Comments on: “80 Percent of Cyber Attacks Preventable” http://newschoolsecurity.com/2009/11/80-percent-of-cyber-attacks-preventable/ The Blog Inspired By The Book Wed, 08 Feb 2012 09:21:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Eric http://newschoolsecurity.com/2009/11/80-percent-of-cyber-attacks-preventable/#comment-525 Eric Thu, 19 Nov 2009 16:55:52 +0000 http://newschoolsecurity.com/?p=984#comment-525 I would add that the bigger issue here is at the application level. What are companies doing to protect webapps where the network perimeter is useless? I read recently an estimate that it takes an average of 67 days to fix something as common as XSS(!). Unacceptable. Everyone's throwing stats around - they're a dime a dozen, but we all know the issues are real and damaging. http://artofdefence.wordpress.com/ I would add that the bigger issue here is at the application level. What are companies doing to protect webapps where the network perimeter is useless?

I read recently an estimate that it takes an average of 67 days to fix something as common as XSS(!). Unacceptable. Everyone’s throwing stats around – they’re a dime a dozen, but we all know the issues are real and damaging.

http://artofdefence.wordpress.com/

]]> By: Christopher Porter http://newschoolsecurity.com/2009/11/80-percent-of-cyber-attacks-preventable/#comment-522 Christopher Porter Wed, 18 Nov 2009 21:14:29 +0000 http://newschoolsecurity.com/?p=984#comment-522 Hey Dave, I thought I would cross-post something that Wade Baker posted this last December. I think it fits in quite well with what you've written here. http://securityblog.verizonbusiness.com/2008/12/03/crisis-could-improve-security-in-2009/ Hey Dave, I thought I would cross-post something that Wade Baker posted this last December. I think it fits in quite well with what you’ve written here.

http://securityblog.verizonbusiness.com/2008/12/03/crisis-could-improve-security-in-2009/

]]> By: Augusto Paes de Barros http://newschoolsecurity.com/2009/11/80-percent-of-cyber-attacks-preventable/#comment-521 Augusto Paes de Barros Wed, 18 Nov 2009 20:19:45 +0000 http://newschoolsecurity.com/?p=984#comment-521 Another thing to consider is that the fact that the basics are not necessarily easy when we consider big and complex organizations. For instance, things like privileged accounts control and patch management are very hard to do well when IT operations and infrastructure are not in a "best of breed/best practices" mode. And, again, attackers only need a single mistake. For "basic stuff", doing 80/20 is not good enough, but big organizations may not be in a position to do more than that. Another thing to consider is that the fact that the basics are not necessarily easy when we consider big and complex organizations. For instance, things like privileged accounts control and patch management are very hard to do well when IT operations and infrastructure are not in a “best of breed/best practices” mode. And, again, attackers only need a single mistake. For “basic stuff”, doing 80/20 is not good enough, but big organizations may not be in a position to do more than that.

]]> By: Russell http://newschoolsecurity.com/2009/11/80-percent-of-cyber-attacks-preventable/#comment-520 Russell Wed, 18 Nov 2009 18:22:34 +0000 http://newschoolsecurity.com/?p=984#comment-520 I think there's a flaw in the reasoning, even if you buy the "80%" number. In terms of quantity of attacks, most attacks are opportunistic that exploit the "low hanging fruit" (practically lying on the ground). Even if you accept the proposition that basic/standard configuration practices would eliminate most or all of these vulnerabilities, there is still plenty of fruit in the tree that are accessible with only a modest increase in attacker effort or sophistication. Of course, in the short term, a given company can reduce the success rate of opportunistic attacks if their configuration and security practices are better than their peers. Said one wildebeest to another, "I don't have to run faster than the lion... I just have to run faster than you." But in the long run, if all organizations shift upward to basic/common/standard configuration and security practices, the attackers will simply shift to the next level of fruit. This is like preditor-prey and host-parasite coevolution in nature. I would phrase it this way: "80% of cyber attacks can be shifted from low sophistication to modest sophistication attacks by following basic/common/standard configuration practices". Not very attractive as a headline or in congressional testimony, but this is closer to the reality, IMHO. I think there’s a flaw in the reasoning, even if you buy the “80%” number.

In terms of quantity of attacks, most attacks are opportunistic that exploit the “low hanging fruit” (practically lying on the ground). Even if you accept the proposition that basic/standard configuration practices would eliminate most or all of these vulnerabilities, there is still plenty of fruit in the tree that are accessible with only a modest increase in attacker effort or sophistication.

Of course, in the short term, a given company can reduce the success rate of opportunistic attacks if their configuration and security practices are better than their peers. Said one wildebeest to another, “I don’t have to run faster than the lion… I just have to run faster than you.”

But in the long run, if all organizations shift upward to basic/common/standard configuration and security practices, the attackers will simply shift to the next level of fruit.

This is like preditor-prey and host-parasite coevolution in nature.

I would phrase it this way: “80% of cyber attacks can be shifted from low sophistication to modest sophistication attacks by following basic/common/standard configuration practices”. Not very attractive as a headline or in congressional testimony, but this is closer to the reality, IMHO.

]]>