
Infosec 'needs warrior cryptoboffins' to beat hackers

Drop and give me 50 better data sets, maggot


RSA Europe: The infosec industry needs to move beyond "faith-based security" to an evidence-based approach that takes ideas from battlefield combat if corporations are ever to get ahead of hackers and keep security spending down to manageable levels.

Joshua Corman, director of security intelligence at Akamai, argued that while almost every enterprise attempts to develop security metrics for its environment, these approaches are more akin to "numerology" than hard science.

Raw data and numbers are rarely available in the field of information security and, when they are, they tend to get misquoted or misunderstood, according to Corman. For example, a widely cited misquote from a Verizon data breach report – "90 per cent of breaches in 2008 were due to patchable vulnerabilities where a patch had been available for 12-18 months" – is often taken as a basis by enterprises for developing a security policy.

In truth, the sentence needed to be qualified: "of the 22 per cent that were patchable [the patch had been available for more than a year]". By 2009, only 6.7 per cent (six of 90) breaches stemmed from patchable vulnerabilities. The following year, zero breaches were due to patchable vulnerabilities.

Despite this, most CISOs have programs to "patch faster" while adversaries have moved elsewhere.

Another problem is that advice designed to address the main security shortfalls in small businesses is sometimes misapplied to large enterprises. Raw data on accidents can be applied to draw up actuarial tables for insurance purposes, but the same approach doesn't work in information security, according to Corman.

"Collecting data and numbers to try to develop actuarial tables for security just doesn't work because the problem space just isn't like that," Corman argued. "Information security is less about actuarial tables and more about game theory."

Vendor-supplied statistics are often misleading, Corman told El Reg. "Vendors pluck out figures that support their sales pitch. They use statistics like a drunk uses lampposts – more for support than illumination."

Rather than taking lessons from industry surveys, analyst reports or vendor-supplied arguments, security managers should look to lessons from military doctrine. The "observe, orient, decide and act" loop applies as well to fighting cyber-adversaries with unknown capabilities and tactics as it does to battlefield situations, according to Corman.

Corman is due to expand on his ideas during a conference debate snappily entitled "Metrics are Bunk!?: A Zombie Apocalypse, Football/Soccer & Security Metrics" at the RSA Conference in Europe on Thursday. ®
