Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com

    Hype Machine

    Sometimes, I read the ole’ RSS and have to literally walk away from the computer.  Because I’m such a nice, caring guy I thought I’d share with you.

    STEALTH MALWARE!!! 

    The first one is from Gartner, found at “The Captain’s Blog”, the weblog of Shavlik CEO Mark Shavlik. The hype is not his fault; this is what Gartner told him:

    By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.

    This seems to me kind of like a TV psychic type of prediction. If the malware is undetectable, who’s to say you aren’t infected?

    IT’S NOT INFOSEC, IT’S CYBERWAR!!!

    It’s not like the Daily Mail is a totally credible infosec paper, but the following is from this article:

    Tens of millions of pounds are wiped off the share price of companies like Amazon as fears grow that the whole Internet credit card payment network is now vulnerable and insecure.

    Eventually, reports start to flood in that hundreds of thousands of personal bank accounts have been raided overnight.

    Panicked bank chiefs and PR men go on TV to try to reassure, promising that this is no more than an electronic glitch, but thousands of anxious citizens take to the streets, many in tears, and pour angrily into the banks to demand their savings in cash.

    When the ATM system goes down, the government steps in. A task force is appointed. There is a rush on hard cash that leads to a shortage of notes and coins.

    Soon, it is clear that the United Kingdom (and much of Europe) has been subjected to a sustained and effective cyber-terrorist attack. Disaster is narrowly avoided when a series of sophisticated viruses disrupt the workings of the National Air Traffic Control System.

    Here’s the kicker:

    Such a scenario, say some experts, is not only possible but likely in the near future.

    Um, no.  Let me go on record here (not that I’m an expert):  I don’t think this is very probable at all in the near future. 

    SECURITY RESEARCHER SHOCKED! AT CIO, CISO GRASP OF SECURITY CONCEPTS

    This is another exercise in “slow news day”. That above is the actual title of this article. It’s essentially a six-paragraph article with a shocker headline based on what a (good) blogger wrote in a couple of paragraphs way down at the bottom of a fairly long blog post (here), where it is mentioned almost as an aside. Seriously, SearchSecurity.com, this is the new journalism?

    SO HOW ABOUT SOME HYPE BUSTING?!

    Bugs With No Bite from Dark Reading starts off as a good if not very refreshing read. The premise of the article is, duh, not everything marked as critical is really critical. Unfortunately from my perspective, it doesn’t even delve into my personal assertion that so-called critical vulnerabilities rarely equate to high risk situations. Even more unfortunate is the fact that they can’t let go of the FUD factor, and in the last two paragraphs they about-face on the whole hype busting thing and try to scare you into accepting the risk tolerance of Ptacek and Maynor. Sorry guys, you’re really good vulnerability researchers and all, but there’s some sort of odd divide between your day job and good ole’ real business risk.

    A GOOD CRITIQUE OF MY OWN APPROACH

    So maybe I’m just as hype guilty? “Why Mathematical Models Just Don’t Add Up.” Found on the always excellent “Statistical Modeling, Causal Inference, and Social Science” weblog. To quote them, “It’s something every quantitative modeler should read.”

    Let’s just say we’ll see today if I’m in the Plateau of Productivity (image from Watchfire’s Blog).

    (via RiskAnalys.is)



    May 31, 2007, 10:26am