RE: [fw-wiz] Firewalls and 802.1q trunking

From: Marcus J. Ranum (mjr@ranum.com)
Date: 12/12/02


To: "Sloane, David" <DSloane@vfa.com>, "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Thu Dec 12 16:58:14 2002

Sloane, David wrote:
>Of course, using only "reported" intrusions limits the sample quite a bit.

The CSI Survey is (so far) the best thing out there. But even it
is fatally flawed because it is based on a self-selected sample.
In other words, the measure is based on those who WANTED to be
measured or CARED ENOUGH to be measured. Self-selected samples
also raise the question of all the folks who couldn't even
measure because they keep no metrics. So the CSI survey is based
on a subset of the community that we _can_ know something about,
but we _don't_ know about the folks who didn't respond. :( :(
They don't teach testing methodologies or statistics in CS
curricula, but they really ought to touch on the topic for
Infosec practitioners... :( CSI also tried to get into dollar
losses as a metric, but the losses were anonymously reported
and the victim assessed their own damages. So that means it was whatever
they chose it to be. Some organizations may have counted virus
outbreaks. Others may have counted loss of stock market
capitalization or competitive position - there's no apples-to-apples
comparison here.

[Disclaimer: the folks at CSI are friends of mine. They did the best
they could with an impossible situation. So I'm not busting on their
efforts. Is poor science better than no science at all? You decide.]

>In addition, the U.S. Treasury Department said insiders committed
>60% of the computer intrusions reported by banks and other financial
>institutions in the first four months of this year.

I believe that "computer intrusions" in this case included
insider wire fraud. Which comes back to what I asked earlier
about the definition of "attack".

If you count Code Red as an "attack" (I do, actually...) then
it and the other Internet-borne mass-rooters/scanners render
the insider threat utterly insignificant in terms of sheer
numbers of incidents.

mjr.

---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjr@ranum.com