control effectiveness
9 posts
A project name is not a threat model
Project Glasswing has been named but not defined. Without stated scope, identity model, or controls, no security assessment is possible.
Reputation is not a control
Harvard.edu and 140 other domains reported compromised. Why reputation-based controls fail when trusted origins are turned against their consumers.
Your bot defenses just failed
A board-level view of how a stealth Playwright build erodes the assurance value of anti-bot and CAPTCHA controls across the business.
AI just broke 2FA at scale
AI was used to develop a zero-day 2FA bypass deployed at mass scale. The control's economic assumption has been falsified in the wild.
Face ID was never the control
A reported Face ID bypass via avatar collapses the liveness assumption. Every downstream control trusting the boolean inherits the failure.
The record count is not the breach
A board-level brief on the healthcare data breach: access governance did not hold at runtime, and assurance must now be proven, not assumed.
US extradites alleged Chinese state hacker
An extradition in an alleged state-aligned cyber matter shifts the standard of care boards will be measured against in disclosure and litigation.
Encrypted files are writing back to disk
Active ransomware event analysis from an operator perspective: what failed, the underlying mechanism, and the conditions that must now hold.
Why Cybersecurity Consulting Fails to Prevent Breaches
Cybersecurity consulting often produces deliverables but fails to prevent breaches due to lack of continuous validation. This post explains why documented compliance doesn't equate to real-world security.