From the Winter 2024 Issue

Avoiding Phantom Risk – Chasing Exploitability, Not Vulnerability

Author(s):

Alex Haynes, CISO , IBS Software

The gravest warning a pen test report can contain is the words “The host may be vulnerable to remote code execution”. It is hard to know what that immediately means. Did they get system access on a host? Nope. Was there a public exploit available for that version of software that enabled remote code execution? …

From the Winter 2024 Issue

QKD versus PQC: A Quantum Showdown? Part 2

Author(s):

Hilary MacMillan, EVP for Engineering, CyLogic

This is part two of a two-part article on secure key distribution in a post-quantum world. Part one focused on Quantum Key Distribution (QKD) as a method to securely distribute encryption keys. This article will focus on Post-Quantum Cryptography (PQC), which seeks new quantum-resistant (i.e., hypothesized, but not proven, to be secure against quantum attack) cryptographic …

From the Winter 2024 Issue

QKD versus PQC: A Quantum Showdown? Part 1

Author(s):

Hilary MacMillan, EVP for Engineering, CyLogic

The need for communications confidentiality has existed since humans developed language. Accounts of the Greco-Persian wars in the fifth century B.C. described steganography (hiding the existence of a message). Cryptography, on the other hand, hides a message’s meaning. The cryptographic task of encryption enables a sender to “scramble” a message’s content, rendering it unreadable to anyone …

From the Summer 2021 Issue

Addressing Malicious Websites Through Human Security Engineering

Author(s):

Ira Winkler, CISSP, CISO, Author, Skyline Technology Solutions

In the Spring 2021 issue of the United States Cybersecurity Magazine, “Human Security Engineering: A New Model for Addressing the ‘User Problem’”, I highlighted the strategy of Human Security Engineering to address User Initiated Loss (UIL). To summarize briefly, UIL is the concept that a user does not actually create a loss, but may …

From the Spring 2021 Issue

Safety Or Simplicity? The Costs Of Convenience In Our Connected Life

Author(s):

Justin Petitt, Director, Cybersecurity Center of Excellence, Edgewater Federal Solutions

Larry Letow, CEO, U.S., CyberCX

Modern technology advancements are placing consumers into uncharted territory, granting limitless access to the internet and its benefits in varied and unique ways. From smart homes that automate key tasks, to the continued evolution of internet technologies that make activities such as banking, shopping, and connecting with peers easier, there has never been a more …

From the Spring 2021 Issue

Human Security Engineering: A New Model for Addressing the “User Problem”

Author(s):

Ira Winkler, CISSP, CISO, Author, Skyline Technology Solutions

Despite best efforts, the cybersecurity profession has yet to adequately handle what people refer to as “The User Problem”. A user will inevitably click on a phishing link. A user will inevitably fall prey to a social engineer. A user will click on a malicious web link. A user will accidentally email …

From the Spring 2021 Issue

Radio Frequency Operations and Training From a Virtually Different Point of View

Author(s):

Rick Mellendick, Chief Security Officer, Process Improvement Achievers, LLC

Radio Frequency (RF) security, sometimes called wireless security, is much more than just WiFi. Over the past few years, there has been rapid growth in WiFi training courses, but very few that specialize in RF defensive and operational preparation. The usable RF spectrum for data exfiltration typically runs from around 10 MHz through nearly 12 GHz, …

From the Winter 2021 Issue

DevOps Automated Governance

Author(s):

John Willis, Senior Director, Global Transformations Office, Red Hat

In the Spring of 2019, several organizations worked together to create a forum paper called DevOps Automated Governance.[1] The paper intended to create a reference architecture around Governance, Risk, and Compliance (GRC) and an automated process, while simultaneously building on some of the successful DevOps software delivery patterns (e.g., CI/CD, pipelines, software supply chains). …

From the Winter 2021 Issue

Zero-Knowledge Proofs, D-Day, and the Promise of Trustable Software

Author(s):

David W. Archer, PhD, Principal Scientist, Niobium Microsystems and Galois, Inc.

An old proverb tells us, “You know nothing until another knows you know it.” Sometimes, though, you don’t want that someone to know sensitive details, just the “fact of.” For example, take April 1942. In two months, Operation Overlord would invade Germany’s “Fortress Europe.” The Allies’ deception operation, Fortitude South, following a strategy …