Blog

Text Message Scams

August 27, 2024

Don’t click on the link you received about unpaid tolls. It’s likely a scam.

Excerpt from: If You Get This Text Message, It’s Probably a Scam.

Unpaid toll scams are on the rise, according to the FBI. The agency has received more than 2,000 complaints since March. Unpaid toll scams are classified as smishing, whereby bad actors use text messages and pretend to be a part of a company to extract your personal information.

Toll road scam texts often convey a false sense of urgency. This tricks you into acting quickly before you even consider the possibility that it may be a scam.

“Scared people moving quickly make poor decisions, which is exactly what a scammer wants,” Goerlich said. “If a message makes you feel rushed or afraid, trust your intuition and stop responding.”

Read the full article: https://www.cnet.com/personal-finance/identity-theft/if-you-get-this-text-message-its-probably-a-scam/

Wolf’s Additional Thoughts

Take a beat, take a moment, center yourself, and click from a place of calm. That’s my security awareness advice. While the tactics have changed over the decades, the one thing scams have in common is scaring people into action. So give yourself time to think.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Frameworks and Relationships

July 29, 2024

“Today we welcome J Wolfgang Goerlich, an advisory CISO, mentor, and strategist. We delve into the intricacies of security design frameworks and the importance of building and maintaining relationships in the cybersecurity field. Wolfgang shares his expertise on creating effective security programs, fostering trust within teams, and navigating the challenges of the CISO role. Tune in to gain valuable insights on cybersecurity strategy and the significance of collaborative relationships in achieving security goals.”

Ways CISOs Can Stay Ahead

July 25, 2024

Security leaders are expected to defend their organizations against existing and emerging threats. Here are some tactics they can use to crack down on the enemy.

Excerpt from: 9 Ways CISOs Can Stay Ahead of Bad Actors

It is often said that CISOs need to be right all the time and bad actors must only be right once. According to Wolfgang Goerlich, faculty member at independent cybersecurity research and advisory firm IANS Research, that mindset is counterproductive.

“That’s not the case. The criminals are fast, they’re strong, but there are things we can do. I’ve always started with threat intelligence [because] I want to know what the criminals are doing, what their tactics and procedures are. I want to know some good ways to stop them in ways that don’t interfere with my organizations,” says Goerlich. “Security is only as good as the last time you checked, so we will do tabletop exercises, drills, red team exercises and test all those ways a criminal would move through our environment, and ensure we have multiple ways to stop and catch them.”

There are many other things CISOs are doing to stay a step ahead. The following are some examples.

Read the full article: https://www.informationweek.com/cyber-resilience/9-ways-cisos-can-stay-ahead-of-bad-actors



Things to Consider When Buying a Password Manager, U.S. News

April 25, 2024

Modern life means the proliferation of passwords. From banking to BBC iPlayer, nearly every website or application requires creating a password. But remembering multiple passwords is cumbersome and using the same easy-to-remember password for every application is a security nightmare. This is where password managers have come into their own.

Excerpt from: Best Password Managers in the UK

Things to Consider When Buying a Password Manager

Security features and encryption. “It’s important to determine whether your passwords are safeguarded with multi-factor authentication and if the protection is structured so that only you have access to your data,” says Wolfgang Goerlich, faculty member at cybersecurity research and advisory firm, IANS Research. “This is commonly known as zero-knowledge architecture, which is a great way of saying that the vendor cannot access my passwords and secrets.”

Data backup and sync. For business users with “higher demands on the availability and integrity of their password manager”, Goerlich says that it is important to look into data recovery options, especially if the product is cloud-based: “If the cloud becomes unavailable, the password managers need to be able to continue to function.”

Read the full article: https://www.usnews.com/uk/360-reviews/privacy/password-managers



We were wizards — a foreword to Learning Perl

March 15, 2024

In the 1990s, computers were magic and we were wizards. Want proof? I offer below Larry Wall’s foreword to Learning Perl from 1993. It greatly inspired a very young me who wandered into a book shop, picked up an odd book with a llama on the cover and a seemingly misspelled title. The first few pages had me hooked and led me on a romp that would last decades. I hope it’ll inspire you, too. As Larry put it, “So be it! So do it!” — Wolf


Foreword

Attention, class! Attention! Thank you.

Greetings, aspiring magicians. I hope your summer vacations were enjoyable, if too short. Allow me to be the first to welcome you to the College of Wizardry and, more particularly, to this introductory class in the Magic of Perl. I am not your regular instructor, but Professor Schwartz was unavoidably delayed, and has asked me, as the creator of Perl, to step in today and give a few introductory remarks.

Let’s see now. Where to begin? How many of you are taking this course as freshmen? I see. Hmmm, I’ve seen worse in my days. Occasionally. Very occasionally.

Eh? That was a joke. Really! Ah well. No sense of humor, these freshmen.

Well now, what shall I talk about? There are, of course, any number of things I could talk about. I could take the egotistical approach and talk about myself, elucidating all those quirks of genetics and upbringing that brought me to the place of creating Perl, as well as making a fool of myself in general. That might be entertaining, at least to me.

Or I could talk instead about Professor Schwartz, without whose ongoing efforts the world of Perl would be much impoverished, up to and including the fact that this course of instruction wouldn’t exist.

That might be enlightening, though I have the feeling you’ll know more of Professor Schwartz by the end of this course than I do.

Or, putting aside all this personal puffery, I could simply talk about Perl itself, which is, after all, the subject of this course.

Or is it? Hmmm…

When the curriculum committee discussed this course, it reached the conclusion that this class isn’t so much about Perl as it is about you! This shouldn’t be too surprising, because Perl is itself also about you – at least in the abstract. Perl was created for someone like you, by someone like you, with the collaboration of many other someones like you. The Magic of Perl was sewn together, stitch by stitch and swatch by swatch, around the rather peculiar shape of your psyche. If you think Perl is a bit odd, perhaps that’s why.

Some computer scientists (the reductionists, in particular) would like to deny it, but people have funny-shaped minds. Mental geography is not linear, and cannot be mapped onto a flat surface without severe distortion. But for the last score years or so, computer reductionists have been first bowing down at the Temple of Orthogonality, then rising up to preach their ideas of ascetic rectitude to any who would listen.

Their fervent but misguided desire was simply to squash your mind to fit their mindset, to smush your patterns of thought into some sort of hyperdimensional flatland. It’s a joyless existence, being smushed.

Nevertheless, your native common sense has shown through in spots. You and your conceptual ancestors have transcended the dreary landscape to compose many lovely computer incantations. (Some of which, at times, actually did what you wanted them to.) The most blessed of these incantations were canonized as Standards, because they managed to tap into something mystical and magical, performing the miracle of Doing What You Expect.

What nobody noticed in all the excitement was that the computer reductionists were still busily trying to smush your minds flat, albeit on a slightly higher plane of existence. The decree, therefore, went out (I’m sure you’ve heard of it) that computer incantations were only allowed to perform one miracle apiece. “Do one thing and do it well” was the rallying cry, and with one stroke, shell programmers were condemned to a life of muttering and counting beads on strings (which in these latter days have come to be known as pipelines).

This was when I made my small contribution to saving the world. I was rolling some of those very beads around in my fingers one day and pondering the hopelessness (and haplessness) of my existence, when it occurred to me that it might be interesting to melt down some of those mystical beads and see what would happen to their Magic if I made a single, slightly larger bead out of them. So I fired up the old Bunsen burner, picked out some of my favorite beads, and let them melt together however they would. And lo! the new Magic was more powerful than the sum of its parts and parcels.

That’s odd, thought I. Why should it be that the Sedulous Bead of Regular Expressions, when bonded together with the Shellacious Bead of Gnostic Interpolation, and the Awkward Bead of Simple Data Typology, should produce more Magic, pound for pound, than they do when strung out on strings? I said to myself, could it be that the beads can exchange power with each other because they no longer have to commune with each other through that skinny little string? Could the pipeline be holding back the flow of information, much as wine doth resist flowing through the neck of Doctor von Neumann’s famous bottle?

This demanded (of me) more scrutiny (of it).

So I melted that larger bead together with a few more of my favorite beads, and the same thing happened, only more so. It was practically a combinatorial explosion of potential incantations: the Basic Bead of Output Formats and the Lispery Bead of Dynamic Scoping bonded themselves with the C-rationalized Bead of Operators Galore, and together they put forth a brilliant pulse of power that spread to thousands of machines throughout the entire civilized world. That message cost the Net hundreds if not thousands of dollars to send everywhere.

Obviously I was either onto something, or on something.

I then gathered my courage about me and showed my new magical bead to some of you, and you then began to give me your favorite beads to add in as well. The Magic grew yet more powerful, as yet more synergy was imbued in the silly thing. It was as if the Computational Elementals summoned by each bead were cooperating on your behalf to solve your problems for you. Why the sudden peace on earth and good will toward mentality? Perhaps it was because the beads were your favorite beads? Perhaps it was because I’m just a good bead picker?

Perhaps I just got lucky.

Whatever, the magical bead eventually grew into this rather odd-looking Amulet you see before you today. See it glitter, almost like a pearl.

That was another joke. Really! I assure you! Ah well. I was a freshman once too… The Amulet isn’t exactly beautiful though; in fact, up close it still looks like a bunch of beads melted together. Well, all right, I admit it. It’s downright ugly. But never mind that. It’s the Magic that counts. Speaking of Magic, look who just walked in the door! My good buddy Merlyn, er, I should say, Professor Schwartz, is here just in the nick of time to begin telling you how to perform miracles with this little Amulet, if you’re willing to learn the proper mysterious incantations. And you’re in good hands; I must admit that there’s no one better at muttering mysterious incantations than Professor Schwartz. Eh, Merlyn?

Anyway, to sum up. What you’ll need most is courage. It is not an easy path that you’ve set your foot upon. You’re learning a new language: a language full of strange runes and ancient chants, some easy and some difficult, many of which sound familiar, and some of which don’t. You may be tempted to become discouraged and quit. But think you upon this: consider how long it took you to learn your own native tongue. Was it worth it? I think so. And have you finished learning it? I think not. Then do not expect to learn all the mysteries of Perl in a moment, as though you were consuming a mere peanut, or an olive. Rather, think of it as though you were consuming, say, a banana. Consider how this works.

You do not wait to enjoy the banana until after you have eaten the whole thing.

No, of course not. You enjoy each bite as you take it. And each bite motivates you to take the next bite, and the next.

So then, speaking now of the fruit of Merlyn’s labors, I would urge you to enjoy this, um, course. The fruit course, of course. Ahem, that was a joke too. Ah well.

Here then, Professor, I present to you your new class. They seem to have no sense of humor whatsoever, but I expect you’ll manage somehow. Class, I present to you Professor Randal L. Schwartz, Doctor of Syntax, Wizard at Large, and of course, Just Another Perl Hacker. He has my blessings, just as you have my blessings. May you Learn Perl. May you do Good Magic with Perl. And above all, may you have Lots of Fun with Perl. So be it!

So do it!

Larry Wall
September, 1993


Learning Perl (first edition). Copyright © 1993 O’Reilly & Associates, Inc. All rights reserved. Reprinted here with permission from Larry Wall and O’Reilly.

Passkey Authentication, ITProToday

March 2, 2024

Many organizations are interested in using passkeys instead of conventional passwords, but how much better are they?

Despite rising concerns about password security and a growing trend towards passkeys and other multifactor authentication tools, passwords remain the primary mode of authentication.

Excerpt from: Is Passkey Authentication More Secure Than Traditional Passwords?

Organizations are advised to use MFA on every website and application. For added security, users should use MFA methods with a physical token or software-based authenticators rather than less secure methods like text or email-based authentication.

Wolf Goerlich, a faculty member at IANS Research, suggested that IT professionals expand their focus beyond the initial authentication factor. “This should include device identity and posture, and the context and conditions of the request,” Goerlich said. “This risk-based authentication provides a defense against account takeovers by session hijacking, along with other common attack techniques.”

Goerlich also recommended that development teams pay attention to session handling, giving careful consideration to the detection and prevention of session hijacking.

Read the full article: https://www.itprotoday.com/identity-management-and-access-control/passkey-authentication-more-secure-traditional-passwords



Navigating an Evolving Landscape, Forbes

February 25, 2024

The cybersecurity industry is undergoing significant shifts driven by evolving threats, technological advancements, and changing market dynamics. Wolfgang Goerlich recently noted, “There are certainly a lot of conversations going around with respect to how to do tool consolidation. ‘How do I simplify my security portfolio?’”

Excerpt from: Navigating The Evolving Landscape Of Cybersecurity

5 Questions For CISOs. With thousands of cybersecurity vendors, it can be daunting to evaluate and choose from among the myriad of tools and platforms available. Here are some key factors CISOs should consider:

1. How much visibility do you have of your network?

2. How many tools or platforms do you have to correlate to get a comprehensive view of your environment?

3. Can you access your data from anywhere without adding additional cost?

4. Are you relying too heavily on a single tool or technology?

5. Can your visibility and security scale effectively as your IT environment expands?

Read the full article: https://www.forbes.com/sites/tonybradley/2024/02/23/navigating-the-evolving-landscape-of-cybersecurity/



Passwordless authentication supports Zero Trust

February 14, 2024

Passwordless authentication can make a zero-trust environment even more secure. Here’s what state and local governments need to know.

Excerpt from: How Passwordless Authentication Supports Zero Trust

State and local government agencies carry the heavy burden of collecting and managing large amounts of sensitive data to bring essential services to citizens. Naturally, they want to be on the cutting edge of cybersecurity, which is where the zero-trust security model comes in. And now, we’re seeing an innovation that could bolster zero trust’s already formidable defenses: passwordless authentication.

“When we think about zero trust, we want to regularly assess trust and evaluate everything,” Goerlich says. “If we’re constantly going to users and having them put in codes, PINs and passwords, we’re going to get a lot of resistance. So, I think many roadmaps that are successful for state and local governments pursuing zero trust are introducing passwordless as a way to reduce user friction while driving up assurance around identity.”

Passwordless authentication and zero trust work together. An agency may check a user’s fingerprint or face or have a user enter a PIN, but an agency that employs zero trust will also make sure the user is on the right computer in the right location and is behaving in a way that’s expected.

“This is the future of multifactor: implementing the strongest possible factors and addressing concerns around phishing and other common attacks,” Goerlich says.
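Both the passkey excerpt above (look at device identity, posture and request context, and watch session handling for hijacking) and this passwordless excerpt (check that the user is on the right computer, in the right location, behaving as expected) describe the same defensive pattern. The following is an added example, not code from either article or from any product Goerlich refers to: a minimal risk-based authentication policy and a device-bound session check written with only the Python standard library. The signal names, score weights, thresholds and sample contexts are all constructed assumptions chosen to illustrate the idea, not values from any real identity provider.

```python
# Added example (not from the articles): risk-based authentication decision
# plus a session-binding check, using only the Python standard library.
# Signals, weights, thresholds and sample data are constructed assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RequestContext:
    """Signals available at authentication time beyond the first factor."""
    user: str
    device_id: str          # stable id, e.g. from a device certificate (assumed)
    device_compliant: bool  # posture result: patched, disk encrypted, EDR running
    country: str            # coarse geolocation of the request
    user_agent: str


@dataclass
class UserProfile:
    """What the identity provider has previously observed for this user."""
    known_devices: set[str] = field(default_factory=set)
    usual_countries: set[str] = field(default_factory=set)


# Constructed weights: an unknown device and a failed posture check dominate.
WEIGHTS = {"unknown_device": 40, "non_compliant": 30, "unusual_country": 20}


def risk_score(ctx: RequestContext, profile: UserProfile) -> int:
    """Sum the weights of every risk signal present in the request."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
    if not ctx.device_compliant:
        score += WEIGHTS["non_compliant"]
    if ctx.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
    return score


def decide(ctx: RequestContext, profile: UserProfile) -> str:
    """Map the score to allow, step_up (require another factor) or deny."""
    score = risk_score(ctx, profile)
    if score >= 60:
        return "deny"
    if score >= 20:
        return "step_up"
    return "allow"


class SessionStore:
    """Sessions bound to the device and client that created them.

    The binding is an HMAC over device_id and user_agent keyed with a
    server-side secret. A session token replayed from a different device
    fails the comparison, is reported as a suspected hijack, and is revoked.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._sessions: dict[str, tuple[str, bytes]] = {}

    def _binding(self, ctx: RequestContext) -> bytes:
        material = f"{ctx.device_id}\x00{ctx.user_agent}".encode()
        return hmac.new(self._key, material, hashlib.sha256).digest()

    def issue(self, ctx: RequestContext) -> str:
        """Create a session for an already-authenticated request."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (ctx.user, self._binding(ctx))
        return token

    def validate(self, token: str, ctx: RequestContext) -> str:
        """Return 'ok', 'invalid' (unknown token) or 'hijack_suspected'."""
        record = self._sessions.get(token)
        if record is None:
            return "invalid"
        user, expected = record
        if user != ctx.user or not hmac.compare_digest(expected, self._binding(ctx)):
            # Valid token presented from another device: revoke and flag it.
            del self._sessions[token]
            return "hijack_suspected"
        return "ok"


if __name__ == "__main__":
    profile = UserProfile(known_devices={"dev-A"}, usual_countries={"US"})
    login = RequestContext("alice", "dev-A", True, "US", "browser/1.0")
    print("decision:", decide(login, profile))
    store = SessionStore()
    token = store.issue(login)
    replay = RequestContext("alice", "dev-Z", True, "DE", "browser/9.9")
    print("replayed token:", store.validate(token, replay))
```

The policy part is the "context and conditions of the request" idea: the first factor alone never decides, and a clean device in a usual location passes silently while an unknown or non-compliant device is stepped up or refused. The session part is the handling Goerlich asks development teams to pay attention to: because the binding is keyed with a server secret, an attacker who obtains the token but not the originating device cannot forge a matching binding, and the mismatch is both a detection event to log and the trigger for revocation.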

How Can State and Local Agencies Implement Passwordless Authentication?

Read the full article: https://statetechmagazine.com/article/2024/02/how-passwordless-authentication-supports-zero-trust-perfcon




CISOs in crisis

January 21, 2024

Cybersecurity is an intense race that never lets up, an endless back-and-forth with threat actors looking for a way in. Not surprisingly, CISOs are continually on edge, feeling increased stress and pressure: In fact, 75% are open to change, according to a new report from IANS Research and Artico Search.

Excerpt from: CISOs in crisis – why they feel dissatisfied and neglected by the C-suite and board.

So what can CISOs do to improve their satisfaction levels, standing and influence within a company and broaden their non-technical expertise? For starters, advocate, IANS advises. With traditional characteristics no longer meeting the needs of the new security landscape, CISOs have an “unprecedented opportunity” to argue for their role at the C-suite level and call for enhanced interaction with boards.

Ultimately, says advisory CISO and IANS faculty member Wolfgang Goerlich: “CISOs who manage relationships are more satisfied and successful than CISOs who manage technology.”

Read the full article: https://www.sdxcentral.com/articles/analysis/cisos-in-crisis-why-they-feel-dissatisfied-and-neglected-by-the-c-suite-and-board/2024/01/

Wolf’s Additional Thoughts

Security leadership is a relationship, not a position. I’ve said it before and I’ll say it again. I understand many of us (myself included!) got into this field for our love of technology. Preserve that love, that spark, that joy. But always remember it is our relationship with our peers, the C-Suite, and the board, which enables us to lead and make a difference.

Side note, I’m a fan of coaching. Both being coached, and coaching others. I think it just makes good sense to get an outside opinion on what you’re doing, and what’s possible. The study found it also makes good business sense. “Security leaders who don’t participate in professional development make an average of $369,000 a year, while those with executive coaching take in roughly $550,000 — a difference of nearly $200,000.”

