2017 InfoSec Tweet Awards

Another year done. You know what that means? It's time for the annual InfoSec Tweets Awards! This marks the 6th year running. As long as you keep reading them, I'll keep writing them. As in previous years, there are no actual awards. These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes"). As always, categories are completely arbitrary and I make them up as I go along...

Best Tweet Inspired by a Movie

"I could-a give you my word as a CISSP..." "No good. I've known too many CISSPs."
— Corum (@Corum) August 25, 2017

Best Tweet About Passwords

Raise your hand if you use the same password for everything.
Alright, now use that hand to slap yourself in the face. #infosec
— Khalil Sehnaoui (@sehnaoui) January 8, 2017

Best Tweet About Browsers

I'm not racist, I have lots of friends who run Edge.
— egyp7 (@egyp7) January 13, 2017

Best Tweet About Twitter

forget the 💙, Twitter needs an "I feel your pain" button
— b❆B Rudis (@hrbrmstr) July 16, 2017

Best Tweet About Pentesting

If you're a pentester, hacking skills...

2016 InfoSec Tweet Awards

Welcome back good reader. This year marks the 5th Annual InfoSec Tweets Awards! It's hard to believe I've been doing this for half a decade. In 2016 I reduced the number of accounts I follow and I'm not as obsessive about reading every tweet, but there were still plenty of gems to choose from. As in previous years, there are no actual awards. These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes"). As always, categories are completely arbitrary and I make them up as I go along...

Best Tweet Inspired by a TV Show

Fell for one little ARP spoof and my mom got scared
Said you're implementing DHCP MitM monitoring with Snare
— SwiftOnSecurity (@SwiftOnSecurity) January 26, 2016

Best Tweet Inspired by a Movie

Star Wars and infosec. You're convinced you need Death Stars to keep you secure, when actually you should teach your stormtroopers to shoot.
— Ben Hughes (@benjammingh) April 11, 2016

Best Tweet About CISSPs

@wimremes sometimes good people get CISSPs because it's just easier than not having one
— FaithSpottedBald🦅 (@ErrataRob) April 18, 2016

Best Tweet About Auditors

Defeating the Rebellion with Security Controls: A Star Wars Story

The weekend Rogue One: A Star Wars Story was released, a conversation started on Twitter discussing the missteps made by the Empire which inevitably led to the theft of the Death Star plans. To avoid spoiling the movie for everyone, Wolf Goerlich (@jwgoerlich) and I moved the conversation to direct messages. He has since posted two great videos, "Rogue One and InfoSec" Part 1 & Part 2. You can find them on his informative YouTube series, Stuck In Traffic with Wolf Goerlich.

What follows are my thoughts on the controls the Empire could have implemented to thwart the Rebellion.

*** WARNING: SPOILERS AHEAD ***

Prohibit BYOD (Bring Your Own Droid)

From R2-D2 to BB-8 it seems everyone has their own personal droids in the Star Wars universe. Most are designed with a specific task (Astro Mechs, Protocol Droids, etc.) but all are capable of storing large quantities of data and many are equipped with universal Scomp Links or computer interface arms that allow them to access any computer terminal. Had the Empire prohibited BYOD and implemented network access controls then unauthorized assets (droids) would be unable to connect to computer terminals in the first...

Breaking Into Security: A Compendium

Like most Information Security practitioners, I am frequently contacted for advice on breaking into this industry. Rather than write yet another blog post on the subject, I thought it would be more beneficial to collect a variety of quality posts covering different aspects of the industry and provide them as a quick and easy reference. In reverse chronological order:

Starting an InfoSec Career – The Megamix – Lesley Carhart (@hacks4pancakes)
If you have no idea where to start then begin here. Hacks4pancakes has done an amazing job and her "Megamix" is probably the most comprehensive series of articles on breaking into security.

How to become a pentester – Peter Van Eeckhoutte (@corelanc0d3r)
Corelanc0d3r is the go-to guy for training when it comes to exploit development. He has written an extensive post covering time, effort, and the general mindset of a pentester. He also provides links to resources and a list of companies willing to hire inexperienced pentesters.

20 of the Most Misguided Beliefs About InfoSec – David Spark (@dspark)
While this is not technically a "how to break into security" post, it does debunk a lot of common misconceptions about security, which can be just as valuable when starting your career in InfoSec. Answers...

2015 InfoSec Tweet Awards

It's December 31st so that must mean it's time for the 4th annual InfoSec Tweet Awards! Over 2,100 of you read last year's post (my 2nd most popular to date) so it seems I should continue the tradition. As in previous years, there are no actual awards. These are just funny or thought provoking tweets that I've "favorited" over the year (yes, I know Twitter now calls them "likes"). As always, categories are completely arbitrary. I make them up as I go along...

Best Tweet Inspired by a Song (Tie)

If there's something strange
In your glibc
Who ya gonna call?
If there's something weird
And it's a CVE
Who ya gonna call?
— Parker Higgsmas (@xor) January 28, 2015

I want to hack you like an animal. I want to p0wn you from the inside.
— Info Security Jerk (@infosecjerk) January 14, 2015

Best Tweet Inspired by a Holiday (Tie)

sudo be my valentine #infosecvalentine
— ☋Tang0Down☋ (@InfoSystir) February 13, 2015

.@mzbat Santa is a member of the Red Team. He breaks in undetected, steals your cookies, and leaves packages that everyone thinks are...