Re: They will protect me (won't they?)

[Dotzero <dotzero () gmail com>]

comments on your comments embedded below:

On Tue, Feb 10, 2009 at 9:21 PM, Adriel T. Desautels
<ad_lists () netragard com> wrote:
> Comments embedded below:
>
> On Feb 10, 2009, at 5:39 PM, Dotzero wrote:
>
> > On Mon, Feb 9, 2009 at 1:33 PM, Adriel T. Desautels
> > <ad_lists () netragard com> wrote:
> > > One of my recent thoughts and blog entries...
> > >
> > > So the other day I was talking with my buddy Kevin Finisterre.  One of
> > > the
> > > things that we were discussing was people who just don't feel that
> > > security
> > > is an important aspect of their business because their customers don't
> > > ask
> > > for it.  That always makes my brain scream "WHAT!?". Here's a direct
> > > quote
> > > from a security technology vendor "We don't perform regular penetration
> > > tests because our customers don't ask us to do that."
> >
> >
> > If the customer doesn't contract with that vendor for that particular
> > service why would it be the vendors obligation. I use multiple vendors
> > in the security services area and some I find stronger in some
> > services and others stronger in other services. Sometimes I split
> > things up for other reasons. I don't want my auditor doing my
> > pentests. I view a vendor doing both as a conflict of interest.
>
> I am not talking strictly about security service providers. I am talking
> more along the lines of ISP's and other public service type companies. The
> customers take the security of their providers for granted out of ignorance.

Customers take all sorts of things for granted out of ignorance. For
example, when you board a commercial airliner do you ask for proof
that the plane has had all of the appropriate maintenance and service
checks? Do you check that the person working at the restaurant or
supermarket washed their hands after using the loo?

> Thats not insulting, that is a fact. The providers then turn around and say
> "we don't do it because our customers don't ask for it". That is the problem
> that I am talking about. Its almost as if these businesses are banking on
> their customer's ignorance.  I have ethical problems with that.

Many of these businesses are almost as ignorant as their customers. I
have a list of 25 questions with regard to PCI compliance that I
provide to potential vendors. I provide the questions one hour before
a 30 minute conference call with the technical person they designate.
It is amazing the amount of ignorance I deal with on these sorts of
calls. One vendor CTO called it the most thorough audit he had gone
through. The scary thing is that a number of other companies allow
that company to handle CCs on their behalf.

With reference to ISPs, the skill levels and capabilities are all over
the place. Some of them can't even spell security. On the other hand,
a lot of customers simply aren't interested. They intentionally don't
want to know the risks because that justifies going with the lower
cost vendor. In fact, wasn't this one of the issues you raised in one
of your posts not too long ago?


> > > Isn't it the service provider's/vendor's responsibility to properly
> > > manage
> > > and maintain the security of their infrastructure?  Don't they have an
> > > ethical obligation to their customers to protect the service that they
> > > are
> > > offering and any information that the customers decide to store on their
> > > systems?
> >
> > It depends on the agreement and in some circumstances it may depend on
> > regulatory or contractual compliance obligations that derive from the
> > contract.
> >
> >
> > > The real question is, how many customers would they lose if the customers
> > > heard them say that? That is after all just like saying "We don't care
> > > about
> > > security because our customers aren't asking us to care about it."
> >
> > Actually, they probably wouldn't lose many. It's not that the vendor
> > doesn't care about security, it's that the scope of what they are
> > providing is constrained by what the client/customer says they want.
> > Flip it around.... how many vendors will walk away from a "bad"
> > customer? .... particularly if that customer is a lucrative one?
> >
> > > So who have I heard this from? Here's the (very) short list:
> > >      • Vendors that make security software (like email gateways,
> > > anti-virus technology, Intrusion Prevention Systems, etc).
> > >      • Vendors that make technology that is used to control our Nuclear
> > > Power Plants, Water Purification Plants, Traffic        Control Systems,
> > > etc.
> > >      • Vendors that sell business enabling technologies like PHP based
> > > Content Management Systems, Commercial Web Servers, Server based
> > > applications, Web Applications, etc.
> > >      • Vendors that sell desktop applications like Financial Tracking
> > > Systems, Invoicing Systems, File Sharing Systems, Backup Solutions, etc.
> > >      • I've also heard this from MAJOR Service Providers such as Web
> > > Hosting Providers, Email Providers, Backup Service Providers, etc.
> > >      • The list goes on....
> > > I think that people need a wake up call.  This strikes me as a serious
> > > ethical issue, what about you? Leave me a comment I'm very interested in
> > > feedback on this one.
> >
> > I don't know that I would call it an ethical issue. It is certainly an
> > issue and a serious one. Unfortunately it will probably take a serious
> > incident for the wake up call you mention.
>
> This reminds me of the mentality that the Infrastructure guys have. Why does
> it have to take a 911 to make people realize that they need better security
> in the first place? Why can't people just wake up and prevent the 911.

Human nature. There are a lot of "infrastructure guys" that do care
and do act to protect the infrastructure they are responsible for. To
recognize the nature of a problem does not mean one does not care. I
think you are tarring with an overly broad brush.