Re: Fwd: Rate Stratfor's Incident Response
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Mon, 09 Jan 2012 13:30:06 -0600
--On January 9, 2012 10:34:40 AM -0800 Bob Dobbs <bobd10937 () gmail com>

> On Sat, Jan 7, 2012 at 5:42 PM, <Valdis.Kletnieks () vt edu> wrote:
>> It matters a lot less than you think. Go look at Sony's stock price
>> were having their security issues - it was already sliding *before* PSN
>> but continued sliding at the *exact same rate* for several months, with
>
> Indeed. It is surprising to me that customers don't care more about this
> than they do. But the customer, in the end, doesn't seem particularly
> concerned about their personal data. If they did they would stop buying,
> revenue would fall, and stock price would fall.

Or, they don't understand the ramifications of the exposure to them
personally. (I've been watching my bill for months, and I haven't seen any
unauthorized charges. This must not have affected me personally.) Or they
never even hear about it to begin with. (We in IT and Security assume that
"everyone" knows about breaches. Nothing could be further from the truth,
even in the most publicized of cases.)

>> As high priority as the IT Sec people usually think it should be, or as
>> priority as a cold hard-line analysis of business cost/benefits says it
>> be? IT people tend to be *really* bad at estimating actual bottom-line
>
> I can perfectly understand the cold rationalizing of ROI on issues of
> security expense. I am much less forgiving of companies who constantly
> say (and they all do) that they take great care with your data, won't
> share it with anyone else, implement great security, etc. Then they are
> owned by some stupid means such as a flawed and out of date
> Internet-facing webapp and proven to be liars.

Yeah, but you can always blame some low level person for not following
policy, right? IOW, they had the right policy in place, but they didn't
have good procedures for ensuring that the policy was being rigorously
followed. Auditing wasn't as robust as it should have been, so it didn't
find the edge case that brought the whole system down.

> I wish there were far more punitive punishments for customers to pursue
> to help shift the ROI towards providing more security.

Except it wouldn't. It would simply raise the cost of the product to the
consumer. Corporations that get "taught lessons" by large fines simply
pass that cost on to the consumer. They seldom learn as much as you think
they might or should have.
There's a gap between policy and procedures and between procedures and
auditing. There are always edge cases that fall outside the purview of the
watchers and escape detection until something bad happens. Technology is
getting better at discovering those gaps, but they will always exist.
For example, recently a Columbia researcher discovered a way to use an HP
printer to hack into an enterprise and compromise internal assets. A good
security person would have already anticipated the risk and remediated it.
(We moved all our printers to private IPs about 10 years ago for that very
reason.) But many people didn't give it much thought at all. (After all,
who's going to hack a printer? It doesn't really gain you much.)
The same thing was true, back in the old days, of DNS hosts with vulnerable
versions of sendmail installed. "No one" ever thought they might be used
as spam relays - until someone did - and standard install procedures didn't
disable or secure sendmail because that wasn't the purpose of the box.
That's just human nature.
The really secure places plan ahead for such things, routinely check for
out of compliance conditions, and enforce an environment where things are
"done right" all the time.
Very few such places exist.
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/