I'm part of an IT architecture task force guiding business units and vendors in our supply chain.
The cyber requirements we write 90% __do not require specialized InfoSec skills__. They require IT staff with competency in their tools, provided resources and management backing.
If you work in IT and want to work in InfoSec, congratulations, you start today. Understand your tools, their security implications and guidelines, and how to integrate that into your architecture. That's what Security is.
"Who makes sure the bridge doesn't fall down?"
The person who designs it.
Sure, there are other checks and changes during building and inspections and service expectations, but it's the designer. Not the Bridge-Don't-Fall-Down Department.
Because IT is not a formalized liable profession like Civil Engineering, designers in IT are often pressured by circumstance and rot into making things that aren't proper or qualified. I've done it many times. But that's where we have to fix it. Not strapping on girders later.

More from @SwiftOnSecurity

27 Oct
If you are junior IT in small to medium biz, isolated, caring about critical security issues you learn about daily as you expand your knowledge — I've been right the fuck exactly where you are. Years isolated, stewing in humiliation.

Here's what I learned the hardest way, alone:
1.) It is naively admirable to identify yourself and take personal stake in security of your employer's network. It sounds like a way to establish personal investment in the success of a project.
But it's a false idol. Be passionate on aims, but not occlusive in career scope.
Sidebar: Power is restraint.
Technical command of a subject – ability to speak authoritatively to others – is not itself correctness or effectiveness. Biting your tongue is not weakness.
It's strategy. Only you know your mind. Choosing not to strike rhetorically is discipline.
22 Oct
Funny thing about data centers, one of the most connected things on the planet, is you can only see them in-person. Nobody involved can share photos. It's a strong policy taboo everywhere. The justification basis for this is weak, but still just not something ever published.
Google and Microsoft have a few press photos of last-generation datacenters. Some carefully abstracted video segments. Otherwise, nada. One of the most critical pieces of physical infrastructure has no real public existence.
Something I bring up often because it tickles me: The people who work on cloud programming and the people allowed in cloud datacenters are separate workforces. At Microsoft you have less ability to enter them than a customer on a tour. Books of separation of duties requirements.
14 Oct
Sometimes you just need people hitting F12 and seeing if there's a hidden column for social security numbers on your site. Computer security, especially data disclosure, is hugely about assurance against mistakes.
However, offering a public interface to your raw HR data is architecturally wrong. It should be a different silo entirely, even if you have to periodically replicate a subset of the columns. There's no way a public site should be able to send queries against tables with PII.
I received a $10,000 bug bounty by just looking at text attributes on a high-profile site, trust me you should just go poke around stuff. They had sanitization built and validated, they thought they did everything right, but it _broke in certain situations_.
14 Oct
I doubt the modern credentials of anybody who decries maturing technologists of today.
In my world, everything accepted simple HTML input for quick designs. You could spin up a mail server on your home DSL.
Everything is behind layers and layers of presuppositional framework now.
In my world, I took HTML and applied it anywhere. Neopets, MySpace, Angelfire. These kingdoms of naïveté before established monetary incentives for abuse. You needed to know a couple words to change a background color. Now? You are expected to abide massive stacks of abstraction.
In my world, a mail server was a port you delivered mail to and accepted mail from on the internet.
Today it is bounded by reputational validation, tens of DNS lookups, authorization syntax, public cryptography keys for header and content validation, and more.
The entry is hard.
13 Oct
Something I do not like about tests is answering to what the exam wants to hear, and not what's true. There is vanishingly little evidence of commercial advantage hacking. Instead, states may pursue info through intelligence agencies then distribute the data to national industry.
Our competitors are not our concern. Their governments are.
A competitor will just hire talent and the info in their brain. It's totally legal (subject to some civil law). Higher-end threats may groom and convince an insider to load up a USB drive and fly to a country without consequences. But hacking? I'm not worried about that.
10 Oct
Searching YouTube for videos of a burglar actually kneeling down and picking a lock has no results I've found.
Replacing all locks on the house with commercial grade 2 Schlage locks with electronic keypads, which are about $100 each. I'm interested in reliability, serviceability, and simple physical overpowering of the cylinder. Otherwise, reinforcing doors and making windows less attractive.
Just to be clear, these are very good locks that are a significant upgrade compared to bulk builder quality. But I live with surround windows they're just going to smash until I get rolling security shutters.
