After glossing over the Verizon Business Data Breach Investigations Report (DBIR) I was a tad confused with some of the findings and recommendations. I comforted myself with the fact that I had only glossed over the report and that, in my haste, I was not able to connect the dots which should obviously connect to show me the bigger picture.
I was wrong.
An excellent post by Brooke Paul over at The New School of Information Security blog pretty much sums up the confusion I've heard from others.
A Curmudgeon is a Little Confused by the 2009 DBIR
To quote:
There is little new here in the way of recommendations - I guess nobody is listening or the controls are ineffective (or a bit of both).
1) While only 17% of attacks were considered ‘highly difficult’, they account for 95% of the records breached. Would the recommendations have fixed this issue? I can’t imagine, since the recommendations seem more focused on what I would consider fixes for simple attacks. It does appear that fixing SQL injection issues is the obvious first step. How long have we as a profession been talking about that one? Someone has failed and it is us.
2) What is meant by ‘breach’? The report talks about ‘breaches’ and then mentions that records are also breached. What is a ‘breach’? A few definitions would be helpful for simple-minded folk like myself...
3) “The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization. If obvious weaknesses are left exposed, chances are the attacker will exploit them. It is much less likely that they will expend the time and effort if none are readily apparent.” - This important statement isn’t supported by the data. See my point #1 above...
Agreed. Either people are not listening (which means the cyber security message isn't resonating) or what they are doing isn't working (which means our guidance is hollow). The muddled signals from the Verizon report do not help matters any, nor does the report's fudging on the definition of a "breach" - an aspect central to the report. Regardless, it is a dangerous mixture that shows just how far we have to go towards effecting meaningful change in cyber security.