Predicting the future is hard. As the great philosopher and baseball player, Yogi Berra, once put it: "It's tough to make predictions, especially about the future." A new hire is a prediction of the future. Over at Employment Group, a recent post of theirs put it this way in terms of predicting how would be successful as a new hire: "At its core, hiring is a signal detection challenge. You’re trying to answer one question: Who is most likely to succeed in this role, in this environment? But most hiring processes rely on weak proxies: Resumes as indicators of performance  Interviews as indicators of fit  Experience as a substitute for capability  Without stronger signal, speed becomes dangerous—and slowness becomes inefficient. Neither solves the problem." It seems that it should be easier to find your new best hire. The answer to this problem is that it this is a problem on your end. Bottom line, you're the one who's making it difficult . But you also b...

At Pythia Cyber, we dream of a world without passwords. True, adding two-factor authentication makes passwords less bad. But imagine a life without them at all. Ah, bliss. But what could replace them? Passkeys have a great shot at that. What is a passkey? The short answer is this: a passkey is a token generated on one end and verified on the other with Public/Private Key (PPK) encryption. Since most people are not comfortable with PPK encryption, we will start with a simple description of that and then get into how this kind of encryption can be used to replace the user ID / password model of authentication. The cool part of PPK is the fact that there are two keys: the public one that you publish to the wide world and the private one that you keep secret. The public key is used to encrypt a payload (whatever you want to share privately) and the private key is used to decrypt the payload. While encrypted the payload is secure and only you can read it. Anyone can encrypt, only you can de...

Like many security professionals, we at Pythia Cyber are not overly impressed with passwords . If they are good passwords then they are hard to remember and hard to type. If you take security seriously, they are a pain to manage: a unique one for every account, changing them at random intervals. Worse, the target systems keep exposing them to criminals. So what to use instead? Two-factor authentication is a big step up: you still have a password, but you are not relying solely on that password. That is what the "two" means: a password plus something else. (Passkeys are also an option, but they get their own post.) All second factors produce a temporary authentication code which is required in addition to your password. But not all second factors are created equal. In order of effectiveness, the common options are: An authenticator app A code sent via text message A code sent via email Before we talk about the best we will dispose of the rest. In last place is a temporary code...

Today, let's take a moment to appreciate the sacrifices of those who died defending democracy in service to our country. (image credit: https://www.abmc.gov/cemeteries-memorials/about-korean-war-monument-at-busan/)

Oh, sigh. It has only been 5 months since my last post on Zero Day Vulnerabilities  and now I am provoked by news of multiple such vulnerabilities in various Microsoft products . My post was about what that term used to mean, came to mean and means now. It was also about why reacting to these issues has become a potential vulnerability in itself. The short version of the definition is that "Zero Day Vulnerability" now means "you should do what you can about this vulnerability as quickly as you can." The short version of the dangers of panic is that panic is dangerous: just because you need to react to a vulnerability ASAP does not mean that you can cut corner or rush. Remember that not only are human beings prone to error when they rush but that evil human beings may try to exploit that tendency by offering corrupted patches which are, themselves, malware. The best way to be able to react ASAP without rushing is to plan ahead. Of course you cannot predict when any g...

Continuing on the theme of leadership -- would you say you're disposable? Ross Young over at CISO Tradecraft has a good post out on how you should envision your leadership role in terms of becoming disposable. His key line: "The most effective leaders aren’t the smartest people in the room; they are the architects of systems that thrive in their absence." As a CISO, or generally as the leader of a technical function, you will work amongst many very smart people. An easy question for you to answer incorrectly is: why am I a leader, while they are not leaders?  So many bad or wrong (or alarming) answers might come to mind for you, such as: I'm the most senior employee; I've done all the jobs here; I'm the highest performing employee; I wanted the leadership job more than they did ; etc. It's unlikely you'll think to yourself that you were the most politically savvy. I can report that I personally know people who thought of themselves as 'saviors...