
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



On Sat, Jan 7, 2012 at 8:42 PM,  <Valdis.Kletnieks@xxxxxx> wrote:
> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
>> imo public shaming(ie. owned by kiddies, usually they get bigger media
>> attention) can force companies to take security more seriously, but imo
>> hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while
> they were having their security issues - it was already sliding *before* PSN got
> hacked, but continued sliding at the *exact same rate* for several months, with no
> visible added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a
child corporation operating under their name) had been hacked at least
43 times in the past
(http://attrition.org/security/rant/sony_aka_sownage.html).

Adding insult to injury, Sony laid off security folks before the
spectacular breach
(http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/).

Sony is the poster child for driving drunk on the information super
highway. Computing is a privilege, not a right. They should have their
privileges revoked.

> The hack at TJX didn't cripple that
> company either.  Cost them a bunch, but nothing they couldn't survive - most
> companies that size already budget a lot more for unforeseen events than the
> hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one
quarter's earnings. The executives were awarded bonuses for a job well
done, and the loss was passed on to the shareholders.

> [SNIP]
>
> Remember that computer security is almost always a cost center, not a profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money), unless
> you can demonstrate how that will impact the bottom line.  Just like I *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one that
> gets 42, and save $50/month in gas - but then have a $250/month car payment to
> make. That doesn't make fiscal sense, and often neither does fixing the flawed
> process.
>
>> of course many of them will get owned, lose a good chunk of money, some of
>> them even will go out of business, but until most of them can get away with
>> that broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> [SNIP]
Sadly, you are right.

In the US, we need a legislative change - broader, more encompassing
laws and definitions which benefit the users (whether it's a user with
a credit card on file, or a user with PII on file). We need harsh
penalties to act as a deterrent against corporate indifference, and
board members to be held criminally accountable. With harsh penalties
and board accountability, I would argue you could relax legislative
oversight - give them enough rope to hang themselves, and see how many
executives will opt for 'let's spend 10 years in prison' because it's
cheaper to do nothing.

It's probably a pipe dream, though (I know it is while corporate
America gets to participate in the oligarchy via bribes (err, PAC
contributions)).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/