Tag Archive for 'metrics'

NotObvious On Heartland

I posted this also to the securitymetrics.org mailing list.  Sorry if discussing in multiple  venues ticks you off.

The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post:

“Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).”

For thought:

  1. One wonders how much a “sufficient” (loaded term, of course) InfoSec program for a company like Heartland costs on an annual basis.
  2. Does this set a sort of “worst case” bounds to impact distributions?
  3. If so, how does a worst case impact of ~$13 million (US) impact security management at retailers (politically)?

For Blog/Twitter Conversation: Can You Defend “GRC”?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.

#newschoolsecurity

Sweden: An Interesting Demographic Case Study In Internet Fraud

(quietly, wistfully singing “Yesterday” by the Beatles)

From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to.  Do go read their blog post, I’ll wait here.

Back?  Great.  Here are my thoughts on those numbers:

SWEDISH FRAUD STATISTICS RELEASED

The World Bank estimates the population of Sweden to be 9,220,986 (2008).

For reference, London (2006 figures) was 7.5 million, New York City was 8.275 million in 2007.

So the Swedish “market” for fraud was around 60,000 people out of a total population of 9,000,000 suffering an average of €1050-1100 each.  This line of thinking draws the inevitable comparison to what VCs call The Chinese Soft Drink Argument (If we can just get each person from China to buy one drink, we’ll make a billion!), obviously, but I thought it was interesting to put this into context.

When I saw those numbers, I thought of a couple of other stats I’d like to have at hand:

Breakdown of types of “attacks” that resulted in fraud (was the attack primarily hacking, was there SE involved, was it phishing, etc.), estimated number of attack attempts, number of arrests, demographics around Internet banking and broadband penetration…

What other information do you think would be helpful to you as a practitioner?

obligatory Swedish Chef reference:

Evolution of Information Analysis

Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog.

Marcus writes:

Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!”  Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you to spend your time and energy barking up the wrong tree.

Let me propose the following evolutionary path towards information analysis:

Stage 1.)  “Yes, but some data is better than none at all!”

Stage 2.)  “Not true!  It can be misinterpreted”

Stage 3.)  “Prior information usually has some informative value in context.  Have we done the right job in presenting uncertainty and context?”

The difference between stage 2 and 3 reminds me of the quote from IJ Good (who sadly just passed away this month) -

“The subjectivist states his judgements, whereas the objectivist sweeps them under the carpet by calling assumptions knowledge, and he basks in the glorious objectivity of science.”

The problem isn’t that we’ve got yucky/squishy/non-“actuarial quality” (whatever that means) data, the problem is in the statement of how prior information is interpreted and thorough identification of bias done in the research itself, and how uncertainty factors in the data are identified.
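As an added example (not part of the original post, and not Marcus Ranum’s or IJ Good’s code), here is one way to make stage 3 concrete: a Beta-binomial estimate of the share of fraud cases driven by one attack type, computed under several explicitly stated priors, each reported with a 95% credible interval rather than a bare point estimate. The sample (3 phishing-driven cases out of 10 investigated) and the three priors are constructed for illustration; the point is that the same ten data points give very different conclusions depending on a prior that is often left unstated.

```python
import math

# Constructed sample: 3 of 10 investigated fraud cases were phishing-driven.
SAMPLE_HITS = 3
SAMPLE_CASES = 10

# Assumed priors, each expressed as a Beta(alpha, beta) distribution.
PRIORS = {
    "flat Beta(1,1): no prior opinion": (1.0, 1.0),
    "weak Beta(2,8): 'phishing is a minority cause'": (2.0, 8.0),
    "strong Beta(50,50): 'about half, and I am sure'": (50.0, 50.0),
}


def _betacf(a, b, x):
    """Continued fraction for the regularized incomplete beta function
    (modified Lentz method, as in Numerical Recipes)."""
    max_iter, eps, fpmin = 300, 3e-14, 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = fpmin if abs(d) < fpmin else d
    d = 1.0 / d
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))
        d = 1.0 + aa * d
        d = fpmin if abs(d) < fpmin else d
        c = 1.0 + aa / c
        c = fpmin if abs(c) < fpmin else c
        d = 1.0 / d
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))
        d = 1.0 + aa * d
        d = fpmin if abs(d) < fpmin else d
        c = 1.0 + aa / c
        c = fpmin if abs(c) < fpmin else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def beta_cdf(x, a, b):
    """Regularized incomplete beta I_x(a, b): the CDF of Beta(a, b) at x."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                 + a * math.log(x) + b * math.log(1.0 - x))
    front = math.exp(log_front)
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def beta_quantile(p, a, b):
    """Inverse CDF of Beta(a, b) by bisection (the CDF is monotone on [0, 1])."""
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if beta_cdf(mid, a, b) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def posterior_interval(hits, cases, prior_a=1.0, prior_b=1.0, level=0.95):
    """Beta-binomial update: returns (posterior mean, lower, upper) for the
    proportion, where [lower, upper] is the central credible interval."""
    a = prior_a + hits
    b = prior_b + (cases - hits)
    tail = (1.0 - level) / 2.0
    return a / (a + b), beta_quantile(tail, a, b), beta_quantile(1.0 - tail, a, b)


def compare_priors(hits, cases, priors=PRIORS):
    """Same data under every stated prior: shows how much the prior drives the answer."""
    return {name: posterior_interval(hits, cases, pa, pb)
            for name, (pa, pb) in priors.items()}


if __name__ == "__main__":
    print(f"Sample: {SAMPLE_HITS} of {SAMPLE_CASES} cases (constructed)")
    for name, (mean, lo, hi) in compare_priors(SAMPLE_HITS, SAMPLE_CASES).items():
        print(f"{name:50s} mean={mean:.3f}  95% CI=[{lo:.3f}, {hi:.3f}]")
```

Under the flat prior the ten cases give a posterior mean of one third with an interval roughly from 0.1 to 0.6; under the strong Beta(50,50) prior the same data barely move the estimate off one half. Neither answer is “wrong”, but a report that prints only the point estimate has swept the prior under the carpet, which is exactly the complaint in the Good quote above.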

A Curmudgeon is a Little Confused by the 2009 DBIR

I’ve given Vz’s DBIR a quick perusal.  The data are interesting indeed and the recommendations are obvious.  There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both).

Regardless, I have a few items that confuse and irritate me a bit:

1)  While only 17% of attacks were considered ‘highly difficult’, they account for 95% of the records breached.  Would the recommendations have fixed this issue?  I can’t imagine, since the recommendations seem more focused on what I would consider fixes for simple attacks.  It does appear that fixing SQL injection issues is the obvious first step.  How long have we as a profession been talking about that one?  Someone has failed and it is us.

2)  What is meant by ‘breach’?  The report talks about ‘breaches’ and then mentions that records are also breached.  What is a ‘breach’?  A few definitions would be helpful for simple-minded folk like myself. % of caseload also seems to be an important metric. Are we worried about being penetrated, the amount of cases that Vz has to work, costs incurred by the involved parties or are we worried about actual data theft/destruction? Certainly all, but some should be a higher priority than others and some are more relevant than others.  There appears to be a bit of comparing apples to oranges in this report and more clarity on the terms we’re talking about would be welcomed.

3) “The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization. If obvious weaknesses are left exposed, chances are the attacker will exploit them. It is much less likely that they will expend the time and effort if none are readily apparent.” – This important statement isn’t supported by the data. See my point #1 above.  I like to think that attackers are lazy; looking for the easy way in, but it appears that attackers will expend the time and effort necessary. It is their job after all and it appears that there are at least a few out there that are professionals. The data that support this are the fact that 95% of the records breached occurred via ‘highly difficult’ attacks.  Perhaps ‘highly difficult’ attacks require little time and effort?  Do the recommendations around basic controls actually make a difference if 95% of breaches are ‘highly difficult’?  Maybe basic controls are ‘highly difficult’ to bypass; I’m just not sure.  Can script kiddies now execute ‘highly difficult’ attacks?

4) Where are the losses?  The data are confusing to me because they state that 31% of breaches occurred in Retail and 30% in Financial Services.  However, Financial Services accounted for 93% of records compromised.  To my point #2 above – what the hell do we mean by breach?  Was there data loss?  What was the actual cost involved with the 285MM records compromised?  Did people/companies have to pay for Vz services, data recovery, new cards being issued, identity theft clean-up, etc?  SHOW ME THE $$!  What are the real $$ losses here?  A breach of data may be necessary for $$ losses, but it isn’t sufficient.

5) Finally, just to be a total jerk about it – I love figure 3.  Let’s throw in a gratuitous graph that has no meaning and tells us nothing. I guess we may, someday, find a correlation between number of employees and insider initiated events.

I guess you could summarize my confusion and bitterness in a couple of items.  First, it doesn’t appear that we’re clear on our terms, which leads to overloading and a bit of confusion.  We’re grabbing loads of data and then trying to figure out how to make a cool report with them.  Second, we should be trying to express losses in terms of the monies expended.  Otherwise things look crazy with big numbers that lack context being thrown about.  With all the hundreds of millions of records compromised each year, hasn’t everyone been compromised already and we’ve lost the game?

A close friend pointed out that Peter Tippett, VP of Research and Intelligence for Verizon Business Security Solutions, described this report as “a wake-up call.” Really? As opposed to all the other reports that demonstrate how messed up the situation is? If we really wanted to wake up from this we would have awakened long ago rather than continuing to be Rip-Van-Insecure-Winkle. Sleep on, brothers and sisters, sleep on… it’s only a few hundred million records that we can’t seem to figure out the $$ value of.

Microsoft Security Intelligence Report

The Microsoft SIR was released 4/8 and is available for download here.  Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database (http://datalossdb.org).  Among the interesting things in the Microsoft SIR:

Good old theft and losing equipment, when combined, still beats the sexier categories hands down.

The Brazilians like their Password stealers, apparently.

This graph shows infection rates world wide. I find the most interesting region to be Japan. You look at Japan and Germany and you have to wonder, “What are they doing right?”

So apparently WoW creds are still more valuable than credit card numbers?

Cyber-Spies!

The WSJ has an article up today about how the Russians and Chinese are mapping the US electrical grid.  What I thought was more interesting was the graph they used (which is only mildly related to the article itself).

If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches that were reported to them from somewhere.  That I’m willing to believe.  But check out that red line for Commercial there – how interesting is that?  And then compare the red bands of ‘06, ‘07, and ‘08…

Now in interpreting the graph, I’m not sure how “complete” the DHS’s Commercial data set is.  After all, businesses will only report a breach when necessary, and it’s not clear where DHS got its information from.  But Commercial compared to Government is an interesting contrast (I suppose I’d be willing to put a lower “uncertainty” value on the government reported breaches number reported by DHS).  And then there’s “Individuals”.

I find it real interesting that somewhere south of 50,000 individuals told someone that they had a cybersecurity breach (I apologize for using the term “cyber”, btw). And it’s interesting that this number doubled between ‘07 and ‘08.  I’m not sure what to make of that, or how these numbers are arrived at.  Are these people reporting directly to DHS?  Do any readers know how DHS gets these numbers?