At Pythia Cyber, we dream of a world without passwords. True, adding two-factor authentication makes passwords less bad. But imagine a life without them at all. Ah, bliss. But what could replace them? Passkeys have a great shot at that. What is a passkey? The short answer is this: a passkey is a token generated on one end and verified on the other with Public/Private Key (PPK) encryption. Since most people are not comfortable with PPK encryption, we will start with a simple description of that and then get into how this kind of encryption can be used to replace the user ID / password model of authentication. The cool part of PPK is the fact that there are two keys: the public one that you publish to the wide world and the private one that you keep secret. The public key is used to encrypt a payload (whatever you want to share privately) and the private key is used to decrypt the payload. While encrypted the payload is secure and only you can read it. Anyone can encrypt, only you can de...

Like many security professionals, we at Pythia Cyber are not overly impressed with passwords . If they are good passwords then they are hard to remember and hard to type. If you take security seriously, they are a pain to manage: a unique one for every account, changing them at random intervals. Worse, the target systems keep exposing them to criminals. So what to use instead? Two-factor authentication is a big step up: you still have a password, but you are not relying solely on that password. That is what the "two" means: a password plus something else. (Passkeys are also an option, but they get their own post.) All second factors produce a temporary authentication code which is required in addition to your password. But not all second factors are created equal. In order of effectiveness, the common options are: An authenticator app A code sent via text message A code sent via email Before we talk about the best we will dispose of the rest. In last place is a temporary code...

Today, let's take a moment to appreciate the sacrifices of those who died defending democracy in service to our country. (image credit: https://www.abmc.gov/cemeteries-memorials/about-korean-war-monument-at-busan/)

Oh, sigh. It has only been 5 months since my last post on Zero Day Vulnerabilities  and now I am provoked by news of multiple such vulnerabilities in various Microsoft products . My post was about what that term used to mean, came to mean and means now. It was also about why reacting to these issues has become a potential vulnerability in itself. The short version of the definition is that "Zero Day Vulnerability" now means "you should do what you can about this vulnerability as quickly as you can." The short version of the dangers of panic is that panic is dangerous: just because you need to react to a vulnerability ASAP does not mean that you can cut corner or rush. Remember that not only are human beings prone to error when they rush but that evil human beings may try to exploit that tendency by offering corrupted patches which are, themselves, malware. The best way to be able to react ASAP without rushing is to plan ahead. Of course you cannot predict when any g...

Continuing on the theme of leadership -- would you say you're disposable? Ross Young over at CISO Tradecraft has a good post out on how you should envision your leadership role in terms of becoming disposable. His key line: "The most effective leaders aren’t the smartest people in the room; they are the architects of systems that thrive in their absence." As a CISO, or generally as the leader of a technical function, you will work amongst many very smart people. An easy question for you to answer incorrectly is: why am I a leader, while they are not leaders?  So many bad or wrong (or alarming) answers might come to mind for you, such as: I'm the most senior employee; I've done all the jobs here; I'm the highest performing employee; I wanted the leadership job more than they did ; etc. It's unlikely you'll think to yourself that you were the most politically savvy. I can report that I personally know people who thought of themselves as 'saviors...

We here at Pythia Cyber are big believers in rigor so we strongly recommend following a rigorous framework when building your cybersecurity program (CSP). We use the NIST CSF by default but we recognize that there are a few other frameworks which will also do the trick. We seek to season cybersecurity with behavioral science because human behavior is a huge but rarely addressed part of running a CSP. Those who run the CSP are humans. Those who follow the CSP are humans. Those who work to subvert or circumvent the CSP are humans. There is much that is NOT cyber in cybersecurity. There are few places along the path to a great CSP where being human is more evident than in the writing of policies and procedures. The point of these documents is to inform, not impress. The goal is to guide human behavior in times of stress, so clarity and accuracy are of utmost importance. Length or literary flourishes are worse than irrelevant, they are an impediment to being useful in times of stress and u...