The Demystifying Tech Podcast invited me back as a guest, and during the conversation the security of elections was discussed. It was given only a few minutes between other items, which is a real shame, so I thought I’d expand on some of the points I made here and give a little bit of an introduction to the prior art of election hacking.
The Problems of Security Testing and Unmanageable Reports
I’d like to talk a little bit about security testing, the problem of information overload and issue prioritisation. To do this I intend to broadly discuss some of the problems with the various options for security testing that organisations have.
I’ve written about some related things before, if you’d like a warm-up:
- Vulnerability Assessments vs Penetration Tests.
- Security is Hard: Why are you laughing
- Security is Hard: Where do I start
However, today I’d like to look at security a little more strategically and to discuss the wider problems with security testing, centring around the idea that there are three main problems with the way companies approach security testing:
This post is not supposed to be a complete list of steps a company should take when securing a network, system, or company – but more of a handy reference for when companies ask me: “Where do we even start?”, which happens about once a week…
My pinned tweet got a lot of attention online; in fact it’s got more attention than probably every one of my other tweets combined – even more than that time I had a Rap Battle over twitter! Tweets are short: you’re limited to 140 characters, and it’s difficult to give depth and context in such a small message.
This weekend I posted a tweet, a short, simple statement – with a lot hidden behind it:
Security is Hard
I was trying to provoke discussion around two opposite ends of the security spectrum: the idea that security is so difficult that we might as well abandon the whole thing, and the idea that security is trivially simple but certain blockers (such as managerial denial, being understaffed, or tech debt) are preventing any real progress. The idea being that people are laughing at the statement “Security is hard” because they so wholeheartedly believe one of the above views that they cannot see the other.
…we don’t whitelist hackers!”
Criminals try to gather information about us online in order to scam us and steal our identities. In America in 2012, identity theft cost the average victim $365 and 12 hours of work to rectify. In 2013 there were 13.1 million U.S. adult victims; that’s nearly one victim every two seconds! That figure represents 5.5% of U.S. adults. This is why being savvy with our online privacy is important!