TaoSecurity Blog

In Predictions for 2008 in included the following: 3) Expect increased awareness of external threats and less emphasis on insider threats. Maybe this is just wishful thinking, but the recent attention on botnets, malware professionalization, organized criminal cyber enterprises, and the like seems to be helping direct some attention away from inside threats. This may be premature for 2008, but I expect to see more coverage of outsiders again. Today I saw the SANS Top Ten Cyber Security Menaces for 2008 . (I thought using the term "menace" neatly sidesteps trying to classify these items using traditional terms, since the list mixes threats, attacks, tools, and so on.) Here is the "consensus list," according to 12 "cyber security veterans," in ranked order: Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites Increasing Sophistication And Effectiveness In Botnets Cyber Espionage Efforts By Wel...

Almost one month ago I wrote Predictions for 2008 . They included 2) Expect greater military involvement in defending private sector networks. and 4) Expect greater attention paid to incident response and network forensics, and less on prevention. Relevant to number 2, today I read Intelligence Chief Proposes Wide Cyber Surveillance , which says: US National Intelligence Director says government should be able to tap all email, file transfers, and Web searches.. In an interview scheduled to be published in Monday's forthcoming edition of The New Yorker, McConnell offers some insight into his long-awaited draft U.S. Cyber-Security Policy... To accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States -- in order to protect it from abuse. The plan gives government agencies the right to monitor email, file transfers, and even Web searches, according to reports. McConnell's proposals also include reducing the ...

For the last five years I've resisted the urge to write year-end predictions (thanks Anton ). However, I'm seeing indications of the following, so maybe this is more about highlighting trends than taking wild guesses. Here are my five predictions for 2008. Expect greater government involvement in assessing the security of private sector networks. I base this item on what's happening in the UK following their latest data breach. The article Data watchdog seeks dawn-raid powers states the following: The Information Commissioner’s Office (ICO), which polices the security of the nation’s data, is to be given the power to raid Government departments suspected of breaching protection laws. The move, announced today by Gordon Brown, comes in response to the loss by HM Revenue & Customs (HMRC) of personal details of some 25 million Britons. The Prime Minister said the ICO would be given extra powers to carry out “spot checks” of government departments. However, it is unclea...