Re: [fw-wiz] Firewalls and 802.1q trunking

From: Dragos Ruiu (dr@kyx.net)
Date: 12/12/02


From: Dragos Ruiu <dr@kyx.net>
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Thu Dec 12 16:58:01 2002

Lies, damn lies, and statistics. - Mark Twain

On Tue, 10 Dec 2002 23:01:05 -0500
"Marcus J. Ranum" <mjr@ranum.com> wrote:

> Steve Evans wrote:
> >And can you say that the traffic coming from the internet is the most
> >dangerous traffic on the network. I've always understood that the vast
> >majority of the attacks come from the inside.
>
> The "80% of attacks come from the inside" statistic that
> has been broadly quoted by INFOSEC practitioners is, as far
> as I can tell, completely made up. In fact, the shocking
> results of a recent study revealed that 99.5% of statistics
> regarding Internet Security are made up, or otherwise based
> on flawed assumptions.*
>
> If it _were_ a real statistic it'd have had to take into
> account some interesting questions:
> - What percentage of "attacks" did damage?
> - Were the "attacks" counted as "successful attacks" or did
> probes count as well?
> - Is a Nessus scan an "attack"?
> - Does an "attack" like a Nessus scan (if counted as an attack)
> count as one "attack" or as "N attacks" where N is the
> number of discrete tests attempted?
> - How many "attacks" does a Code Red worm launch? 1? 25?
> What about a mass-rooter? Does a "cluster attack"
> count as a single attack or a multiple attack.
> - Does a scan of a subnet count as 255 hosts attacked? Or
> 255 * number of ports scanned? Or what?
> - Is a virus an "attack"?
>
> What I think the people who made that saying up were trying to
> do was get people to keep a balanced perspective on the relative
> insider/outsider threat. But making up bullsh@+ is not the way to
> do it. The way to do it is to point out that, as an enterprise
> grows, the personnel perimeter grows with it, and sooner or later
> you'll have a Bad Guy on the inside. And, it's probably a safe bet,
> a Bad Guy on the inside will have a higher level of access, a
> lower level of audit, and a greater knowledge of where the goodies
> are - and will be accordingly more dangerous. Will they be 80% dangerous
> to the Internet script-kiddy's 20%? It's silly to put a number on
> it.
>
> If you're out in the jungle someplace, do you worry
> more about a tiger, or a bacterium? The wise man worries about
> both! :)
>
> mjr.
> (* Poll source: I asked my horse. He appeared dubious.)
> ---
> Marcus J. Ranum http://www.ranum.com
> Computer and Communications Security mjr@ranum.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
        0 = 1 , for large values of zero and small values of one.


Relevant Pages

  • Re: Information Needed on Malicious Traffic
    ... > I am doing some research on the amount of malicious traffic on the internet. ... It receives requests from a lot of infected machines. ... IMHO statistics how long a machine can survive without being ... Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western ...
    (Incidents)
  • RE: [fw-wiz] Firewalls and 802.1q trunking
    ... >And can you say that the traffic coming from the internet is the most ... >majority of the attacks come from the inside. ... results of a recent study revealed that 99.5% of statistics ... a Bad Guy on the inside will have a higher level of access, ...
    (Firewall-Wizards)
  • Re: [fw-wiz] Firewalls and 802.1q trunking
    ... accounting on the other end makes the internet a dangerous game. ... >>majority of the attacks come from the inside. ... > results of a recent study revealed that 99.5% of statistics ... > a Bad Guy on the inside will have a higher level of access, ...
    (Firewall-Wizards)
  • Re: This group is popular!
    ... >>> While wasting time today browsing the internet, ... >>>internet. ... According to use net statistics this ... John Pertwee ...
    (alt.tv.survivor)
  • Re: This group is popular!
    ... > While wasting time today browsing the internet, ... >internet (Binaries not included). ... According to use net statistics this ...
    (alt.tv.survivor)