Posted by: NetLib on Monday, July 12, 2010
Originally published at: http://www.schneier.com
Copyright: 2009 Bruce Schneier

Monster.com Data Breach

Monster.com was hacked, and people's personal data was stolen. Normally I wouldn't bother even writing about this—it happens all the time—but an AP reporter called me yesterday to comment. I said:

Monster's latest breach "shouldn't have happened," said Bruce Schneier, chief security technology officer for BT Group. "But you can't understand a company's network security by looking at public events—that's a bad metric. All the public events tell you are, these are attacks that were successful enough to steal data, but were unsuccessful in covering their tracks."

Thinking about it, it's even more complex than that. To assess an organization's network security, you need to actually analyze it. You can't get a lot of information from the list of attacks that were successful enough to steal data but not successful enough to cover their tracks, and which the company's attorneys couldn't figure out a reason not to disclose to the public.