Security Basics mailing list archives
RE: Fwd: Why suing auditors won't solve the data breach epidemic
From: "Rui Pereira" <wavefront1 () shaw ca>
Date: Fri, 10 Sep 2010 13:58:05 -0700
Mind giving us a link to the article you are referring to?

Thank You,
Rui

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of lonervamp () gmail com
Sent: June-22-09 8:13 AM
To: security-basics () securityfocus com
Subject: Re: Fwd: Why suing auditors won't solve the data breach epidemic

Normally passing off links to mailing lists annoys me, but I hadn't seen this article so I have to grudgingly say thanks! :)

I don't like the idea of suing auditors. To me it smacks of just part of the "pass the blame" game. I can be convinced, however...

But if this continues, I'd like some feedback on some of my opinions on the possible implications of this case:

1. If auditors can be sued, this may result in more strict contracts that absolve auditors for these things?

2. This could result in the demand that auditors have even more visibility and power on the networks they audit. No more turning off that server while the auditors are scanning!

3. I think this should scare the rubber-stamp, unskilled auditors/pen-test firms, but will it also scare away truly good ones?

4. Savvis may have missed a glaringly obvious checkbox with storing unencrypted data (whether or not that even mattered in the actual breach; it's arguable what your real value is in encrypting that layer). But does that possibly just reinforce checkbox auditing?

5. What about auditors that do pass a client, but the client only looks good when it is audit time? Will this lead to more 24/7 monitoring/auditing? One may as well go with an MSSP or just beef it up in-house, right? (Of course, beefing up in-house means you can only fire someone for a breach and likely can't get reparations like a lawsuit to a vendor.) I mean, seriously, how often do companies turn on the alert dashboards or rush out patches only during audit week?

6. Will any of this be compatible with what we all have to accept: security cannot ever be perfect; plan for the breach.
And kudos to the author to do a quick glancing blow on the idea of suing someone/something for the accuracy of their opinion, in relation to suing for securities/firm valuations, etc.

My apologies for vomiting this whole thing out, but I wouldn't mind seeing some discussion on it.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------