Threat Scoring and Risk Management

Threat Intelligence teams and Information Security teams often struggle to communicate to leadership why a specific vulnerability should be taken seriously or given more precedence, especially when the CVSS score is low.

This post is a brief explanation of how to use a threat scoring matrix to consistently evaluate threat actors, then combine that score with a CVSS score to communicate the true risk posed to your organisation. It provides a measurable score that can easily be integrated with CVSS scoring systems, thereby also facilitating risk scoring automation. It also allows leadership to make a well-informed decision, because the vulnerability is considered within the context of a comprehensive profile of the threat actor seeking to exploit it. We discuss the example matrix metrics below, and you may download the Threat Actor Impact Scoring Matrix PDF from here [1]. It uses a five-point scale to score a threat actor on nine criteria: determination, motivation, technical resources, financial resources, intelligence resources, skills/expertise, time they went undetected, team size, and time available to dedicate to malicious activities. It then scores the target (presumably you) on three criteria: probability of successful attack, stage of any technical exploit, and the attacker’s focus.

Continue reading "Threat Scoring and Risk Management"

From the department of redundancy: repetitious phrases to stop using

Austin Powers famously stumbled over his introduction: “Allow myself to introduce myself.”
Hilarious to be sure, but the rest of us non-comedic secret agents need to stop using a plethora of redundant phrases.
These phrases probably became so commonplace out of a desire for additional emphasis.
That, or perhaps they are just mistakes that stuck around?

Continue reading "From the department of redundancy: repetitious phrases to stop using"

Apostrophes have no place in plural acronyms

The proper use of apostrophes when denoting plural or possessive nouns is the subject of many tutorials, especially the rule-breaker “its/it’s.”
But there should be no debate about whether acronyms or other all-capitalised or numeric constructions should include an apostrophe when made plural: they shouldn’t!

Continue reading "Apostrophes have no place in plural acronyms"

Why You Don’t Need a DevOps Team

DevOps is a term emerging from the collision of two major related trends.
The first was also called “agile system administration” or “agile operations” — with focus on applying newer Agile approaches to operations work.

This new “fashion” trend is leading some companies to abuse Agile terminology, making life miserable for both Dev and Ops.

The second is a much expanded understanding of the value of collaboration between development and operations staff throughout all stages of the development lifecycle when creating and operating a service.

Continue reading "Why You Don’t Need a DevOps Team"

From DEVOPS to devops

For evangelists, DevOps is a culture and a transformation. For some engineers, DevOps is a set of agile tools and techniques. For managers, DevOps is probably a methodology. For other people it is just a buzzword, and for recruiters, DevOps is a job.

I think DevOps is not just a buzzword but somehow it is a mix of all the above definitions: There is no digital transformation without the right methodologies, the right tools and the right engineers.

Continue reading "From DEVOPS to devops"

DevOps As Design

The DevOps movement has encountered a certain amount of criticism for not being more prescriptive. “The principles sound nice,” critics say, “but how do we actually do it?” They get even more frustrated when proponents answer, “you have to figure it out for yourself.”

Continue reading "DevOps As Design"

/usr/bin/time, Jim, but not as you know it

Open up a terminal. Run ‘type time’. You’ll be told that “time is a shell keyword”. Now run ‘which time’ and you’ll see ‘/usr/bin/time’, which looks like a path to a binary. Are they the same thing? Nope.

In fact, one of them can give you a whole lot of interesting information that the other can’t.

Continue reading "/usr/bin/time, Jim, but not as you know it"

Why do devs wear headphones? Same reason that you can’t juggle.

Some call it eliminating distractions. Some call it flow. Tuning out of your immediate surroundings has been shown to increase focus on internal thinking processes. In this post I’ll dive into both the neurological components and the folk advice surrounding this phenomenon.

Continue reading "Why do devs wear headphones? Same reason that you can’t juggle."