Re: Fwd: Rate Stratfor's Incident Response

[Paul Schmehl <pschmehl_lists () tx rr com>]

--On January 9, 2012 10:34:40 AM -0800 Bob Dobbs <bobd10937 () gmail com> 
wrote:

> On Sat, Jan 7, 2012 at 5:42 PM, <Valdis.Kletnieks () vt edu> wrote:
>
>
> It matters a lot less than you think.  Go look at Sony's stock price
> while they
> were having their security issues - it was already sliding *before* PSN
> got hacked,
> but continued sliding at the *exact same rate* for several months, with
> no visible
>
>
>
> Indeed. It is surprising to me that customers don't care more about this
> than they do. But the customer, in the end, doesn't seem particularly
> concerned about their personal data. If they did they would stop buying,
> revenue would fall, and stock price would fall.

Or, they don't understand the ramifications of the exposure to them 
personally.  (I've been watching my bill for months, and i haven't seen any 
unauthorized charges.  This must not have affected me personally.)  Or they 
never even hear about it to begin with.  (We in IT and Security assume that 
"everyone" knows about breaches.  Nothing could be further from the truth, 
even in the most publicized of cases.)

> As high priority as the IT Sec people usually think it should be, or as
> high
> priority as a cold hard-line analysis of business cost/benefts says it
> should
> be?  IT people tend to be *really* bad at estimating actual bottom-line
> costs.
>
> I can perfectly understand the cold rationalizing of ROI on issues of
> security expense. I am much less forgiving of companies who constantly
> say (and they all do) that they take great care with your data, won't
> share it with anyone else, implement great security, etc. Then they are
> owned by some stupid means such as a flawed and out of date
> Internet-facing webapp and proven to be liars.

Yeah, but you can always blame some low level person for not following 
policy, right?  IOW, they had the right policy in place, but they didn't 
have good procedures for ensuring that the policy was being rigorously 
followed.  Auditing wasn't as robust as it should have been, so it didn't 
find the edge case that brought the whole system down.

> I wish there were far more punitive punishments for customers to pursue
> to help shift the ROI towards providing more security.

Except it wouldn't.  It would simply raise the cost of the product to the 
consumer.  Corporations that get "taught lessons" by large fines, simply 
pass that cost on to the consumer.  They seldom learn as much as you think 
they might or should have

There's a gap between policy and procedures and between procedures and 
auditing.  There are always edge cases that fall outside the purview of the 
watchers and escape detection until something bad happens.  Technology is 
getting better at discovering those gaps, but they will always exist.

For example.  Recently a Columbia researcher discovered a way to use an HP 
printer to hack into an enterprise and compromise internal assets.  A good 
security person would have already anticipated the risk and remediated it. 
(We moved all our printers to private IPs about 10 years ago for that very 
reason.)  But many people didn't give it much thought at all.  (After all, 
who's going to hack a printer?  It doesn't really gain you much.)

The same thing was true, back in the old days, of DNS hosts with vulnerable 
versions of sendmail installed.  "No one" ever thought they might be used 
as spam relays - until someone did - and standard install procedures didn't 
disable or secure sendmail because that wasn't the purpose of the box.

That's just human nature.

The really secure places plan ahead for such things, routinely check for 
out of compliance conditions, and enforce an environment where things are 
"done right" all the time.

Very few such places exist.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/