One of my part-time hobbies is pushing to professionalize the Information Security profession. Admittedly, it is a lonely pastime and not nearly as exhilarating as it sounds. I wrote a multi-part article about the topic called “What does Information Security have in common with Eastern Air Lines Flight 401?” Allow me to quote myself:

Attacks come from many angles in the Information Security game. To wit, a spat between two security vendors – Carbon Black and DirectDefense. DirectDefense released a report on Carbon Black’s Cb Response product. In a report titled “Harvesting Cb Response Data Leaks for fun and profit,” DirectDefense uncovered some disturbing data leakage.

When scanners attack, it just makes you WannaCry. So we had WannaCry, DoublePulsar, Petya – the whole EternalBlue exploit release. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

Soon coming to the Internet of Things (IoT) is the Injunction of Technology (IoT). In another post I
noted that my WiFi router’s power brick had a UL certification, yet the actual WiFi router had nothing similar stating it was safe to use on the Internet. In addition, nothing to ensure it would not hurt other’s use of the Internet.

Brigadier General (retired) Gregory Touhill was the first federal CISO of the United States. Fresh from that role, he did an interview with the Information Security Media Group (ISMG) during a visit at RSA 2017.

I wrote about this before in a post called “Big Things and Small Things”. I documented how two very large companies failed to support Information Security in a corporate environment with even a basic level of accommodation. More came to light this week when reviewing Microsoft Exchange 2016...