How resilient is your application? Maybe you've set up a suite of logging tools, an APM, and tests to handle all your own code. What happens when a third-party API goes down? What happens when it stays up, but slows down to the point that your dependent services start to fail? Finding a modern application that doesn't rely on third-party APIs is rare, particularly with the abundance of social login and sharing.

Phishing scams remain one of the most widespread cybercrimes. A phishing scam can be as simple as getting someone to click on a link, attachment, or a picture of cute kittens. I recently received a spam email with the message: “Old friends post embarrassing pictures of Jason Nelson online; click here to see.” Seeing my name in the body or subject line of an email is alarming. That is why scammers word these emails this way.

The CIS Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principle benefit of the CIS Controls are that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.

In a previous post, I wrote about my key take-aways from Verizon’s 2019 Payment Security Report. While it’s no surprise it was full of interesting and useful data, (Verizon’s yearly Data Breach Investigation Report (DBIR) has become required reading.) I was delighted to find an excellent guide on the the 9-5-4 model, a means by which an organization can measure and improve its data protection program. It also details ways in which a company can measure the maturity of the program.

This year at BSidesDFW, my local security conference, I highlighted a continuing trend of adversaries using open source offensive tools. The talk reviewed one of these post-exploitation frameworks named Koadic and walked through different ways defenders can build behavioral detections through the use of Event Query Language (EQL).