What is the best password strategy to pursue?

When it comes to passwords, there are a variety of opinions.

And that is the problem. Most people choose password is based on requirements brought forced to them by the system.

Still, on password breaches, data analysis shows that most passwords are very weak.

When asking user is why they choose week passwords the common answer is that they can’t remember complex passwords, and H presents too much of a challenge for them.

Yet even choosing a supposedly strong password based on requirements isn’t necessarily the best solution.

I could go into the mathematics of Y system required, strong passwords are weaker than actually choosing a common phrase that you can easily remember.

And that brings us to the solution to having a strong password, Which is not only easy to remember but is mathematically even more complex.

Take a phrase that you can easily remember: the sun is shining in my street at house number 17.

Running a brute force attack on the passphrase like that is very complex. Yet, it is very easy for you to remember because it’s going to be difficult to forget where you actually live.

This is obviously only and example. However, it shows that complex passwords don’t have to be complex and such a way that they are very difficult for a user to remember. Plus, the typing of such information is very easy.

Let me know what you think about this password strategy which is been around for quite a while.

Is your organizations data valuable to outside threats?

Whether or not your organizations data as valuable to outsiders depends heavily on what business you’re in.

Generally said, your organizations data is valuable :period.

There is an ever increasing amounts of data being taken from paper, and digitized.

Therefore they are not only victim to attempts of corporate espionage, but also to data collection spies, And even more persistent threats.

While ago I worked on a case of CEO Frade, in which the main enabler was the fact that the email server of the organization had a vulnerability, which was exploited, and allow the perpetrators to monitor email communication between the chief executive officer, and The chief financial officer.

This angle was then exposed by the attackers to lose a couple of million euros; unretrievable.

So you see, it’s not only corporate espionage that as a threat of valuable information, but much less appearing information can be utilized to harm your organization.

How do you handle antivirus alerts

That depends on the policy behind antivirus incidence.

Should be alert be for a legitimate file, it can be white listed.

Upon the incident being positive and a malicious file being in the system, it needs to be quarantined and delete it.

After the quarantine the source of the file needs to be checked in order to determine where it came from and where the vulnerability is in order to prevent future incidents.

Overtime these anti-virus alerts can be fine-tuned so that’s the frequency of alerts can be reduced.

Removable media control, Endpoint security and The Problem of transportability of data

One of the major problems in the digital age is the transportability of data. Even large quantities of files and papers can be moved on a device smaller than a coin. Therefore, removable media control is one of the essential things to include into your cyber security risk assessment.

One of the countermeasures was the tendency of endpoint security; meaning, that computers and servers were locked down in such a way that files cannot be copied to mobile devices and taking out of the office.

Approximately 10 years Ago I served on a project in which the lack of endpoint security lead to significant damage of the company. The client was a large law firm with the global footprint, and had repeatedly become victims of extortion of employees who were pressed into retreating sensitive data from the organization’s systems.

What we ended up doing was not only implementing an end point security scheme but went one step further and made the general moving files much more difficult, without limiting business operations.

Our solution was to make files available on The company server without making them copyable by any element. Obviously, 100% security could never be guaranteed but the point of the operation was that the possibilities of extracting a file in sensitive information from the corporate server was much more difficult.

Specifically this meant that files which were shared with employees are third-party assets were opened in a browser and could only be sent via link. The link within open the file for review, but classified files could not be downloaded, copied, or otherwise removed from the system.

While this didn’t entirely solve the problem, it took the edge off, and made it possible for the technical personnel to sleep a bit more comfortably.

Cyber insurance versus insurance companies

Getting cyber insurance cover is easy.

Getting cyber insurance coverage that is adequate and up to speed to current threats: totally different story.

Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products; mostly to customers who don’t need them.

So what’s up with that?

While ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in signing cyber insurance contracts.

During the negotiations however, it turns out that they generally ruled out e-commerce businesses.

The main argument was that an e-commerce business could fall victim to a denial of service attack.

My counter argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.

I went on to argue that denial of service attack’s are easily mitigated through various means; the most important one of which is a content distribution network.

Still, the insurance company wouldn’t budge.

Having close connections inside the insurance company I went ahead and looked at their exclusion list. And it was terrifying!

I ended up working with them to reduce the general exclusions, and softened up some of their strict policies towards certain types of businesses. And now, they are doing tremendously well and signing up risks, which are manageable.

Cyber Insurance: What is a DDoS attack and how to mitigate it?

I don’t know how often I had to answer the question what a DDoS attack is. Yet one of the most prominent questions was when I was confronted by an insurance company offering cyber insurance products.

Together with a friend I run a cyber insurance brokerage. Obviously, the clients have to be signed by the insurance company. The products most of the companies have are crap.

And if they are not, their underwriting policies are… well, worth getting used to.

A client of mine operates a rather large e-business, particularly an e-commerce shop.

Like pretty much all of the e-commerce sites, this one was also concerned about the safety of their site, and wanted insurance if they got taken down.

We did my famous analysis of their operation and ruled out most of the obvious risks.

This would give me an easier stance trying to pitch it to the insurance company.

None the less, the first thing the genius underwriter tells me with a frown on his face is that the risk is not coverable because it’s an e-commerce operation relying too heavily on the income from the website.

His main argument, however, was that the risk of a DDoS attack was too big, before resting his case, and trying to send me off.

I asked him if he was even aware of what a DDoS attack was, upon which a large discussion erupted which was mainly focussed on me having crushed his ego.

However, it was fruitful from the angle that I was able to find a “noob” explanation to the issue, which I outlined by explaining to him that it was like a million people trying to exit an aircraft after it had landed, and all of them had to fit through the door. (very short version).

Against all odds, he understood what I was trying to convey to him; yet now came the bigger problem… explaining the solution fo fighting off a DDoS attack.

You see, probably one of the most easiest things to do is to put a content distribution network Infront of your operation. A CDN will take malicious traffic and deal with it differently than with legit traffic coming to a site.

So: bye bye DDoS attacks.

I told him the we could make this a prerequisite for the client to receive insurance coverage… yet the discussion was and burned.



Finding your next employer on the dark web?

Obviously free from state sanctioned pension plans, and otherwise inhibiting characteristics, I recently stumbled upon job advertisements on several marketplaces on the dark web during an investigation.

Probably the most interesting, and first job advertisement was that by liberty market who were looking for a French speaking content “cleaner”.

And they are increasing in number.

Wear this trend originates, and how the specifics are of such an employment leaves to be discovered.

Fact is: the dark web is the most dynamic ecosystem on the planet; currently. All of the business conducted there in requires a lot of ingenuity, Good designers, and even more so very good security experts.

About John Cryan and the nonsense of the cashless society

In his speech at the world economic forum in Davos The former Deutsche bank CEO was one of many to support the quest to rid the world of cash.

Again, he stands in a long line of defenders of this practice.

And while it is true that a large quantity of crime is being committed on the back of cash, the alternative is much more Grimm.

I work together with a variety Of crisis response companies Who reacts to cases of kidnapping and ransom, extortion, and similar risks.

Unanimously these companies I work with sai dad’s paying a kidnapper in conventional currency is one of the most promising factors to retrieve the loot, and to trace the assets back to an individual or organization.

So his cash were taken out of the equation entirely, criminals would resort to alternatives.

In the recent past, and increasing amount of kidnapping around some cases have been changed in appearance by the perpetrators requesting bitcoin and other crypto currency’s in favor of dollars, euros, and other conventional currencies.

The problem is that crypto currency is in general very difficult to trace.

If done right a bitcoin can be in obfuscated that it will never be able to be traced.

The dark web would not be the dark web if it hadn’t invented algorithms to support these types of obfuscation.

Once these have been utilized, criminals often take their new and washed with calling to introduce them to an offshore casino there by entirely eliminating any trace that the crypto currency, which is now conventional currency, was used in a crime.