Background

First, for context, this is required reading: Data breach exposes 1.6 million Washington state residents who filed unemployment claims in 2020 — GeekWire

If you listen to my new podcast with my friend Chris Abramson, “Indistinguishable from Magic,” we’re about to release a conversation on this (or already have by the time you read this) over here: Indistinguishable from Magic Podcast | With Rafal Los and Chris Abramson — ITSPmagazine | ITSPmagazine At the Intersection of Technology, Cybersecurity, and Society.

OK, now onto the content of this post.


My Thought Process

When I originally saw that article, my first reaction from the gut…


I was reading up on Microsoft Security (you should really bookmark and read this stuff if you work with Microsoft — https://docs.microsoft.com/en-us/security/) recently. You should probably do it too. Interesting stuff in there.

One bit stuck out for me — emergency accounts — casually mentioned in the Security Rapid Modernization Plan (RAMP) section — https://docs.microsoft.com/en-us/security/compass/security-rapid-modernization-plan.

As I read, I recalled working for a startup a long time ago where we created an “all-else-fails” set of accounts that were domain administrator with all security permissions. We turned on auditing to the maximum and set up alerts if it was ever used…


Solving Security Problems With Money

Have you ever read something that is meant to be funny, kitschy, but ultimately ends up being ridiculous?

Check this LinkedIn post out: https://www.linkedin.com/posts/the-cyber-security-hub_via-hypr-the-passwordless-company-activity-6743110611120480256-SI2H

I read that and chuckled to myself. Then I read the replies…

“This is why we’re in such shit shape” — was my first reaction.

So why such a strong reaction? Because quite frankly it, I suspect accidentally, lampoons security professionals. Look at all the people chiming in and making fun of someone who would sanely hire a PR firm to help during a breach! …



I was interviewed for a news story that ran on Friday night, on WSB Atlanta, about Child Protective Services (CPS) and how they’ve had a business email compromise.

The insane thing, for me, is that the big headline isn’t that this is yet another example of how simple it is to phish people and steal everyday users’ credentials. It’s not even about how insane it is that an agency that has such highly sensitive information about the weakest and most vulnerable in our society doesn’t appear to use two-factor authentication of any sort. …


I’ve had an employee once, as they were telling me they were leaving the company and my team in favor of a new job, sheepishly ask if I was mad at them or angry. I was confused by this notion… let’s explore this.

I’ve not worked in that many different companies, by comparison to some of my colleagues, but I have done my fair share of leaving. I’ve also been left (aka fired) once or twice in my career, early on. Looking back on things, I’ve picked up a few life and career lessons I’d like to share.

  1. At the…


Security tools and service providers, specifically MSSPs, have failed customers in spectacular ways over the last 20 years. One of the most obvious, that I can’t believe we collectively haven’t figured out how to address adequately yet, or at least not en masse, is the reporting of bad things.

On a recent call with a well-known industry security leader and friend talking about managed services, I heard this (paraphrasing):

“I’m skeptical of MSSPs, same problem as the tools vendors. Quit telling me what’s wrong! It’s not as if telling me what’s wrong will make me secure.”

That rang in my…


We’re all dealing with an economic and social catastrophe the likes of which we have not witnessed in many generations, hell, maybe ever. The events over the last several months can give one pause about how to proceed forward with so much that is uncertain. Having been through a few similar types of cycles (for example, 9/11 and the economic downturn in 2008) I thought I would share some unfiltered advice.

Most importantly, things are never going to go back to the way they were before February 2020, ever. This is the reality. This has a significant impact on how…


For years and years, security folks (including myself) have pushed for stronger and more reliable means of identifying yourself to a system or application. Whether you care about security, or privacy, or both — the importance of authentication has been in the front of our collective consciousness in Cybersecurity for at least a decade.

But recently, something interesting happened. Well, to be more direct — something globally disastrous happened. Covid-19 challenged us not to touch things that other people may have touched in order to prevent the transmission of a potentially lethal virus. …


It’s strange to think about how quickly the world has changed, seemingly overnight. A virus that has plunged the world into global economic and social catastrophe is also forever altering the way you look at cyber security.

“Social distancing” basically has forced a lot of companies and businesses that operated in a “butts in seats” capacity to suddenly go fully remote. Hospitals have sent non-healthcare staff home to do their jobs, and virtually every other business that can function with a workforce that isn’t required to be in person has followed suit. That’s a huge deal. Huge. Massive.

Think about…


Since I first heard a few of the folks who would go on to form the Cloud Security Alliance discuss the “cloud computing” model a long, long time ago I have been hopeful that two things would happen. First, I was hopeful that cloud computing would increase an organization’s resilience to failure. Second, I was hopeful that security would find a way to natively build itself into the various cloud constructs.

Turns out neither of those things has happened in a meaningful way.

Consulting on security strategy matters into some of the most interesting companies in the world has definite…

Rafal Los

I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.
