Background

First, for context, this is required reading: Data breach exposes 1.6 million Washington state residents who filed unemployment claims in 2020 — GeekWire

If you listen to my new podcast with my friend Chris Abramson, “Indistinguishable from Magic” we’re about to release a conversation on this (or already have by the time you read this) over here: Indistinguishable from Magic Podcast | With Rafal Los and Chris Abramson — ITSPmagazine | ITSPmagazine At the Intersection of Technology, Cybersecurity, and Society.

OK, now onto the content of this post.

My Thought Process

When I originally saw that article, my first reaction from the gut…


I was reading Bruce’s article again “On Not Fixing Old Vulnerabilities” where he ponders the unbelievable result of a report on very, very old vulnerabilities still in real-world existence today, and came upon a disturbing thought.

As I scrolled through the comments section (yes, I read comments as often as I can stomach them), one in particular caught my attention. Then I had a lightbulb moment. Not the bright lightbulb of “Ah, ha!” but the red one of “Oh, shit!”. This comment:

I guess that the reason many companies are still on Windows 7 — or even XP — is…


We’re a third of the way through 2021. I’ll pause and let that hit you and sink in before I continue…

Now that you’ve had a minute to think about the statement I made above, I’d like to draw your attention to a LinkedIn post I made a while back, essentially asking people to write down the first three words that come to mind when I say the words “vulnerability management”. The results were, sadly, predictable.

Call me a pessimist, or a realist, but at this point in my career, it’s difficult to surprise me. This survey didn’t surprise me…


I was reading up on Microsoft Security (you should really bookmark and read this stuff if you work with Microsoft — https://docs.microsoft.com/en-us/security/) recently. You should probably do it too. Interesting stuff in there.

One bit stuck out for me — emergency accounts — casually mentioned in the Security Rapid Modernization Plan (RAMP) section — https://docs.microsoft.com/en-us/security/compass/security-rapid-modernization-plan.

As I read, I recalled working for a startup a long time ago where we created an “all-else-fails” set of accounts that were domain administrator with all security permissions. We turned on auditing to the maximum and set up alerts if it was ever used…


Solving Security Problems With Money

Have you ever read something that is meant to be funny, kitschy, but ultimately ends up being ridiculous?

Check this LinkedIn post out: https://www.linkedin.com/posts/the-cyber-security-hub_via-hypr-the-passwordless-company-activity-6743110611120480256-SI2H

I read that and chuckled to myself. Then I read the replies…

“This is why we’re in such shit shape” — was my first reaction.

So why such a strong reaction? Because, quite frankly, it lampoons security professionals, I suspect accidentally. Look at all the people chiming in and making fun of someone who would sanely hire a PR firm to help during a breach! …


I was interviewed for a news story that ran on Friday night, on WSB Atlanta, about Child Protective Services (CPS) and how they’ve had a business email compromise.

The insane thing, for me, is that the big headline isn’t that this is yet another example of how simple it is to phish people and steal everyday users’ credentials. It’s not even about how insane it is that an agency that has such highly sensitive information about the weakest and most vulnerable in our society doesn’t appear to use two-factor authentication of any sort. …


I’ve had an employee once, as they were telling me they were leaving the company and my team in favor of a new job, sheepishly ask if I was mad at them or angry. I was confused by this notion… let’s explore this.

I’ve not worked in that many different companies, by comparison to some of my colleagues, but I have done my fair share of leaving. I’ve also been left (aka fired) once or twice in my career, early on. Looking back on things, I’ve picked up a few life and career lessons I’d like to share.

  1. At the…


Security tools and service providers, specifically MSSPs, have failed customers in spectacular ways over the last 20 years. One of the most obvious failures, which I can’t believe we collectively haven’t figured out how to address adequately yet, or at least not en masse, is the reporting of bad things.

On a recent call with a well-known industry security leader and friend talking about managed services, I heard this (paraphrasing):

“I’m skeptical of MSSPs, same problem as the tools vendors. Quit telling me what’s wrong! It’s not as if telling me what’s wrong will make me secure.”

That rang in my…


We’re all dealing with an economic and social catastrophe the likes of which we have not witnessed in many generations, hell, maybe ever. The events over the last several months can give one pause about how to proceed forward with so much that is uncertain. Having been through a few similar types of cycles (for example, 9/11 and the economic downturn in 2008) I thought I would share some unfiltered advice.

Most importantly, things are never going to go back to the way they were before February 2020, ever. This is the reality. This has a significant impact on how…


For years and years, security folks (including myself) have pushed for stronger and more reliable means of identifying yourself to a system or application. Whether you care about security, or privacy, or both — the importance of authentication has been at the front of our collective consciousness in Cybersecurity for at least a decade.

But recently, something interesting happened. Well, to be more direct — something globally disastrous happened. Covid-19 challenged us not to touch things that other people may have touched in order to prevent the transmission of a potentially lethal virus. …

Rafal Los

I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.
