted by an ex-AWS employee with an SSRF exploit, why the cloud isn't security, and what your people don't want to hear.
On the annual mandatory training everybody clicks through, the gotcha simulations that shame colleagues, and why the research says you're not training people to become defenders.
Why Hollywood gives you the wrong picture of insider threats, why the real threat is almost always boring and sloppy, and what offboarding has to do with security.
On the absurdity of terabytes of logs that nobody ever looks at, the shock of discovering they aren't there, and how to build a logging strategy people will actually use.
How an 18-year-old in September 2022 brought down the entire Uber empire in 24 hours by calling an employee until they pressed approve.
What cyber insurance does and doesn't do, why it keeps getting more expensive and harder to get, and the painful question of whether you should even want it.
How in the spring of 2024 a hundred large companies were emptied via a service they used every day — and why the vendor could technically claim it wasn't their fault.
How an industry of 200-question forms created an illusion of control, and what to do instead if you actually want to know whether your vendor is any good.
On Friday 19 July 2024, 8.5 million Windows machines collapsed simultaneously. It wasn't an attack. It was an update. And it's exactly what modern IT rests on.
What NIS2 actually requires, what consultants are selling you, and the difference between those two — explained without a single PowerPoint.
How a password manager with 33 million customers lost everything its name is literally about — and what that says about your trust in vendors.
Half of organisations don't know whether their backups work — and most find out on the day it matters.
Why you don't need to worry about Russian APT groups and very much should worry about the 14-year-old with a phishing kit he bought on Discord.
How an organisation can pass ISO 27001, sign NIS2, and still be flattened six weeks later by a teenager with a phishing kit.
Password rotation is a fifteen-year-old superstition. Here's why it survives, why it never worked, and what to do this afternoon.