Stilgherrian (@stilgherrian)

Wentworth Falls NSW AU

The below is an off-site archive of all tweets posted by @stilgherrian ever

August 23rd, 2016

intelwire Twitter an excellent venue to find quality people who should be allowed access to your entire life twitter.com/davidfrum/stat…

via Twitter Web Client (retweeted on 11:18 PM, Aug 23rd, 2016 via Tweetbot for iOS)

It probably seemed like a good idea at the time… pic.twitter.com/h6ebi2H1RC

via Twitter for iPhone

@dobes It doesn’t get the probe unless it fills in the survey.

via Tweetbot for iOS in reply to dobes

I suppose I should wander over to the @zdnetaustralia office, assuming it’s safe to do so.

via Tweetbot for iOS

Dear God that is all kinds of wrong.

via Tweetbot for iOS in reply to stilgherrian

This is why you all need to be more careful, people. twitter.com/dobes/status/7…

via Tweetbot for iOS

@jpwarren I did. But can’t think of another pun so that’s pretty much the end of that.

via Tweetbot for iOS in reply to jpwarren

@jpwarren Although I encountered a digital risk the other day when slicing carrots.

via Tweetbot for iOS in reply to jpwarren

@jpwarren Some folks I spoke to thought that, yes, we already have a risk management structure so why add a digital one.

via Tweetbot for iOS in reply to jpwarren

Here ends the Gartner Security & Risk Management Summit 2016. Thank you linesmen. Thank you ballboys.

via TweetDeck

SwiftOnSecurity Based on what I hear, pretty sure dial-up is the only thing online in Australia. twitter.com/eevblog/status…

via Twitter for iPhone (retweeted on 5:02 PM, Aug 23rd, 2016 via TweetDeck)

Byrnes says Gartner is commonly asked to explain to the Board what their CISO just said.

via TweetDeck

I’ve got a lot of time for Christian Byrnes, but Net Promoter Score is some high-grade bullshit.

via TweetDeck in reply to stilgherrian

Really? The Digital Risk Officer will talk NPS? Kill them. Kill them all. pic.twitter.com/aEYWMXoG2F

via Twitter for iPhone

@burgotastic The Digital Risk Officers will create so many new risks by just waving their fingers.

via TweetDeck in reply to burgotastic

“I’m not saying this is what they do. It’s just what the law requires.” [Smirk.]

via TweetDeck in reply to stilgherrian

“Uncoordinated risk management will itself be a risk.” See requirements for US power grids.

via TweetDeck

MitchellBrendon “My wife and I get fresh credit cards every 3 months” that’s how bad it is out there @cbyrnes

via Twitter for iPhone (retweeted on 4:44 PM, Aug 23rd, 2016 via TweetDeck)

Elapsed time from incident to regulation can be very short. pic.twitter.com/YWVmMRQ3K3

via Twitter for iPhone

Byrnes says digital risks are only faced by people “with something rare, like a credit card.” [Smirks.]

via TweetDeck

MitchellBrendon “The first orgs to be hit will be hospitals!” “Attacks are going to endanger human life” @cbyrnes pic.twitter.com/7alUj1Rrkq

via Twitter for iPhone (retweeted on 4:40 PM, Aug 23rd, 2016 via TweetDeck)

“Digital attacks with physical impacts are no longer a novelty,” but CISOs haven’t been asked to deal with these risks.

via TweetDeck

“The [infosec] risks we face in the next five years will be greater than we’ve had in our entire careers.” — Christian Byrnes.

via TweetDeck

Example: Smart electrical outlets taken over and turned into a botnet for [internal?] DDoS attack. Cute.

via TweetDeck

More emphasis from Byrnes on OT security flaws enabling orgs to be shut down. Elevators, electrical outlets, aircon etc.

via TweetDeck

Hmmm. I thought I’d written about that 2015 model, but apparently not.

via TweetDeck in reply to stilgherrian

Here’s Gartner’s 2015 addition to that model. pic.twitter.com/zUqSlQdEHv

via Twitter for iPhone

Byrnes is running through Gartner’s scenario planning from 2013. Here’s how I wrote it up then. cso.com.au/article/524934…

via TweetDeck

Closing keynote now: “Security 2020 — the Future of cybersecurity” with Christian Byrnes.

via TweetDeck

That’s a paraphrase ‘cos I was just settling into the room as Prof MacLeod was finishing his presentation.

via TweetDeck in reply to stilgherrian

“Spearphishing works best against orgs where the leaders create a culture of never questioning the leaders.” Prof Andrew MacLeod

via TweetDeck

OH: “You’ll need to retrofit middle management,” which is a glorious euphemism I reckon.

via Tweetbot for iOS

Rob_Stott Hey now the Greens aren’t that bad pic.twitter.com/N0UX2WXxqK

via TweetDeck (retweeted on 4:08 PM, Aug 23rd, 2016 via Tweetbot for iOS)

Can I just say that the at this event is fuckin’ dismal.

via TweetDeck

Damn I could have saved so much time! twitter.com/Styvo51/status…

via Tweetbot for iOS

tauriqmoosa This is literally how all sci-fi horror films start twitter.com/gizmodo/status…

via Twitter for iPhone (retweeted on 2:55 PM, Aug 23rd, 2016 via Tweetbot for iOS)

Sentences like this are much better without context. twitter.com/dobes/status/7…

via Tweetbot for iOS

Just saw a woman who’d made her phone hands-free by sliding it into the folds on the side of her hijab. Neat trick.

via Tweetbot for iOS

@liquidparanoia My understanding is that a proof of concept has been done.

via TweetDeck in reply to liquidparanoia

“Segment your network. Light bulbs should be with light bulbs.”

via TweetDeck

“If the trusted execution environment goes evil, what do we do next? I’m sorry, that’s probably a movie plot.” And yet…

via TweetDeck

@elizabeth_joh “Things are people too,” says Gartner. So yeah, IoT devices become victims of identity theft. Maybe independent of humans.

via TweetDeck in reply to elizabeth_joh

Mobile threat defence might spot sudden increase in battery drain, apps launching in unusual contexts etc.

via TweetDeck

@MateoMGJ “It’s just a drawing…” ;)

via TweetDeck in reply to MateoMGJ

Lance_Bradley The social media manager for @esquire can go ahead and take the rest of the day off. They’re not topping this. pic.twitter.com/Hui1brBS3r

via TweetDeck (retweeted on 2:12 PM, Aug 23rd, 2016 via TweetDeck)

@rashasman This is the whole point of the discussion here. Devices can’t have ALL your authority, just certain bits of it.

via TweetDeck in reply to rashasman

Girard says the auth networks around door locks and aircon and cars are complex. Will anyone want to deal with the complexity?

via TweetDeck

@SwiftOnSecurity Well there’s a question. There’s a bunch of talk here about distributed trust networks.

via TweetDeck in reply to SwiftOnSecurity

Some IoT devices might run on a battery for 10 to 20 years. Example: Someone rewrites your tollroad tag to do… something else.

via TweetDeck

As more than one presenter at has said, “Things are people too.” twitter.com/rashasman/stat…

via TweetDeck

“It claims to be John’s laptop but it might really be a hacked printer pretending to be a laptop.”

via TweetDeck in reply to stilgherrian

Gartner: By 2020, 70% of orgs will treat all endpoints as untrusted, up from 20% today.

via TweetDeck

Is the air conditioning too cold in the office? Just download an Android app that’ll let you take over the HVAC system and turn up the temp.

via TweetDeck

Example: Send malicious PDF to org, when printed it re-flashes printer firmware, printer hacks IP phones, all become audio bugging devices.

via TweetDeck

@voltagex You should equip your wheelchair with those Ben Hur rotating knives for chariot wheels. Many handy uses.

via TweetDeck in reply to voltagex

“I used to not get paranoid about lightbulbs, but now you have to worry about what the lightbulbs are up to.” Prezactly.

via TweetDeck

@voltagex Oh dear. Web 3.0 was supposedly “the semantic web” and it’s not anywhere near being a thing. Kill them.

via TweetDeck in reply to voltagex

What’s the point of soldiers guarding your nuclear power plant if anyone can connect in over the network?

via TweetDeck

Those ICS apps were “download and control your whole factory from your phone” things and not at all a risk, no siree.

via TweetDeck in reply to stilgherrian

In the last year, 70% of IoT devices had no encryption. ALL Android ICS apps were vulnerable. 3.4 million cars have major vulns.

via TweetDeck

Girard reckons mobile security and IoT security are extensions of each other.

via TweetDeck

Next up for me: “How Digital Business Reshapes Mobile Security” with John Girard.

via TweetDeck

@marcuskelson @MelbourneGeek We just have to find our fun where we can.

via TweetDeck in reply to marcuskelson

LukewSavage Using complex calculations, Trudeau explains how it’s possible to be a feminist while selling arms to Saudi Arabia. pic.twitter.com/FJHfkmhSu0

via Twitter Web Client (retweeted on 1:35 PM, Aug 23rd, 2016 via TweetDeck)

StephenAtHome Farewell, @Gawker. Hope some other website will step up and finally publish my nudes.

via TweetDeck (retweeted on 1:34 PM, Aug 23rd, 2016 via TweetDeck)

The CISO stream is only part of what happens. Vendors need to explain how they help with the strategy. twitter.com/MelbourneGeek/…

via TweetDeck

@JohnBarronUSA Well as you know, I am a terrible human being…

via TweetDeck in reply to JohnBarronUSA

Imagine the action that might have taken place on this beauty. twitter.com/JohnBarronUSA/…

via TweetDeck

If we’re still having to tell people to do this basic stuff then we really are screwed.

via TweetDeck in reply to stilgherrian

So how long have we all been hammering these things now? pic.twitter.com/Xhn98XApba

via Twitter for iPhone

State-sponsored threats are just a normal part of the landscape now. pic.twitter.com/nBIO9ZORlp

via Twitter for iPhone

@tobyhede All PowerPoint is excellent, but yes this one is more excellent than most.

via TweetDeck in reply to tobyhede

“Hands up who knows someone who’s been affected by ransomware?” About 80% of people raise their hands.

via TweetDeck

I let the river wash over me. I am at one with The Message. And later I shall drink. Heavily. But not of the river. twitter.com/Beaker/status/…

via TweetDeck

Window from a vulnerability being announced to being exploited was average 45 days in 2006, 15 days now.

via TweetDeck

@jdub Yeah I was kinda wondering what he was getting at there.

via TweetDeck in reply to jdub

Gartner: Through 2020, 99% of vulnerabilities being exploited will have been out there for a year or more.

via TweetDeck

Threat trends: Multi-vector, low and slow, targeted, evasive, low tech / phishing, monetised, nation state.

via TweetDeck

Bussa has said “data exhaust” a couple of times. I’m thinking “big data” could be seen as pollution, especially for privacy.

via TweetDeck

@elronxenu Indeed, and I made this very point at AusCERT two years ago. “Look, I know genocide has a bad reputation, but…”

via TweetDeck in reply to elronxenu

I like the idea of “Responsible Citizen IT”. pic.twitter.com/3qwXPgrbHJ

via Twitter for iPhone

Containerisation was just referred to as “the Wild West” in terms of standards. “It’s not 100% Docker (yet).” [Smirk.]

via TweetDeck

Gartner: Through 2017, SaaS use in 75% of organisations will be dominated by untracked / shadow IT.

via TweetDeck

@MelbourneGeek Some of us are, um, late filing our tax documents, so it’s perennial I’d have thought.

via TweetDeck in reply to MelbourneGeek

The strategic trends, all of which have security implications. pic.twitter.com/sRnY6SjTcK

via Twitter for iPhone

Gartner: 86% of senior IT/business pros believe there’s a cybersecurity skills shortage. [Feels are not facts, though.]

via TweetDeck

Gartner: By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.

via TweetDeck

Application security is still “improvisational”. And development is rubbish, imo. pic.twitter.com/DFbu27pOOM

via Twitter for iPhone

Most common email phishing lures. The bad guys A/B test these. pic.twitter.com/PAu5dBuUQL

via Twitter for iPhone

Surprise! Users are still the weakest link. pic.twitter.com/M7R5Fh9gA1

via Twitter for iPhone

jackdrat lol you can’t take online threats seriously pic.twitter.com/THPs3fzyjl

via TweetDeck (retweeted on 11:03 AM, Aug 23rd, 2016 via TweetDeck)

Next for me: “State of the Threat Environment 2016” with Toby Bussa

via TweetDeck

johnb78 Everyone who meets Nick Cater should call him “Dick Carter” and then say “whevz loser” when he corrects them twitter.com/TimWattsMP/sta…

via Twitter for Android (retweeted on 10:44 AM, Aug 23rd, 2016 via Tweetbot for iOS)

Oh look! An arsehat organisation using an arsehat word match to do arsehat unfocused spam. Yeah fuck off. twitter.com/fitness2vufree…

via Tweetbot for iOS

What to do about cloud security when you get back to your desk. pic.twitter.com/dbwW6tYx6l

via Twitter for iPhone

Gartner’s strategic assumption: By 2022 the exceptional scenario won’t be “cloud computing” but “local computing”.

via TweetDeck

Most orgs are out of the first column and now working on the second. Column 3 may still be too hard. pic.twitter.com/mWUfNnF8QL

via Twitter for iPhone

Riley says some orgs have fights over who operates the control panel for SaaS. Often it’s business units, not IT/security teams.

via TweetDeck

@jdub There is that. Presentations seem to be reinforcing the basics of how you can best use cloud. There’s apparently also corp politics.

via TweetDeck in reply to jdub

What Gartner’s clients are asking for in SaaS providers. pic.twitter.com/IZML0uiWRr

via Twitter for iPhone

@GTRoberts His hair is still a bit spikey, but I suspect there’s quite a bit less coverage than you may remember.

via TweetDeck in reply to GTRoberts

Nice term, “control panel fatigue”, because we have “too many point security products”.

via TweetDeck

We’re seeing tools emerging that help integrate security into the DevOps cycle, apparently. pic.twitter.com/JG5cnhTZBW

via Twitter for iPhone

This is what Gartner’s clients are asking for in IaaS providers. pic.twitter.com/7zvRqypwMT

via Twitter for iPhone

Once more it’s about risk-based decisions. pic.twitter.com/pRUGSUVPku

via Twitter for iPhone

Gartner’s view of how cloudsec will evolve. pic.twitter.com/56MMVLwKxq

via Twitter for iPhone

The three tiers of cloud service providers. pic.twitter.com/LeyN0akmvX

via Twitter for iPhone

@GTRoberts Yep, he’s wandering around the floor rather than on stage, and it’s conversational.

via TweetDeck in reply to GTRoberts

Some kinds of security transparency are more useful than others. pic.twitter.com/iRlB6MoltZ

via Twitter for iPhone

If customers keep demanding more transparency, cloud providers will have to come up with the goods. Keep asking, says Riley.

via TweetDeck

peproctor This is manifestly not true. pic.twitter.com/GUGrr3dmLy

via Twitter for iPhone (retweeted on 9:23 AM, Aug 23rd, 2016 via TweetDeck)

1. Control phishing on endpoints. 2. Manage your accounts. 3. Monitor cloud activity.

via TweetDeck in reply to stilgherrian

So your greatest risk here is poor credential management. pic.twitter.com/oLWPtxqe0d

via Twitter for iPhone

This is the first of Gartner’s position statements on cloud security. pic.twitter.com/TghP4dng0K

via Twitter for iPhone

And now it’s that now-old message that “They have more money [for security] than you do.”

via TweetDeck

Riley says it’ll be easier to demonstrate security compliance with a public cloud provider than with your private cloud.

via TweetDeck

One of the biggest worries is about multi-tenancy, but check the news and you’ll see no problems related to multi-tenancy.

via TweetDeck

Gartner figures show that security and privacy concerns are still what keeps organisations from using public cloud services.

via TweetDeck

Riley suggests auditing your organisation’s proxy logs. You’ll probably find 100 to 1000 SaaS services being used.

via TweetDeck in reply to stilgherrian

Riley: “If you’re still paying for it when it’s turned off, then it isn’t cloud.”

via TweetDeck

Interesting point about different definitions and understanding here. pic.twitter.com/uNEfa7boZw

via Twitter for iPhone

First up for me today: “State of Cloud Security 2016” with Steve Riley.

via TweetDeck

It’s Adelaide. They were shocked that the axe was only used on a bicycle. twitter.com/BrettClappis/s…

via Tweetbot for iOS

NO I DON’T WANT CHOCOLATE CROISSANTS I WANT SOMETHING WITH BACON IN IT.

via Tweetbot for iOS

No this can’t be right. There must be some sort of mistake. twitter.com/dannolan/statu…

via TweetDeck

Tue plan: 0900 Gartner Security & Risk Management Summit, Day 2 gartner.com/events/apac/se… ; haircut; @zdnetaustralia video shoot.

via TweetDeck in reply to stilgherrian

@semanticwill @wine_o_phile @davidjbland True enough. And much as I love visiting San Francisco… etc.

via TweetDeck in reply to semanticwill

@wine_o_phile @semanticwill @davidjbland The whole “in a mansion” thing is reinforcing the idea that thought leadership is related to money.

via TweetDeck in reply to wine_o_phile

@wine_o_phile @semanticwill @davidjbland Actually I’d like to see them in a tent in rural East Africa with no electricity or running water.

via TweetDeck in reply to wine_o_phile

semanticwill What could possibly go wrong???? twitter.com/davidjbland/st…

via TweetDeck (retweeted on 7:01 AM, Aug 23rd, 2016 via TweetDeck)

VirtualTal Ladies & gentlemen, meet your new CMO, @ChuckTingle - amazon.com/Starting-Busin…

via Twitter Web Client (retweeted on 6:57 AM, Aug 23rd, 2016 via TweetDeck)

@garystark But remember too that @R_Chirgwin is a suppository of wisdom.

via TweetDeck in reply to garystark

@garystark Look haemorrhoids are basically @R_Chirgwin’s organising principle for life.

via TweetDeck in reply to garystark

andreasdotorg AWACS tired. AWACS beach holiday! twitter.com/ExpertDefense1…

via Twitter for Android (retweeted on 6:48 AM, Aug 23rd, 2016 via TweetDeck)

“When Women Stopped Coding”, @planetmoney Oct 2014. npr.org/sections/money… [It came up in conversation yesterday.] pic.twitter.com/M8aVDBKFuk

via TweetDeck

msuiche A friend working for a Firewall company took this picture at the office today pic.twitter.com/RZPySNaZXg

via Twitter for iPhone (retweeted on 6:27 AM, Aug 23rd, 2016 via TweetDeck)

All my tweets from Monday (and all the others too) are at stilgherrian.com/twitter/2016/0…, should anyone care.

via TweetDeck

Tue plan, supplemental: Somewhere in there we should probably figure out what these @zdnetaustralia videos will actually contain.

via TweetDeck in reply to stilgherrian

Tue plan, draft: 0900 Gartner Security & Risk Management Summit, Day 2 gartner.com/events/apac/se… ; @zdnetaustralia video shoot.

via TweetDeck

Tuesday. The more you poke at it, the more it’s likely to fall over. Tuesday

via Tweetbot for iOS