The Computer Security Institute (CSI) and the San Francisco-based division of the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad released its 2006 report after surveying 616 computer security practitioners at U.S. corporations, government agencies, financial and medical institutions and universities. The average loss respondents reported due to security breaches was $167,713, an 18% decrease from last year's average loss of $203,606. The survey also pointed out that most companies are still sweeping security incidents under the rug.
The findings were hard for Chris Walsh to swallow in the Emergent Chaos blog, where he wrote, "I want to simply state that there is no reason to give this survey any credence."
Why the harsh response? Walsh said the survey instrument is sent only to CSI members, this time 5,000 of them, and that there's no reason to believe these people are a representative sample of infosec practitioners, or that their employers are representative of employers in general.
"Were the 12% who did answer different in any other way from the 88% who did not?" Walsh asked. "We do not know, because the report doesn't tell us."
This isn't the first time a survey involving the FBI has been met with skepticism. Ira Winkler, president of the Annapolis, Md.-based Internet Security Advisors Group (ISAG) and author of Spies Among Us, wrote a blistering critique of the bureau's 2005 FBI Computer Crime Survey, saying it lacked statistical validity and created a false perception that security technology is ineffective.
A reason for faith in Uncle Sam?
The government has caught hellfire over its lax security procedures ever since the Veterans Affairs data theft that left 26.5 million veterans and about 2.2 million active duty personnel at risk for identity fraud.
Some have asserted that the government has blown golden opportunities to protect the personal data of its citizens. But information security expert Martin McKeay, one of the many people angered over the VA security breach, wrote of one redeeming development in his Network Security blog this week.
In an entry titled "Maybe someone in the government gets it after all," he pointed to a new requirement handed down by the Office of Management and Budget mandating that federal agencies notify the United States Computer Emergency Readiness Team (US-CERT) within an hour of discovering a security breach, even if it is only a suspected breach.
"This does not mean that the public will get notification of a breach any quicker," McKeay said, "but it does mean that agencies won't be able to keep this information internal for months on end."
Motive behind Blue Pill revealed
A few weeks ago, bloggers directed some skepticism at Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, who claims to have developed Blue Pill, a technology that could be used to create what she has called "100% undetectable malware."
In her Invisible Things blog, Rutkowska has sought to address the skepticism and overall hype her work has generated. To skeptics, she insisted that her creation will indeed allow for the creation of completely invisible malware that won't be based on obscurity of the concept, and she reminded them that she'll be at on hand at the Black Hat Briefings in Las Vegas Aug. 3 to prove that Blue Pill does what she claims it does.
Rutkowska also explained in more detail her motivation for creating Blue Pill. She said all the attention surrounding Blue Pill is a good thing because hardware virtualization technology could become a major security threat in the coming years, when more people will use processors with hardware virtualization support. Her goal with Blue Pill is to show what one of these emerging threats might look like.
"Can we do anything? I believe we can," she said, "but first we need to understand the threat."