Comments on: Whaddaya Know? The Need for Evidence-based Security http://spiresecurity.com/?p=142 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Pete Lindstrom http://spiresecurity.com/?p=142&cpage=1#comment-159 Pete Lindstrom Thu, 21 Aug 2008 04:17:06 +0000 http://spiresecurity.com/blog/?p=142#comment-159 @Dean -

You’ve highlighted the insidious part of this problem. Unless you’re going to tell me that everyone who doesn’t get compromised is invulnerable, we are simply cherry-picking vulnerabilities in hindsight.

There are almost certainly other entities that didn’t get compromised yet have the exact same problems. And there are plenty of other problems to go along.

If everyone is some level of “insecure” then what level of insecurity is reasonable?

]]> By: Dean Loomis http://spiresecurity.com/?p=142&cpage=1#comment-158 Dean Loomis Thu, 21 Aug 2008 00:35:26 +0000 http://spiresecurity.com/blog/?p=142#comment-158 “T.J. Maxx, ChoicePoint, NextOnTheList Inc.? We know their programs were poor because they had an incident. Hogwash, pure hogwash.” Hogwash indeed, but not for the reasons you say. We know TJX was insecure because we know that they failed to remediate well-known weaknesses — they used WEP security on their wireless LANs and didn’t separate store networks from the HQ datacenter networks. We know that Choicepoint was insecure because they didn’t validate need to know for sensitive customer data.

Evidenced-based security will fail because the evidence is kept secret. It works in healthcare because the criteria for morbidity and mortality are well-defined, and there are penalties imposed on doctors ranging up to loss of license for failure to report critical cases. The best that even Dan Geer can suggest for improving reporting is for the FASB to change accounting standards to require valuation of intangible assets. Not gonna happen…

]]>