Questions about Schaeffer's 80% improvement
According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.”
I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), SCAP, or something less crisply defined.
The hearings include a testimony link to a PDF, and the NSA.gov site has a version as well. I haven’t had a chance to watch the testimony as delivered.
Neither contain “80” or “eighty.” Does someone know exactly what set of practices constitute “proper configuration policies and conducted good network monitoring,” and over what timeline and population they were measuring? Are there cost estimates for the activity suggested?