About
Career spanning military, commercial and multiple government organizations. U.S. Air…
Activity
134 followers
-
Mike Loos CISSP, CEH, CCFE posted thisWe Built All the Cyber Layers Except the One That Actually Holds Them Together. When people break down the “layers of cybersecurity,” the discussion usually centers on the technical stack — firewalls, identity, monitoring, segmentation, response, and every other tool we deploy. But there’s a critical layer missing from almost every conversation: Accountability. And for some reason, very few — if any — cybersecurity posts here on LinkedIn ever talk about it. You can build the most advanced, multilayered defense imaginable, but if no one is responsible for maintaining those layers, validating them, and ensuring they stay aligned, the entire structure becomes fragile. Most security failures don’t come from a lack of technology. They come from a lack of ownership. Nowhere is this more obvious than in Patch Management, which remains the weakest link across most organizations. Not because patching is inherently difficult, but because accountability around patching is inconsistent or nonexistent. Critical updates get delayed. Known vulnerabilities sit untouched. Systems drift out of compliance. And attackers don’t need zero‑days when the doors are already wide open. So when there is gross negligence — when systems go unpatched for months/years, when basic hygiene is ignored, when responsibilities are shrugged off — the real question becomes: Where is the accountability? Because that’s not a technical failure. That’s a leadership failure. Accountability is the layer that makes every other layer real. It’s the operational backbone that turns a security model into a functioning security program. Without it, even the best tools degrade into shelfware, and the same preventable weaknesses keep resurfacing year after year. Until accountability is treated as a formal, non‑negotiable layer of cybersecurity — especially around patch management — organizations will continue to struggle with the exact same issues, no matter how much they invest or how many tools they deploy.
-
Mike Loos CISSP, CEH, CCFE shared thisHi Burglar who is trying to break into my house all the time, can you build my home security system for me? Could it be that most all our security hardware is made in china (Cisco, Juniper, etc..)? Hopefully every single hardware/firmware being built in China is being evaluated/scrutinize before selling them to customers to ensure their products were not altered (no back-doors were injected into the supply). If back-doors are installed it is fairly simple to evade tools.Mike Loos CISSP, CEH, CCFE shared thisState-sponsored hackers from China have developed techniques that evade common cybersecurity tools and enable them to burrow into government and business networks to spy on victims for years without detection, Mandiant shares with WSJ https://mndt.info/3lrYBWFWSJ News Exclusive | Wave of Stealthy China Cyberattacks Hits U.S., Private Networks, Google SaysWSJ News Exclusive | Wave of Stealthy China Cyberattacks Hits U.S., Private Networks, Google Says
-
Mike Loos CISSP, CEH, CCFE posted thisAPPLICANTS PLEASE USE CAUTION WITH APPLICATION LINKS THAT TAKE YOU TO A FORM TO INPUT YOUR SENSITIVE DATA WITHOUT ANY AUTHENTICATION: Many companies nowadays have software that is configured to email you an automatic link to complete a security questionnaire requiring additional information about you to be completed to continue in the application process. When you click on the link (after confirming the sender and link is legitimate) – the applicant will be presented with a form in their browser, often times pre-populated with some of their data already submitted during the initial application to the role. Accessing this security questionnaire form, via the link, requires zero authentication (the authentication is in the URL itself) versus requiring the user to enter an username/password to access the form containing their PII. The URL is not encrypted or protected in anyway. It is sent in the clear over the wire to be captured by anything or anyone. So anyone with the URL can put it in any browser, from any device to retrieve everything the applicant entered into the unprotected form. *Note, after hitting submit in many cases, this does not close out the URL, but the URL still is accessible for an unknown duration (months, years, etc..). I have been seeing a lot of companies do this, and when I report, most do not even know their software is misconfigured leading to this leak of PII. One should never put an PII data into something that requires zero authentication. One should always log into a secure portal and provide sensitive data, mail it, or hand-deliver it. Companies/organizations should evaluate their application process to ensure they are not falling victim to this misconfiguration and putting their applicants privacy and data at risk for compromise. As noted in another post, free Internet email is not secure and offers no privacy (unless you take extra steps to encrypt or pay for that type of service), so putting the URL in email that provides full access to someones data without any authentication exposes their data to many 3rd party companies collecting and selling the data being scraped from those free internet servers. Please use caution when receiving links that require you to input all your data that never asked you for a username/password. Please report it to the company so they can reconfigure their servers to use username/password feature or multi-factor authentication versus the zero authentication access to your data. Just passing it along in case it helps spread the word for this configuration flaw to be fixed. If you see it, report it to the company to make them aware. #data #security #email #privacy #software #hiring #recruitingprocess #recruiting #vulnerability #vulnerabilities #vulnerabilityassessment #penetrationtesting
-
Mike Loos CISSP, CEH, CCFE posted thisWant to apply to a fantastic opportunity? Are you supplying or being asked to supply your sensitive personal information securely through the hiring process? Is the application process flawed and violating your privacy and putting your personal identifiable information (PII) at risk for a malicious compromise? Perhaps you are being asked to send your birth certificate, passport, DD-214, SF-50, SSN#, etc.. via email or fax, but is this wise? Maybe this post will help shed further insight as to how to better protect data when collecting/sending it over the Internet. Identity theft or social engineering attacks are some large consequences of improperly exposing PII. There is no expectation of privacy when using unsecure protocols – bottom line is please refrain from sending information or requesting information that is sensitive/private without it being encrypted in transit and at rest. FAX – A very old unsecured protocol offering zero protection at all for the data being transmitted this way. Sure there are “Secure Fax”, which requires the send and receiver to exchange encryption keys, but that is costly and just isn’t convenient – thus often discarded. It’s just like putting a letter in the mailbox containing your most secretive information without wrapping it in an envelope first. Yes, most today is done via email, but many places still are using Fax (especially for all those Government folks who need to get a record from archives – they will know what I mean). EMAIL – Very old unsecure protocol. Everything stored on most email servers (especially Internet email servers) is unencrypted, unless extra steps are preformed to encrypted using techniques often not included in free Internet email. Who has access to those email servers? Answer: Strangers. And you should not share sensitive documents or sensitive information with strangers. Many Cyber Security professionals and organizations know Fax and Internet email (without encryption at rest) offers zero protection to the contents transmitted. However, despite all this knowledge, why is it so widely used and accepted form for facilitating the collection of sensitive information? Why do companies request sensitive information / documents over these unencrypted channels? Answer: Convenience. Many do it without hesitation not having much thought to the risks involved. Many believe email to be secure. Ask this question, why is Internet email free? Most Internet free email services make money by collecting data and selling the information to 3rd party companies. Are you ok with letting your most sensitive PII go to those 3rd party companies? Can anyone guarantee that every person working at every one of these 3rd party companies collecting/handling your data is doing so without malice? Why risk certain data from being subjected to this? #hiring #cyber #privacy #securityprofessionals #data #vulnerability #vulnerabilities #recruitment #recruiting
Mike Loos CISSP, CEH, CCFE commented on a post
3d
Where is “Patch Management” and “Accountability & Ownership” — two of the weakest points in cybersecurity? For all the frameworks and domains we rely on, these fundamentals rarely get the explicit emphasis they deserve. Most major breaches still trace back to unpatched systems, unsupported devices, or controls that were never fully implemented. Patch management isn’t flashy, but it’s the backbone of real cybersecurity, and when it breaks, everything else becomes irrelevant.
Just as critical is the lack of clear ownership. Cybersecurity fails when responsibility is diffused and no one is accountable for outcomes. The strongest programs aren’t defined by tools or policies — they’re defined by leaders who take end‑to‑end responsibility for risk, controls, and mission impact. As the field evolves, it’s worth asking whether our industry standards and certifications should elevate these fundamentals into explicit domains, because no cybersecurity program is stronger than the accountability and patch discipline behind it.
Mike Loos CISSP, CEH, CCFE commented on a post
3d
The CISSP and CCSP frameworks have shaped the cybersecurity profession for decades, and their influence on global security standards is undeniable. As the field continues to evolve, there’s an opportunity to strengthen these certifications even further by explicitly incorporating ownership and accountability as a core domain.
While both certifications address governance, risk, and leadership principles, the modern threat landscape has made one truth unmistakable: security succeeds or fails based on who takes responsibility for it. Clear accountability — for risk decisions, control implementation, and mission outcomes — is now as essential as any technical or architectural discipline.
Elevating ownership and accountability into a defined domain wouldn’t replace existing content; it would reinforce it.
As cybersecurity becomes increasingly integrated with business operations, cloud ecosystems, and executive‑level decision‑making, formalizing accountability as a domain would strengthen the certifications’ relevance and further prepare practitioners for the realities of modern cyber leadership.
-
Mike Loos CISSP, CEH, CCFE liked thisMike Loos CISSP, CEH, CCFE liked thisHiring: Counterintelligence Analyst (GS-14) Office of the Director of National Intelligence – National Counterintelligence & Security Center Location: Bethesda, MD This role conducts in-depth research and analysis of complex counterintelligence issues for senior policymakers and IC components. Prepares and delivers briefings, identifies collection and analytic gaps, and supports strategic analysis on national security priorities. Salary: $143,913 – $187,093 per year Open: March 23, 2026 – March 30, 2026 Requires U.S. citizenship, Bachelor's degree, TS/SCI eligibility, and strong counterintelligence/IC analytic experience. Full details here: https://lnkd.in/e9icySEE
Experience & Education
-
Oracle
View Mike’s full experience
See their title, tenure and more.
or
Licenses & Certifications
-
-
-
Certified Expert Penetration Tester (CEPT)
information assurance certification review board
-
Certified Forensic Computer Examiner (CFCE)
Information assurance certification review board (IARCB)
-
-
-
-
-
-
Recommendations received
1 person has recommended Mike
Join now to viewExplore more posts
Explore top content on LinkedIn
Find curated posts and insights for relevant topics all in one place.
View top content