A vivid image of Fear, Uncertainty, and Doubt (FUD), from an email promotion by NetWitness. Read More: The Face of FUD

To improve threat intelligence, it’s most important to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us. Read More: Doing threat intelligence right

“Meta-taboo”: The topic itself is not taboo, but any discussion about how to actually get there or deal with the topic is taboo. Read More: "It's so Confidential, even we don't know the number"

We think of botnets as networks of computing devices slaved to some command & control system. But what about human-in-the-loop botnets, where humans are either participants or prime actors? I’m coining this label: “social botnets”. Recent example: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill”. Read More: Emerging threat: Social Botnets

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year. Read More: NEW: Verizon 2009 DBIR Supplement
If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming? They could set up a deceptive defense and redirect the attack to another network. Read More: Time to update your threat model to include "friendly fire"
A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions. Read More: Can quantitative risk estimation serve as a guide for every-day policy decisions?

A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers. Read More: Miscommunicating risks to teenagers
I’m starting on an academic-oriented research project on the arms race between attackers and defenders from the perspective of innovation rates and “evolutionary success” (the Red Queen problem). I’m looking for collaborators, contributors, reviewers, etc. Read More: Information Security as an Evolutionary Arms Race – Research Collaborators Wanted