For some, they’re a learning experience, for others they inspire, and for still others, they’re a great way to have fun by reading what can sometimes be an opinionated and sarcastic piece of content. Whatever the reason, reading cybersecurity blogs is a daily routine for most of us.
Here at SecurityTrails, we keep a handy list of bookmarked cybersecurity blogs to follow, and we thought it would be a good idea to share that list with you. Allow us to introduce you to a few authors you might not have encountered but will find worthwhile.
Here are our favorite cybersecurity blog posts you should be reading in 2020:
Top 10 Best Cybersecurity Blogs
In this list you’ll find small, independent researchers, respected security vendors and popular media sites. What they all have in common is that they provide value, and they do it frequently.
We’ve made sure to compile a good mix of blogs including those run by individual researchers and those that are part of larger organizations and enterprises. We would love to include even more, but rather than make you read a list of 50 blogs, we narrowed it down to 10.
Included are commentaries, news on the most recent data breaches, useful how-to tutorials and more. This list is based on all of the blogs we here have bookmarked and turn to daily for inspiration, and to share with others. If any interest you, be sure to bookmark them. We’d also like to hear about your own favorite cybersecurity blogs that didn’t make it on this list.
1. Krebs on Security
Krebs on Security is one of the most influential blogs in the field, and its author Brian Krebs has already been included in our list of 10 cybersecurity legends. Krebs is a well-known investigative journalist who covers computer security and cyber crime, earning himself many awards through the years; most recently, he was named CISO MAG Cybersecurity Person of the Year in 2019.
Surprisingly, Krebs has no formal technical background in the security field, but after being hacked by the Lion worm twice, he developed an obsession for computer security that hasn’t stopped since. The former Washington Post journalist started Krebs on Security in 2009, where he publishes investigative series on uncovering cybercrime groups, high-profile data breaches, the latest cyber threats, and details on these investigations that you can’t find anywhere else.
His high standing in the cybersecurity industry has allowed him access to key resources that have led to taking down several hacker groups. He’s also discovered various large data breaches like the ones affecting Target (also identifying the malicious actor behind it), Home Depot, Goodwill, Adobe and Ashley Madison, among others.
His expertise with the dark side of the Internet has given Krebs valuable and unique insights on the emerging threats and sophistication of cybercrime groups. And in his blog, he offers detailed security investigations on both tactics of the attack and personal information on the criminals themselves, which often puts him at risk: Krebs on Security was hit with one of the biggest DDoS attacks ever targeted to publications of its type. Still, that doesn’t change his strong sense of justice, which is viable in each of his reports. We applaud the depth, authority and consistent dash of recognisable humour in his work, which makes him one of our first stops for the best in cybersecurity news.
Our top picks for Krebs on Security blog posts:
- A Deep Dive on the Recent Widespread DNS Hijacking Attacks
- Who Hacked Ashley Madison?
- Sources: Target Investigating Data Breach
2. Schneier On Security
Described by The Register as “The closest the security industry has to a rock star,” Bruce Schneier is a world-renowned security professional, critic and commentator. It’s no wonder that his blog, Schneier on Security, is this high up on our list.
Schneier has authored dozens of books, most notably “Applied Cryptography” in 1994 (which made him a legend in the world of cryptography), “Beyond Fear: Thinking Sensibly About Security in an Uncertain World” in 2003 and his latest, “Security and Survival in a Hyper-connected World.”
He’s been running his newsletter “Crypto-Gram” since 1994 and his blog Schneier on Security since 2004. Widely known as an unapologetic security critic, Schneier was highly active during the post-9/11 TSA era, when he harshly critiqued the state of panic created by the TSA, calling the entire ordeal “security theater.”
Schneier posts on his website almost daily, and on it you’ll find cybersecurity news along with his commentary, essays, academic papers, calendar of future speaking engagements on top cybersecurity conferences (RSA 2020!) and more.
His insightful views on the value of privacy and academic approach to security with a dash of creative storytelling make Schneier on Security a blog you need in your bookmarks. It’s definitely in ours!
Favorite reads from Schneier on Security:
- In Praise of Security Theater
- Police Surveillance Tools from Special Services Group
- Hacking McDonald’s for Free Food
3. Daniel Miessler
Daniel Miessler’s field of study, interests, and topics on his blog can best be described with three words: Security, technology, and people.
Miessler has over 20 years of experience in infosec. During his long career he’s written many articles with topics including information security, OSINT, tech tutorials, philosophical pieces, learning and creativity. He currently works at the OWASP Internet of Things Security Project and runs an amazing weekly newsletter covering the best books, podcasts and blogs in the infosec industry.
We love Miessler’s blog as it covers so many topics that intersect while dealing with security from both sides: the technological, and the human. A respected thought leader in the industry, he’s provided valuable insights and critiques on different theories, such as his piece on security by obscurity which we particularly liked.
Dividing his blog content into four categories— Infosec, Technology, Philosophy and Creativity—Miessler enriches each post with its respective principle. By venturing past the infosec/tech side of each blog, Miessler engages readers with thought-provoking, philosophical writing that deals with business as much as everyday life.
Enjoy his blog, his amazing newsletter (our recommendation), or plug in to his podcast, Unsupervised Learning, if you’d like to take in his newsletter in a different form. Whichever you choose, Daniel Miessler’s website and blog are among the best in cybersecurity to follow in 2020.
SecurityTrails highly recommends these picks from Daniel Miessler’s blog:
- Secrecy (Obscurity) is a Valid Security Layer
- Be Worthy of a Wikipedia Entry
- Purple Team Pentests Mean You’re Failing at Red and Blue
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
4. Zero Day | ZDNet
Zero Day, a security blog by ZDNet, is one of our first stops for fresh infosec and cybersecurity news. What really makes them stand out is that they offer 24/7 coverage of all technology and security news. If something happens in the infosec world, it’s on Zero Day.
Whatever your role in IT, you’ll find something of interest on ZDNet: their main site allows you to follow along for breaking news on data breaches, newly discovered vulnerabilities and active threats, emerging technology trends, newly released software and software patches, and more. Their website features categories including Enterprise Software, Security, Cloud and AI, with the Zero Day blog focusing on the latest in security research.
With their frequency of posting (around 5 times a day), they’re sure not to miss anything in our industry, which we know is a busy one! With no boring days in cybersecurity, we always keep ZDNet bookmarked for valuable news.
Our favorite blog posts from ZDNet:
- What is malware? Everything you need to know about viruses, trojans and malicious software
- Thousands of hacked Disney+ accounts are already for sale on hacking forums
- Microsoft has a subdomain hijacking problem
5. Troy Hunt
Here’s another entry from our list of cybersecurity legends. Australian security expert Troy Hunt is a Microsoft Regional Director who’s also been named Microsoft’s Most Valued Professional (MVP) in Developer Security. He’s often seen in the press covering big data leaks, and in the Congress testifying on their global impact.
“Have I Been Pwned” is a project that has given Hunt worldwide recognition: the site is a public service that helps those affected with data breaches find out which of their accounts have been compromised. Besides running “Have I Been Pwned’” Troy also writes in his blog regularly, giving weekly updates on where he talks about new technology, information about his work, conferences he’s participated in and news about private workshops, analysis of data breaches, his own security experiences, and more.
Along with his blog, his website also features links to his numerous Pluralsight courses, media coverage and appearances at industry conferences and workshops. Practically a household name, it’s no surprise he’s earned his own high spot on this list.
Top picks for Troy Hunt’s blog:
- Data breach disclosure 101: How to succeed after you’ve failed
- Banks, Arbitrary Password Restrictions and Why They Don’t Matter
- Here’s how I verify data breaches
For us, when searching for industry hot topics, Threatpost goes hand-in-hand with ZDNet.
Threatpost is an authority in the world of security news, and it brings you all the latest in major security threats, breaches, phishing scams, vulnerabilities and hacks.
Topics covered on Threatpost include malware, vulnerabilities, cloud security, mobile security, IoT and privacy. You can also find different ways to consume the content: through written blog posts, reports, videos and podcasts.
Threatpost’s award-winning editorial team works hard to keep their important spot as leaders in reporting on everything involving cybersecurity, with their own distinct flare for expert commentary.
This blog really is a terrific starting point for high-quality, security-related news, but let us share our favorites of the blog posts they’ve published so far:
- Why Cloud, Collaboration Breed Insider Threats
- Mean Time to Hardening: The Next-Gen Security Metric
- Drake Lyrics Used as Calling Card in Malware Attack
Some might call it shameless self-promotion, but we’re going to call it being realistic. Okay, maybe that’s going a bit far, but not too far: this list wouldn’t be complete without including our own SecurityTrails blog. We strive to provide no-fluff, bi-weekly blog posts that share new tips, encourage you to learn something new, and even provide the occasional spot of fun.
We’ve perfected our blog content pipeline during the past year, and with a lot of testing, brainstorming and trying new things, we’re confident in our ability to provide opinions on security theories, break cybersecurity myths, share tips on protecting yourself in the ever-growing threat landscape, and engage you with fun, off-beat [interviews] with your favorite cybersecurity experts.
Tune in every Tuesday and Thursday to read our latest posts, or check out our archive for additional cybersecurity commentary and learning.
It’s hard for us to pick favorites when it’s so close to home, but here are some recent items we believe are worth a read:
- 6 Tips to Harden Your HTTP Headers
- The Social Engineering Toolkit
- Accepting the Irrationality of Biases in InfoSec: Interview with Kelly Shortridge
8. Dark Reading
Dark Reading is another well-known and beloved website and blog dedicated to cybersecurity. It represents one of the most trusted online communities for tech and security professionals with topics ranging from reports on data breaches and endpoint security to cloud, IoT, perimeter security, threat intelligence and more.
They share frequent blog posts each week to stay on trend with the topics they choose to publish, but they also don’t oversaturate their feed with indiscriminate reporting—their blog posts are carefully crafted to add value to any topic they cover.
To quote their website: “Our goal is to challenge community members to think about security by providing strong, even unconventional points of view, backed by hard-nosed reporting, hands-on experience and the professional knowledge that comes only with years of work in the information security industry.”
Along with their regular blog posts, you can also find content in the form of live chats, radio shows, story discussions and discussion boards. For our marketing team, Dark Reading is a must for daily cybersecurity content exploration.
Here are some of our favorite recent stories from Dark Reading:
- 8 Things Users Do That Make Security Pros Miserable
- 44% of Security Threats Start in the Cloud
- Zero-Factor Authentication: Owning Our Data
Wired is a long-standing online publication that reports on technology and security and their impact on global politics, culture and society.
Notable about Wired is that while they might not publish a few times a day and cover every news and data breach that’s happened, they do take on topics involving security, emerging threats and cybercrime, adding insightful commentary with their recognised sense of humour and sarcasm. Some of the categories you can enjoy on Wired include business, culture, gear, transportation, security and AI.
Another thing unique about Wired is that they aren’t specifically geared towards people in the IT or security industry, but to anyone interested in learning today’s technology and its societal and cultural value. And they always include amazing graphics with each post!
Thanks to its long history and important role in the industry, Wired is a must among cybersecurity blogs. Something to keep in mind is that when you reach your daily limit of blog posts on Wired, you’ll get blocked by a big pop-up telling you to get the yearly subscription. Know that going in.
Here are some of our favorite recent picks from Wired:
- Wikipedia Is the Last Best Place on the Internet
- An Artist Used 99 Phones to Fake a Google Maps Traffic Jam
- Dashlane’s Super Bowl Ad Proves Password Managers Have Arrived
CSO is one of our list entries that’s more oriented towards enterprise security. They’re focused on providing the hottest topics in the industry and their importance in business, as well as commentary on best enterprise security practices, post-breach analysis, cloud computing, application security, risk management, critical infrastructure, top cybersecurity conferences and what they offer, and more.
At its core, CSO is dedicated to providing enterprise security decision makers and CSOs (as the name implies) with crucial knowledge on the threat landscape and loss prevention as well as general guidelines on information security that can inform their decision-making process. We value their content as we’ve learned so much from it, gaining different perspectives and even drawing inspiration from CSO to form our own.
Due to their authoritative position in the industry—and all the ‘little things’ we’ve learned from their blog—CSO has rightfully earned their spot on our list of the best cybersecurity blogs to follow.
Enjoy some of our favorite picks from CSO:
- The 25 worst passwords of 2019, and 8 tips for improving password security
- Marriott data breach FAQ: How did it happen and what was the impact?
- How the Tour de France secures its broadcast from disruption
Today we reviewed the top 10 cybersecurity blog posts, and we hope that along with seeing some familiar names, you’ve learned about a few. We ran a poll on Twitter to get some insight into the reading habits of our followers and the majority disclosed that they read 0-2 cybersecurity/infosec blogs a day.
We believe that making it a habit to read at least one article per day is a great way to stay plugged into the threat landscape, learn about hot and emerging threats, and simply stay ‘in the know’ about all things cybersecurity.
Let us know what you’ve liked on our list, and if there’s a blog or blog author we’ve missed!
Did reading about all of these blogs reporting on different cybercrime investigations inspire you to start your own? Why not start with your own assets, both known and unknown? Attack Surface Reduction - ASR provides you with just that, the ability to contain and monitor a directory of your known and suspected assets to catch emerging threats before they become an attack. For more information, contact our sales team today!