Home > Security News > Security Blog Log: Has CSI/FBI survey jumped the shark?
Security News:
EMAIL THIS
COLUMN

Security Blog Log: Has CSI/FBI survey jumped the shark?

By Bill Brenner
21 Jul 2006 | SearchSecurity.com


Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


Security Blog Log
It's been a week since the 11th annual CSI/FBI Computer Crime and Security Survey was released, and some in the blogosphere are focusing less on the findings and more on the credibility of the survey.

The Computer Security Institute (CSI) and the San Francisco-based division of the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad released its 2006 report after surveying 616 computer security practitioners at U.S. corporations, government agencies, financial and medical institutions and universities. The average loss respondents reported due to security breaches was $167,713, an 18% decrease from last year's average loss of $203,606. The survey also pointed out that most companies are still sweeping security incidents under the rug.

The findings were hard for Chris Walsh to swallow in the Emergent Chaos blog, where he wrote, "I want to simply state that there is no reason to give this survey any credence."

Why the harsh response? Walsh said the survey instrument is sent only to CSI members, this time 5,000 of them, and that there's no reason to believe these people are a representative sample of infosec practitioners, or that their employers are representative of employers in general.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Recent columns:
Was the analyst a VA scapegoat?

Metasploit creator promises browser flaws galore

Would Blue Pill create a matrix for PCs?

He also noted that the overall response rate for this survey was just over 12% [616 of 5,000].

"Were the 12% who did answer different in any other way from the 88% who did not?" Walsh asked. "We do not know, because the report doesn't tell us."

This isn't the first time a survey involving the FBI has been met with skepticism. Ira Winkler, president of the Annapolis, Md.-based Internet Security Advisors Group (ISAG) and author of Spies Among Us, wrote a blistering critique of the bureau's 2005 FBI Computer Crime Survey, saying it lacked statistical validity and created a false perception that security technology is ineffective.

A reason for faith in Uncle Sam?
The government has caught hellfire over its lax security procedures ever since the Veterans Affairs data theft that left 26.5 million veterans and about 2.2 million active duty personnel at risk for identity fraud.

Some have asserted that the government has blown golden opportunities to protect the personal data of its citizens. But information security expert Martin McKeay, one of the many people angered over the VA security breach, wrote of one redeeming development in his Network Security blog this week.

In an entry titled "Maybe someone in the government gets it after all," he pointed to a new requirement handed down by the Office of Management and Budget mandating that federal agencies notify the United States Computer Emergency Readiness Team (US-CERT) within an hour of discovering a security breach, even if it is only a suspected breach.

"This does not mean that the public will get notification of a breach any quicker," McKeay said, "but it does mean that agencies won't be able to keep this information internal for months on end."

Motive behind Blue Pill revealed
A few weeks ago, bloggers directed some skepticism at Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, who claims to have developed Blue Pill, a technology that could be used to create what she has called "100% undetectable malware."

In her Invisible Things blog, Rutkowska has sought to address the skepticism and overall hype her work has generated. To skeptics, she insisted that her creation will indeed allow for the creation of completely invisible malware that won't be based on obscurity of the concept, and she reminded them that she'll be at on hand at the Black Hat Briefings in Las Vegas Aug. 3 to prove that Blue Pill does what she claims it does.

Rutkowska also explained in more detail her motivation for creating Blue Pill. She said all the attention surrounding Blue Pill is a good thing because hardware virtualization technology could become a major security threat in the coming years, when more people will use processors with hardware virtualization support. Her goal with Blue Pill is to show what one of these emerging threats might look like.

"Can we do anything? I believe we can," she said, "but first we need to understand the threat."

Tags: Security Industry Market Trends, Predictions and ForecastsVirtualization Security Issues and ThreatsHacker Tools and Techniques: Underground Sites and Hacking GroupsVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Security Industry Market Trends, Predictions and Forecasts
M86 buys Web security gateway vendor Finjan
Information Security Decisions 2009: Presentation downloads
Bruce Schneier on outsourcing, awareness training
Marcus Ranum on cyberwarfare, infosec careers
McAfee survey finds faults in midmarket enterprise security
Email archiving vendor sues Gartner over Magic Quadrant
Information Security magazine October issue PDF
Editor's Desk: Security 7 Winners Chronicle Trends That Shape The Industry
Information Security magazine Security 7 Award winners
Security Squad: Privacy gone awry
Security Industry Market Trends, Predictions and Forecasts Research

Virtualization Security Issues and Threats
Cloud computing data security starts with internal strategy, experts say
PCI virtualization SIG closer to proposing changes to standard
Security challenges with cloud computing services
Secure virtual desktop software enables remote client security
Security threats to virtual environments less theoretical, more practical
At VMworld 2009, companies focus on virtual desktops for security
Security fundamentals remain focus of virtualization deployments
How to implement virtual firewalls in a complex network infrastructure
How to find virtual machines for greater virtualization compliance
Quiz: Virtualization and compliance

Hacker Tools and Techniques: Underground Sites and Hacking Groups
Metasploit Project acquisition ups ante for penetration testing market
Successful rogue antivirus hinges on social engineering
DEFCON survey suggests hacker community on vacation
DoD urges less network anonymity, more PKI use
New hacker skills optimize revenue
Maturing cybercriminal economy buoyed by business savvy hackers
Juniper pulls ATM hacking presentation from Black Hat
Botnet platform helps cybercriminals bid for zombie PCs
Man pleads guilty in online banking hacking scam
ATM malware lets attackers take over machines

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
backscatter body scanning  (SearchSecurity.com)
marketecture  (SearchSecurity.com)
NCSA  (SearchSecurity.com)
Palladium  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



More Tips to Secure Your Network
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts