Archive

1. April 21, 2024

   Cyberweekly #246 - Walking the floor as a leader

   After last weeks newsletter, I was contacted by a few people to mention that the combination of pieces about "moving away from the shop floor" resonated quite strongly with them. It's really hard when you work in cybersecurity to even work out...

2. April 21, 2024

   Cyberweekly #245 - Who is responsible for security?

   I have just come back from a half week at the excellent London QCon conference, one of my first big conferences in about 5 years for a number of reasons. It was really nice to mix with people, hear talks on the advancing of the art of technology...

3. April 07, 2024

   Cyberweekly #244 - Curiosity killed the (backdoor) campaign

   Jeff Moss spoke at Blackhat a few years back about ["superempowered individuals"](https://www.theregister.com/2022/05/12/jeff_moss_ukraine_cyber_governance/) - people who have more individual power than some nation states due to their combination of...

4. March 24, 2024

   Cyberweekly #243 - What is enterprise security compared to product security?

   Some weeks I read a blogpost that just perfectly encapsulates a bunch of my own thoughts and things really crystalise together. This week was one of those for me. I've spent a far long time than I care to count building, scaling and deploying...

5. March 10, 2024

   Cyberweekly #242 - Sitting on legacy dynamite

   We all use the term "legacy" when talking about IT, but it's rare that organisations actually recognise the real risk that it poses. We know that it can costs tens or hundreds of millions to recover from a cyber attack, but for some reason, the...

6. March 03, 2024

   Cyberweekly #241 - Protecting the edge

   The edge of our systems are both the most vulnerable and the most critical of our systems. It's frequently the case that security appliances themselves can be some of the least effectively secure. That might be because they're under the most...

7. February 25, 2024

   Cyberweekly #240 - Commoditisation of Capability

   There's a concept that's been floating around for decades called the [commoditization of process](https://hbr.org/2005/06/the-coming-commoditization-of-processes) or commoditisation of capability. I first encountered the concept in the business...

8. February 11, 2024

   Cyberweekly #239 - How do we learn technical skills?

   My background is long and deeply nerdy. When I was a teenager, all I wanted to do was make computer games. A close friend and I spent hours on the internet reading tutorials on how to program video graphic with snippets of assembly code embedded...

9. February 04, 2024

   Cyberweekly #238 - Living in the future is both bright and scary

   We live in the future and we're going to have to accept it. There's huge advantages to living in the future. We have been living through a social and cultural revolution with the advent and growth of the global internet in a way that hasn't...

10. January 28, 2024

    Cyberweekly #237 - Who bears the burden of security?

    There's a common view amongst security professionals that everything would be better if users just cared more about security. But the reality is that most users do care about security, it's just that they care about doing their jobs more, and they...

11. January 14, 2024

    Cyberweekly #236 - Data lies beyond the organizations border

    I start this weeks newsletter with a mea-culpa. Last week was of course not the first week of 2025, so I want to thank all of the people (and there were quite a few) who reached out to let me know that we have only just entered 2024! I always like...

12. January 07, 2024

    Cyberweekly #235 - New year, new start

    Welcome to the first newsletter of 2025, and apparently the 235th newsletter that I've written! I've talked before about the way that I write this newsletter. I write this more for me than for the readers, as it's a great forcing mechanism to...

13. December 17, 2023

    Cyberweekly #234 - Are you having a productive week?

    Productivity is one of those mythical things that's almost impossible to measure for 99% of human endeavour. We can more or less measure the productivity of people carrying our repetitive manual tasks, although much of the research into that tends...

14. December 03, 2023

    Cyberweekly #233 - AI both is and isn't an existential threat

    I don't think that AI is coming for your job, and I am on the doubting side that AI is going to rise up and pose a fundemental existential threat to humanity. But I do think that the rapid rise of AI (by which we almost always mean large language...

15. November 19, 2023

    Cyberweekly #232 - Are you radiating your intent?

    The story of the Mirai creators is one of the most interesting I've read all year, and while it would be a stretch to say that they had good intentions with every step, I think it is clear that they didn't really intend to end up where they did, but...

16. November 12, 2023

    Cyberweekly #231 - Living below the cyber poverty line

    Microsoft's annual report has an interesting concept in it, that of organisations that live below the cyber poverty line. The concept here is that there's a minimum amount of cyber security spend that an organisation must be able to pay, which is...

17. November 05, 2023

    Cyberweekly #230 - What do we mean by a risk-based approach?

    We hear the phrase "Take a risk-based approach" or "make a risk-based decision" a lot in security, and I do believe that we should be risk-based in our security approach, but it's so much easier to say than to actually do. Humans are awful at...

18. October 29, 2023

    Cyberweekly #229 - Doing the hard work to make it simple

    When I first joined GDS, there was a poster on the wall that said ["Do the hard work to make it simple"](https://www.gov.uk/guidance/government-design-principles#do-the-hard-work-to-make-it-simple), and I loved the concept that this selection of smart...

19. October 22, 2023

    Cyberweekly #228 - Users are not the first line of defence, or the last

    Phishing exercises do more damage than they prevent. There I said it, in black and white. Running phishing exercises, especially where you rank or score your employees has negligable effects on actual phishing successes, but definitely has a...

20. October 15, 2023

    Cyberweekly #227 - The more we change, the more things stay the same

    Attackers will break into your systems because you haven't applied security patches and you aren't detecting off the shelf commodity malware being run on your desktops and servers. This is the reality of cybersecurity in organisations today, and I...

21. October 08, 2023

    Cyberweekly #226 - Understanding how software is built and deployed

    Something that seems quite common is a bit of a rose tinted view of how software is built and deployed in many organisations. Those people coming from a software development team background tend to assume that there's developer control over some...

22. October 01, 2023

    Cyberweekly #225 - Managing your use of AI

    What does it actually mean to use AI in your organisation or life? You might want to use AI tools because they are cool and let you speed up some of your work, or you might seriously be considering how to best embed large language models into your...

23. September 24, 2023

    Cyberweekly #224 - Building trust between teams

    Welcome back everyone! It's been 6 months since my last issue, in what has become an increasingly and unexpectedly long sabbatical from CyberWeekly, I'm pleased to say that I'm back! I ended up taking a break for a combination of workload, focus...

24. March 26, 2023

    Cyberweekly #223 - Separating the reality from the hype in AI

    AI is having a huge impact right now. I think that whenever I log into twitter, most of what I see is covering AI in some form. There are other emerging technologies that I think are interesting, but AI is really having it’s moment in the...

25. February 19, 2023

    Cyberweekly #222 - The AI Issue

    A couple of months ago, I had seen some initial noises about ChatGPT, had a play, and asked it to generate a CyberWeekly for me. I shared this with some friends, but in the run up to Christmas, what with everything else going on, I didn't actually...

26. February 05, 2023

    Cyberweekly #221 - Can you define a good security culture?

    It's really easy to hand wave and say that we need a better security culture, but it's really hard when you start to drill down on what that actually means. Many people, when they say they want a good security culture either mean sticking up...

27. January 29, 2023

    Cyberweekly #220 - Communicating with your staff

    One of the hardest challenges for new managers is learning how to communicate effectively as a manager. One of the things that makes this difficult is that the career path to management, especially in technology and cyber, is not always straight. ...

28. January 15, 2023

    Cyberweekly #219 - When is a credential not a credential?

    In the move to zero-trust, the concept of credentials to authenticate users comes up a lot. We tend to think of a credential as the thing that the user uses to confirm to the computer who they are. This is typically a username and a password, but...

29. January 08, 2023

    Cyberweekly #218 - Balancing security and usability

    Happy new year and welcome to 2023. Before the break, I had a very busy period at work because I'm currently covering a vacancy of another manager in addition to my existing role. That means that my time to sit and read and digest cybersecurity...

30. November 20, 2022

    Cyberweekly #217 - Raising the cost for attackers

    One of the things that we don't often talk about in security is that we're often not trying to make our systems immune to attacks. Instead, what we are often trying to do is ensure that our system is too hard for the average attacker to compromise...

31. November 13, 2022

    Cyberweekly #216 - Learning from the past

    We aren't very good at learning from the past in cyber security. One of the issues is that we have a really young industry. The US Government and the airline industry [created the NTSB back in...

32. November 06, 2022

    Cyberweekly #215 - Make things open, it makes things better

    As annual reports often tell us, the speed and capability of cyber crime groups and bad actors on the internet is constantly increasing. Red teamers, ethical hackers, and vulnerability researchers share their findings openly, and bad actors are...

33. October 30, 2022

    Cyberweekly #214 - Little snippets of practice

    Firstly, apologies that this weeks issue has been delayed and last weeks issue was completely missing for a number of reasons, partly because it's half term in the UK and I've been spending time with my family, and partly because I've been incredibly...

34. October 16, 2022

    Cyberweekly #213 - When is a vulnerability not a risk?

    We’re moving the dial on the visibility of vulnerabilities. More than ever, we can get constant feeds of the vulnerabilities in software, of the CVE’s that affect us, and of the acres of supply chain exposure that most organisations have. But...

35. October 09, 2022

    Cyberweekly #212 - The danger of frameworks

    Frameworks are brilliant, they let us build something quickly, providing it’s the same shape as the framework intends. We use frameworks in a number of areas, from process frameworks like SCRUM or SAFe, to software frameworks like Ruby on Rails, or...

36. October 02, 2022

    Cyberweekly #211 - Templates and other enablers

    What does it mean to secure the appsec pipeline? In organisations with a reasonably large development team, or teams, there might be multiple product teams, and several development teams. If the ratios follow the normal curve, then you...

37. October 02, 2022

    Cyberweekly #210 - MFA is "simple"

    For years, the security community has said that it's simple to roll out MFA. The Uber hack shows that this is simple not true. Ignoring the swirling rumours around the hack, what is pretty clear is that Uber had deployed MFA across its staff, and...

38. September 18, 2022

    Cyberweekly #209 - Supply chains and inflection points

    We're at a strange time in history for software development and engineering. Paradigms on how we do software development have changed repeatedly in the last few decades, and most organisations and cultures take far longer than that to...

39. September 04, 2022

    Cyberweekly #208 - Process is the backbone of organisations

    Welcome back, apologies for not sending a newsletter out last week, but I was on holiday and tanning myself on the beach. As a reward, a slightly longer than normal newsletter for you. Processes are the bones of an organisation, and like...

40. August 21, 2022

    Cyberweekly #207 - Cognitive load

    I had a great time at Blackhat, BSides and DEFCON. There were loads of talks, on a huge number of technical topics, and one of the things that I came away, both inspired and slightly daunted by, was the breadth of topics that security can...

41. August 07, 2022

    Cyberweekly #206 - Too excited to write coherently

    This newsletter is short for a couple of reasons. The main one is that I’ve been looking forward to heading to [Defcon](https://defcon.org/html/defcon-30/dc-30-index.html) and [Blackhat](https://www.blackhat.com/us-22/) this weekend for quite a...

42. July 31, 2022

    Cyberweekly #205 - Determining whether you have good policies and processes

    I’m not a huge fan of certifications. However, SOC2 seems to actually provide a lot of things that we care about. I’ve often joked in the past that ISO27001, since it focuses on the existence of repeatable processes, doesn’t give you confidence...

43. July 24, 2022

    Cyberweekly #204 - Treat data like toxic waste

    It seems that the argument for privacy and lawful interception has erupted once more. There's a couple of good posts below by some smart thinkers in this field, and while many of the participants firmly disagree with each other, I think it's...

44. July 17, 2022

    Cyberweekly #203 - AI is the new hotness

    Phew! This newsletter is bought to you, late, in absolutely scorching weather in the UK that has made it too hot to sit and read in my office, and especially to sit and write this introduction. I had lots of thoughts and ideas about the role of...

45. July 10, 2022

    Cyberweekly #202 - Where responsibilities lie

    If you run a major company, and use code written by a hobbyist developer, whose job is it to ensure the code is secure? What if that code is not used directly by you, but you are using a popular open source framework that is supported by an open...

46. July 03, 2022

    Cyberweekly #201 - Just do it

    I do love a theoretical argument. If you ask me a question at the right time and place, as my team will ruefully tell you, then I can descend into a full and thorough analysis of the problem, normally starting with sentences like “Oh, that’s a...

47. June 26, 2022

    Cyberweekly #200 - Issue 200

    I can't really believe that I've managed to write 200 of these, and that people continue to subscribe week after week. This has been a somewhat idiocentric project that started about 4 years ago, a few weeks before I flew out to California for a...

48. June 19, 2022

    Cyberweekly #199 - Learning by doing

    How do we learn stuff? There's a lot of different theories about how people learn. One of my teacher friends always gets quite frustrated at the common tropes of "learning styles" because there's quite a lot of evidence to debunk the learning...

49. June 12, 2022

    Cyberweekly #198 - Controlling access to the things that matter

    Identity and Access Control forms the basis of almost all security as we know it. It doesn't matter whether we are talking about using passes to enter a building, issuing tokens for a service to access an API, or forcing users to rotate their...

50. May 29, 2022

    Cyberweekly #197 - Are we getting better or not?

    It's incredibly difficult to legitimately measure our effectiveness at cybersecurity. Security is one of those things, where if you spend money and "nothing happens", it's unclear whether your money made the nothing happen, or if nothing happened...

51. May 22, 2022

    Cyberweekly #196 - Knowing when you are compromised, and doing something about it

    “Just log more” is the advice that we see most often from cybersecurity defenders and cyber talking heads (which reminds me of [Max Headroom](https://en.m.wikipedia.org/wiki/Max_Headroom)). But defenders are often sifting through mountains of log...

52. May 15, 2022

    Cyberweekly #195 - Do we understand our supply chain?

    [Betteridge's law](https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines) should tell you the answer to this! Of course the answer here is no. We almost certainly do not understand our supply chains, and I suspect it's likely that we...

53. May 08, 2022

    Cyberweekly #194 - Talking to yourself

    Happy sunday on a gloriously sunny day. Some of you might have noticed that I didn't send a newsletter last week, and I'd love to have a good excuse, but in reality, it's the start of summer and the UK has a number of public holidays that make for...

54. April 24, 2022

    Cyberweekly #193 - Remaining vulnerable

    How you deal with vulnerabilities is critical to your organisations approach to security. In far too many organisations, there simply isn't any defined vulnerability process. If someone finds something, it's reliant on the development team or...

55. April 10, 2022

    Cyberweekly #192 - Integrity in the software supply chain

    We sometimes talk about "securing the software supply chain" as if it will prevent bugs and issues, which isn't quite accurate. The increasing number of software supply chain systems are there to validate and verify the integrity of the supply...

56. April 03, 2022

    Cyberweekly #191 - Risk and Reward

    Humans are funny creatures, we're afraid of flying but drive cars on a daily basis despite one being the safest form of travel and the other being the most dangerous. We have terrible natural senses of probability, risk and reward. Asking almost...

57. March 27, 2022

    Cyberweekly #190 - It's not zero trust, it's moving trust

    Zero trust is the architecture we talk about where there is zero trust in the fact that the requests are ["coming from inside the network"](https://tvtropes.org/pmwiki/pmwiki.php/Main/TheCallsAreComingFromInsideTheHouse). But in fact, all we are...

58. March 20, 2022

    Cyberweekly #189 - Trusting your source

    I’ve referred before to the excellent XKCD cartoon that reminds us that huge amounts of modern commercial systems and code rely on a library maintained by a [single open source developer somewhere in Nebraska](https://xkcd.com/2347/). But have...

59. March 13, 2022

    Cyberweekly #188 - Trust networks

    How networks affect us all is both intuitive and supremely unintuitive at the same time. GPG, rather famously suggested that people have key signing parties, where you would gather in person and you would validate someone's passport or driving...

60. March 06, 2022

    Cyberweekly #187 - Advanced attackers aren't always advanced

    This week has had a lot of cyber security pundits confused that their predictions of the coming cyber apocalypse haven't come true. They predicted another attack the size and impact of NotPetya or Wannacry due to the Russian invasion of Ukraine,...

61. February 27, 2022

    Cyberweekly #186 - Managing people is our job

    I'm going to start this week by explaining why I'm not talking about the situation unfolding in Ukraine. Everybody on the internet has shifted from an expert in microbiology into an expert on foreign policy in the last few days, and quite...

62. February 20, 2022

    Cyberweekly #185 - Classifying data properly

    It's nice to imagine a world with proper classifications and access control systems. You can read declassified US reports and see examples where every single paragraph contains a portion marking, an indicator that this portion of the document bears...

63. February 13, 2022

    Cyberweekly #184 - How much trust in zero-trust do you have?

    Zero-trust is the new saviour of all of our security woes, but I suspect that the effort and impact of it is wildly underestimated by most people. It's not even really clear what it means in most cases. Take the rather excellent [zero-trust memo...

64. February 06, 2022

    Cyberweekly #183 - Does it matter who your adversary is?

    There's a lot of emphasis in threat intelligence about understanding our adversaries. We name them, with threat intel companies competing for the most memorable names in a theme, from Microsoft's rare elements like Phosphorus, Strontium, Nobelium...

65. January 30, 2022

    Cyberweekly #182 - Protecting the things protecting your infrastructure

    Back in the good old days, we had really simple systems and services. We had J2EE stacks and servers, and our systems communicated via JNDI lookups which totally couldn't be abused when logging things. But the problem with these systems is that...

66. January 23, 2022

    Cyberweekly #181 - Cyber Command and Control

    If we assume for a minute that you aren't perfect, that somehow, an adversary has gotten onto one of your users endpoints. What happens next? The [concept of a "Cyber Kill...

67. January 18, 2022

    Cyberweekly #180 - Securing the software supply chain requires action now

    There's a lot of noise around the "software bill of materials" concepts at the moment. This work has been going for years, but really stepped up a gear after both Solarwinds and then log4shell compromises. Some people argue that investing into the...

68. January 09, 2022

    Cyberweekly #179 - Managing a wide ranging and long running incident

    Happy new year! I said last year that I'd take a break for Christmas, and then a fairly major incident broke, and I spent a number of hours writing [the longest cyberweekly newsletter that I've ever...

69. December 22, 2021

    Cyberweekly #178 - Will 2022 be the year of ransomware?

    As we go into the next year, the question that flows around is whether ransomware will continue to be the threat to watch in 2022. It's difficult to give a really convincing argument in either direction. There's a lot changing in the ransomware...

70. November 28, 2021

    Cyberweekly #177 - Automation accelerates our accuracy

    Automation can be seen as a way to make jobs easier, to reduce the grunt work. But automation also means that the job is done the same way every time. It means that you can read the automation specification to know exactly how the job will be...

71. November 21, 2021

    Cyberweekly #176 - The Red Queen Problem

    > "Well, in our country," said Alice, still panting a little, "you'd generally get to somewhere else—if you run very fast for a long time, as we've been doing." > > "A slow sort of country!" said the Queen. "Now, here, you see, it takes all the...

72. November 14, 2021

    Cyberweekly #175 - Privatising our risk

    Ciaran Martin makes excellent points today in this assessment that we have privatised our security risks in a way that prevents control. Ransomware as a scourge has prompted more organisations and nations to action than almost any other...

73. November 07, 2021

    Cyberweekly #174 - One Team, Two Team; Blue Team, Green Team

    Within security we often think a lot about the bad guys, the red team, and how they work, how they can compromise our systems. We also pay a lot of attention to the blue team, the team of defenders watching the screens, analysing the systems and...

74. October 31, 2021

    Cyberweekly #173 - Scaling a community

    This last few weeks, there's been a lot of discussion around whether Facebook is a net positive for society or not. Sadly, the stories of families who can keep in touch, or old university friends who support one another are never newsworthy, and so...

75. October 24, 2021

    Cyberweekly #172 - How do we secure the future of work

    I don't think we yet know where the future of work is going, let alone how to secure it. Analysis shows that there are generational and lifestyle splits over a desire to work in the office, but it's not just about location. The pandemic working...

76. October 17, 2021

    Cyberweekly #171 - Managing your risk from vendors

    We’re going to hear a lot about supply chains over the next few years. This is going to be the next big thing in security, and luckily, lots of smart people are already working on subsets of the problem. But there’s a few big problems with supply...

77. October 10, 2021

    Cyberweekly #170 - Culture eats strategy for breakfast

    It’s long been said that Culture eats strategy for breakfast. The big tech titans, such as the “FAANG” set of Facebook, Apple, Amazon, Netflix and Google, have all developed and inherited a specific culture, and it’s a culture of “deliver at all...

78. October 03, 2021

    Cyberweekly #169 - Knowing how it’s used

    The products and services that we offer to our users and customers is something we can only improve if we actually understand how it is being used. In one of my first experiences with watching user research, nearly a decade ago, I watched a set of...

79. September 26, 2021

    Cyberweekly #168 - The modern cloud is different

    I think I’ve said this before, and I’m sure I’m repeating myself, but lifting and shifting your data centre into the cloud isn’t actually a good idea. The public cloud is like for like more expensive than running your own data center, and the...

80. September 19, 2021

    Cyberweekly #167 - We rely on our suppliers

    Supply chains have been a cybersecurity issue since well before the Solarwinds hack, but have risen to prominance in the last year. They’re super hard to reason about, because in reality, no two supplier relationships are the same. The way that...

81. September 12, 2021

    Cyberweekly #166 - Defending against ransomware

    Ransomware infection is almost certainly the single most impactful cybersecurity incident that your company or organisation could suffer from. If you look at incident breach numbers, then users accidentally sharing information, cloud...

82. September 05, 2021

    Cyberweekly #165 - Taking time to relax

    Last weeks issue seems to have hit a chord with people. I had a number of people reach out to say how much the burnout article resonated with them, and how it really touched on how they were feeling at the moment. It’s echoed with me as well,...

83. August 29, 2021

    Cyberweekly #164 - Investing in your staff for a better future

    The last 18 months has been a particularly rough time for lots of people. A global pandemic has changed working patterns, and as many commentators have pointed out, accelerated a working from home concept, without the normal advantages of working...

84. August 22, 2021

    Cyberweekly #163 - Passing on knowledge

    We're bad as an industry at passing on knowledge. Much of the digital transformation of the last 10 years was a repeat, or reapplication of the agile evolution in software development, which mostly came from the agile manifesto from 2001. But much...

85. August 15, 2021

    Cyberweekly #162 - Whose data is it?

    It’s easy to think of data as being very similar to physical property, this is my browsing data, that is your personally identifiable information, and data is like toxic waste that needs to be minimally collected and stored. But data is ephemeral,...

86. August 08, 2021

    Cyberweekly #161 - How to make a difference

    It's really easy to criticise, in fact I do it on a weekly basis, but it's much harder to create. Reading the Committee on homeland security and governmental affairs report, I was struck that the report catalogs a thoroughly predictable set of...

87. August 01, 2021

    Cyberweekly #160 - Competent adversaries and us

    I think I've said this before, but we're really not good at visualising or understanding risk. One of the biggest issues with security is that you are often talking about predicting events that will occur and taking actions so that they don't...

88. July 25, 2021

    Cyberweekly #159 - The rise of commercial spyware

    (Joel) Hi folks, [Joel](https://twitter.com/joelgsamuel) here. If like Michael and I you spend the vast majority of your working time in central government, you will be aware that the Spending Review 2021 (the UK civil service's next 3-year...

89. July 18, 2021

    Cyberweekly #158 - It always depends on the context

    We can easily be the victim of binary thinking in cybersecurity and digital. You must have a CI/CD pipeline, you should always patch immediately, you must airgap your control network from your operational network. One of the increasing problems...

90. July 11, 2021

    Cyberweekly #157 - A radical focus on users

    Security has for many years been the purview of a rather niche set of people. Not that long ago at all (potentially this week in some organisations), security professionals would be called in purely on an engagement basis. The system under test...

91. July 04, 2021

    Cyberweekly #156 - Celebrating diversity

    This week has seen my twitter feed filled with people in bikini, tank tops, naked in some cases, and showing off their bodies. The story of why this has come around is a [depressingly common...

92. June 27, 2021

    Cyberweekly #155 - Making decisions with data

    It's easy to say that if you had more data then you'd be able to make better decisions. The reality is that most of us have access to more data at our fingertips than is even imaginable just a decade or so ago, and it's getting easier and easier to...

93. June 20, 2021

    Cyberweekly #154 - 2021 is the year of ransomware

    I've been saving a few of these articles for weeks. I've talked before about the fact that I don't generally do "news" here. I like to have time to read a number of perspectives and let the initial excitement die down so that I can get a good grip...

94. June 13, 2021

    Cyberweekly #153 - Learning from failure part 2

    Last weeks post turned out to be somewhat prescient as this week we [had a significant outage](https://www.theguardian.com/technology/2021/jun/08/massive-internet-outage-hits-websites-including-amazon-govuk-and-guardian-fastly) that affected [the UK...

95. June 07, 2021

    Cyberweekly #152 - Learning from the best

    I learn best from my mistakes. It might just be me that's a bad learner, but I suspect that this is true of many of us. There's two things wrong in this statement, that I learn from my *mistakes* and that I learn from *my* mistakes. We tend...

96. May 30, 2021

    Cyberweekly #151 - Bringing light to shadow IT

    Generally speaking, users don't break security protocols on purpose. They don't squeeze through the access door without badging in because they want to make your life harder. They don't click on links in emails to find out if the malware works,...

97. May 23, 2021

    Cyberweekly #150 - Shifting security left

    Shift security left is one of those mantras that sounds great, but in reality, struggles to deliver on the promise. If you speak to some of the luminaries of the original secdevops/devsecops/ruggeddevops movements, they'll explain that development...

98. May 16, 2021

    Cyberweekly #149 - The dark side of ransomware

    Sorry, I couldn't resist the pun! This last few years has seen the rise and rise of ransomware operators. It used to be that the operators had to compromise you and demand a ransom, but there have been changes recently, from the rise of...

99. May 10, 2021

    Cyberweekly #148 - Reading for fun and profit

    It's a short newsletter this week because I've pulled together some absolutely amazing long reads for you, as well as a couple of typical news features. Whether it's getting to understand North Korean use of cybercrime as a funding mechanism, or...

100. May 02, 2021

     Cyberweekly #147 - New platforms need new practices

     As we move towards new platforms, we have to accept that currently accepted “best practice” is no longer suited. Simon Wardley calls this [coevolution of practice](https://medium.com/wardleymaps/anticipation-89692e9b0ced), which is where a practice...

101. April 25, 2021

     Cyberweekly #146 - What even is a data breach?

     Endless headlines about data breaches come and go every month, but I'm not sure that we're always using the words appropriately. The Facebook breach was conducted by a third party using an API to extract customer records that they had legitimate...

102. April 18, 2021

     Cyberweekly #145 - Securing the software supply chain is going to take hard work

     Now that the US has sanctioned a selection of Russian Intelligence associated individuals and organisations, we can all relax and let the whole SolarWinds thing blow over right? Sadly, supply chain vulnerabilities are going to be something of a...

103. April 11, 2021

     Cyberweekly #144 - People are at the heart of security

     The famous joke goes that the only secure computer system is one that is powered off, and preferably in a sealed box buried in a hole in the ground. But that computer system doesn't work because it has no usability, no ability to help the people...

104. April 04, 2021

     Cyberweekly #143 - A good process badly fitted is a bad process

     The solarwinds hack has demonstrated just how vulnerable our software supply chain is. The excellent series from the Atlantic Council, the latest report of which is below, and the first outlined the [history of supply chain...

105. March 28, 2021

     Cyberweekly #142 - Is malware a weapon?

     Cybersecurity has a strong militaristic tonality to it. We talk about attacks, weapons, actors, all with the cyber prefix of course. But at its heart, the vast majority of cybersecurity activity isn't warlike or militaristic at all. The origin of...

106. March 21, 2021

     Cyberweekly #141 - Developing cyber skills in a global world

     I often try to steer away from geopolitics on here for a whole bunch of reasons, but primarily because I'm at best an armchair watcher who reads a lot, rather than an educated commentator. Geopolitics around how states interact with each other is...

107. March 14, 2021

     Cyberweekly #140 - Patching isn’t as simple as all that

     I thought that all the kerfuffle over HAFNIUM and Microsoft exchange patching would be mostly over by now, and it turns out I was wrong. As you’ll see below, Harry contacted me after last week to gently admonish me that patching exchange isn’t...

108. March 07, 2021

     Cyberweekly #139 - APTs, Why does it always have to be APTs?

     Channeling my inner Indiana Jones, but why is it always APTs? Everytime there is an attack, vulnerability or compromise, there are government issued alerts, suppliers and journalists all competing to yell loudly that this is it, this is the big...

109. February 28, 2021

     Cyberweekly #138 - Cyberarms is a technical topic

     Pelroths book looks really interesting. I'm just starting [Sandworm by Andy Greenberg](https://amzn.to/2O8RK3s), but I can see that [Pelroth's This is how they tell me the world ends](https://amzn.to/2NFfhtb) is going to have to go on my list. ...

110. February 21, 2021

     Cyberweekly #137 - Taking your daily exercise

     We don't exercise enough. The pandemic has meant that I can now often go an entire week without leaving the house, and sometimes it feels like I go an entire week without really leaving my desk. But exercise is great for us, the fresh air, the...

111. February 14, 2021

     Cyberweekly #136 - It’s about ethics in cybersecurity

     How should we respond to unethical actions in cybersecurity, and where is the line anyway? Sometimes those of us with a relatively clean past (I dabbled in reading Phrack, 2600 as a teenager, but never really crossed any legal lines) can make out...

112. February 07, 2021

     Cyberweekly #135 - How to tell truth from fiction

     Supermicro. Remember them? That story from Bloomberg that there was chinese malware in SuperMicro motherboards that could entirely compromise computers from below the operating system for which there was a lot of very strong denials from almost...

113. January 31, 2021

     Cyberweekly #134 - Whose device is it anyway?

     End User Devices are one of the roots of trust in any modern system. We might worry about attackers getting into our servers or networks, but it doesn’t matter how much encrypted fairy dust we apply to the data, once it reaches the end user device,...

114. January 24, 2021

     Cyberweekly #133 - The lies our brains tell us

     It remains to be seen what will happen to QAnon now that Biden is president and many of the “facts” and predictions remain totally unfounded. But we’ve seen this before. The scary part of conspiracy theories is that once someone buys into them,...

115. January 17, 2021

     Cyberweekly #132 - New year, new resolutions, and new lessons to learn

     It's hard to believe that we're already at the end of the second week of 2021. For some us, our resolutions will already be broken, especially in the face of a continuing global pandemic and the sheer sense of apathy that everyone I speak to has. ...

116. January 10, 2021

     Cyberweekly #131 - Protecting the cloud

     I hope you all had a good Christmas and New Year! It was an interesting experience that after I made the decision to take a few weeks break from writing Cyber Weekly, we had what might be the biggest cybersecurity incident in years. You should...

117. December 20, 2020

     Cyberweekly #130 - Solarwinds Special

     I was going to have a nice relaxing holiday and take a few weeks off from writing a newsletter and news roundup! Last week I talked a bit about the FireEye breach, and was saying that the loss of the red team tools was not as big a deal as was...

118. December 13, 2020

     Cyberweekly #129 - Even cyber companies get breached

     Remember that term "assumed breached", well if FireEye can get breached, then you should assume that pretty much anyone can. Of course there are companies that you simply have to trust in some ways, your core identity provider is one, generally...

119. December 06, 2020

     Cyberweekly #128 - What makes a good strategy?

     I think that a lot of us spend a lot of our career believing that somewhere at the top of the organisations we work for, despite all the evidence, someone knows what they are doing. We tend to call this strategy, and I think it's much...

120. November 29, 2020

     Cyberweekly #127 - Secure your platforms

     Security isn't just about one thing. Security people cover physical threats, cyber threats as well as information risks and often data protection concerns as well. We tend to get a little focused on our speciality, and see everything through the...

121. November 22, 2020

     Cyberweekly #126 - More secure in the public cloud

     You know, I never really thought the MOD would be the organisation to be the first HMG organisation to say it, but yes, they have. You can be more secure in the public cloud than you might be in your on-premise data center. For all the reasons...

122. November 16, 2020

     Cyberweekly #125 - Self service tooling

     I have long contended that one of the indicators of maturity in an organisation, and one of the drivers of efficiency is the ability of teams to self-service. This can extend from the ability to use the cloud effectively, to the vending machines in...

123. November 08, 2020

     Cyberweekly #124 - Our tools are evolving

     Security tooling has always been a little... peculiar. Part of this comes from the fact that security isn't one culture, it's a mix of compliance officers, architects, hackers and analysts, and so it's rare than one tool fits everyones need. ...

124. October 26, 2020

     Cyberweekly #123 - Developers are not the enemy

     If you are a developer, you need to assume that your users are not the enemy, that they want to get the job done in the safest way possible. If you write code for other developers, you need to assume the same thing. We’ve known for years that...

125. October 18, 2020

     Cyberweekly #122 - Learning from the past, not dwelling in it

     I believe that we fail to learn well enough from the past. I was in a conversation last week, where I was explaining how I wanted to build community, and think about how information is kept and managed, and one of my very smart coworkers responded...

126. October 11, 2020

     Cyberweekly #121 - Can we tell the future

     For those who don't know, I started a new job recently. Leaving behind my contractor ways, I've returned to the civil service to help build security capabilities across government. Part of that role includes setting up better situational awareness...

127. October 04, 2020

     Cyberweekly #120 - How we communicate

     How we communicate really matters. If we want to be taken seriously, we have to be sure that everyone hears us communicate clearly and simply. Security and digital folks alike have a tendency to have our own language, from scrum to penetration...

128. September 27, 2020

     Cyberweekly #119 - The security of comms platforms

     [Apologies for missing last week. I had some personal news that meant that my weekend was taken up with a lot of other stuff, and the newsletter dropped off my radar.] We’ve moved to a distributed world, and many organisations have not had a...

129. September 13, 2020

     Cyberweekly #118 - Do you need a threat model?

     When I see people talking about threat modelling, they can be referring to two totally different kinds of activities. Component based threat modelling tends to look at an individual system and how the components interact. The Microsoft threat...

130. September 06, 2020

     Cyberweekly #117 - What is the inside threat?

     Who can you trust, or sometimes what can you trust? When we think of insiders, a lot of training materials tends to overly focus on the big newsworth espionage cases. These make headlines because the accusations of treason, of betraying your...

131. August 23, 2020

     Cyberweekly #116 - Are we paving the path our users desire?

     AI, Blockchain, Quantum Computing. These are technologies that are "set to revolutionise the world", and yet, half the time I don't feel like the world is very revolutionary. I spend a lot of time looking at future looking technology and trying to...

132. August 16, 2020

     Cyberweekly #115 - Working from home forever?

     What's the future going to look like? I've been thinking about this a lot recently, and nothing is a bigger focus right now than working out how many of our societal shifts from COVID are going to stick around. Will people continue to wash their...

133. August 09, 2020

     Cyberweekly #114 - Continuous Learning

     One of the reasons that I write this newsletter is because it scratches my own itch. I read a lot of articles, blogposts and reddit forums pretty much constantly. I lose track of which ones I've read, and I found myself in meetings with people where...

134. August 02, 2020

     Cyberweekly #113 - The rise and rise of ransomware

     Ransomware is on the rise, affecting more and more companies, and it's always spoken off as if it's highly advanced hacking, the sort that you might expect to be restricted to say 17 year olds. In reality ransomware is a pretty low bar for hacking...

135. July 26, 2020

     Cyberweekly #112 - Wormable and remote vulnerabilities

     There’s a big new vulnerability and you should either be really scared, or a little scared depending which articles you read. You can read more below, and my advice is that you should be making sure that you have patched your internal DNS servers...

136. July 19, 2020

     Cyberweekly #111 - I was just saying

     Last week I was just saying that cloud computing has a bunch of better security properties, and then a once every few years kind of incident comes along that makes me look stupid. [Twitters security...

137. July 19, 2020

     Cyberweekly #110 - Why cloud?

     Why do we use the cloud? I mean, generally speaking, if you are lifting and shifting computers from your data center to a cloud service on a one-for-one basis, the major cloud providers are probably more expensive (depending how you measure your...

138. July 05, 2020

     Cyberweekly #109 - Protecting yourself

     Welcome to July. For a variety of reasons, I've not been able to produce a full newsletter for most of June. I've produced lots of snippets for you, but I've heard from several people that the thing they find the most valuable and interesting is...

139. June 28, 2020

     Cyberweekly #108 - June Roundup

     For the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight the a quote to sum up the most interesting or relevant part of the story in each case. Here's the weeks reading and...

140. June 21, 2020

     Cyberweekly #107 - Without comment

     For the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight the a quote to sum up the most interesting or relevant part of the story in each case. Here's the weeks reading and...

141. June 14, 2020

     Cyberweekly #106 - Sans comment

     As stated last week, for the rest of June, I'll be providing a selection of stories from the news without comment or analysis. I've tried to highlight the a quote to sum up the most interesting or relevant part of the story in each case.

142. June 07, 2020

     Cyberweekly #105 - Taking time

     This past few months have been hectic and difficult for all of us. From lockdowns and pandemic to protests and #blacklivesmatter, this is a tough time for people who are concerned about themselves, their family and their friends. This week there's...

143. May 31, 2020

     Cyberweekly #104 - Developing compliance

     How technical are we as security people? Most people in security are not software developers by trade. This isn't necessarily a bad thing, software is just a small part of security. Culture, behaviours and physical aspects of security are just as...

144. May 24, 2020

     Cyberweekly #103 - The steady growth of AI

     Will AI prove to be the downfall of humanity? Probably not. But it's clear that proponents of AI and it's use in multiple systems are firm believers that AI is providing a generational jump similar to the dawn of computing and the information...

145. May 24, 2020

     Cyberweekly #102 - Security isn't binary

     We like to think that things are either secure or insecure, that a person is trusted or not trusted, that someone is an attacker or a defender. These dualities fill information security and lead us to lazy thinking in lots of ways around...

146. May 10, 2020

     Cyberweekly #101 - Making the most of our tools

     Whenever I go to a new client and meet their security team, one of the things I always try to get a good glimpse of is their security tools. How do they track risks on projects? store penetration test results? set and enforce policies on development...

147. May 03, 2020

     Cyberweekly #100 - What's next?

     Welcome to the 100th edition of Cyberweekly! I can't really believe that I've done this for almost 2 years now, and that I've stuck with it, and that people still message me to tell me that they find it useful. I've said before, I mostly write this...

148. April 28, 2020

     Cyberweekly #99 - Collaboration, Risk and Data

     Major General Copinger-Syme’s speech is a rousing affair that outlines 3 areas of opportunity for the UK Military complex that digital disruption is going enable. These are challenges around collaboration, around risk and around use of data. The...

149. April 19, 2020

     Cyberweekly #98 - Governance isn't a dirty word

     I've spent a long time working in Agile. I was on one of the first really big agile programmes of work at the Guardian, and introduced to many of the concepts by people who went on to be great thinkers and definers in agile development. As I've...

150. April 12, 2020

     Cyberweekly #97 - How to work from home

     I'm sorry to tell you this, but I don't think the global quarantines are going to end anytime soon. The Institute for Health Metrics and Evaluation [thinks that UK deaths will continue rising and peak around April...

151. April 05, 2020

     Cyberweekly #96 - The cloud is more secure

     I’m bored of the Zoom infosec debacle at the moment, so I thought I’d look more at one of my favourite hobby horses, the adoption and use of the cloud and how to use it securely. Cloud computing has been around for a long time, and infosec...

152. March 29, 2020

     Cyberweekly #95 - We don't know what people do with our data

     I've had a busy week where I've spent a lot of time writing some data protection impact assessments and privacy policy type stuff. It's felt a little like fiddling while rome burns to be honest. One of the things that annoys me is that privacy...

153. March 23, 2020

     Cyberweekly #94 - Is remote working just letting the enemy inside the walls?

     As pretty much every organisation in the UK and US has made urgent moves towards remote working, there are security and technology teams scrambling to enable remote access for their staff and to make it work. VPN's are being overloaded, broadband...

154. March 15, 2020

     Cyberweekly #93 - Tools shape our thinking

     The more I look at how digital transformation and digital culture is going, the more I realise that one of our big problems is the lack of attention to the tooling that we use. I think everyone has heard the phrase "When all you have is a hammer,...

155. March 08, 2020

     Cyberweekly #92 - What justifies lawful interception

     You may have seen the ["interesting" video about backdoors from Huawei this week](https://twitter.com/Huawei/status/1235128718869164032?s=20), which has been widely panned as company based propaganda. However it does raise an interesting point (and...

156. March 08, 2020

     Cyberweekly #91 - Who actually is security and what are we for?

     A recent tweet asked people to write a scary story in just 3 words. I replied with ["Security says no"](https://twitter.com/bruntonspall/status/1232574851149332481?s=20), and a reply "Who is security" caused me to reply with "we're all...

157. February 23, 2020

     Cyberweekly #90 - How do we deal with personal data?

     Editors Note: Delayed by a day this week because I've been away on holiday and flights back were delayed. That also explains all the comments and analysis helpfully provided by [Joel](https://joelgsamuel.com/) this week. Thanks Joel. There's a...

158. February 15, 2020

     Cyberweekly #89 - Trust in security

     A short one this week I’m afraid. Prepping for half term and a heavy workload this week have conspired against me. So most of the stories are from the backlog from before Christmas. The Crypto AG story however is a fascinating insight into the...

159. February 10, 2020

     Cyberweekly #88 - There's no certainty in risk management

     If you've never seen a risk matrix, then the idea of talking about risks being unlikely, rare, likely and contrasting that with the impact of the risk might seem unusual to you. Here is [a sample risk...

160. February 01, 2020

     Cyberweekly #87 - How much of a target are you?

     Our ego likes to tell us that we are special, that attackers have carefully picked out organisation out of millions of others, that they have taken the time and energy to research us online, get to know our executives, our staff, our technologies...

161. January 25, 2020

     Cyberweekly #86 - Tackling only what we can

     We often want to fix everything around us. We want to fix systems, processes, and entire organisations all at once. And then we burn out unable to get the fixes we need in place. Most company technology estates are enormous complex beasts and it...

162. January 18, 2020

     Cyberweekly #85 - Change is scary for people

     "Security is important, you must patch now". We say this an awful lot in security. I say this a lot! Patching is probably the number 1 security control that you can apply. Almost all cyber attacks from outside exploit known vulnerabilities that...

163. January 11, 2020

     Cyberweekly #84 - What would cyberwar look like?

     Last week I deliberately avoided talking about the Iran/USA international issues because I felt like there was not enough real information and too much misinformation floating around and I didn't want to add to it. I meant to be explicit about it,...

164. January 04, 2020

     Cyberweekly #83 - Poor incentives for cybersecurity industry

     Welcome back for the first newsletter in 2020. I took a few weeks off for christmas and new year while I recovered from my visit to Australia. Several weeks of conferences really can take it out of you it turns out. One of things that I've...

165. December 14, 2019

     Cyberweekly #82 - What do we mean by threat model?

     You often here security researchers talk about “That’s not in my threat model”, “This is secure only for a certain threat model”, or [“the lock is invincible to the people who do not have a...

166. December 07, 2019

     Cyberweekly #81 - What does best practice even mean?

     It's a short one this week because I'm currently touring Australia speaking at [Yow! Brisbane](https://yowconference.com/brisbane/) conference, and I've therefore been enjoying the sun and heat. The subject of my talks is really about where...

167. November 30, 2019

     Cyberweekly #80 - How secure are cryptocurrencies

     With China making clear moves that it intends to have some form of Government backed digital currency. Whether that is a "cryptocurrency" and based on a blockchain or whether it is some other managed digital currency, a government backed digital...

168. November 23, 2019

     Cyberweekly #79 - Do we know why things go right?

     In security, we spend a lot of time thinking about how things fail. Actually, that’s not quite right. We spend a lot of time thinking about how malicious actors can cause things to fail. We think about failure in terms of human decisions on...

169. November 16, 2019

     Cyberweekly #78 - Enough with the cyber-nonsense

     Applications that aren’t immune to compromised endpoints; Nation states that want to steal your lunch; System administrators might have built backdoors into your photo backup system. There is an endless stream of what I tend to call cyber nonsense....

170. November 09, 2019

     Cyberweekly #77 - Progress marches on even if we aren't ready

     Security is hard, that's more or less the theme of Cyberweekly every week. While I get as excited about advances and cool new toys as anyone else (ok, maybe a little more so), one of the problems we have in cybersecurity is the growing legacy of poor...

171. November 02, 2019

     Cyberweekly #76 - General is easier than specific, or why security says no

     Why do we find rules in place that say "No, you can't access twitter" even when the person asking is the social media team? I sometimes make fun of such rules, pointing about the clear absurdity, but in reality, there is a reason for such...

172. October 26, 2019

     Cyberweekly #75 - Coordination is hard

     In big organisations, or across nation states, coordination is really hard. It can be difficult to know who to talk to, who to send issues or problems to, and how to know whether your report is being actioned. We blame users a lot for not using...

173. October 19, 2019

     Cyberweekly #74 - Security things are still really hard

     [Joel](https://twitter.com/joelgsamuel) and [Jon](https://twitter.com/jonplawrence) are back! Hello again. We're covering for Michael just for this week while he recovers from having been [slaving away on a Mauritian...

174. October 12, 2019

     Cyberweekly #73 - Know your users

     We often engage with proxies for our real users. It doesn't matter whether you are building a product that you sell, or writing policy for an organisation, you have real users and then you have decision makers. The decision makers are the ones who...

175. October 05, 2019

     Cyberweekly #72 - What are our boundaries?

     People get overexcited by the term Zero-Trust networking. If you read the [BeyondCorp research papers](https://cloud.google.com/beyondcorp/), or read [the excellent book on Zero-Trust Networks (affiliate link)](https://amzn.to/30PTT4C), they really...

176. September 28, 2019

     Cyberweekly #71 - What actually is hostile social manipulation?

     As we come into some turbulent years for democracies in the west, I think we are going to hear a lot more about hostile social manipulation in various forms. Of course we are already used to cries of “fake news” from certain sides anyways, but it’s...

177. September 21, 2019

     Cyberweekly #70 - Tackling the insider threat

     I've been reading [Edward Snowdon's autobiography (affiliate link)](https://amzn.to/2ABepeY) this week, and it's made me think about insider attacks quite a lot. When we think of insiders, we tend to think of the Edward Snowdon style of attack. ...

178. September 14, 2019

     Cyberweekly #69 - Fake news and adequate pernicious toerags

     None of us like to believe that we can be defrauded, tricked or influenced. There's a fascinating bias called "unconscious bias bias" which is where people can see and identify unconscious biases in others, but cannot see them in themselves. This...

179. September 07, 2019

     Cyberweekly #68 - Do we trust machines?

     How much do we trust machines? It turns out, according to research I read this week, that the majority of people expect an automated aid to perform better at a task than a human. That can include examples such as navigation, driving aids, medical...

180. August 31, 2019

     Cyberweekly #67 - How to compare or weigh risks?

     Some of you will be aware that I have a love/hate relationship with risk management techniques. On one hand I am a firm believer that many organisations focus on entirely the wrong things, on back to back multi-vendor firewalls and sheep-dip...

181. August 24, 2019

     Cyberweekly #66 - Are we unwilling managers

     Many of us in infosec and digital are also team leads or managers of various forms, and most of us tend to be somewhat unwilling managers. The career path in technology tends to mean that most gifted technically competent people are increasingly...

182. August 19, 2019

     Cyberweekly #65 - How much privacy do we expect?

     Privacy is a really interesting concept to study. People have lots of different mental concepts of privacy, and oftentimes those concepts don't entirely align with other humans conceptions of the same behaviours. Couples talk about wanting privacy...

183. August 10, 2019

     Cyberweekly #64 - We need to stop operating IT like it's 1999

     We see this again and again, but the ransomware attacks on enterprise It estates in local government in the US (which are the ones we know the most about) just shows that many small to medium size organisations still haven't got the memo. It's...

184. August 03, 2019

     Cyberweekly #63 - Put more security in your SaaS

     When we talk about companies moving to "the cloud" we tend to mean the migration from data center to hyperscale cloud data center. People moving their servers from an on-premise or colocated data center into Azure, Google Cloud, AWS or...

185. July 27, 2019

     Cyberweekly #62 - The next big malware that wasn't

     The sky is falling, BlueKeep will result in thousands of compromised computers, you must patch now. Lots of people said that this would be the next Wannacry, but it hasn't materialised, and we don't really know why. I've outlined below some of my...

186. July 20, 2019

     Cyberweekly #61 - Just because it’s basic doesn’t mean it’s easy

     There's a great post by Emma W of the NCSC linked below that talks about why patching is often described as basic, even though doing it can be really hard. GDS' has a number of design principles that it used when building GOV.UK as well as for...

187. July 13, 2019

     Cyberweekly #60 - Is it Cyberwar or Cyberespionage?

     The shift in policy of moving the reins of power of offensive cyber from intelligence organisations like the NSA or GCHQ over to military organisations like the US CyberCommand or the Ministry of Defence is an interesting one. The military has...

188. July 06, 2019

     Cyberweekly #59 - How confident are you that your defences work?

     How confident are you in your defences? You've got firewalls, WAF's and even a segmented network. Maybe you have to leave your phone outside before go into your office, have badges that need a pin as a second factor and armed guards who watch...

189. July 06, 2019

     Cyberweekly #58 - Phishing just works

     Remember from the [Verizon Data Breach survey](https://enterprise.verizon.com/en-gb/resources/reports/dbir/2019/results-and-analysis/) earlier on in the year [featured in Cyber Weekly 51](https://www.cyberweekly.net/what-does-cyberwar-actually-mean),...

190. June 22, 2019

     Cyberweekly #57 - Malware is still your biggest threat

     Are you worried that nation states are coming to get you? That the cyber criminals will breach your systems and steal all of your data? Malware, distributed by email or phishing is still the biggest threat to most businesses, and of that malware, the...

191. June 18, 2019

     Cyberweekly #56 - How can we be more positive in security?

     Cybersecurity is a pessamists game right? We are constantly talking about and worrying about being attacked, about what is the worst that can happen, about the nations in a constant state of cyberwar! But we overly focus on the negative. I took...

192. June 08, 2019

     Cyberweekly #55 - Raising the baseline of security

     I've been involved in a bunch of conversations recently around "baseline controls". What is the difference between different security controls, and how should we decide where to invest our money. One train of thought is that any set of security...

193. June 01, 2019

     Cyberweekly #54 - The more things change, the more they stay the same

     Iran's conducting disinformation campaigns, Baltimore shows that people aren't patching at all, let alone fast enough, the Huawei discussion rages on. This is the new normal, and looking down the behaviors of nation states, at the data breach...

194. May 25, 2019

     Cyberweekly #53 - When is a breach a breach?

     In risk management, and data protection, we tend to assume the worst. That if we've exposed the data of millions of users, that someone has actively exploited it and done terrible things with it. But the reality isn't like that most of the time...

195. May 19, 2019

     Cyberweekly #52 - To patch or not to patch

     It has been quite a week of breaches. From [WhatsApp](https://arstechnica.com/information-technology/2019/05/whatsapp-vulnerability-exploited-to-infect-phones-with-israeli-spyware/), to [vulnerabilities in the linux...

196. May 11, 2019

     Cyberweekly #51 - What does cyberwar actually mean?

     The IDF tweeted that they had carried out a missile attack on a Hamas cyber offensive operations team, and it made me ponder the militarisation of cyber warfare. A lot of infosec people tweeting about the IDF attack suggested that they were shocked...

197. May 04, 2019

     Cyberweekly #50 - Who are the attackers we worry about

     The old adage says that on the internet, nobody knows you are a dog. It's always been hard to attribute cyber attacks because of the complexities of internet governance means that country location of servers isn't the same as commercial affiliation...

198. April 27, 2019

     Cyberweekly #49 - We're on a Huawei to hell

     I've been up at the NCSC's flagship conference, CyberUK, in Glasgow this week, for which the Huawei decision was a point of conversation. Mostly it was with a kind of resigned shrug that "Inevitably someone will mention it" that introduced the topic...

199. April 25, 2019

     Cyberweekly #48 - DNS is at the root of our cybersecurity

     I'm back from holiday, so massive thanks to Jon and Joel for covering the newsletter while I was away. I hope you enjoyed it, and it was novel to wake up on a Saturday morning and be able to read the newsletter rather than having to check and write...

200. April 13, 2019

     Cyberweekly #47 - People & Privacy: Consent? Is that your question?

     Us again! Michael has kindly let us edit Cyber Weekly again this week (thanks for having us 'stay' a little longer Michael). The theme we have chosen for this week is 'People & Privacy'. Since the [General Data Protection Regulation...

201. April 06, 2019

     Cyberweekly #46 - People & Security - forever intertwined

     Michael has kindly let us guest edit Cyber Weekly this week (thanks Michael for inviting us along). The theme we have chosen is 'People & Security'. These two things are intertwined, sometimes when we least expect them to be. People are _the_...

202. March 30, 2019

     Cyberweekly #45 - How secure is our software?

     While the debate about the geopolitical implications of Huawei software managing western 5G networks continues on, we really should be worrying about how secure is the software that manages... well everything. We rely, in this day and age, on...

203. March 30, 2019

     Cyberweekly #44 - It’s not always targeted attacks

     Malware is running around an industrial control system. It must be Russia, or China, or Iran, or the US or ... We get a million hot takes within minutes of cyber security news being broken, mostly without enough context to backup the assumptions...

204. March 16, 2019

     Cyberweekly #43 - Hacking Tools

     I'm not actually a very good hacker. I know and understand a lot of the theory, and I've been on web application hacking courses, played at a few Cybergames, and while I don't come first, I don't do terribly. But hacking tools fascinate me because...

205. March 09, 2019

     Cyberweekly #42 - Fake news and propaganda

     I was determined to not talk more about fake news this week. I'd had in mind to do something about how the law affects the internet, but there were just too many good stories this week, especially the absolutely excellent writeup by Recorded Future...

206. March 02, 2019

     Cyberweekly #41 - The evolving practice of security

     I'm [speaking at QCon](https://qconlondon.com/london2019/presentation/evolving-practice-security) this coming week on the evolving practice of security and therefore it's a lot in my mind. As the Department of Defense moves from on premise data...

207. February 25, 2019

     Cyberweekly #40 - Throwing out the baby with the bathwater

     Is ITIL valuable? If you ask that at a DevOps or Agile conference, people will either stare at you blankly, or tell you horror stories of their experiences with CAB. I'm aware of one organisation that had a weekly CAB for any change going to...

208. February 23, 2019

     Cyberweekly #39 - Are developers the kingmakers?

     Stephen Grady wrote a book around 5 years ago called [The New Kingmakers](https://www.amazon.co.uk/New-Kingmakers-Developers-Conquered-World-ebook/dp/B0097E4MEU/ref=sr_1_1?ie=UTF8&qid=1550301534&sr=8-1&keywords=Developers+are+the+new+kingmakers) in...

209. February 09, 2019

     Cyberweekly #38 - Digital transformation is hard

     What is the strategy for doing digital transformation in a large organisation? Do you run little agile projects in the midst of all of the other major projects going forward? How do you get budget for that project that makes sense and how do you...

210. February 02, 2019

     Cyberweekly #37 - The US dominates “cyberspace”

     A long one this week, primarily because the US released the Worldwide threat assessment and the Intelligence Community strategy. This resulted in a lot of reading about various military systems and networks, which always fascinates me. I’ve tried to...

211. January 26, 2019

     Cyberweekly #36 - What will 2019 hold for us?

     I've held off on making predictions about cybersecurity. 2018 was such a bonkers year, from the SuperMicro allegations, to Russian interference everywhere, from Facebook breaches to Google+ breaches, it felt like it just kept getting crazier and...

212. January 21, 2019

     Cyberweekly #35 - Are we still learning?

     How do we continue to learn? Often we are so busy and so up against the deadlines that we barely have time to complete all of our work, let alone take time for "Continuing Professional Development". Security is so often about putting out fires that...

213. January 12, 2019

     Cyberweekly #34 - The sky is falling

     2FA has been broken, and so it's all over. This was what the news seemed to scream at me this week with the release of the modlishka tool. As I've said repeatedly, many times, the most effective cyber security defense you can employ right now is...

214. January 08, 2019

     Cyberweekly #33 - Who are we at Cyberwar with?

     Over the Christmas period, the [twitter argument started by Perry Metzger](https://twitter.com/perrymetzger/status/1075928695058120705?s=20) has made me think and ruminate a lot on Cyber Warfare and adversarial thinking. I’ve spent the last few...

215. December 29, 2018

     Cyberweekly #32 - Happy New Year

     Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall. Feel free to forward this on to people you think might be interested. If someone...

216. December 29, 2018

     Cyberweekly #31 - Merry Christmas

     Merry Christmas, I hope you are all starting to relax and get into the holiday spirit. This letter is a little late today because I was at a Christmas Party last night and it's taken a bit of time to be able to compose my thoughts! It's been...

217. December 15, 2018

     Cyberweekly #30 - A breach is just a failure of process

     As we see breach after breach after breach, we tend to see root cause analysis processes and they always come to the same conclusion. The process wasn't in place properly and wasn't followed. Except, that if you did the same analysis without the...

218. December 11, 2018

     Cyberweekly #29 - When is risk management not risk management?

     A theme I've seen recently is a reluctance by organisations to take certain actions to reduce risk because they either aren't perfect, they don't totally remove the risk, or they contain too many unknowns. I've spent a fair amount of time looking...

219. December 01, 2018

     Cyberweekly #28 - Whats next for digital government?

     This week had a bunch of interesting themes for me, but two in particular stand out. Tom Loosemore and Dafydd Vaughan brilliantly explained the journey that digital government has been on and how far we've come. It's very easy to dwell on the size...

220. November 24, 2018

     Cyberweekly #27 - We're all human after all

     A lot of cybersecurity and digital maturity models tend to assume that high performing teams are what economists call "rational actors". We assume that people will follow procedures, that they like rules, and that they don't take decisions that would...

221. November 17, 2018

     Cyberweekly #26 - Small steps to knowledge, taking each one at a time

     I enjoyed following a conversation this week about the value of a philosophy degree in infosec. The conversation quickly descended into discussions about which philosopher would be more fun to have a beer with, which I didn't really follow (I still...

222. November 10, 2018

     Cyberweekly #25 - Digital supply chains should be giving you nightmares today

     2018 could be remembered for a lot of things, it’s been quite the year after all, but I think its the year in which software supply chain issues came to prominence. From the Ticketmaster hack to British Airways to SiteCounter, we are seeing...

223. November 03, 2018

     Cyberweekly #24 - How can we set a security strategy if we don't know what's going on?

     Lots of the stories this week show that organisationally, senior leaders are out of touch with the reality of the security strategy that they write or sponsor. Whether it be a policy that requires users to not browse adult websites, that everyone...

224. October 27, 2018

     Cyberweekly #23 - Is risk management the right approach

     I'm a big believer in risk management. I think that security does depend on the context, and risk management is supposed to help you understand your context and take appropriate risks. But in reality, I'm not sure it's actually working. A friend...

225. October 20, 2018

     Cyberweekly #22 - A new methodology needs a new set of practices

     I've been thinking a lot about serverless recently. I know that I'm years behind the cutting edge here, but I'm bullish that serverless is going to take off soon. I'm hearing more and more that greenfield development should be starting with...

226. October 13, 2018

     Cyberweekly #21 - When is a breach not a breach?

     This week, Google announced that they had found a vulnerability in GooglePlus, but hadn't told anyone. There was some discussion online about whether they had broken the law, in particular GDPR, and whether they had acted responsibly. But it draws...

227. October 06, 2018

     Cyberweekly #20 - China, Russia, Facebook, Conservatives... It's been quite a week

     Phew. I didn't think reading and writing this weeks newsletter would ever end. There's been so many interesting stories, and news that it took me a lot this week to read all of the summaries and try to find just the best links to share with you. ...

228. September 29, 2018

     Cyberweekly #19 - Patching everything all the time might be too expensive

     It's interesting that we know that almost all breaches that get reported are because of unpatched software. It's pretty rare that we actually see 0-day vulnerabilities in use and breaching networks, primarily because most attackers don't need to use...

229. September 22, 2018

     Cyberweekly #18 - Are we getting better?

     This week, I'm keynoting at Agile Cambridge 2018 https://agilecambridge.net/2018/ on the topic of "Does Agile make us less secure" which has led to spending a lot of the past few weeks wondering whether we are actually getting any better at...

230. September 15, 2018

     Cyberweekly #17 - How do normal users make good security decisions?

     Most security products exist in what economists call a Market for Lemons (https://en.wikipedia.org/wiki/The_Market_for_Lemons), which means that purchasers lack the ability to tell a good product from a bad product. The market theory suggests that...

231. September 08, 2018

     Cyberweekly #16 - Blockchain has a history

     _NOTE: This email was sent out without this introduction, it's preserved here as I wrote it, rather than how I sent it out. Sorry for everyone who missed this_ We stand on the shoulders of giants in technology. We often however like to think that...

232. September 01, 2018

     Cyberweekly #15 - Who holds data on you, and what do they do with it?

     This newsletter comes to you from a chilly field in the wilds of the UK, where hackers and makers of all forms have gathered to share news, tips and techniques. The amount of future tech on show that is bodged together with tape, glue and exposed...

233. August 25, 2018

     Cyberweekly #14 - How many breaches will it take?

     It sometimes feels like the news in cybersecurity is an endless slew of breaches, with security professionals standing to one side saying "I told you so". This attitude of enjoying disasterporn, or Schadenfreude, doesn't make us look very good as a...

234. August 18, 2018

     Cyberweekly #13 - Making sense of a complex world

     It's a quiet week this week as I prepare for family holiday and try to get all my work done before I leave, but here's a selection of the best reading I've seen in the busyness of the week. Most interestingly is the theme coming through that a lot...

235. August 11, 2018

     Cyberweekly #12 - Should we trust cyber security stats?

     Several articles this week about various statistics in cybersecurity, which makes me question the mechanism by which we gather these statistics and how they are presented. The cybersecurity vendors have an explicit desire to bulk up the risk, so...

236. August 04, 2018

     Cyberweekly #11 - Two factor or not two factor, that is the question

     This week has all been about two factor authentication. For me, I read the Motherboard article first, but then the Reddit incident and the claim last week from Google made me perk up my ears, and then the internet exploded with comment about...

237. July 28, 2018

     Cyberweekly #10 - That’s edition 8 in octal

     So this week we reach two milestones at more or less the same time. This is the 10th newsletter, that's 10 weeks in a row compiling and sending this out, as well as reaching 100 subscribers this week, so huge thanks to everyone who subscribes, who is...

238. July 22, 2018

     Cyberweekly #9 - Better late than never

     _NOTE: This letter was mistakenly sent with the subject #8 - Better late than never_ What is the purpose of a security team? Why do they even exist? A recent article about misconfiguring of trello boards prompted a bit of a discussion in one of...

239. July 14, 2018

     Cyberweekly #8 - Where are you spending your security budget?

     What do we spend our time and money set aside for security in companies doing? Lots of CISO's and security managers I talk to exclaim that they need significantly bigger budgets, that they can't do all of the stuff that is asked of them. But when I...

240. July 07, 2018

     Cyberweekly #7 - Security has to be usable to be any good

     This week there has been a swathe of articles covering usable security in various forms. I'm loving seeing more and more organisations come up with ways to balance usability and security. We're never going to get this perfect, but we have to...

241. June 30, 2018

     Cyberweekly #6 - Whose fault is a breach anyway?

     This week saw an interesting breach of the Ticketmaster payment processing system. A third party, Monzo, noticed the breach months before Ticketmaster were able to confirm it. Ticketmaster claim it wasn't their breach, but one of their suppliers,...