Failing to update your skills
Apr 10th, 2018 by Jesper Kråkhede
I love doing presentations and I had the opportunity in southern Europe to present my view on how to administer on-prem services to a few customers. What I presented was the Microsoft Secure Privileged Access Roadmap. If you haven't read it, please do. It gives quite some detail on how you should manage the administration tasks in your environment. The focus is of course on credential theft, as the account is the new perimeter for information.
Credential theft is interesting as it comprises many different things, but one of the more important is the stealing of the hash and how to prevent it. I explained how it works and the number of ways you could mitigate it. Halfway through the presentation one person in the audience, CISSP-certified and known to me to have worked within the field for 15 years, raised their hand and asked in a slightly annoyed voice: "This credential theft you are talking about. Is it something you recently invented? I have never heard of it before." The room fell silent and I was stunned for a few seconds trying to comprehend what had just been said. Thankfully the person sitting next to them started to whisper, and within a few seconds I heard a faint "Sorry!"
There was a bit of a laugh in the auditorium, but it opened up an opportunity for me to discuss the importance of using the correct terminology when discussing security and, even more importantly, making sure that your customer understands it. I was very sure that credential theft was a well-known term, but apparently not. This phrase is common in the literature, but if you spend the studying you do to maintain your CISSP on just a limited number of sites, you might miss the latest developments for 15 years.