Eric Alexander

December 26, 2018

2018 Breach Data

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. -Sun Tzu, The Art of War

Some advice on preventing about 70% of the incidents I see over in /r/securitybreach, a subreddit started to help answer the questions: What’s the enemy after? ... Read more

December 20, 2018

You're Not the Customer

If you are not paying for it, you’re not the customer; you’re the product being sold. @andlewis

If you asked me: What company has full access to un-hashed passwords, email accounts, social media accounts and location data, for the sole purpose of monetizing that data, on over 1 million people around the globe? Until a few days ago I’d answer: Google maybe, but don’t they hash/salt passwords? Let’s back up a bit. ... Read more

March 3, 2018

Dishes in the Sink

Have you ever witnessed a broken process that was obviously broken and doomed to fail? Not because it couldn’t work. The process would never work simply because the owner of the process was blind to why it didn’t work: the human factor. I’ve seen this in security all too often. We often want to ignore how our brains work and blame the training or blame human nature. Proposed fixes are often more training or threats of termination. ... Read more

January 27, 2018

Security Awareness Training - What Works?

Need to be PCI, CJIS, or NIST 800-53 compliant? If so, Security Awareness Training (SAT) isn’t optional. What if you’re not bound by those security requirements? What if you could take a pragmatic approach and do it not because you have to, but because reducing risk is your only motivation? Let’s say you’re launching a new cryptocurrency exchange. You’re not bound by any compliance requirement, but you’re also a major target. ... Read more

January 10, 2018

Make Change Happen

“Look at email, go to meetings, discuss designs, have my head explode because people are retarded, look at vuln reports on production servers, head explodes because people haven’t patched shit in 2 fuckin years, send emails, write power point presentations telling management how bad their people suck, talk to some lawyers, respond to an incident then go the fuck home to do it all over again the next day.” ... Read more

November 24, 2017

Uptime Is the Evil of Secure

Who hates uptime? If we’re talking system uptime, then yeah, this guy hates uptime. Service uptime? Love it. Metrics? Love those also. My favorite metrics are aggregates. I love single values that can tell a story. Uptime is one of the best aggregates. Uptime tells us the obvious: How long has it been up? It also tells us the not so obvious: How good are we at patching systems and how good are we at designing resilient services? ... Read more

November 12, 2017

Can They Code?

We have a coding skill set requirement for engineering candidates at The Trade Desk. It’s a requirement for everyone from our DBAs to our Information Security Engineers. I can probably guess what you may be thinking. Let’s get some common arguments out of the way. “Software Engineers should focus on writing code. Let me focus on my discipline.” “There’s a shortage of InfoSec candidates. Why further limit the talent pool?” ... Read more

November 8, 2017

Infosec Hierarchy of Needs

Ever pondered the natural order of reducing risk in InfoSec or the natural order of working towards compliance? It’s something I’ve been thinking about lately. Maybe it’s related to the recurring conversation my wife and I have on the topic of Maslow’s hierarchy of needs. Maslow’s hierarchy helps us understand the essential nature of needs and why some needs are only achieved when we’ve built the right foundation by solving needs in lower tiers. ... Read more

November 5, 2017

Getting the Blog Back Together

I used to have a blog. My old blog content is probably still hiding somewhere on archive.org. The death of my last blog was the culmination of a fading interest in blogging and a desire to simplify by reducing the number of things that needed my attention and time. I eventually came to the realization that I wanted to do other things and maintaining a blog wasn’t one of them. ... Read more

© Eric Alexander 2017