Subscribe: Schneier on Security
http://www.schneier.com/blog/index.rdf

Schneier on Security



A blog covering security and security technology.



Updated: 2016-09-29T11:51:02Z

 



The Cost of Cyberattacks Is Less than You Might Think

2016-09-29T11:51:02Z

Interesting research from Sasha Romanosky at RAND:

Abstract: In 2013, the US President signed an executive order designed to help secure the nation's critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow along. Will frameworks such as that proposed by NIST really induce firms to adopt better security controls? And if not, why? This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack. Specifically, we examine a sample of over 12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. First, we analyze the characteristics of these breaches (such as causes and types of information compromised). We then examine the breach and litigation rate, by industry, and identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Public concerns regarding the increasing rates of breaches and legal actions, conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm's annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.

The result is that it often makes business sense to underspend on cybersecurity and just pay the costs of breaches:

Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.

As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.

What's being left out of these costs are the externalities. Yes, the costs of a cyberattack to the company that suffers it are low, but there are often substantial additional costs borne by other people. The way to look at this is not to conclude that cybersecurity isn't really a problem, but instead that there is a significant market failure that governments need to address.




Malware Tries to Detect Test Environment

2016-09-28T11:34:26Z

A new malware tries to detect if it's running in a virtual machine or sandboxed test environment by looking for signs of normal use and not executing if they're not there.

From a news article:

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found...looks for existing documents on targeted PCs.

If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
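Defenders can turn this check around: seed the analysis VM with decoy documents so the sample's own "does this box look used?" test passes and the payload stage runs where it can be observed. The Python below is an added example, not code from the article or from Fenton's analysis; the function names, folder layout, file names and timestamps are constructed assumptions, and the threshold mirrors the "more than two Word documents" rule quoted above.

```python
import os, random, tempfile, time, zipfile
from pathlib import Path

WORD_EXTENSIONS = {".doc", ".docx", ".docm"}
# Minimal parts that make a ZIP container a structurally valid .docx (OPC package); content is constructed.
_PARTS = {
    "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "_rels/.rels": '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
    "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Decoy document (constructed)</w:t></w:r></w:p></w:body></w:document>',
}

def write_decoy_docx(path):
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in _PARTS.items():
            z.writestr(name, body)

def seed_decoy_documents(root, count=6, seed=1):
    """Scatter plausibly named, plausibly aged decoys across typical user folders (hypothetical helper)."""
    rng = random.Random(seed)  # deterministic, so the sandbox image is reproducible
    names = ["Budget_Q3", "Meeting notes", "Travel expenses", "Draft proposal", "Invoice", "Resume"]
    folders, written, now = ["Documents", "Desktop", "Downloads"], [], time.time()
    for i in range(count):
        folder = Path(root) / folders[i % len(folders)]
        folder.mkdir(parents=True, exist_ok=True)
        path = folder / f"{names[i % len(names)]}_{i}.docx"
        write_decoy_docx(path)
        age = rng.uniform(1, 400) * 86400  # mtimes spread over a year, not all equal to the image build time
        os.utime(path, (now - age, now - age))
        written.append(path)
    return written

def count_word_documents(root):
    return sum(1 for p in Path(root).rglob("*") if p.suffix.lower() in WORD_EXTENSIONS)

def passes_document_check(root, threshold=2):
    """The article's heuristic: more than two Word documents means the box looks used."""
    return count_word_documents(root) > threshold

def demo(count=6):
    # Seed a throwaway directory; report the verdict before and after, plus decoy validity.
    with tempfile.TemporaryDirectory() as tmp:
        before = passes_document_check(tmp)
        paths = seed_decoy_documents(tmp, count)
        valid = all(zipfile.is_zipfile(p) for p in paths)
        after = passes_document_check(tmp)
    return before, len(paths), valid, after
```

Document count is only one of many "signs of normal use" a sample may look for (browser history, recent-files lists, uptime), so treat this seeding as one layer of a sandbox's realism, not the whole answer.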




Using Neural Networks to Identify Blurred Faces

2016-09-27T14:39:27Z

Neural networks are good at identifying faces, even if they're blurry:

In a paper released earlier this month, researchers at UT Austin and Cornell University demonstrate that faces and objects obscured by blurring, pixelation, and a recently-proposed privacy system called P3 can be successfully identified by a neural network trained on image datasets -- in some cases at a more consistent rate than humans.

"We argue that humans may no longer be the 'gold standard' for extracting information from visual data," the researchers write. "Recent advances in machine learning based on artificial neural networks have led to dramatic improvements in the state of the art for automated image recognition. Trained machine learning models now outperform humans on tasks such as object recognition and determining the geographic location of an image."

Research paper




Brian Krebs DDoS

2016-09-27T11:34:27Z

Brian Krebs writes about the massive DDoS attack against his site. In fact, the site is down as I post this.

EDITED TO ADD (9/27): Good commentary here.




Friday Squid Blogging: Space Kraken

2016-09-23T21:14:12Z

A Lego model of a giant space kraken destroying a Destroyer from Star Wars.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.




iPhone 7 Jailbreak

2016-09-23T15:11:07Z

It took 24 hours.

Slashdot thread.




Amtrak Security Awareness

2016-09-22T18:03:53Z

I like this Amtrak security awareness campaign. Especially the use of my term "security theater."




Tesla Model S Hack

2016-09-21T12:33:26Z

Impressive remote hack of the Tesla Model S.

Details. Video.

The vulnerability has been fixed.

Remember, a modern car isn't an automobile with a computer in it. It's a computer with four wheels and an engine. Actually, it's a distributed 20-400-computer system with four wheels and an engine.




Two Good Essays on the NSA's "Upstream" Data Collection under Section 702

2016-09-20T18:32:40Z

Both are worth reading.




More on the Equities Debate

2016-09-20T12:34:46Z

This is an interesting back-and-forth: initial post by Dave Aitel and Matt Tait, a reply by Mailyn Fidler, a short reply by Aitel, and a reply to the reply by Fidler.