Category: Articles
It Ain’t Over Till It’s Over
And it’s never over… If the log4j crisis has proven anything, it is why the Center for Internet Security (CIS®) Top 18 controls are so vital. Rather than mandating controls to counter every possible attack vector (NIST 800-53 et al.), the CIS Top 18 controls are periodically refreshed and reprioritized based on real-world …
Additional steps to remediate log4j
Log4j remediation is much more than just patching. Here are additional steps you may not have considered in your Log4j response: Do you know if you have Log4j, or any of the other libraries in which Log4j is embedded, in the apps you have developed internally? (You do have a way to track and manage …
No organization is immune
PwC’s timeline of the days leading up to the deployment of Conti ransomware on May 14. PwC, as reported by Brian Krebs, conducted a great post-mortem analysis of the ransomware attack on Ireland’s public health system. It highlights two persistent failures that I see consistently. For all the harping on log4j (the latest disaster …
Take Control: Email
Ever since the Apple CSAM debacle earlier this year, I have been searching for alternatives to the “free” products provided by Apple. Apple’s push to implement the CSAM spyware in the face of very vocal opposition by privacy and security researchers (including myself) and civil libertarians around the world revealed to me that Apple’s promises …
Take Control: Spam Calls
Robocall-driven spam/scam calls are out of control. I know, what else is new, but I mean REALLY out of control. Until I developed the system I am about to show you, my phone would ring up to 10 times a day from scam/spam calls at all hours, even after I had implemented my carrier’s spam …