Security Basics mailing list archives

Re: Fwd: Why suing auditors won't solve the data breach epidemic


From: lonervamp () gmail com
Date: Mon, 22 Jun 2009 09:12:52 -0600

Normally passing off links to mailing lists annoys me, but I hadn't seen this article, so I have to grudgingly say 
thanks! :)

I don't like the idea of suing auditors. To me it smacks of being just part of the "pass the blame" game. I can be 
convinced, however... 


But if this continues, I'd like some feedback on some of my opinions on the possible implications of this case:

1. If auditors can be sued, this may result in stricter contracts that absolve auditors of liability for these things?

2. This could result in the demand that auditors have even more visibility and power on the networks they audit. No 
more turning off that server while the auditors are scanning!

3. I think this should scare the rubber-stamp, unskilled auditors/pen-test firms, but will it also scare away truly 
good ones?

4. Savvis may have missed a glaringly obvious checkbox with storing unencrypted data (whether or not that even mattered 
in the actual breach; it's arguable what your real value is in encrypting that layer). But does that possibly just 
reinforce checkbox auditing?

5. What about auditors that do pass a client, but the client only looks good when it is audit time? Will this lead to 
more 24/7 monitoring/auditing? One may as well go with an MSSP or just beef it up in-house, right? (Of course, beefing 
up in-house means you can only fire someone for a breach and likely can't get reparations like a lawsuit against a vendor.) 
I mean, seriously, how often do companies turn on the alert dashboards or rush out patches only during audit week?

6. Will any of this be compatible with what we all have to accept: security cannot ever be perfect; plan for the breach?

And kudos to the author for taking a quick glancing blow at the idea of suing someone/something over the accuracy of their 
opinion, in relation to suing over securities/firm valuations, etc.

My apologies for vomiting this whole thing out, but I wouldn't mind seeing some discussion on it.
