Full Disclosure mailing list archives

Re: Undisclosed breach at major US facility


From: pauls () utdallas edu
Date: Tue, 04 Jul 2006 21:30:54 -0500

--On July 4, 2006 6:22:18 PM -0400 Stack Smasher <stacksmasher () gmail com> wrote:

> Hey Jackass, I know HIPAA has stiff penalties but the fact is people
> are too fucking lazy to prosecute cases that don't involve terrorism or
> affect shareholder value, and let's face it, millions of people's
> information has been exposed in the last 5 years and NO ONE has done
> shit about it. Look at Ernst & Young for example, those fuckups
> should all be rotting in jail right now for the amount of customer
> data that has been exposed on multiple occasions. I can count 10
> incidents that I KNOW of, imagine how many have been kept quiet.
> HIPAA, Sarbanes-Oxley, GLBA, and the California breach act are paper tigers
> and everyone that has a clue knows it, they are a bulldog with rubber
> teeth to give the general public a warm feeling about doing business
> with corporations that can't get their shit together. If you think I'm
> wrong then prove it!

If the effects of HIPAA, SOX, GLBA et al. could be measured in dollars, they have cost corporations millions of dollars in software, hardware and personnel expenses. If they could be measured in time, they have already cost corporations hundreds of thousands of man-hours. The regulations have spawned uncountable numbers of seminars, speeches, papers and vendor visits talking about what it all means and how one comes into compliance. Unfortunately, the hype comes first, followed slowly by reasonably priced, effective technology that actually addresses the problems that *can* be addressed by technology. The people problems are *much, much* harder to address.

Furthermore, large organizations don't just change overnight. Many attitudes have to be changed before change takes place, not least the realization that security really does matter. Just because you don't *see* the change doesn't mean the change isn't taking place, and just because *you* know the solution to everyone else's problem doesn't mean everyone will agree with you.

A perfect example of the dichotomy between what should be and what is is the recent theft of a laptop with millions of VA records (including mine) on it. Full disk encryption has only recently become commercially available in an easy-to-use *and* easy-to-recover form, and it's still very expensive. (If we were to encrypt every hard disk we have, it would cost us one-fifth of our entire existing IT budget and require another half-employee just to keep up with recoveries for employees who forget their passwords.)

Furthermore, I'm certain that the theft of the laptop never crossed the mind of the employee who took the records home or of his (or her) supervisors, who merely winked at the violation of policy (if indeed it *was* a violation of policy!), because they were more concerned about getting "extra" work out of the employee than they were about the potential (and to them, theoretical) loss of data should the laptop be stolen.

In the real world problems don't get fixed overnight, especially ones that are embedded into the culture like insecure thinking is. When passwords finally go away (and they will fairly soon), almost one-half of the security problem will be solved, simply because humans will no longer be making decisions about what constitutes a secure authentication methodology.

In order to understand the problem, you have to stop thinking in terms of *your* computer(s) and start thinking in terms of thousands and thousands of computers. All of a sudden the reasons for a lot of things will become crystal clear.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/