Incident Response | InfoSec Perception

Today I increased my virtue coefficient by getting to the swimming pool up the road from where I live (well, 7 km from where I live in farming country) early in the morning. On my way out after a vigorous set of laps (I normally swim a “mile,” which is an ancient measure of distance still used in backwaters such as the USA), I stopped at the desk to tell the attendant that I would like to switch my automatic payments from my credit card to a direct withdrawal from my bank account (VISA charges are rough on the profits of this small business in the wilds of Vermont and I’d like to do my part to help these folks out).

It’s a commonplace that information assurance suffers from two fundamental problems in information acquisition: failure of ascertainment (failing to realize that a breach of security has occurred) and failure of reporting (keeping apprehended breaches secret). In an overview of statistical methods in computer-crime reporting, I pointed out that one of the most striking research studies of ascertainment and reporting was carried out by the United States (US) Department of Defense:

In a landmark series of tests at the Department of Defense, the Defense Information Systems Agency found that very few of the penetrations it engineered against unclassified systems within the DoD seem to have been detected by system managers. These studies were carried out from 1994 through 1996 and attacked 68,000 systems. About two-thirds of the attacks succeeded; however, only 4% of these attacks were detected…. [O]f the few penetrations detected, only a fraction of 1% were reported to appropriate authorities.

The following contribution is from information security expert Michael Krausz in Vienna with editorial and textual contributions from Mich Kabay.

At a courthouse in Austria, on 28 February 2012, a security-training exercise went wrong.

In the weeks running up to the events of 28 February, police forces and the courthouse management were involved in planning what they believed to be a bright idea: conducting an exercise for courthouse staff on how to respond to someone running amok within the building.

