Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk)
It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporate companies are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Despite losing a significant sum of money on a data breach, it is still in a company's best interest to not spend on upgrading their security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
People have no options in the market for strong security, otherwise they'd punish these companies in sales.
Your info is already scattered all over the Internet from previous data breaches. It's cheaper to do nothing than build infrastructure that won't add to the CEO's annual bonus.
Not only that, but most people are too incompetent to do it right if you shove huge piles of money at them.
So you say that the US, with its restrictive laws to ban internet crime, is in fact hindering business? All the money is made in Bulgaria now!!! In the US only the less lucrative "defensive IT security" business model is allowed.
And you can bill the hacker the costs to fix stuff even when the system had no security at all.
Like our doors had no locks on them at all and someone broke in, and now we have costs of $ to install locks on the doors.
... tear apart than build.
or would
is that there needs to be either an increase in the rate of hacks or an increase in the damage done to companies by a hack, and only then will companies start to improve on security.
This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).
However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.
Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
Yeah, it's just money....except for that whole bad publicity thing, loss of customer confidence and stuff like that.
on how good your org is at PR/damage control. There's no money to be made if all your clients are too afraid to keep dealing with you.
Then the spending on security will go up.
Don't use the internet for anything business related until business gets serious about fixing the problem. These people just want their profits and, like they learned getting that MBA, the easiest way to do profits is to re-direct costs. In this case, put the costs of doing business online onto the customers. Seriously, who pays the real price when a business gets hacked and all the customer data goes walking out the door/server? The customers suffer from having their data abused, that is who suffers.
Do you trust your ISP with your bank account number, address, phone number, etc? How about your bank? Your employer? Your local utilities? How many of these types of businesses have you seen hacking reports on these past years? All of them, repeatedly, every year.
Do you remember in 1995 when the business and banking communities were warned that the internet was not designed with security in mind, but the complete opposite? Do you remember that they all just said the business opportunities were just too great to ignore and that security would naturally follow usage?
The internet is not for business; the internet is for porn!
It's the cloud. Did any serious security tech ever think that was a good idea?
Sure it's cheaper for the company if you are a greedy CEO type that only worries about himself and what affects his bottom line.
If you added up all the time and effort the poor customer has to deal with when changing accounts, re-setting up billpay, and fixing credit scores because of a company's breach...
The cost is way more than that measly 200k.
The end is near.
It is like the war on drugs. The enemy is better financed, better equipped, better motivated, better skilled, and the people you are supporting are a major liability.
It is like bullying/violence on the school-ground. The teacher can't stop the bullying, they can only retroactively address an event. The only way to win is not to play the game, and the system is built so that isn't an option.
It is like corporate America - the psychopaths and sociopaths have a strategic advantage, and dominate the field.
It is like sibling rivalry - the younger brother can't force you to share your toys, but he can break the things you build.
So how do you win? You have to change the system. You have to make the blood toxic to sharks. You have to turn the water to dry land. And the sharks don't give you permission to do that. The enemy sharks, and the sharks at the helm. What do you do then? That is the question. There should be a good answer. Perhaps the right stochastic simulation (revisit Peter) can point in the right direction.
I'm hearing about cases where companies got hit with cryptolocker-type viruses. And it wasn't something that just happened in a 30-minute period. It was a sleeper virus that waited 72 hours before activating, which invalidates all of your recent backups. All it would take is a sleeper that takes 1 month, 6 months, etc. to activate and then bam - you're done. No good backups. No data = no company. It would be a nightmare.
When the 1% are affected, we'll see security improve.
If you find a vulnerability, companies must be exposed as loudly and embarrassingly as possible. That (or legal threats) is the only thing that can stop them.
Remember, there are companies out there that still don't hash passwords.
Irresponsible disclosure is responsible
It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flout the niceties and come in anyway.
Businesses have to compete with each other. If my competitors are not spending on security, they can provide the same product at a lower price. Public awareness is low, so they go with the cheaper product. When public awareness is low, government rules are needed, but in the internet age any government rule is likely to stagnate innovation and will make things more insecure. So, in the end, security is always going to be a major issue.
In an optimal world, the costs would balance. If you spend zero on defense, then the breaches will increase due to the lack of defense. So, spend some on defense, make it harder to breach, breaches will always be possible, so where's the sense in spending more on defense than the breaches are costing?
Now, in military systems, the potential cost of a breach is rather high...
Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
I think the reality that is being recognized is that no amount of money spent on InfoSec is sufficient.
What needs to change is not reducing InfoSec budget as some kind of attempt to balance costs. What needs to change is the foolish belief that any amount of "good work being done" will eventually fix the problem.
The problem here is that dollar signs are batted around to get people's attention. Of course it is dumb to say "well, the cost of protecting the data is the same as losing it, so it's just a toss-up". But the bottom line is the same: InfoSec will always fail. That is because it is like any security -- ultimately useless against a sufficiently determined attacker.
From the article, it looks like they may be looking at cost deducted from revenue. But how about the market impact? Wouldn't their overall net worth suffer an immediate blow too? Optimistically, it would recover over some time, but still leaves a stain in the company's image that may drive some investors away. But I'm sure they've accounted for this.
"...it is still in a company's best interest to not spend on upgrading their security infrastructure."
Translation: the investors aren't about to give up a dime because it's not their data that's at risk. They've already got their money so why should they care.
If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.
It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.
A persistent threat that can't be effectively eliminated in a cost effective manner and the easiest way to deal with it is to just make it sort of hard and pass the remaining costs onto consumers?
It means hackers aren't able to do damage which is too valuable, doesn't it?
That's the problem in a nutshell. "Dear Sir, we leaked your details, have a year of free monitoring on us!", has become the norm. It does not reflect the cost of the hack though - the pain of changing credit cards is borne by the customer and their banks, not by the companies who got hacked. The pain of identity theft is even worse.
We need to see mandatory payouts. You lose my credit card details forcing a change? Send both me and my bank $100 for our troubles. Lose my personal information (Address, DOB, SSN etc.) send me $10k.
That would get the CFOs' attention really quickly and budgets would change.
Except that the best defense against hacking is user training, policies, network segmentation and other low-tech solutions combined together into an intelligent overall strategy...
If you think you can just go out and buy security, you are most likely getting fleeced.
And yet DARPA made headlines just the other day when they proved exactly the opposite.
113 million dollars to fix.
49 million dollars for the death and destruction costs.
Ford chose death and destruction over the lives of customers.
To this day I won't own Ford.
http://www.popularmechanics.co...
If your idea of defense is buying hyper-expensive checkboxes, then yes. If you do the little things like actually doing updates, actually configuring your servers properly, etc., then perhaps not.
... Or can it? :/ :: sigh ::
He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.
And that's the bottom line. And this should worry people that put so much personal data on social media, but it won't. Honestly, there's no news here, considering that not many care about their own personal data's security.
There are only a few entities with a massive trove of valuable, private, in-house data. The rest depend on piles of personal data [credit cards, billing info] from their active customer base. You can't sell your stupid, unnecessary service without a credit card, right? Any "private company data" lost in these breaches makes up a fraction of those who are in a real position to sustain actual loss.
So they just shrug, and bank on the short-term memory of the proles.
Heavy fines after being hacked and effective jail time for CxO staff if data was not encrypted (negligence) might change the balance.
Having tried the preventive approach to computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the costs of spending more and more on preventive security solutions versus the cost of a security breach.
Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.
It's also cheaper for your bank to use standard residential doors instead of massive several feet thick steel doors to protect their vault. The difference though, is that vault is protecting a metric shit ton more than your house.
Corporate servers are less like your house and more like a bank vault.
The $200k figure is internalized costs: the cost of providing free credit protection to those affected (which almost no one takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through. The externalized amount, the burden on those whose data was stolen, is far greater. Also, one has to keep in mind that most breaches are minor incidents involving insiders; they cost very little to fix (change password: done) and no further spending is necessary or effective; the ones we hear about are mostly the "millions of user account details stolen" incidents caused by external crackers.
And yet DARPA made headlines just the other day when they proved exactly the opposite.
Then the obvious thing to do is move your data and services to DARPA.
Yea, I'd also like a bit clearer accounting of what type of "security solutions" average more than $200,000... I think maybe these guys need a second opinion on what constitutes security.
I was just going to post when your comment made me rethink the whole thing and write this reply instead.
Having worked in I.T. for 25 years or so now, I'm pretty familiar with the "computer security" marketplace. Most of the time, you've got a combination of "former hackers who decided they could make a living out of selling comp-sec stuff" and big companies seeing $$$$'s by getting behind these initiatives to sell solutions.
Meanwhile, in the rest of corporate America, I.T. expenditures are increasingly under a microscope, because companies have long since been burned by and learned from the old idea that I.T. was an investment in the company's future. These days, I.T. is viewed more like a line item expense on budget spreadsheets. Sure, it's necessary .... but it's necessary like hiring a janitor is necessary, or like buying office supplies is necessary. When your I.T. staff recommends the latest gizmo that promises to do X and Y to stop outside system attacks or to analyze traffic? They start asking a lot of questions. What would it really cost us if we didn't buy this and we got hacked? What kind of disaster recovery stuff do we have in place to put things back to the way they were before the hack? What else can I.T. do to improve our security before we go buying all of this new stuff?
And guess what? In the majority of situations, the reasonable answer is to say "no" to the expensive new security appliances or software. A lot of that stuff is going to quickly become obsolete anyway. (Quite a bit of it is subscription-based where it receives regular updates from the manufacturer as long as you stay current on your payments. Guess what? When the (often small startup) security company making it gets bought out by someone else or goes belly up, you're often left with a costly paperweight that someone wants MORE $'s to replace with the "new, supported alternative/improvement" to it.)
If your I.T. people are competent enough, they should be keeping up with all the OS and software updates/patches, and that alone seals up quite a few of the security holes at NO extra cost. Other times, the smarter choice may be outsourcing one or more of the services you used to host in-house. Let the "big guys" host it for you and let THEM pay all that money for the fancy security appliances to protect your data AND the data of thousands of other customers of theirs. At scale, those security tools/software purchases make a lot more sense.
Following this logic, corps should just fake the breach and sell their user data on the "Dark Web" themselves. It has value, and if that value exceeds the cost of losing it... profit!!!
... is that it's far cheaper and more effective to pay someone to float lies and falsified data like this "research" to convince their competition not to bother securing their networks than it is to just pay market prices for the customer data they want.
If someone was going to die as a result of a malfunction or breach of a system, we'd demand it be air-gapped and have robust CM. There would be hell to pay as a result of failure - think hospital systems. Or military systems.
The thing is, most of the systems businesses use aren't all that important in the grand scheme of things. No one is going to die if Twitter or Walgreens has a breach. Sure, for the individual, this is bad, but you're probably going to get your prescription anyway and having someone impersonate you on your Twitter account is irrelevant.
Cue "assumed breach"...we must assume that systems like Twitter and Walgreens are breached and are leaking data. Therefore, conduct any business with them while insulating yourself from the consequences of said breach.
Right now, I'd say a substantial part of the problem is insurance protection against cyber attacks.
If a company can go to a bog-standard insurance company like Travelers or AIG and spend a small fraction of both the real breach cost and the cost of actually securing things, they will - the profit motive demands it.
What the profit motive DOESN'T demand is the insurance company look at their costs with a blind eye. Right now, I'm sure a large number of those policies are untriggered, so in aggregate, they are still profitable. But when those costs become comparable, and a company factors in the lost productivity and PR issues (both of which are hard to quantify), they will actually secure things. Partially to save money on or qualify for their cyber insurance.
That's part of why news coverage of breaches and forced disclosure laws are so important - right now, to both businesses and insurers, the productivity and PR costs are too easy to ignore, and the insurer has little motive to force compliance. (In fact, it's theoretically more profitable to 'prove' to their customers that attacks happen and no tightening will prevent all attacks - both of which are absolutely true no matter what happens.)
And got Congress to pass a law making arbitration legally binding. SCOTUS just recently upheld it. You'll find a clause in the EULA of every service you use. You done got sold out again.
Yes, sage advice indeed. Don't bother securing your servers, everything will be fine, we promise! What was your router IP again?
Factory workers got protection because there were a lot of them and they formed unions. Security breaches only hurt a few people and they're completely unorganized. Hell, when the mega corps got tired of safety they just moved the factories. If we let them weasel out of that we'll let them weasel out of this. Besides, Americans pride themselves on luck. The lucky ones will be fine.
you're kidding, right?
$200K is a drop in the bucket of possible spend on security.
Stateful firewalls can cost more than that if you need to support a decent number of users at wire rate.
Add mail filters and the need for beefier servers to handle the crypto overhead compared to what you could have used without crypto...
My previous employer spent *at least* $200k/mo on security in IT.
Of course they were protecting IP that led to $34Bn profit on $55Bn gross...
I didn't see any mention of the productivity losses incurred by heightened security either. Our VPN is so locked down it's almost impossible to get things done remotely unless you happen to work in a business unit that is permitted to use terminal servers. To this day we aren't allowed to have video conferencing with parties outside the corporate firewall. I'd estimate the productivity loss to be around 5-10% of overall effectiveness.
As with anything in business, it must be driven by ROI, plain and simple. This is why you need real security people taking care of the security.
127.0.0.1, or if you prefer, ::1
So I could make my life cheaper and not need to constantly monitor my credit and other issues from fraud and identity theft by not making purchases with these companies.
Enterprise solutions are always extremely expensive because they ship you a crappy product and then lock you in with a support contract made by a salesperson whose job it is to push their product as deeply into your company as possible. Sales is always about the personal connection; it's never about the actual item being sold. The well-designed products don't need support contracts, or they only have replacement contracts (like instant shipping of failed HDDs at the word of the customer). You pay based on what the sales rep can talk you into, not on the actual cost of the services.
The company is sold a turn-key solution and then the seller hires a cheap worker to support that contract. $15 for product delivery, $70K for the new worker, $130K in profit with distributions towards killing competition, handling lawsuits, and making upgrades for the next release.
You can spend glorious tons of money on security and still get hacked. The problem is that the internet has no boundaries built in and folks are trying to hide information. If it's networked to the internet, directly or indirectly, that information can get shared. Period.
How to fix? Only information you're willing to share with the whole world should be on a system that is networked.
Yes, sage advice indeed. Don't bother securing your servers, everything will be fine, we promise! What was your router IP again?
It was sage advice, but you didn't bother reading it. The only time you'd spend zero securing your servers would be if the cost was zero. That's balance.
My house is not secure against a professional thief. I know this, but I also know that keeping out a professional thief is almost impossible and the costs are inanely high. I'd be best off hiring a full time security guard. My possessions are not worth that. You balance cost with risk. But I still use a lock to keep stupid high school kids out. That's cheap. Just because I don't have perfect security doesn't mean I didn't bother to secure my house.
Back in the 1990s I took a computer security course taught by Gene Spafford, who made sure we all understood that your level of computer security is primarily an economic decision. You find the right balance between the costs of security (time, money, etc.) and the costs of breaches in your security (time, money, etc.).
Perfect security is not free and it's unreasonable to implement it all the time. The events leading up to the switch to chip cards in the USA showed that the distribution of the cost of a breach was improperly divided up between the parties involved. Changing that distribution caused changes in security implementations.
I don't think his advice is particularly bad, it's more of an admission of reality. Spend the money to make a good solid security program, but let's face it, with all the 0-days out there and the threat sources, it is probably best to understand that successful attacks are inevitable. At least then, you also set aside time, money, and resources to deal with the impacts, and do planning that assumes that since breaches are possible, they need to be taken seriously when they happen.
I'm less concerned that someone stole my password than I am that a password might have been stolen, but I didn't know about it for weeks or months or years. If I at least know about it, I can take action.
Just realize half of all penetrations are as a result of social engineering or tokens that get passed out beyond your control.
Patch: keep your servers and workstations and laptops and mobile devices patched to the latest fix. Realize the latter two have a high chance of not being, due to their nature.
Backup: keep both daily and periodic backups. Have periodic full backups offsite. Always assume people will corrupt and mess with your key files. Keep offline offsite versions of those.
Rotate: don't always do the exact same thing. If someone hacks one machine in one place, you may notice differences if you switch it up a bit.
trust: never ever ever trust senior execs.
validate: never ever ever trust senior execs. they will give away access always.
confirm: never ever ever ever trust senior execs. they will order people to let the bad guys get access to your key data always.
(i'm starting to sense a pattern here)
More important to me than the cost of keeping out a professional thief (after all, it's only money), is the inconvenience of a bulletproof security system - that's impacting quality of life at home, and similarly impacts the efficiency of businesses that over secure their assets.
This. The only thing I'd argue with is the last statement. I think focusing mainly on prevention is still the best place to put your dollars, because an ounce of prevention is worth a pound of cure. But it depends on what you're calling "prevention." A good backup plan is a relatively cheap way to prevent data loss. It doesn't prevent downtime, but if downtime isn't particularly expensive for you, don't spend half your budget trying to combat it.
Security solutions and spending also often includes the security people operating the solutions. And just one of them can easily be almost $200,000 a pop, not necessarily in salary, but in benefits, salary, and even getting a headhunter to find one.
As far as security software, that's pretty expensive too, but varies based on your level of security. I've seen packages that keep the records of every keystroke made on every server that you connect to it. Real Big Brother types of packages. That easily costs more than $200,000 a pop.
Also note that if you work at a smaller company that uses a certain piece of software that isn't very expensive for you because you have few heads and few computers to secure, that same package becomes much, much more expensive for big companies due to their scale, and even with deep discounting. I have to work with Fortune 100 companies in integrating with their security, and while it is not always inspiring to see their level of competence, it is very easy to see that they spend a shitload of money on what they have because they have high visibility and complex environments.
IT is not expensive, stupid IT is. As my brother and I have found out, we can do the work of 10-30 other people while still being more lazy than everyone else. Work smart, not hard. If you have a lot of hard working employees, you've just discovered that you have a bunch of sub-par IT.
You fell for the Siren songs of the firewall vendors...
If you use the internet as an untrusted comms channel, you can still connect high security computers to this ratsnest. Just don't think the high security system can be bought COTS. All the COTS has been sabotaged by the 1% and their agenda of CONTROL. They fear the day they cannot hack into the computers of the plebs. The plebs could conspire to bring the 1% down, ya know.
But surely you can take something like an AVR or a Z80 CPU, some display, build your own keyboard, program an FPGA (for the secure RS232) and use something like SPARK Ada to build a truly secure computer. Forget the Unix or Windows crapola. Way too many features to be ever secure. Forget C - a snakepit of exploit opportunities if used by humans.
I bet somewhere in China and Russia they do something like I describe.
See subject & IF you try 1 of the SIMPLEST measures (restore points) they're not enabled by default in Win10 (for regular users) - you must RECONFIGURE IT to be able to access restore points & THEN you can try to do it (IF it works, as I just helped a pal TRY to do this remotely, & the malware he sucked in ("VirusKeeper" apparently) from online hosed the system's ability to SEE those older system-generated restore points (like ones created during MS installers operating, for instance)).
* Yes, he uninstalled that bogusware, but apparently it didn't cut it (glad I asked him IF he'd installed ANYTHING lately prior to digging in the OS startup areas, browser addons, registry, etc. - et al) - this astounded me that MS MAKES IT TOUGH TO ACCESS RESTORE POINTS (a quick fix usually vs. bogus malware installs many times).
(SO MUCH FOR "LEAST PRIVILEGED USERS" running things on MS' part - malware bypasses it & ACL/WFP/SFP protections easily!)
APK
P.S.=> It made me further realize the CRAP that is Windows 10 after seeing that utter f'ing stupidity (let alone telemetry bs too) & LASTLY:
COMPANIES "pinching pennies" on SECURITY are just ASKING for a CLASS-ACTION LAWSUIT based on NEGLIGENCE - & there's your COLLAPSE due to revenue loss #1 HUGE contributor... apk
Apply the K.I.S.S. principle. Most of the insecurity stems from the bells and whistles some idiots think they need. For example, the WWW by now is a crazy hairball of tacked-on technologies like CSS, video codecs, the Javascript silliness(including the brainfuck of JIT compilers due to a lack of typing in JS) plus a boatload of HTML features.
Modern browsers are more complex than any secure system can ever be.
So if you want to make something secure, first order is to dump the complex "standards" of today.
The next generation of cyber threat will slowly but steadily alter your data. They will mess with your backup mechanisms.
When you realize the extent of the problem, 9 months of data will be corrupted.
Stuxnet style attacks do not just work for Iran...
No, that's the point. They are not at all.
If Gov't is going to read our data anyway, at least they could provide the service of shielding it from everyone else? :-)
Add in the lost business from people who don't shop or use their services anymore? I haven't shopped at Target or Home Depot since they lost my data.
If only we had these things like diff or record comparisons, that would allow us to write back transactions over multiple file generations, and if only these had been created in the 1970s ....
oh
wait
-- Tigger warning: This post may contain tiggers! --
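The two comments above (the slow-alteration threat, and the reply that diff and record comparison across file generations already solve it) describe a detection technique without showing it. The following is an added example, not code from anyone in the thread. It assumes each backup generation is a mapping of record-id to record bytes and that every legitimate change is recorded in a transaction log as (record-id, generation); a record that differs between two generations with no matching log entry is flagged, and the last generation before the first unlogged change is the point to restore from. The account data and log entries are constructed for illustration.

```python
"""Detect slow, unlogged alteration of records across backup generations.

Added example (not from the original thread). Assumptions: a backup
generation is a dict of record-id -> record bytes; authorised changes are
logged as (record_id, generation_index). All sample data is constructed.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, bytes]


def record_digest(data: bytes) -> str:
    """Per-record fingerprint; store these alongside the backup."""
    return hashlib.sha256(data).hexdigest()


def snapshot_root(snapshot: Snapshot) -> str:
    """One hash over every record (sorted by id) so a whole generation
    can be compared, or chained to the previous root, in constant space."""
    h = hashlib.sha256()
    for rid in sorted(snapshot):
        h.update(rid.encode())
        h.update(bytes.fromhex(record_digest(snapshot[rid])))
    return h.hexdigest()


def diff_generations(older: Snapshot, newer: Snapshot) -> Set[str]:
    """Ids whose content changed, or that appeared/disappeared, between
    two consecutive generations. Deletion counts as a change."""
    changed: Set[str] = set()
    for rid in set(older) | set(newer):
        if rid not in older or rid not in newer:
            changed.add(rid)
        elif record_digest(older[rid]) != record_digest(newer[rid]):
            changed.add(rid)
    return changed


def find_unauthorised_changes(
    generations: List[Snapshot], tx_log: Set[Tuple[str, int]]
) -> Dict[str, int]:
    """Map record_id -> index of the generation in which it first changed
    without a matching (record_id, generation) entry in the log."""
    suspicious: Dict[str, int] = {}
    for gen in range(1, len(generations)):
        for rid in diff_generations(generations[gen - 1], generations[gen]):
            if (rid, gen) not in tx_log and rid not in suspicious:
                suspicious[rid] = gen
    return suspicious


def last_trusted_generation(
    generations: List[Snapshot], tx_log: Set[Tuple[str, int]]
) -> int:
    """Index of the newest generation with no unlogged change so far;
    this is how far back a restore has to go."""
    suspicious = find_unauthorised_changes(generations, tx_log)
    if not suspicious:
        return len(generations) - 1
    return min(suspicious.values()) - 1


# Constructed sample: four nightly generations of a small account table.
GENERATIONS: List[Snapshot] = [
    {"A-101": b"balance=1000.00", "A-102": b"balance=250.00", "A-103": b"balance=75.50"},
    {"A-101": b"balance=1000.00", "A-102": b"balance=300.00", "A-103": b"balance=75.50"},
    {"A-101": b"balance=1000.01", "A-102": b"balance=300.00", "A-103": b"balance=75.50"},
    {"A-101": b"balance=1000.01", "A-102": b"balance=300.00"},
]
# Only the A-102 change in generation 1 was a real transaction.
TX_LOG: Set[Tuple[str, int]] = {("A-102", 1)}

if __name__ == "__main__":
    for i, snap in enumerate(GENERATIONS):
        print(f"gen {i}: root {snapshot_root(snap)[:16]}...")
    print("unlogged changes:", find_unauthorised_changes(GENERATIONS, TX_LOG))
    print("restore from generation:", last_trusted_generation(GENERATIONS, TX_LOG))
```

Run as a script it reports that A-101 was altered in generation 2 and A-103 vanished in generation 3, neither with a log entry, so generation 1 is the last one that can be trusted. The per-generation root hashes are what you keep off-line: a backup set whose recomputed roots no longer match the stored ones has been rewritten after the fact, which is exactly the "mess with your backup mechanisms" case.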
Your house is protecting YOU first and foremost. Personal security is a great comparison with corporate security. We all do reasonable measures to protect ourselves but are hardly spending a large portion of our income to do so. We all know anyone that violates our property will be dealt with by authorities. We can only ask for reasonable security and a justice system that punishes those that go beyond that. Our justice system is AWOL on hacking.
x86 and systems based on it are hopeless from a security perspective, and that is even before considering the ticking time bomb that is Intel's Management Engine. It will be exploited eventually, and it would be surprising if the NSA wasn't already compelling Intel to backdoor it.
See the Mill security architecture, for an example of how a clever architecture can eliminate the bulk of common exploit vectors, and require little more than a recompile. It isn't the only option, but I highlight the Mill because it is a fascinating and novel architecture which also addresses many other long-standing issues with conventional systems. The security mechanisms also enable performant microkernels to be built, and protection between applications and libraries.
Operating systems will require work to take advantage of the protection features, but that will benefit everyone and be well worth the investment. This is the kind of "cyber" initiative I would like to see, rather than the focus on offensive capabilities. The latter poses a direct conflict of interest with securing systems, and ensures that adversaries will stock vulnerabilities rather than share and fix them.
Dear Penthouse -
Whoops, wrong place.
Anyhow...About 22 or so years ago I was sitting in the hot tub with my girlfriend at her apartment complex in Mountain View when two dorky young guys come and jump in with us. I'm thinking "swell, we're usually alone out here all evening and there go my immediate plans for a little semi public nooky".
One starts talking about how he and the other guy are going to start up this search company named Yahoo and went on and on about it. Eventually they left and I turned to my girlfriend and said "That's the stupidest name I've ever heard of for a company".
And I think that sums up Yahoo. Disrupting others for a bit to no purpose, much rambling and meandering, and a silly name.
Not that "Google" is much better, or Microdick...err...Microsoft. It sounds so...little.
BOTTOM LINE - - - and THIS is the real Issue - is that the 'bean counters' are winning (have won)! As long as the profit margins are maintained - then the cost of the lawsuits and penalties are, basically, just a 'cost of doing business', and nothing will change until this fundamental issue is resolved. The cost of non-proactive performance / systemic issues MUST be made more expensive than non-compliance. When the cost accountants (and lawyers) can show that it is cheaper to pay the lawsuit losses and fines than it is to actually fix the problem, then American (and global) business will continue to follow the same old tried-and-true 'pot at the end of the rainbow' - - - the God almighty bottom-line ensconced in the corporate structure that places PROFIT ahead of any other issue - because the board-of-directors MUST be accountable to the shareholders and the fiduciary responsibility of the board is the PRIME DIRECTIVE , or they will be voted out of office. The 'PINTO' example mentioned in this thread is a prime example of this corporate mind-set. AND, a more current example is the 'Do No Evil' motto that has slowly, but surely, evaporated from the GOOGLE empire. SUCKS, but that's life, folks. My only remaining desire is to live long enough to remember - 'the year they killed all the lawyers' - - - NOT a threat, just a fervent, heart-felt wish.
redneck geek
Your house is protecting YOU first and foremost.
It's only really protecting me from the weather. Any theft protection is purely notional — that is, it's based on the notion that breaking and entering is prosecuted more severely than if I just had my stuff lying around outside in boxes. It's trivial to get into almost any house.
We all do reasonable measures to protect ourselves but are hardly spending a large portion of our income to do so.
If I were expected to protect other people's stuff, then I'd also be expected to spend a reasonable amount of money to do that. A gun dealer who didn't put extremely valuable guns in a secure safe would not be trusted by customers.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm not surprised it's cheaper for a company to deal with a data breach, it's not their product or service that's being taken (or you can bet they'll throw everything they have at stopping that).
It's MY personal information that was stolen! THEY don't have to deal with the fraudulent credit charges to MY account. THEY don't get a bump in spam after MY email is leaked. THEY don't have to deal with shit, it's ME who bears the cost.
Basically the people who really need to think about security are those for whom failing to implement proper security will land them in jail, being tortured, or dead. Sadly this world is a violent place and the majority of people would incarcerate a minority of the population. Even those who are non-violent. LGBT in middle eastern countries, people taking or involved in drug distribution, a significant number of people involved in politically unpopular speech (this *INCLUDES* the United States and most of Europe, denying the holocaust, or pretty twisted pornographic content), etc.
Paid for by the Hacker's Collective.
Get ready to change your mind! Hear from the engineer who caused the pinto not to be recalled:
and
I can't possibly quote the whole article but it's really quite good: You can believe your simplistic version of events, or you can read the truth as illustrated in a way only Malcolm Gladwell could do.
http://www.newyorker.com/magaz...
-
When I ran websites I had an open invitation to hack the site. I kept a close eye on the logs and kept backups. When a hack got through the outer security I patched it.
We've known this for ages....and I learnt about it the hard way years ago as a webmaster.
I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
Turns out that doing so broke a number of customer webpages - who were reliant on some old broken and unmaintained code, who then complained and whined to our company that we threatened their businesses.
Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.
Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.
Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT - you may as well fire the sysadmins because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure, or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.
That's how security patching works in the real world. In other words, it doesn't.
The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive. That's why there is so much outsourcing combined with support contracts so company managers can point the finger at vendors when things go to hell and then walk away with legal indemnification and still keep their job when things eventually go to pot.
READY.
PRINT ""+-0
The big problem is that data loss is an externality that it is not being priced by the market. So let's have government put a price on it. Pick a number. Five dollars? Ten dollars? Fifty cents? For every person's personal information the company loses, they pay a fine of the mandated amount. Make it treble for social security numbers. Problem solved. Yahoo pays out a cool $250 million, even at 50 cents a pop.
I remember back in the mid to late 90's, many companies viewed I.T. as much more than "overhead". In some cases, it was pretty understandable. They literally brought businesses to whole new levels of efficiency by eliminating paper and pencil methods of handling customer orders, inventory and more.
When you first started giving everyone personal computers as business tools just as essential as the telephones on their desks, you created a massive shift in the way business was conducted. Nobody but internal I.T. (or paid I.T. workers coming in on an hourly basis) were responsible for implementing that.
The problem is, there was an expectation that somehow, I.T. staff would keep coming up with more amazing ways to re-imagine or refine the business to make it more profitable and efficient. And increasingly, that STOPPED happening as the people employed in I.T. found themselves bogged down in just keeping the existing infrastructure functioning and keeping employees trained to use it.
If optimal means minimum total cost, then Khopesh's comment above is spot on. The overall minimum isn't at equal costs, it's at equal derivatives. I.e. when an incremental amount spent on security reduces the breach costs by an equal amount.
It's possible for the two conditions to coincide, and this assumption is often made in the absence of better information. But the real world is non-linear, and coincidence is unlikely. Perhaps RAND will propose a follow-on study to address this point.
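The "equal derivatives" condition, written out as an added note (not part of the comment above), with $s$ the annual security spend and $L(s)$ the expected annual breach loss given that spend; the symbols and the sample loss curve are assumptions for illustration, not from the RAND study:

$$
C(s) = s + L(s), \qquad
\frac{dC}{ds} = 1 + L'(s) = 0 \;\Longrightarrow\; L'(s^{*}) = -1 .
$$

So the optimum is where one more dollar of security removes exactly one dollar of expected loss, not where $s = L(s)$. For a concrete (assumed) curve $L(s) = L_0\, e^{-s/k}$, with $L_0$ the unmitigated expected loss and $k$ the spend that cuts it by a factor of $e$:

$$
L'(s) = -\frac{L_0}{k} e^{-s/k} = -1
\;\Longrightarrow\;
s^{*} = k \ln\!\left(\frac{L_0}{k}\right), \qquad
L(s^{*}) = k .
$$

The two conditions coincide only when $s^{*} = L(s^{*})$, i.e. $\ln(L_0/k) = 1$, i.e. $L_0 = e\,k$: a single point on the curve, which is the sense in which the coincidence is unlikely. If $L_0 \le k$ the derivative condition has no positive solution and the minimum is at $s^{*} = 0$, which is the "don't spend on security" outcome the thread is discussing; with a breach cost around $200k that is reached whenever the spend needed to reduce the loss by a factor of $e$ exceeds roughly that amount.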
People have to get to work, driving or otherwise. They earn money to pay for needs and wants. The reward outweighs the risk.
Terrorism is neither needed nor wanted. People are afraid of the rare, high damage events, that are out of their own control.