Re: [PEN-TEST] Network Attack Trend Analysis
From: H Carvey <keydet89 () YAHOO COM>
Date: Wed, 6 Sep 2000 17:37:36 -0000

Just curious why you would consider the
attrition.org stats "not factual"?

I'd have to agree that perhaps "not factual" is an
incorrect phrase...how about "hardly substantial"?
Here's my reasoning...

How does Attrition become aware of
web page defacements? Is the predominant method
that someone informs them? Who does this? The
person who defaces the page, or someone who
notices the defacement? If the former, it is therefore
a logical argument that sites like Attrition lead to more
web page defacements. If the latter, then what is to
say that the statistics are representative...if someone
just happens to notice by accident that a web page is

I have just spent some time reviewing several
(though admittedly not all) of the graphs available on
the Attrition site. While I applaud the efforts of the
Attrition staff, I have to ask...of what use are the
graphs? I have taken graduate courses in statistics
and statistical analysis...yet it isn't clear at all what
the graphs are intended to represent.

Take for example:

What does the Y-axis represent? Fraction of what?
And the X-axis is labeled "Defacements per day,
simple"...what constitutes a "simple" defacement?

is entitled "OS totals by month"...but what do the
various colors on the bars indicate?

I guess the point is this...if you have nothing better to
do and want to waste someone's time...sure, show
these graphs to your boss. They are meaningless,
though colorful and probably quite enjoyable to look at
when printed on a color printer.

Not only are the graphs meaningless, but the very
data that the graphs are based on is suspect. How is
the data collected?

To be fair, though...I have to say the same thing about
the CSI/FBI survey...the statistics that are generated
as a result of the survey are largely misunderstood
(and very often misquoted), but the very method used
to collect the data is suspect, as well.

As yet the only information I have seen that even
remotely approaches validity is the information Cisco
put out a while ago. That data was based on
sanitized data derived from performing vulnerability
assessments of customer networks.