Full Disclosure mailing list archives
Re: Fwd: Rate Stratfor's Incident Response
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 7 Jan 2012 21:09:26 -0500
On Sat, Jan 7, 2012 at 8:42 PM, <Valdis.Kletnieks () vt edu> wrote:
On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:

imo public shaming (i.e. owned by kiddies, usually they get bigger media attention) can force companies to take security more seriously, but imo hiring the kiddies isn't the solution.

It matters a lot less than you think. Go look at Sony's stock price while they were having their security issues - it was already sliding *before* PSN got hacked, but continued sliding at the *exact same rate* for several months, with no visible added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a child corporation operating under their name) had been hacked at least 43 times in the past (http://attrition.org/security/rant/sony_aka_sownage.html). Adding insult to injury, Sony laid off security folks before the spectacular breach (http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/). Sony is the poster child for driving drunk on the information superhighway. Computing is a privilege, not a right. They should have their privileges revoked.
The hack at TJX didn't cripple that company either. Cost them a bunch, but nothing they couldn't survive - most companies that size already budget a lot more for unforeseen events than the hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one quarter's earnings. The executives were awarded bonuses for a job well done, and the loss was passed on to the shareholders.
[SNIP] Remember that computer security is almost always a cost center, not a profit center, and one of those "bad priorities" is usually "make more money". They aren't going to change the flawed process (which will cost money), unless you can demonstrate how that will impact the bottom line. Just like I *could* replace my already-paid-off car that gets 27 miles to the gallon with one that gets 42, and save $50/month in gas - but then have a $250/month car payment to make. That doesn't make fiscal sense, and often neither does fixing the flawed process.

of course many of them will get owned, lose a good chunk of money, some of them even will go out of business, but until most of them can get away with that broken model, they won't try to fix the underlying problem.

And you know what? *Every single decision* a business makes is like that. [SNIP]
Sadly, you are right. In the US, we need a legislative change - broader, more encompassing laws and definitions which benefit the users (whether it's a user with a credit card on file, or a user with PII on file). We need harsh penalties to act as a deterrent against corporate indifference, and board members to be held criminally accountable. With harsh penalties and board accountability, I would argue you could relax legislative oversight - give them enough rope to hang themselves, and see how many executives will opt for 'let's spend 10 years in prison' because it's cheaper to do nothing. It's probably a pipe dream, though (I know it is while corporate America gets to participate in the oligarchy via bribes (err, PAC contributions)).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/