Archive for the “data” category

Exploit Kit Statistics

by adam on April 11, 2013

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning (…)

Indicators of Impact — Ground Truth for Breach Impact Estimation

by Russell on March 18, 2013

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not (…)

Breach Analysis: Data Source biases

by adam on January 30, 2013

Bob Rudis has a fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that (…)

Your career is over after a breach? Another Myth, Busted!

by adam on August 6, 2012

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked (…)

Aitel on Social Engineering

by adam on July 19, 2012

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on (…)

Why Sharing Raw Data is Important

by adam on May 11, 2012

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this (…)

Checklists and Information Security

by adam on April 10, 2012

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things go wrong? Frameworks such (…)

Time for an Award for Best Data?

by adam on February 1, 2012

Yesterday, Dan Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award (…)

Paper: The Security of Password Expiration

by adam on January 5, 2012

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yinqian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended (…)

Top 5 Security Influencers of 2011

by adam on December 12, 2011

I really like Gunnar Peterson’s post on “Top 5 Security Influencers”: It’s December and so it’s the season for lists. Here is my list of Top 5 Security Influencers; this is the list with the people who have the biggest (…)
