Archive for the “Data Analysis” category

‘No need’ to tell the public(?!?)

by nsadmin on April 8, 2019

When Andrew and I wrote The New School, and talked about the need to learn from other professions, we didn’t mean for doctors to learn from ‘cybersecurity thought leaders’ about hiding their problems: …Only one organism grew back. C. auris. (…)

Measuring ROI for DMARC

by nsadmin on October 17, 2018

I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis (…)

GAO Report on Equifax

by nsadmin on October 12, 2018

I have regularly asked why we don’t know more about the Equifax breach, including in comments in “That Was Close! Reward Reporting of Cybersecurity ‘Near Misses’.” These questions are not intended to attack Equifax. Rather, we can use their breach (…)

Calls for an NTSB?

by adam on February 20, 2017

In September, Steve Bellovin and I asked “Why Don’t We Have an Incident Repository?” I’m continuing to do research on the topic, and I’m interested in putting together a list of such things. I’d like to ask you for two (…)

You say noise, I say data

by adam on September 20, 2016

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest (…)

Security Lessons From Star Wars: Breach Response

by adam on May 4, 2013

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died (…)

Exploit Kit Statistics

by adam on April 11, 2013

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning (…)

Analyzing The Army’s Accidental Test

by adam on April 3, 2013

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a (…)

Breach Analysis: Data Source biases

by adam on January 30, 2013

Bob Rudis has a fascinating and important post, “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that (…)

The Fog of Reporting on Cyberwar

by adam on December 11, 2012

There’s a fascinating set of claims in Foreign Affairs’ “The Fog of Cyberwar”: “Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of (…)