Posts

Part Two: Building Your Home Lab

Last week we talked about why you might want to own a home lab, if you're keen on the technical side of cyber security. The first impediment to building a home lab can be the cost of equipment, so let’s break through that barrier. Even an older laptop, say from the last 7 to 10 years, can often be more than capable for starting out. If you only have one laptop and it’s your “daily driver,” you won’t want to turn it into Dr Frankenstein’s monster. A better plan is to install a type 2 (host-based) hypervisor such as VirtualBox, and then create your world of fantasy inside it. A type 2 hypervisor is simply an application you install on your existing operating system, such as Linux, macOS, or Windows. Within it, you can create entire systems. For example, you can install and use a Linux operating system even though your laptop runs Windows. This is an excellent way to learn a new OS. Each of these new systems is called a “virtual machine.” Under the hood, a VM is really just a fi...

What’s in Your Home Lab, and Why I Ask That in Job Interviews

Anyone who’s had the immense pleasure of sitting across the table from me in a technical job interview knows I like to ask candidates about their home lab. The question usually gets anything from a proud grin to a look of pure shock. I don’t ask because I expect colleagues to spend their evenings “working” in a lab at home. I ask because I want to see what sparks their curiosity - the passion that drives them. And yes, I’ve hired people who’ve said, “Actually, I don’t have a home lab,” because they’ve gone on to share other qualities that matter just as much. A software developer might point me to their GitLab repository or the open-source projects they’ve contributed to. Thinking about this recently over another coffee, I came across a ZDNet article that explains why home labs are worth considering. The author compares a home lab to an artist’s portfolio - a place to showcase skill, knowledge, and the ability to keep up with trends. That portfolio-like quality can be the differ...

Data breaches and old passwords

TL;DR: Heard about the "16 Billion Credentials Leak"? Don't panic, it's mostly a repackaging of older breaches. ✔ Use a password manager ✔ Enable multi-factor authentication (MFA) ✔ Check your email on Have I Been Pwned ✔ Take action where needed, but stay calm and take a risk-based approach. ☕ And maybe... have a coffee while you're at it. There's plenty of chatter in the news about the "16 Billion Credentials Leak". Once again, it's claimed to be "the biggest breach in history", the result of (insert latest buzzphrase here) "Infostealer malware", and to really maximise click-bait potential, media outlets throw in "Facebook, Google, Apple services are at risk". Sure, there are elements of truth in these claims, but let's remember what really matters: a calm, measured, risk-based approach. Even better if the discussion can be had over a nice cup of coffee 😉 I've extolled the virtues of password ma...

Anyone can fall victim to scams

I don't like victim blaming. You could say I'm a victim of the avo-smash trend, accuse me of being "one of them", tell me I'm a follower not a trend-setter, and ask when I'm going to switch to kale-based foods. Or you could empathise with me and tell a story about when you've fallen victim to a similarly large nation-wide fad to make me feel included and safe whilst I chow down on delicious sourdough bread smothered in pale green goodness. Which of those two paths will you choose? Now you're in that mindset, let's talk about cyber scams and remember we're all human and we're all unique. That means we all learn differently, we comprehend and process information differently, and we react differently. That's a good thing! When (not if!) each of us makes a mistake, it's up to everyone to work together to help recover from the mishap and take steps to reduce the likelihood it'll happen again. Done well, this turns t...

"I told you so!"

I used to be head of cyber security for a store that sells peanuts. Well, it wasn't peanuts, but for the sake of this story and several confidentiality agreements I've signed over the years, let's go with that. Every month or so, all of the cyber security peeps from the peanut stores all around the country would get together and share stories. It was cathartic in a way: one would say "last month I lost nearly half a million dollars in peanut sales to cyber fraud!" and all would commiserate and offer to buy drinks at the pub that evening for the unfortunate soul who'd lost the most. Importantly though, we'd also share intelligence. We never discussed what sort of peanuts we each sold, or what new and amazing flavours our store would be introducing in the coming months, but we would certainly share details about the types of cyber fraud we'd observed in our stores recently. This elevated the cyber security resilience of all peanut stores, without giv...

Soon to be "ex" X

We've all had the experience: a coffee shop staffed by frightened employees ducking in fear each time the manager barks the next round of orders. It's unpleasant for customers, and usually the fearful staff end up making a sub-par coffee, but we tolerate it in order to get our caffeine fix. What about that other coffee shop - the one with the friendly owner who welcomes everyone in and speaks kindly (but firmly, of course) to their team? The coffee always tastes good, doesn't it? And have you ever noticed after a few months or even years that the team hasn't changed much - it's mostly the same staff. Why? They feel secure in their workplace. They know they have a job to do and they do it efficiently, and usually they "go the extra mile" because they genuinely want to. They know the boss treats them kindly (but firmly - boundaries are important), so they WANT to perform better to please their boss. Sure, it doesn't always work, and occasionally a less-...

What did you just dump?

Imagine finishing a delicious cup of coffee and availing yourself of the facilities in your workplace, and on the door of said restroom you notice an educational message from your cyber security team: "what did you just dump?" For context, there is an accompanying photo of a waste paper basket showing discarded papers with credit card numbers, expiry dates and CVVs clearly visible. Simple message: think about what you throw in the trash and ensure you shred confidential and/or personally identifiable information. However, it's delivered in a way that you'll probably never forget! This didn't actually happen. My mentor suggested it but management shut it down, thinking that it would not resonate with the conservative nature of the organisation we worked for. However, I'm sure you get the point - and with a creative mind, you can come up with one or many ideas of your own to educate those in your workplace about cyber security risk management. Remember, you don...