Shostack + Friends Blog Archive


Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.”

I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), SCAP, or something less crisply defined.

The hearings [link to no longer works] include a testimony link to a PDF, and the site has a version as well [link to no longer works]. I haven’t had a chance to watch the testimony as delivered.

Neither contain “80” or “eighty.” Does someone know exactly what set of practices constitute “proper configuration policies and conducted good network monitoring,” and over what timeline and population they were measuring? Are there cost estimates for the activity suggested?

2 comments on "Questions about Schaeffer's 80% improvement"

  • DC says:

    I believe that he’s talking about improvements based on following the CAG.

    Google concensus audit guidelines.

  • I think he means buy CIS and OWASP memberships, apply all DISA STIG/etc guidance, and perform constant CNE using a combination of Impact, Canvas, and one of the commercial Metasploits (e.g. Saint or Rapid7).

    The “other 80 percent” that he didn’t refer to means that you have to do binary/bytecode, source code, and design/architectural security reviews for every application in use.

    Expect this to change during future testimonies and hearings.

Comments are closed.