Penetration Testing mailing list archives

Re: [PEN-TEST] Network Attack Trend Analysis


From: Ryan Permeh <Ryan () EEYE COM>
Date: Wed, 6 Sep 2000 11:58:49 -0700

comments within the email as follows:

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 06, 2000 10:37 AM
Subject: Re: Network Attack Trend Analysis


<SNIP>

> Not only are the graphs meaningless, but the very
> data that the graphs are based on is suspect.  How is
> the data collected?

The graphs have meaning, but, like any statistics course you have taken,
these graphs only have meaning in context.  I doubt that attrition has any
pretense of being an absolute indication on computer crime.  As for the
attrition mirror increasing computer crime, this is also bunk and based on
the false logic that a public forum increases such activity.  Place blame
where blame belongs, on the perpetrators of the crime.  In this same vein,
it would be like stating that a newspaper is the cause of a murder.  The
logic is flawed, as is the argument.  As for the other side, random
defacement notices, this is also incorrect.  The world is less black and
white than that.  Attrition gathers its statistics based on both methods.
http://www.attrition.org/mirror/attrition/stats.html#NOTES adds a bit of
context and explanation to the graphs.


> To be fair, though...I have to say the same thing about
> the CSI/FBI survey...the statistics that are generated
> as a result of the survey are largely misunderstood
> (and very often misquoted), but the very method used
> to collect the data is suspect, as well.

Again, statistics are meaningless without context.  Raw survey data is not
often a valid method of gaining true statistical information.  People
misunderstand (as you have said), and people straight out lie.  I agree that
this method is no more accurate than the Attrition method.

> As yet the only information I have seen that even
> remotely approaches validity is the information Cisco
> put out a while ago.  That data was based on
> sanitized data derived from performing vulnerability
> assessments of customer networks.


This also has to be suspect without context.  Firstly, Cisco may have
commercial reasoning to publish any results of this test.  That adds a
possible skew to any gathered data.  Secondly, it is "sanitized" data, which
in and of itself is not bad (as long as sanitized data is allowed within the
context of the statistics).  Thirdly, there are the data gathering methods.
Without a detailed, repeated process used to gather data, the "assessments"
are meaningless.

All in all, the attrition mirror stats are just that.  Statistics based on
the defacements within the attrition mirror.  They do have a very large
percentage of known defacements, and offer this view as *FREE* analysis of
their information.  If the results do not suit your needs, I'm certain that
you, or anyone else, could create similar or even wildly different graphs
based on the available information.

