Getting ROI From a Security Advisory Board That Works: Part 2

Earlier I wrote about why a good security advisory board can be a powerful addition to any business. In this article I dive into exactly how to make sure you get that value from your advisory board. By taking the right actions, you can ensure a strong ROI for your time and money while significantly boosting the security of your organization.

How To Defend Yourself Against APT / Nation State Attackers

When talking about information security, nation-state backed hackers are set up as the ultimate threat. The countries have brilliant hackers, unlimited resources, endless exploits, and they are all after you! Fortunately for us, there are also many more nation state hackers who are not that skilled, on a tight budget, and forced to use off-the-shelf tools. Just because your organization might be of interest to foreign services does not mean that you should just give up.

Read the entire article here

 Published on cyber



Getting ROI From a Security Advisory Board That Works: Part 1 - Why


In 2016, my CEO asked me to work with an outside advisor, Gary McGraw, to create a Security Advisory Board (SAB) for our company. Right away, I realized that creating a strong advisory board to effectively support the company would take a lot of work. We spent significant time thinking about how this board could add value to the business, and how to ensure that the board’s ideas and solutions were implemented. First, let me note that credit for many of the ideas in these articles should go to Gary. He was instrumental in the creation and continued success of our SAB. In the first article of this two-parter, I will explore the kinds of value a SAB can bring to a company, and why its creation is worth all the effort. In the next article, I will talk about the nuts and bolts of executing a successful SAB.

The End of an Era

I founded Anonymizer Inc. in 1995, almost 23 years ago. It was born of my passion and commitment to privacy, security, and anonymity. I deeply appreciate the support, encouragement, and loyalty from the millions of people who have used the service over the years.

I am profoundly proud of what this company has accomplished. We were the first commercial internet privacy service in the world. We created the Kosovo Privacy Project, provided censorship circumvention services to hundreds of thousands of people in China and Iran, and worked with numerous human rights groups to provide protected communications and safe access to information. We also set up a secure anonymous terrorist tip site in the first days following 9/11.

Read More

The DNC Hacker Indictment: A Lesson in Failed Misattribution

Reading legal documents is not something I usually enjoy. The Mueller indictment of the Russian DNC hackers was different - the amount of detail revealed in the document stunned me, and suggests that the US had very deep visibility into the hackers’ operations. In this article I am not going to look at the details of the hacking or phishing attacks used. Rather, I am interested in how the hackers attempted to misattribute their activities and how their actions and errors undercut that effort.

Read the whole article at Security Week to see my analysis of all the ways the hackers failed in trying to remain hidden.

Preventing the Other Kind of Hack Back

There has been endless discussion among security professionals about the ethics, propriety, legality, and effectiveness of corporations “hacking back” against attackers. On the other hand, there is no hesitation on the part of attackers to hack back against threat intelligence researchers who are investigating them. Identification and retaliation are a constant risk for anyone probing the darkest back alleys of the internet.

Read the whole article at Security Week to see why and how watching the wrong people can lead to counter-attack.

Keeping it on the Down Low on the Dark Web

Sites on the Dark Web Have Several Motivations to Unmask Their Visitors

So, there you are, finally on the private sections of a dark market. You have established reputation and credibility with your targets. Suddenly, you get exposed as a “rat” and banned for life. They grab your escrowed cryptocurrency, and you are back at square one with a foe who is even more alert than before... How did this happen?

Read the full article at Security Week for my thoughts on staying anonymous while visiting the dark web.

Do you make any of the top 6 managed attribution mistakes?

Staying anonymous while engaging online is hard, particularly if you need to do so over an extended period of time. While there are thousands of things that can trip you up, there are six mistakes that cause most of the problems. Read the article to learn what they are.

The Top 6 Mistakes That Will Blow Your Online Cover - SecurityWeek

Breaking the OODA Loop!

I am very excited to see that the first in a series of articles I am writing for Security Week has been published. I would love to hear what you think.

The OODA loop is a well-established concept often used in security which originated in the military. OODA stands for Observe, Orient, Decide, Act.
OODA is an iterative process because after each action you need to observe your results and any new opposing action. The idea is that if you can consistently get to the action faster than your opponent you can beat them. It is typically described using an airplane dogfight analogy – airplanes try to turn more quickly and sharply than their opponent in order to get off a shot. But, as you turn faster and faster the g-forces build and at this point the ever faster OODA loop is more like a centrifuge crushing us. We need to break out of the loop and find a new way to play the security game.

Read the whole article.