Wednesday, May 13, 2020

InfoSec and Overall Pandemic Observations and Predictions

I’ve been noticing many changes in InfoSec, and just overall, which has led me to some predictions I thought would be fun to share and then come back to later to see how I did.

Your feedback on mine, and your own observations and predictions, are most welcome.

Note: These are uncertain times (if you couldn’t tell from almost every single TV ad on air right now), so it isn’t a good time to try to predict anything; therefore all or most of the predictions may be wrong.

InfoSec Observations
  1. While the InfoSec job market was on fire before this, it does not seem to be immune to the hiring freezes being put into place.
  2. Many companies’ leadership don’t see InfoSec as critical for survival, and see it as an area that can be looked at to cut costs when in survival mode.
  3. Many InfoSec people are taking on non-security IT functions and those are given a higher priority than their typical security duties.
  4. Criminals, who have always leveraged news cycles and disasters for attacks, are going all in on this one. Many are more advanced, using new WFH procedures, or leadership needing to make some important decisions or announcements, as the lure without referencing COVID-19 directly. Overall, phishing attacks seem way up to me, and more advanced.
  5. Vendor cold emails/calls/LinkedIn requests are through the roof! It feels like the week after RSAC every week.
  6. Virtual vendor gatherings aren’t very appealing, especially after several video conferences for work. Even if I really like the person and/or product, it is still an optional evening video conference meeting after a day of them.

InfoSec Predictions
  1. Compromises are going to go way up in 2020 due to InfoSec hiring freezes, added IT duties, and layoffs.
  2. The InfoSec job market won’t be as hot at the end of this as it was before it started, but it won’t be bad either. I’m guessing closer in line with IT overall.
  3. There will be a push to ensure InfoSec is seen as more critical and can’t be taken over by non-security-related IT duties again. I think moving InfoSec out of IT will become more common, and regulators will start mandating it.
  4. InfoSec software/service spend will go down in 2020 instead of up, and many companies in that space won’t survive.
  5. The InfoSec software/service companies that will do well are the ones that offer high value for the price and can be directly tied to headcount reduction.
  6. The InfoSec software/service companies that will do the worst are the ones that relied on a sales approach that primarily involved steak dinners and drinks with prospects, and the ones that need a team of people at the client to manage their product to get value out of it.

Overall Observations
  1. Working from home has changed for everyone, even people who worked from home often before. Video is more common and frequently expected where before conference calls were the norm.
  2. Disposable gloves are now on par with plastic bags randomly on the ground and in the weeds.
  3. Restaurants are switching over to all one-use items, and stores don’t allow reusable bags, so the amount of recycling/garbage from shopping has gone way up.
  4. Kids are fishing again.
  5. Everyone is enjoying movies at home, the content we have access to is amazing and it looks great.
  6. Unsupervised kids/teenagers outside aren’t social distancing, or I’m old, or both.
  7. People in rural communities are going back to normal and see this as an urban issue.

Overall Predictions
  1. Jobs that can be done remotely will continue to largely be done remotely forever. The WFH genie is out of the bottle. People will pick careers based on being able to work from home and will expect it.
  2. The Internet is officially a critical service. And with the ability to remote learn and work, rural communities can attract more people and increase their property values if they have fast reliable Internet and I think many will work on that.
  3. Biodegradable is going to start taking over from recyclable and reusable. Those gloves on the ground, one-use menus, bags, food containers, etc. It is simply going to be too much to recycle or put in the trash, and we aren’t allowed to use reusable items. We are going to need to figure out how to make more things biodegradable.
  4. Fishing is going to enjoy a surge in popularity long term.
  5. Kids who thought TVs are for old people will start appreciating larger screens at home.
  6. Movie theaters are toast, people are going to expect their content at home streamed to them.
  7. I think we are going to see a spike in cases in rural areas and in kids/teenagers which will impact everyone before this is over and will likely cause schools to not open in the fall.

Tuesday, February 4, 2020

Keep Technology Away from Voting Part 2

More info has come out. The makers of the app are Shadow Inc.

LinkedIn shows them as a 2-10 person company:

All 10 people appear to be on LinkedIn:

Notice the titles. No infrastructure (cloud or otherwise) or security in them. To be fair, the CEO, COO, and CTO all appear to have very technical backgrounds and I'm guessing are smart people. In fact I bet they are all smart people. But all three have development/coding backgrounds primarily.

They are hiring a front-end engineer and a WordPress engineer:

Cloud infrastructure is still infrastructure, networking is networking, and security for all is still critical and can't be left up to your cloud hosting provider to figure out for you.

So far, just wow. We will see what else we learn, too early to judge yet, but so far it doesn't look good.

Keep Technology Away from Voting

I'm posting this in the middle of the "total meltdown" of reporting of the Iowa caucus 2020. Still a lot is left to be seen and learned about this issue. But as both a security and technology professional for roughly 25 years I want to say this:

Stop trying to use technology for voting!

No credible cyber-security expert who doesn't have a conflict of interest thinks putting any part of how we vote or record votes online is a good idea. Any part of our voting system that is connected to the Internet will be attacked by state actors. Protecting against state actors is really hard. The most common successful approach to defending systems against state actors, when you know they will be attacked, is to not connect them to the Internet! Trying to protect them while leaving them connected is likely not possible, and it also adds huge complexity, which brings us to the next topic.

Technology is hard. All experienced Infrastructure and AppDev people know this. There are more things that can go wrong than you can imagine, and they all do eventually. And if Microsoft can have a major outage because of a certificate expiring, what do you think the odds are that the small companies working on systems for voting can do everything perfectly? The more complex a system is, the harder it is to get it right and keep it from having outages or problems. The more security you try to add to something, the more complex you make it. It is too early to tell with this issue, but I wouldn't be surprised if we eventually find out their attempt to keep this system secure helped cause the outage or problems they ran into last night in Iowa. For example, ensuring systems aren't shared in the cloud might have prevented them from being able to quickly scale out when they ran out of resources.
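The expiring-certificate outage mentioned above is the kind of failure that is easy to catch ahead of time and still takes down big services. Here is an added example, not part of the original post, of the check a defender runs to catch it: a POSIX shell script using only the openssl command line. The self-signed certificate it creates is a throwaway constructed for the demo, and the CN example.invalid is a placeholder; point cert_expires_within at a real certificate file and a warning window in days to use it for real.

```shell
#!/bin/sh
# Added example (not from the original post): certificate-expiry monitoring with
# the openssl CLI. The cert generated below is a constructed throwaway so the
# script runs offline; replace it with the certificate you actually serve.

# make_test_cert CERT KEY DAYS: create a self-signed cert valid for DAYS days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -days "$3" -subj "/CN=example.invalid" >/dev/null 2>&1
}

# cert_expires_within CERT DAYS: return 0 (true) if the cert expires within
# DAYS days, i.e. an alert should fire; return 1 if it is good beyond that.
# `openssl x509 -checkend N` exits 0 when the cert will NOT expire within N
# seconds and non-zero when it will, so the sense is inverted here.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    else
        return 0   # expires inside the window
    fi
}

# report CERT DAYS: one human-readable line, including the notAfter date.
report() {
    enddate=$(openssl x509 -in "$1" -noout -enddate)
    enddate=${enddate#notAfter=}
    if cert_expires_within "$1" "$2"; then
        echo "WARNING: $1 expires within $2 days (notAfter=$enddate)"
    else
        echo "OK: $1 valid beyond $2 days (notAfter=$enddate)"
    fi
}

# Demo: a 5-day cert trips a 30-day warning window but not a 1-day one.
tmp=$(mktemp -d)
make_test_cert "$tmp/demo.pem" "$tmp/demo.key" 5
report "$tmp/demo.pem" 30
report "$tmp/demo.pem" 1
rm -rf "$tmp"
```

Run this from cron (or your monitoring agent) against every certificate you serve, with a window longer than your renewal process takes; the point is that the alert fires while there is still time to renew, not after the outage.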


  • Anything attached to the Internet that has anything to do with US voting will be attacked by state actors
  • Protecting from this threat is somewhere between hard and impossible, and trying will add complexity to the system
  • Complexity is the bane of all technology and makes outages and issues more likely
  • Therefore even if not successfully attacked, outages and issues should be expected due to this complexity
  • Which means we really should keep voting and vote recording systems offline, and use as little technology as possible for the time being