Firefox is Rolling-Out DNS-over-HTTPS. Are you ready?

The Monday Morning Pop-Up from Firefox

I was greeted with this unexpected pop-up from Firefox this morning. If you haven’t seen it yet, figure it’s just a matter of time. Listen to the short video for some things you may need to consider, particularly if you’re managing an internal network with DNS services or if you’re using DNS filtering as part of your security plan.

If you need help assessing how the different browsers moving to DNS-over-HTTPS (DoH) may impact your organization or you, visit our contact form and drop us a line!

Smash that Like Button and Ring that Bell! We’re adding video content :-)

OpenVAS installation on Ubuntu 18.04

There are some questions that are going to be asked more than once, and there are some answers you’ll want to work through at your own pace and you’ll want to know that you’re seeing what you’re supposed to be seeing — and maybe anecdotal experience tossed in for good measure will be worthwhile. For those situations, a video is about as close to ideal as is currently possible.

I’ve personally done my time lecturing from podiums and blackboards, but this… is a little different. Like most things, it’ll take some time and practice — and maybe some better lighting and some acoustic wall treatments — before things are polished. Hopefully the content will carry the effort through until then 🙂

In the meantime, a few private videos have gone out discussing topics of interest including security alerts and commentary to clients who might be affected. So, go ahead and subscribe to the channel for the occasional public release. If you have a question or topic of interest, let us know — maybe we’ll add it to the queue. And if you might benefit from checking off that box of having people keeping up with threat intelligence on your organization’s behalf, visit the contact form and drop us a line!

Quantitative Risk Analysis in the Corona Era

Listen to the news and look around: Everyone else is running the numbers to make their decisions. Are you?

Today in Maryland…

Since May 1st, 2020, the State of Maryland has been averaging 1005 +/- 263 (1 standard deviation) new COVID-19 cases per day. Statistically, around 7% of each day’s new cases will be dead in 10 days.

There is no shortage of threads to pull or rabbit holes to dive into with the numbers. Bear with me as I tug on one.


Of those 1000 per day new cases, some percentage are medical professionals — the doctors, nurses, EMTs, etc. Arguably, medical professionals are:

  1. The best informed regarding the transmission of the disease;
  2. The best equipped to defend themselves against transmission from individuals and environment; and,
  3. The most alert, with peer pressure, personnel health checks, and other reminders all around them to stay alert, plus a natural presumption that each new patient entering their perimeter is infected.

In spite of those three basic factors, some percentage will fall. It may be a single lapse in judgement or attention, it may be something assumed clean that is dirty, or it may just be the virus beating the odds that one time ~ who knows? But it happens.

It’s on my to-do list to see if I can’t dig up those numbers, but in the meantime, it’s sufficient to know that there is a non-zero probability baseline: the most informed, most protected, and most alert do succumb with prolonged exposure in dirty environments over extended periods of time. That or they get back-doored, maybe during a relaxed moment in the break room, at the grocery store, or by a spouse or kid at home. Regardless, there is a non-zero probability of an event.

What does it Cost?

What does it cost the health industry — the hospital, the doctor’s office, the clinic, the fire station — if a specialist, a doctor, a nurse, or an EMT is knocked out of the rotation for two weeks? How about for life? And what does it cost the infected individuals’ families? We’ve heard about the outbreaks at nursing homes / assisted living centers; it’ll probably be some time before we hear about the impact of these events on the entire industry. How do you suppose disclosure of an outbreak at a hospital would affect public health and governance? How will each loss affect the individual families?

And for the Common Man?

Some presumably small percentage of those 1000 new cases per day in Maryland are medical professionals, but what about the rest? Today, in the middle of May 2020, it’s extremely unlikely that anyone is unaware of the pandemic or the mandated or recommended measures to avoid contracting or spreading the virus — and having been at this for more than two months, it’s likely they’ve been cognizant for at least two weeks. It’s not likely then that any recent day’s 1000 new cases were ignorant. So, what happened?

Assuming a “people are fundamentally good / we trust our community” model, we’d have to assume:

  1. No person would knowingly leave a safe space while sick, where any symptom would be assumed to be an indicator of infection until proven otherwise, and illness of a spouse, child, or another at home would similarly lock the person down until proven otherwise.
  2. No person would enter a space without assuming it was contaminated and no person would interact with another without assuming the other was infected, and therefore would take all appropriate protective measures.
  3. All people maintaining places where people gather, such as grocery stores, ensure that they and their personnel maintain themselves and their environment to inhibit the transmission of the virus between any parties.

So what happened?

  • Lapse in discipline? I forgot my mask. I’ll just rinse my hands. I was only in there for a minute. They were coughing but said it was just a cold.
  • Lapse in awareness, falling into old habits, not giving space, touching one’s face and everything around us.
  • Insufficient protective measures for the circumstances?
  • Lack of respect for others? Trust me, I’m fine ~ you have nothing to worry about.
  • Something else? Simply an accident? Maybe today it just got lucky?

Even when we are all on guard and acting with good intentions and a sense of social responsibility, it can still happen. What if we’re not all such model citizens? Either way, maybe it’s happening here a thousand times a day.

Comparative Risk?

For the last few years, Maryland has suffered a bit over 500 deaths per year from a bit over 100-thousand automobile accidents per year. That’s a 1/2% death rate from around 275 events per day (assuming they’re spread out evenly across the year). They’re presumably all licensed and have the same basic training. Everybody knows the rules and what they’re supposed to do in different situations. Most have had some years of driving experience and survive the trip without incident nearly 100% of the time. So, what happens? Lapse in discipline? Lapse in awareness? Not prepared for the conditions? Disregard of other vehicles? Something else? Simply an accident? Someplace they had to be in spite of the weather? Don’t worry, I’m good to drive?

We have licensing, education, restrictions, insurance, road maintenance, towing & repair, and enforcement apparatuses in place, combined with continuous improvements in engineering, to improve safety on the road — all presumably because we feel our economy depends on folks hopping in their cars. We’re willing to accept 500 deaths per year — a bit over one death per day on average — from 100-thousand mostly survivable accidents toward that end.

So, what if it’s one thousand events per day with 50-100 deaths per day?
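To make the comparison above concrete, here is a small calculator (an added example, not part of the original post) that carries the post’s own figures through: daily event rate, fatality rate, expected deaths per day with the 1-sigma band, and the ratio between the two hazards. It also generalizes one step further with an expected daily cost given an assumed cost per fatal and per survived event; the cost figures are placeholders you would replace with your own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hazard:
    """One recurring event stream: how often it happens and how often it kills."""
    name: str
    events_per_day: float
    events_sd: float        # 1-sigma spread of the daily event count (0.0 if unknown)
    fatality_rate: float    # fraction of events that end in a death

    @classmethod
    def from_annual(cls, name, events_per_year, deaths_per_year, days=365):
        """Build a hazard from yearly totals, spreading events evenly over the year."""
        return cls(name, events_per_year / days, 0.0, deaths_per_year / events_per_year)

    def expected_deaths_per_day(self):
        return self.events_per_day * self.fatality_rate

    def deaths_band(self):
        """Expected deaths/day when the daily event count sits at -1 and +1 sigma."""
        lo = max(self.events_per_day - self.events_sd, 0.0)
        hi = self.events_per_day + self.events_sd
        return lo * self.fatality_rate, hi * self.fatality_rate

    def expected_daily_cost(self, cost_fatal, cost_nonfatal):
        """Expected loss/day for assumed costs of a fatal and a survived event."""
        deaths = self.expected_deaths_per_day()
        return deaths * cost_fatal + (self.events_per_day - deaths) * cost_nonfatal


# Figures from the post: ~1005 +/- 263 new cases/day, ~7% fatal within 10 days.
COVID_MD = Hazard("COVID-19 in Maryland (from 2020-05-01)", 1005.0, 263.0, 0.07)
# Figures from the post: a bit over 100,000 accidents and a bit over 500 deaths per year.
TRAFFIC_MD = Hazard.from_annual("Road accidents in Maryland", 100_000, 500)


def compare(a, b):
    """Ratios of a over b: how much more often it happens and how many more it kills."""
    return {
        "events": a.events_per_day / b.events_per_day,
        "deaths": a.expected_deaths_per_day() / b.expected_deaths_per_day(),
        "fatality_rate": a.fatality_rate / b.fatality_rate,
    }


if __name__ == "__main__":
    for h in (COVID_MD, TRAFFIC_MD):
        lo, hi = h.deaths_band()
        print(f"{h.name}: {h.events_per_day:.0f} events/day, {100 * h.fatality_rate:.1f}% fatal, "
              f"~{h.expected_deaths_per_day():.1f} deaths/day (1-sigma band {lo:.0f}-{hi:.0f})")
    print("COVID vs traffic:", compare(COVID_MD, TRAFFIC_MD))
```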

Now You, Security Guru…

I mean, it must sound familiar, no?

  • Your perimeter is under relentless attack, both with and without cause, even if you’re no one special.
  • There’s a job to do, and there are varying degrees of assets from the commodity to the irreplaceable that must come together and be protected to accomplish that mission.
  • Your technical countermeasures may be all but useless if your people aren’t trained, tested, and on their game.
  • Nothing may be more catastrophic than assuming something inside your safe zone is trusted.
  • You’re just one off-duty, guard-down lapse away from being back-doored.
  • You’re likely infected and doing significant damage for some time before you’re aware.
  • There is a non-zero probability that something bad will happen. It has happened to groups far more competent, better trained and provisioned, and more on alert than yours.
  • It happens whether everyone under our roof is trustworthy or not, whether everyone shares good intentions or not, and whether they maintain vigilance or not ~ sometimes if only because their best does not match your own as the SME and their personal risk models may differ from yours.
  • If your reputation is shot, your business may be done. Don’t ignore the intangibles in your asset and threat analyses.

Listen to the news and look around: Everyone else is running the numbers to sensibly guide their decisions. Are you?

You Know the Drill…

If you need help getting your Risk Management Process in place, underpinned with proper Quantitative Risk Management methodologies, visit the contact page and introduce yourself 🙂