The FBI has announced a new security threat organizations should be aware of: RDDoS (or RDoS) — Ransom Denial of Service.

Locks on a metal fence overlooking a lake
Photo by 30daysreplay (PR & Marketing) on Unsplash
  1. Attackers will send a notice to your company that they’ll DDoS your organization in about a week unless you pay a ransom in Bitcoin (usually between $110,000 and $230,000).
  2. Various industries have been targeted.

  1. Have adequate DDoS protections in place.
  2. It’s important to note that not every organization that received a threat got DDoS’d.

  1. Don’t pay the ransom.
  2. Initiate your security incident response and BC/DR plans, which may include contacting law enforcement.

To learn more, read the article this information…


Update (25 Jan 2021):

(1) The goal of this paper is to help organizations understand the impact of GDPR’s fines, and that’s best achieved through the latest data. While this paper’s conclusions are still accurate and worth reading, I encourage readers to review DLA Piper’s January 2021 analysis for the most up-to-date information. It can be accessed here: https://www.dlapiper.com/en/uk/news/2020/01/114-million-in-fines-have-been-imposed-by-european-authorities-under-gdpr

(2) The fine amounts levied against Marriott Hotels and British Airways were ultimately reduced by ~90 percent, with the ICO citing the impacts of the pandemic on these companies. …


There’s been a lot in the news lately about Apple not being able to decrypt iPhones of terrorists, criminals, etc. Recently, Pres. Trump and AG Barr have stated that “Apple has to help [decrypt phones],” and last year Sen. Graham stated “[You tech companies are] gonna find a way to do [decrypt phones & messages] or we’re going to do it for you.”

Photo by Paul Hanaoka on Unsplash

These public-policy debates are important, and need to happen, but they miss what this is really all about. The…


I work in cybersecurity. Most cybersecurity news articles are hyped up way too much; however, today’s announcement about Windows is very serious. The US Gov’t is recommending everyone update immediately.

**Update Windows 10 Immediately**

If you are using Windows 10, Windows Server 2016 or Windows Server 2019 at work or at home, update your computer immediately.

The risks of this vulnerability are so high that it’s worth taking time out of your day to update your computer.

How do I update?

1. Select the Start button

2. Go to Settings > Update & Security > Windows Update

3. Click “Check for Updates”

You may need to click “Check…


When we discuss privacy news stories involving personal data, a common, unspoken assumption is that an organization either has data on me or it doesn’t. In this context, privacy is regarded as either present or absent. While this assumption is a good start, it is incomplete and can lead to bad policy.

In today’s article, we briefly discuss:

  1. What privacy as a right is
  2. Privacy in the context of other human rights

Photo by Perry Grone on Unsplash

What Privacy as a Right Is

The freedoms we enjoy enable us to, ultimately, have a choice (or agency) in our lives. With the right to free speech, we…


This is a pretty concise article on the importance of fourth-party risk.

Third-party cybersecurity risk is gaining increasing importance throughout the world and for good reason! A couple of good (bad) examples of unmanaged third-party risks are:


As we connect more & more things to the internet, physical safety is an increasing concern that needs to be addressed by the InfoSec industry.

The traditional CIA Triad has been an excellent representation of the three main areas of concern to InfoSec personnel (Confidentiality, Integrity and Availability). It has proved, and continues to prove, very useful in a variety of ways.

The CIA Triad

One area, though, where the triad begins to fall short is in physical security. This is not the triad’s fault, as physical security has only become a recent issue of concern to the InfoSec industry. …


Once third-party (vendor) risk assessment has matured, the focus may likely move to fourth parties.

Photo by rawpixel on Unsplash

You’re concerned about your vendor’s cybersecurity posture. One of their vulnerabilities could lead to your sensitive data being exposed, as happened to Target, and damage your business.

To cover your bases, you’ve been conducting vendor assessments. But many of these reports are insufficient & cumbersome, so you may have started turning to automated, objective third-party risk assessments, perhaps one offered through a company like RiskRecon [Disclosure: I’m a former employee of RiskRecon and a big fan of their product. I’m not paid/asked by them to feature…


With the growing number of regulations to worry about, many organizations can benefit from developing a comprehensive InfoSec framework.

PCI. HIPAA. GDPR. Russia’s data privacy law. These are just a few of the regulations/standards (‘regulation’ from now on) that exist. Complying with each regulation can easily become a complicated process, requiring a substantial amount of time & resources.

To address this, organizations would do well to consider adopting a comprehensive security framework.

A comprehensive framework combines all of the regulations into one corporate policy. Frameworks like NIST CSF and NIST 800-53 are great ways to start. They contain many policies…


This is the 9th article in a 9-part series | Keeping our children safe is a high priority for most parents and guardians, and this increasingly includes online security.

Here, at the end of the series, we review the most important things to do with your children & provide a list of additional resources.

Photo by Simon Matzinger on Unsplash

To better protect your children and family from online security risks, be sure to:

  1. Establish relationships of trust
  2. Make your home a safe environment to ask any questions

Note: Because each browser is different and there are so many different internet service providers, it’s not feasible…

Andrew Sanford

InfoSec & Privacy @RainFocusEvents. Husband and dad to my favorite people😍 I provide security regulatory compliance & risk assessment consulting. Views are my own.
