Practical Risk Tolerance

Excellent article on security risk management from Black Swan Security:

“…but I don’t hear any formalisation of measuring and assessing controls that are beyond the Control Tolerance of an organisation. We care about risk tolerances and exceptions, the risk owners care about these but the risk owners and the business managers also care about the ‘Control Tolerance’ or at least they care about controls beyond it.”

“If the practical risk tolerance that the security teams are working to is below the control tolerance then such a reset is inevitable. If the control implementations are below the Control Tolerance but the Risk Tolerance would practically have allowed for less stifling control environments then such a reset will likely not only reduce the impact of stifling controls but also unnecessarily increase the overall risk tolerance and associated exposure to security risk. Ironically over-zealous security controls lead to a less well-secured environment.”



A Private Network for IoT Devices

Cloudflare has just announced something interesting that could be a game changer for IoT-based threats:

“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.

For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. Lockitron is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.””

Source: https://blog.cloudflare.com/orbit/



Misunderstanding APT Indicators of Compromise | Threatpost

A really interesting piece on IOCs (Indicators of Compromise), how the term is often misunderstood, and how it is used in misleading ways in security vendors’ marketing.

It also makes use of a great definition from MITRE of the difference between ‘Observables’ and ‘Indicators’:

“Observables are stateful properties and measurable events pertinent to the operation of computers and networks. Information about a file (name, hash, size, etc.), a registry key value, a service being started, or an HTTP request being sent are all simple examples of Observables. […] Indicators are a construct used to convey specific Observables combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. They consist of one or more Observables potentially mapped to a related TTP context and adorned with other relevant metadata on things like confidence in the indicator’s assertion, handling restrictions, valid time windows, likely impact, sightings of the indicator, structure test mechanisms for detection, suggested course of action, the source of the indicator, etc.”

MITRE also defines several interrelated terms that address higher-level constructs and organizational objectives: Incidents; Tools, Tactics, and Procedures (TTPs); Campaign, Threat Actor, and Course Of Action (COA).
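As an added illustration of the distinction drawn in the MITRE definition above (this is example code written for this page, not code from Threatpost or MITRE), the small model below keeps Observables context-free and makes an Indicator a bundle of Observables plus TTP label, confidence, valid time window, course of action and source. The hash, registry key, TTP label, timestamps and events are all constructed; matching an Observable anywhere in the data counts as a hit, while an Indicator sighting only counts inside its valid window.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Observable:
    """A stateful property or measurable event, with no context attached."""
    kind: str    # e.g. "file_sha256", "registry_key", "http_request"
    value: str


@dataclass
class Indicator:
    """One or more Observables plus the context that turns them into an assertion."""
    observables: tuple          # tuple of Observable
    ttp: str                    # related TTP context (free-text label here)
    confidence: str             # "low" / "medium" / "high"
    valid_from: datetime
    valid_until: datetime
    course_of_action: str
    source: str

    def sightings(self, events):
        """Events matching one of the observables inside the valid window.

        A raw observable match outside the window is not a sighting: the
        indicator asserts 'this artefact means X between these dates'.
        """
        hits = []
        for event in events:
            if not (self.valid_from <= event["seen_at"] <= self.valid_until):
                continue
            if any(o.kind == event["kind"] and o.value == event["value"]
                   for o in self.observables):
                hits.append(event)
        return hits


def observable_hits(observables, events):
    """Context-free matching: every event whose (kind, value) equals an observable."""
    wanted = {(o.kind, o.value) for o in observables}
    return [e for e in events if (e["kind"], e["value"]) in wanted]


# Constructed values for the example; none of these are real indicators.
SAMPLE_HASH = "a" * 64                               # constructed SHA-256 placeholder
SAMPLE_KEY = r"HKCU\Software\ExampleVendor\Run"      # constructed registry key
OBS = (
    Observable("file_sha256", SAMPLE_HASH),
    Observable("registry_key", SAMPLE_KEY),
)
IND = Indicator(
    observables=OBS,
    ttp="persistence via Run key (constructed label)",
    confidence="medium",
    valid_from=datetime(2017, 1, 1, tzinfo=timezone.utc),
    valid_until=datetime(2017, 6, 30, tzinfo=timezone.utc),
    course_of_action="isolate host, collect registry hive",
    source="example feed (constructed)",
)

# Constructed events: the same hash seen once inside and once outside the window,
# a registry write inside the window, and an unrelated HTTP request.
EVENTS = [
    {"kind": "file_sha256", "value": SAMPLE_HASH,
     "seen_at": datetime(2017, 3, 5, tzinfo=timezone.utc)},
    {"kind": "file_sha256", "value": SAMPLE_HASH,
     "seen_at": datetime(2018, 2, 1, tzinfo=timezone.utc)},
    {"kind": "registry_key", "value": SAMPLE_KEY,
     "seen_at": datetime(2017, 4, 10, tzinfo=timezone.utc)},
    {"kind": "http_request", "value": "GET /index.html",
     "seen_at": datetime(2017, 4, 10, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print("observable hits:", len(observable_hits(OBS, EVENTS)))   # 3
    print("indicator sightings:", len(IND.sightings(EVENTS)))      # 2
```

The difference between the two counts is the whole point of the definition: a vendor publishing a bare list of hashes is publishing Observables; only with the window, TTP and confidence attached does a hash become an Indicator that a detection team can act on and later retire.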

Source: Misunderstanding APT Indicators of Compromise | Threatpost



Website Updates – Security & Performance

I’m making some changes to the hosting and configuration of this site; the rough goals are listed below:

  • Changing hosting provider from a legacy shared server to a cloud hosting provider with better security and high availability.
  • Adding stricter (and end-to-end) encryption to the entire site using a combination of CloudFlare and LetsEncrypt.
  • Changing the site’s security / performance configuration to support and enforce:
    • Content-Security-Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Strict-Transport-Security (HTTP Strict Transport Security, HSTS)
    • Authenticated Origin Pulls
    • HTTP/2 + SPDY
    • IPv6 Compatibility
    • Scrape Shield

Using various tools this should actually be quite straightforward. I plan to detail the main stages / steps in some later posts.
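As an added example (not the site’s own configuration and not Cloudflare tooling), the Python audit below checks a response’s headers against the header goals in the list above, run here over a constructed “before” and “after” header set. The accepted values, the CSP rules and the one-year HSTS minimum are assumptions chosen for the check. Authenticated Origin Pulls, HTTP/2, IPv6 and Scrape Shield are transport-level and Cloudflare-side settings that a header check cannot observe, so they are left out.

```python
import re

# Assumed minimum HSTS max-age for this audit (one year, in seconds).
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(policy):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_status(policy):
    """Weak if scripts are uncontrolled, or allowed from anywhere / inline."""
    directives = parse_csp(policy)
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "weak"        # neither script-src nor a default-src fallback
    if "'unsafe-inline'" in script or "*" in script:
        return "weak"
    return "ok"


def hsts_status(value):
    """Weak unless max-age is present and at least MIN_HSTS_MAX_AGE."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
        return "weak"
    return "ok"


# One check per header on the page's list; each returns "ok" or "weak".
# X-XSS-Protection is a legacy header that modern browsers have largely dropped,
# but it is kept here because it is on the list above.
CHECKS = {
    "Content-Security-Policy": csp_status,
    "X-Frame-Options": lambda v: "ok" if v.strip().upper() in {"DENY", "SAMEORIGIN"} else "weak",
    "X-XSS-Protection": lambda v: "ok" if v.replace(" ", "").lower() == "1;mode=block" else "weak",
    "X-Content-Type-Options": lambda v: "ok" if v.strip().lower() == "nosniff" else "weak",
    "Strict-Transport-Security": hsts_status,
}


def audit_headers(headers):
    """Map each expected header to 'ok', 'weak' or 'missing' (names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, check in CHECKS.items():
        value = lower.get(name.lower())
        result[name] = "missing" if value is None or not value.strip() else check(value)
    return result


# Constructed sample responses (not captured from the real site).
BEFORE = {"Content-Type": "text/html", "Server": "Apache"}
AFTER = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```

In practice the header mapping comes from the response of an HTTPS request to the site; keeping the checks as pure functions over a dict makes the audit easy to run in a test suite or a deploy pipeline before the new configuration goes live.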



Password Complexity vs. Password Length

These days it is far more common to hear ‘normal’ people talk about password security; previously it was almost exclusively IT professionals and enthusiasts who would say things like “you need at least a number and a symbol in your password for it to be secure”. Fortunately we are moving towards a future where more and more non-technical or home users understand why a password needs to be strong and hard for another person to guess.

Unfortunately the advice on choosing a secure password is increasingly complex, which leaves people confused or following practices that are less useful than others.

This post will focus on the two main pieces of advice for choosing a secure password, explain why you should choose one or the other (or combine them), and finally give recommendations that align with other best practices and offer a simple, repeatable method for having secure and hard-to-guess passwords every time. So first let’s define what complexity and length mean when discussing passwords.

Complexity:

Passwords are almost always made up of a combination of letters, numbers and symbols. Complexity comes in when you substitute or add combinations of all three to create a hard-to-guess (and in many cases hard-to-remember) password.
An example would be taking the name of your favourite book (Data and Goliath), film (Fight Club) and TV show (Grimm) and using just the first letters of each to form something like this: “dagfcg”. This is a completely random and hard-to-guess (for a human) password. However, it is only 6 characters long and simple for a computer to work out; after all, computers can guess passwords at a rate of millions a minute and would make short work of a password like “dagfcg”.
In this case some advice would tell you to make it complex and therefore far harder to guess. Take the password and add a number and a symbol to it. We’ll use the number 5 and the dollar symbol ($), so “dagfcg” becomes “5dagfcg$”. Instantly you have a harder-to-guess password (for a human or computer) and it is now 8 characters long, which is at least better than 6! The next technique takes a different approach and favours length over complexity.

Length:

The average password is often between 6 and 9 characters long and (hopefully) contains a mix of letters, numbers and symbols. The ‘complex’ method above, used in isolation with short passwords (under 12 characters), actually proves to have limited effectiveness in keeping your accounts and computers secure. Because of the huge scale at which passwords are attacked and guessed by computers these days, it is important that passwords are also longer (at least 12 characters).
This presents a problem: while our example of “dagfcg” was easy to remember (book, film and TV show), we would need to add twice as many memorable things to our password method to meet the 12-character minimum. Fortunately, while short passwords should NEVER contain simple words or sequences of numbers (like ‘Batman’ or ‘123456’), longer passwords can have simple words strung together, which actually creates a long and strong password.
Using our example, “dagfcg” could become something like “DataFightGrimm”, which is 14 characters, easy to remember and meets our requirement of 12 characters or more. A computer could easily guess any of those words in isolation as a password, but together they create a unique and very hard-to-crack password.

Complexity & Length:

Having a simple long password which is easy to remember is better than the earlier short but complex one. However, to really ensure your password is secure it should incorporate both techniques. Taking what we have learned from each, we could create a password like this: “5DataFightGrimm$”. This password is 16 characters long and contains lower- and upper-case letters, a number and a symbol. This is the ideal type of password, because you can easily recall the primary words (just think: favourite book, film and TV show) and then remember that you started it with a number five (5) and ended it with a dollar symbol ($).

We have now created a great-looking password; however, we have a new problem. If we use it on every website and service, any one of those sites being compromised leaks the password for all of them. Now, this ‘shouldn’t’ ever happen, but it does. Whether it’s Evernote or Target, these companies cannot guarantee that the database containing your complex and long password won’t make its way onto the internet via some hacker forum. Therefore we need a way to ensure we use a different password for every website or service. With many online users having hundreds of accounts, it would be highly challenging to apply the above methods to each one while maintaining complexity and length.

Therefore we use a variation technique, which works like this. You take your ‘root’ password, which should be both long and complex (just like ours above), and add a slight variation for every account you have. An example for the BBC website would look like this: “5DataFightGrimm$BBC”, or like this for Twitter: “5DataFightGrimm$TWIT”. This ensures your password is still easy to remember, because you have one ‘root’ password with slight variations based on the account you’re logging into. All you need to do is say the name of the service or website in your head and you know the additional letters at the end of your password. You could also place them at the start or in the middle of the password. As long as your method is consistent you can have hundreds of variations of your password and still be able to remember each one when you need it.
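As an added example (written for this page, not part of the original post), the Python calculator below puts numbers on the “length first” argument using the post’s own passwords. It models two attackers: one that brute-forces every character knowing only the length and character classes, and one that knows the password is built from dictionary words. The guess rate and the 10,000-word dictionary size are assumptions. It also shows what the per-site suffix of the variation technique adds under the brute-force model.

```python
import math
import string

# Character classes the post's examples draw from.
CLASSES = (
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def charset_size(pw):
    """Alphabet an attacker must cover to include every character class the password uses."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in pw))


def brute_force_bits(pw):
    """log2 of the search space when the attacker knows only length and character classes."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(words, dictionary_size):
    """log2 of the search space when the attacker knows it is `words` words from a dictionary."""
    return len(words) * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate, in years."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Assumed attacker capability and dictionary size for the printed comparison.
GUESSES_PER_SECOND = 1e9
DICTIONARY_SIZE = 10_000


def report(pw):
    """Summarise one password under the brute-force model."""
    bits = brute_force_bits(pw)
    return {
        "password": pw,
        "length": len(pw),
        "charset": charset_size(pw),
        "bits": round(bits, 1),
        "years": years_to_exhaust(bits, GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    for pw in ("dagfcg", "5dagfcg$", "DataFightGrimm", "5DataFightGrimm$"):
        print(report(pw))
    # The three-word form is much stronger than "5dagfcg$" against brute force, but an
    # attacker who guesses word combinations faces only this much search space:
    print("3 dictionary words:",
          round(wordlist_bits(["Data", "Fight", "Grimm"], DICTIONARY_SIZE), 1), "bits")
    # The variation suffix adds three brute-force characters. Because it is derived from
    # the site name, anyone who has seen one variant can infer the others, so treat the
    # extra bits as protection against blind guessing only, not against a leaked variant.
    print("suffix adds:",
          round(brute_force_bits("5DataFightGrimm$BBC") - brute_force_bits("5DataFightGrimm$"), 1),
          "bits")
```

Running it shows “dagfcg” at about 28 bits, “5dagfcg$” at about 49, “DataFightGrimm” at about 80 and “5DataFightGrimm$” at about 105: adding eight characters of plain letters did more than adding a digit and a symbol, and the combined form keeps a comfortable margin even under the word-combination model.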


There are two primary lessons to remember:

  • Length First, Complexity Second:
    Although complexity does boost the security of a password, the length of a password is of greater importance, specifically ensuring the length is 12 or more characters.
  • Use Variation
    Never use the same password (strong or not) on multiple websites; you don’t know what they are doing with it or whether it is stored safely. Therefore use a variation of your ‘master’ or ‘root’ password on each site by adding letters, acronyms or syllables to the password for each account.

Note: This was first authored (by myself) for a small blog/project which is now shut down and I wanted to keep the content.