| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 10 Apr 2010 23:09:22 -0400
From: Valdis.Kletnieks@...edu
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds
On Sat, 10 Apr 2010 18:00:23 -0000, "Thor (Hammer of God)" said:
> According to the 2009 Verizon Business Breach Report, 81% of the attack victims were not PCI compliant:
>
> http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Verizon Business has gotten a good reputation for having good hard numbers.
I'd have to say their breach reports are probably close to the most accurate
numbers we're going to get in this industry.
> 81% of victims were not PCI compliant.
In and of itself, doesn't say much, but combined with these 3:
> 83% of attacks were not highly difficult.
> 87% were considered avoidable through simple or intermediate controls.
> 99.9% of records were compromised from servers and applications (meaning, not clients).
Sad, ain't it? Over 4 out of 5 times, the hack wasn't hard, and almost 9 out
of 10 times, basic hardening would have prevented it.
Unfortunately, there's not enough data there to say if the 81% had been compliant,
if that would have imposed enough hardening to stop the attacks dead in their
tracks. Probably in most of the cases it would have, though.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists