
Showing posts with the label strategy

Seven Security Strategies, Summarized

This is the sort of story that starts as a comment on Twitter, then becomes a blog post when I realize I can't fit all the ideas into one or two Tweets. (You know how much I hate Tweet threads, and how I encourage everyone to capture deep thoughts in blog posts!) In the interest of capturing the thought, and not in the interest of thinking too deeply or comprehensively (at least right now), I offer seven security strategies, summarized. When I mention the risk equation, I'm talking about the idea that one can conceptually imagine the risk of some negative event using this "formula": Risk (of something) is the product of some measurements of Vulnerability x Threat x Asset Value, or R = V x T x A. Denial and/or ignorance. This strategy assumes the risk due to loss is low, because those managing the risk assume that one or more of the elements of the risk equation are zero or almost zero, or they are apathetic to the cost. Loss acceptance. This strategy may assume...

2014-2015 Professional Reading Round-Up

At an earlier point in my career, I used to read a lot of technical security books. From 2006 to 2012 I published a series of Best Book Bejtlich Read posts. Beginning in 2013 I became much more interested in military-derived strategy and history, dating back to my studies at the Air Force Academy in the early 1990s. I stopped reviewing books at Amazon.com and didn't talk about my reading. Last week I read Every Book I Read in 2015 by T. Greer, which inspired me to write my own version of that post. I have records for 2014-2015 thanks to a list I keep at Amazon.com. I'm modifying Greer's approach by not including personal reading, but I am adopting his idea to bold those titles that were my favorites. The following are presented such that the most recently read appears first. 2015 Reading (37 books): Restraint: A New Foundation for U.S. Grand Strategy by Barry R. Posen *(I'm joining the "restraint" school. I will say more about this in 2016.) Le...

Boards Not Briefed on Strategy?

I'd like to make a quick note on strategy, after reading After high-profile hacks, many companies still nonchalant about cybersecurity in the Christian Science Monitor today. The article says: In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months... The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer than 42 percent of respondents said their board actively participates in overall security strategy. Does this worry you? Do you want to introduce strategic thinking into your board discussion? If the answer is yes, consider these resources. 1. Check out my earlier blog posts on strategy, especially the first two articles. 2. Wa...

Elevating the Discussion on Security Incidents

I am not a fan of the way many media sources cite "statistics" on digital security incidents. I've noted before that any "statistic" using the terms "millions" or "billions" to describe "attacks" is probably worthless. This week, two articles on security incidents caught my attention. First, I'd like to discuss the story at left, published 17 February in The Japan Times, titled Cyberattacks detected in Japan doubled to 25.7 billion in 2014. It included the following: The number of computer attacks on government and other organizations detected in Japan doubled in 2014 from the previous year to a record 25.66 billion, a government agency said Tuesday. The National Institute of Information and Communications Technology used around 240,000 sensors to detect cyberattacks... Among countries to which perpetrators’ Internet Protocol addresses were traced, China accounted for the largest share at 40 percent, while South K...

Brainwashed by The Cult of the Quick

Faster is better! Those of us with military backgrounds learned that speed is a "weapon" unto itself, a factor which is "inherently decisive" in military conflict. The benefit of speed was so ingrained into my Air Force training that I didn't recognize I had been brainwashed by what Dr. Thomas Hughes rightly identified as The Cult of the Quick. Dr. Hughes published his article of this title in the Winter 2001 issue of the Aerospace Power Journal. His main point is the following: At a time when the American military has global commitments arrayed at variable threats, both real and potential, the Pentagon’s single-minded view of speed leaves the nation’s defenders poorly prepared for the range of military opposition and enemies they may face. Although Dr. Hughes wrote his article in 2001, his prescription is as accurate as ever. I found his integration of Edward Luttwak's point very telling: In the 1990s, the quest for swift war, replete with exit s...

Five Thoughts on New China Article

I just read a thoughtful article by Michael O'Hanlon and James Steinberg, posted at Brookings and Foreign Policy titled Don't Be a Menace to South (China Sea). It addresses thorny questions regarding China as President Obama visits South Korea, Japan, Malaysia, and the Philippines. I wanted to share five quick thoughts on the article, fully appreciating I don't have all the answers to this complex strategic problem. 1. "Many in China see the U.S. rebalance as ill-disguised containment, while many in the United States see Chinese military modernization and territorial assertiveness as strong indications that Beijing seeks to undermine Washington's alliances and drive the United States from the Western Pacific." I agree with these statements as being perceptions by both sides, but I also think they are closer to the truth than what the authors believe. I recommend Dr Ashley Tellis' monograph Balancing Without Containment: An American Strategy for...

The Limits of Tool- and Tactics-Centric Thinking

Earlier today I read a post by Dave Aitel to his mailing list titled Drinking the Cool-aid. Because it includes a chart you should review, I included a screenshot of it in this blog, below. Basically Dave lists several gross categories of defensive digital security technology and tools, then lists what he perceives as deficiencies and benefits of each. Embedded in these pluses and minuses are several tactical elements as well. Please take a look at the original or my screenshot. I had three reactions to this post. First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology. Second, staying within the realm of tools and tactics, Dave i...