www.hackformers.org

Beware Wolves in Sheep's Clothing: Information Security Threat Reports, Separating Fact from FUD

Clare Nelson, CISSP
CEO, ClearMark Consulting
January 11, 2013

"...just because it's true doesn't make it not FUD"[1]
- Rafal Los

[1] Source: HP Enterprise Security Blog: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/Abandon-FUD-scare-tactics-and-marketing-hype-to-sell-information/ba-p/5551189

Speaker Background

• 30+ years in high tech, startups and Fortune 100 companies:
  – GM (Space Shuttle subcontractor for Boeing), ACC (now Ericsson), CMC (now Rockwell), DEC (now HP), EMC, Dazel (now HP), Dell, TeaLeaf Technology (now IBM), Novell (now The Attachmate Group), ClearMark Consulting
• ClearMark Consulting: business development for Secure Mentem, Blue Coat spinout Quarri Technologies, SGI
• Technical background, Sales & Marketing
  – Software development (Unix device drivers, encrypted TCP/IP variants, Space Shuttle test software)
  – System management, Product management, Marketing, Sales (Asia, Europe), Global Alliances, Business Development, IAM
• First female director in Dell's Server and Storage division
• CISSP, Member Austin ISSA Board
• Publications include "Security Metrics," ISSA Journal, August 2010
• BS Mathematics, Tufts University
• @Safe_SaaS
• clare_nelson@clearmark.biz

Beware Wolves in Sheep's Clothing
Information Security Threat Reports, Separating Fact from FUD

HackFormers Mission
1. Teach Security
2. Teach Christ
3. Teach Security in Christ

Teach Security

Scope

• Information Security Threat Reports
• Free
• Download with or without registration
• Sources
  – Government, Industry, IT Companies

What is a Threat?

"Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."

Source: Diagram attributed to Rasmussen, http://www.gideonrasmussen.com/article-24.html
Source: Threat definition attributed to NIST, SP800-30-2, "Risk Management Guide for Information Technology Systems," July 2002, page 19

What is a Threat, Really?

[Diagram: Threats, Vulnerabilities and Risk]

Source: Marinus van Aswegen, Security Architect, Telic Consulting, January 4, 2013 blog entry, http://telicthoughts.blogspot.com/2009/02/threats-vulnerabilities-and-risk.html?m=1

What Is a Threat Landscape?

Source: Fortinet, http://www.fortinet.com/aboutus/aboutus.html

What Is Your Threat Landscape IQ?

[Diagram: You / Understanding of Threat Landscape]

Threat Landscape: Knowing What You Don't Know

[Iceberg diagram: Unclassified (above the waterline), Classified, Unknown unknowns...]

Iceberg metaphor attributed to Shawn Henry, President of CrowdStrike Services, from DEF CON talk

What Is at Stake? Risk, Loss Exposure[1]

"One company that was recently the victim of an intrusion determined it had lost 10 years worth of research and development—valued at $1 billion—virtually overnight."[2]

Shawn Henry
Executive Assistant Director
Federal Bureau of Investigation
ISSA International Conference
Baltimore, Maryland
October 20, 2011

[1] Source: ConSec 2012, Austin, Texas: Jack Jones on Risk; he prefers the term "Loss Exposure"
[2] Source: http://www.fbi.gov/news/speeches/responding-to-the-cyber-threat

The Problem

Attacks evolve, morph and improve. Limited time and resources for tracking and understanding the threat landscape.

How Do You Stay Informed?

Information Security Reports

Threat Intelligence Hype
How to measure the IQ of the data you're being fed

"It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it."

Wendy Nather
Research Director of the Enterprise Security Practice, 451 Research

Source: Dark Reading, November 16, 2012; http://www.darkreading.com/security-monitoring/167901086/security/news/240142229/threat-intelligence-hype.html

Secondary Problem

"Threat Intelligence Reports Play Key Role In Security Strategies"[1]

Threat Intelligence Reports are used to:
1. Shape Security Strategies
2. Justify Security Resource and Budget Requests
3. Execs want more "actionable intelligence" and "defense recommendations"[2]

Solutionary Survey: n = 178

"Security has evolved from a tactical IT concern to boardroom-level dilemma. This transition has challenged many executives who are now obligated to protect their organization's critical assets."[3]

[1] Source: Dark Reading, http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilities/240144404/survey-threat-intelligence-reports-play-key-role-in-security-strategies.html?cid=nl_DR_daily_2012-12-14_html&elq=224c4f1f11cd499a806bf687f64ec08a
[2] Source: Solutionary, http://www.solutionary.com/index/intelligence-center/press-releases/Threat-Intelligence-Survey.php
[3] Source: Security Battleground: An Executive Field Manual (book) by Michael Fey, et al (March 2012)

Beware the Survey and other Jabberwocks

Look for reports based on first-hand evidence collected during forensics investigations

Example 1: August 2012 Press Release

"Independent study finds that financial institutions are losing clients as a result of a single fraud attack"

"Third annual Guardian Analytics and Ponemon Institute 'Business Banking Trust Study' detects widespread fraud and loss of funds"

Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php

Example 1 (continued): Fact or FUD?

• Guardian paid Ponemon to conduct the independent survey
  – 998 SMBs in the US
• Guardian sells: Behavior-based anomaly detection solutions to prevent banking fraud

Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php

Example 2: Fact or FUD?

• McAfee quarterly threat report
• "... the reports exaggerated mobile malware..."
• "Virus companies are playing on your fears to try to sell you [...bleeped word...] protection software for Android, RIM, and, iOS," DiBona said.
• "They are charlatans and scammers. If you work for a company selling virus protection for [them], you should be ashamed of yourself."

Source: http://www.csoonline.com/article/715489/threat-reports-finger-android-again

What Are "Authoritative" Threat Reports? Good, Bad, Ugly

Organization | Threat Report
AVG Threat Labs | AVG Threat Labs Website Reports
CERT, CMU (DHS S&T, USSS) | Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, July 2012
Cisco | Cisco 2Q 2011 Global Threat Report
Commtouch | Internet Threat Trends Report, October 2012
Deloitte | 2012 Deloitte-NASCIO Cybersecurity Study
ESET | Global Threat Report: November 2012
FBI, National White Collar Crime Center | 2011 Internet Crime Report
FireEye | Advanced Threat Report 1H 2012
F-Secure | Mobile Threat Report Q3/2012
Georgia Tech Information Security Center | Emerging Cyber Threats Report 2013
HP | 2011 Top Cyber Security Risks Report
IBM | IBM X-Force Mid-Year Trend and Risk Report, September 2012
Mandiant | M-Trends 2012: An Evolving Threat
McAfee | McAfee Threats Report: Third Quarter 2012
Microsoft | Microsoft Security Intelligence Report (Includes Worldwide Threat Assessment), Volume 13
Sophos | Security Threat Report 2013
Symantec | Internet Security Threat Report, Volume 17
Trustwave | Trustwave 2012 Global Security Report
US Government Accountability Office (GAO) | Cybersecurity Threats Impacting the Nation
Verizon | Verizon Data Breach Investigations Report (DBIR) 2012
Verizon | Verizon 2011 Investigative Response Caseload Review
Websense | Websense 2012 Threat Report
WhiteHat Security | WhiteHat Security Website Statistics Report, Summer 2012

2012 Verizon DBIR

• 855 incidents, 174 million compromised records; contributing organizations:
  – Verizon
  – United States Secret Service (USSS)
  – Dutch National High Tech Crime Unit (NHTCU)
  – Australian Federal Police (AFP)
  – Irish Reporting & Information Security Service (IRISS)
  – Police Central eCrimes Unit (PCeU) of the London Metropolitan Police
• Summary Statistics
  – 85% of breaches took weeks or more to discover
  – 97% of breaches were avoidable through simple or intermediate controls

Source: http://www.verizonbusiness.com/about/events/2012dbir/

What Are "Authoritative" Threat Reports?
Who Tells Congress What to Read?

Cybersecurity Authoritative Reports and Resources
Tehan, R., (latest version, December 2012)
Congressional Research Service
Prepared for Members of Congress
7-5700, www.crs.gov, R42507

What Are "Authoritative" Threat Reports?
Are They a Form of Marketing?

M-Trends: The One Threat Report You Need to Read

If you're not paying for something, you're not the customer; you're the product being sold.
- Andrew Lewis

Source: https://www.mandiant.com/blog/archives/2326

What Are "Authoritative" Threat Reports?
Are They a Form of Marketing?

"Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings."
- David Schwartzberg, SophosLabs

Source: http://www.darkreading.com/blog/240143806/android-riskier-than-pcs-sophos-security-threat-report-2013.html

That Giant Sucking Sound[1]

"I wish more IT Security people would take: [Econ 101, Stats 101, Formal Logic, and Survey 101] (all people really)" -- @joshcorman, Tweeted January 7, 2013

[1] Source: http://en.wikipedia.org/wiki/Giant_sucking_sound. The "giant sucking sound" was United States Presidential candidate Ross Perot's colorful phrase for what he believed would be the negative effects of the North American Free Trade Agreement (NAFTA), which he opposed.

What Are "Authoritative" Threat Reports?
Are They a Form of Marketing?

Websense Security Labs discovers and investigates today's advanced security threats and publishes its findings.

Download report, get email, get phone call ...all within 30 minutes

Source: Websense, http://www.websense.com/content/websense-2012-threat-report-download.aspx

What Are "Authoritative" Reports?
Lies, Damned Lies and Statistics

McAfee Explains The Dubious Math Behind Its 'Unscientific' $1 Trillion Data Loss Claim
- August 3, 2012, Forbes.com

No, the statistic was not simply made up. Yes, it's just a "ballpark figure" and an "unscientific" one, the company admits. But despite Pro Publica's criticisms and its own rather fuzzy math, the company stands by its trillion-dollar conclusion as a (very) rough estimate.

Source: Tehan, R., (July 2012) Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507.

What Are "Authoritative" Threat Reports?
Art or Science?

"Threat analysis, in many ways, is equal parts art and science."

Source: McAfee Threats Report: Third Quarter 2012

What Are "Authoritative" Reports?
"There Are No Facts, Only Interpretations"

"At McAfee Labs we try to apply as much math and analytical rigor to our analysis as we can, but we often cannot see the whole picture. We must also interpret and surmise many things. German philosopher Friedrich Nietzsche wrote "There are no facts, only interpretations." This bit of wisdom strikes us as quite relevant to analyzing threats.

Depending on one's perspective, threats can mean many things. Spam, for example, looks like it's on a steady decline when viewed globally, but when looked at locally or by country we see tremendous variations. The same can be said of many threat vectors we analyze..."

Source: McAfee Threats Report: Third Quarter 2012

What is the Geographic Coverage?

[Map: F-Secure, Shadowserver and Conficker Working Group, "Conficker World Map."]

Source: http://www.f-secure.com/weblog/archives/00001646.html (September 3, 2012).

Why Do Some Reports Conflict?

[Image: Le Penseur, by Auguste Rodin]

Who Sponsors the Reports? What is the Methodology?

Methodology

MSSP and Product Data Collection
• Customer profile, installed base sampling, geography
• Filtering, default versus unique settings
• Compare with previous reports, not apples-to-apples
• Data aggregation methods
• Time: what period does the report cover?
• Does the report clearly state the date of publication?

Surveys
• Unrepresentative samples
• Measurement error
  – Leading questions
  – Social desirability
• Sampling error and survey bias

Sponsorship

Who Funded the Report?
• Spread misleading information
• Spread FUD
• Skewed toward latest product or service

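The "Sampling error and survey bias" bullet above, and the Stats 101 plea quoted a few slides earlier, are easy to act on with a few lines of arithmetic. The following is an added example, not part of the original slides or of any vendor report: it computes the confidence interval and margin of error that a survey-based threat report should print next to every headline percentage, and runs a two-proportion z-test to ask whether a "this year vs last year" swing is larger than the noise of the two samples. The sample sizes are the two the deck quotes (Solutionary n = 178, Ponemon n = 998); the response counts and percentages fed into the functions are constructed for illustration.

```python
"""Sanity checks for survey statistics quoted in vendor threat reports.

Added example; not part of the original slides. The sample sizes are the
ones the deck quotes (Solutionary n = 178, Ponemon n = 998); the response
counts passed to the functions below are constructed for illustration.
"""
import math

Z95 = 1.959964  # two-sided 95% normal quantile


def wilson_interval(successes: int, n: int, z: float = Z95) -> tuple:
    """95% Wilson score interval for a proportion.

    Preferred over the textbook p +/- z*sqrt(p(1-p)/n) because it stays
    inside [0, 1] and behaves sensibly for small n or extreme proportions.
    """
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need 0 <= successes <= n and n > 0")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def margin_of_error(n: int, p: float = 0.5, z: float = Z95) -> float:
    """Normal-approximation margin of error for a simple random sample.

    p = 0.5 is the worst case, which is the "+/- x points" figure a report
    should state next to its headline percentages.
    """
    return z * math.sqrt(p * (1 - p) / n)


def two_proportion_z(x1: int, n1: int, x2: int, n2: int, z: float = Z95) -> tuple:
    """Pooled two-proportion z-test.

    Returns (z_statistic, significant_at_95pct). Use it to check whether an
    'X% this year vs Y% last year' trend is larger than sampling noise.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, False
    stat = (p1 - p2) / se
    return stat, abs(stat) > z


def describe_claim(label: str, successes: int, n: int) -> str:
    """One-line summary: point estimate plus the interval it should carry."""
    lo, hi = wilson_interval(successes, n)
    return f"{label}: {successes / n:.1%} of n={n}, 95% CI {lo:.1%} to {hi:.1%}"


if __name__ == "__main__":
    # Sample sizes from the deck; the counts (about 60% "yes") are constructed.
    print(describe_claim("Solutionary survey", 107, 178))
    print(describe_claim("Ponemon SMB survey", 599, 998))
    print(f"Worst-case margin, n=178: +/-{margin_of_error(178):.1%}")
    print(f"Worst-case margin, n=998: +/-{margin_of_error(998):.1%}")

    # A 5-point year-over-year swing at n=178 is inside the noise ...
    stat, sig = two_proportion_z(107, 178, 98, 178)
    print(f"60% vs 55% at n=178: z={stat:.2f}, significant={sig}")
    # ... a 20-point swing is not.
    stat, sig = two_proportion_z(107, 178, 71, 178)
    print(f"60% vs 40% at n=178: z={stat:.2f}, significant={sig}")
```

When a report gives only a percentage and a sample size, feed them in and look at the interval width; at n = 178 the worst-case margin is about seven points either way, so two vendors disagreeing by five points on the same question are not actually disagreeing.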
  



Are Terms Defined?

Advanced Persistent Threat

FUD or Not?

"Advanced malware continues to grow and in the first half of 2012 is up nearly 400% versus the first half of 2011."

Source: http://blog.fireeye.com/research/2012/08/just-released-fireeye-advanced-threat-report-1h-2012.html (November 1, 2012)

Teach Christ

Sermon on the Mount

Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves.
Matthew 7:15

What is a False Prophet?

Matthew Henry's Commentary, Matthew 7:15-20

Nothing so much prevents men from entering the strait gate, and becoming true followers of Christ, as the carnal, soothing, flattering doctrines of those who oppose the truth.

They may be known by the drift and effects of their doctrines. Some part of their temper and conduct is contrary to the mind of Christ. Those opinions come not from God and lead to sin.

Source: http://bible.cc/matthew/7-15.htm

Sermon on the Mount

Jesus concludes the sermon by warning against false prophets, and emphasizes that humans are unable to do right ("bear fruit") apart from God.

Matthew 7:15-20

15 Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves.
16 Ye shall know them by their fruits. Do men gather grapes of thorns, or figs of thistles?
17 Even so every good tree bringeth forth good fruit; but a corrupt tree bringeth forth evil fruit.
18 A good tree cannot bring forth evil fruit, neither can a corrupt tree bring forth good fruit.
19 Every tree that bringeth not forth good fruit is hewn down, and cast into the fire.
20 Wherefore by their fruits ye shall know them.

Matthew 7, King James Version (KJV), http://www.biblegateway.com/passage/?search=Matthew+7&version=KJV

Why Warn about False Prophets?
Many warnings in the Bible

For false Christs and false prophets shall rise, and shall shew signs and wonders, to seduce, if it were possible, even the elect.
Mark 13:22

But there were false prophets also among the people, even as there shall be false teachers among you, who privily shall bring in damnable heresies, even denying the Lord that bought them, and bring upon themselves swift destruction.
2 Peter 2:1

Woe unto you, when all men shall speak well of you! for so did their fathers to the false prophets.
Luke 6:26

And he said, Take heed that ye be not deceived: for many shall come in my name, saying, I am Christ; and the time draweth near: go ye not therefore after them.
Luke 21:8

For many shall come in my name, saying, I am Christ; and shall deceive many.
Matthew 24:5

And many false prophets shall rise, and shall deceive many.
Matthew 24:11

Source: http://bible.cc/matthew/7-15.htm, http://bible.cc/matthew/24-5.htm, etc.

Teach Security In Christ

Who Influences Your Faith?

InfoSec Questions
• What are the data sources?
• What geographies are covered?
• Who funded the report?
• Why was the report published?
• When was the report published?
• What are the report biases?
• Who wrote the report?
• Is the report methodology documented?
• Are trends tracked over time?

Beware
"How to use Internet security threat reports"

• "...read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage."
• "The reports' findings only represent what the vendor is looking for along with a natural bias towards the vendor's business."
• "Security pros can do better by examining multiple vendor threat reports to get a more complete picture and map the threat classes to the business."

Author: Eric Ogren, founder and Principal Analyst of the Ogren Group, formerly with RSA, etc.
Source: http://searchsecurity.techtarget.com/news/1373865/How-to-use-Internet-security-threat-reports

What is Deception?

Deceive
de·ceive (dĭ-sēv′) v. de·ceived, de·ceiv·ing, de·ceives
v.tr.
   1. To cause to believe what is not true; mislead.
   2. Archaic To catch by guile; ensnare.
v.intr.
   1. To practice deceit.
   2. To give a false impression: appearances can deceive.

[Middle English deceiven, from Old French deceveir, from Vulgar Latin *dēcipēre, from Latin dēcipere, to ensnare, deceive : dē-, de- + capere, to seize; see kap- in Indo-European roots.]

Source: http://www.thefreedictionary.com/deceive (November 2, 2012).
Discriminate

InfoSec Strategy
•  Question presenters and ask them to cite their sources
•  PowerPoint defect: no “Insert” footnote function
•  Plan your report reading
•  Don’t just read latest inbox delivery
•  Create your own top ten report list
What Does This Mean Today?

“The salvation promised is more than deliverance from evil, it is everlasting blessedness.”1

1Source: http://bible.cc/mark/13-13.htm, Matthew Henry commentary on Mark 13:13
Additional References

1.  Tehan, R., (July 2012) Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507
2.  Matthew 7:15, Online Parallel Bible, Retrieved December 1, 2012, from http://bible.cc/matthew/7-15.htm
3.  The Holy Bible, King James Version
4.  Tripwire blog, State of Security, “The Four Horsemen of the Apocalypse: Security Software FUD” by Kevin Weston, November 9, 2012, http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/
5.  Rafal Los, “Abandon FUD, Scare Tactics and Marketing Hype,” February 26, 2012; http://www.infosecisland.com/blogview/20397-Abandon-FUD-Scare-Tactics-and-Marketing-Hype.html
6.  Gal Shpantzer, “Showcasing Fear, Uncertainty and Doubt from the Information Security Industry,” May 14, 2010, http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo
7.  Information Security, Reputation and FUD, July 17, 2012, http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html
8.  “Just Say No to FUD,” October 30, 2009; http://newschoolsecurity.com/2009/10/just-say-no-to-fud/, Featuring Dr. Anton Chuvakin
9.  CSO Online, “Cybersecurity Expert Argues FUD Can Be Effective,” June 11, 2012; Taylor Armerding, http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective
10. Richard Bejtlich’s blog, Monday, October 27, 2003, The Dynamic Duo Discuss Digital Risk, http://taosecurity.blogspot.com/2003/10/dynamic-duo-discuss-digital-risk.html?m=0




Backup Slides

What is the Geographic Coverage?

Each country lists 6 contributing factors: share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin, to substantiate its cybercrime ranking.

BusinessWeek, Symantec: Cybercrime: Top 20 Countries, http://www.enigmasoftware.com/top-20-countries-the-most-cybercrime/ (September 3, 2012).



Verizon DBIR 2012



On FUD (From Tripwire Blog)

•  …Some software security vendors create sensationalistic reports or claims; these false or exaggerated stories are then fed to the media. The media propagate the story without fact checking and sometimes embellishing it further to increase the likelihood that readers will click on and share links to the story, making it go viral. For example, the threat of mobile malware has been overinflated by several vendors who sell mobile anti-virus products who offer marginal levels of protection if any at all.
•  It is important to remember that many tech blogs make money based on the number of ad impressions they have on their site, not the factual integrity of the story they are reporting. Pair the revenue model with the number of stories a professional blogger needs to post in a day and you can pretty much guarantee some writers will not actually fact check, or test the product they are writing about. Misinformation travels just as fast if not faster than truth. By the time the story has hit mainstream media the conquest is complete; even if there are corrections to a story, once it goes viral the truth becomes irrelevant.

Source: http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/



Showcasing Fear, Uncertainty and Doubt from the Information Security Industry

Since the founding of Fudsec we've looked to expose FUD, but until today it's been a little like Justice Stewart's definition of obscenity - I can't define it, but "I know it when I see it."

Source: http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo



Showcasing Fear, Uncertainty and Doubt from the Information Security Industry

•  FUD is the tool of choice for bad sales people in the information security world, "you might be subject to this, This or even THIS!!".
•  If you hear these cries you are probably talking to a bad sales person.
•  Honest consultants will help you manage and understand information security risks. They may even get to the point where they tell you that some risks can't be quantified using traditional methods and then frame advice using good practice references.

Source: http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html




FUD Origin

•  The term “FUD” originated in the 1970s to describe some of IBM’s selling tactics against competitors (who had better price/performance, etc.).
•  The FUD technique was used by IBM sales people to destabilize the decision-maker’s thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. “Nobody ever got fired for buying IBM”.

Source: http://newschoolsecurity.com/2009/10/just-say-no-to-fud/



Cybersecurity Expert Argues FUD Can Be Effective

•  …she does not advocate sowing panic. But she believes FUD -- especially doubt -- "may make people question things.”
•  "It wouldn't take a hell of a lot to do damage. Our SCADA (supervisory control and data acquisition) systems have been penetrated before.”
•  …biggest concern is that nobody yet understands the long-term consequences of cyber conflict. "When the atomic bomb was developed, only a few people saw the long-term consequences. This is really no different. We don't have a handle on it," she said.
      - Sharon Nelson, an attorney and president of the information security, digital forensics and IT consulting firm Sensei Enterprises

Source: http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective




Are Threat Reports a Crude Form of Sharing?

•  “Enterprises are restricted by legal issues, competitive considerations, and fears of reputation loss.”
•  “Government agencies are restricted by classification requirements and national security concerns.”

Source: RSA “Security for Business Innovation Council” report, 2012.

Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 

HackFormers Talk: Beware Wolves in Sheep's Clothing

  • 1. www.hackformers.org  Beware Wolves in Sheep’s Clothing: Information Security Threat Reports, Separating Fact from FUD. Clare Nelson, CISSP, CEO, ClearMark Consulting, January 11, 2013. “…just because it's true doesn't make it not FUD”1 - Rafal Los. 1 Source: HP Enterprise Security Blog: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/Abandon-FUD-scare-tactics-and-marketing-hype-to-sell-information/ba-p/5551189
  • 2. Speaker Background  • 30+ years in high tech, startups and Fortune 100 companies: – GM (Space Shuttle subcontractor for Boeing), ACC (now Ericsson), CMC (now Rockwell), DEC (now HP), EMC, Dazel (now HP), Dell, TeaLeaf Technology (now IBM), Novell (now The Attachmate Group), ClearMark Consulting • ClearMark Consulting: business development for Secure Mentem, Blue Coat spinout Quarri Technologies, SGI • Technical background, Sales & Marketing – Software development (Unix device drivers, encrypted TCP/IP variants, Space Shuttle test software) – System management, Product management, Marketing, Sales (Asia, Europe), Global Alliances, Business Development, IAM • First female director in Dell’s Server and Storage division • CISSP, Member Austin ISSA Board • Publications include “Security Metrics,” ISSA Journal, August 2010 • BS Mathematics, Tufts University • @Safe_SaaS • clare_nelson@clearmark.biz
  • 3. Beware Wolves in Sheep’s Clothing: Information Security Threat Reports, Separating Fact from FUD. HackFormers Mission: 1. Teach Security 2. Teach Christ 3. Teach Security in Christ
  • 4. www.hackformers.org  Teach Security
  • 5. www.hackformers.org  Scope • Information Security Threat Reports • Free • Download with or without registration • Sources – Government, Industry, IT Companies
  • 6. www.hackformers.org  What is a Threat? “Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Source: Diagram attributed to Rasmussen, http://www.gideonrasmussen.com/article-24.html. Source: Threat definition attributed to NIST, SP800-30-2, “Risk Management Guide for Information Technology Systems,” July 2002, page 19
  • 7. www.hackformers.org  What is a Threat, Really? [Diagram: Risk, Threats] Source: Marinus van Aswegen, Security Architect, Telic Consulting, January 4, 2013 blog entry, http://telicthoughts.blogspot.com/2009/02/threats-vulnerabilities-and-risk.html?m=1
  • 8. www.hackformers.org  What Is a Threat Landscape? Source: Fortinet, http://www.fortinet.com/aboutus/aboutus.html
  • 9. www.hackformers.org  What Is Your Threat Landscape IQ? [Diagram: You; Understanding of Threat Landscape]
  • 10. www.hackformers.org  Threat Landscape: Knowing What You Don’t Know. [Iceberg diagram: Unclassified, Classified, Unknown unknowns…] Iceberg metaphor attributed to Shawn Henry, President, Services for CrowdStrike, from DEF CON talk
  • 11. www.hackformers.org  What Is at Stake? Risk, Loss Exposure1. “One company that was recently the victim of an intrusion determined it had lost 10 years worth of research and development—valued at $1 billion—virtually overnight.”2 Shawn Henry, Executive Assistant Director, Federal Bureau of Investigation, ISSA International Conference, Baltimore, Maryland, October 20, 2011. 1 Source: ConSec 2012, Austin, Texas: Jack Jones on Risk, he prefers the term “Loss Exposure”. 2 Source: http://www.fbi.gov/news/speeches/responding-to-the-cyber-threat
  • 12. The Problem: Attacks evolve, morph and improve. Limited time and resources for tracking, understanding threat landscape.
  • 13. How Do You Stay Informed?
  • 15. Threat Intelligence Hype: How to measure the IQ of the data you're being fed. “It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.” Wendy Nather, Research Director of the Enterprise Security Practice, 451 Research. Source: Dark Reading, November 16, 2012; http://www.darkreading.com/security-monitoring/167901086/security/news/240142229/threat-intelligence-hype.html
  • 16. www.hackformers.org  Secondary Problem
  • 17. www.hackformers.org  “Threat Intelligence Reports Play Key Role In Security Strategies”1. Threat Intelligence Reports are used to: 1. Shape Security Strategies 2. Justify Security Resource and Budget Requests 3. Execs want more "actionable intelligence" and "defense recommendations”2. Solutionary Survey: n = 178. “Security has evolved from a tactical IT concern to boardroom-level dilemma. This transition has challenged many executives who are now obligated to protect their organization's critical assets.”3. 1 Source: Dark Reading, http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilities/240144404/survey-threat-intelligence-reports-play-key-role-in-security-strategies.html?cid=nl_DR_daily_2012-12-14_html&elq=224c4f1f11cd499a806bf687f64ec08a. 2 Source: Solutionary, http://www.solutionary.com/index/intelligence-center/press-releases/Threat-Intelligence-Survey.php. 3 Source: Security Battleground: An Executive Field Manual (book) by Michael Fey, et al (March 2012)
  • 18. www.hackformers.org  Beware the Survey and other Jabberwocks. Look for reports based on first-hand evidence collected during forensics investigations.
  • 19. www.hackformers.org  Example 1: August 2012 Press Release. “Independent study finds that financial institutions are losing clients as a result of a single fraud attack.” “Third annual Guardian Analytics and Ponemon Institute 'Business Banking Trust Study' detects widespread fraud and loss of funds.” Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php
  • 20. www.hackformers.org  Example 1 (continued): Fact or FUD? • Guardian paid Ponemon to conduct the independent survey – 998 SMBs in the US • Guardian sells: Behavior-based anomaly detection solutions to prevent banking fraud. Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php
  • 21. www.hackformers.org  Example 2: Fact or FUD? • McAfee quarterly threat report • “… the reports exaggerated mobile malware…” • "Virus companies are playing on your fears to try to sell you […bleeped word…] protection software for Android, RIM, and, iOS," DiBona said. • "They are charlatans and scammers. If you work for a company selling virus protection for [them], you should be ashamed of yourself.” Source: http://www.csoonline.com/article/715489/threat-reports-finger-android-again
  • 22. www.hackformers.org  What Are “Authoritative” Threat Reports? Good, Bad, Ugly. Organization: Threat Report
      AVG Threat Labs: AVG Threat Labs Website Reports
      CERT, CMU (DHS S&T, USSS): Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, July 2012
      Cisco: Cisco 2Q 2011 Global Threat Report
      Commtouch: Internet Threat Trends Report, October 2012
      Deloitte: 2012 Deloitte-NASCIO Cybersecurity Study
      ESET: Global Threat Report: November 2012
      FBI, National White Collar Crime Center: 2011 Internet Crime Report
      FireEye: Advanced Threat Report 1H 2012
      F-Secure: Mobile Threat Report Q3/2012
      Georgia Tech Information Security Center: Emerging Cyber Threats Report 2013
      HP: 2011 Top Cyber Security Risks Report
      IBM: IBM X-Force Mid-Year Trend and Risk Report, September 2012
      Mandiant: M-Trends 2012: An Evolving Threat
      McAfee: McAfee Threats Report: Third Quarter 2012
      Microsoft: Microsoft Security Intelligence Report (Includes Worldwide Threat Assessment), Volume 13
      Sophos: Security Threat Report 2013
      Symantec: Internet Security Threat Report, Volume 17
      Trustwave: Trustwave 2012 Global Security Report
      US Government Accountability Office (GAO): Cybersecurity Threats Impacting the Nation
      Verizon: Verizon Data Breach Investigations Report (DBIR) 2012
      Verizon: Verizon 2011 Investigative Response Caseload Review
      Websense: Websense 2012 Threat Report
      WhiteHat Security: WhiteHat Security Website Statistics Report, Summer 2012
  • 23. www.hackformers.org  2012 Verizon DBIR • 855 incidents, 174 million compromised records – Verizon – United States Secret Service (USSS) – Dutch National High Tech Crime Unit (NHTCU) – Australian Federal Police (AFP) – Irish Reporting & Information Security Service (IRISS) – Police Central eCrimes Unit (PCeU) of the London Metropolitan Police • Summary Statistics – 85% of breaches took weeks or more to discover – 97% of breaches were avoidable through simple or intermediate controls. Source: http://www.verizonbusiness.com/about/events/2012dbir/
  • 24. www.hackformers.org  What Are “Authoritative” Threat Reports? Who Tells Congress What to Read? Cybersecurity Authoritative Reports and Resources, Tehan, R., (latest version, December 2012), Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507
  • 25. www.hackformers.org  What Are “Authoritative” Threat Reports? Are They a Form of Marketing? M-Trends: The One Threat Report You Need to Read. “If you're not paying for something, you're not the customer; you're the product being sold.” - Andrew Lewis. Source: https://www.mandiant.com/blog/archives/2326
  • 26. www.hackformers.org  What Are “Authoritative” Threat Reports? Are They a Form of Marketing? “Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings.” - David Schwartzberg, SophosLabs. Source: http://www.darkreading.com/blog/240143806/android-riskier-than-pcs-sophos-security-threat-report-2013.html
  • 27. www.hackformers.org  That Giant Sucking Sound1. “I wish more IT Security people would take: [Econ 101, Stats 101, Formal Logic, and Survey 101] (all people really)” -- @joshcorman, Tweeted January 7, 2013. 1 Source: http://en.wikipedia.org/wiki/Giant_sucking_sound. The "giant sucking sound" was United States Presidential candidate Ross Perot's colorful phrase for what he believed would be the negative effects of the North American Free Trade Agreement (NAFTA), which he opposed.
  • 28. www.hackformers.org  What Are “Authoritative” Threat Reports? Are They a Form of Marketing? Websense Security Labs discovers and investigates today’s advanced security threats and publishes its findings. Download report, get email, get phone call ...all within 30 minutes. Source: Websense, http://www.websense.com/content/websense-2012-threat-report-download.aspx
  • 29. www.hackformers.org  What Are “Authoritative” Reports? Lies, Damned Lies and Statistics. McAfee Explains The Dubious Math Behind Its ‘Unscientific' $1 Trillion Data Loss Claim - August 3, 2012 Forbes.com. No, the statistic was not simply made up. Yes, it’s just a “ballpark figure” and an “unscientific” one, the company admits. But despite Pro Publica’s criticisms and its own rather fuzzy math, the company stands by its trillion-dollar conclusion as a (very) rough estimate. Source: Tehan, R., (July 2012) Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507.
  • 30. www.hackformers.org  What Are “Authoritative” Threat Reports? Art or Science? “Threat analysis, in many ways, is equal parts art and science.” Source: McAfee Threats Report: Third Quarter 2012
  • 31. www.hackformers.org  What Are “Authoritative” Reports? “There Are No Facts, Only Interpretations.” “At McAfee Labs we try to apply as much math and analytical rigor to our analysis as we can, but we often cannot see the whole picture. We must also interpret and surmise many things. German philosopher Friedrich Nietzsche wrote “There are no facts, only interpretations.” This bit of wisdom strikes us as quite relevant to analyzing threats. Depending on one’s perspective, threats can mean many things. Spam, for example, looks like it’s on a steady decline when viewed globally, but when looked at locally or by country we see tremendous variations. The same can be said of many threat vectors we analyze…” Source: McAfee Threats Report: Third Quarter 2012
  • 32. What is the Geographic Coverage? F-Secure, Shadowserver and Conficker Working Group, “Conficker World Map.” Source: http://www.f-secure.com/weblog/archives/00001646.html (September 3, 2012).
  • 33. Why Do Some Reports Conflict? [Image: Le Penseur, by Auguste Rodin] Who Sponsors the Reports? What is the Methodology?
  • 34. Methodology
      MSSP and Product Data Collection:
      • Customer profile, installed base sampling, geography
      • Filtering, default versus unique settings
      • Compare with previous reports, not apples-to-apples
      • Data aggregation methods
      • Time: what period does the report cover?
      • Does the report clearly state the date of publication?
      Surveys:
      • Unrepresentative samples
      • Measurement error
        – Leading questions
        – Social desirability
      • Sampling error and survey bias
  • 35. Sponsorship: Who Funded the Report? • Spread misleading information • Spread FUD • Skewed toward latest product or service
  • 36. www.hackformers.org  Are Terms Defined? Advanced Persistent Threat
  • 37. FUD or Not? “Advanced malware continues to grow and in the first half of 2012 is up nearly 400% versus the first half of 2011.” Source: http://blog.fireeye.com/research/2012/08/just-released-fireeye-advanced-threat-report-1h-2012.html (November 1, 2012)
  • 38. www.hackformers.org  Teach Christ
  • 39. www.hackformers.org  Sermon on the Mount: Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves. Matthew 7:15
  • 40. What is a False Prophet? Matthew Henry's Commentary, Matthew 7:15-20. Nothing so much prevents men from entering the strait gate, and becoming true followers of Christ, as the carnal, soothing, flattering doctrines of those who oppose the truth. They may be known by the drift and effects of their doctrines. Some part of their temper and conduct is contrary to the mind of Christ. Those opinions come not from God and lead to sin. Source: http://bible.cc/matthew/7-15.htm
  • 41. www.hackformers.org  Sermon on the Mount: Jesus concludes the sermon by warning against false prophets, and emphasizes that humans are unable to do right ("bear fruit") apart from God.
  • 42. www.hackformers.org  Matthew 7:15-20. 15 Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves. 16 Ye shall know them by their fruits. Do men gather grapes of thorns, or figs of thistles? 17 Even so every good tree bringeth forth good fruit; but a corrupt tree bringeth forth evil fruit. 18 A good tree cannot bring forth evil fruit, neither can a corrupt tree bring forth good fruit. 19 Every tree that bringeth not forth good fruit is hewn down, and cast into the fire. 20 Wherefore by their fruits ye shall know them. Matthew 7, King James Version (KJV), http://www.biblegateway.com/passage/?search=Matthew+7&version=KJV
  • 43. Why Warn about False Prophets? Many warnings in Bible. For false Christs and false prophets shall rise, and shall shew signs and wonders, to seduce, if it were possible, even the elect. Mark 13:22. But there were false prophets also among the people, even as there shall be false teachers among you, who privily shall bring in damnable heresies, even denying the Lord that bought them, and bring upon themselves swift destruction. 2 Peter 2:1. Woe unto you, when all men shall speak well of you! for so did their fathers to the false prophets. Luke 6:26. And he said, Take heed that ye be not deceived: for many shall come in my name, saying, I am Christ; and the time draweth near: go ye not therefore after them. Luke 21:8. For many shall come in my name, saying, I am Christ; and shall deceive many. Matthew 24:5. And many false prophets shall rise, and shall deceive many. Matthew 24:11. Source: http://bible.cc/matthew/7-15.htm, http://bible.cc/matthew/24-5.htm, etc.
  • 44. www.hackformers.org  Teach Security In Christ
  • 45. Who Influences Your Faith? InfoSec Questions • What are the data sources? • What geographies are covered? • Who funded the report? • Why was the report published? • When was the report published? • What are the report biases? • Who wrote the report? • Is the report methodology documented? • Are trends tracked over time?
  • 46. www.hackformers.org  Beware: “How to use Internet security threat reports” • “…read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage.” • “The reports' findings only represent what the vendor is looking for along with a natural bias towards the vendor's business.” • “Security pros can do better by examining multiple vendor threat reports to get a more complete picture and map the threat classes to the business.” Author: Eric Ogren, founder and Principal Analyst of the Ogren Group, formerly with RSA, etc. Source: http://searchsecurity.techtarget.com/news/1373865/How-to-use-Internet-security-threat-reports
  • 47. What is Deception? Deceive. de·ceive (dĭ-sēv′) v. de·ceived, de·ceiv·ing, de·ceives. v.tr. 1. To cause to believe what is not true; mislead. 2. Archaic To catch by guile; ensnare. v.intr. 1. To practice deceit. 2. To give a false impression: appearances can deceive. [Middle English deceiven, from Old French deceveir, from Vulgar Latin *dēcipēre, from Latin dēcipere, to ensnare, deceive : dē-, de- + capere, to seize; see kap- in Indo-European roots.] Source: http://www.thefreedictionary.com/deceive (November 2, 2012).
  • 48. Discriminate: InfoSec Strategy • Question presenters and ask them to cite their sources • PowerPoint defect: no “Insert” footnote function • Plan your report reading • Don’t just read latest inbox delivery • Create your own top ten report list
  • 49. What Does This Mean Today? “The salvation promised is more than deliverance from evil, it is everlasting blessedness.”1 1 Source: http://bible.cc/mark/13-13.htm, Matthew Henry commentary on Mark 13:13
  • 50. Additional References
      1. Tehan, R., (July 2012) Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507
      2. Matthew 7:15, Online Parallel Bible, Retrieved December 1, 2012, from http://bible.cc/matthew/7-15.htm
      3. The Holy Bible, King James Version
      4. Tripwire blog, State of Security, “The Four Horsemen of the Apocalypse: Security Software FUD” by Kevin Weston, November 9, 2012, http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/
      5. Rafal Los, “Abandon FUD, Scare Tactics and Marketing Hype,” February 26, 2012; http://www.infosecisland.com/blogview/20397-Abandon-FUD-Scare-Tactics-and-Marketing-Hype.html
      6. Gal Shpantzer, “Showcasing Fear, Uncertainty and Doubt from the Information Security Industry,” May 14, 2010, http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo
      7. Information Security, Reputation and FUD, July 17, 2012, http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html
      8. “Just Say No to FUD,” October 30, 2009; http://newschoolsecurity.com/2009/10/just-say-no-to-fud/, Featuring Dr. Anton Chuvakin
      9. CSO Online, “Cybersecurity Expert Argues FUD Can Be Effective,” June 11, 2012; Taylor Armerding, http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective
      10. Richard Bejtlich’s blog, Monday, October 27, 2003, The Dynamic Duo Discuss Digital Risk, http://taosecurity.blogspot.com/2003/10/dynamic-duo-discuss-digital-risk.html?m=0
  • 51. www.hackformers.org  Backup Slides
  • 52. What is the Geographic Coverage? Each country lists 6 contributing factors, share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin, to substantiate its cybercrime ranking. BusinessWeek, Symantec: Cybercrime: Top 20 Countries, http://www.enigmasoftware.com/top-20-countries-the-most-cybercrime/ (September 3, 2012).
  • 53. www.hackformers.org  Verizon DBIR 2012
  • 54. www.hackformers.org  On FUD (From Tripwire Blog) • …Some software security vendors create sensationalistic reports or claims, these false or exaggerated stories are then fed to the media. The media propagate the story without fact checking and sometimes embellishing it further to increase the likelihood that readers will click on and share links to the story making it go viral. For example the threat of mobile malware has been overinflated by several vendors who sell mobile anti-virus products who offer marginal levels of protection if any at all. • It is important to remember that many tech blogs make money based on the number of ad impressions they have on their site, not the factual integrity of the story they are reporting. Pair the revenue model with the number of stories a professional blogger needs to post in a day and you can pretty much guarantee some writers will not actually fact check, or test the product they are writing about. Misinformation travels just as fast if not faster than truth. By the time the story has hit mainstream media the conquest is complete, even if there are corrections to a story, once it goes viral the truth becomes irrelevant. Source: http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/
  • 55. www.hackformers.org  Showcasing Fear, Uncertainty and Doubt from the Information Security Industry. Since the founding of Fudsec we've looked to expose FUD, but until today it's been a little like Justice Stewart's definition of obscenity - I can't define it, but "I know it when I see it." Source: http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo
  • 56. www.hackformers.org  Showcasing Fear, Uncertainty and Doubt from the Information Security Industry • FUD is the tool of choice for bad sales people in the information security world, "you might be subject to this, This or even THIS!!". • If you hear these cries you are probably talking to a bad sales person. • Honest consultants will help you manage and understand information security risks. They may even get to the point where they tell you that some risks can't be quantified using traditional methods and then frame advice using good practice references. Source: http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html
  • 57. www.hackformers.org  FUD Origin • The term “FUD” originated in the 1970s to describe some of IBM’s selling tactics against competitors (who had better price/performance, etc.). • The FUD technique was used by IBM sales people to destabilize the decision-maker’s thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. “Nobody ever got fired for buying IBM”. Source: http://newschoolsecurity.com/2009/10/just-say-no-to-fud/
  • 58. www.hackformers.org  Cybersecurity Expert Argues FUD Can Be Effective • …she does not advocate sowing panic. But she believes FUD -- especially doubt -- "may make people question things.” • "It wouldn't take a hell of a lot to do damage. Our SCADA (supervisory control and data acquisition) systems have been penetrated before.” • …biggest concern is that nobody yet understands the long-term consequences of cyber conflict. "When the atomic bomb was developed, only a few people saw the long-term consequences. This is really no different. We don't have a handle on it," she said. - Sharon Nelson, an attorney and president of the information security, digital forensics and IT consulting firm Sensei Enterprises. Source: http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective
  • 59. www.hackformers.org  Are Threat Reports a Crude Form of Sharing? • “Enterprises are restricted by legal issues, competitive considerations, and fears of reputation loss.” • “Government agencies are restricted by classification requirements and national security concerns.” Source: RSA “Security for Business Innovation Council” report, 2012.