Using a dish full of marshmallows. We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]
I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact. From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]
Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]
(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to. Do go read their blog post, I’ll wait here. Back? Great. Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]
Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!” Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you […]
I’ve given Vz’s DBIR a quick perusal. The data are interesting indeed and the recommendations are obvious. There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both). Regardless, I have a few items that confuse and irritate me a […]
The Microsoft SIR was released 4/8 and is available for download here. Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database (http://datalossdb.org). Among the interesting things in the Microsoft SIR: Good old theft and losing equipment, when combined, still beats the sexier categories hands down. […]
The WSJ has an article up today about how the Russians and Chinese are mapping the US electirical grid. What I thought was more interesting was the graph they used (which is only mildly related to the article itself). If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches […]