June 22, 2024

It has been about 6 years since the Automate IT² event organized by me and Gabriele Gerbino. During the event, Xavier Homes presented a case that fascinated me. Today we might call it: Firewall as Code.

Post cover
June 11, 2024

This book originates from the authors’ experience in conducting security incident simulations within companies. The scenarios described are always based on real cases, modified to make them unrecognizable while still usable as tabletop exercises.

Post cover
April 29, 2024

Web Archive is an online service (non-profit) that has long been recording various websites by archiving them in a virtually permanent manner so that anyone can analyze the history and changes of a specific website.

Post cover
April 11, 2024

I couldn’t find a suitable title for this post, in which I try to gather various insights that I’ve received in the past few days and that I’ve planned, sooner or later, to discuss together with Rocco Sicilia.

Post cover
June 15, 2022

I’m discussing the IEC 62443 certification with an organization: that build and sell ICS plants which are risky from a safety perspective. They currently comply with the Machinery Directive (Directive 2006/42/EC of the European Parliament), but they are not considering the Cyber risk.

Post cover
May 25, 2022

Managing Cybersecurity is expensive, we all know that. But not managing it is also more expensive. Given my experience, an SME recovers from a critical Cyberattack in 5-10 days, if it can recover (yes I also personally know companies that lost everything because of a Cyberattack).

Post cover
May 20, 2022

Many companies (hopefully) are collecting logs in a central system. The reason besides that is for compliance and sometimes for root cause analysis. In this post, I want to recap that log management is not just about log collections, and why and how the process should be designed.

Post cover
May 18, 2022

In this article, I’m explaining why we are executing VA, why the traditional approach is dangerous and how we should manage the risk bound to vulnerabilities. I’m also discussing a few false myths about VA.

Post cover
March 29, 2022

Nowadays (hopefully) all companies are executing regular vulnerability assessments. They often use different partners/tools each year and they often limit themselves to vulnerability assessments. VAs are not the end of a security strategy, they are just a small step at the beginning.

Post cover
March 28, 2022

A few days ago, together with Rocco Sicilia and FESTO Academy , I presented a webinar on OT/ICS Cybersecurity approach. We are often spending time increasing Cybersecurity awareness, and that webinar was focused to gives Cybersecurity fundamentals to OT managers.

Post cover