Shostack + Friends Blog Archive



So it’s early Sunday AM, and I’m getting my RSA Schedule together finally.  So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday:  8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management.  Fun! Monday is also Metricon, […]


Threat Modeling Fails In Practice

Would be interested in readers' thoughts on Ian G’s post here:


Please Participate: Survey on Metrics

I got an email from my friend John Johnson who is doing a survey about metrics.  If you have some time, please respond… ———————————————————————————————————————————————— I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I’ve thought of, and […]


Discussing Norm Marks' GRC Wishlist for 2012

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1.  Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so […]


Particularly NewSchool Job Posting

From Keith Weinbaum, Director of Information Security of Quicken Loans Inc. From the job posting: WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you.  ALSO, if your primary method of justifying security solutions […]


The One Where David Lacey's Article On Risk Makes Us All Stupider

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.”  This article is so patently bad, so heinously wrong, that it stuck in my craw enough to write this blog post.  So let’s discuss why Mr. Lacey has no clue […]


Some Thoughts on Binary Risk Assessment

Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently.   While I didn’t see the presentation, I’ve taken some time and reviewed the slides and read through the documentation.  I thought I’d quickly give my thoughts on this: It’s awesome and it sucks. IT’S AWESOME That’s not damning with faint praise, rather, it’s […]



I’ve left Verizon.  A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really […]


Worst.Technology.Application.Ever. (?)

It’s occurring to me this morning that in terms of benefit/cost, purely in “damage to society” terms, the decision to put html in emails could be one of the worst ideas in the past 25 years. But that’s just me.  Your thoughts on others in the comments?


Quick Quotes For Your Morning

From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, […]


VERIS Community Data

Seriously. Interesting.  Go check this out: Take a look, impact information!


Why Do You Write The Way You Do?

Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: — Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision […]


What is Risk (again)?

The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != […]


Why The New School Is Important

I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk –  you don’t say).  As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently.  A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement […]


NewSchool Zombies, Moneyball, & Metrics

Hey!  Tomorrow at 1pm ET reg now: @joshcorman & I redux our (in)famous ‘Metrics are Bunk!?’ debate from RSAC 2011:


Hey! SourceBoston is going to be CRAZY!

Not crazy like Sammy-Hagar-has-clearly-abused-his-brain-and-it’s-giving-him-bad-information-to-come-out-of-his-mouth crazy, but crazy like, there-are-so-many-good-talks-you-can’t-possibly-not-get-value-out-of-the-conference crazy. For example, I’ll be talking twice. Once with Dan Geer and Greg Shannon about Prediction Markets in InfoSec.  Then I’ll be giving one of THE FIRST EVER (!) debriefings of the 2011 DBIR (which is going to be crazy like both of the above). I’m […]


Back to You, Rob!

Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting.  So here goes:  Rob, Nowhere did I imply you were a bad pen tester.  I just said that you should have a salient view of failure in complex systems (which […]


Actually It *IS* Too Early For Fukushima Hindsight

OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet?  Who does that?): And that’s cool, I’m a big boy, I can take it.  And Twitter doesn’t really give you a means to explain why you […]



THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security Report. Block off your calendars now! Hello, Alexander Hutton invites you to attend this […]


SIRA Meeting Today at Noon EST! >> RICH MOGULL

HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting.  Details, details: SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The […]


Self Promotion: A Little Interview about Alex @ RSA

Self Promotion time, sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty NewSchool.  Here’s an interview that talks about both of the things I’ll be doing and you can see if they’ll be interesting:


Gunnar on Heartland

Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.


Gunnar's Flat Tax: An Alternative to Prescriptive Compliance?

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget).  This got me to thinking a bit  – What if, instead of in the world of compliance where we […]


CRISC – The Bottom Line (oh yeah, Happy New Year!)

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. […]


The Only Trust Models You'll Ever Need

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well […]


Nate Silver in the NYT: A Bayesian Look at Assange

From The Fine Article: Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursuing them, and we […]


Lazy Sunday, Lazy Linking

Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets?  Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often.  So here are some links I thought you might enjoy, probably worth discussion and review even […]


Risk & Metrics Interview over Twitter Today at 3pm EST

HEY! – At 3pm today Alex (@alexhutton) will be doing an interview over the twitters with Dark Reading’s (@DarkReading) Kelly Jackson Higgins  (@kjhiggins). Follow along with the hashtag #verizonDR! We’ll be talking risk, metrics, data, – you know, the new school-y stuff.


What is Information Security: New School Primer

Recently, I’ve heard some bits and pieces about how Information Security (InfoSec) can be “threat-centric” or “vulnerability-centric”.  This struck me funny for a number of reasons, mainly it showed a basic bias towards what InfoSec *is*.  And to me, InfoSec is too complex to be described as “threat-centric” or “vulnerability-centric” and yet still simple enough […]


Happy Birthday, Stan

“baseball’s rich in wonderful statistics, but it’s hard to find one more beautiful than Stan Musial’s hitting record.” – George Will “When you first hear about this guy, you say, ‘it can’t be true.’ When you first meet him you say, ‘It must be an act.’ But as you watch him and watch him and […]


Visualization for Gunnar's "Heartland Revisited"

You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage.  Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and […]


VERIS Community Incident Reporting

PEOPLE OF EARTH – The VERIS Community Application is out: Announcement here:  Website here:  From Wade’s announcement: If the VERIS framework describes what information should be shared, the VERIS application provides how to actually share it. Anyone wishing to classify and report an incident can do so responsibly and anonymously using the application. In taking […]


Flaw Of Averages – Society of Information Risk Analysts Meeting

Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To join the online meeting (Now from iPhones and other Smartphones too!) ——————————————————- 1. Go to […]


TSA Body Scanning is COMPLETELY SAFE… unless

Body scanners that the TSA is basically encouraging use of by threatening to otherwise grope, fondle, or molest you or your children are basically perfectly safe.  Well, unless you happen to be any one of the following: a woman at risk of breast cancer a pregnant woman an immunocompromised individual (HIV and cancer patients) a […]


SIRA Meeting Thursday – Flaw Of Averages

Hey everyone.  The Society of Information Risk Analysts (SIRA) would like to invite you to our November meeting this Thursday at 12 noon EST. Here’s a link to a meeting invite: This month, we’ll have Sam Savage, author of the excellent book, The Flaw Of Averages join us.  He’ll be talking about the book […]


Cloudiots on Parade

UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From:  Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in […]


TSA: Let us Take Nekkid Pics of You Or You Get "Bad Touch"

Apparently, the TSA is now protecting us so well that they make women cry by touching them inappropriately. According to (CNN Employee Rosemary) Fitzpatrick, a female screener ran her hands around her breasts, over her stomach, buttocks and her inner thighs, and briefly touched her crotch. “I felt helpless, I felt violated, and I felt […]


A Letter from Sid CRISC – ious

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something.  But it’s a great comment, and I wanted […]


Seriously? Are We Still Doing this Crap? (RANT MODE = 1)

These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches. And while CISO’s love it when I bring this fact up in front of their dev. teams, in all deference to software developers and any ignorance […]


Call for Questions: 451 & Verizon DBIR Webinar

Hey everyone. I wanted to mention that Josh Corman of the 451 Group has graciously decided to make a webinar with me on the Data Breach Investigations Report , and has even made the webinar open to the public. So as such, Josh is collecting questions ahead of time.  If you want to submit some […]


Society Of Information Risk Analysts (SIRA) Meeting Thursday!

HEY! SIRA Meeting on Thursday – click here for a calendar invite/reminder thingy/.ics file -> In long format: Topic: SIRA RISK OCT – SANS! Date: Thursday, October 14, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 745 433 825 Meeting Password: sira ——————————————————- To join the online meeting (Now from […]


Dear CloudTards: "Securing" The Cloud isn't the problem…

@GeorgeResse pointed out this article from @DavidLinthicum today.  And from a Cloud advocate point of view I like four of the assertions.  But his point about Cloud Security is off: “While many are pushing back on cloud computing due to security concerns, cloud computing is, in fact, as safe as or better than most […]


Michael Healey: Pay Attention (Piling On)

Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security.  Richard upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were […]


Friday WTF?

CSO Online has an article based on an unlinked Forrester study that claims: The survey of 2,803 IT decision-makers worldwide found improving business continuity and disaster recovery capabilities is the number one priority for small and medium businesses and the second highest priority for enterprises. (emphasis mine). The WTF Pie Chart Says:


SOIRA Presentation/Meeting TOMORROW, 10:30 EST!

Hey everyone! Pete Lindstrom will be giving us his “Risk 2.0” presentation tomorrow via webex at 10:30 EST. I’ve seen the deck, and it will be a great preso. Topic: Risk Analysis Date: Thursday, September 9, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 748 861 569 Meeting Password: risk?whatrisk? ——————————————————- […]


The lumbering ogre of Enterprise Governance is no replacement for real Quality Management.

Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post about the BP Oil spill and operational risk, and the damages the spill is causing BP.  Ignoring the hindsight bias of the article here… “This oil spill is a classic example of a black swan (events with the potential for severe impact […]


Measurement Theory & Risk Posts You Should Read

These came across the SIRA mailing list. They were so good, I had to share: Thanks to Kevin Riggins for finding them and pointing them out.


Illogical Cloud Positivism

Last we learned, Peter Coffee was Director of Platform Research for  He also blogs on their corporate weblog, CloudBlog, a blog that promises “Insights on the Future of Cloud Computing”. He has a post up from last week called “Private Clouds, Flat Earths, and Unicorns” within which he tries to “bust some myths” […]


What They Know (From the WSJ)

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. Full disclosure, our site uses Mint for traffic analytics.


Cisco's Artichoke of Attack

Cisco has their security report up – find it here.  My favorite part?  “The Artichoke of Attack”


Society of Information Risk Analysts Webex/Meeting Tomorrow

Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex.  This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes.  It’s going to be seriously useful. Join SOIRA here: for the invite.


Survey Results

First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out.  I especially appreciate the feedback from the person who took the time to write in: “Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places […]


Risk -> Operational Security Survey

Hi, I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or operational security analyst, would you mind taking a one question survey? It’s on SurveyMonkey, here:


ISACA CRISC – A Faith-Based Initiative? Or, I Didn't Expect The Spanish Inquisition

In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows one to segregate what is called IT in analysable parts.  Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not […]


Thinking about Cloud Security & Vulnerability Research: Three True Outcomes

When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions.  And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori MacVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an […]


RiskIT – Does ISACA Suffer From Dunning-Kruger?

Just to pile on a bit…. You ever hear someone say something, and all of the sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it?  That someone much smarter than you had already thought about the subject a whole lot […]



PREFACE:  You might interpret this blog post as being negative about risk management here, dear readers.  Don’t. This isn’t a diatribe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why I don’t like the idea of CRISC has long-term stickiness.  Just today, Philip writes in […]


Bleh, Disclosure

Lurene Grenier has a post up on the Google/Microsoft vulnerability disclosure topic. I commented on the SourceFire blog (couldn’t get the reminder from Zdnet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit […]


Measuring The Speed of Light Using Your Microwave

Using a dish full of marshmallows.  We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]


Excellent Post On Maturity Scale for Log Management

Raffael Marty’s great post on how to measure the maturity level for your log management program.  Excellent as always.


B-Sides Las Vegas Call For Papers

Friend of the blog and TV’s own <grin> Chris Nickerson has firmed up B-Sides for Las Vegas and is looking for a few good people to submit a few good presos. I spoke last year with David Mortman and it was awesome.  Chris put on some real good event/space for us all. I encourage you […]


ANNOUNCEMENT: The Society of Information Risk Analysts

I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too […]


On Uncertain Security

One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours.  Their data is fraught with uncertainty, it has gaps, and it might be kind of important (regardless of your stance on anthropogenic global warming, I think we can all agree that when the climate […]


Risks Interconnection Map

The sweet interactive version is here: Beyond the cool visualization, I’m really interested in the likelihood/impact of data fraud/data loss over on the left there…


Why I'm Skeptical of "Due Diligence" Based Security

Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that […]


Symantec State of Security 2010 Report Out

Thanks to big yellow for not making us register!  Oh, and Adam thanks you for not using pie charts…


Happy Valentine's Day!

They say that Y equals m-x plus b (well, when you remove the uncertainty). So let me reveal a secret confession: You’re the solution to my least squares obsession. stolen from the applied statistics blog


Does It Matter If The APT Is "New"?

As best as I can describe the characteristics of the threat agents that would fit the label of APT, that threat community is very, very real.  It’s been around forever (someone mentioned first use of the term being 1993 or something) – we dealt with threat agents you would describe as “APT” at MicroSolved when […]


Applying Utility Functions To Humans?

From Less Wrong: I’m at The Open Group Security Forum this week in Seattle, speaking about risk and stuff.  Adam gave a great talk about Security: From Art to Science.  One recurring theme all week was the need to borrow from disciplines outside of Comp Sci and Engineering.   When we think about the […]


That's Some Serious Precision, or Watch Out, She's Gonna Go All Decimal!

So last night the family and I sat down and watched a little TV together for the first time in ages.  We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping.  Basically, these guys get on snowmobiles, jump them in […]


Quote For Today

Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men, is when they want something, they will, without any reflection, leave that to hope; which they will employ the full force of reasoning in rejecting what they find unpalatable. — Thucydides


Shameless Self-Promotion

Hi, If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST: Gleaning Risk Management Data From Incidents


Why I Don't Like CRISC, Day Two

Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk.  Today I want to mention why I think this CRISCy stuff is dangerous. What if how we’re approaching the subject is wrong?  What if it’s mostly wrong and horribly expensive? I’m going to offer that […]


Why I Don't Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification: We’re not mature enough for a certification in risk management. Don’t believe me?  Good for you, […]


NotObvious On Heartland

I posted this also to the mailing list.  Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]


For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]


Sweden: An Interesting Demographic Case Study In Internet Fraud

(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, I don’t speak Swedish, so I couldn’t really read the fine article they linked to.  Do go read their blog post, I’ll wait here. Back?  Great.  Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]


Awesome Vendor-Speak

I received an unsolicited (I’ve tried to unsubscribe several times there, techtarget) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”.  Yeah, I’m a sucker like that.  This is what I read: …a practical maturity model with illustrative use cases that can be […]


2010 Security Prognosticators – Put Your Money Where Your Mouth Is!!!

Just saw where Symantec has released their 2010 Security Trends to watch.  Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$.  For example: 8.  Mac and Mobile Malware Will Increase […]


For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football“ Those who indulge my passion for analysis and for sport know that […]


Rich Mogull's Divine Assumptions

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume”.  In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions.  And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action.  […]


Something For Soscia, Girardi, & Charlie Manuel

It’s the probabilistic decision making tool for baseball managers.  On the iPhone.  It’s like a business intelligence application in the palm of your hand 🙂 Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and given a situation, […]


Are Security "Best Practices" Unethical?

Anton Chuvakin’s been going old school.  Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past.  Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamanism”.  We do these things because our forefathers do them, […]


Some Stuff You Might Find Interesting 9-8-2009

IT’S A TAB DUMP Hey,  because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then […]


I'm OK When The System Works – Even If It Is A False Alarm

——————————— UPDATE:  @lbhuston gives us the dirty low down here: ——————————— This was a test of the emergency broadcast system.  This was only a test, had this been a real change in the Threat Landscape….. You may have read in various media outlets about a little incident that happened yesterday concerning the mailing of […]


Visualization Friday – Back From Hiatus

Hey all, sorry it’s been so long since I put up some eye candy.  Today’s posts come from the usual sources (flowing data and other various information design blogs) but I also wanted to point you to a new source of cool: So without further ado, your Visualization Friday Posts (some pertinent to the […]


Mike Dahn Wants to NewSchool PCI

And I couldn’t agree more. Capability and Maturity Model Creation in Information Security — PS – sorry for using “NewSchool” as a verb.


Mortman/Hutton Security-BSides & Black Hat Presentation Available

Hey y’all, happy Monday morning.   I’ve put Dave & my presentation for Security BSides up on slideshare: Mortman/Hutton Security B-Sides Presentation View more presentations from alexhutton. Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model.  I hope you will enjoy! PS – There’s probably audio available for […]


Quantitative Analysis of Web Application Usefulness (Or Why Your ROSI is wRONG)

The amazing (in both quality and quantity of blog post production) Lori MacVittie of f5 has a blog post up on their corporate blog called,  “A Formula for Quantifying Productivity of Web Applications.” Basically, Lori proposes that we study web server processes and the time to complete them over a period of time rather than […]


Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing: At Last, a Scientific Approach to Infographics A blog post by the awesome visualization expert Stephen Few that praises: Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed OK, I’ll also mention that I […]


Visualization Friday!

Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen.  And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study.  So given the quality of the GRC apps […]


A Farewell to Bernstein

From Chandler, who is in China: Adam sent along to the authors of this blog a link to the New York Times obituary for Peter Bernstein yesterday Peter L. Bernstein, an economic historian and a widely read popularizer of the efficient market theory, which changed trading behavior on Wall Street, died Friday at NewYork-Presbyterian/Weill […]


Links To Interesting Stuff

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there. 1.) Threat and Risk Mapping Analysis in Sudan Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless: 2.)  I thought Gunnar did a great job […]


Statistics Police?!

From Gelman’s blog: U.K. Sheriff Cites Officials for Serious Statistical Violations I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education […]



Hey everyone.  I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project called “Quant”.  They currently have a survey up on survey monkey about Patch Management that they’d like participation in.  If you can, please give thoughtful contribution to the survey. There’s something about a registration […]


New Means of Pie Chart Abuse

Just for Adam, because I know he’ll *love* this. Was reading the “How to transform your ETL tool into a data quality toolkit” post on the data quality blog when I noticed something. In the graphic they’re presenting there: The.Pie.Chart.Spins. Which could be one of the most awesome data visualization abuses.  ever.


Thoughts on Bejtlich's Information Security Incident Ratings

Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community.  As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side). […]


PCI Data Available

Interesting information was made available today from VISA about PCI Compliance status for Level 1, 2, and 3 merchants.  Find it as a .pdf >>here<< (thanks to Mike Dahn for bringing it to our notice). **UPDATE** You may want to check out what Pete Lindstrom has done with that data, in his Blog Post, “Is […]


Richard Bejtlich's Quantum State

Is Statistically Mixed? Richard Bejtlich (whom I do admire greatly in most all of his work) just dug up a dead horse and started beating it with the shovel, and I just happen to have this baseball bat in my hands, and we seem to be entangled together on this subject, so here goes: I […]


The Eyes of Texas Are on Baseboard Management Controllers? WHAT??!!!

OR TEXAS HB1830S IS SWINEFLU LEGISLATION, IT’S BEEN INFECTED BY PORK! **UPDATE:  It looks like the “vendor language” around Section Six has been struck! Given Bejtlich’s recent promises, I thought we’d take a quick but pragmatic look at why risk assessments, even dumb, back-of-the-envelope assessments, might just be a beneficial thing. As you probably know, […]


Time To Patch, Patch Significance, & Types of Cloud Computing

Recently, a quote from Qualys CTO Wolfgang Kandek struck me kind of weird when I was reading Chris Hoff yet again push our hot buttons on cloud definitions and the concepts of information security survivability.  Wolfgang says (and IIRC, this was presented at Jericho in SF a couple of weeks ago, too): In five years, […]


@Mortman MP3d on Threat Post

I’ll go ahead and promote David.  He’s interviewed over at Threat Post.  Pod/Talk cast it up! In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether we’ve become too reliant on compliance, the changing nature of the CSO’s job and how […]


Project Quant: Patch Management Metrics

Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.”  They’re calling it (for now) Project Quant.  As you can probably guess, I’m all for transparent metrics projects, and I hope you’ll at […]


Evolution of Information Analysis

Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!”  Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you […]


Black Swan-Proof InfoSec?

I came across an interesting take on Nassim Taleb’s “Black Swan” article for the Financial Times via JP Rangaswami‘s blog “Confused in Calcutta“.   Friends and folks who know me are probably tired of my rants about what I think of Taleb’s work and what I think he’s gotten wrong.  But really, I find his FT […]


Microsoft Security Intelligence Report

The Microsoft SIR was released 4/8 and is available for download here.  Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database (  Among the interesting things in the Microsoft SIR: Good old theft and losing equipment, when combined, still beats the sexier categories hands down. […]


New School Bloggers Speaking Today

So I apologize for short notice.  Hopefully the webmaster will get in gear and put up an event calendar or something, but here are a couple of events you might want to attend today that New School Bloggers are speaking at. First, David Mortman is giving “The Mortman Briefing:  Metrics for the Real World” over at […]



The WSJ has an article up today about how the Russians and Chinese are mapping the US electrical grid.  What I thought was more interesting was the graph they used (which is only mildly related to the article itself). If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches […]


Hello World?

Thanks for stopping by The New School of Information Security Blog.  We’re very “beta” right now, and anticipate having everything ready by the RSA conference (the week of the 17th).  If you’d like to see some recent content by our authors, I had a recent post on the Verizon/Cybertrust blog about the PCI DSS and […]