Archive for the “disclosure” category

You say noise, I say data

by adam on September 20, 2016

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest (…)

Why Don’t We Have an Incident Repository?

by adam on September 14, 2016

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a (…)

FBI says their warnings were ignored

by adam on August 17, 2016

There are two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are (…)

The New Cyber Agency Will Likely Cyber Fail

by adam on February 10, 2015

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: (…)

Security 101: Show Your List!

by adam on January 5, 2015

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m (…)

Employees Say Company Left Data Vulnerable

by adam on October 7, 2014

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow (…)

BSides LV: Change Industry Or Change Professionals?

by adam on August 27, 2014

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, (…)

What Security Folks Can Learn from Doctors

by adam on June 11, 2014

Stefan Larsson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when (…)

Security Lessons From Star Wars: Breach Response

by adam on May 4, 2013

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died (…)

Exploit Kit Statistics

by adam on April 11, 2013

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There are all sorts of interesting numbers in that picture. For example, the success rate for owning (…)
