Profile picture
Jake Williams @MalwareJake
, 5 tweets, 1 min read Read on Twitter
If you're researching the true cost of a data breach, let me help you out and tell you that nobody knows. There's no standard for reporting what is and isn't included in the cost. IT overtime to rebuild systems? Sure that makes sense. But many costs aren't black and white 1/n
GRC time to write new control policies?
Replacing your outdated VPN concentrator?
Finally migrating off of Win 2k3?
Installing AV organization wide?
Pentesting to find other exposures?
Threat hunting to find other actors in the network?
All of these have been included 2/n
I'm not saying whether these things should or shouldn't be included (I have WAY worse examples BTW). My point is that when an organization says "this was a $5 million breach" that carries as much meaning as saying I'll sell you a car for 25 grizblocks. No frame of reference. 3/n
Ugh, I just realized that someone will create a crypto currency called "grizblocks" just to invalidate my point. But I digress... Without clear standards on what is/isn't included in the cost of a breach, we can't make ANY actionable recommendations based on available data. 4/n
You should be immediately suspicious of vendors peddling this data without caveats. They are either ignorant of what the data does (and doesn't) mean or they are being intentionally dishonest. Neither is a good outcome for you... 5/5
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
#Help Personally #Verified
I met Shyla last year in a meeting. Her father had dreamt of making her a doctor. But his dreams drowned in the sewer he had died in. This is her story. (ruralindiaonline.org/articles/my-mo…)
Ten years later, Shyla is almost close to realising her father’s dream. She is doing her nursing course, and she needs help. As a society that sent her father down the sewers, I think it is our responsibility to see that she becomes a nurse.
When I met her again last month, Shyla was exuding confidence. “I will soon be a nurse and if you need anything, call me over” she told me and i cant wait.
Shyla’s course fee for third year comes close to Rs 1 lakh. I already have someone pledging Rs 10,000.
Read 4 tweets
Profile picture
Next up: Katie Malone @multiarmbandit From Presidential campaign trail to Enterprise - Building a #DataScience team @CivisAnalytics
Effective #data-driven teams: different in existing organizations than start-ups. Need to find the best places to build in data value without overturning everything else. Challenges: personal-level analytics, resource allocation, security, privacy. #ODSCWest
Business & data teams will see problems differently. Data teams need to be comfortable with trade-offs in business. Metrics can be ill-defined. Speed can be better than perfection. Important to understand adequate accuracy of models. #ODSCWest Oh yeah, and security.
Read 9 tweets
Profile picture
1/3 Was trying to remember when the ES&S hack was - when @VotingVillageDC reminded me last night. It was Aug 2017 - In the massive 1.8 mill #voter ES&S #data breach part of the download was...encrypted versions of passwords for ES&S employee accounts. usatoday.com/story/tech/201…
2/3 @UpGuard is the company who found the breach. “The worse-case scenario is that they could be completely infiltrated right now,” said Upguard's director of strategy Jon Hendren.
3/3 ES&S is the largest provider of voting equipment in the country. Let me just repeat that for emphasis. “The worse-case scenario is that they could be completely infiltrated right now.” And hackers could have had a full year to do what they need to do. apnews.com/f6876669cb6b4e…
Read 4 tweets
Profile picture
Damn, I am really looking forward to announcing my current project. I've been working on it since the start of the year, through some pretty intense times, and it's almost, _almost_ done. It's an entirely fabricated non-fiction book, and it's... quite in-depth. You'll like it.
(For clarity: (1) this isn't the Schneider Wrack sequel, but I'm still well keen to work on that when the day comes (2) it's not a followup to 100 Games (3) it is with a new publisher and an announcement shouldn't be too far away)
Wider update on my work, for those who want to know - alongside the aforementioned new book, I've been doing some REALLY fun work with Rebellion on the games side of things this year, which I can't say much about yet, and making my debut with Black Library in the new INFERNO!
Read 5 tweets
Profile picture
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets
Profile picture
THREAD: there is no one way to be a writer, no one way to tell a story, no one way to do this thing we do as a hobby or as a job or as an art form. Some write a little every day, in an office; some write a lot at one time at varying, sporadic points. It's all okay.
I think it's important to challenge all pieces of "Known Writing Advice," all those chestnuts of Vital Lore, and to see what they are and what works for you. We all have our own weird fingerprints to imprint upon this thing we do.
I think it IS important to talk about the things you do and the processes you use to write and tell a story and to hold them up and examine them -- share them with others, and listen to their ways of doing things, too.
Read 32 tweets

Trending hashtags

#Exvangelical #GDPR #NeuralNetwork #GoodbyeDemocrats #Belgariad #PaulMcCartney #EgyptStation #45DaysOfElvisCostello #LostHighway #Winning #BelgariadRead #Data #hackthepentagon #RecordStoreDay #YouDontKnowEvangelicals #Aadhaar #GodBless #LookNow #true #PleaseStand #Vet #FLYJOHNNYFLY #InternetBillofRights #ItsTime #Hivites

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!