How to do a ranking when you can’t present a rank list:
use a distribution graph.
Also how to do a randomized control trial when there are active
five ways to find out if and how much they are affecting the results.
This was in my apparently annual talk at TPRC 41, the Telecommunications
Policy Research Conference in Arlington, Virginia.
With slides, abstract, full paper, and video.
The sound is not good, though; it was taken with my smartphone.
Why don’t conferences do their own video and put it on the web?
There were a few sensitive presentations at this one, but they
were few, and the rest could have gone up.
They didn’t, so I got somebody to video with my phone.
A secondary domain hosted by Bluehost was defaced by an opportunistic
attack. We are consolidating the secondary domains in our primary
provider and all domains will be pointing to our web site.
Last week I was looking to join SIRA’s email list and mistyped .com for .org.
Finding www.societyinforisk.com had “HaCKeD By : brkod” on it, I mentioned that to SIRA.
They fixed it as above.
The interesting part is that the VERIS Community Database is an effort
to expand the annual
Verizon Data Breach Investigations Report (DBIR)
into something more timely and comprehensive:
It’s not very big yet (63 commits and 1546 incidents),
but it’s a welcome start.
It doesn’t have nearly the comprehensiveness, frequency, or regularity
of the spam blocklist data underlying
but it has, or it can have, more depth in reporting what happened and why.
Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. for April 2012 in rankings from PSBL data, pushing the U.S. to #1 worldwide.
Other rankings don’t show Microsoft high, but does MSFT really want to show up in any of these rankings?
Percent of top 10
These rankings that show Microsoft high are derived by SpamRankings.net from PSBL blocklist data. The April 2012 SpamRankings.net from CBL blocklist data do not show Microsoft in the top 10. Apparently PSBL’s spam traps happened to be in the line of spam from Microsoft, while CBL’s were not.
And of course Microsoft probably doesn’t mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here’s hoping they clean it up soon!
made the Davos Top 5 Global Risks in Terms of Likelihood.
Davos, the annual conclave of the hyper-rich and famously elected,
has also discovered Severe income disparity
and Water supply crisis, so maybe they’re becoming
However, in Figure 17 on page 25 they’ve got Cyber attacks
as an origin risk, along with Massive incident of data fraud or theft
and Massive digital misinformation. I think they’re missing the point,
which is that the real origin risk is poor infosec, and the origin of that
is vendors like MSFT knowingly shipping systems with design flaws
and people and organizations running them while hiding such problems.
Registrants may seek to mitigate damages from a cyber incident
by providing customers with incentives to maintain the business
Hm, incentives like showing an improved reputational risk ranking?
Perhaps in order to prevent this sort of thing?
Cyber incidents may also result in diminished future cash flows, thereby
requiring consideration of impairment of certain assets including
goodwill, customer-related intangible assets, trademarks, patents,
capitalized software or other long-lived assets associated with hardware
or software, and inventory.
The SEC is still missing at least one connection between dots:
Prior to a Cyber Incident
Registrants may incur substantial costs to prevent cyber
incidents. Accounting for the capitalization of these costs is addressed
by Accounting Standards Codification (ASC) 350-40, Internal-Use Software,
to the extent that such costs are related to internal use software.
Sure, infosec costs money.
But if infosec actually prevents loss of customer goodwill, infosec
could attract and retain customers,
so infosec could be a source of profit.
If anybody knows about it, that is.
One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.
The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.
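To make the "never trust your input" point concrete, here is an added example (mine, not code from this post or from the Oklahoma site, which the post does not describe in detail): a lookup that splices anonymous input into a query run against a constructed SQLite table, beside the parameterized form that can only compare the value, plus an allowlist check in front of it. Treating the lookup as SQL-backed, and the table, rows and function names, are assumptions.

```python
import re
import sqlite3

# Constructed sample records standing in for a public-records lookup table.
# Added illustration; not code from the page or from the Oklahoma DOC site.
SAMPLE_ROWS = [
    ("Alice Example", "123 Main St", "000-00-0001"),
    ("Bob Example", "45 Oak Ave", "000-00-0002"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (name TEXT, address TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO persons VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_trusting(conn, name):
    """The bad pattern: the submitted string becomes part of the SQL text, so
    the database executes whatever the anonymous user typed and the page
    displays whatever comes back."""
    sql = f"SELECT name, address FROM persons WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """The fix: the value is bound as a parameter, so it is only ever compared
    against the name column and is never interpreted as SQL."""
    sql = "SELECT name, address FROM persons WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Allowlist for what a name may look like (letters, spaces, dots, hyphens and
# apostrophes, so "O'Brien" is still accepted; SQL punctuation such as = is not).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")

def lookup_validated(conn, name):
    """Defence in depth: reject input that does not look like a name before it
    reaches the database, then use the parameterized query."""
    if not NAME_RE.match(name):
        raise ValueError("input rejected: not a plausible name")
    return lookup_parameterized(conn, name)

if __name__ == "__main__":
    db = make_db()
    # Constructed input that is a fragment of SQL rather than a name.
    crafted = "nobody' OR 'a'='a"
    print("trusting:     ", lookup_trusting(db, crafted))       # every row
    print("parameterized:", lookup_parameterized(db, crafted))  # []
```

The trusting version hands back every record for an input that matches nobody; the parameterized version returns nothing, and the validated version refuses the input before any query runs.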
Georgia’s governor wants to standardize information security reporting across
the entire state government:
The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.
Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor’s Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.
We think there’s an emerging way of approaching the world, which we call
the New School.
We start with a look at some persistent issues like spam and identity
theft. From there, we look at why the information security industry
hasn’t just fixed them, and some of the data sources which we rely on
and how poor they are. We then look at some new sources of data, and new
ways of interpreting them, and close with some very practical steps that
any individual or organization can take to make things better.