Posts

Data breaches and old passwords

TL;DR: Heard about the "16 Billion Credentials Leak"? Don't panic, it's mostly a repackaging of older breaches. ✔ Use a password manager ✔ Enable multi-factor authentication (MFA) ✔ Check your email on Have I Been Pwned ✔ Take action where needed, but stay calm and take a risk-based approach. ☕ And maybe... have a coffee while you're at it. There's plenty of chatter in the news about the "16 Billion Credentials Leak". Once again, it's claimed to be "the biggest breach in history", the result of (insert latest buzzphrase here) "infostealer malware", and to really maximise click-bait potential, media outlets throw in "Facebook, Google, Apple services are at risk". Sure, there are elements of truth in these claims, but let's remember what really matters: a calm, measured, risk-based approach. Even better if the discussion can be had over a nice cup of coffee 😉 I've extolled the virtues of password ma...

Anyone can fall victim to scams

I don't like victim blaming. You could say I'm a victim of the avo-smash trend, accuse me of being "one of them", tell me I'm a follower not a trend-setter, and ask when I'm going to switch to kale-based foods. Or you could empathise with me and tell a story about when you've fallen victim to a similarly large nationwide fad to make me feel included and safe whilst I chow down on delicious sourdough bread smothered in pale green goodness. Which of those two paths will you choose? Now you're in that mindset, let's talk about cyber scams and remember we're all human and we're all unique. That means we all learn differently, we comprehend and process information differently, and we react differently. That's a good thing! When (not if!) each of us makes a mistake, it's up to everyone to work together to help recover from the mishap and take steps to reduce the likelihood it'll happen again. Done well, this turns t...

"I told you so!"

I used to be head of cyber security for a store that sells peanuts. Well, it wasn't peanuts, but for the sake of this story and several confidentiality agreements I've signed over the years, let's go with that. Every month or so, all of the cyber security peeps from the peanut stores all around the country would get together and share stories. It was cathartic in a way: one would say "last month I lost nearly half a million dollars in peanut sales to cyber fraud!" and all would commiserate and offer to buy drinks at the pub that evening for the unfortunate soul who'd lost the most. Importantly though, we'd also share intelligence. We never discussed what sort of peanuts we each sold, or what new and amazing flavours our store would be introducing in the coming months, but we would certainly share details about the types of cyber fraud we'd observed in our stores recently. This elevated the cyber security resilience of all peanut stores, without giv...

Soon to be "ex" X

We've all had the experience: a coffee shop staffed by frightened employees ducking in fear each time the manager barks the next round of orders. It's unpleasant for customers, and usually the fearful staff end up making a sub-par coffee, but we tolerate it in order to get our caffeine fix. What about that other coffee shop, the one with the friendly owner who welcomes everyone in and speaks kindly (but firmly, of course) to their team? The coffee always tastes good, doesn't it? And have you ever noticed after a few months or even years that the team hasn't changed much? It's mostly the same staff. Why? They feel secure in their workplace. They know they have a job to do and they do it efficiently, and usually they "go the extra mile" because they genuinely want to. They know the boss treats them kindly (but firmly; boundaries are important), so they WANT to perform better to please their boss. Sure, it doesn't always work, and occasionally a less-...

What did you just dump?

Imagine finishing a delicious cup of coffee and availing yourself of the facilities in your workplace, and on the door of said restroom you notice an educational message from your cyber security team: "what did you just dump?" For context, there is an accompanying photo of a waste paper basket showing discarded papers with credit card numbers, expiry dates and CVVs clearly visible. Simple message: think about what you throw in the trash, and shred confidential and/or personally identifiable information. It's delivered in a way that you'll probably never forget, though! This didn't actually happen. My mentor suggested it but management shut it down, thinking that it would not resonate with the conservative nature of the organisation we worked for. However, I'm sure you get the point, and with a creative mind you can come up with one or many ideas of your own to educate those in your workplace about cyber security risk management. Remember, you don...

"Another day, another breach"

"Another day, another breach." I grew tired of hearing that phrase around 2019! Even back then I thought it was time everyone acknowledged that breaches are inevitable. Many of us already have, and that's why the cyber security industry has a fantastic set of standards such as the NIST CSF to draw upon for incident response and preparedness. However, what I mean by "everyone" is just that: not just cyber sec pros. Business experts, CEOs, tradespeople, school teachers, the whole lot, all must acknowledge breaches are inevitable, and be prepared. I'm going to compare this to preparedness for other types of disaster, for the sake of the point I want to make. We accepted long ago that floods, fires and droughts were inevitable, so we have a strong culture of preparedness for these. I'm not going to delve into the truly devastating effects of natural disasters, other than to briefly point out that data breach incidents can result in similar...

Nerding out over patterns in stolen PINs

Has anyone ever completely nerded out over numbers, patterns and maths? I saw this article on ABC News about commonly used PINs, and I clicked into it not expecting to be quite this interested. The authors took the four-digit PINs from Troy Hunt's Have I Been Pwned site (using the API) and split each one into its first two digits and its last two, so that the data could be plotted on an X-Y graph. The result is a graph which visually shows the most common combinations of digits. It's a brilliant idea, because it makes the task of identifying patterns very simple, using visual means. Unsurprisingly, PINs like 0000, 1111, 1234, 1212 etc. are the most common. The repeated-pair combinations (where the first two digits equal the last two, such as 0000, 1111 and 1212) show up nicely as a straight diagonal line. There's also a strong band for PINs beginning with 19 and 20, because these form the first two digits of the birth years of just about everyone alive today. The visual representation also shows some popular PINs that I didn't expect to be common, ...
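The split-and-plot analysis described above, reproduced as an added example that is not code from the original post or from the ABC article. It assumes nothing about the real HIBP data: the PIN list below is constructed for illustration, weighted to look like a leaked-PIN distribution (a few very popular PINs, some birth years, a scattering of random ones). Each PIN is split into its first two digits (x) and last two digits (y), tallied into a 100x100 grid, and the two structures the post mentions are measured directly: the x == y diagonal of repeated pairs, and the 19xx/20xx birth-year band. A coarse text heat map stands in for the X-Y plot.

```python
"""Split four-digit PINs into (first two, last two) and look for structure.

Added example; SAMPLE_PINS is CONSTRUCTED for illustration and is not HIBP data.
"""
from __future__ import annotations

from collections import Counter

# Constructed sample (not real leak data): popular PINs, birth years, random filler.
SAMPLE_PINS = (
    ["1234"] * 12
    + ["0000"] * 8
    + ["1111"] * 6
    + ["1212"] * 4
    + ["2580"] * 3          # keypad column; neither a repeat nor a year
    + ["1990"] * 3
    + ["1985"] * 2
    + ["2001"] * 2
    + ["1973"]
    + ["4713", "8361", "0627", "5590", "3046", "7718"]
)


def split_pin(pin: str) -> tuple[int, int]:
    """Return (first two digits, last two digits) as ints; reject malformed input."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError(f"not a four-digit PIN: {pin!r}")
    return int(pin[:2]), int(pin[2:])


def build_grid(pins) -> Counter:
    """Count how many PINs fall into each (x, y) cell of the 100x100 grid."""
    return Counter(split_pin(p) for p in pins)


def top_cells(grid: Counter, n: int = 5) -> list[tuple[str, int]]:
    """Most common PINs, reassembled from their grid coordinates."""
    return [(f"{x:02d}{y:02d}", c) for (x, y), c in grid.most_common(n)]


def diagonal_share(grid: Counter) -> float:
    """Fraction of PINs on the x == y diagonal, i.e. of the form ABAB (0000, 1212)."""
    total = sum(grid.values())
    on_diag = sum(c for (x, y), c in grid.items() if x == y)
    return on_diag / total if total else 0.0


def year_share(grid: Counter, prefixes: tuple[int, ...] = (19, 20)) -> float:
    """Fraction of PINs whose first two digits look like a birth-year prefix."""
    total = sum(grid.values())
    in_band = sum(c for (x, _), c in grid.items() if x in prefixes)
    return in_band / total if total else 0.0


def ascii_heatmap(grid: Counter, bucket: int = 10) -> str:
    """Coarse text heat map of the grid: rows are first-two-digit buckets,
    columns are last-two-digit buckets, darker glyphs mean more PINs."""
    size = 100 // bucket
    tiles = [[0] * size for _ in range(size)]
    for (x, y), c in grid.items():
        tiles[x // bucket][y // bucket] += c
    shades = " .:-=+*#%@"
    peak = max(max(row) for row in tiles) or 1
    lines = []
    for i, row in enumerate(tiles):
        cells = "".join(
            shades[min(len(shades) - 1, v * (len(shades) - 1) // peak)] for v in row
        )
        lines.append(f"{i * bucket:02d}|{cells}|")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_grid(SAMPLE_PINS)
    print("top:", top_cells(g))
    print(f"diagonal (ABAB) share: {diagonal_share(g):.2f}")
    print(f"19xx/20xx share: {year_share(g):.2f}")
    print(ascii_heatmap(g))
```

Swapping SAMPLE_PINS for a real list (for instance, four-digit entries pulled from a password dump) is all that is needed to run the same analysis; the diagonal and the 19/20 band fall out of the grid without any per-PIN rules, which is what makes the X-Y view so effective.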