On Tuesday 31 May 2005 23:43, Perry E. Metzger wrote:
> Ian G <[EMAIL PROTECTED]> writes:

Just on the narrow issue of data - I hope I've addressed the other substantial points in the other posts.

> > The only way we can overcome this issue is data.
>
> You aren't going to get it. The companies that get victimized have a
> very strong incentive not to share incident information very
> widely.

On the issue of sharing data by victims, I'd strongly recommend the paper by Schechter and Smith, FC03, "How Much Security is Enough to Stop a Thief?"
http://www.eecs.harvard.edu/~stuart/papers/fc03.pdf

I've also got a draft paper that argues the same thing and speaks directly and contrarily to your statement: sharing data is part of the way towards better security. (But I argue it from a different perspective to S&S.)

> 1) You have one anecdote. You really have no idea how
> frequently this happens, etc.

The world for security in the USA changed dramatically when Choicepoint hit. Check out the data at:
http://pipeda.blogspot.com/2005/02/summaries-of-incidents-cataloged-on.html
http://www.strongauth.com/regulations/sb1386/sb1386Disclosures.html

Also, check out Adam's blog at http://www.emergentchaos.com/ He has a whole category entitled Choicepoint for background reading:
http://www.emergentchaos.com/archives/cat_choicepoint.html

Finally we have our data in the internal governance and hacking breaches. As someone said today, Amen to that. No more arguments, just say "Choicepoint."

> 2) It doesn't matter how frequently it happens, because no two
> companies are identical. You can't run 100 choicepoints and see
> what percentage have problems.

We all know that the attacker is active and can change tactics. But locksmiths still recommend that you put a lock on your door that is a) a bit stronger than the door and b) a bit better than your neighbours'. Just because there are interesting quirks and edge cases in these sciences doesn't mean we should wipe out other aspects of our knowledge of scientific method.

> 3) If you're deciding on how to set up your firm's security, you can't
> say "95% of the time no one attacks you so we won't bother", for
> the same reason that you can't say "if I drive my car while
> slightly drunk 95% of the time I'll arrive safe", because the 95%
> of the time that nothing happens doesn't matter if the cost of the
> 5% is so painful (like, say, death) that you can't recover from
> it.

Which is true regardless of whether you are slightly drunk or not at all, or whether a few pills had been taken or tiredness hits. Literally, like driving when not 100% fit, the decision maker makes a quick decision based on what they know. The more they know, the better off they are. The more data they have, the better informed their decision.

> In particular, you don't want to be someone on whose watch a
> major breach happens. Your career is over even if it never happens
> to anyone else in the industry.

Sure. Life's a bitch. One can only do one's best and hope it doesn't hit. But have a read of S&S' paper, and if you still have the appetite, try my draft:
http://iang.org/papers/market_for_silver_bullets.html

> Statistics and the sort of economic analysis you speak of depends on
> assumptions like statistical independence and the ability to do
> calculations. If you have no basis for calculation and statistical
> independence doesn't hold because your actors are not random processes
> but intelligent actors, the method is worthless.

No, that's way beyond what I was saying. I was simply asserting one thing: without data, we do not know if an issue exists. Without even a vaguely measured sense of seeing it in enough cases to know it is not an anomaly, we simply can't differentiate it from all the other conspiracy theories, FUD sales, government agendas, regulatory hobby horses, history lessons written by victors, or what-have-you.

Ask any manager. Go to him or her with a new threat. He or she will ask "who has this happened to?"

If the answer is "it used to happen all the time in 1994 ..." then a manager could be forgiven for deciding the data was stale. If the answer is no-one, then no matter how risky, the likely answer is "get out!" If the answer is "these X companies in the last month" then you've got some mileage.

Data is everything.

iang

-- 
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html

---------------------------------------------------------------------
The Cryptography Mailing List