
Re: [Full-disclosure] Should I Be Worried?



Sol Invictus wrote:

> And THAT, my friends, is why it IS so hard! People know that if it's only one person that knows about it, sooner or later they will shut up and move on. If you're gonna watch your stuff anyway, why not contact the credit bureaus and put an alert on your file and then go FD!
> 
> In the words of our forefathers, "United we stand! Divided we fall!"
> 
> Thank you for being one of the sheep that makes the rest of our jobs harder.


Not everyone's cut out for that kind of responsibility. People have different considerations and things that drive them. The reason it's so hard is not for lack of talking but rather for lack of caring. Having worked in both the educational and corporate world, I can say, beyond a shadow of a doubt, that what we say here doesn't really reach them for the most part. It reaches software producers, yes... and that was my original point. Appointment jobs are CYA jobs, and band-aids are better than fixes in those situations.

The best way to effect that kind of change is to change the corporate culture -- which is a lot harder than it looks.

Many certified security professionals are taught that risk management is all about cost versus loss. It's like in Fight Club... it's the formula: a + b + c == x. If x is less than the cost of combined losses, then companies don't fix it, because it's counterproductive. It's roughly the same in organizations like universities, only sometimes worse, because there are all manner of divisions of labor, decisions made and deals appropriated that are there just for internal politics and job security for certain individuals. What has to be considered is the fact that cost, in this case, is from the side of the institution. My bank account, for instance, means a lot more to me than it does to my bank. To my bank, I'm a very small percentage of the funds they hold. To me, my bank account is my ability to pay my rent this month. The whole situation won't change until the corporate culture changes to stop being selfish and start considering the interests of the customer. And we're a long way away from that happening, unfortunately.

            -bkfsec

p.s. I understand what you're saying, though... that our voices increase the combined cost to the organization, driving them harder to fix things... this is true... but many organizations will just try to shift those costs back to you through legal means. We have to pick and choose our battles.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/