Do phishing tests do more harm than good? – Wolfgang Goerlich – ESW #376
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
- The GoDaddy Phishing Awareness Test
- The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong
- University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
I’ve spent my career immersed in solving the constant and ever evolving challenge of cybersecurity. The constant change and evolution always keeps it interesting. Right now I’m defining security models for LLM. In the past, l’ve co-led the industry charge towards securing cloud, putting the Sec in DevOps, and making Zero trust deployable and manageable for enterprises of every size. I’m an IANS Al, Zero Trust, and Security Leadership expert and you’ll find me speaking as well as listening at conferences.
Leader, coach, mentor, manager, tinker, tailor, soldier, spy.
Speed, Flexibility, and AI: The Case for Migrating from Legacy SOAR Systems – Whitney Young – ESW #376
Whitney Young is a Solutions Engineering Manager at Tines. Since joining in April 2022, her role focuses on supporting teams in their evaluation of Tines, a smart, secure workflow platform designed to automate any manual task, regardless of complexity. A career sales and technology professional, Whitney works with businesses based in the Western and Central regions of the United States.
Cybersecurity: is the talent gap a myth? Is the industry delusional? – ESW #376
- the maturity of the industry
- the supposed "talent gap" with millions of open jobs despite complaints that this industry is difficult to break into
- cybersecurity's 'delusion' problem
- researchers accidentally take over a TLD
- When nearly all your customers make the same insecure configuration mistakes, maybe it's not all their fault, ServiceNow finds out
Adrian Sanabria
- ESSAYS: Cybersecurity Workforce Woes
An essay examining the "talent gap". Is it real? Was it all a myth? Was it ever real?
There's a lot of nuance in the answers to these questions, and Chris Hughes does a good job of covering the bases in this long(ish) read.
- ESSAYS: Prioritizing Detection Engineering
This is a followup on Ryan's infamous 2017 essay titled, Lessons Learned in Detection Engineering. Ryan seems to share my obsession with understanding what works and what doesn't in the enterprise, and how things fail when they don't work.
If I'm being honest, I see a LOT of my own mistakes in this one. Granted, many of those were made almost exactly 20 years ago, but I imagine people being people, some of those same mistakes are still being made today.
- ESSAYS: Cybersecurity’s Delusion Problem
BREAKING: Cybersecurity is not the most important thing to the business. It's not even their biggest risk. Not by a long shot.
- ESSAYS: Beyond Immature Rhetoric: The Case Against Mockery and Ambulance Chasing in the Security Industry
Sit down, be humble
- WHOOPSIES: We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
One of those incredible stories that will become legend.
Situations like this is why the entire category of External Attack Surface Management (EASM) was created, but to find these kinds of issues for one customer - an organization and its subsidiaries. It wasn't designed to find these issues at the TLD or internet architecture level!
Every now and then, it feels like Lopht testifying before Congress in 1998 all over again.
- WHOOPSIES: Enterprise ServiceNow Knowledge Bases at Risk
Similar to that issue Salesforce had last year. In fact, I just realized it was discovered by the same person, Aaron Costello, and that's how he got his job at AppOmni, as a security researcher!
This is in that category of "misconfiguration due to unclear UI/UX". We have at least one of these every year - there should be an award, in the shape of an S3 bucket.
- BREACHES: Fortinet confirms data breach after hacker claims to steal 440GB of files
The threat actor, known as "Fortibitch,"
Okay, NOW you've got my attention.
- DUMPSTER FIRES: Cybersecurity Pen Test Arrests: 5 Years Later
An incredible listen. Remember when a couple of physical pentesters were thrown in jail in Iowa during a paid engagement to break into a courthouse? This is THAT story, with the benefit of 5 years of hindsight.
Includes both pentesters, the CISO of Coalfire, and the journalist at Dark Reading that covered it as the news was breaking. 5 years later, and these poor guys are still dealing with the fallout on an almost daily basis.
- SQUIRREL: ‘The data on extreme human ageing is rotten from the inside out’ – Ig Nobel winner Saul Justin Newman
This is less of a non-sequitur than I usually post for a squirrel story, because it's a tale about what can happen when you don't check the integrity of your source data. I've run into this problem on several occasions while working with data scientists in cybersecurity, though none of them were as huge and impactful as this one.
This science faux pas isn't quite as bad as the misunderstanding that lead to a food industry-wide fat-free craze, but it's still pretty bad.










