Re: Fwd: Rate Stratfor's Incident Response

[Ferenc Kovacs <tyra3l () gmail com>]

On Sun, Jan 8, 2012 at 2:42 AM, <Valdis.Kletnieks () vt edu> wrote:

> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
> > imo public shaming(ie. owned by kiddies, usually they get bigger media
> > attention) can force companies to take security more seriously, but imo
> > hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while
> they
> were having their security issues - it was already sliding *before* PSN
> got hacked,
> but continued sliding at the *exact same rate* for several months, with no
> visible
> added dip due to the multiple hacks they had.  The hack at TJX didn't
> cripple that
> company either.  Cost them a bunch, but nothing they couldn't survive -
> most
> companies that size already budget a lot more for unforseen events than the
> hacks cost them.
>
> > able to secure your infrastructure, but the industry is rotten mostly
> > because it-sec isn't as high priority as it should be.
>
> As high priority as the IT Sec people usually think it should be, or as
> high
> priority as a cold hard-line analysis of business cost/benefts says it
> should
> be?  IT people tend to be *really* bad at estimating actual bottom-line
> costs.
>
> > it is an added-value, usually bolted-on top of the screwed up legacy
> > processes/softwares, and the higher-ups expect it to be bought by money
> > alone.
>
> Remember that at the C level, *everything* is bought by money alone.
> An initiative will cost $X in capex, $Y in manpower costs, and is predicted
> to return $Z per year.  If Z is bigger than X+Y, we proceed, if not, we
> don't.
> (Of course, the fun is in nailing X Y and Z down to accurate numbers :)
>
> > company, but they won't change the flawed processes, and the bad
> priorities.
>
> Remember that computer security is almost always a cost center, not a
> profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money),
> unless
> you can demonstrate how that will impact the bottom line.  Just like I
> *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one
> that
> gets 42, and save $50 month in gas- but then have a $250/month car payment
> to
> make. That doesn't make fiscal sense, and often neither does fixing the
> flawed
> process.
>
> > of course many of them will get owned, lose a good chunk of money, some
> of
> > them even will go out of business, but until most of them can get away
> with
> > those broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> You run a restaraunt, and make a bet that you can sell a fajita that's 20%
> bigger than your competitor, for 50 cents less,and still make money.  Maybe
> you're right, and you end up expanding into a nationide fajita chain. Maybe
> you're not - something like 50% of restaraunts fold in under 3 years.
>
> You manage an office building complex, and make a bet that if there's a
> fire,
> only one of the buildings will burn down and not all of them, so you don't
> insure for "everything burning down" because that's a *lot* higher premium
> per
> year and you don't really see them *all* burning as being likely.  If one
> burns
> down, you collect the insurance, rebuild, and get on with running an office
> complex.  If they all burn down, you're probably screwed.  Unless you're
> one
> lucky guy like Larry Silverstein, and they're ruled separate events at the
> WTC
> so you get paid for all the buildings anyhow:
>
>
> http://articles.cnn.com/2004-12-06/justice/wtc.trial_1_larry-silverstein-single-occurrence-insurers?_s=PM:LAW
>
> You run a company, and make a bet that there's only a X% chance of being
> hacked, and it will probably cost you $Y, so you spend $Z.  Maybe you guess
> wrong, like Sony did, maybe you don't, and all the money you didn't spend
> on
> security becomes profit, not cost.
>
> But it's the same thing - you estimate your chances, and place your bet.
> It's
> called the way business works.

it seems that you are missing my point.
I don't try to say that security should be the top priority, I'm saying
that:
- it should be handled the same way as QA, it's not a feature, it's a way
of doing things, you can't just buy it from a vendor without changing
anything on your side.
- currently the efforts for it security in most cases are below what a
formal risk analysis/evaluation would identify for most of the companies
out there.

A kiddie with no formal education, or relevant experience, but with being
handy using a pc and the internet shouldn't be able to "own" companies and
create loss/stole millions of dollars.

So I would be curious what is your opinion about those two points.

btw: A Sony is a good counter-example, but we also see CA companies
recently going out of business after being hacked, usually losing customer
trust is more grave where the trust is more important to begin with.
Maybe people didn't started buying less Sony phones/tvs/ps3, etc. but I
would bet, that less people would fill out his CC info on the PSN again. At
least I don't know anything in my social network who would do that again
since the breach.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/