Posts

5000th Tweet

Today I posted my 5000th Tweet. I've apparently been a Twitter user since 1 December 2008. I remember not Tweeting anything until 15 July 2009, when I attended a Webcast about "security monitoring." The speakers were using Twitter to gather questions, so I decided it was a good time to try participating. With the advent of Twitter I've blogged a lot less. It's tempting to think that I've been sacrificing long, thoughtful blog posts for short, mindless Tweets. It turns out that a decent portion of my blogging volume, especially in my early blogging years (say 2003-2006), involved short posts. I recently reviewed a lot of my earlier blog posts, and noticed many of them looked just like Tweets. They may not have fit within the 140 character limit, but they were short indeed. For me, Twitter is a very compelling medium. It's more interactive, more frequently updated, and just easier to use. I have only ever blogged from a laptop. I use Twitter a l...

Whistleblowers: The Approaching Storm for Digital Security

Last week in my post SEC Guidance Is a Really Big Deal I mentioned the potential significance of whistleblowers with respect to digital security. I came to this conclusion while participating in a panel for those involved with Directors and Officers insurance. This post provides a few more details. This morning I reviewed slides by Frederick Lipman, author of Whistleblowers: Incentives, Disincentives, and Protection Strategies, pictured at left. Mr Lipman spoke about whistleblowers at the same conference, but I didn't see his presentation. You can read Mr Lipman's slides on this shared Google drive in .pdf format. To briefly summarize Mr Lipman's work, Dodd-Frank, the False Claims Act, IRS rules, and other regulations have created an environment more favorable to those who wish to report wrongdoing within their organizations. Bounties for whistleblowers can amount to tens of millions of dollars. Yes, that's right: individuals have received millions of dollars...

Comparing IEDs and Digital Threats

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero, commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those faced by digital security professionals. In fact, you may be aware that papers and approaches like Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D. were inspired by the desire to move "left of boom" regarding IEDs. In this post I will highlight elements from the interview which will likely resonate with those working digital security problems. The threat "shares information globally," and engages in an "arms race" with defenders, sometimes by "sitting in front of a computer" devising the latest tools and techniques. The adversary c...

SEC Guidance Is a Really Big Deal

In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal. Since then I attended a conference on Directors and Officers insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference. First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidan...

Clowns Base Key Financial Rate on Feelings, Not Data

If you've been reading this blog for a while, you know I don't think very highly of mathematical valuations of "risk." I think even less highly of the clowns in the financial sector who call security professionals "stupid" because we can't match their "five digit accuracy" for risk valuation. We all know how well those "five digit" models worked out. (And as you see from the last link, I was calling their bluff in 2007 before the markets imploded.) Catching up on last week's Economist this morning I found another example of financial buffoonery that boggles the mind. The article is online: Inter-bank interest rates; Cleaning up LIBOR -- A benchmark which matters to everyone needs fixing: It is among the most important prices in finance. So allegations that LIBOR (the London inter-bank offered rate) has been manipulated are a serious worry. LIBOR is meant to be a measure of banks' own borrowing costs, and is used as the f...

Salvaging Poorly Worded Statistics

Today I joined a panel held at FOSE chaired by Mischel Kwon and featuring Amit Yoran. One of the attendees asked the following: At another session I heard that "80% of all breaches are preventable." What do you think about that? My brief answer was that the statement isn't very useful; in this post I'll explain why. The first problem is the "80%." 80% of what? What is the sample set? Are the victims in the retail and hospitality sectors or the telecommunications and aerospace industries? Speaking in general terms, different sorts of organizations are at different levels of maturity, capability, and resourcefulness when it comes to digital security. In the spirit of salvaging this poorly worded statistic, let's assume (rightly or wrongly) that the sample set involves the retail and hospitality sectors. The second problem is the term "breach." What is a breach? Is it the compromise of a single computer? (What's compromi...

Inside a Commission Hearing on the Chinese Threat

This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China's Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I'm seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey. As stated on their Web site, the U.S. Congress created the U.S.-China Economic and Security Review Commission in October 2000 with the legislative mandate to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China, and to provide recommendations, where appropriate, to Congress for legislative and administrative action. The Commission holds hearings to solicit testimony from subject matter experts and builds on those hearings to produce an excellent annual report. You can access the 2011 report on the Commission Web site,...