Issue #0 | The First Bit
Well, here it is! Our first InfoSec Experts newsletter issue!
Firstly, I would like to say a huge thank you; the growth rate of this community in the short space of a week has been incredible. I really appreciate all the feedback, contributions and comments so far.
I want these newsletters to be fun, community-orientated, and educational.
So, if you have any feedback/suggestions, please hit reply and let me know - I’d love to hear from you!
📰 Top News Headlines
The most pressing cyber security headlines of the last few weeks, all in one place.
Ransomware Attacks Targeting VMware ESXi Infrastructure Adopt New Pattern
State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
‘TunnelVision’ Attack Leaves Nearly All VPNs Vulnerable to Spying
Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack
Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024
Researchers Warn of Chinese-Aligned Hackers Targeting South China Sea Countries
Hackers are exploiting critical GitLab password reset vulnerability — here’s what you need to know
Suspected supply chain attack backdoors courtroom recording software
🤣 Meme of the Week
📌 Top Tip
Lurking in InfoSec cert study forums, subreddits, Discords, etc., even if you don’t intend to take a qualification, is a great way to soak up rich info!
🔦 Community Highlight
Each week, we’re highlighting one of our incredible members. Whether it’s a passionate opinion piece, an engaging story, or an intriguing look into their unique job, you’re in for a treat! Want to feature? Hit reply to this email and get in touch!
A special thanks to Brannen Taylor for this week’s piece!
InfoSec vs Networking — can’t we all just get along?
I want to talk about a few things I’ve learned along the way to obtaining my “gray beard” status, after almost 30 years.
These are just some observations and a little wisdom I can hopefully impart to my IT colleagues - particularly in regard to Networking and Information Security (I’ll call them InfoSec).
The basics of it are, we (network engineers) want to connect everything, that’s what we do. My friends in InfoSec would feel a lot better if nothing was connected, and everything was secure.
Since we’re both in IT, we’ve both been saddled with the label of “cost centers”, but more on that in a bit.
What I love about networking is understanding how I’m writing this in Google Docs, on a website, that’s in a physical datacenter server, somewhere, on a physical computer, somewhere, and I understand how my traffic got to that server, across the Internet, out my local connection, across my personal modem, router, and Wi-Fi access point, to this computer. I understand all that network connection, because that’s what I do - I connect this computer to Google, and other destinations…
Along comes InfoSec — who have different priorities & concerns than I do...
They have to make sure the information I’m typing is secure, I’m not stealing company data, make sure the website I connect to is secure, trusted & appropriate, and my connection to the website is secure, trusted, and unchanged from what I sent to what is received, and I don’t get a virus, don’t get malware, etc, etc.
For a long time in my career, I regarded InfoSec as “the department of no” (as my good InfoSec Manager friend calls it).
InfoSec has a tough job - convincing people, like me, that “restrictions” and “limitations” are prudent, sometimes. But essentially, we have the same job, to provide VALUE to the business. And we have similar frustrations and challenges - showing value from something that has not happened.
If the website goes down, and there’s an easy way to show $1M in revenue loss per hour, that’s a pretty easy calculation - but what if the headquarters loses Internet, voice calls are dropped, emails can’t be sent, documents can’t be saved to Office365, and code can’t be uploaded to Git - it’s harder to show productivity loss - similar to showing a risk analysis in InfoSec of identifying risks of not implementing a security program, the potential loss, cost of mitigation vs cost (and likelihood) of a potential incident.
Over time, I’ve learned that Networking and InfoSec are more alike than I realized when I was a n00b. We both exist to serve the business professionally, to the best of our abilities, and to the highest availability the business will allow - meaning, spending money - on professionals, on training, on applications, on hardware - to provide the “Five 9’s” of business uptime (not system uptime).
InfoSec and Networking are Brothers - securely enabling the business to generate revenue.
InfoSec and Networking write policies which adhere to industry best practices, state and local regulations, and which are often imposed by third parties our business wants to conduct its business with, or through.
InfoSec and Networking work together to produce standards which will meet the policies.
Then, Networking (engineering) takes over, and produces procedures and methods which meet the standards which meet the policies.
All this being said - InfoSec and Networking work together to enable revenue generation, and then we protect the revenue.
Networking and InfoSec - two sides of the business coin - connecting almost everything, securely - in service of our business.
💬 Post of the Week
Thanks to Travis, who started a great conversation on the VPN ‘TunnelVision’ vulnerability where we discussed our thoughts.
A real wake-up call that zero-days almost always exist in even the most basic of software and protocols. In some cases, for over 20 years!
🗑️ Cyber Trash 📉
It’s at the bottom of the pile for a reason… here’s the special nominations for the Top 3 InfoSec fails this week. Want to feature next time? Just kidding…
| Prize | What Happened? | Source |
|---|---|---|
| 🥇 First | Dell API abused to steal 49 million customer records in data breach | |
| 🥈 Second | Hackers Can Abuse Apple’s Wi-Fi Positioning System to Track Users Globally | |
| 🥉 Third | Dropbox Discloses Breach of Digital Signature Service Affecting All Users | |
That’s just about it for this week’s issue of InfoSec Experts! Thanks for reading!
If you enjoyed it, please share it with your friends and colleagues, and please send any feedback — it will help shape future newsletters!
Stay safe out there,
Ed