cydia 现实没有网络
最近更新 (Recent Updates)
- 2020/04/27: Added a list of recommended Security RSS blogs and newsfeeds. 2020/04/27:添加了推荐的安全RSS博客和新闻源的列表。
- 2020/04/28: Added a list of recommended Security mailing lists. 2020/04/28:添加了建议的安全邮件列表的列表。
欢迎来到现实世界网络安全博客! (Welcome to the Real World Cyber Security Blog!)
Einstein allegedly defined insanity as “doing the same thing over and over again and expecting different results.” Well, in information security and cybersecurity, we’ve sure been doing a lot of “the same old thing” over and over again, but we continue to get hacked. I guess we’re insane then, because we expect that what we’re doing will keep us from getting breached, but it doesn’t. Yet, we keep doing more and more of it and expecting different results. Insanity? You betcha!
据称,爱因斯坦将精神错乱定义为“一遍又一遍地做同一件事,并期望得到不同的结果。” 好吧,在信息安全和网络安全方面,我们确实一遍又一遍地做了很多“相同的旧事”,但是我们继续遭到黑客攻击。 我想那时我们疯了,因为我们希望我们所做的事情能够防止我们受到侵犯,但事实并非如此。 但是, 我们将继续做越来越多的事情,并期待不同的结果。 疯狂? 完全正确!
A few years ago, what we consider today to be a minor breach would have been headline news. Breaches have become so common that most major ones are relegated to being buried somewhere deep inside the business section of the newspaper, with only the truly monumental ones making headlines. And, the breaches keep coming, and coming at a seemingly increasing pace, each one more significant, more damaging, and more costly than the previous. Yet, we keep doing the same old things to try to prevent the hacks. Either we are actually insane, or there is something seriously wrong with what we are doing and our thought processes behind it. I choose to believe the latter.
几年前,我们今天认为是次要的违规行为已经成为头条新闻。 违法行为变得如此普遍,以至于大多数主要违法行为被降级到埋葬在报纸商业版块的深处,只有真正具有纪念意义的违宪行为才成为头条新闻。 而且,违规行为不断出现,并且似乎以越来越快的速度在不断发展,每一个漏洞都比以前的漏洞更加严重,破坏性更大,成本更高。 但是,我们一直在做同样的事情,以防止黑客入侵。 要么我们实际上是疯了,要么我们正在做的事情以及背后的思维过程存在严重错误。 我选择相信后者。
That’s what this blog is about: What we are doing wrong in security and how we need to fix it. Looking at the problem from 65,000 feet, I see two fundamental problems: First and foremost, we are trying to treat cybersecurity problems as though they are information security problems; second, we are basing much of our security thought processes on outdated premises. Yes, there are numerous other issues we face, but until we address those fundamentals, we have no hope.
这就是本博客的主题: 我们在安全方面做错了什么以及我们需要如何修复它。 从65,000英尺的高度看问题,我看到两个基本问题:首先,也是最重要的是,我们试图将网络安全问题看作是信息安全问题。 第二,我们将许多安全思想流程建立在过时的前提下。 是的,我们还面临许多其他问题,但是在我们解决这些基本问题之前,我们没有希望。
So, let’s briefly think about those two points.
因此,让我们简要考虑一下这两点。
First, too many security problems are caused by too narrow of a view of security, such as treating all security problems as information security problems, resulting in the failure to identify the actual security gaps associated with threats. Information security focuses on the protection of information, whereas cybersecurity focuses on the protection of everything connected by some network to something else on some network, including the networks themselves. Cybersecurity requires both a much broader focus and a somewhat different mindset than information security. These differences in focus and mindset are critical issues that are usually left unaddressed in most organizations.
首先,太多的安全性问题是由于对安全性的看法过于狭窄所致,例如将所有安全性问题视为信息安全性问题,从而导致无法识别与威胁相关的实际安全性差距。 信息安全侧重于信息的保护,而网络安全侧重于保护由某个网络连接到该网络上其他设备的所有事物,包括网络本身。 与信息安全相比,网络安全既需要更广泛的关注,又需要不同的思维方式。 这些重点和思维方式上的差异是关键问题,在大多数组织中通常都无法解决。
And, second, most of the fundamental principles on which we base all security today have changed very little since the 1980s (or earlier). Meanwhile, the scope of what must be secured has vastly increased, and changed from its original information security focus upon which these fundamental principles were developed. Thus, it is long past time that we change our thinking regarding our approach to security — both in terms of what must be protected and how we should go about protecting it.
第二,自1980年代(或更早)以来,我们今天作为所有安全基础的大多数基本原理都几乎没有改变。 同时,必须保护的内容的范围已大大增加,并且已从其最初的信息安全重点转变为这些基本原理。 因此,很长一段时间以来,我们改变了对安全方法的看法,无论是在必须保护的方面还是在如何保护它方面。
We also have one big practical issue we need to address as well: Simply too much of the security we have in place today is “security theater” — that is, measures intended to give the illusion of security while actually doing little or nothing to secure the assets intended to be protected, and potentially making those assets less secure. Every organization has this problem — the only question is how much of its security is real and effective, versus simply theater?
我们还需要解决一个重大的实际问题:我们今天拥有的太多安全只是“安全战区”,也就是说,旨在给安全带来错觉的措施,而实际上却很少或根本没有采取任何措施来确保安全。打算保护的资产,并可能使这些资产的安全性降低。 每个组织都有这个问题-唯一的问题是,与简单的剧院相比,其安全性是多少是真实有效的?
The objective of this blog is to provide some thoughts on what should be considered “security done right.” That is, how do you reduce risk in a cost-effective manner? The objective of both information and cybersecurity should be to first reduce risk to the greatest extent practical. Then, when a breach does occur, to detect it and shut it down as rapidly as possible, and in the process to have collected the information required to determine how the breach occurred, what was infiltrated, what was exfiltrated, and how to prevent a future reoccurrence.
该博客的目的是就应该被视为“正确完成安全性”的问题提供一些想法。 也就是说, 您如何以具有成本效益的方式降低风险? 信息和网络安全的目标应该是首先最大程度地降低风险。 然后,当确实发生违规时,要尽快检测并关闭它,并在此过程中收集了确定违规如何发生,被渗透,被渗透,以及如何防止破坏的必要信息。将来再次发生。
If you are reading this blog in hopes of discovering how to prevent getting hacked, you’re not going to find that information here. In fact, I will go so far as to state that anyone who claims he or she can prevent an organization from getting hacked is either terribly naive or a liar!
如果您正在阅读此博客,希望发现如何防止被黑客入侵,则不会在此处找到该信息。 实际上,我要说的是, 任何声称自己可以阻止组织被黑客入侵的人要么是天真的,要么是骗子!
This blog focuses on cybersecurity but also covers many aspects of traditional information security, and even touches on traditional corporate security as well. It includes both technical and non-technical content, and is oriented towards two different corporate audiences:
该博客不仅关注网络安全,还涵盖了传统信息安全的许多方面,甚至还涉及了传统的公司安全。 它包含技术和非技术内容,并且面向两个不同的公司受众:
- Information security and cybersecurity professionals and their managers, whose responsibility it is to secure the organization’s assets; and 信息安全和网络安全专业人员及其经理,负责保护组织资产的责任; 和
- C-level corporate executives and board members whose responsibility it is to define an acceptable level of security risk; and both to provide strategic direction to the organization’s security professionals, and to provide adequate funding for security. 负责确定可接受的安全风险等级的C级公司高管和董事会成员; 并为组织的安全专业人员提供战略指导,并为安全提供足够的资金。
This blog is written at a level that should be easily understood by anyone with an interest in either information security or cybersecurity, from students and interns through corporate executives and board members, and every security practitioner and manager in between. Please feel free to leave me a note if you have any questions.
对博客感兴趣的人,无论是对信息安全还是网络安全感兴趣的任何人,从学生和实习生到企业高管和董事会成员,以及介于两者之间的每位安全从业人员和经理,都应以易于理解的水平编写此博客。 如有任何疑问,请随时给我留言。
The Blog Index follows in the next sections.
下一节将介绍Blog索引。
Thanks for reading!
谢谢阅读!
Check back regularly for updates.
定期检查更新。
主题:关于安全性的一切知识都是错误的! (Topic: Everything You Know About Security Is Wrong!)
Okay, maybe not everything, but a whole lot of what you think you know about security is probably either wrong, out-of-date, or both.
好的,也许不是全部 ,但是您认为关于安全性的很多知识可能是错误的,过时的或两者兼而有之 。
The biggest problem with cybersecurity is that everything in the field is changing so fast that it is nearly impossible to keep current. In fact, the insider-joke in the industry is that security follows the inverse of Moore’s Law — that is, every eighteen months, half of everything you know is now obsolete. Thus, if you are not continually reading and following security news feeds, and attending courses and conferences at least twice yearly, you are probably falling behind. Security is simply changing that fast, and a lot of what you think you know is now obsolete.
网络安全的最大问题是,该领域中的所有事物变化如此之快,以至于几乎无法保持最新状态。 实际上,业内的一个内部笑话是, 安全性遵循摩尔定律的反面 ,也就是说, 每隔18个月,您所知道的所有事物中就有一半已经过时 。 因此,如果您不连续阅读和关注安全新闻提要,并且至少每年两次不参加课程和会议,则您可能会落后。 安全性正在以如此快的速度变化,您认为很多现在已经过时了。
Welcome to the real world of cybersecurity!
欢迎来到网络安全的现实世界!
Staying current is one problem, and it is definitely a very big problem in the industry. However, probably the most significant problem is that many of the industry’s most fundamental beliefs and principals — which most people in the industry simply take as gospel, and are what I call “security mantras” — are simply incomplete, and/or incorrect, and/or out-of-date. Worse, many of the security industry’s most sacred security mantras are flat out wrong!
保持最新状态是一个问题,那肯定是在同行业中一个非常大的问题。 但是,可能最重要的问题是,该行业的许多最基本的信念和原则(不被该行业的大多数人视为福音,我称之为“安全性口头禅”)只是不完整和/或不正确,并且/或已过期。 更糟糕的是,许多安全行业最神圣的安全宣言完全是错误的!
“What’s wrong with what we think we know about security,” is the focus of this section of the blog.
“我们认为我们对安全性了解的地方出了问题”,是博客本节的重点。
定义网络安全 (Defining Cybersecurity)
If You Can’t Properly Define Cybersecurity, How Can You Know What It Is?It’s clear that the cybersecurity industry hasn’t been able to agree upon what cybersecurity is and isn’t. Even NIST, who is responsible for the definition of technical terms used by the U.S. Federal Government, has four different definitions of cybersecurity! At a minimum, there are dozens of different definitions of cybersecurity currently in use. Nearly all are incomplete in scope, some are horridly wrong, and nearly all fail to differentiate between cybersecurity and its information security cousin.
如果您无法正确定义网络安全,您怎么知道它是什么? 显然,网络安全行业尚未就什么是网络安全还是没有网络安全达成共识。 甚至负责美国联邦政府使用的技术术语定义的NIST,也 对网络安全 有 四个 不同的定义! 至少,当前使用了数十种不同的网络安全定义。 几乎所有人的范围都不完整,有些人犯了严重错误,几乎所有人都无法区分网络安全和它的信息安全堂兄。
安全提供的基本服务是什么? 提示:中央情报局不是答案 (What Are The Fundamental Services Provided By Security? Hint: CIA Is Not The Answer)
The CIA Triad Is Dangerously Obsolete and IncompleteThe CIA Triad (Confidentiality, Integrity, Availability) purports to define the services that are provided by security to defend against threats to an asset being secured. Yet, it only provides defenses for three of the seven widely-recognized categories of security threats. An incomplete definition of the security’s fundamental services means we are also dangerously incomplete in the proper securing of our assets.
CIA Triad危险地过时且不完整 CIA Triad(机密性,完整性,可用性)旨在定义安全性提供的服务,以防御对所保护资产的威胁。 但是,它只能为七种公认的安全威胁中的三种提供防御。 对证券基本服务的不完整定义意味着我们在适当保护资产方面也很危险。
只有两种验证方式 (There Are Only Two Ways to Authenticate)
Why Biometrics Are Not Valid AuthenticatorsMost security courses teach there are three ways to authenticate: “What you know,” “What you have,” and “What you are.” However, authenticators must be revocable and deterministic. Biometrics (“What you are”) are probabilistic and non-revocable. Thus, biometrics cannot serve as a means of authentication.
为什么生物识别技术不是有效的身份验证者 大多数安全课程都讲授三种身份验证方法:“您知道什么”,“您拥有什么”和“您自己是什么”。 但是,验证者必须是可撤销的和确定性的。 生物特征识别(“您是什么”)是概率性的且不可撤销的。 因此,生物特征不能用作认证的手段。
AAA缺少“ I”和“ A” (AAA Is Missing An “I” and an “A”)
(coming soon!)Access control systems are often focused on only authentication, authorization, and accounting, and neglect identification and audit. Even identity and access management systems often neglect the audit aspect of access control. But, this incomplete view of access control can lead to critical security weaknesses.
(即将推出!)访问控制系统通常只专注于身份验证,授权和记帐,而忽略标识和审核。 甚至身份和访问管理系统也经常忽略访问控制的审计方面。 但是,访问控制的这种不完整视图可能导致严重的安全漏洞。
您不应该更改密码 (You Should Never Change Your Password)
Seriously! A Password Should Only Be Changed If There Are Indications Of Its CompromiseThe decades-old practice of changing your password every 30 (or 60 or 90 or whatever) days is lousy security. You should pick a strong password and not change it without a good reason to do so. Passwords shouldn’t be the gatekeeper for logins; rather, it should be a password in combination with a “second factor,” such as an app-generated code or a hardware security token.
认真! 仅在有迹象表明可以妥协 的情况下 才能更改密码 几十年来,每30天(或60或90天或任何其他天)更改一次密码的做法很糟糕。 您应该选择一个强密码,不要在没有充分理由的情况下更改它。 密码不应成为登录的守门员; 相反,它应该是与“第二因素”结合使用的密码,例如应用程序生成的代码或硬件安全令牌。
没有两个因素 (Two Factor Not)
(coming soon!)The good, bad, and ugly of two-factor authentication.
(即将推出!)两因素身份验证的好,坏和丑陋。
单一登录:黑客的梦想成真 (Single Sign-On: A Hacker’s Dream Come True)
(coming soon!)Single sign-on (SSO) without two-factor authentication (TFA) is handing the keys to your kingdom to a hacker. Even with TFA, a bad implementation of SSO can substantially increase your organization’s exposure to identity hijacking.
(即将推出!)没有两步验证(TFA)的单点登录(SSO)会将您的王国的密钥交给了黑客。 即使使用TFA,SSO的错误实施也会大大增加您的组织遭受身份劫持的风险。
“ sudo”和“ runas”不是基于角色的访问控制 (“sudo” and “runas” Are Not Role-Based Access Control)
(coming soon!)
(快来了!)
您称其为安全性要求吗? (You Call That a Security Requirement?)
Proper Requirements Are The First Step To Verifiable SecurityAll too often, organizations lack any appropriate definition of their security requirements. And, the alleged requirements documents that do exist are most likely design specifications, not requirements specifications. Serious security breaches are unavoidable without a proper understanding of what is to be secured and why. That is, serious security breaches are unavoidable without proper security requirements.
正确的要求是可验证安全性的第一步 通常,组织缺乏对其安全性要求的任何适当定义。 并且,据称存在的所谓需求文档很可能是设计规范,而不是需求规范。 如果不正确地了解要保护的内容及其原因,就不可避免地会发生严重的安全漏洞。 也就是说,没有适当的安全要求就无法避免严重的安全漏洞。
您不能使用非对称密码来加密邮件 (You Can’t Encrypt Messages Using Asymmetric Cryptography)
(coming soon!)The most data that an asymmetric cypher can encrypt is several bytes less than the length of its key. What actually occurs when using asymmetric cyphers to encrypt messages is that the asymmetric cypher is used to encrypt the key of a symmetric cypher used to encrypt the message. This blog post gives an inside look at that process.
(即将推出!)非对称密码可以加密的大多数数据比其密钥的长度少几个字节。 使用非对称密码对消息进行加密时,实际上发生的事情是非对称密码用于对用于加密消息的对称密码的密钥进行加密。 这篇博客文章深入介绍了该过程。
互联网不是七层网络 (The Internet Is Not A Seven Layer Network)
RFC1122 Specifies Only Four Layers in The Internet Protocol StackIt is a common misperception that the Internet is based upon the ISO 7-Layer Model. It is not. It is based upon a software protocol stack defined in RFC1122 that has several differences from the ISO specification.
RFC1122仅在Internet协议栈中指定四层。 人们普遍误以为Internet是基于ISO 7层模型的。 它不是。 它基于RFC1122中定义的软件协议栈,与ISO规范有一些差异。
CISSP是初级安全认证 (CISSP Is A Junior-Level Security Certification)
(coming soon!)
(快来了!)
主题:新兴威胁 (Topic: Emerging Threats)
This section of the blog covers those threats which may not be headline issues today, but are bound to be headlines in the near future. It also includes some threats that are here today but are not in the headlines. But, they are serious threats you need to know about.
博客的这一部分涵盖了那些威胁,这些威胁现在可能不是当今的头条新闻,但在不久的将来必将成为头条新闻。 它也包括今天存在但尚未成为头条新闻的某些威胁。 但是,它们是您需要了解的严重威胁。
您可以帮助使互联网更安全,更快捷 (You Can Help Make The Internet Safer And Faster)
A New Tool Detects If Your ISP Has Implemented Route Hijacking MitigationsThe Internet runs on a protocol called BGP, which determines how your data is routed from your ISP to its destination, such as Apple or Netflix. However, BGP, in its default configuration, is insecure and subject to hijacking attacks. There are mitigations for such attacks, but your ISP must explicitly implement them. A new tool from Cloudflare lets you check your ISP, and name and shame them if they haven’t implemented appropriate fixes.
一种新工具可以检测您的ISP是否实施了路由劫持缓解措施 Internet运行在称为BGP的协议上,该协议确定了如何将数据从ISP路由到其目的地,例如Apple或Netflix。 但是,BGP的默认配置不安全,容易遭受劫持攻击。 有缓解此类攻击的方法,但您的ISP必须明确实现它们。 Cloudflare 的新工具 可让您检查ISP,并在未实施适当的修复的情况下对其进行命名和羞辱。
微码补丁不会“修复”处理器 (Microcode Patches Don’t “Fix” Your Processor)
Your Processor Remains ExploitableThe common perception is that if you update your processor’s microcode, your processor is “fixed.” Well, it isn’t. Every time you reset your processor (e.g., reboot), the microcode patches are wiped. This leads to exploitable security holes in your system.
您的处理器仍可利用 普遍的看法是,如果更新处理器的微代码,则处理器是“固定的”。 好吧,不是。 每次您重置处理器(例如重新启动)时,微代码补丁都会被擦除。 这会导致系统中可利用的安全漏洞。
英特尔架构中的负面影响:您可能从未听说过的安全威胁 (Negative Rings in Intel Architecture: The Security Threats You’ve Probably Never Heard Of)
Not Actual Protection Rings, But Conceptual Privilege Levels Susceptible To ExploitationMost likely, you’re aware of the hardware “protection rings” in Intel Architecture processors — the familiar “Ring 0” for the kernel through “Ring 3” for userland. But, have you ever heard of “rings” “minus one” through “minus three”? If not, you’re missing out on three entire levels of processor vulnerabilities.
不是实际的保护环,而是 容易被 利用的概念特权级别 最有可能的是,您知道Intel体系结构处理器中的硬件“保护环” —熟悉的内核“ Ring 0”到用户区的“ Ring 3”。 但是,您是否听说过“铃声”,“减一”到“减三”? 如果不是这样,您将错过三个完整级别的处理器漏洞。
听说过MINIX吗? 这是世界上使用最广泛的操作系统 (Ever Heard of MINIX?
It’s The World’s Most Widely Used Operating System)
Have an Intel Processor? Then you’re a user!MINIX: It’s the world’s most widely used operating system and another security threat that you’ve never heard of! Like all operating systems, it has bugs. Only you can’t patch the bugs in MINIX!
有英特尔处理器吗? 那您就是用户! MINIX:它是世界上使用最广泛的操作系统,并且是您从未听说过的另一种安全威胁! 像所有操作系统一样,它也有错误。 只有您无法修补MINIX中的错误!
ME:这是您无法关闭的计算机 (ME: It’s The Computer You Can’t Turn Off)
(coming soon!)The Management Engine (ME) is the “Ring -3” processor on your IA chipsets which you can’t turn off. “Powering Off” your computer does not power off the ME. The only way to power off the ME is to remove all power from the processor. Thus, even when “power is off” to your computer, but line or battery power is connected to the computer’s mainboard, the ME continues to run. And, the ME has access to everything accessible by your computer. And, that’s just the tip of this iceberg.
(即将推出!)管理引擎(ME)是IA芯片组上的“ Ring -3”处理器,您无法关闭它。 “关闭电源” 不会 关闭ME的电源。 关闭ME电源的唯一方法是断开 处理器的 所有 电源。 因此,即使您的计算机“电源关闭”,但线路或电池电源已连接到计算机的主板,ME仍会继续运行。 而且,ME可以访问您的计算机可访问的所有内容。 而且,这只是冰山一角。
分支预测,线程和其他处理器漏洞:未来几年我们无法修复的硬件错误 (Branch Prediction, Threads, and Other Processor Vulnerabilities: Our Unfixable Hardware Bugs for Years To Come)
(coming soon!)
(快来了!)
随着严重的安全风暴越来越阴云密布:为什么不可能保护公共云 (Increasingly Cloudy with Severe Security Storms: Why It Is Impossible to Secure the Public Cloud)
(coming soon!)
(快来了!)
主题:安全政策与政治 (Topic: Security Policy and Politics)
Ah, politics. Everyone’s favorite subject today. Or, maybe not.
啊,政治。 今天是每个人最喜欢的主题。 或者可能不是。
Regardless, politics pay a critical role in all policy decisions. Thus, I include both topics under this one single heading.
无论如何,政治在所有政策决策中都起着至关重要的作用。 因此,我将两个主题都放在一个标题下。
This section discusses how policies impact security, and how politics often result in insecurity.
本节讨论政策如何影响安全以及政治通常如何导致不安全。
轻易击败加密后门:您无法将加密精灵塞回瓶子 (Trivially Defeating Crypto Backdoors: You Can’t Stuff The Crypto Genie Back Into The Bottle)
Why The Cryptographic Backdoors Law Enforcement Seeks Are Worthless Against Any Minimally-Determined Adversary.Their purported “need” for encryption backdoors is purely and simply a barefaced lie. There’s no other civilized way of putting it. Backdoors are neither necessary, nor will they solve the alleged “encryption problem.” Worse, backdoors will critically compromise everyone’s security.
为什么加密后门执法机构的执法人员对任何最低限度的对手都一无所获。 他们所谓的对加密后门的“需求”纯属无稽之谈。 没有其他文明的表达方式。 后门既不是必需的,也不会解决所谓的“加密问题”。 更糟糕的是,后门将严重危害每个人的安全。
企业安全:被遗忘的安全领域 (Corporate Security: The Forgotten Security Domain)
(coming soon!)The lack of a formal corporate security organization creates costly gaps and overlaps in an organization’s security.
(即将推出!)缺乏正式的公司安全组织会造成成本高昂的缺口和组织安全方面的重叠。
LinkedIn对您的组织构成安全威胁 (LinkedIn Is A Security Threat To Your Organization)
(coming soon!)Where does a hacker who wishes to target your organization begin her recognizance? Most likely, on LinkedIn.
(即将推出!)希望以您的组织为目标的黑客在哪里开始认证? 最有可能在LinkedIn上。
我在采访某人担任安全角色时问的第一个问题 (The First Question I Ask When Interviewing Someone For A Security Role)
A Guide To Learning How Well A Candidate Understands SecurityInterviews for security roles tend to come in three flavors: How have you solved a given security problem in the past? How would you configure a particular security tool to solve a specific problem? Or, tell us about your previous experience (as though they hadn’t bothered to read my résumé). None of these approaches provide insight into a candidate’s actual understanding of basic security principals and their application. This blog post presents a guide to interviewing security candidates with a focus on whether they actually understand security fundamentals.
学习候选人 对安全性 了解程度的指南 对安全角色的面试通常有以下三种方式:您过去如何解决给定的安全问题? 您将如何配置特定的安全工具来解决特定的问题? 或者,告诉我们您以前的经历(好像他们没有理会我的简历一样)。 这些方法都无法洞察候选人对基本安全原理及其应用的实际理解。 这篇博客文章提供了采访安全候选人的指南,重点是他们是否真正了解安全基础知识。
网络安全职位名称和职位描述的人力资源指南 (An H.R. Guide to Cybersecurity Job Titles and Job Descriptions)
(coming soon!)I am an architect-level and executive-level security consultant. It’s unbelievable the number of recruiters who contact me for a “Security Architect” position which only requires 5 years of security experience. When I see such a job description, it tells me two things about the organization: (1) They are most likely clueless when it comes to security, and (2) They are only willing to pay for a security engineer, and not a security architect. In this blog post, I explain security roles, responsibilities, experience, and appropriate job titles.
(即将推出!)我是架构师和执行官的安全顾问。 与我联系担任“安全架构师”职位的招聘人员数量令人难以置信,该职位仅需要5年的安全经验。 当我看到这样的职位描述时,它告诉了我有关组织的两件事:(1)关于安全性,他们很可能一无所知;(2)他们只愿意为安全工程师付费,而不愿意为安全付费建筑师。 在此博客文章中,我将解释安全角色,职责,经验和适当的职位。
黑客攻击会议室:向非技术的C级主管展示技术信息 (Hacking The Boardroom: Presenting Technical Information To Non-Technical C-Level Executives)
(coming soon!)
(快来了!)
您的CIO正在破坏安全性:您的公司结构如何破坏安全性 (Your CIO Is Sabotaging Security: How Your Corporate Structure Is Undermining Security)
(coming soon!)
(快来了!)
我关注的安全博客和新闻源 (Security Blogs and Newsfeeds I Follow)
(and You Should Too)
(你也应该)
All of the following blogs and newsfeeds support RSS.
以下所有博客和新闻源均支持RSS。
US-CERT (now called, CISA)
US-CERT (现称为CISA)
Public Intelligence (low volume)
公共情报 (小批量)
Securosis Blog (low volume)
Securosis博客 (小批量)
The following mailing lists are worth subscribing. Choose wisely, as some are very high volume.
以下邮件列表值得订阅。 明智地选择,因为有些体积很大 。
Security Mailing Lists @ SecLists.org This is not a mailing list. Rather, it is a topic-based list of mailing security mailing lists.
安全邮件列表@ SecLists.org 这不是邮件列表。 而是,它是邮件安全邮件列表的基于主题的列表。
我支持的安全组织 (Security Organizations I Support)
(and You Should Too)
(而且你也应该)
特色图片 (Featured Image)
Featured Image Credit: NASA
特色图片来源:NASA
翻译自: https://medium.com/@RealWorldCyberSecurity/real-world-cyber-security-38888880bf11
cydia 现实没有网络
3658
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
