Daniel W Woods
ieltop.bsky.social
Economics of security and privacy. Lecturer at the University of Edinburgh + Researcher at Coalition.
For the table, I followed the classifications/categories used by the reports.

Fwiw, if the exploit steals config details/usernames/passwords, then enabling MFA or not exposing the admin panel could still prevent the attack. So in a sense, configuration would still matter. It is murky tho.
February 18, 2025 at 8:53 AM
Based on this evidence, we argued that to calibrate Secure by Design with small business risk, there should be more focus on reducing misconfigurations.

www.lawfaremedia.org/article/cali...
Calibrating Secure by Design with the Risks Faced by Small Businesses
Empirical evidence suggests guiding small businesses toward more secure configurations is more important than eliminating vulnerabilities. 
February 18, 2025 at 8:44 AM
- The median estimate of stolen credentials was 29% and phishing 17%.
- Vulnerabilities represented a lower share of initial access vectors in samples comprising smaller firms.
- Exposed vulnerabilities/End of Life software represent a minority of notifications sent by Coalition.
February 18, 2025 at 8:43 AM
We looked at two main data sources: the causes of cyber incidents via DFIR investigations, and the presence of security issues found via scans. We found:
- Exploits of vulnerabilities were the initial access vectors in <50% of incidents across 7 studies, with 32% being the median estimate
February 18, 2025 at 8:43 AM
Definitely a blind men and an elephant problem
December 3, 2024 at 9:20 AM
Interesting slides tho. Will there be a recording?
December 3, 2024 at 9:18 AM
humble title 😂
December 3, 2024 at 9:13 AM
One attack could hit three if the attacker phished credentials and used them to login via RDP
December 3, 2024 at 9:05 AM
Ah it could be. I'll double check. It's why I like sharing figures before publication
December 3, 2024 at 9:04 AM
Strong agree! The threat against consumers is often unrelated to a security breach, typically rooted in defamation, often groundless.
November 26, 2024 at 10:41 AM
Ofc! You're the most curious person in cyber risk
November 25, 2024 at 3:34 PM
Just 1.6% of respondents have cyber coverage, and 8.5% are aware of the product.

It'll be interesting to see how this product evolves.

I think these losses will be absorbed into home insurance policies as a premium option. It's hard to justify a separate sales channel for a <$50 product.
November 25, 2024 at 10:05 AM
Notably, insurers see non-trivial costs associated with cyberbullying.

The typical claim may involve legal costs, counselling and lost wages to respond to the incident.

But in extreme cases, cyber insurance will cover costs associated with moving home or school.
November 25, 2024 at 10:02 AM
We also asked participants to estimate how much compensation they would need to cover each cyber incident.

Financial frauds were estimated to be the most expensive, with no statistically significant difference between victims and non-victims.

The median cost of cyberbullying was estimated to be $0.
November 25, 2024 at 9:59 AM
Cyber attack and online fraud are possibly too generic.

There were multiple examples where participants thought they were "very easy" to define, only to find the real definitions from a policy are "not at all similar" when presented with one.

These discrepancies can lead to nasty surprises.
November 25, 2024 at 9:57 AM
The second stage designed a survey to explore coverage, risk and product uncertainty.

Some of these coverages are well understood by both high and low security awareness participants, such as cyberbullying and ID theft.

Cyber extortion was perceived to be the hardest to define.
November 25, 2024 at 9:55 AM
My favourite finding is that these teams function like labour unions in negotiating with large tech companies to receive fair bug bounty payouts. This fighting for the little guy was very Ross.

We scraped a bunch of descriptive stats on team size, finding that the biggest teams have 500+ members.
November 22, 2024 at 3:13 PM