Feeds

Infosec 'needs warrior cryptoboffins' to beat hackers

Drop and give me 50 better data sets, maggot

Seven Steps to Software Security

RSA Europe The infosec industry needs to move beyond "faith-based security" to an evidence-based approach that takes ideas from battlefield combat if corporations are ever to get ahead of hackers and keep security spending down to manageable levels.

Joshua Corman, director of security intelligence at Akamai, argued that while almost every enterprise attempts to develop security metrics for its environment, these approaches are more akin to "numerology" than hard science.

Raw data and numbers are rarely available in the field of information security and, when they are, they tend to get misquoted or misunderstood, according to Corman. For example, a widely cited misquote from a Verizon data breach report – "90 per cent of breaches in 2008 were due to patchable vulnerabilities where a patch had been available for 12-18 months" – is often taken as a basis by enterprises for developing a security policy.

In truth the sentence needed to be qualified "of the 22 per cent that were patchable [the patch had been available for more than a year]. By 2009, only 6.7 per cent (six of 90) breaches stemmed from patchable vulnerabilities. The following year, zero breaches were due to patchable vulnerabilities.

Despite this, most CISOs have programs to "patch faster" while adversaries have moved elsewhere".

Another problem is that advice designed to address the main security shortfalls in small businesses is sometimes misapplied to large enterprises. Raw data on accidents can be applied to draw up actuarial tables for insurance purposes, but the same approach doesn't work in information security, according to Corman.

"Collecting data and numbers to try to develop actuarial tables for security just doesn't work because the problem space just isn't like that," Corman argued. "Information security is less about actuarial tables and more about game theory."

Vendor-supplied statistics are often misleading, Corman told El Reg. "Vendors pluck out figures that support their sales pitch. They use statistics like a drunk uses lampposts – more for support than illumination."

Rather than taking lessons from industry surveys, analyst reports or vendor-supplied arguments, security managers should look to lessons from military doctrine. The "observe, orient, decide and act" loop can be applied as well to fighting cyber-adversaries with unknown capabilities and tactics as it is in battlefield situations, according to Corman.

Corman is due to expand on his ideas during a conference debate snappily entitled Metrics are Bunk!?: A Zombie Apocalypse, Football/Soccer & Security Metrics at the RSA Conference in Europe on Thursday. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.