Firewall Wizards mailing list archives
RE: Firewalls and 802.1q trunking
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 11 Dec 2002 15:18:54 -0500
Sloane, David wrote:
Of course, using only "reported" intrusions limits the sample quite a bit.
The CSI Survey is (so far) the best thing out there. But even it is fatally flawed because it is based on a self-selected sample. In other words, the measure is based on those who WANTED to be measured or CARED ENOUGH to be measured. Self-selected samples also raise the question of all the folks who couldn't even measure because they keep no metrics. So the CSI survey is based on a subset of the community that we _can_ know something about, but we _don't_ know about the folks who didn't respond. :( :( They don't teach testing methodologies or statistics in CS curricula, but they really ought to touch on the topic for Infosec practitioners... :( CSI also tried to get into dollar losses as a metric, but the losses were anonymously reported and the victim assessed their own damages. So that means whatever they chose it to. Some organizations may have counted virus outbreaks. Others may have counted loss of stock market capitalization or competitive position - there's no apples-to-apples comparison here. [Disclaimer: the folks at CSI are friends of mine. They did the best they could with an impossible situation. So I'm not busting on their efforts. Is poor science better than no science at all? You decide.]
In addition, the U.S. Treasury Department said insiders committed 60% of the computer intrusions reported by banks and other financial institutions in the first four months of this year.
I believe that "computer intrusions" in this case included insider wire fraud. Which comes back to what I asked earlier about the definition of "attack" If you count Code Red as an "attack" (I do, actually...) then it and the other Internet-borne mass-rooters/scanners render the insider threat utterly insignificant in terms of sheer numbers of incidents. mjr. --- Marcus J. Ranum http://www.ranum.com Computer and Communications Security mjr () ranum com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewalls and 802.1q trunking Eric Vyncke (Dec 04)
- Re: Firewalls and 802.1q trunking Luca Berra (Dec 04)
- <Possible follow-ups>
- Re: Firewalls and 802.1q trunking Steffen Kluge (Dec 04)
- RE: Firewalls and 802.1q trunking Steve Evans (Dec 10)
- RE: Firewalls and 802.1q trunking Marcus J. Ranum (Dec 11)
- Re: Firewalls and 802.1q trunking Dragos Ruiu (Dec 12)
- RE: Firewalls and 802.1q trunking Bill Royds (Dec 13)
- Re: Firewalls and 802.1q trunking t (Dec 13)
- Re: Firewalls and 802.1q trunking Dragos Ruiu (Dec 12)
- RE: Firewalls and 802.1q trunking Sloane, David (Dec 11)
- RE: Firewalls and 802.1q trunking Marcus J. Ranum (Dec 12)
- RE: Firewalls and 802.1q trunking R. DuFresne (Dec 13)
- RE: Firewalls and 802.1q trunking Marcus J. Ranum (Dec 12)
- Re: Firewalls and 802.1q trunking Mike Hoskins (Dec 14)
- Re: Firewalls and 802.1q trunking Brian Ford (Dec 15)