From the desk of Julian Assange:
>A flawed and useless study. When will these people find some academic
>and statistical rigor? The above figures are useless without error
>margins. Having digits after the decimal point implies an error margin
>less than 0.05%. In a field like this, I am confident such a figure is
>one of sheer deception. I suspect strongly that the error margin in this
>sort of study approximates +-49.9%.
While Julian raises some good points about the statistical accuracy
of *any* surveys, I would like to say that the results of CSI's
survey match pretty closely with what we have seen in the field, so
I wouldn't toss the baby out with the bath water.
From our experience:
o Most companies wouldn't know if they were broken into unless the
attacker were very stupid, very sloppy or just unlucky.
("No amount of planning can ever replace dumb luck") 8^)
o The Access Control Mechanisms of most corporations are grossly
inadequate. Case in point: any banking-by-phone systems where
you only have to enter your PIN # and the size of your last
deposit (gee, dial code, 2 nested loops, write the results to
a file & do the cleanup code - real rocket science).
o Most companies do *NOT* have good InfoSec (or reasonable facsimile
o Most external connections are either wide-open or have an extremely
trivial authentication mechanism which could be bypassed in a couple
hours (if you lost your decoder ring).
o The Operating System security is the same as when it was installed
OOTB (Out Of The Box). No alarms, no ACLs, & security turned off
o Most companies are very vulnerable to social engineering.
o Many companies (and state/local governments) are outsourcing their
IT operations. You can imagine how enthused the police departments
are about this proposition. The possibilities for corruption/abuse
just took a sharp turn in the wrong direction.
Pretty miserable state of affairs. It is estimated that corporations
will only lose >$10 Billion dollars due to hacking this year. I wonder
why. Things are getting better, though. The recent publicity about
the Internet & hacking has caused many companies to wonder how good
their security really is and to be genuinely concerned.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist