The Return of Munrobotic! (&& 'Briefly Briefed:' Newsletter)
After a bit of a false start, I'm back!
Apologies to those who were kind enough to subscribe to my newsletter, and then the posts dried up pretty quickly. I started a new role that was very ‘involved’ and had to take a bit of a (long) break to adjust.
I’m returning by sharing my daily posts to LinkedIn and Twitter in a weekly digest, aggregating them and providing some additional narrative. A lot of people have told me they’re useful and to keep going (they’re probably just being polite), so that’s what I’m going to do. I try to be quite selective and post only once or twice per day (to LinkedIn/Twitter), so the weekly digest won’t be too long to read in a single sitting. Moreover, my narratives focus on summarising the content, rather than lots of opinion or ‘hot takes’ (although I do regularly opine). My goal is to provide enough information to be ‘briefly briefed’ or to help you decide whether you want to read the whole post (à la Blinkist), or not.
Additionally, I’m going to resume my long-form posts, which tend to be more detailed, on a monthly basis. I’ll probably split these into different newsletter sections, but I’ll see how we go. I do hope you decide to stick with me, and please provide me with any feedback.
Lawrence
Briefly Briefed: Newsletter #1 (08/09/2023)
An interesting take on buying [too many] security tools by Alex McGlothlin.
The post underscores the challenges and pitfalls of an overly tool-centric approach to cybersecurity. The article explores how an excessive reliance on tools not only bloats budgets but also creates technical debt and residual risk. This 'Circle Sticker' problem is exacerbated as the attack surface grows, requiring continuous investment in new tools. The post also highlights the negative impact on talent recruitment and retention, suggesting that a tool-focused strategy can inadvertently narrow the candidate pool and demotivate existing staff. In conclusion, the author advocates for a 'Security Engineering' culture that empowers engineers to think critically about problem-solving, rather than solely relying on vendor solutions. A balanced approach, they suggest, not only optimises budgets but also fosters a culture of analytical thinking and skill development.
MITRE and CISA release an Operational Technology (OT) extension for Caldera
The repository contains all the Caldera for OT plugins as git submodules. As described in each individual plugin README, it is also possible to git clone a specific protocol plugin directly into the Caldera plugins directory, following the ‘Installation’ guidance.
Microsoft announces AI advancements in Windows 11, notably the introduction of Windows Copilot by Panos Panay
While such a centralised AI assistant may revolutionise user engagement, it equally enlarges the attack surface, creating new opportunities for attackers. Third-party integrations through Bing Chat plugins, although innovative, carry the potential for new vulnerabilities that Microsoft must critically assess. Early adopters of the latest Enterprise technology now have the additional challenge of ‘AI-all-the-things’ in a way that’s reminiscent of IoT in the 2010s (everything’s better with WiFi, right?). Let’s hope we learn our lessons and security becomes a key primitive in tech innovation...
The publication provides guidance for organisations to develop and manage a lifecycle approach to building a cybersecurity and privacy learning program (CPLP). The approach is intended to address the needs of large and small organisations as well as those building an entirely new program. The information leverages broadly accepted standards, regulations, legislation, and best practices. The recommendations are customisable and may be implemented as part of an organisation-wide process that manages awareness, training, and education programs for a diverse set of employee audiences. The guidance also includes suggested metrics and evaluation methods so that the program can be regularly improved and updated as needs evolve.
Ollie Whitehouse is announced as UK NCSC CTO and Thom-Yorke-alike
Anyone who knows Ollie well, understands how truly he believes in the mission to make the U.K. safer and more secure. I can’t think of anyone better to take on the challenge. Ollie is my former boss, and I wish him all the best in this new challenge.
And finally, a twofer. Two really interesting posts that explain how ChatGPT and similar LLMs work in an accessible way, without serious maths or coding prerequisites. They’re not really summary-friendly, but if you’re interested in this topic, these are worth some time.