TaoSecurity Blog

Two posts in one day? These are certainly unusual times. I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the Archives of Psychology that mentioned four key terms: The novice is a (person) who has no trade ability whatever, or at least none that could not be paralleled by practically any intelligent (person). An apprentice has acquired some of the elements of the trade but is not sufficiently skilled to be trusted with any important task. The journey(person) is qualified to perform almost any work done by members of the trade. An expert can perform quickly and with superior skill any work done by (people) in the trade. I believe these four categories can apply to some degree to the needs of the digital security profession. At GE-CIRT we had three levels -- event analyst, incident...

I saw my like-minded, friend-that-I've-never-met Andrew Thompson Tweet a poll , posted above. I was about to reply with the following Tweet: "If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and no more than 2, and hardly ever 3 (good Lord), when I know I've got nothing more to say. "1/10," "1/n," etc. are not for me." Then I realized I had something more to say, namely, other reasons blog posts are better than Tweets. For the briefest moment I considered adding a second Tweet, making, horror of horrors, a THREAD, and then I realized I would be breaking my own guidance. Here are three reasons to consider blogging over Tweeting. 1. If you find yourself trying to pack your thoughts into a 280 character limit, then you should write a blog post. You might have a good idea, and instead of expressing it properly, you're falling into...

Malware Jake Tweeted a poll last night which asked the following: "I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/" Ultimately he decided : "My gut feeling is to not use COVID-19 themed emails in assessments/training, but to TELL users to expect them, though I understand even that might discourage consumption of legitimate information, endangering public health. 6/" I responded by saying this was the right answer. Thankfully there were many people who agreed, despite the fact that voting itself was skewed towards the "yes" answer. There were an uncomfortable number of responses to the Tweet that said there's nothing wrong with red teams phishing users with COVID-19 emails. For example: "Do criminals abide by ethics? Nope. Neither should testing." "Ye...