Infosec Feed
All of my infosec-specific content. You can subscribe to my just-infosec feed here.
Welcome to volume four of Scrolls, a newsletter for sharing cool stuff from the IndieWeb, Fediverse & Cybersecurity worlds. Featured topics for this week include how, and more importantly, why to start a personal website, as well as how to join and help grow the Fediverse. Enjoy!
In the past, I’ve been a bit self-conscious about how/what I posted on my site. I believe there’s some part of my readership that comes to my site specifically for infosec-related stuff. So anything NON-infosec that I post is something that they may see on my site, or in their RSS reader and cause them to lose interest in my site because it’s no longer just the infosec stuff they want to see.
Welcome to volume three of Scrolls, a weekly newsletter for sharing cool stuff from the IndieWeb, Fediverse & Cybersecurity worlds.
Answering the age old question, “what certification or training should I take?”
Welcome to volumen duo of Scrolls, a newsletter for sharing cool stuff from the IndieWeb, Fediverse & Cybersecurity worlds.
*Takes a breath.*
STOP. Please. Just stop. No more. We as a community (the infosec community) must band together and collectively agree to stop creating new phishing name variants. It’s gone too far. There’s too many! Won’t someone think of the aspiring CISSPs? In addition to cramming fire suppression factoids and bollard types into their heads, they will also need to memorize every god forsaken -ishing term too. Back in my day you had just a few, e.g. phishing, vishing, spear phishing, whaling, blah blah - and this was still way too many. What’s with us infosec folks? Why do we do this to ourselves? (Theory: self-loathing, it actually explains a lot about infosec practitioners really). But it was the way it was, and I never complained.
Welcome all to the first issue of Scrolls, a newsletter-ish type thing that I hope to compile each week with all sorts of stuff from across the IndieWeb / Fediverse / Cybersecurity realms. The name “Scrolls” is, as you may have already gathered, a play on a piece of writing, the scrolling we do across our various feeds/sites, and the general magic of the web. Enjoy!
A reference directory of known vulnerability scanners.
If there is anyone out there who subscribes to my blog’s RSS feed who would like to only get the infosec / cybersecurity-related things I write about, I now have an infosec-only RSS feed you can sub to.
★
***
**O**
*******
*********
***********
******o**
***********
**SYN********
***************
****o***o********
*******************
***********************
*****O***********
********ACK********
****************o****
**O********************
***********o********O****
*****************************
*********************
***o*******************
***********o*****FIN*****
***************************
***********************O*****
***O***************************
***********************************
*************************
*******o********o**********
*****************************
**************o****************
*************************O*******
***URG*****************************
**************o************************
***************************
***********PSH***************
***********o*******************
**************************O******
***o******************O************
***o***********o****************o******
###
###
###
###########
SHELLSHARKS
###########
On July 19, 2024, CrowdStrike delivered a malformed content update to their global fleet of Windows Falcon agents which resulted in a mass BSOD event affecting ~8.5 million systems worldwide. This event has become known as “ClownStrike”.
Rapid7 released their 2024 Attack Intelligence Report, an annual writeup containing curated vulnerability data and in-depth analyses of exploit trends. Below I’ve listed a few of my own personal takeaways after reading through the report…
On the difficulty of exploitation in a CTF environment versus actual enterprise organizations…
Welcome to part 3 of the CSC at Home series where I provide practical guidance on how one could implement the CIS Top 20 controls in their home or small-business environment.
Welcome to part 2 of my CSC at Home series where I provide practical guidance on how one could implement the CIS Top 20 controls in their home or small-business environment.
This is the first in a series of posts discussing the CIS Top 20 controls and how they can be implemented in a home or small-business environment. Before getting into the first of these controls, I’ll begin by providing some introductory background on the CIS Top 20.
CIS Critical Security Controls and/or NIST CSF as frameworks to help put you in the right mindset. But so much of what you should do first depends on some variables imo.
In response to one Reddit user’s breaking into infosec plight…
A commonly asked question is whether infosec / cybersecurity is “stressful” and generally “what is the work life balance like?”. I think there are three main things that contribute to whether a job is stressful, none of them particularly unique to infosec.
“Reverse syndication”, i.e. archiving discussions I have elsewhere on the web (PESOS) on my site is very valuable to me for a few reasons…
I see a lot of questions about the infosec / cybersecurity job market…
The infosec/technology world is abuzz with discussions and analyses pertaining to the recently identified compromise of the open-source xz/liblzma compression library, i.e. CVE-2024-3094. Here is a roundup of links related to everything going on…
If you are in #infosec / #cybersecurity and looking for an easier way to follow interesting infosec accounts that are relatively high signal-to-noise without having to scour the Fediverse, consider checking out the #mammoth Mastodon client and subscribing to the new #indiesec Smart List! Smart Lists are a unique feature pioneered by Mammoth which offers curated lists of accounts in a number of different subject areas.
What does the #infosec / #cybersecurity (or infosec-adjacent) community think of “establishing” a go-to hashtag for asking infosec-related questions? Something like #AskSecFedi or #AskFediSec? Personally I think the latter has a better ring to it but curious what others think. I’ve seen a lot of people in the community ask questions that don’t get answered due to classic social reach issues but perhaps a dedicated hashtag could help alleviate some of that. (If you have a catchier tag feel free to comment!)
@lcamtuf@infosec.exchange I’ve always said something very similar with regard to infosec disciplines that many regard as “junior” or “easy”. Vulnerability Management is one such role that I think is pretty easy to get started in (and many in security do) and for many considered to just be something that is easy/junior when in reality, doing advanced VM is something that takes a lot of finesse, organizational knowledge, cross-disciplinary skills, coding chops, etc… Same could be said for things like “SOC Analyst”. Sure you can run junior folks through that role but there is definitely a spectrum of proficiency that should not be overlooked.
@john_fisherman Hey! I read your post here and wanted to let you know about my own experience as a random writer on the web (understanding that everyone’s experience differs). I started my blog in 2019 and expected to never really get any interest from people in terms of reading, using or getting feedback on what I had written. After nearly 5 years I’ve been blown away with the reception and level of feedback I have gotten! So what do I think has helped me in terms of people discovering my site, enjoying it and giving me feedback?…
@LaGrange Here’s my “find news” strategy…
Pro Tip: If for whatever reason you still have a Twitter/X account but don’t really use the platform, follow it from here using bird.makeup. This way, if you ever DO see something from there, you’ll know it was hacked somehow 😅. Because apparently getting your X account pwned is something even Mandiant can’t prevent 🤦‍♂️.
Here is the number of “named vulnerabilities” per year (based on data I’ve captured here). Vulnerabilities are counted for a given year based on A. what their CVE ID is, or B. if they don’t have a CVE, when the original article about that vuln was posted.