A Beginner's Guide to Cyber War, Cyber Terrorism and Cyber Espionage

January 18, 2022 by Tony MartinVegue in Information Security

Tune in to just about any cable talk show or Sunday morning news program and you are likely to hear the terms “cyber war,” “cyber terrorism,” and “cyber espionage” bandied about in tones of grave solemnity, depicting some obscure but imminent danger that threatens our nation, our corporate enterprises, or even our own personal liberties. Stroll through the halls of a vendor expo at a security conference, and you will hear the same terms in the same tones, only here they are used to frighten you into believing your information is unsafe without the numerous products or services available for purchase.

Improving Defender Decision Making

October 29, 2018 by Tony MartinVegue in Decision Analysis

Improving defender decision making when responding to ransomware infections and other forms of cyber extortion has been a research topic of mine for several years now. It was sparked by the fairly common advice I heard, and continue to hear, from experts, law enforcement and security vendors: don't ever pay the ransom.

FAIR Institute, San Francisco Chapter June Meeting Recap

July 15, 2018 by Tony MartinVegue in Quantitative Risk

The San Francisco Chapter of the FAIR Institute had its latest meeting on June 21, 2018, generously hosted by Twilio at their company headquarters. It was a well-attended event and featured two great speakers; Jack Jones, Chairman of the FAIR Institute and Calvin Liu, Director of Operations at Ventura Enterprise Risk Management. Both talks elaborated on specific use cases of FAIR, quantitative risk analysis and techniques, with ample time to network and ask questions. As with all local FAIR chapters, the San Francisco meetings are a fantastic opportunity to hear great speakers, get tips on how to integrate quantitative risk into your risk program and meet new people — from newcomers to FAIR, to those with broad experience.

How to Lie with Statistics, Information Security Edition

July 09, 2018 by Tony MartinVegue in Statistics

Have you ever finished reading a vendor whitepaper or a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief after reading some of the conclusions or research methodology? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.

Quantitative Cyber Risk Talks & Events: RSA Week 2018

March 30, 2018 by Tony MartinVegue in Conferences

From April 15–20 2018, the city of San Francisco hosts several simultaneous security conferences. The sub-field of quant, data driven cyber / information security / technology risk and metrics is very small, so I’ve started to compile a list of talks and events that week. To make it on this list, the talk should be about the sub-field described above OR presented by/hosted by someone who is active in that sub-field.

Black Swans in Risk: Myth, Reality and Bad Metaphors

March 24, 2018 by Tony MartinVegue in Quantitative Risk

The term “Black Swan event” has been part of the risk management lexicon since its coinage in 2007 by Nassim Taleb in his eponymous book titled The Black Swan: The Impact of the Highly Improbable. Taleb uses the metaphor of the black swan to describe extreme outlier events that come as a surprise to the observer, and in hindsight, the observer rationalizes that they should have predicted it.

Book Chapter on Cyber Risk Quantification in Fintech

March 05, 2018 by Tony MartinVegue in Quantitative Risk

Jack Freund, of Measuring and Managing Information Risk fame, edited and released a new book titled Fintech: Growth and Deregulation. I’m happy to announce that I wrote a chapter titled “Cyber-risk Quantification of Financial Technology.”

Will the Real “Year of the Data Breach” Please Stand Up?

January 04, 2018 by Tony MartinVegue in Cognitive Bias

My New Year’s Day ritual has been the same for nearly 10 years now: a late breakfast, a cup of strong coffee and a scan of security blogs and news for two things that always make me chuckle: cyber predictions for the new year, and a retrospective that declares the past year the “Year of the Data Breach.” Kelly Shortridge perfectly parodied the former and I actually thought we might go a year without the latter, until I found this headline on Bloomberg news in which 2017 is named the Year of the Data Breach.

Selection Bias and Information Security Surveys

March 10, 2017 by Tony MartinVegue in Cognitive Bias

Selection bias is what makes these surveys virtually worthless. I previously wrote about the problems of surveys in information security vendor reports and I want to dig in deeper on a topic from the last post: properly selecting a representative sample from the general population being surveyed. This matters so much. This is perhaps the most important step when conducting a statistically sound survey.

The Problem with Security Vendor Reports

February 25, 2017 by Tony MartinVegue in Statistics

The information security vendor space is flooded with research: annual reports, white papers, marketing publications — the list goes on and on. This research is subsequently handed to marketing folks (and engineers who are really marketers) where they fan out to security conferences across the world, standing in booths quoting statistics and attending pay-to-play speaking slots, convincing executives to buy their security products.

What I learned from resetting over 300 passwords

August 04, 2015 by Tony MartinVegue in Information Security

In May, Lastpass announced an intrusion on its network that led to a data breach of user account information. LastPass is a cloud-based password manager; users load the LastPass extension into their web browsers and all the pesky password management tasks are taken care of. The user is given one-click access to fill in the username and password on known sites and the option to generate a long password and save credentials on new sites.

Gift Card Fraud: How It’s Committed and Why It’s So Lucrative

June 24, 2015 by Tony MartinVegue in Information Security

Gift cards have caused quite a headache for retailers in the last month, exposing another way that fraudulent activity can eat into razor-thin profit margins. Gift card fraud can range from physical theft to cloning to exploiting programming errors on the merchant side.

The methods of attack are very similar to what is seen with credit card fraud, but gift card fraud is less widely reported in the news. The reason is that, unlike data breaches that involve credit cards, personally identifiable information (PII) is rarely disclosed. Regardless, it is important for both merchants and customers to know how gift card fraud occurs, so they can recognize the behavior and protect themselves.

What combination locks teach us about encryption weakness

May 18, 2015 by Tony MartinVegue in Information Security

Last week, an interesting story made the rounds on social media about a researcher named Samy Kamkar who discovered a flaw in Master-brand combination locks and was able to open the lock in eight tries or less. It’s a great discovery and is of particular interest to security professionals because it teaches us about encryption, the concept of brute-force attacks and weaknesses in implementation.

What’s the difference between a vulnerability scan, penetration test and a risk analysis?

May 12, 2015 by Tony MartinVegue in Information Security

An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.

Security BSides San Francisco, 2015 conference review

April 27, 2015 by Tony MartinVegue in Conferences

Have you ever wanted to get in a time machine and go back to when security industry visionaries were just starting out? Imagine meeting Martin Roesch when he was writing the first version of Snort or Bruce Schneier as he was just putting his ideas down for Applied Cryptography. I don’t have a DeLorean, but I can do the next best thing. I can take you to a place where tomorrow’s thinkers are forming their ideas and honing presentation skills, today.

Are we witnessing a cyber war between Russia and Ukraine? Don’t blink — you might miss it

April 23, 2015 by Tony MartinVegue in Information Security

In February 2015, The Daily Beast published an insightful article about cyber war activity between Russia and Ukraine. The article profiled Eugene Dokunin, a Ukrainian web security consultant who gave up his day job to launch cyber-attacks against Russian targets. He works with a team of volunteers and performs an innumerable amount of combative actions, from financial account takeovers to hacking into CCTV systems in order to report on troop activity.

How to survive security conferences: 4 tips for the socially anxious

April 13, 2015 by Tony MartinVegue in Conferences

One of the world’s largest security conferences, RSA 2015, is right around the corner. Beginning April 19, it’s bookended by two other great, but smaller, events: BSides and the Yahoo Privacy Unconference. Security professionals from all over the world will be in San Francisco that week, and this will arguably be the single best chance all year for those of us in the industry to network.