Shostack + Friends Blog Archive


Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over the last couple of years, we’ve gone from fearing breach data to analyzing it, and even the lobbyists are a little less frantic in trying to roll things back. (Only a little, as their arguments dissolve one after another.)

So I was really happy to get mail from David Litchfield, pointing me to his new blog, and his opening entry, “SQL Injection and Data Security Breaches.”

Dan Geer has also been at the data, and has posted “some statistical analysis” of Attrition’s data.

It’s great to see more breach analysis, and I fully expect that we’re going to start seeing such data being used in presentations from Gartner, Burton, and other analyst firms. Why not take some time to look at the data and figure out how your organization could make use of it?

One comment on "Emergent Breach Analysis"

  • Iang says:

    Speaking as a long broken record on phishing … the danger I find isn’t so much that one sounds like a broken record, but that one tends to analyse everything from the perspective of one’s own hobby horse.
    With some hobby horses this is dangerous simply because they might be or become a small part of a complex environment. That was one of the motivations that turned me away from further investigation into phishing, in that we crossed the industrialisation point sometime in 2004, and at that point, it didn’t matter if we solved phishing, the bad guys would move on to the next attack … so phishing itself was no longer relevant, and we had a systemic security situation to deal with.
    I see data breach notification as a bit like that, at relevancy level. Important, but even if we fix it totally, it won’t change the overall result much, because the battleground moves faster than we can now deal with it. Given that we crossed the point where it is more than 50% likely that any given American now “shares” their identity, we have more of a systemic issue to worry about than … just tracking more data breaches.
    (Which of course is another favourite rant of mine which is now popping up in the consciousness of security people: fixing the security mess starts with a long hard look at ourselves.)
