mailing list archives
Re: Fwd: Rate Stratfor's Incident Response
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 7 Jan 2012 21:09:26 -0500
On Sat, Jan 7, 2012 at 8:42 PM, <Valdis.Kletnieks () vt edu> wrote:
On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
imo public shaming(ie. owned by kiddies, usually they get bigger media
attention) can force companies to take security more seriously, but imo
hiring the kiddies isn't the solution.
It matters a lot less than you think. Go look at Sony's stock price while they
were having their security issues - it was already sliding *before* PSN got hacked,
but continued sliding at the *exact same rate* for several months, with no visible
added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a
child corporation operating under their name) had been hacked at least
43 times in the past
Adding insult to injury, Sony laid off security folks before the
Sony is the poster child for driving drunk on the information super
highway. Computing is a privilege, not a right. They should have their
The hack at TJX didn't cripple that
company either. Cost them a bunch, but nothing they couldn't survive - most
companies that size already budget a lot more for unforseen events than the
hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one
quarter's earnings. The executives were awarded bonuses for a job well
done, and the loss was passed on to the share holders.
Remember that computer security is almost always a cost center, not a profit
center, and one of those "bad priorities" is usually "make more money".
They aren't going to change the flawed process (which will cost money), unless
you can demonstrate how that will impact the bottom line. Just like I *could*
replace my already-paid-off car that gets 27 miles to the gallon with one that
gets 42, and save $50 month in gas- but then have a $250/month car payment to
make. That doesn't make fiscal sense, and often neither does fixing the flawed
of course many of them will get owned, lose a good chunk of money, some of
them even will go out of business, but until most of them can get away with
those broken model, they won't try to fix the underlying problem.
And you know what? *Every single decision* a business makes is like that.
Sadly, you are right.
In the US, we need a legislative change - broader, more encompassing
laws and definitions which benefit the users (whether its a user with
a credit card on file, or a user with PII on file). We need harsh
penalties to act as a deterrent against corporate indifference, and
board members to be held criminally accountable. With harsh penalties
and board accountability, I would argue you could relax legislative
oversight - give them enough rope to hang themselves, and see how many
executives will opt for 'lets spend 10 years in prison' because its
cheaper to do nothing.
Its probably a pipe dream, though (I know it is while corporate
america gets to participate in the oligarchy via bribes (err, PAC
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/