Shostack + Friends Blog Archive

 

Dear Mr. President

U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? […]

 

Usable Security: History, Themes, and Challenges (Book Review)

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because they have information that the computer doesn’t. My favorite example is the Windows “new network” […]

 

Modeling Attackers and Their Motives

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]

 

Published Data Empowers

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. The cyberthieves broke into an employee’s computer in September 2011 and stole the password for […]

 

Base Rate & Infosec

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]

 

Active Defense: Show me the Money!

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by […]

 

Why Sharing Raw Data is Important

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows […]

 

Time for an Award for Best Data?

Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]

 

Kudos to Ponemon

In the past, we have has some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d […]

 

Paper: "The Future of Work is Play"

My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over […]

 

Big Brother Watch report on breaches

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]

 
 

Block Social Media, Get Pwned

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]

 

Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]

 

Diginotar Quantitative Analysis ("Black Tulip")

Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt […]

 

Why Do Outsiders Detect Breaches?

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]

 
 

Another critique of Ponemon's method for estimating 'cost of data breach'

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

 

A critique of Ponemon Institute methodology for "churn"

Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by […]

 

Dashboards are Dumb

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.

 

Lessons from HHS Breach Data

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]

 

Fair Warning: I haven't read this report, but…

@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide […]

 

Michael Healey: Pay Attention (Piling On)

Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security.  Richard  upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were […]

 

Petroski on Engineering

As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive […]

 

The Visual Display of Quantitative Information

In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see: Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”? I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small […]

 

Comments on the Verizon DBIR Supplemental Report

On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m […]

 

NotObvious On Heartland

I posted this also to the securitymetrics.org mailing list.  Sorry if discussing in multiple  venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]

 

NEW: Verizon 2009 DBIR Supplement

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

 

Sweden: An Interesting Demographic Case Study In Internet Fraud

(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to.  Do go read their blog post, I’ll wait here. Back?  Great.  Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]

 

Engineers vs. Scammers

Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.”  The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from […]

 

Chris Soghoian’s Surveillance Metrics

I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chis Soghoian, has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million […]

 

Rational Ignorance: The Users' view of security

Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]

 

Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]

 

ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]

 
 

Debix Publishes Data on Identity Theft

Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed though the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud […]

 

Are We Measuring the Right Things?

One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the FAA Department of Transportation measures “on time departures.” The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the […]

 

Empiricism

Unfortunately, this was easy to see coming.

 

Breaches in SEC Reports

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports: At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches. Generally, these items […]