I *rarely* call out journalists. But this is an exception.

Hey @dannyjpalmer, this article you wrote is everything that is wrong in infosec.

zdnet.com/article/why-do…

ding ding, school's in session!

1/?
First of all your headline is deliberately inflammatory.

But more critically, you miss the really interesting angle... how is it that these users are set up to fail?

2/?
The fourth estate is supposed to be elevating the discussion. You sir have let us down here. I don't know you... but I feel like you phoned it in on this one.

The article should enlighten. At a few points you come close but don't drive home.

3/?
But most damning in my eyes is that the advice you give isn't actually helpful! MFA to stop client side attacks? Do you realize that I have never _once_ been stopped by MFA during a pen test? No competent attacker ever is... and you know why? Phishing.
4/?
The very defense that you tell folks to use is HOW attackers defeat MFA.

So in the interest of trying to make the world better, here's what you should have mentioned.

5/?
Phishing attacks work because attackers need user creds. Over the decades, IT/security has effectively forced attackers to the desktops.

We routinely monitor servers and network devices. We do a poor job on the endpoints. Attackers know this and go where visibility is lowest.
6/?
Defenders *must* accept this reality. Logging on the endpoints is now a requirement. Testing to see how attackers can get on a desktop regardless of initial entry vector is key. Phishing, drive by download, malicious insider... it no longer matters.
7/?
Defenders must architect networks so lateral movement is *observable*. pVLANs, host firewalls, etc. All allow us to do that. Many options can be done with just host-native tooling. No need for fancy EDR/XDR.
8/?
Also, let's make a shift on what is protected. Build your detections around safeguarding the most important thing. Hint: the device isn't that important to the attacker. It's a launching point to the data which is THE thing.
9/?
So please, please, I beg you. (I mean all of us in infosec in any shape)

STOP BLAMING USERS.

10/?
If you're not convinced about this, consider this. In no other industry do we continue to blame the user as we do in IT/infosec.

In an industrial facility, if someone gets hurt, OSHA (or similar) reviews things. What allowed that worker to get hurt?

11/?
If you've made it this far... thanks. Demand better of everyone. Including me... ranting like this doesn't help much... it made me feel a bit better. And I HOPE it gives you a glimpse into how things can be different.

This status quo sucks. We have to shift thinking.
fin.
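The thread's point that host firewalls plus endpoint logging make lateral movement observable without EDR can be shown with host-native data. This is an added example (not from the thread or its author) that runs detection logic over constructed Windows Firewall log lines (pfirewall.log field order); the workstation subnets, admin-port list and sample addresses are assumptions for illustration.

```python
import ipaddress

# Assumed values for this example (not from the thread): which subnets hold
# workstations, and which inbound ports a peer workstation should never need.
WORKSTATION_NETS = [ipaddress.ip_network("10.1.10.0/24"), ipaddress.ip_network("10.1.11.0/24")]
ADMIN_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}
# Field order of the Windows Firewall log (pfirewall.log), as its "#Fields:" header lists it.
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port", "dst_port",
          "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin", "icmptype", "icmpcode", "info", "path"]

# Constructed sample: lines collected from several hosts' firewall logs.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:12:01 ALLOW TCP 10.1.10.23 10.1.50.5 51234 445 0 - 0 0 0 - - - SEND
2024-03-04 09:12:07 DROP TCP 10.1.10.23 10.1.10.57 51240 445 52 S 1208 0 8192 - - - RECEIVE
2024-03-04 09:12:09 DROP TCP 10.1.10.23 10.1.10.58 51241 3389 52 S 1209 0 8192 - - - RECEIVE
2024-03-04 09:12:30 ALLOW TCP 10.1.10.23 10.1.10.59 51250 5985 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:13:00 ALLOW UDP 10.1.10.23 10.1.10.255 137 137 78 - - - - - - - RECEIVE
"""

def parse_line(line):
    """Turn one log line into a dict; comments, blanks and short lines yield None."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_workstation(ip):
    return any(ipaddress.ip_address(ip) in net for net in WORKSTATION_NETS)

def find_lateral_movement(lines):
    """Inbound TCP on an admin port where both ends are workstations. DROP lines count
    too: a host firewall denying a peer's SMB/RDP probe is the observable signal."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["protocol"] != "TCP" or rec["path"] != "RECEIVE":
            continue
        port = int(rec["dst_port"])  # TCP lines always carry numeric ports
        if port in ADMIN_PORTS and is_workstation(rec["src_ip"]) and is_workstation(rec["dst_ip"]):
            hits.append((rec["src_ip"], rec["dst_ip"], port, ADMIN_PORTS[port], rec["action"]))
    return hits

def fan_out(hits, min_targets=2):
    """Sources touching at least min_targets distinct peers: the spread pattern to alert on."""
    targets = {}
    for src, dst, *_ in hits:
        targets.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Running `fan_out(find_lateral_movement(SAMPLE_LOG.splitlines()))` on the sample flags the one workstation that reached three peers on admin ports, while its legitimate file-server and NetBIOS broadcast traffic is ignored.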
OMG! Major shoutout to @pathetiq whose comment on this article made me go down this ranty tweet path.
Sooo... coming back to this.

Has the video been swapped? I get an interview with Maya Horowitz, not Troy Hunt who's quoted in the article.

Can someone verify this? I'd like to see if I'm doing something wrong.

FWIW: I quite liked the interview... but it doesn't match the text.

Keep Current with Mick Douglas