My published articles
The UK’s secret iCloud backdoor request: A dangerous step toward Orwellian mass surveillance
Publisher: Help Net Security
Published: 13 Feb 2025
Link: https://www.helpnetsecurity.com/2025/02/13/uk-government-icloud-backdoor-request/
Synopsis: "The United Kingdom government has secretly requested that Apple build a backdoor into its iCloud service, granting the government unrestricted access to users’ private data. This revelation deeply concerns me – it is a blatant overreach that threatens privacy, security and civil liberties.
This raises an urgent question: should technology companies be forced to bow to government pressure and bring in George Orwell’s 1984 nightmare, or should they remain steadfast in protecting our privacy rights?"
A humble proposal: The InfoSec CIA triad should be expanded
Publisher: Help Net Security
Published: 16 Jan 2025
Link: https://www.helpnetsecurity.com/2025/01/16/infosec-cia-triad/
Synopsis: "The inconsistent and incomplete definitions of essential properties in information security create confusion within the InfoSec community, gaps in security controls, and may elevate the costs of incidents.
In this article, I will analyze the CIA triad, point out its deficiencies, and propose to standardize the terminology involved and expand it by introducing two additional elements."
In the cloud, effective IAM should align to zero-trust principles
Publisher: ComputerWeekly Think Tank
Published: 27 Nov 2024
Win back lost trust by working smarter
Publisher: ComputerWeekly Think Tank
Published: 23 Sep 2024
Link: https://www.computerweekly.com/opinion/Security-Think-Tank-Win-back-lost-trust-by-working-smarter
Are CISOs ready for zero trust architectures?
Publisher: HELP NET SECURITY
Published: February 20, 2020
Link: https://www.helpnetsecurity.com/2020/02/20/zero-trust-architectures/
Synopsis: "The concept of zero trust architectures is not new. During my career, I was a member of the Jericho Forum, a group that essentially invented the concept. At that time technology was not mature enough to support a true “zero trust architecture”. This has changed and I firmly believe that today, technology is at a suitable level for enterprises to move to architectures without perimeters."
You can upgrade Windows 7 for free! Why wouldn’t you?
Publisher: ComputerWeekly Think Tank
Published: 27 Jan 2020
Link: https://www.helpnetsecurity.com/2020/01/27/upgrade-windows-7-for-free/
Hooded hackers? More like ruthless competitors
Publisher: ComputerWeekly Think Tank
Published: 10 Jan 2020
Is it true you can't manage what you don't measure?
Publisher: ComputerWeekly Think Tank
Published: 11 Mar 2019
No tech will ever counter-balance poorly implemented processes
Publisher: ComputerWeekly Think Tank
Published: 12 Feb 2019
Walk before you run
Publisher: ComputerWeekly Think Tank
Published: 16 Jan 2019
Link: https://www.computerweekly.com/opinion/Security-Think-Tank-Walk-before-you-run
Text: We have all tested this postulate: “One needs to first walk before running.” This applies in life as well as in cyber security. I have seen many companies buying shiny and blinking boxes without first addressing fundamental controls, and then failing to receive the promised value from these investments.
Having said that, the paradigm of zero-trust networks, software-defined datacentres and containerisation delivers an exceptional level of security through automation, asset management, self-healing policies and application partitioning.
However, as with anything in IT and cyber security, an exceptional technology operated by untrained and undisciplined people following not-so-well thought through and documented processes is bound to fail. Even worse, a false sense of security could mean higher likelihood of successful attacks.
For companies to benefit from these advanced technology patterns, they need to rethink their processes, eliminating the human element as much as possible, rethink security policies by moving more to industry standards rather than bespoke and, most importantly, train people to use, manage and monitor new technologies.
The key controls should still be implemented even when having these advanced technologies:
- An accurate and detailed CMDB [configuration management database] structured from business processes down to infrastructure.
- A real-time vulnerability and threat management programme.
- Secure baseline builds and automated reporting/remediation of compliance failures.
- Well-designed identity and access control – ideally expressed as code and linked into a single source of truth of identities, roles and organisational structure.
- Monitoring of events for unusual, out-of-norm events with a follow-up process.
There is more, but these present an absolute minimum to be able to reach the level of benefit promised in your business case for investment into zero-trust networks, software-defined datacentres and containerisation.
Think of this when sitting on a supplier’s call showcasing the magic of their technology. There are no shortcuts in life, cyber security included.
Outsource responsibility, not accountability
Publisher: ComputerWeekly Think Tank
Published: 06 Aug 2018
Why cloud business continuity is critical for your organization
Publisher: Help Net Security
Published: Jul 24, 2015
Link: https://www.helpnetsecurity.com/2015/07/24/why-cloud-business-continuity-is-critical-for-your-organization/
Synopsis: "Business continuity, the ability of a company to continue or quickly restart operations following a systems outage, tends to be a topic overlooked by business leaders. Many see it as a responsibility of their IT teams, and think no more of it. However, this is a dangerous abrogation of responsibility, as any CEO who has suffered through a prolonged systems outage can vouch for."
Context-aware security is business-aware security
Publisher: ComputerWeekly Think Tank
Published: 1 Mar 2013
Synopsis: "The static security policy decisions are over. Is your firewall still only a dumb IP based firewall that allows or blocks access based on IP addresses? What about contextual information such as: identity, location, data transferred and behaviour of the traffic?"
Quick time to market to blame for many SQLi attacks
Publisher: ComputerWeekly Think Tank
Published: 1 Sep 2012
Synopsis: "Cyber criminals are typically after your data for monetary reasons. From their point of view, the most valued asset in your network is your customer or payment card database; the bigger the merrier."
Virtualisation and security: In what ways is virtualisation helping and hindering enterprise security?
Publisher: ComputerWeekly Think Tank
Published: 18 Jul 2011
Synopsis: "From a security point of view, all traditional security controls that a diligent security professional would apply to dedicated HW systems are still relevant in the virtualisation world. There are, however, some that stand out as more important: hypervisor security, change control, and maintaining security posture for offline images and templates."
How can businesses measure the effectiveness of their IT security teams to ensure they are getting value?
Publisher: ComputerWeekly Think Tank
Published: 13 Jul 2011
Synopsis: "The question of measuring the value of security in an organisation has not been fully answered since the creation of the information security discipline. And this fact is, in my opinion, one of the reasons security teams find it difficult to convince the business to invest in security, except perhaps immediately after an incident."
What should businesses do to ensure their IT defences resist targeted, advanced persistent threats (APTs)?
Publisher: ComputerWeekly Think Tank
Published: 11 May 2011
Link: tbd
Synopsis: "My take on the question: Security threat reports are increasing, identifying targeted and advanced, persistent threats (APTs) as top priorities for all organisations of all sizes and sectors. The reality of APTs has recently been demonstrated by the successful theft of information from security firm, RSA. In the light of these advisories and the RSA data breach, what should businesses be doing to ensure their IT defences can resist targeted, advanced, persistent (APT) attacks?"
Review: 1Password 3
Publisher: (IN)Secure Magazine Issue 24
Published: Feb 1, 2010
Link: https://img2.helpnetsecurity.com/dl/insecure/INSECURE-Mag-24.pdf
Synopsis: "How many times have you, as a security professional, explained to your friends, family or colleagues that using one password for everything is not ideal and not secure - far from it, actually? Yet the report by CPP suggests that many Brits do exactly that! A typical response from those “offenders” is: “It is impossible to remember all those passwords. That is why I use just one strong password.” Obviously, we know it does not really matter how strong that one password really is!"
Federation for the Cloud: Opportunities for a Single Identity
Publisher: ISACA
Published: tbd
Link: tbd
Synopsis: "Cloud computing has changed the way IT departments deliver services to the business. Many organizations, small or big, need to share data with their partners. Furthermore, organizations need to give access to their systems to users. Traditional models relied on creating accounts in local identity databases. A more recent approach uses federation between two organizations that trust each other. However, what if you take the federation concept to the cloud? Can there be such a service as federated identity in the cloud? Could we all end up with one single identity that is used for all our activities? This presentation will give some fresh views on the topic."
What’s holding up the cloud?
Publisher: ComputerWeekly Think Tank
Link: tbd
Synopsis: "My take on the Think Tank question: Are security concerns and a lack of adequate risk assessment tools the reason SMEs are not adopting cloud computing, or is the real reason something else that security professionals are also in a good position to address?"
Enterprise grade remote access
Magazine: (IN)SECURE, Jul 12, 2007
Published: 12 Jul 2018
Link: https://img2.helpnetsecurity.com/dl/insecure/INSECURE-Mag-12.pdf
Synopsis: "The way we access applications inside networks is a fascinating subject. The boundaries between inside and outside gradually diminish and we, as security professionals, face new security threats. Having a properly designed, secured and maintained remote access system is key for a business to compete in a fast-moving world. It is no longer possible to offer the excuse “I am traveling, will login to my email and send it to you next week when I am back from my business trip.” There will be no-one to send it to then!"
Enforcing the network security policy with digital certificates
Magazine: (IN)SECURE, Issue 11 - May 2007
Published: 1 May 2007
Link to PDF: https://img2.helpnetsecurity.com/dl/insecure/INSECURE-Mag-11.pdf
Synopsis: "Far too often, security is compromised because administrators or even security professionals do not know how to use certain technologies. This unfortunately increases the risk and devalues the information security profession in people's eyes. I am going to suggest a solution to two of many security problems that organisations face today: a) Secure VPN access to an office network from the Internet, b) Secure access to Extranet applications for employees or 3rd parties."