This is basically untrue. I can deal with a good rant as long as there's some value in it. As it is (I'm sorta sorry) I picked this apart. On Jun 12, 2013 12:04 AM, "Ricky Beam" <jfbeam@gmail.com> wrote:
> On Tue, 11 Jun 2013 22:55:12 -0400, <Valdis.Kletnieks@vt.edu> wrote:
>> But seriously, how do you measure one's security?

Banks and insurance companies supposedly have some interesting actuarial data on this.

> The scope is constantly changing.

Not really. The old tricks are the best tricks. And when a default install of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.

> While there are companies one can pay to do this, those reports are *very* rarely published.

It seems you are referring to two things: exploit writing vs. pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful, so I'm not saying spend 2k and forget about it). Basically, not everyone needs to pay for a professional test out of the gate; fix the easily found stuff and then consider next steps. As for exploit writing, you can pay for this and have an 0day for between $10k and $50k (AFAIK; not what I do with my time / money), but while you've got stuff with known issues on the net that any scanner can find, thinking someone is going to think about using an 0day to break into your stuff is a comical wet dream.

> And I've not heard of a single edu performing such an audit.

And you won't. I'm not going to tell you about past problems with my stuff because even after I think I've fixed everything, maybe I missed something that you can now easily find with the information I've disclosed. There are information sharing agreements between entities generally in the same industry (maybe even some group like this for edu?). But this will help with source and signatures; if your network is like a sieve, fix that first :)

> The only statistics we have to run with are of *known* breaches.

As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud: you're in with the big boys (military, power plants, spy agencies); someone paid top dollar for your stuff because you had everything else closed.

> And that's a very bad metric, as a company with no security at all that's had no (reported) intrusions appears to have very good security, while a company with extensive security looks very bad after a few breaches.

I'll take that metric any day :) Most companies only release a break-in if they leak customer data. The only recent example I can think of where this wasn't true was the Canadian company that develops SCADA software disclosing that China stole their stuff. Second, if you look at the stocks of public companies that were hacked a year later, they're always up. The exception to this is HBGary, who pissed off Anonymous and are no longer in business (they had shady practices that were disclosed by the hack; don't do this).

> One has no one sniffing around at all, while the other has teams going at it with pick-axes.

If you have no one sniffing around, you've got issues.

> One likely has no one in charge of security, while the other has an entire security department.

Whether you have a CSO in name or not might not matter. Depending on the size of the organization (and politics), a CTO that understands security can do just as much.
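The NTLM remark above is the kind of thing a defender can check locally. Added example, not from this thread or its authors: a PowerShell audit of the LSA policy values that decide whether a Windows host will still send or accept LM/NTLMv1 responses. It assumes the standard Lsa and Lsa\MSV1_0 registry value names and an elevated shell.

```powershell
# Added example: report weak NTLM settings on the local host (read-only, changes nothing).
function Get-LsaValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return $item.$Name
}

function Test-NtlmHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $findings = New-Object System.Collections.Generic.List[string]

    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, 3 sends NTLMv2 only,
    # 4 refuses LM and 5 refuses LM and NTLMv1 when this host authenticates clients.
    $level = Get-LsaValue $lsa 'LmCompatibilityLevel'
    if ($null -eq $level) {
        $findings.Add('LmCompatibilityLevel unset: OS default applies; pin it explicitly (5 is the strict setting)')
    } elseif ($level -lt 3) {
        $findings.Add("LmCompatibilityLevel=$level: this host may send LM/NTLMv1 responses")
    } elseif ($level -lt 5) {
        $findings.Add("LmCompatibilityLevel=$level: this host still accepts LM or NTLMv1 from clients")
    }

    # NtlmMinClientSec / NtlmMinServerSec are bitmasks: 0x00080000 requires NTLMv2
    # session security, 0x20000000 requires 128-bit encryption (0x20080000 = both).
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $mask = Get-LsaValue $msv $name
        if ($null -eq $mask) { $findings.Add("${name} unset: pin it explicitly to 0x20080000"); continue }
        if (($mask -band 0x00080000) -eq 0) { $findings.Add("${name}: NTLMv2 session security not required") }
        if (($mask -band 0x20000000) -eq 0) { $findings.Add("${name}: 128-bit encryption not required") }
    }

    # NTLM restriction policies: 0/unset = allow everything. Audit (1) before deny (2),
    # because legacy devices that only speak NTLM will break once it is denied.
    $send  = Get-LsaValue $msv 'RestrictSendingNTLMTraffic'
    $recv  = Get-LsaValue $msv 'RestrictReceivingNTLMTraffic'
    $audit = Get-LsaValue $msv 'AuditReceivingNTLMTraffic'
    if (-not $send) { $findings.Add('RestrictSendingNTLMTraffic: outgoing NTLM neither audited nor restricted') }
    if (-not $recv -and -not $audit) { $findings.Add('Incoming NTLM neither audited nor restricted') }

    return $findings
}

$result = @(Test-NtlmHardening)
if ($result.Count -eq 0) { 'No weak NTLM settings found' } else { $result }
```

Each finding maps to a Group Policy setting under Security Options, so the same checks can be compared against the GPO that is supposed to apply.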