TaoSecurity Blog

Today I posted my 5000th Tweet . I've apparently been a Twitter user since 1 December 2008. I remember not Tweeting anything until 15 July 2009, when I attended a Webcast about "security monitoring." The speakers were using Twitter to gather questions, so I decided it was a good time to try participating. With the advent of Twitter I've blogged a lot less. It's tempting to think that I've been sacrificing long, thoughtful blog posts for short, mindless Tweets. It turns out that a decent portion of my blogging volume, especially in my early blogging years (say 2003-2006) involved short posts. I recently reviewed a lot of my earlier blog posts, and noticed many of them looked just like Tweets. They may not have fit within the 140 character limit, but they were short indeed. For me, Twitter is a very compelling medium. It's more interactive, more frequently updated, and just easier to use. I have only ever blogged from a laptop. I use Twitter a l

Last week in my post SEC Guidance Is a Really Big Deal I mentioned the potential significance of whistleblowers with respect to digital security. I came to this conclusion while participating in a panel for those involved with Directors and Officers insurance. This post provides a few more details. This morning I reviewed slides by Frederick Lipman, author of Whistleblowers: Incentives, Disincentives, and Protection Strategies , pictured at left. Mr Lipman spoke about whistleblowers at the same conference, but I didn't see his presentation. You can read Mr Lipman's slides on this shared Google drive in .pdf format. To briefly summarize Mr Lipman's work, Dodd-Frank, the False Claims Act, IRS rules, and other regulations have created an environment more favorable to those who wish to report wrongdoing within their organizations. Bounties for whistleblowers can amount to tens of millions of dollars. Yes, that's right: individuals have received millions of dollars

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero , commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those involving digital security professionals. In fact, you may be aware that papers and approaches like Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D. were inspired by the desire to move "left of boom" regarding IEDs. In this post I will highlight elements from the interview which will likely resonate with those working digital security problems. The threat "shares information globally," and engages in an "arms race" with defenders, sometimes by "sitting in front of a computer" devising the latest tools and techniques. The adversary c

In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents , my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal. Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference. First, lawyers who read the language in the SEC guidance treated it as a " stop whatever you're doing and read this " moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidan