Archive for the “Reports and Data” category

House Oversight Committee on Equifax

by nsadmin on December 11, 2018

The House Oversight Committee has released a scathing report on Equifax. Through the investigation, the Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and (…)

Measuring ROI for DMARC

by nsadmin on October 17, 2018

I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis (…)

Calls for an NTSB?

by adam on February 20, 2017

In September, Steve Bellovin and I asked “Why Don’t We Have an Incident Repository?” I’m continuing to do research on the topic, and I’m interested in putting together a list of such things. I’d like to ask you for two (…)

Dear Mr. President

by adam on July 14, 2016

U.S. President Barack Obama says he’s “concerned” about the country’s cyber security and adds, “we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of (…)

Usable Security: History, Themes, and Challenges (Book Review)

by adam on November 17, 2014

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because (…)

Modeling Attackers and Their Motives

by adam on November 11, 2014

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and (…)

Published Data Empowers

by adam on November 2, 2012

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. (…)

Base Rate & Infosec

by adam on September 25, 2012

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. (…)

Active Defense: Show me the Money!

by adam on June 21, 2012

Over the last few days, there have been a lot of folks in my Twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t (…)

Why Sharing Raw Data is Important

by adam on May 11, 2012

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this (…)