[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- To: Bob Dobbs <bobd10937@xxxxxxxxx>, Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- From: Paul Schmehl <pschmehl_lists@xxxxxxxxx>
- Date: Mon, 09 Jan 2012 13:30:06 -0600
--On January 9, 2012 10:34:40 AM -0800 Bob Dobbs <bobd10937@xxxxxxxxx>
wrote:
> On Sat, Jan 7, 2012 at 5:42 PM, <Valdis.Kletnieks@xxxxxx> wrote:
>
>
> It matters a lot less than you think. Go look at Sony's stock price
> while they
> were having their security issues - it was already sliding *before* PSN
> got hacked,
> but continued sliding at the *exact same rate* for several months, with
> no visible
>
>
>
> Indeed. It is surprising to me that customers don't care more about this
> than they do. But the customer, in the end, doesn't seem particularly
> concerned about their personal data. If they did they would stop buying,
> revenue would fall, and stock price would fall.
>
Or, they don't understand the ramifications of the exposure to them
personally. (I've been watching my bill for months, and i haven't seen any
unauthorized charges. This must not have affected me personally.) Or they
never even hear about it to begin with. (We in IT and Security assume that
"everyone" knows about breaches. Nothing could be further from the truth,
even in the most publicized of cases.)
>
> As high priority as the IT Sec people usually think it should be, or as
> high
> priority as a cold hard-line analysis of business cost/benefts says it
> should
> be? IT people tend to be *really* bad at estimating actual bottom-line
> costs.
>
> I can perfectly understand the cold rationalizing of ROI on issues of
> security expense. I am much less forgiving of companies who constantly
> say (and they all do) that they take great care with your data, won't
> share it with anyone else, implement great security, etc. Then they are
> owned by some stupid means such as a flawed and out of date
> Internet-facing webapp and proven to be liars.
>
Yeah, but you can always blame some low level person for not following
policy, right? IOW, they had the right policy in place, but they didn't
have good procedures for ensuring that the policy was being rigorously
followed. Auditing wasn't as robust as it should have been, so it didn't
find the edge case that brought the whole system down.
> I wish there were far more punitive punishments for customers to pursue
> to help shift the ROI towards providing more security.
>
Except it wouldn't. It would simply raise the cost of the product to the
consumer. Corporations that get "taught lessons" by large fines, simply
pass that cost on to the consumer. They seldom learn as much as you think
they might or should have
There's a gap between policy and procedures and between procedures and
auditing. There are always edge cases that fall outside the purview of the
watchers and escape detection until something bad happens. Technology is
getting better at discovering those gaps, but they will always exist.
For example. Recently a Columbia researcher discovered a way to use an HP
printer to hack into an enterprise and compromise internal assets. A good
security person would have already anticipated the risk and remediated it.
(We moved all our printers to private IPs about 10 years ago for that very
reason.) But many people didn't give it much thought at all. (After all,
who's going to hack a printer? It doesn't really gain you much.)
The same thing was true, back in the old days, of DNS hosts with vulnerable
versions of sendmail installed. "No one" ever thought they might be used
as spam relays - until someone did - and standard install procedures didn't
disable or secure sendmail because that wasn't the purpose of the box.
That's just human nature.
The really secure places plan ahead for such things, routinely check for
out of compliance conditions, and enforce an environment where things are
"done right" all the time.
Very few such places exist.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/