Implicit Deny was started by a like-minded group of information security professionals from a variety of backgrounds. After months of swapping war stories, hacks, mitigations, workarounds, and best practices, they realized they were all asking the same question:
Why does Information Security seem so difficult?
In private and public organizations, at financial institutions and Fortune 100 companies, from the CISO to the marketing department, misunderstandings abound. “It’s too hard.” “It’s too expensive.” “We’re not a target.” “I don’t know how to prioritize my risks.” It’s time to clear the air.
Everyone is at risk
Regardless of industry, asset size, intellectual property, or infrastructure, nobody can afford to be ignorant. In an increasingly connected world, security through obscurity cannot be a viable defense strategy. Those responsible for existing IT infrastructure must understand the threats, know their own vulnerabilities, and take action to reduce the risk. Emerging programs must be built from the ground up with a security-conscious mindset. As shown time and time again, ignoring security will end in disaster – it’s just a question of when.
Security is not magic
Just because security needs to be a foundational consideration does not mean it needs to be scary. Technology is a tool, and as with any tool, effective use requires training, knowledge, and practice. Proper security cannot be obtained through wishful thinking or luck. Many of the tools and resources that security practitioners commonly use are freely available online. All it takes is someone willing to learn and apply them.
Security advocates are not wizards
We are not the dark-hooded stereotype, holed up in a basement, incapable of human interaction. Understanding information security is not a question of nature versus nurture. Everyone who cares about their own personal privacy should understand the basic principles of information security. Most security professionals have simply taken common technical skills and experience and applied them to ensuring the safety of those around them. It doesn’t even take technical skills to be secure, however – all it takes is a desire to be protected and a willingness to learn.
For too long, information technology has been seen as unknowable, out of reach, and unnecessarily complex. Let’s get back to basics. Let’s use the tools and methods that we know work: Least privilege. Strong encryption. Secure passwords. Multifactor authentication. Segregation of duties. Implicit Deny.
- Pentesting the Hard Way, Part One: What is a Pentest? - July 12, 2016
- Security for Everybody: Secure Your Browser - June 21, 2016
- Cracking Domain Passwords from NTDS.dit with Metasploit and john - May 3, 2016